How To Add Security To The Basic Protocols



Similar documents
Internet Security Protocols

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Network Security. Lecture 3

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

IP Security. Ola Flygt Växjö University, Sweden

Chapter 7 Transport-Level Security

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Network Security Part II: Standards

Lecture 10: Communications Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Internet Protocol Security IPSec

Network Security Essentials Chapter 5

Transport Level Security

Communication Security for Applications

Communication Systems SSL

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Chapter 10. Network Security

Security Protocols/Standards

Chapter 5: Network Layer Security

IPSec and SSL Virtual Private Networks

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Chapter 32 Internet Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Internetwork Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Web Security Considerations

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Security vulnerabilities in the Internet and possible solutions

Computer and Network Security

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Transport Layer Security Protocols

Secure Sockets Layer

Chapter 17. Transport-Level Security

CS 4803 Computer and Network Security

T Cryptography and Data Security

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Network Security Fundamentals

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

CCNA Security 1.1 Instructional Resource

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

[SMO-SFO-ICO-PE-046-GU-

Securing IP Networks with Implementation of IPv6

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Introduction to Security and PIX Firewall

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Introduction. An Overview of the DX Industrial Router Product Line. IP router and firewall. Integrated WAN, Serial and LAN interfaces

How To Understand And Understand The Security Of A Key Infrastructure

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Internet Security Architecture

Lecture 17 - Network Security

Standards and Products. Computer Security. Kerberos. Kerberos

CSC Network Security

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Introduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities

CSC 474 Information Systems Security

Overview. SSL Cryptography Overview CHAPTER 1

Laboratory Exercises V: IP Security Protocol (IPSec)

The Secure Sockets Layer (SSL)

IP SECURITY (IPSEC) PROTOCOLS

The BANDIT Products in Virtual Private Networks

Virtual Private Networks

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

T Cryptography and Data Security

Web Security. Mahalingam Ramkumar

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Netzwerksicherheit: Anwendungen

Branch Office VPN Tunnels and Mobile VPN

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

EXAM questions for the course TTM Information Security May Part 1

Secure Socket Layer. Security Threat Classifications

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Introduction to Computer Security

Chapter 11 Security Protocols. Network Security Threats Security and Cryptography Network Security Protocols Cryptographic Algorithms

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

z/os Firewall Technology Overview

Virtual Private Networks: IPSec vs. SSL

Cryptography and Network Security IPSEC

Computer Networks. Secure Systems

Security Architecture for IP (IPsec)

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Transcription:

Goals Security Protocols Prof. Bart Preneel COSIC KU Leuven - Belgium Firstname.Lastname(at)esat.kuleuven.be http://homes.esat.kuleuven.be/~preneel October 2014 Understanding how security can be added to the basic protocols Understanding TLS and its limitations Understanding IPsec and its limitations With thanks to Joris Claessens and Walter Fumy 1 2 Outline summary Principles layer security SSL/TLS layer security IPSec, VPN, SSH The - A of s IP is the protocol that integrates all infrastructures Workstation, PC, Laptop, PDA,... IP Router IP Router A B C Workstation, PC, Laptop, PDA,... various transmission technologies Ethernet Token Ring WLAN Powerline DECT GSM UMTS Satellites PSTN ISDN ATM Frame Relay 3 4 Protocols Encapsulation SMTP HTTP TCP/UDP IP Link... SMTP HTTP TCP/UDP IP Link... Layer (Web, FTP,... ) Layer (TCP, UDP) Header Header Layer (Web, FTP,... ) Layer (TCP, UDP) Layer Protocol (IP) Layer Transmission Control Protocol (TCP), User gram Protocol (UDP) 5 Layer (IP) IP Header Header Access Layer Layer (IP) IP Header Header Access Layer 6 1

Security Goals (started in ISO 7498-2) confidentiality: entities (anonimity) data traffic flow (unilateral or mutual) entity authentication data authentication (connection-less or connection-oriented): data origin authentication + data integrity access control non-repudiation of origin versus deniability SP Architecture I: Encapsulation unprotected data SP hdr encrypted data MAC confidentiality integrity Bulk data: symmetric cryptography Authenticated encryption: best choice is to authenticate the ciphertext 7 8 SP Architecture II: Session (Association) Establishment Security: at which layer? Host A SP hdr encrypted data MAC Security Associations (Security Parameters incl. Shared Keys) Key Management and Security Association Establishment Protocols Host B layer: closer to user more sophisticated/granular controls end-to-end but what about firewalls? Lower layer: application independent hide traffic data but vulnerable in middle points Combine? 9 10 S-HTTP Security Protocols Layer Security (SSH, SSL, TLS) Transmission Control Protocol (TCP) Electronic Commerce Layer PayPal, Ecash, 3D Secure... PGP PEM IP/ IPSec ( Protocol Security) S/MIME User gram Protocol (UDP) Public-Key Infrastructure security services depend on the layer of integration: the mechanisms can only protect the payload and/or header information available at this layer header information of lower layers is not protected!! PKIX SPKI COMSEC in practice wired SSL/TLS VPN: IPsec VOIP wireless GSM, 3G WLAN: WPA2 (RSN) PAN: Bluetooth, Zigbee 11 12 2

COMSEC Communications insecurity 1 G (analog) Confidentiality authentication Entity authentication 2 G (GSM) weak unilateral 3G WLAN TLS IPsec optional unilateral Skype not open not open not open/meet in the middle attack 13 Not end to end architectural errors wrong trust assumptions default = no security protocol errors unilateral entity authentication weak entity authentication mechanism downgrade attack modes of operation errors no authenticated encryption wrong use of crypto cryptographic errors weak crypto implementation errors range of wireless communication is often underestimated! 14 security: broader context security: DNSSec fundamental protocols of the do not have adequate security this is well understood, but there is no preventive patching panic response to ever improving attacks changing widely used protocols is hard DNS attack [Kaminsky, Black Hat 08] BGP attack [Kapela-Pilosov, Defcon 08] More examples: IPV6 attacks SNMPv3 Bug [Wes Hardakar] Insecure SSL-VPN [Mike Zusman] Insecure Cookies [Mike Perry] long and winding road (started in 1997) several attacks (e.g. cache poisoning [Kaminsky08]) several TLDs signed 2005-2009 live in July 2010 for root Versign signed.com early 2011 http://www.root-dnssec.org/ http://ispcolumn.isoc.org/2006-08/dnssec.html 15 16 SSL/TLS Protocols Browser Secure WWW Server layer security http:// https:// SSL SSL SSL / TLS System HTTP HTTP over SSL System connection-oriented data confidentiality and integrity, and optional client and server authentication. 18 3

Layer Security Protocols SSL / TLS IETF Working Group: Layer Security (tls) RFC 2246 (PS), 01/99 transparent secure channels independent of the respective application. available protocols: Secure Shell (SSH), SSH Ltd. Secure Sockets Layer (SSL), Netscape Layer Security (TLS), IETF TLS TCP IP Encapsulation Decapsulation Protected Negotiation Authentication Key Establishment Handshake Mainly in context of WWW security, i.e., to secure the HyperText Transfer Protocol (HTTP) TLS: security at the transport layer can be used (and is intended) for other applications too (IMAP, telnet, ftp, ) end-to-end secure channel, but nothing more... data is only protected during communication no non-repudiation! 19 20 SSL/TLS Secure Sockets Layer (Netscape) SSL 2.0 (1995): security flaws! SSL 3.0 (1996): still widely used - not interoperable with TLS 1.0 Layer Security (IETF) TLS 1.0 (01/99) adopted SSL 3.0 with minor changes - RFC 2246 - default DSA/3DES TLS 1.1 (4/2006) - RFC 4346 default: RSA/3DES; several fixes for padding oracle and timing attacks (explicit IV for CBC) TLS 1.2 (8/2008) - RFC 5246 replaces MD5 and SHA-1 by SHA-256 (SHA-1 still in a few places) add AES ciphersuites (but still supports RC4!) add support for authenticated encryption: GCM and CCM RFC 5176 (2/2011) removes backward compatibility with SSL 2.0 Currently 314 ciphersuites! Handshake Protocol layer TCP/IP TLS 1.1 and 1.2 deployment very slow (about 25% of servers in Feb. 14); boost in Nov. 2013 (new attacks + Snowden revelations). 21 22 Client Hello Server Hello... Change Cipher Spec Protocol Change Cipher Spec e.g., http, telnet,... Record Layer Protocol SSL record Alert Protocol Alert Protocol SSL/TLS in more detail Record layer protocol fragmentation compression (not in practice) cryptographic security: encryption data confidentiality MAC data authentication [no digital signatures!] Handshake protocol negotiation of cryptographic algorithms client and server authentication establish cryptographic keys (master key and derived key for encryption and MAC algorithm) Certificate Client Key Exchange Certificate Verify [changecipherspec] Finished Handshake: overview start handshake, protocol version, algorithms authentication server + exchange (pre)master secret client authentication end handshake, integrity verification Server Hello Certificate Server Key Exchange Certificate Request Server Hello Done 23 24 key confirmation CLIENT Client Hello SERVER Hello Request [changecipherspec] Finished 4

TLS 1.2 Encapsulation Options TLS 1.2 Key Management Options Integrity key size 144 160 256 Anonymous Non anonymous algorithm options HMAC- MD5 HMAC- SHA HMAC- SHA256 DH_anon Server authentication, no client authentication Server and client authentication Confidentiality key size 40 56 128 168 256 algorithm options RC4_40 RC2_CBC_40 DES_CBC_40 DES_CBC mandatory RC4 IDEA_CBC AES_CBC 3DES_ EDE_CBC AES_CBC vulnerable to a meet-in-themiddle attack mandatory RSA DH_DSS DH_RSA DHE_DSS DHE_RSA RSA DH_DSS DH_RSA DHE_DSS DHE_RSA mandatory 25 26 SSL/TLS: security services TLS in the future SSL/TLS only provides: entity authentication data confidentiality data authentication SSL/TLS does not provide: non-repudiation unobservability (identity privacy) protection against traffic analysis secure many-to-many communications (multicast) security of the end-points (but relies on it!) Reduce the number of cipher suites Authenticated encryption gains popularity: AES-GCM Chacha20 with Poly1305AES TLS 2.0: mandatory encryption for httpv2.0? Identity protection (cf. IPsec) Backward compatibility remains very important because of huge installed base 27 27 28 IP Security Protocols layer security IPsec, VPN, SSH IETF Working Group: IP Security Protocol (ipsec) Security Architecture for the Protocol RFC 2401 (PS), 11/98 IP Authentication Header (AH) RFC 2402 (PS), 11/98 IP Encapsulating Security Payload (ESP) RFC 2406 (PS), 11/98 Key Exchange (IKE) RFC 2409 (PS), 11/98 layer protocol for negotiation of Security Associations (SA) and Key Establishment / IKE TCP/UDP IP/IPSec Encapsulation Decapsulation Protected SA Establishment Authentication Key Establishment Handshake Large and complex. (48 documents) Mandatory for IPv6, optional for IPv4 30 5

IPSec VPN models: Hosts and Security Gateways IPsec - Security services Host-tohost (not VPN) Branchto-branch Host-togateway Trusted Untrusted IPSec Gateway Untrusted Untrusted IPSec Gateway IPSec Gateway Trusted Access control Connectionless integrity origin authentication Rejection of replayed packets (a form of partial sequence integrity) Confidentiality Limited traffic flow confidentiality Trusted 31 32 IPsec - Concepts IPsec - Parameters Security features are added as extension headers that follow the main IP header Authentication header (AH) Encapsulating Security Payload (ESP) header Security Association (SA) Security Parameter Index (SPI) IP destination address Security Protocol Identifier (AH or ESP) sequence number counter sequence counter overflow anti-replay window AH info (algorithm, keys, lifetimes,...) ESP info (algorithms, keys, IVs, lifetimes,...) lifetime IPSec protocol mode (tunnel or transport) path MTU (maximum transmission unit) 33 34 IKE Algorithm Selection Mandatory Algorithms Algorithm Type IKE v1 IKE v2 Payload Encryption DES-CBC AES-128-CBC Payload Integrity HMAC-MD5 HMAC-SHA1 HMAC-SHA1 DH Group 768 Bit 1536 Bit Transfer Type 1 (Encryption) ENCR_DES_CBC ENCR_AES_128_CBC Transfer Type 2 (PRF) Transfer Type 3 (Integrity) PRF_HMAC_SHA1 [RFC2104] AUTH_HMAC_SHA1_96 [RFC2404] PRF_HMAC_SHA1 [RFC2104] AUTH_HMAC_SHA1_96 [RFC2404] IPsec - Modes (host-to-host) ESP: encrypts and optionally authenticates IP payload, but not IP header AH: authenticates IP payload and selected portions of IP header Tunnel (between security gateways) after AH or ESP fields are added, the entire packet is treated as payload of new outer IP packet with new outer header used for VPN Source: draft-ietf-ipsec-ikev2-algorithms-00.txt, May 2003 35 36 6

IPsec - ESP header IPsec - ESP mode Security Parameters Index: identifies SA Sequence number: anti-replay Encrypted payload data: data confidentiality using DES, 3DES, RC5, IDEA, CAST, Blowfish Padding: required by encryption algorithm (additional padding to provide traffic flow confidentiality) Integrity Check Value : data authentication using HMAC-SHA-1-96 or HMAC-MD5-96 IP hdr IP hdr upper layer data ESP hdr upper layer data ESP tlr ICV Confidentiality Integrity 37 38 IPsec - ESP Tunnel mode IPsec: Key management IP hdr upper layer data new IP hdr ESP hdr IP hdr upper layer data ESP tlr ICV Confidentiality Integrity RFCs 2407, 2408, and 2409 Manual Automated procedure / framework Security Association and Key Management Protocol (ISAKMP), RFC 2408 (PS) key exchange mechanism: Key Exchange (IKE) Oakley: DH + cookie mechanism to thwart clogging attacks SKEME 39 40 IPsec: Key management IKE defines 5 exchanges Phase 1: establish a secure channel Main mode Aggressive mode Phase 2: negotiate IPSEC security association Quick mode (only hashes, PRFs) Informational exchanges: status, new DH group based on 5 generic exchanges defined in ISAKMP IPsec: Key management protection suite (negotiated) encryption algorithm hash algorithm authentication method: preshared keys, DSA, RSA, encrypted nonces Diffie Hellman group: 5 possibilities cookies for anti-clogging 41 42 7

IKE v2 - RFC Dec 2005 IKE v2 Initial Handshake (1/2) IKEv1 implementations incorporate additional functionality including features for NAT traversal, legacy authentication, and remote address acquisition, not documented in the base documents Goals of the IKEv2 specification include to specify all that functionality in a single document to simplify and improve the protocol, and to fix various problems in IKEv1 that had been found through deployment or analysis IKEv2 preserves most of the IKEv1 features while redesigning the protocol for efficiency, security, robustness, and flexibility 43 Alice and Bob negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE-SA Usually consists of two request/response pairs The first pair negotiates cryptographic algorithms and does a Diffie-Hellman exchange The second pair is encrypted and integrity protected with keys based on the Diffie- Hellman exchange 44 IKE v2 Initial Handshake (2/2) IPsec Overview Second exchange divulge identities prove identities using an integrity check based on the secret associated with their identity (private key or shared secret key) and the contents of the first pair of messages in the exchange establish a first IPsec SA ( child-sa ) is during the initial IKE-SA creation much better than previous alternatives IPsec documents hard to read committee design: too complex ESP in Tunnel mode with authenticated encryption probably sufficient simplify key management clarify cryptographic requirements and thus difficult to implement (securely) avoid encryption without data authentication 45 46 Concluding comments IPsec is really transparent, SSL/TLS only conceptually, but not really in practice SSH, PGP: stand-alone applications, immediately and easy to deploy and use security: solved in principle but many implementation issues complexity creates security weaknesses and end point security: more is More information (1) William Stallings, Cryptography and Security - Principles and Practice, Fifth Edition, 2010 N. Doraswamy, D. Harkins, IPSec (2nd Edition), Prentice Hall, 2003 (outdated) Erik Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2000. IETF web site: www.ietf.org e.g., IETF-TLS Working Group needed! http://www.ietf.org/html.charters/tls-charter.html 47 48 8

More information (2) Jon C. Snader, VPNs Illustrated: Tunnels, VPNs, and IPsec, Addison-Wesley, 2005 Sheila Frankel, Demystifying the IPsec Puzzle, Artech House Computer Security Series, 2001 Anup Gosh, E-Commerce Security, Weak Links, Best Defenses, Wiley, 1998 Rolf Oppliger, Security Technologies for the World Wide Web, Artech House Computer Security Series 1999 W3C Security (incl WWW Security FAQ) http://www.w3.org/security/ 49 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information