Miscellaneous topics in secure communication CS 772 Fall 2007
Diffie-Hellman Algorithm
• First public key system
• Allows two individuals to agree on a shared key while exchanging messages in public
• Alice generates x, Bob generates y; p and g are constants known to both of them
• Alice sends g^x mod p, and Bob sends g^y mod p
• Alice computes (g^y mod p)^x = g^xy mod p and Bob computes (g^x mod p)^y = g^xy mod p
• This is the shared secret key
Man-in-the-middle attack
• Now consider Trudy, the intruder; assume p and g are publicly known
• Alice chooses x and sends g^x mod p intended for Bob, but it is intercepted by Trudy
• Trudy chooses z and sends g^z mod p to Bob posing as Alice, and to Alice posing as Bob
• Bob chooses y and sends g^y mod p intended for Alice, but it is received by Trudy
• Now Trudy can establish a secret session between herself and Alice, and between herself and Bob
• Bob uses g^yz mod p as the secret key and Alice uses g^xz mod p as the secret key. Trudy knows both of these keys
Defenses against Man-in-the-middle attack
• (i) Each party has its own permanent public and private numbers, and the public numbers are published; in the earlier case Alice publishes g^x mod p and Bob publishes g^y mod p, while x and y are kept secret
• (ii) Encrypt the numbers being sent, using either a pre-shared secret key or the other entity's public key
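The exchange, the man-in-the-middle substitution and defense (i) from the slides above, as an added worked example (not part of the original slides). The group parameters P = 1019, G = 2 are a constructed toy choice, and the "directory" of published public values is assumed to be trustworthy:

```python
import secrets

# Toy group, constructed for illustration only: 1019 is a safe prime
# (1019 = 2*509 + 1) and 2 generates the whole group mod 1019.
# Real deployments use 2048-bit+ groups or elliptic curves.
P, G = 1019, 2


def dh_public(secret: int) -> int:
    """Public value g^secret mod p, sent in the clear."""
    return pow(G, secret, P)


def dh_shared(their_public: int, my_secret: int) -> int:
    """(g^their)^mine mod p = g^(their*mine) mod p."""
    return pow(their_public, my_secret, P)


def honest_exchange(x: int, y: int) -> tuple:
    """Alice (x) and Bob (y) swap public values directly; both get g^xy."""
    return dh_shared(dh_public(y), x), dh_shared(dh_public(x), y)


def mitm_exchange(x: int, y: int, z: int) -> dict:
    """Trudy (z) replaces each public value with g^z mod p: Alice ends up
    with g^xz, Bob with g^yz, and Trudy can compute both."""
    t_pub = dh_public(z)
    return {
        "alice": dh_shared(t_pub, x),                    # Alice thinks t_pub is Bob's
        "bob": dh_shared(t_pub, y),                      # Bob thinks t_pub is Alice's
        "trudy_with_alice": dh_shared(dh_public(x), z),
        "trudy_with_bob": dh_shared(dh_public(y), z),
    }


def verified_exchange(x: int, y: int, wire_to_alice: int, wire_to_bob: int) -> dict:
    """Defense (i): permanent public values g^x and g^y are published in a
    directory (assumed trusted). Each side checks the value arriving on the
    wire against the directory and aborts on mismatch, so a substituted
    g^z is rejected rather than used."""
    directory = {"alice": dh_public(x), "bob": dh_public(y)}
    if wire_to_alice != directory["bob"] or wire_to_bob != directory["alice"]:
        return {"established": False, "reason": "public value mismatch"}
    return {"established": True,
            "alice": dh_shared(directory["bob"], x),
            "bob": dh_shared(directory["alice"], y)}


if __name__ == "__main__":
    x, y, z = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    print("honest:", honest_exchange(x, y))
    print("mitm:", mitm_exchange(x, y, z))
    print("verified, tampered:", verified_exchange(x, y, dh_public(z), dh_public(z)))
```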
GRE and IP/IP Tunnels
• GRE -- Generic Routing Encapsulation
• GRE and IP/IP are unencrypted tunnels
• They provide virtual connections and static-IP assignment without hiding the communication. For connecting a server to the internet there is little point in encrypting the tunnel anyway, so these can be attractive alternatives because of their simplicity
• IP/IP tunnels do not provide any authentication, and GRE tunnels provide only weak authentication
• IP/IP tunneling is very simple-minded tunneling. The IP payload packet becomes the entire data payload of an IP tunnel carrier packet. Because the payload can only be IP packets, this kind of tunnel can carry only IP traffic
• GRE is essentially a packaging protocol, intended to package any protocol's packets into generic data packages that can be carried by any other protocol
• GRE is a foundation protocol for other tunnel protocols. For example, MPPE/PPTP uses GRE to form the actual tunnel
• Although GRE has generic tunneling capability, its most common use is for tunnels that carry IP and are carried by IP, and the term "GRE" is often shorthand for this kind of tunnel
Real-time Communication Secrecy (Chapter 16)
• Parties negotiate interactively to authenticate each other and establish a session key
• IPSec, SSL/TLS, and SSH are some examples
• Once established, the conversation is protected by a session key, known as a security association
What layer?
• IPSec is below TCP and above IP, in the network layer
• SSL/TLS and SSH are above TCP and below the application layer
• Most systems implement TCP and everything below it in the OS, and anything above it in the application
• The API to SSL is a superset of the API to TCP
How does the layer really matter?
• If something is operating above TCP (e.g., SSL), TCP can have no knowledge of malicious data entering the TCP stream. It will simply hand it over to. When the real data with the same sequence number arrives, TCP will throw it away as a duplicate. This is a cause of denial of service
• If something is implemented within the OS, it is assumed to be better protected, and hence the support it provides is also better. In addition, applications don't need to be changed
But IPSec has its own problems.
• Currently, IP only tells the upper layers the source IP address, not the user name. Since applications are not changed, even though IPsec is capable of authenticating the other user, it has no way to convey this: applications only see IP addresses
• What can it do for the application?
• It causes traffic on the path between the two parties to be encrypted, so no one else can read it
• IPsec can consult a policy database similar to the one a firewall uses: rules based on IP addresses and TCP port numbers
• With IPsec, the endpoint IP address can actually be authenticated
Session Key establishment
• Establish a session key after initial authentication, to be used for exchanging the actual data
Perfect Forward Secrecy
• That is: it is impossible for an eavesdropper to decrypt a message even after:
• Recording the entire encrypted session between Alice and Bob
• Later breaking into both Alice and Bob and stealing their long-term secrets
• How to prevent this? Generate a random session key derived from the long-term secret, but never store it anywhere afterwards; it is like Alice and Bob forgetting x and y, respectively, once the session key has been generated
• Escrow-foilage: Even if Alice and Bob are forced to deposit their long-term private keys (x and y) with some trusted authority, the protocol should be designed such that no one else can decrypt the conversation between Alice and Bob later on