Security Protocols: SSH. Michael E. Locasto University of Calgary

Transcription

1 Security Protocols: SSH Michael E. Locasto University of Calgary

2 Agenda Philosophy: data protec?on on the network Discussion of SSH SSH history Authen?ca?on Mechanisms SSH2 design overview / architecture Subtle issues 4/2/15 Michael E. Locasto, CPSC 2

3 QoD theshadow asks: Is there any prac?cal way of guaranteeing the authen?city of a fingerprint/public key on the first connec?on? 4/2/15 Michael E. Locasto, CPSC 3

4 Mo?va?ng Ques?on Where is the Right Place to Place Security in the Network? Applica?on layer: filecrypt protocol layer: PEM, S/MIME, PGP Transport layer: SSL, TLS Network layer: IPsec 4/2/15 Michael E. Locasto, CPSC 4

5 4/2/15 Michael E. Locasto, CPSC 5

6 4/2/15 Michael E. Locasto, CPSC 6

7 The Role of SSH Removes complexity from applica?ons that want to use cryptographic protec?on on the network Doesn t require changes to the OS, TCP/IP stack Provides transparent encryp?on, integrity protec?on, authen?ca?on, and authoriza?on Protects against replay a]acks 4/2/15 Michael E. Locasto, CPSC 7

8 Replaces a number of tools (r- tools, telnet) that have weak authen?ca?on models and no encryp?on SSH is a cri?cal protocol and piece of sobware that addresses a number of network security problems 4/2/15 Michael E. Locasto, CPSC 8

9 History of SSH Developed in 1995 by a researcher at the University of Helsinki aber passwords were sniffed on their network Ini?ally open source, started a company to market the product The OpenBSD project took over an early version and created OpenSSH Different protocol versions (1.3, 1.5, 2.0) 4/2/15 Michael E. Locasto, CPSC 9

10 SSH, SCP, and SFTP SSH a secure replacement for telnet/remote command prompt SFTP a protocol layered on top of SSH for file transfer (similar interface to bp, +session) SCP a syntax very close to cp(1), no session 4/2/15 Michael E. Locasto, CPSC 10

11 Tunneling Assume Alice and Bob want to communicate via an applica?on that does not have encryp?on built in (e.g., POP3) SSH port forwarding is a good op?on - realize that data only encrypted between SSH client and server - ssh L 13373: :110 pop.foo.edu - configure client to talk to : /2/15 Michael E. Locasto, CPSC 11

12 The SSH- 2 Protocol Three major sub- protocols - SSH Transport Layer Protocol - SSH Authen?ca?on Protocol - SSH Connec?on Protocol Auth & Conn at same level SSH TRANS is the fundamental building block - Confiden?al integrity- protected pipe to authen?cated peer 4/2/15 Michael E. Locasto, CPSC 12

13 4/2/15 Michael E. Locasto, CPSC 13

14 4/2/15 Michael E. Locasto, CPSC 14

15 Interes?ng Parts of SSH TRANS Session- key establishment PFS Neither side dictates what session key is Key material is hashed by SHA- 1 Cer?ficates SSH2 is ready to use PKI Currently, admins maintain db of host keys 4/2/15 Michael E. Locasto, CPSC 15

16 4/2/15 Michael E. Locasto, CPSC 16

17 SSH- 2::SSH CONN Provides a number of services layered on top of SSH TRANS port forwarding X11 forwarding Compression Mul?ple sessions over 1 connec?on 4/2/15 Michael E. Locasto, CPSC 17

18 SSH- 2::SSH Auth Use SSH AUTH over SSH TRANS to authen?cate public key password host based DSA or RSA 4/2/15 Michael E. Locasto, CPSC 18

19 Differences Between SSH- 1 and SSH- 2 Algorithm nego?a?on for all parts (SSH1 just selected data encryp?on algorithm) More key exchange methods Cer?ficates for public keys Stronger integrity checking (not CRC) Re- keying 4/2/15 Michael E. Locasto, CPSC 19

20 SSH Agent Re- authen?ca?ng mul?ple?mes is a pain (retype passphrase) (use only with public key authen?ca?on) Can have local client (SSH Agent sobware) remember your iden?ty Keeps private keys in memory 4/2/15 Michael E. Locasto, CPSC 20

21 Authen?ca?on in SSH Two major forms password- based (uses PAM on the backend) public- key based (more secure) Honorable men?on: GSSAPI (e.g., Kerberos) host- based (s?ll uses public key auth) 4/2/15 Michael E. Locasto, CPSC 21

22 Password- Based Authen?ca?on SSH client authen?cates server and agrees on a session key Then you authen?cate yourself to the host - are you a legal user of this machine? - server uses some auth mechanism to provide you a real shell Philosophical ques?on: since we re going through such trouble to use a lot of security, why retain a weak authen?ca?on mechanism? 4/2/15 Michael E. Locasto, CPSC 22

23 Public Key Authen?ca?on Password- based authen?ca?on reveals your secret. It s difficult to come up with a good password why give it away so oben? Password::account is a 1 to 1 rela?on Different keypairs provide finger- grained control and audit of user ac?vity e.g., root account access 4/2/15 Michael E. Locasto, CPSC 23

24 Public Key Auth (cont) Create public & private keypair w/ ssh- keygen Distribute your public key to the servers you are interested in logging into, place in ~/.ssh/ authorized_keys2 Put private keys??? (~/.ssh2/ directory) - carry around with you? - single client, mul?ple clients 4/2/15 Michael E. Locasto, CPSC 24

25 Logging in with Public Key Auth ssh enter passphrase $ Authen?cator is created Private key and passphrase never leave client SSH server authen?cates you, not login(1) - footnote: privilege separa?on 4/2/15 Michael E. Locasto, CPSC 25

26 C - > S : locasto S - > C : challenge C - > S : encrypt(challenge, priv_key) S checks if stored public key for locasto decrypts challenge properly S - > C : fail or pass 4/2/15 Michael E. Locasto, CPSC 26

27 SSH ATTACKS AND BUGS 4/2/15 Michael E. Locasto, CPSC 27

28 4/2/15 Michael E. Locasto, CPSC 28

29 SSH- 1 CRC A]ack Ac?ve inser?on a]ack; can insert arbitrary commands to the server June 1998 (Futoransky & Kargieman) CRC is not a cryptographically strong integrity check SSH2 includes strong integrity checks to avoid this a]ack 4/2/15 Michael E. Locasto, CPSC 29

30 Weaknesses of TCP/IP SSH is great, but built on top of TCP/IP vuln to DoS a]ack bogus control / rou?ng packets can be injected password guessing (common a]ack) does not address traffic analysis Really problems w/ anything 4/2/15 Michael E. Locasto, CPSC 30

31 Man in the Middle Because of lack of PKI, the host- key trust requirement is basis of client s trust in server The first?me you connect, vulnerable to a MITM a]ack Admins change server keys at certain intervals (machine reboot or re- install) 4/2/15 Michael E. Locasto, CPSC 31

32 Concluding Remarks Hopefully this talk and the tutorial session has convinced you to use SSH and perhaps even public- key based authen?ca?on! Understand how SSH works and what it does not address 4/2/15 Michael E. Locasto, CPSC 32

33 4/2/15 Michael E. Locasto, CPSC 33

34 RFC 4253 Ques?ons What is the standard ssh port? (4.1) What is the recommended re- keying period? (9) What three arguments does the RFC make that the addi?onal overhead is negligible? (5.3) What is the recommended minimum effec?ve key length (6.3) 4/2/15 Michael E. Locasto, CPSC 34

35 THE END 4/2/15 Michael E. Locasto, CPSC 35