1 / 52

Secure Communications Protocols

Secure Communications Protocols. Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya. 2010/11. Pre-requisite: Basic Cryptography, Identity Authentication. Overview. IP Layer Security Web communications security Wireless security. IP Layer Security. IPSec.

leanne
Télécharger la présentation

Secure Communications Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Communications Protocols Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya. 2010/11 Pre-requisite: Basic Cryptography, Identity Authentication

  2. Overview • IP Layer Security • Web communications security • Wireless security

  3. IP Layer Security IPSec Main Source: Stallings

  4. Network (IP) Layer OSI 7 layers

  5. IP Security • IPSec is not a single protocol, but rather a framework, and set of algorithms that provide IP layer security services • Authentication • Confidentiality • Key Management • Implemented between transport and IP layers • All packets going out are encrypted • All packets coming in are authenticated and decrypted • Can be implemented in routers, and also in client software • Benefits • Transparent to applications: good for security-ignorant apps • Routers can authenticate requests and other routers

  6. Typical Scenarios

  7. IPSec Architecture • Authentication Header (AH) • only authentication service • Encapsulating Security Payload (ESP) • Packet Encryption • Packet Authentication (optional) • Domain Of Interpretation (DOI) • Specific parameters for encryption and authentication algorithms • Key Management

  8. IPSec Services

  9. Security Association (SA) • One SA for each one-way communication, specifying • Security Parameters Index (SPI) identifies the SA in the SA DB • IP Destination • Security Protocol Identifiers (which of AH or ESP shall be used) • Security Policy Database (SPD) specifies SA selectors • Maps outbound packets to specific SAs, e.g. app-specific fields • SA Database stores all SA entries • AH info: authentication algorithm, keys, key lifetime,… • ESP info: encryption and authentication algorithms, keys, IVs,… • Running sequence number, used to prevent packet replays • SA lifetime • IPSec protocol mode: Tunnel, Transport

  10. Authentication Header (AH) • Authentication of data and source • Prevent modifications of payload while in transit • Prevent IP spoofing • AH contains Integrity Check Value (ICV) • Calculated HMAC over payload and all transit-immutable values, concatenated with shared key (possibly truncated to fit) • IPSec requires support of at least SHA-1 and MD5 • Countering replay attacks • Goal: prevent capture and replay of packets • For every SA, source generates up to 232 sequence numbers, then starts a new SA with a new seed • Receiver authenticates using a sliding window (w=64)

  11. AH Packet Format Which SA? Anti-Replay Integrity Check Value (ICV)

  12. Encapsulating Security Payload (ESP) • Adds (symmetric) encryption of the payload • Encryption Algorithms: DES (must), and also 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish. In 2003, added AES • CBC mode • Plaintext payload is replaced with ciphertext by source and is routed as new payload • Optionally provides authentication • HMAC with SHA-1 or MD5 (96 bits only) • Anti-replay sequence number • Note: ESP supports authentication because SA cannot use both ESP and AH

  13. ESP Packet Format Which SA? Anti-Replay Integrity Check Value (ICV)

  14. Transport and Tunnel Modes • Transport Mode • Protects upper layers • IP Payload is encrypted / authenticated • Tunnel Mode • Protects all layers • New packet created at network boundary, with original packet as its payload, and the entire inner packet is encrypted / authenticated • Can be applied to both AH and ESP router router internet San Francisco New York

  15. Tunneling Example (AH) • Before AH • AH Transport Mode • AH Tunnel Mode

  16. SA Bundles and Tunneling • SA bundles allow a sequence of SAs to be applied to same packet, or within a tunnel • Transport adjacency • Transport ESP SA (w/o authentication) followed by Transport AH SA (covering also ESP fields) • Iterated Tunneling

  17. Key Management • IPSec assumes availability of symmetric keys • Option 1: Manual configuration • Primarily for link communication • Option 2: Internet Key Exchange (IKE) automated on-demand creation of keys • ISAKMP – default SA and key management protocol • Does not mandate a specific key exchange protocol • Implements at least Oakley, but can also use RSA for instance • Oakley – default key determination protocol, based on a hardened Diffie-Hellman protocol

  18. Oakley • A refinement of Diffie-Hellman • DH weaknesses • Clogging attack: attacker forces Alice to exponentiate endlessly • Man-in-the-middle attack: attacker impersonates Alice to Bob and impersonates Bob to Alice • Oakley hardening (IKEv2) • Precedes the DH phase with exchange of a pseudorandom number (“cookie”) which is specific to each party (based on IPs of parties) • This number is first acknowledged as belonging to other party, and only then DH is performed. Hence attacker can only clog with acknowledge requests • Authenticates DH exchange to prevent impersonation • Use nonces against replay attacks • Options: • Choice of “groups” (modulo) for DH exchange • Choice of authentication method: digital signature, or encryption

  19. Hardened Oakley

  20. ISAKMP • Protocol to establish, negotiate, modify, and delete SAs • ISAKMP messages: • Security Association – establish new SA (initial parameters) • Proposal – indicates the protocol to be used (ESP or AH) • Transform – the algorithms to be used, e.g., 3DES, HMAC-SHA-1 • Key Exchange – which key exchange protocol, e.g., Oakley, RSA • Identification – the identity of the peers, e.g., IP address, User ID • Certificate – certificates of the peers • Certificate Request • Hash – data generated by the hash function • Signature – data generated by digital signature function • Nonce – the current nonce • Notification - messages • Delete – revoke an SA

  21. IPSEC and IKE in OSI Model

  22. Virtual Private Networks (VPN)

  23. VPN Implementations • IPSec tunneling or transport encryption • Simple encryption for systems that are not IPSec enabled • Symmetric encryption using a physically-delivered shared key • Public-key encryption, e.g., using RSA or PGP • SSL implementations • Most implementations include • Authentication, Authorization, and Accounting (3A) servers • Firewalls/ QoS servers • Actual implementation • Desktop client for remote users • VPN concentrator (hardware) • Part of firewalls/routers • Win2K on top of Active Directory VPN Concentrator

  24. Other Implementations • MultiProtocol Label Switching (MPLS) • Label packets so that they go through a preferred routing (Label Switched Paths – LSP). Labels are added to packet. • Implemented between data layer and IP layer • Sometimes viewed as IP implementation of ATM-like network • Serves primarily for QoS reasons, but also reduces security risks • MPLS VPN

  25. Anonymized Networks • Use VPN idea to anonymize sender/receiver • Client downloads network map, and selects path • “Onion” routers know only prior/subsequent nodes • Prevents traffic analysis • Offered by EFF to dissidents and journalist tippers

  26. Web Access Security Secure Socket Layer (SSL) Transport Layer Security (TLS) Main Source: Stallings

  27. Web Security Considerations • In principle, Web access is simply client-server • Protocols such as Kerberos apply… • Unrealistic to require every web application to implement own security • Suggesting use of IPSec… • But IPSec requires deployment on both ends (client included) • Special characteristics of Web servers • “out there” accessible to anyone • connected to corporate databases - dangerous if subverted • applicative software developed quickly and often security-ignorant • Special characteristics of Web users • often not security knowledgeable • often not subject to corporate or other rules • cannot be counted on to fulfill their part in a security protocol

  28. Web Security Threats -the usual… • Integrity • Modification of data on servers (“data-at-rest”) • Modification of messages (“data-in-motion”) • Confidentiality • Theft of data from server, or from client • Eavesdropping on communication • Info on network configuration • Info on network traffic • Interruption • Denial of Service • Authentication • Impersonation of legitimate users • Data forgery on server (or client)

  29. Web Applications Vulnerabilities • Explosion in the use of web applications • Custom applications • Wikis, portals, bulleting boards • Web apps vulnerabilities account for half of all SANS vulnerabilities • Malware • Buffer overflows • SQL Injections • Cross-site scripts

  30. Alternative Security Facilities for Web Communications • Network layer, e.g., IPSec • Application layer, e.g. • SET on top of HTTP • PGP and S/MIME on top of SMTP • SSL/TLS protocols • As a protocol above TCP in transport and session layers • As part of application software: browser on client side and web server (SSL was developed by Netscape)

  31. Secure Socket Layer (SSL) • Developed by Netscape as part of their browser • SSLv3 was subjected to public review • Transport Layer Security (TLS) designed as successor to SSLv3 • SSL is a session-based protocol, and each session may consist of multiple connections • SSL consists of two layers • SSL Record Protocol provides basic security services, e.g. https • Handshake protocol is used to initiate sessions • Alert protocol for peer messaging • SSL session states: • Security algorithms • Compression methods • Master keys • Certificates

  32. SSL Record Protocol • Services: Confidentiality, Message Integrity • Header: • Content type: SSL-specific, or application (e.g. HTTP) • SSL version • Several encryption algorithms are permitted • HMAC standard

  33. Handshake Protocol: Initial Negotiation Hello + Cipher Spec • Client suggests; Server chooses • SSL version: lower version will be used • Nonce: timestamp+random • Session ID: existing or new • Alternative CipherSpec suites, in decreasing preference • Key exchange • Encryption algorithms • MAC algorithm • Parameters • AES added in 2008 • Compression methods supported

  34. Handshake Protocol: Authentication and Key Exchange • Server starts; client follows • Server sends certificate • Server sends key exchange message • Server may ask for client certificate • Client responds Authen- tication and Key Exchange Finish • State changed to pending cipher_spec • Handshake done

  35. Example Hello and Cipher Select Cert and Key Exch Finish

  36. Cookies • Text files on client side (username@sitename) • Web Server is allowed to store key/value pairs • The browser resends cookie to Web Server • Can be encrypted or not • Used to implement state, e.g. Login credentials, browsing history, allowed capabilities • Simple implementation • Capability, Expiration, HMAC(Cap+Exp)

  37. Wireless LANs Security 802.11b/g/n Main Sources: IEEE standards, SANS, and Berkeley Group

  38. Wireless Networks • Originally devised for mobile, and/or location-based services, • HomeRF – 1.2Mbps (later increased to 10Mbps) • Bluetooth – short range (10m), Personal Area Network, low voltage • 802.11 – IEEE Standard for wireless LANs • Frequency hopping, using 2.4GHz unlicensed ISM frequency • 802.11b (WiFi) – Direct Sequencing Spread Spectrum (DSSS), and increases bit rates to 11Mbps • Achieves market sweet spot, in terms of cost, acceptance, interoperability • 802.11a – 5GHz frequency, 54Mbps, addresses some security concerns • 802.11g – provides 54Mbps at 2.4GHz and compatible with 802.11b • 802.11n – substantial increase in speed/range (MIMO technology) • 202.11i – security standard for wireless networks

  39. Wired Equivalent Privacy (WEP) • Wireless communication is point-to-multipoint • Adversary can simply intercept packets, without having to intrude or impersonate • WEP security services: • Confidentiality • Integrity of messages • No key management, and no robust authentication • WEP mechanisms • Challenge response (encryption ) to authenticate • RC4 used to encrypt packets, based on a 40-bit key shared between mobile unit and access point, concatenated with 24 bit IV (link encryption) • Integrity Check Vector (ICV) is appended to the packets, to ensure that they were not modified

  40. WEP Weaknesses (Summary) • Same hand-configured 40-bit key is shared by all mobile devices that connect to same access point • Lack of key management services results in infrequent change of above keys • Attacks take advantage of small IV size • Until 2003, WEP was only security standard in 802.11b • And (if this is not enough)…most devices are shipped with WEP turned OFF

  41. RC4 (reminder) • Stream-cipher developed by RSA • Keystream is generated based on initial key • Keystream is XORed with the plaintext • RC4 with 40 bits is exportable… • Original Wi-Fi implementations have 64-bit RC4 key, which is comprised of 40-bit WEP key + 24-bit IV Keystream Generator Ki Pi Ci

  42. Passive Attacks on WEP’s Shortcomings • A.k.a. “drive-by hacking” or “parking lot attacks” • First, note that if two ciphertexts are encrypted with same keystream, they can be XORed • (A  K)  (B  K) = A  B • Second, note that the keystream depends on key + IV • The key is constant per access point, its just the IV • Some implementations start at 0 and add 1 for each message; some use randomized numbers • IVs are quickly repeated • At 11Mbps (old rate), IVs definitely repeated in 5 hours • Birthday paradox: 50% chance for repeat after only 5000 packets; 99% for repeat in 10 minutes • Once plaintext is recovered, can recover keystream • (A  K)  A • Following keystreams can also be computed

  43. More Attacks on WEP’s Shortcomings • WEP’s authentication is based on challenge-response • The expected response is the encryption of the challenge • But, since the challenge is sent in the clear, with both plaintext and ciphertext, one can infer the keystream and fake her own response • WEP’s ICV is based on Cyclical Redundancy Check (CRC) • When modifying content, it is easy to predict the bits that need to be flipped in the CRC • Eve can change destination IP address, and have the AP decrypt the packet for her • Table-based attack: Eve can construct a table of all possible keystreams (224 x 1500 bytes = 24GB)

  44. Improving 802.11b WEP Security • First, don’t forget to turn WEP on • 50% of sites don’t use any encryption • Turn off SSID broadcast • Do not boost signal • Administrators should use end-to-end encryption • Place access points outside the firewall and use VPN • Use authentication protocols, e.g. RADIUS, to authenticate clients • Most vendors have extended RC4 key size to 128 bits • 104 bits (13 bytes) + IV of 24 bits (and some double that) • WEP2 • WEP2 adds to IV space, and uses different and changing keys for different stations

  45. Wi-Fi Protected Access (WPA) • New standard (part of 802.11i), approved 6/2004 • In Enterprise mode • Key management services • Central RADIUS authentication server (otherwise Pre-Shared Key) • RC4 enhanced with • 48-bit IV and smart IV sequencing algorithms • New Message Integrity Code (MIC) • Key based on initial exchange of random numbers • Ongoing generation of per-packet keys • WPA2 • Replaces RC4 with AES • CCMP = Counter-Mode Encryption + Cipher Block Chaining + Message Authentication Code • Requires new hardware • Michael algorithm shuts off network for 1 min when detecting an unauthorized message

  46. Wireless Communication is Fundamentally Weak • The 802.11 protocol is fundamentally weak. • “Using a wireless network for mission-critical data is plain stupid. Using it for life-critical data is criminally negligent” Niels Ferguson, developer of the Michael algorithm.

  47. Cellular Phone Security Voice Security WAP PKI Malware Main Sources: WAP Forum, Certicom

  48. Cellular Communication Security • Analog phones: easy-to-scan clear channel • ESNs easily harvested and cloned • Digital: call scrambling (FHMA, TDMA) • Can encrypt, but rarely used (or use default keys) • GSM was designed with cryptography • SIM stores Identity and Key (encryption/authentication) • Challenge-response (A3) and key generation (A8) algs • Academic success breaking A3/A8 w/ chosen plaintext attack • Encryption alg (A5) • Also broken w/ access to SIM or over-the-air queries to phone • Some countries use A5/2 algorithm that is further weakened • Some attacks on base station

  49. WAP • Main risks • Today: Eavesdropping, Impersonation, Interruption • Soon: Malware, Intrusion… • Needed security services • Confidentiality, Authentication, Non-repudiation (m-commerce) • Must work in computationally-challenged environment

  50. WAP Security Mechanisms

More Related