1.264 Lecture 17. Web security: Encryption (public key) SSL/TLS Blind signatures (SET)

Transcription

1 1.264 Lecture 17 Web security: Encryption (public key) SSL/TLS Blind signatures (SET)

2 Premises for Web security Browser-network-server are the 3 key components User (browser) premises Remote server is operated by organization stated Documents returned by server are free from viruses, etc. Remote server will not distribute user s private info, such as Web use Webmaster (server) premises User will not attempt to break into or alter contents of Web site User will not try to gain access to documents that he/she is not allowed User will not try to crash the server or deny service to others If user has identified him/herself, user is who he/she claims to be Network premises (user and Webmaster) Network is free from 3rd party eavesdroppers Network delivers information intact, not tampered with by 3rd parties

3 Client risks Active content: applets, scripts, ActiveX controls, plug-ins Browsers download and run software without advance notice User usually cannot virus-check before using Formerly innocuous content such as Word files can start viruses Few malicious applets so far: mostly annoying applets except for ing private information Privacy loss Web server site logs: IP address, document retrieved, date/time, previous URL, and more. Cookies. Have been abused by marketing to track user habits Newsgroups. Used to compile lists for spam. Surreptitious with private info. Several instances recently. Microsoft Outlook has been repeatedly attacked via .

4 Server risks Webjacking Break-in and modification of site Hundreds reported, including NASA, CIA, USAF, Exploit operating system and holes, poor configuration, Denial of service Attacks that cause system to expend large resources in response

5 Network risks Packet sniffers: look for passwords, credit card numbers Kits available on Internet Cable modems (shared networks) are major risk Small programs, installed on compromised computer in network Often small Internet service provider (ISP) or small company itself A few sniffer attacks known on Internet (broke SSL) Cryptography is technical solution to sniffing IP address spoofing: pretend you re another machine Look-alike sites set up with stolen pages, etc. Mimic Web merchant, bank, etc. Authentication (digital certificates) are technical solution

6 Cryptography and encryption Plaintext: original message Ciphertext: encrypted message Algorithm: function converting plaintext to ciphertext Key: number used by algorithm to encrypt and/or decrypt

7 Symmetric algorithms Symmetric algorithms: use same key to encrypt and decrypt DES (Data Encryption Standard): 56 bit key, in common use Splits data into pieces, XORs, reshuffles Cracked in two days in June, 1998 Triple DES: encrypt/decrypt/encrypt with 2 or 3 DES keys: 168 bit effective key length Encrypt with key 1, decrypt with key 2, encrypt with key 1 again RC2, RC4, RC5: 40 (export)-2048 bit keys, in common use by encrypting Web servers and browsers IDEA: 128 bit key, popular in Europe, used in PGP, patented Blowfish, Twofish: up to 448 bit key, unpatented, use increasing Rijndael: Current US government AES standard Problems with symmetric keys Must be exchanged in advance, via secure method Multiway communication infeasible: If many users must communicate with server, compromising any one can compromise all

8 Asymmetric or public key algorithms Plaintext Public Private key Ciphertext key Plaintext Key pairs: public key for encryption, private key for decryption RSA: bit, in common use for Web and ElGamal: unpatented, infringement on Diffie-Hellman expired 1997 Problems with public key algorithms Speed: RSA is 1000 times slower than symmetric algorithms Problem avoided by using RSA to exchange a symmetric session key and then using symmetric method for the rest of the session

9 Public key (RSA) concept Public key P is pair of integers (N, p) Secret or private key S is pair of integers (N, s) Generate 3 large random prime numbers (Fermat s Little Thm) Largest is s. Call the other two x and y. N= xy p= smallest integer such that (ps) mod (x-1)(y-1)= 1 Encrypt message m to ciphertext c by: c = m p Decrypt message c to plaintext m by: m = c s s is hard to compute from N and p Requires knowledge of x and y, which requires factoring N Factoring is exponential time algorithm, so if number to be factored is big enough, it takes a very long time...

10 Key length Assume: Algorithm is good Algorithm coded correctly Key management is correct and secure Then only way to crack message is brute force Public key lengths must be longer than symmetric to provide same level of security 384 bit public key offers same security as 40 bit symmetric key (not much) Public keys should be at least 1024 bits Symmetric key length Time to crack on PCs Time to crack on big iron 40 bits Seconds Milliseconds 56 bits Days Hours 64 bits Months Days 80 bits Millions of Years Thousands of Years

11 Key length and US encryption policy Encryption is a munition Still a contentious issue but restrictions are being relaxed Exemptions for 40 bit or weaker encryption (512 bit RSA) granted Banker s exceptions for browsers to use 128 bit encryption You can be considered an international arms courier if you bring your laptop with 1024 bit RSA on an international flight Key recovery Allows government to recover encrypted information Digital envelope contains: Session key encrypted with receiver s public key, as usual Session key encrypted with government key recovery agency key Message Controversy continues: if agency private key leaked, all messages can be read

12 Sender Sender signature Sender s private key Digital signatures Digital signature Sender s public key Recipient Sender signature Side benefit of public key algorithms Problems with digital signatures Spoofer can cut and paste encrypted signature from old message to new faked message. One solution is for one party to send challenge phrase to other Other then encrypts with private key and sends to first, who can check it Message digest functions provide integrity check (often 128 bits) Hash is summary function run on entire message that produces short digest (note that is a very big number of combinations!) Send hash and message. Receiver hashes message and checks if same hash. MD5 (RSA) and SHA (NIST) are common message digest functions SSL uses hash of (session key plus hash(session key and message))

13 Digital envelopes To solve performance problems with public key encryption 1. Generate session key, a secret symmetric key, at random 2. Encrypt message using session key and symmetric algorithm 3. Encrypt session key with receiver s public key: digital envelope 4. Send encrypted message and digital envelope to receiver 5. Receiver uses her private key to decrypt envelope and get session key 6. Receiver uses session key to decrypt message 7. When session is over, both parties discard session key Secure Sockets Layer (SSL) essentially implements this Most widely used security system on Web

14 Secure Sockets Layer (SSL) Dominant protocol for browser-server communications Being standardized as Transport Layer Security (TLS), TLS 1.0 is the same as SSL 3.0 TLS has different hash/digest and encryption functions being proposed for future versions Secure HTTP (S-HTTP) was competitor Same technology (digital envelopes, certificates, message digests) S-HTTP worked with HTTP only; SSL works at TCP level SSL handles HTTP, ftp, telnet, etc. S-HTTP cost money; SSL was free in Netscape browser SSL 2.0 was first version Cracked due to bug in random number generator Cracked again by modifying SSL code download using a sniffer Still a potential problem Vulnerable to man-in-the-middle attacks SSL 3.0 stable, current version

15 SSL, cont Many choices in symmetric algorithm, message digest and authentication Client and server negotiate strongest common protocol SSL has built-in compression Encrypted message has no patterns and can t be compressed, so compression must be done before or within SSL, or not at all SSL encrypts all client-server communications Only public info available is that client is talking to this server Anonymizing proxies can be used to handle this if it s a problem

16 SSL protocol steps

17 SSL protocol steps 1. ClientHello: list client capabilities: SSL version, cipher suites, compression 2. ServerHello: chosen cipher suite, data compression, sessionid 3. Server sends its certificate (client can check back to root CA in browser) 4-5. Optional, rarely done today (but done at MIT) 6. ClientKeyExchange: Client generates trial symmetric key, encrypts it with server public key and sends it to server This prevents a listener (snooper) from copying past message (spoofing) 7. CertificateVerify: Optional, rarely done. Can authenticate client 8. ChangeCipherSpec: Confirm session key and cipher to be used 9. Finished: Client and server hash entire conversation to ensure all messages were received intact and not tampered with 10. Client and server switch to encrypted mode using symmetric session key

18 Secure Electronic Transactions (SET) Joint development: Visa, Mastercard, Netscape, Microsoft Used only for secure credit and debit card transactions Has same features as current credit card system: Registration, purchase requests, authorization, funds transfer, SSL handles encryption but not the financial functions Need online card authorization, bank transactions, etc. SSL does not encrypt financial database on server; SET does SET does not give merchant the customer credit card number SET inhibits guessing credit card numbers (shuts off multiple guesses) SET doesn t handle non-financial functions, has been abandoned We use it as an example of blind signatures, for which we will need a technology and standards in the future

19 SET protocol

20 More information (Bruce Schneier) Monthly Crypto-gram newsletter comp.risks newsgroup Proceedings of the Annual IEEE Symposia on Security and Privacy Applied security Available online (MIT libraries) Advisories, patches "Applied Cryptography, Schneier Field moves too fast for books to be a useful source