Internet security protocols

Transcription

1 Internet security protocols

2 In this lecture: SSH Kerberos SSL/TLS

3 SSH protocol is used to mutually authenticate the Client and the Server and to establish a secure channel between them. It consists of Transport Layer Protocol unilaterally authenticates the Server to the Client. Establishes a channel that the Client deems secure. User Authentication Protocol authenticates the Client to the Server. Connection Protocol multiplexes the secure channel into several logical channels.

4 Transport layer protocol. 0. Client and Server establish connection. 1. Both sides send to each other the key exchange messagesá,áëcontaining a nonceæ,æë; the protocol and software versions; lists of names of accepted key exchange protocols and cryptographic primitives, in order of preference. Primitives are asymmetric primitives symmetric encryption primitives MAC primitives

5 If D-H key exchange with the chosen, then group Ô, Õ ½ 2. Client choosesü¾ê Õ, sends ÜÑÓ Ôto 3. Server Server. choosesý¾ê Õ, computes ÝÑÓ Ô; computes ÝÑÓ Ô; computesà Á ÁË pk Ã˵ µ; sends pk Ã˵ À Ã˵to Client. 4. Client checks whether it recognizes pk Ã˵; recomputes À, checks the signature.

6 The shared secretãand the hashàare used to derive keys and initial vectors for the secure channel: IV Ëis À A µ; IVË is À B µ; same for encryption keys and MAC keys ( Ëand Ë ). ÀforÀfrom the initial key exchange. All further communication is encrypted and MAC-ed. Both sides may initiate a new exchange of keys.

7 A payloadåis encoded in a packet as whereô is used to make the length of packet a multiple of the cipher block length. È Ô ØÐ Ò Ô Ò Ð Ò Å Ô Ò µ A packet is encoded as where ÕÒÓ¾ ¾ ¾. È Ãenc MACÃmac ÕÒÓ Èµµ Encryption: actually the stream of is encrypted, not each packet separately. Standard suggests using some block cipher in the CBC-mode. packetsè½ È¾ È Exercise. What is the problem here with MACs? With encrypting?

8 User authentication protocol. Password-based: Client sends his name and password. Server checks that (name,password)-pair is valid. Signature-based: Client sends his public key and a signature on various things: including the session identifier. Server checks the knowledge of the key and the signature.

9 Connection protocol. Not a security protocol.

10 Kerberos protocol suite provides a single sign-on to various services offered on a corporate network. corporate there exists a single authority. Each useríhas a single password (shared keyãí). It is agreed out-of-band.

11 The intranet of a large corporation: Several domains. in different geographic locations Each domain contains several serversë. Each domain has a ticket-granting serverì Ë. There is a global authentication server Ë.

12 2. Ë :Í Ì Ì Ë Ì Ì, where To get a service from a serverë, the client on behalf of the userífirst connects the Ë: HereÌÁ½is the desired validity interval (start and end Ë:Í Ì Ë ÌÁ½ ƽ 1. times) of the ticket. ÌÁ¾is not intended as a security feature here. Ì Ì Ì Ë Ã Ì Ë ÌÁ¾ ƽ ÃÍ Ì Ì Ë Í Ì Ë Ã Ì Ë ÌÁ¾ Ã Ë Ì Ë

13 :Í Ì Ë ÌÃÌ, where Ì Ë Í Ë Ã Ë ÌÁ ÃÌ Ë Ë 4.Ì Ë ÌÃÌ Ë Ã Ë ÌÁ ƾ Ã Ì Ë then contactsì Ëin a similar manner: The last component (the authenticator) shows that Ì Ë:Ë ÌÁ ƾ Ì Ì Ë ÌÙÖÖ Ã Ì Ë 3. the client could decryptì Ì. They should be cached to make sure that they re not used twice.

14 andëthen authenticate using the shared keyã Ë: also andë. Ë:Ì Ë ÌÙÖÖ Ã Ë 5. : ÌÙÖÖ Ã Ë 6.Ë The keyã Ëis used to secure the channel between

15 Ë: Æ 1. : Ã ÌÁ Æ Ã Ë Ã ÌÁ Ã Ë 2.Ë : Ã ÌÁ Ã Ë ÌÙÖÖ Ã : ÌÙÖÖ Ã The exchanges 1-2 and 3-4 followed a common pattern: wants to talk to. andëshare a keyã Ëfor ¾.

16 A S1 S2 S3 Somewhat similar to hierarchical PKI... B

17 AS TGS Server Client Source of the name Kerberos.

18 TLS consists of Handshake protocol Typical public-key protocol Client sends server a secret value encrypted with server s public encryption key. The keys are derived from this secret value. The public keys are found from certificates. Record protocol

19 Record protocol encapsulates the payloads. A payload Åis translated to whereô is used to make the length of the argument of ÁÎ Å MACÃÑ ÕÒÓ Åµ Ô Ã Òµ the encryption a multiple of block length. LetÐbe the length ofô in bytes. and the bytes inô are all equal toð ½. Then½ Ð ¾ well as encryption and tagging algo- à ÒandÃÑ, as rithms have been agreed in the handshake protocol.

20 If a party receives an encrypted packet from the other party, then he Decrypts the packet. Checks that the padding is correct (at leastðlast bytes have valueð the ½forÐ ½). If the check fails, then sends an error message, otherwise... Checks the MAC. If the check fails then sends an error message. Otherwise proceeds.

21 This party may be implementing an oracle that tells whether the padding was correct. Error message due to incorrect padding and error message due to incorrect MAC may take different amount of time to compute. Access to such an oracle allows us to decrypt. Hence the implementation must make sure to insert delays as appropriate.

22 CBC-mode: Let us be interested in the value ½ D µ. ½ E ÁÎ Ô½µ ½ Ô µ E ofô LetÖbe a random block. SendÖ to the oracle. If it answers padding OK then most probably Exercise. How many tries? How to verify that equation? We have foundð µ. This tells usð Ô µ. Ð Ö D µµ ¼½½ LetÖ¼ Ö ¼ ½. ThenÐ Ö¼ D µµ ¼¾½. VaryÖ¼(except last 8 bits), until the second last byte of Ö¼ D µequals¼¾½. Etc. Third, fourth, etc. byte...