Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Transcription

1 Network Security - Secure upper layer protocols - Dr. John Keeney 3BA33 Question from last lecture: What s a birthday attack? might think a m-bit hash is secure but by Birthday Paradox is not the chance that in a group of people two will share the same birthday only 23 people are needed for prob. >0.5 of this birthday attack works thus: For an m-bit hash, opponent generates 2 m /2 variations of a valid message all with essentially the same meaning opponent also generates 2 m /2 variations of a desired fraudulent message Hash the fraudulent message and find a matching hash (prob 0.5) from a valid message have user sign the valid message, then substitute the forgery which will have a valid signature conclusion is that need to use larger MACs Depending on hash algo birthday attacks can require larger hashes than brute force attacks. 19/04/ Background Slides Sources: Henric Johnson, Charlie Kaufman, Wikipedia, Andre E. Bar yudin, Lawrie Brown, Munehiro Fukuda. Recommended Reading: Stallings, W. Cryptography and Network Security: Principles and Practice, 2 nd edition. Prentice Hall, 1999 Scneier, B. Applied Cryptography, New York: Wiley, 1996 Pfleeger, C. Security in Computing. Prentice Hall, Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, Wikipedia Security is one of the most widely used and regarded network services currently message contents are not secure may be inspected either in transit or by suitably privileged users on destination system Secure protocols Pretty good privacy (PGP) S/MIME 19/04/ /04/

2 Pretty Good Privacy :PGP (Phil Zimmerman ) PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. It is availiable free on a variety of platforms. Commercial versions also avaialble Based on well known algorithms. Wide range of applicability Not developed or controlled by governmental or standards organizations PGP: Operational Description Consist of five services: Authentication Confidentiality Compression compatibility Segmentation 19/04/ /04/ PGP Operation Authentication 1. sender creates a message 2. SHA-1 used to generate 160-bit hash code of message 3. hash code is encrypted with RSA using the sender's private key, and result is attached to message 4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code 5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic PGP Operation Confidentiality 1. sender generates message and random 128-bit number to be used as session key for this message only 2. message is encrypted, using CAST-128 / IDEA/3DES with session key 3. session key is encrypted using RSA with recipient's public key, then attached to message 4. receiver uses RSA with its private key to decrypt and recover session key 5. session key is used to decrypt message 19/04/ /04/

3 PGP Operation Confidentiality & Authentication uses both services on same message create signature & attach to message encrypt both message & signature attach RSA encrypted session key PGP Operation Compression by default PGP compresses message after signing but before encrypting Plaintext has much more repetition / compressibility than encrypted data. uses ZIP compression algorithm 19/04/ /04/ PGP Operation Compatibility when using PGP will have binary data to send (encrypted message etc) however was designed only for text hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC The use of radix-64 expands the message by 33%. PGP Segmentation and Reassembly Often restricted to a maximum message length of 50,000 octets. Longer messages must be broken up into segments. PGP automatically subdivides a message that is to large. The receiver strips off all headers and reassemble the block. 19/04/ /04/

4 Summary of PGP Services Function Algorithm Used Digital Signature SHA digest / RSA or DSS Encrypt Message CAST or IDEA or 3DES Encryption with Diffie-Hellman or RSA Compression ZIP Radix-64 conversion Compatibility Segmentation - Format of compressed and signed PGP Message Encrypted with Recipient s public key Signed / Encrypted with Sender s private key Encrypted with Session key K s 19/04/ /04/ PGP Public & Private Keys / Key IDs and Key Rings since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message could send full public-key with every message but this is inefficient rather use a key identifier based on key is least significant 64-bits of the key will very likely be unique also use key ID in signatures PGP Key Rings each PGP user has a pair of keyrings: public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted with a hashed passphrase 19/04/ /04/

5 PGP Key Management rather than relying on certificate authorities in PGP every user is own CA can sign keys for users they know directly forms a web of trust trust keys have signed can trust keys others have signed if have a chain of signatures to them key ring includes trust indicators users can also revoke their keys S/MIME Secure/Multipurpose Internet Mail Extension Backed by mail producers of products + Microsoft/Netscape/Novell... S/MIME will probably emerge as the industry standard. PGP for personal security 19/04/ /04/ Simple Mail Transfer Protocol (SMTP, RFC 822) SMTP Limitations - Can not transmit, or has a problem with: executable files, or other binary files (jpeg image) national language characters (non-ascii) messages over a certain size ASCII to EBCDIC translation problems lines longer than a certain length (72 to 254 characters) MIME MIME provided support for varying content types and multi-part messages for with encoding of binary data to textual form MIME-Version: Must be 1.0 -> RFC 2045, RFC 2046 Content-Type: More types being added by developers (application/word) Content-Transfer-Encoding: How message has been encoded (radix-64) Content-ID: Unique identifying character string. Content Description: Needed when content is not readable text (e.g.,mpeg) Content: Multipart messages are divided up into multiple typed MIME parts using boundary markers specified in the header 19/04/ S/MIME defines a new MIME type 19/04/2007 Application/x-pkcs7-mime 20 5

6 S/MIME Functions enveloped data encrypted content and associated keys signed data encoded message + signed digest clear-signed data cleartext message + encoded signed digest signed & enveloped data nesting of signed & encrypted entities 19/04/ S/MIME: Algorithms Used Message Digesting: SHA-1 and MD5 Digital Signatures: DSS DSS is an US Federal cypto algorithm for signing only, very similar to RSA singing Secret-Key Encryption: 3DES, RC2/40 (exportable) Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie- Hellman (for session keys). 19/04/ Secure Network Channels Transport Layer Security TLS / Secure Sockets Layer SSL Secure Shell: SSH SSL (Secure Socket Layer) transport layer security service originally developed by Netscape version 3 designed with public input subsequently became Internet standard known as TLS (Transport Layer Security) uses TCP to provide a reliable end-to-end service SSL has two layers of protocols 19/04/ /04/

7 SSL Architecture SSL session an association between client & server created by the Handshake Protocol define a set of cryptographic parameters may be shared by multiple SSL connections SSL connection a transient, peer-to-peer, communications link associated with 1 SSL session SSL Architecture Application Protocols, e.g. HTTP 19/04/ /04/ SSL Record Protocol SSL Record Protocol Operation Confidentiality (Encryption) using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption Message integrity (Signing) using a MAC with shared secret key similar to HMAC but with different padding 19/04/ /04/

8 SSL Record Format SSL Change Cipher Spec Protocol one of 3 SSL specific protocols which use the SSL Record protocol a single message causes pending state to become current hence updating the cipher suite in use 19/04/ /04/ SSL Alert Protocol conveys SSL-related alerts to peer entity severity warning or fatal specific alert unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data SSL Handshake Protocol Used before any application data are transmitted. allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish 19/04/ /04/

9 SSL Handshake Protocol SSL Record Protocol Payload 19/04/ /04/ SSH protocol details The following layers (protocols) exist: Transport (over TCP/IP or other), data integrity/compression, host authentication User authentication layer Connection layer File transfer protocol (sftp) Protocol version, encryption algorithms, authentication schemes are negotiated SSH Transport: (SSH-TRANS) Negotiation of the encryption algorithms and compression Data flow directions client->server and server->client are independent, may use different encryption and hash algos If compression is enabled, the data is first compressed and only then encrypted Exchange lists of supported algorithms Provides an encrypted channel between client and server client authenticates server by RSA both negotiate encryption algorithm Together establish a session key establish a signing key for each direction establish an encryption key for each direction If the Client does not already have a public key for server hostname, the public key is presented to the user and the they are asked if they want to use (risk) it. Default button is yes! From here on every message exchanged should be encrypted/signed by an appropriate key (MAC signatures) 19/04/ /04/

10 SSH User Authentication (SSH-AUTH) Runs on top of transport layer 3 ways to authenticate Use session key from SSH-TRANS to encrypt password Use public key encryption Use host-based authentication SSH Connection (SSH-CONN) Runs over the transport layer, utilizes the authentication layer Multiplexes the encrypted tunnel provided by it into several logical channels Channel can be opened by either side Provides Interactive sessions Remote command execution X11 forwarding TCP/IP port forwarding 19/04/ /04/ SSH File Transfer Layer (scp/sftp) Runs on top of Connection Layer Provides file transfer Provides general file system access Driven by commands similar to FTP There s a Linux module implementing a file system using sftp Security since it gives access to the file system, can be potentially dangerous SSH versus SSL/TLS Use similar cryptographic ideas and schemes In real world SSL is much more platform neutral SSH about 2M of users around the world SSL almost every computer, e-commerce, MS Messenger etc. SSL/TLS server authentication is optional: the protocol supports fully anonymous operation. In SSH-TRANS, server authentication is mandatory, even if glossed over by the user. Unlike SSH, SSL/TLS uses X.509, which is heavy weight. However, a PKI system provides scalable key management, which SSH currently lacks. SSL/TLS does not provide the range of client authentication options that SSH does; public-key is the only option. SSL/TLS does not have the extra features provided by the SSH Connection Protocol (SSH-CONN). 19/04/ /04/