WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Transcription

1 Outline WEB Security & SET (Chapter 19 & Stalling Chapter 7) Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction (SET) Web Security Considerations Internet is two way WWW is essentially client/server application running over the Internet t the Web is vulnerale to attacks on the Web server over the Internet Web is highly visible If the Web servers are subverted... Web servers are easy to configure and manage. Users are not aware of the risks. Security facilities in the TCP/IP protocol stack IPSec: Transparent to end users & applications. IPsec includes a filtering capability->only the selected traffic incur its overhead SSL/TLS General solution or embedded in specific application package Application-specific security services embedded within the particular application (e.g, PGP, SET). 1

2 SSL & TLS SSL was originated by Netscape TLS working group was formed within IETF First version of TLS can be viewed as a SSLv3.1 SSLv1 (Netscape)->SSLv3, SSLv2 (MS)->PCT SSL intend to provide a practical, widely applicable connection-oriented mechanism for Internet client-server communications security Characteristics of SSL Generic enough to be incorporated into many applications Provides security between the transport (TCP protocol) and upper application layer protocol Supports encryption, authentication, and key exchange Encrypts data so that anyone who intercepts is unable to read it. Assures clients that they are dealing with the server they intend to connect to (server authentication). Prevents any unauthorized clients from connecting to the server. Prevents anyone from meddling with data going to or coming from the server (message integrity). Characteristics of SSL Provides a secure channel Works for any TCP-based protocol: HTTP ( port 443); SIMAP (port 993); SPOP (port 995); NNTP; telnet Can t protect UDP-based protocol: SNMP; NFS; DNS; voice-over-ip for ITU R323 Widely used in Web browsers and servers Server nearly always authenticated, client more rarely usually by RSA signature, but other signature schemes supported, e.g. DSS (Digital Signature Standard) Key agreement usually by client sending RSAencrypted secret to server Diffie-Hellman also supported 2

3 Functional Model of SSL Two layers: SSL Architecture 3 higher-layer protocols: management of SSL exchange Handshake, change cipher spec, alert SSL record protocol provides basic security services to various higher-layer protocol (e.g., http) SSL protocols Handshake Protocol : authentication of the parties in the comm., negotiation of the encryption and hash algorithms, exchange of the PreMasterSecret, which will be used later to generate the auth. and encryption keys through the use of MasterSecret. ChangeCipherSpec (CCS) Protocol: Indicates the record layer any changes in the security parameters Alert Protocol: Indicate errors encountered during message verification and any incompatibility during Handshake Record Protocol: Applies all the negotiated security parameters between the two parties wishing to exchange info., and protects the data coming from the application layer as well as all the messages originated in the other three sub-protocols Exchange of information in SSL Exchange of information in SSL occurs in two phases: Preliminary phase: SSL identifies the parties, negotiates the cryp. attributes, generate and distribute the keys (handshake) Second phase: date exchange occur, security depends on alg. and parameters It is possible to signal an intrusion or an error at any time by Alert Protocol 3

4 Session & Connection Session Created by handshake, defines same cryptographic security parameters for multiple connections Authentication is done once for each session Session parameters: ID, peer certificate, compression method, cipher spec, master secret, is resumable. Connection A transport with some services, associated with a session Connection parameters: Server and client random no.; parameters of the hashing algorithm at both client/server; block encryption keys for both client/server; IV for both sides; A sequence number for each connection Session A SSL session is uniquely identified w/ six state variables Session Identifier: an arbitrary byte sequence chosen by the server to identify an active or resumable session state Peer Certificate: X509 certificate of the peer Compression Method: The alg. used to compress data prior to encryption Cipher Spec: - Cipher suite bulk data encryption algorithm (e.g., null, DES), a MAC alg. (e.g. MD5 or SHA-1), etc MasterSecret: 48-byte secret shared between the client and server Resumable: A flag indicating whether the session can be used to initiate new connections Recognized suites in SSL Cipher Suite: the set of encryption & hash algorithms In order to establish a session key, client & server must agree on a shared secret key. Cipher Spec. Used for encrypting the traffic sent between client and server. RC4-128-bit or 40-bit keys TripleDES bit keys, with 112 bits of effective strength IDEA bit keys Fortezza - 80-bit keys DES - 56-bit keys RC2-40 bit keys Not all SSL/TLS implementation support all algorithms. For sensitive data use secret key ciphers of 128 bits or more. 4

5 Generation of MasterSecret at the Startup of a session A pre-master-secret is exchanged first: RSA, or Diffie-Hellman. Both sides compute master secret based on pre-master-secret. Cryptographic Computations: Details Client generates a 48-byte pre-mastersecret s p Master secret : s m =MD5(s p SHA( A s p r c r s )) MD5(s p SHA( BB s p r c r s )) MD5(s p SHA( CCC s p r c r s )) Where r c,s : client, server random Connection Parameters to define the state of a connection: Server & Client-random 32-bytes, generated at the establishment of a session and for each new connection Server/client write MAC secret (encryption) Secret used in MAC operations on data written by the server/client Server/client write key Bulk cipher key for data encrypted by the server/client and decrypted d by the client/server IV: for CBC mode (one for client, one for server) initialized by SSL handshake protocol Sequence number (both sides): prevent replay attack Generation of secrets & IV at the startup of a connection Session key: same as previous, but use the master secret in place of s p to generate byte stream to cut out: Client, server MAC secret; Client, server write key; Client, server IV s m =MD5(s p SHA( A s p r c r s )) MD5(s p SHA( BB s p r c r s )) MD5(s p SHA( CCC s p r c r s )) Where r c,s : client, server random 5

6 Handshake Protocol The most complex part of SSL. Allows the server & client to authenticate each other. Negotiate t encryption, MAC algorithm and cryptographic keys. SSL Handshake protocol: steps exchange Hello messages to agree algorithms ( ciphersuites ) exchange fresh nonces check for session resumption agree secret material for pre_master_secret authenticate by exchanging certificates and proving knowledge of related private key generate master_secret from pre_master_secret and nonces verify integrity of these messages Message exchange of handshake protocol: the establishment of a new session Message of Handshake Protocol 6

7 Message exchange of handshake protocol: a connection establishment SSL Change Cipher Spec Protocol Consists a single 1-byte message to indicate to the Record protocol that the encryption can start w/ the security parameters that have been negotiated It cause the pending Cipher Spec state to be copied into the current Cipher Spec state, which updates the cipher suite to be used on this connection by the Record Layer SSL Record Protocol RP participates only after the transmission of the ChangeCipherSpec message During the establishment of a session Encapsulate the handshake data During the encryption phase Receive data from upper layers (handshake, alert, ChangeCipherSpec, p application layers), and transmit them after performing the following actions: Fragment data in blocks of maximum size of 2 14 bytes Data compression (optional) SSL Record Protocol Operation 7

8 2 services: Confidentiality, message integrity Layered protocol: Fragment application data into blocks Compress data Apply message authentication code (MAC) = h(m s) for message m and secret s Encrypt with client (cw) or server (sw) write key Transmit over TCP Specify content type for higher protocols SSL Record Protocol SSL Record Protocol Payload SSL Alert Protocol Signals alarm message when an error occurred Messages of the Alert Protocol Indicates the change of states like the closing of a connection Given the same treatment in the Record layer as those of the Application layer or the handshake protocol. 8

9 SSL based Virtual Private Networks (VPNs) What is a VPN? A virtual network is one that provides virtual circuits using the facilities of a real network Uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users intranet work access It is secure, encrypted & scalable VPN in detail Conventional IPSec VPNs Users are connected to the corporate resources by a tunnel over the internet IPSec operates at network layer, Once the tunnel is created, it is as if the user's PC is physically on the corporate LAN, and the user can directly access corporate applications. SSL VPNs Uses SSL and proxies to provide authorized use to the company s resources SSL VPN gateways are set up at the edge of the corporate network and serve as a proxy (or go between) to LAN applications Web browser connects to the VPN gateway just as it would to a web server The browser thinks it is communicating directly with the application; application thinks it is communicating directly with the browser or client software. Pros & Cons of SSL VPN Advantages of SSL VPNs Easier to set up and administrate Cost effective Provide access from anywhere Proxy provides increased security Good Interoperability Disadvantages of SSL-based VPNs Grant access only to web applications SSL provides inferior authentication as compared to IPSec 9

10 IPSec vs. SSL SSL Application: Online Credit Card Payment Two main security yprotocols to protect online payment: SSL & SET General Steps for Credit Card Payment Requirements of Secure Online Credit Card Payment Privacy Transaction information has not been intercepted. Integrity Transactions information has not been altered. Non-repudiation Transaction cannot be denied, and contract is enforceable. Authentication Sender is who she/he purports to be. 10

11 How does SSL secure WWW? SSL vs. S-HTTP S-HTTP: a secure extension of HTTP By Enterprise Integration Technologies Both provides secure communicate w/ web server Confidentiality, authentication, ti ti and data integrity it SSL encrypts the entire Internet session at a lower-level protocol. S-HTTP works on the same layer with HTTP layer. SSL used special handshakes to establish the secure connection. S-HTTP defines a security negotiation header for packets sent during the web session. 1. Parameter negotiation (handshake) 2. Server authentication 3. Client authentication (only on request) 4. Key Exchange 5. Confidential and authenticated message exchange SSL s secure options are preconfigured in the browser and servers, making SSL easier to use. S-HTTP s secure a vast array of options for enforcing the secure properties -> more difficult to configure SSL is the dominant technology for securing Web session in the marketplace SSL Roundup SSL protocol was developed by Netscape in First version, 1.0 The most widely deployed security protocol: Secure browsers, e.g., Netscape, MS Explorer Secure servers, e.g., Netscape, Microsoft Competitors: S-HTTP PCT (private communication technology) = SSLv2 by MS Defined in RFC2246, Open-source implementation at Secure Electronic Transactions An open encryption and security spec./standard Protect credit card transaction on the Internet Companies involved: MasterCard,, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign Set of security protocols and formats 11

12 SET Overview Privacy: Uses 1024 bit public key cryptography which renders the intercepted message unreadable! Integrity: Hashing & signing ensures message sent is unaltered Authentication: Uses digital certificates (X.509v3) to ensure the parties are really who they claim to be. SET Business Requirements Provide confidentiality of payment and ordering information Ensure the integrity of all transmitted data Provide authentication that a cardholder is a legitimate user of a credit card account Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution (payment gateway) Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction Facilitate and encourage interoperability among software and network providers SET Transactions in Picture Components: Cardholder; Merchant; Acquirer/payment Gateway; customer s bank SET Participants 12

13 Key Technologies of SET Confidentiality of information: DES Integrity of data: RSA digital signatures with SHA-1 hash codes Cardholder account authentication: X.509v3 digital certificates with RSA signatures Merchant authentication: X.509v3 digital certificates with RSA signatures Privacy: separation of order and payment information using dual signatures Dual Signature Purpose: extra protection of privacy, by separating Customer sends order information (OI) to merchant Customer sends payment information (PI) to bank Link is needed Customer can prove a payment is intended for a specific order Construction of Dual Signature DS E KR c [ H ( H ( PI) H(OI))] Payment processing DS E [ H ( H ( PI) H(OI))] KR c Source: W. Stallings, Cryptography and Network Security Cardholder sends Purchase Request 13

14 Payment processing DS E KRc [ H ( H ( PI ) H(OI))] Payment processing Cardholder registration Merchant registration Purchase request/verification Payment Authorization: (x.509) Authorization Request (from merchant to payment gateway) Authorization Response Merchant Verifies Customer Purchase Request Payment Capture Capture Request Capture Response How safe is SET? Uses 1024 bit cipher keys, making it one of the strongest encryption applications. Public key crypt. used Secret key crypt. used If we use 100 computers each processing 10 MIPS, it would take 2.8 x years to break just ONE encrypted message!!!! Source: Recommended Reading and WEB sites Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999 Garfinkel, S., and Spafford, G. Web Security & Commerce. O Reilly and Associates, 1997 MasterCard SET site Visa Electronic Commerce Site SETCo (documents and glossary of terms) 14