, SNMP, Securing the Web: SSL

Transcription

1 , SNMP, Securing the Web: SSL 4 January 2015 Lecture 12 4 Jan 2015 SE 428: Advanced Computer Networks 1

2 Topics for Today (SMTP, POP) Network Management (SNMP) ASN.1 Secure Sockets Layer 4 Jan 2015 SE 428: Advanced Computer Networks 2

3 Application Level Protocol (like HTTP) Distinguish 1. User interface (mail reader: Thunderbird, Outlook) 2. Message transfer protocol (SMTP, POP, IMAP) 3. Companion protocol (message formatting: RFC 822, MIME) user agent SMTP SMTP mail access protocol (e.g., POP, IMAP) user agent sender s mail server receiver s mail server 4 Jan 2015 SE 428: Advanced Computer Networks 3

4 Simple Mail Transfer Protocol Used to move mail from sender to server and server to server Request/Reply conversation style (codes for replies) Authentication possible (password, SSL/TLS) Steps: 1. Greeting (HELO, EHLO) with name 2. Envelope headers RCPT TO MAIL FROM 3. Data Formatted according to rules in RFC or MIME Ends with a single period (.) on a line 4. Quit 4 Jan 2015 SE 428: Advanced Computer Networks 4

5 SMTP Trace 4 Jan 2015 SE 428: Advanced Computer Networks 5

6 SMTP Misc Verify mail address exists: VRFY Can refuse to answer Can answer only locally or even check globally May be disabled for security Expand name: EXPN Expands a mailing list name to its full list of users Often disabled for security Only a few common implementations sendmail, postfix Parsing is messy 4 Jan 2015 SE 428: Advanced Computer Networks 6

7 Retrieving Mail Post Office Protocol - POP Download s from server Can delete after USER PASS LIST RETR STAT DELE UIDL Internet Message Access Protocol - IMAP Designed to leave messages on server Internal folders Move messages across folders Search folders More flexible retrieval Just mail headers Just single attachments Much more complicated 4 Jan 2015 SE 428: Advanced Computer Networks 7

8 POP Trace 4 Jan 2015 SE 428: Advanced Computer Networks 8

9 POP Trace 4 Jan 2015 SE 428: Advanced Computer Networks 9

10 Mail Formats RFC 5322 (822) Header lines From To Subject Received Date All mail is encoded in ASCII (7bits) Multipurpose Internet Mail Extensions (MIME) Header lines: Content-Description Content-Type image/gif image/png text/plain text/richtext application/postscript application/msword Content-Transfer-Encoding ASCII or base64 Encoding scheme Everything in ASCII characters Use 64 values (A-Za-z0-9+/) Encode 3B 4 chars in base64 4 Jan 2015 SE 428: Advanced Computer Networks 10

11 MIME Example 4 Jan 2015 SE 428: Advanced Computer Networks 11

12 MIME Example 4 Jan 2015 SE 428: Advanced Computer Networks 12

13 So Far (SMTP, POP) Network Management (SNMP) ASN.1 Secure Sockets Layer 4 Jan 2015 SE 428: Advanced Computer Networks 13

14 Network Management When you have hundreds of servers and routers, it s hard to manage them all manually remote protocol Lets network admin track status Simple Network Management Protocol (SNMP) Request/Reply protocol (GET/SET) Requests from network nodes information types (Management Information Base MIB): System: General parameters Interfaces: Physical addresses, packets sent on each interface Address translation: ARP and translation tables IP: Routing table, number of successfully routed packets, reassembly, drops TCP: Connections, timeouts, resets, per connection information UDP: Datagrams sent and received 4 Jan 2015 SE 428: Advanced Computer Networks 14

15 Used to build dashboards 4 Jan 2015 SE 428: Advanced Computer Networks 15

16 Variables and ASN.1 Abstract Syntax Notation (ASN.1) Basic Encoding Rules (BER) Data items in the form: <tag, length, value> Tag: 8 bit field (can be multibyte) Length: how many bytes follow Less than 127 B, length has the length >127B, length has how many B in the length Value can nest other data items ASN.1 in SNMP Variables listed in dot notation : IP field called ipinreceives (number of IP datagrams received) : all MIB fields 4 is the IP group 3 is the ipinreceives field 4 Jan 2015 SE 428: Advanced Computer Networks 16

17 So Far (SMTP, POP) Network Management (SNMP) ASN.1 Secure Sockets Layer 4 Jan 2015 SE 428: Advanced Computer Networks 17

18 Secure Sockets Layer Secure Sockets Layer (SSL) for securing the Web Official Name: Transport Layer Security (TLS) Protocol Designed by Netscape in 1996 Adapted by IETF Now in RFC 5246 TLS 1.2 in Aug 2008 Many extensions and outside applications Most important use is on the web (HTTP) Commonly called HTTPS SSL has no relation to HTTP, however 4 Jan 2015 SE 428: Advanced Computer Networks 18

19 Secure Sockets Layer Main goal: Establish a secure communication channel between two computers Engineering security Different operating systems (easy) Different cryptographic services (harder) Different versions (harder) No Trusted Third Party (?) One side may not have any authentication tokens (harder) Also: It must be efficient Must be flexible It must be exportable Online negotiation (!) 4 Jan 2015 SE 428: Advanced Computer Networks 19

20 Secure Sockets Layer Solution: Add another layer in the protocol stack on top of TCP Well, two layers really Several sub-protocols too 4 Jan 2015 SE 428: Advanced Computer Networks 20

21 Sessions and Connections Setting up a secure conversation involves online negotiation Expensive! 2 RTTs minimum Web content is sent in a series of Requests Each request (connection) gets 1 item HTTP 1.1 changes this a bit That shouldn t mean we negotiate for each request! Solution: Long running Sessions and short lived Connections Do the negotiation once for the session Make many connections on the same session 4 Jan 2015 SE 428: Advanced Computer Networks 21

22 The SSL Protocols SSL Record Protocol Move data SSL Handshake Protocol Negotiate security decisions SSL Change Cipher Spec Activate the negotiated security decisions SSL Alert Protocol! 4 Jan 2015 SE 428: Advanced Computer Networks 22

23 SSL Record Protocol 1. Fragment packets into 2 14 bytes or less (16,384) 2. Compress (if you want) 3. Message Authentication Code (Keyed) Hash 4. Encrypt 5. Append Header Content Type (Protocol) Change Cipher Spec Alert Handshake Application_Data Major Version Minor Version Compressed length 4 Jan 2015 SE 428: Advanced Computer Networks 23

24 SSL Handshake Protocol Does the negotiation Four phases: 1. Establish client security capabilities 2. Establish server security tokens 3. Establish client security tokens 4. Implement the negotiated decisions Change Cipher Spec 4 Jan 2015 SE 428: Advanced Computer Networks 24

25 SSL Handshake Protocol Phase 1: Client Starts (Highest) SSL Version Client Nonce: n c Session Id If it s 0 a new session If it s not continue a session Cipher Suite List of crypto algorithms supported In order of preference Compression Method List of supported methods Client waits 4 Jan 2015 SE 428: Advanced Computer Networks 25

26 SSL Handshake Protocol Phase 1: Server Responds Chosen SSL Version Server nonce: n s Session Id Old one if continuing Chosen Cipher Suite Chosen Compression Method Phase 2: Server tokens Server Certificate (Optional) Request Client Certificate Server_Hello_Done 4 Jan 2015 SE 428: Advanced Computer Networks 26

27 SSL Handshake Protocol Phase 3: Client tokens Client verifies certificate Client sends security tokens Certificate (Optional) Signs previous messages with Certificate private key (Client Verify) If no certificate: Pre-master secret (48 bits) Encrypted with Server Key 4 Jan 2015 SE 428: Advanced Computer Networks 27

28 SSL Handshake Protocol Phase 4: Implement Client sends: Change Cipher Spec Server sends: Change Cipher Spec Both indicate they are ready to use what has been negotiated 4 Jan 2015 SE 428: Advanced Computer Networks 29

29 SSL Change Cipher Spec Simple protocol: 1 message with 1 byte of data Byte set to 1 Tells the other side to implement the agreed upon cipher suite 4 Jan 2015 SE 428: Advanced Computer Networks 30

30 SSL Alert Protocol Two bytes of data Byte 1: Severity of alert = 1: Warning = 2: Fatal (terminates connection) Byte 2: Alert Codes Examples: Close notify, Decompression failure, Bad certificate, Certificate revoked, Illegal parameter, Decode error, Insufficient security 4 Jan 2015 SE 428: Advanced Computer Networks 31

31 Reflection: SSL Enables secure communication over the internet Works even if only one side has a certificate (more on this later) Client authentication must be done some other way Main application for certificates and PKI Has helped sell many certificates (more on this later) Secures the communication channel But not the data stored on the other side A thief can still steal your credit card information from the server Has made it harder for governments to spy on web traffic 4 Jan 2015 SE 428: Advanced Computer Networks 32

32 Conclusion (SMTP, POP) Network Management (SNMP) ASN.1 Secure Sockets Layer 4 Jan 2015 SE 428: Advanced Computer Networks 33