TLS security protocol, Firewalls Diana Berbecaru < diana.berbecaru @ polito.it > Politecnico di Torino Dip. Automatica e Informatica Security internal to the applications APP #1 sec... APP #N sec logical channel (socket) TCP IP network each application implements security internally the common part is limited to the communication channels (socket) possible implementation errors (inventing security protocols is not simple!) does not guarantee interoperability APP #1... secure logical channel Security external to applications APP #N sec logical channel (socket) TCP IP network the session level would be the ideal one to be used to implement many security functions but it does not exist in TCP/IP! a secure session level was proposed: it simplifies the work of application developers it avoids implementation errors it is up to the application to select it (or not) Diana Berbecaru - Politecnico di Torino (2006-2012) 1
SSL (Secure Socket Layer) / TLS standard for Internet security originally proposed by Netscape Communications secure transport channel (session level), which provides: authentication (server, server + client), message confidentiality, authentication and integrity of messages, protection against replay attacks and filtering versions: SSL v2 (obsolete) SSL v3 (current) TLS, standard IETF - versions TLS 1.0, 1.1, 1.2 History of SSL/TLS SSL v1 (1994) was never released, SSL v2 (1994) was proposed by Netscape as component of its product: Netscape Navigator 1.1 Microsoft solved some security problems in SSL and released his own protocol (incompatible with SSL v2): PCT (Private Communications Technology) SSLv3 was released by Netscape (1995), as revision of the preceding version IETF intervened by proposing TLS (Transport Layer Security) protocol the differences between TLS and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate. Evolution of SSL/TLS Diana Berbecaru - Politecnico di Torino (2006-2012) 2
SSL applications easily applicable to all protocols based on TCP: HTTP, SMTP, NNTP, FTP, TELNET,... e.g. the famous secure HTTP (https://...) = 443/TCP official ports for SSL applications (examples) https 443/tcp # http protocol over TLS/SSL smtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp) nntps 563/tcp # nntp protocol over TLS/SSL (was snntp) ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap) ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL telnets 992/tcp # telnet protocol over TLS/SSL pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3) SSL/TLS uses: SSL/TLS cryptography asymmetric cryptography for peer authentication and key exchange symmetric encryption for confidentiality the key used to encrypt differs between session: session key message authentication codes (MAC with key) for integrity and message authentication the key used to calculate MAC is different at each session and differs from the key used for encryption sequence numbers for protection against replay attacks and filtering SSL authentication and integrity peer authentication at the channel setup: the server authenticates itself by sending its public key (X.509 certificate) and by responding to an asymmetric challenge the client authentication (with public key and X.509 certificate) is optional for authentication and integrity of the data exchanged over the channel the protocol uses: a keyed digest (MD5 o SHA-1) an MID to avoid replay and cancellation Diana Berbecaru - Politecnico di Torino (2006-2012) 3
SSL - confidentiality the client generates a session key used for symmetric encryption of data (RC2, RC4, DES, 3DES or IDEA) the key is sent to the server after having encrypted it with the public key of the server (RSA, Diffie Hellman or Fortezza-KEA) SSL (1) https://www.polito.it/ (2) security configuration secure Web server (3) cert (www.polito.it) (3bis) server challenge /response (4) cert (user) (4bis) client challenge /response (5) secure channel (SSL) browser SSL components SSL is composed by two level protocols: (1) SSL Handshake Protocol: negotiates the security parameters and performs the key exchange; (2) SSL Record Protocol: allows the exchange of SSL records as elementary unit of transmission two other protocols are present: (3) SSL Change Cipher Spec Protocol: signals the change of the cipher(s), in particular indicates the start of the encrypted communication; (4) SSL Alert Protocol: sends error messages and warning messages Diana Berbecaru - Politecnico di Torino (2006-2012) 4
SSL-3 architecture SSL handshake protocol SSL change cipher spec protocol SSL alert protocol application protocol (e.g. HTTP) SSL record protocol reliable transport protocol (e.g. TCP) network protocol (e.g. IP) SSL Handshake Protocol allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used comprises a series of messages in phases establish security capabilities server authentication and key exchange client authentication and key exchange Finish SSL Alert Protocol conveys SSL-related alerts to peer entity severity warning or fatal specific alert unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data Diana Berbecaru - Politecnico di Torino (2006-2012) 5
SSL-2 architecture SSL handshake protocol application protocol (e.g. HTTP) SSL record protocol reliable transport protocol (e.g. TCP) network protocol (e.g. IP) SSL Session and SSL Connection SSL session an association between client & server created by the Handshake Protocol define a set of cryptographic parameters may be shared by multiple SSL connections SSL connection a transient, peer-to-peer, communications link associated with 1 SSL session Tipical web transaction: Session-id 1. open, 2. GET page.htm, 3. page.htm, 4. close 1. open, 2. GET home.gif, 3. home.gif, 4. close 1. open, 2. GET logo.gif, 3. logo.gif, 4. close 1. open, 2. GET back.jpg, 3. back.jpg, 4. close 1. open, 2. GET music.mid, 3. music.mid, 4. close If the SSL cryptographic parameters must be negotiated every time, then the computational load becomes high. Diana Berbecaru - Politecnico di Torino (2006-2012) 6
Session-id in order to avoid re-negotiation of the cryptographic parameters for each SSL connection, the SSL server can send a session identifier (that is more connections can be part of the same logical session) if the client, when opening the SSL connection, sends a valid session-id then the negotiation part is skipped and data are immediately exchanged over the secure channel the server can reject the use of session-id (always or after a time passed after its issuance) SSL with session-id (1) https://www.polito.it/ (1bis) session-id secure Web server browser (5) secure channel (SSL) SSL-3 record protocol application data fragmentation F1 F2 compression computation of MAC MAC padding MAC P encryption header H Diana Berbecaru - Politecnico di Torino (2006-2012) 7
TLS-1.0 record format uint8 type = change_cipher_spec (20), alert (21), handshake (22), application_data (23) uint16 version = major (uint8) + minor (uint8) uint16 length: type <= 2**14 (record not compressed) for compatibility with SSL-2 <= 2**14 + 1024 (compressed records) major minor length... fragment [ length ]... SSL computation of MAC MAC = message_digest ( key, data, padding, seq_number) message_digest depends on the chosen algorithm key sender-write-key or receiver-read-key seq_number 32-bit integer SSL-3: new features with respect to SSL-2 data compression: optional before encryption (after it s not useful anymore ) data encryption is optional: in order to have only authentication and integrity possibility to re-negotiate the SSL connection: periodical change of keys change of the algorithms Diana Berbecaru - Politecnico di Torino (2006-2012) 8
SSL-3 handshake protocol agree on a set of algorithms for confidentiality and integrity exchange random numbers between the client and the server to be used for the subsequent generation of the keys establish a symmetric key by means of public key operations (RSA, DH o Fortezza) negotiate the session-id exchange the necessary certificates Source: W. Stallings: Cryptography and Network Security SSL/TLS connection phases (according to protocol specification) Handshake SSL(v3.0) / TLS (v1.0 e 1.1) Client Hello Certificate* Client Key Exchange Certificate Verify* Change Cipher Spec Finished Server Hello Certificate* Server Key Exchange* Certificate Request* Server Hello Done Change Cipher Spec Finished NOW THE CLIENT AND THE SERVER CAN USE SYMMETRIC CRYPTOGRAPHY Data Transfer Teardown Application Data Alert Close Notify Application Data Alert Close Notify Client Server *) = Indicate optional messages or context dependent and that are not always sent. Diana Berbecaru - Politecnico di Torino (2006-2012) 9
Phases of a typical SSL/TLS connection (no ephemeral public keys, no client auth) List of CIPHER SUITEs + CLIENT RANDOM ENCRYPTED SYMMETRIC KEY Handshake ACTIVATION ENCRYPTION ON CLIENT SIDE CONFIRMS ALG. + MAC of ALL HANDSHAKE MESSAGES Client Hello Server Hello Certificate Server Hello Done Client Key Exchange Change Cipher Spec Finished Change Cipher Spec Finished NOW CLIENT AND SERVER CAN USE SYMMETRIC CRYPTOGRAPHY CIPHER SUITE SELECTED + SERVER RANDOM CONTAINS THE PUBLIC KEY USED TO ENCRYPT THE SYMMETRIC KEY (can contain a certificate chain) NEGOTIATION SERVER FINISHED ACTIVATION ENCRYPTION ON SERVER SIDE CONFIRMS ALG. + MAC of ALL HANDSHAKE MESSAGES Data Transfer Teardown Application Data Alert Close Notify Application Data Alert Close Notify Client Server Phases of an SSL/TLS connection with client authentication Handshake SSL(v3.0) / TLS (v1.0 e 1.1) Client Hello Server Hello Accepted CAs and types of Client certificate or Certificate accepted certificate chain Certificate Request certificates (e.g. X.509) Used by the server to Server Hello Done Certificate verify the client: contains the signature of Client Key Exchange all handshake messages exchanges so far (so Certificate Verify that an attacker cannot change the client Change Cipher Spec certificate) Finished Change Cipher Spec Finished NOW CLIENT AND SERVER CAN USE SYMMETRIC CRYPTOGRAPHY Data Transfer Teardown Application Data Alert Close Notify Client Application Data Alert Close Notify Server Phases of an SSL/TLS connection with ephemeral public keys LIST CIPHER SUITEs + CLIENT RANDOM If RSA is used: encrypted symmetric key; If DH is used: Handshake client exponent SSL(v3.0) / ACTIVATE ENCRYPTION TLS (v1.0 ON CLIENT SIDE and 1.1) CONFIRMS ALG. + MAC of ALL HANDSHAKE MESSAGES Client Hello Client Key Exchange Change Cipher Spec Finished Server Hello Certificate Server Key Exchange Server Hello Done CIPHER SUITE SELECTED +SERVER RANDOM RSA/DSA signature applied on an RSA key or on a DH exponent (see Note) NEGOTIATION SERVER FINISHED ACTIVATE ENCRYPTION ON SERVER SIDE Change Cipher Spec CONFIRMS ALG. + MAC of ALL Finished HANDSHAKE MESSAGES Data Transfer Teardown NOW CLIENT AND SERVER CAN USE SYMMETRIC CRYPTOGRAPHY Application Data Application Data Alert Close Notify Alert Close Notify Diana Berbecaru - Politecnico di Torino (2006-2012) 10
Cryptographic material in SSL master secret generated by both parties (client and server) from a premaster secret and from random values generated both by the client and server key material generated from the master secret and from shared random values encryption keys, MAC and IV extracted from the key material Generation of Master Secret THE PUBLIC KEY OF THE SERVER IS SENT IN Certificate and/or ServerKeyExchange CLIENT GENERATES THE PREMASTER SECRET AND ENCRYPTS IT WITH THE PUBLIC KEY OF THE SERVER CLIENT SENDS THE PREMASTER SECRET (encrypted) IN ClientKeyExchange SENT BY THE SERVER IN ServerHello SENT BY THE CLIENT IN ClientHello ll MASTER SECRET IS COMPOSED BY 3 MD5 HASH VALUES, CONCATENATED = 384 BITS Source: THOMAS, SSL AND TLS ESSENTIALS Generation of Key Material SIMILAR TO THE CONSTRUCTION OF MASTER SECRET... ONLY THAT IN THIS CASE IT IS USED THE MASTER SECRET INSTEAD OF THE PREMASTER SECRET Source: THOMAS, SSL AND TLS ESSENTIALS Diana Berbecaru - Politecnico di Torino (2006-2012) 11
Keys extracted from Key Material SECRET KEYS USED TO CALCULATE THE MAC SYMMETRIC KEYS INITIALIZATION VECTORS (IV) USED FOR ENCRYPTION WITH SYMMETRIC BLOCK ALGORITHMS (AES, DES, RC2) IN CBC MODE Source: THOMAS, SSL AND TLS ESSENTIALS TLS Transport Layer Security standard IETF: TLS-1.0 = RFC-2246 (jan 1999) TLS-1.1 = RFC-4346 (apr 2006) TLS-1.0 = SSL-3.1 (99% similar to SSL-3) emphasis on standard (i.e. not proprietary) digest and crypto algorithms: DH + DSA + 3DES HMAC... that is the ciphersuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Firewalls lots of vulnerabilities on hosts in network users don t keep systems up to date lots of patches lots of exploits in wild (no patch for them) solution? limit access to the network put firewalls across the perimeter of the network Diana Berbecaru - Politecnico di Torino (2006-2012) 12
Firewalls (contd ) firewall inspects traffic through it allows traffic specified in the policy drops everything else two types (basically) Packet filters, (app.) proxies Firewall Internal Network Internet THE THREE COMMANDMENTS OF FIREWALL I. the FW must be the only contact point of the internal network with the external one II. only the authorized traffic can traverse the FW III. the FW must be a highly secure system itself D.Cheswick S.Bellovin Packet Filters packet filter selectively passes packets from one network interface to another usually done within a router between external and internal networks screening router can be done by a dedicated network element packet filtering bridge harder to detect and attack than screening routers Diana Berbecaru - Politecnico di Torino (2006-2012) 13
data available Packet Filters Contd. IP source and destination addresses Transport protocol (TCP, UDP, or ICMP) TCP/UDP source and destination ports ICMP message type Packet options (Fragment Size etc.) actions available Allow the packet to go through Drop the packet (Notify Sender/Drop Silently) Log information about the packet example filters Packet Filters Contd. block all packets from outside except for SMTP servers block all traffic to a list of domains block all connections from a specified domain Typical Firewall Configuration Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hosts Internet X Intranet X DMZ Diana Berbecaru - Politecnico di Torino (2006-2012) 14
Example Firewall Rules stateless packet filtering firewall Rule (Condition, Action) rules are processed in top-down order if a condition satisfied action is taken Sample Firewall Rule allow SSH from external hosts to internal hosts Two rules Inbound and outbound How to know a packet is for SSH? Inbound: src-port>1023, dst-port=22 Outbound: src-port=22, dst-port>1023 t Protocol=TCP Rule Dir Src Addr Src Port Dst Addr Dst Port Proto Action SSH-1 In Ext > 1023 Int 22 TCP Allow SSH-2 Out Int 22 Ext > 1023 TCP Alow advantages Packet Filters transparent to application/user simple packet filters can be efficient disadvantages very hard to configure the rules doesn t have enough information to take actions does port 22 always mean SSH? who is the user accessing the SSH? Diana Berbecaru - Politecnico di Torino (2006-2012) 15
Stateful (dynamic) packet filter similar to packet filter but state-aware state informations from the transport or application level (e.g. FTP PORT command) can distinguish new connections from those already open state tables for open connections packets matching one row in the table are passed without any further control better performance than packet filter SMP support still has many of the static packet filter limitations Alternatives Proxy firewalls two connections instead of one either at transport level SOCKS proxy or at application level HTTP proxy requires applications (or dynamically linked libraries) to be modified to use the proxy Data available Proxy Firewall Application level information User information advantages: Better policy enforcement Better logging Fail closed disadvantages: doesn t perform as well one proxy for each application client modification Diana Berbecaru - Politecnico di Torino (2006-2012) 16
FW architectures there are many possible ways to set up a FW. the choice of a FW architecture depends on: cost performance availability needs sensitivity of information being protected by the FW several FW architectures have been defined: Screening router Dual-homed gateway Screened-host gateway, screened subnet FW: basic components screening router ( choke ) router that filters traffic at IP level bastion host secure system, with auditing application gateway ( proxy ) service that works on behalf of an application, with access control dual-homed gateway system with two network cards and routing disabled Screening router external network Diana Berbecaru - Politecnico di Torino (2006-2012) 17
Screening router exploits the router to filter the traffic both at IP and upper levels no need for dedicated hardware no need for a proxy and hence no need to modify the applications simple, easy, cheap and... insecure! Dual-homed gateway external network GW Dual-homed gateway easy to implement small additional hardware requirements the internal network can be masqueraded unflexible large work overhead Diana Berbecaru - Politecnico di Torino (2006-2012) 18
Screened host gateway external network GW Screened-host gateway router: blocks the packets from INT to EXT unless they come from the bastion host blocks the packets from EXT to INT unless they go to the bastion host exception: directly enabled protocols bastion host: circuit/application level gateway to selectively enable some services Screened-host gateway more expensive more flexible complex to manage: two systems rather one possible selectively relax the controls over some services / hosts only the hosts/protocols passing through the bastion can be masqueraded (unless the router offers the NAT functionality) Diana Berbecaru - Politecnico di Torino (2006-2012) 19
Screened subnet external network GW DMZ Screened subnet DMZ (De-Militarized Zone) the DMZ is home not only to the gateway but also to other hosts (tipically the public servers): Web remote access (ftp, telnet) DNS the routing may be configured so that the internal network is unknown expensive Screened-subnet (version 2) to reduce costs and simplify management often the routers are omitted (and their function incorporated into the gateway) AKA three-legged firewall external network GW internal network DMZ Diana Berbecaru - Politecnico di Torino (2006-2012) 20