CS549: Cryptography and Network Security

Transcription

1 CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1

2 Notice This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials. Especially the Cryptography and Network Security 2 nd edition by William Stallings and the Cryptography: Theory and Practice by Douglas Stinson. You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author. The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs, protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these. Cryptography and Network Security 2

3 Network Security Cryptography and Network Security 3

4 Topics to be covered Applications security www security Malicious software Networks Wireless LAN security IPsec Firewall Intrusions Cryptography and Network Security 4

5 Cryptography and Network Security Security Xiang-Yang Li Cryptography and Network Security 5

6 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources of information filled much of this gap. The FBI provided documents taken from the files of the National Security Advisor and relevant NSC staff members, including messages from the PROF system between VADM Poindexter and LtCol North. The PROF messages were conversations by computer, written at the time events occurred and presumed by the writers to be protected from disclosure. In this sense, they provide a first-hand, contemporaneous account of events. The Tower Commission Report to President Reagan on the Iran-Contra Affair, 1987 Cryptography and Network Security 6

7 Security is one of the most widely used and regarded network services currently message contents are not secure may be inspected either in transit or by suitably privileged users on destination system Cryptography and Network Security 7

8 Security Enhancements confidentiality protection from disclosure authentication of sender of message message integrity protection from modification non-repudiation of origin protection from denial by sender Cryptography and Network Security 8

9 Pretty Good Privacy (PGP) widely used de facto secure developed by Phil Zimmermann selected best available crypto algs to use integrated into a single program available on Unix, PC, Macintosh and Amiga systems originally free, now have commercial versions available also Cryptography and Network Security 9

10 PGP Five services Authentication, confidentiality, compression, compatibility, segmentation Functions Digital signature Message encryption Compression compatibility segmentation Cryptography and Network Security 10

11 PGP Operation Authentication 1. sender creates a message 2. SHA-1 used to generate 160-bit hash code of message 3. hash code is encrypted with RSA using the sender's private key, and result is attached to message 4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code 5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic Cryptography and Network Security 11

12 PGP Operation Confidentiality 1. sender generates message and random 128-bit number to be used as session key for this message only 2. message is encrypted, using CAST-128 / IDEA/3DES with session key 3. session key is encrypted using RSA with recipient's public key, then attached to message 4. receiver uses RSA with its private key to decrypt and recover session key 5. session key is used to decrypt message Cryptography and Network Security 12

13 PGP Operation Confidentiality & Authentication uses both services on same message create signature & attach to message encrypt both message & signature attach RSA encrypted session key Cryptography and Network Security 13

14 PGP Operation Compression by default PGP compresses message after signing but before encrypting so can store uncompressed message & signature for later verification & because compression is non deterministic uses ZIP compression algorithm Cryptography and Network Security 14

15 PGP Operation Compatibility when using PGP will have binary data to send (encrypted message etc) however was designed only for text hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC PGP also segments messages if too big Cryptography and Network Security 15

16 PGP Operation Summary Cryptography and Network Security 16

17 Segmentation & Reassembly systems impose maximum length 50 Kb, for example PGP provides automatic segmentation Done after all other operations Thus only one session key needed Cryptography and Network Security 17

18 Key management Generating unpredictable session keys Identifying keys Multiple public, private key pairs for a user Maintain keys Its own public, private keys of a PGP entity Public keys of correspondents Cryptography and Network Security 18

19 Session Key Generation Algorithm used: CAST-128 Input to CAST-128 A 128-bit key Two 64 bits plaintexts to be encrypted Output using cipher feedback mode Generates 2 64-bits ciphers form session key Plaintexts are from 128-bits randomized number Based on key stroke of user (timing and actual keys) Then combined with previous session key Cryptography and Network Security 19

20 Key Identifiers Receiver has multiple public keys How to know which private key is proper? Approach Sending the least significant 64 bits as key ID Need send the receiver s public key ID used for encrypting the session key Need send the sender s public key ID, whose corresponding private key used for signature Cryptography and Network Security 20

21 Key Rings Private key rings Timestamp, Key ID, public key, encrypted private key, user ID Public key rings Timestamp, Key ID, public key, owner trust, user ID, key legitimacy, signature, signature trust Cryptography and Network Security 21

22 Public Key Management A public key attributed to B may belong to C C can send messages to A forge B s sig C can read any encrypted message to B Approach to true public key Physically get key from B Obtain B s key from mutual trusted authority Using key legitimacy field computed from the signature trust field and number of certificates for the key Cryptography and Network Security 22

23 Revoking Public Key Reason It is compromised: private key is open Simply to avoid use of same key for a period Approach Owner issues key revocation certificate, signed by owner Using corresponding private key to sign the certificate Disseminate the certificate as widely and as quickly as possible Cryptography and Network Security 23

24 S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME original Internet RFC822 was text only MIME provided support for varying content types and multi-part messages with encoding of binary data to textual form S/MIME added security enhancements have S/MIME support in various modern mail agents: MS Outlook, Netscape etc Cryptography and Network Security 24

25 S/MIME Functions enveloped data encrypted content and associated keys signed data encoded message + signed digest clear-signed data cleartext message + encoded signed digest signed & enveloped data nesting of signed & encrypted entities Cryptography and Network Security 25

26 S/MIME Cryptographic Algorithms hash functions: SHA-1 & MD5 digital signatures: DSS & RSA session key encryption: ElGamal & RSA message encryption: Triple-DES, RC2/40 and others have a procedure to decide which algorithms to use Cryptography and Network Security 26

27 S/MIME Certificate Processing S/MIME uses X.509 v3 certificates managed using a hybrid of a strict X.509 CA hierarchy & PGP s web of trust each client has a list of trusted CA s certs and own public/private key pairs & certs certificates must be signed by trusted CA s Cryptography and Network Security 27

28 Certificate Authorities have several well-known CA s Verisign one of most widely used Verisign issues several types of Digital IDs with increasing levels of checks & hence trust Class Identity Checks Usage 1 name/ check web browsing/ 2+ enroll/addr check , subs, s/w validate 3+ ID documents e-banking/service access Cryptography and Network Security 28

29 SPAM Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid for by the recipient or the carriers rather than by the sender Cryptography and Network Security 29

30 Spam spam has existed since the beginning of the Internet, and has grown to about 90 billion messages a day, although about 80% is sent by fewer than 200 spammers. Botnets, virus infected computers, account for about 80% of spam. addresses are collected from chatrooms, websites, newsgroups, and viruses which harvest users address books, and are sold to other spammers Cryptography and Network Security 30

31 Anti-Spam Techs Some popular methods for filtering and refusing spam include filtering based on the content of the , DNS-based blackhole lists (DNSBL), greylisting, spamtraps, enforcing technical requirements, checksumming systems to detect bulk , and by putting some sort of cost on the sender via a Proof-ofwork system or a micropayment. Each method has strengths and weaknesses and each is controversial due to its weaknesses. Cryptography and Network Security 31

32 Filtering Methods Bayesian spam filtering CRM114 dspam Markovian discrimination POPFile Policyd-weight Postfix policy-daemon before SMTP DATA Procmail is an MDA (Mail Delivery Agent) for Unix systems. Maildrop is an MDA (Mail Delivery Agent) for Unix systems. Sendmail supports libmilter for mail filtering Sieve (mail filtering language) is an RFC standard for describing mail filters SpamAssassin Anti-Spam SMTP Proxy information filtering White list# whitelists Cryptography and Network Security 32

33 Summary have considered: secure PGP S/MIME Cryptography and Network Security 33

34 Cryptography and Network Security Security on WWW Xiang-Yang Li Cryptography and Network Security 34

35 Introduction Introduction Presentation of SSL The inner workings of SSL Attacks on SSL Presentation of S-HTTP Comparison with SSL/TLS Attacks on S-HTTP Other aspects of Web security TLS IPSec, Kerberos, SET Conclusion Cryptography and Network Security 35

36 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats integrity confidentiality denial of service authentication need added security mechanisms Cryptography and Network Security 36

37 SSL (Secure Socket Layer) transport layer security service originally developed by Netscape version 3 designed with public input subsequently became Internet standard known as TLS (Transport Layer Security) uses TCP to provide a reliable end-to-end service SSL has two layers of protocols Cryptography and Network Security 37

38 Location of SSL SSL is build on top of TCP Provides a TCP like interface In theory can be used by all type of applications in a transparent manner Cryptography and Network Security 38

39 SSL Architecture Cryptography and Network Security 39

40 SSL Architecture SSL session an association between client & server created by the Handshake Protocol define a set of cryptographic parameters may be shared by multiple SSL connections SSL connection a transient, peer-to-peer, communications link associated with 1 SSL session Cryptography and Network Security 40

41 SSL Record Protocol confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption message integrity using a MAC with shared secret key similar to HMAC but with different padding Cryptography and Network Security 41

42 SSL Change Cipher Spec Protocol one of 3 SSL specific protocols which use the SSL Record protocol a single message causes pending state to become current hence updating the cipher suite in use Cryptography and Network Security 42

43 SSL Alert Protocol conveys SSL-related alerts to peer entity severity warning or fatal specific alert unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data Cryptography and Network Security 43

44 SSL Handshake Protocol allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish Cryptography and Network Security 44

45 General purpose Two step process: Handshake : exchange private keys using a public key encryption algorithm Data transmission: exchange the required data using a private key encryption Cryptography and Network Security 45

46 SSL Handshake Protocol Cryptography and Network Security 46

47 handshake Cryptography and Network Security 47

48 hello Client Hello : List of supported private key encryptions + Client random number Server Hello : Selected encryption algorithm Server Random number Session ID Server Certificate: Verify server s identity Cryptography and Network Security 48

49 Key exchange Client Key Exchange: Client Generate second random: Pre Master Key Send Pre Master Key Calculate Master Key Calculate Secret Key Calculate MAC Key Server Calculate Master Key Calculate Secret Key Calculate MAC Key Cryptography and Network Security 49

50 Resumed based on Session Id Cryptography and Network Security 50

51 Certificate authority Certificate Authority (CA) is a trusted third party that helps identify the server. How does everything work? Server sends ID, public key to CA CA creates and signs the server s Certificate Client receives the Certificate from Server Client verifies the Certificate using the signature and the CA s public key Cryptography and Network Security 51

52 MAC MAC = Message Authentication Code The initial message is split into fragments For each fragment a fingerprint is calculated using the MAC key The fragment, fingerprint and record header are encrypted and sent Receiver checks the fingerprint using MAC key to detect inconsistent messages Cryptography and Network Security 52

53 Attacks on SSL Certificate Injection Attack The list of trusted Certificate Authorities is altered Can be avoided by upgrading the OS or switching to a safer one. Man in the Middle Cipher Spec Rollback : regresses the public key encryption algorithms Version Rollback : regression from SSL 3.0 to weaker SSL 2.0 Algorithm rollback : modify public encryption method Truncation attack : TCP FIN RST used to terminate connection Timing attack Can be avoided by randomly delaying the computations Brute force Can be used on servers that accept small key sizes: 40 bits for symmetric encryptions and 512 for the asymmetric one. Cryptography and Network Security 53

54 TLS (Transport Layer Security) IETF standard RFC 2246 similar to SSLv3 with minor differences in record format version number uses HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding Cryptography and Network Security 54

55 TLS TLS was developed by IETF to replace SSL version 3. Based on SSL version 3, with some changes: Replaced FORTEZZA key exchange option with DSS. Include the hash method HMAC used by IPSec for authentication in IP headers. More differentiation between sub-protocols. TLS has mechanisms for backwards compatibility with SSL. Cryptography and Network Security 55

56 TLS TLS has about 30 possible cipher suites, combinations of key exchange, encryption method, and hashing method. Key exchange includes: RSA, DSS, Kerberos Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES, and AES Hashing: SHA and MD5 (Note: Some of the suites are intentionally weak export versions.) Cryptography and Network Security 56

57 Secure Electronic Transactions (SET) open encryption & security specification to protect Internet credit card transactions developed in 1996 by Mastercard, Visa etc not a payment system rather a set of security protocols & formats secure communications amongst parties trust from use of X.509v3 certificates privacy by restricted info to those who need it Cryptography and Network Security 57

58 SET Components Cryptography and Network Security 58

59 SET Transaction 1. customer opens account 2. customer receives a certificate 3. merchants have their own certificates 4. customer places an order 5. merchant is verified 6. order and payment are sent 7. merchant requests payment authorization 8. merchant confirms order 9. merchant provides goods or service 10. merchant requests payment Cryptography and Network Security 59

60 Dual Signature customer creates dual messages order information (OI) for merchant payment information (PI) for bank neither party needs details of other but must know they are linked use a dual signature for this signed concatenated hashes of OI & PI Cryptography and Network Security 60

61 Purchase Request Customer Cryptography and Network Security 61

62 Purchase Request Merchant Cryptography and Network Security 62

63 Purchase Request Merchant 1. verifies cardholder certificates using CA sigs 2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key 3. processes order and forwards the payment information to the payment gateway for authorization (described later) 4. sends a purchase response to cardholder Cryptography and Network Security 63

64 Payment Gateway Authorization 1. verifies all certificates 2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block 3. verifies merchant's signature on authorization block 4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block 5. verifies dual signature on payment block 6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer 7. requests & receives an authorization from issuer 8. sends authorization response back to merchant Cryptography and Network Security 64

65 Payment Capture merchant sends payment gateway a payment capture request gateway checks request then causes funds to be transferred to merchants account notifies merchant using capture response Cryptography and Network Security 65

66 A B C D C- Secure-HTTP Presentation of S-HTTP Designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections Proposed in 1994 but never used commercially Not to be confused with HTTPS: encrypts HTTP messages at the application level Security on the WWW Cryptography and Network Security 66

67 A B C D C- Secure-HTTP Location of S-HTTP HTTP-specific message encryption Can possibly be used over a secure channel Designed to be compatible with HTTP for handling at lower layers Security on the WWW Cryptography and Network Security 67

68 A B C D C- Secure-HTTP S-HTTP vs. SSL/TLS HTTP-specific vs. general purpose SSL (IMAPS, POPS, LDAPS ) Burden of encryption not on transmission/reception but rather on message production/unpacking Similar set of available ciphers, plus added capabilities for signing (DSS, RSA) Very general specifications, leaving a lot to implement and a potential for incompatible implementations Only one reference implementation in NCSA Mosaic Security on the WWW Cryptography and Network Security 68

69 A B C D C- Secure-HTTP S-HTTP vs. SSL/TLS: functionalities Security Service S-HTTP SSL Privacy Public or private cryptosystem Encryption of the complete HTTP transaction Symmetric key cryptosystem Complete communication encryption Integrity Simple MAC or signing MAC only Authentication Key management on the keys used, or digital signature During the initial public key exchange (server auth. mandatory, client auth. optional) Non-repudiation Digital signature Not provided S-HTTP can make use of key management Non-repudiation is not provided by SSL Signing is optional, but a major attraction to S-HTTP Security on the WWW Cryptography and Network Security 69

70 A B C D C- Secure-HTTP S-HTTP vs. SSL/TLS: proxy traversal Proxy traversal: SSL connection External secure server OR SSL tunnel cleartext SSL-aware proxy SSL tunnel Enterprise environment Proxy traversal: S-HTTP messaging Encrypted data External secure server Authentication S-HTTP-aware proxy Enterprise environment Security on the WWW Cryptography and Network Security 70

71 A B C D C- Secure-HTTP S-HTTP inner working Message-based encryption Superset of HTTP: outer envelope Specific headers added Request: Secure*Secure-HTTP/1.2 Response: Secure-HTTP/ OK Security on the WWW Cryptography and Network Security 71

72 A B C D C- Secure-HTTP S-HTTP attacks Basically the same as on SSL, since the ciphers are the same Default values more secure in S-HTTP than SSL at the time of proposal (e.g. DES vs. RC4) S-HTTP generally stronger by design (more resilient to proxy compromising) More complex and wider specifications create a potential for faulty implementations No real-world use to field test the actual security of S- HTTP Security on the WWW Cryptography and Network Security 72

73 A B C D D- Other protocols HTTP Basic Authentication HTTP has an authentication scheme as part of its original protocol. Supported by almost all browsers and web servers. Password and username are sent in clear text (base64 encoded) in the HTTP request message. Obviously not secure enough for sensitive information. This scheme is being replaced by the slightly more secure HTTP Digest Authentication, which sends a MD5 hash of the password and other information. Security on the WWW Cryptography and Network Security 73

74 IPsec IPSec is a security layer added to a computer s protocol stack in the kernel (Below TCP). It is invisible to the application. It is implemented by adding additional protocol numbers in the IP protocol field. Good for implementing a VPN. Packets can be either tunneled inside IPSec packets, or Transported with only the data portion of the original packet encrypted. Every IPSec end machine (which could be a LAN s router) must implement IPSec for it to work. Cryptography and Network Security 74

75 Summary have considered: need for web security SSL/TLS transport layer security protocols de facto standard, versatile and low-level enough to accommodate many types of payloads SET secure credit card payment protocols IPSec: true network-layer security for any applications (not just the Web) Kerberos: robust 2-way authentication framework with emphasis on security manageability Cryptography and Network Security 75

76 A B C D D- Conclusion Web Security SSL/TLS: de facto standard, versatile and low-level enough to accommodate many types of payloads S-HTTP: never took off, restricted to HTTP messages IPSec: true network-layer security for any applications (not just the Web) Kerberos: robust 2-way authentication framework with emphasis on security manageability Security on the WWW Cryptography and Network Security 76