Internet Security Protocols

Transcription

1 Information Security and Privacy Internet Security Protocols Darya Kurilova October 1, 2013 Darya Kurilova 2013

2 Internet Security Protocols Darya Kurilova

3 What is the Internet? Darya Kurilova

4 What Is the Internet? Essentially, a collection of nodes and links: Desktop, laptop, tablet, smartphone, server,... Router, DNS server, switch, hub,... Wired, wireless, optic fiber, satellite,... Darya Kurilova

5 Characteristics of the Internet No single entity that controls the Internet Traffic from a source to a destination flows through nodes controlled by different entities End nodes cannot control through which nodes traffic flows All traffic is split up into individuals packets, and each packet could be routed along a different path Different types of nodes: servers, laptops, routers, UNIX, Windows, etc. Different types of communication links: wireless vs. wired Different packet formats Etc. Darya Kurilova

7 What is a protocol? Darya Kurilova

8 What Is a Protocol? Protocols define the standards and conventions for communication How do we set up a communication channel? Protocols guide everything from how we answer the phone to how we order a pint at a pub Darya Kurilova

9 E.g., compare: What Is a Protocol? Hello, Barman, I d like 493 ml of your finest malted beverage, please! Hmm... Darya Kurilova

10 E.g., compare: What Is a Protocol? A pint of Heineken, please! Coming right up, Ma am! Darya Kurilova

12 How Safe Is It Out There? Darya Kurilova

13 The Main Problem with the Internet Security Transport and network layer designed in the 1970s to connect local networks at different universities and research labs Participants knew and trusted each other Design addressed non-malicious errors (e.g., packet drops), but not malicious errors Darya Kurilova

14 Security Protocols on the Internet Which layer do the security protocols belong to? Application Layer Transport Layer Network Layer Data Link Layer S/MIME, PGP, Sender ID, OpenID, DKIM, SPF, PEM, MOSS, ssh SSL, TLS, PCT IPsec, VPN 802.1x, WEP, WPA, WPA2 Darya Kurilova

15 Security Protocols on the Internet Application-layer security Convenient Can use user logins for authentication No infrastructure requirements But high development cost Solutions are application-specific Transport layer security Standardized and well-understood Requires no application-layer cryptography But applications must be rewritten Network layer / Data link layer security Transparent to the application But has high infrastructure cost Darya Kurilova

16 Who Are We Up Against? How do we model the intruder? Knows the protocol but cannot break cryptography (perfect cryptography assumption) Passive and overhears all network traffic Active and can intercept and generate messages May even be one of the principals running the protocol! A friend s just an enemy in disguise. You can t trust nobody. - - Charles Dickens, Oliver Twist Darya Kurilova

17 Types of Attacks Man in the middle (or parallel sessions) attack: Transfer $100 from Joe to Norman Transfer $100 from Joe to Paul Replay (or freshness) attack: reuse parts of previous messages Masquerading attack: pretend to be another principal by forging source address (e.g., IP spoofing), or convincing other principals to use the intruder s key Reflection attack: send transmitted information back to the originator Type-flaw attack: substitute a different type of message field Darya Kurilova

18 Why Protocols? Why not just encrypt everything? Naive use of cryptography doesn t help! E.g.: Why not just sign everything for authenticity, then encrypt for secrecy? {{I love you} K_Priv_Alice } K_Pub_Bob {{I love you} K_Priv_Alice } K_Pub_Dave Alice Bob Encrypt-then-sign is no better Need a way to lift the protection that cryptography gives us on individual data to whole channels Cryptographic primitives are the building blocks, but have to put them together right Dave Darya Kurilova

19 Protocol Security Properties Security protocols are protocols for establishing channels with desired security properties How do we turn an untrustworthy channel into a trustworthy one? Confidentiality (secrecy), authentication, and timeliness (or freshness) Can be viewed abstractly as I/O restrictions on channels Secrecy restricts channel output: Charlie should not be able to read Alice Secret message for Bob Bob Intruder (Charlie) Darya Kurilova

20 Protocol Security Properties Security protocols are protocols for establishing channels with desired security properties How do we turn an untrustworthy channel into a trustworthy one? Confidentiality (secrecy), authentication, and timeliness (or freshness) Can be viewed abstractly as I/O restrictions on channels Alice Message from Alice Bob Authen3city restricts channel input: Charlie should not be able to write, posing as Alice Intruder (Charlie) Darya Kurilova

21 Other Security Goals Key exchange Symmetric encryption is 1,000x faster than asymmetric, but the key distribution problem Therefore, many protocols deal with authenticated key exchange (AKE) Secure contract signing Anonymity Non-repudiation Darya Kurilova

22 Internet Security Protocol 1: Needham-Schroeder Public Key Protocol (NSPK) Small, simple, and convincing Darya Kurilova

23 Needham-Schroeder Public Key Protocol (NSPK) One of the earliest and simplest protocols Proposed by Roger Needham and Michael Schroeder Dates back to 1978, i.e., 35 years old! Goal: mutual authentication Darya Kurilova

24 How NSPK Works {Nonce Alice, Alice} K_Pub_Bob {Nonce Alice, Nonce Bob } K_Pub_Alice Alice (Client) {Nonce Bob } K_Pub_Bob Bob (Server) Small, simple, and convincing. Looks good, doesn t it? Darya Kurilova

25 A Story Twist! NSPK 1 NSPK 2 {Nonce Alice, Alice} K_Pub_Charlie {Nonce Alice, Alice} K_Pub_Bob {Nonce Alice, Nonce Bob } K_Pub_Alice {Nonce Alice, Nonce Bob } K_Pub_Alice Alice (Client) {Nonce Bob } K_Pub_Charlie Intruder (Charlie) {Nonce Bob } K_Pub_Bob Bob (Server) Man-in-the-middle attack Took almost 20 years to find! Darya Kurilova

26 Security Properties Violations Who was duped? Not Alice, since she meant to share the information (Nonce Alice and Nonce Bob ) with Charlie Bob, however, thinks he shares the information (Nonce Alice and Nonce Bob ) only with Alice Secrecy failed: Charlie knows the values! Authentication failed: Alice had no run with Bob! Darya Kurilova

27 Fixing NSPK {Nonce Alice, Alice} K_Pub_Bob {Nonce Alice, Nonce Bob, Bob} K_Pub_Alice Alice (Client) {Nonce Bob } K_Pub_Bob Bob (Server) Does it work? Darya Kurilova

28 Fixing NSPK NSPK 1 NSPK 2 {Nonce Alice, Alice} K_Pub_Charlie {Nonce Alice, Alice} K_Pub_Bob {Nonce Alice, Nonce Bob, Bob} K_Pub_Alice Alice (Client) Intruder (Charlie) Bob (Server) The man-in-the-middle attack is now prevented. Darya Kurilova

29 Internet Security Protocol 2: Transport Layer Security (TLS/SSL) The popular one Darya Kurilova

30 Transport Layer Security (TLS/SSL) Most widely used transport layer security protocol HTTP + SSL = HTTPS Originally developed by Netscape in mid-90s as an enabling technology for e-business Provided properties: Server authentication Message integrity Message confidentiality Client authentication (optional) Darya Kurilova

31 Transport Layer Security (TLS/SSL) Consists of several subprotocols: Application protocol describes how application data is transmitted: how it s compressed and encrypted how MACs are used for integrity Handshake protocol establishes the security association that describes the cryptographic parameters used: what is the shared key what symmetric encryption algorithm what MAC scheme Various alert protocols manage exceptions and errors Darya Kurilova

32 TLS at a High Level Do I know the public key of the CA of the provided signature? Does the host name in the cer^ficate match the host name of the website that I wants to download? Alice (Client) I m Alice. I want to use TLS. I speak 3DES, RC4, and AES. I m Bob. OK, let s use AES. My cer^ficate is {Bob s host name, Bob s public key, signature of a CA}. {K session } K_Pub_Bob Communica^on proceeds using AES with K session as a symmetric key. Bob (Server) OK. Got it. It s K session. Darya Kurilova

33 TLS at a High Level Client connects to server, indicates it wants to speak TLS, and which ciphersuites it knows Server sends its certificate to client, which contains: Its host name Its public key Some other administrative information A signature from a Certificate Authority (CA) Server also chooses which ciphersuite to use Client validates server s certificate Is its signature from a CA whose public key is embedded in the client (i.e., browser)? Does the host name in the certificate match the host name of the website that client wants to download? Client sends secret session key K, encrypted with server s public key Server decrypts with its private key and gets K Communication now proceeds using K and the symmetric encryption and MAC algorithms from the chosen ciphersuite Darya Kurilova

34 The Success of TLS Why is TLS successful? It just works, without you having to configure anything It comes with your browser Which encouraged web server operators to pay $$ for their certificates Not just the most successful security mechanism, but also the most successful Privacy Enhancing Technology (PET) Increasingly important due to the success of WiFi Darya Kurilova

35 But TLS Is Not a Panacea Users almost never click on the lock When they do, the output is hard to understand! Phishing is still prominent Does a user know the difference between certificates assigned to and Darya Kurilova

36 Internet Security Protocol 3: OpenID Open and free Darya Kurilova

37 OpenID Developed in 2005 by Brad Fitzpatrick Initially developed for LiveJournal website Spread much further Big companies started to use it Symantec, Sun Microsystems, Google, Yahoo!, PayPal, Facebook, IBM, VefiSign, etc. Darya Kurilova

38 OpenID Open standard Allows users to be authenticated by certain co-operating sites (relying parties) using a third party service Eliminates the need for webmasters to provide their own ad hoc systems Allows users to consolidate their digital identities Goal: authentication Darya Kurilova

39 OpenID at a High Level I am registered with an OpenID provider (Carol). Carol (OpenID provider) We share a secret key K. Alice (End- user) Hello. I want to use your services. OK. Please, authen^cate with your OpenID account with Carol. Bob (Relying party) Communica^on between Alice and Bod con^nues. Darya Kurilova

40 Issues with OpenID Authentication bugs May 2012, Google and PayPal Privacy issues Phishing is possible Possible authentication hijacking in unsecured connection Darya Kurilova

41 Definitions Recap Security of the Internet Secure Internet Protocols Protocol security properties Examples: Needham-Schroeder Public Key Protocol (NSPK) TLS / SSL OpenID Darya Kurilova

42 Q & A Darya Kurilova

43 Acknowledgements This slide deck was prepared using slides from presentations by Prof. Ian Goldberg and Paul Hankes Drielsma. Darya Kurilova