Cryptography and Network Security UNIT IV - NETWORK SECURITY.
Cryptography and Network Security
UNIT IV - NETWORK SECURITY
Authentication Functions
A message authentication or digital signature mechanism can be viewed as having two levels.
At the lower level there must be some sort of function that produces an authenticator, a value used to authenticate a message.
This lower-level function is used as a primitive in a higher-level authentication protocol.
Authentication Functions
Authentication Functions
Three classes of functions may be used to produce an authenticator:
Message encryption: the ciphertext itself serves as the authenticator.
Message authentication code (MAC): a public function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
Hash function: a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
Authentication Functions
KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades.
KERBEROS
Users wish to access services on servers. Three threats exist:
A user pretends to be another user.
A user alters the network address of a workstation.
A user eavesdrops on exchanges and uses a replay attack.
KERBEROS
Provides a centralized authentication server to authenticate users to servers and servers to users.
Relies on conventional encryption, making no use of public-key encryption.
Two versions: version 4 and version 5. Version 4 makes use of DES.
Kerberos Version 4
Terms:
C = client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS and V
TS = timestamp
|| = concatenation
A Simple Authentication Dialogue
(1) C -> AS: IDc || Pc || IDv
(2) AS -> C: Ticket
(3) C -> V: IDc || Ticket
Ticket = E_Kv[IDc || ADc || IDv]
Two problems: the number of times a user has to enter a password, and plaintext transmission of the password.
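The simple dialogue above played end to end in Go, as an added example that is not from the slides: an AS that checks Pc and issues Ticket = E_Kv[IDc || ADc || IDv], and a server V that decrypts the ticket under Kv and checks every field, including that ADc matches the workstation address the request actually came from. AES-GCM, the user name, password, addresses and the value of Kv are constructed stand-ins; Kerberos v4 itself uses DES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Kv is the secret key shared by AS and V (constructed). AES-GCM stands in
// for v4's DES so a tampered ticket is rejected instead of decrypting to garbage.
var Kv = bytes.Repeat([]byte{0x2a}, 16)

// passwordDB is the AS's password store (constructed).
var passwordDB = map[string]string{"alice": "correct horse"}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is E_K[plaintext] with a fresh nonce prepended; open reverses it.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ticket too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Message (1) C -> AS: IDc || Pc || IDv (Pc travels in the clear, the second
// problem the slide names). The AS checks Pc and answers with message (2),
// Ticket = E_Kv[IDc || ADc || IDv]; '|' stands in for ||.
func asIssueTicket(idc, pc, adc, idv string) ([]byte, error) {
	if passwordDB[idc] != pc {
		return nil, errors.New("AS: unknown user or wrong password")
	}
	return seal(Kv, []byte(idc+"|"+adc+"|"+idv))
}

// Message (3) C -> V: IDc || Ticket. V decrypts under Kv and checks that the
// ticket names this server, the claimed user, and the address the request
// arrived from; the address check defeats the altered-address threat.
func vAccept(claimedIDc, srcAddr, myIDv string, ticket []byte) error {
	pt, err := open(Kv, ticket)
	if err != nil {
		return errors.New("V: ticket does not decrypt under Kv")
	}
	parts := bytes.SplitN(pt, []byte("|"), 3)
	if len(parts) != 3 {
		return errors.New("V: malformed ticket")
	}
	idc, adc, idv := string(parts[0]), string(parts[1]), string(parts[2])
	switch {
	case idv != myIDv:
		return errors.New("V: ticket is for a different server")
	case idc != claimedIDc:
		return errors.New("V: ticket names a different user")
	case adc != srcAddr:
		return errors.New("V: ticket is bound to another workstation address")
	}
	return nil
}

// RunDialogue plays all three messages for alice on workstation 10.0.0.5 and
// returns V's verdict; srcAddr is where message (3) is presented from.
func RunDialogue(pc, srcAddr string) error {
	ticket, err := asIssueTicket("alice", pc, "10.0.0.5", "fileserver")
	if err != nil {
		return err
	}
	return vAccept("alice", srcAddr, "fileserver", ticket)
}

func main() {
	fmt.Println("honest run:", RunDialogue("correct horse", "10.0.0.5"))
	fmt.Println("wrong password:", RunDialogue("guess", "10.0.0.5"))
	fmt.Println("ticket from another address:", RunDialogue("correct horse", "10.0.0.9"))
}
```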
The Idea towards a Solution
Introduce a ticket-granting server (TGS).
The user first requests a ticket-granting ticket (Ticket_tgs) from the AS;
the user then authenticates itself to the TGS for a ticket (Ticket_v) for accessing a new service;
the user finally authenticates itself to V to request a particular service.
Kerberos Version 4 Authentication Dialogue
Overview of Kerberos
Request for Service in Another Realm
Difference Between Version 4 and 5
Encryption system dependence (v4: DES)
Internet protocol dependence
Message byte ordering
Ticket lifetime
Authentication forwarding
Interrealm authentication
Kerberos Encryption Techniques
PCBC Mode
Kerberos - in practice
Currently have two Kerberos versions:
4: restricted to a single realm
5: allows inter-realm authentication, in beta test
Kerberos v5 is an Internet standard specified in RFC1510, and used by many utilities.
To use Kerberos:
need to have a KDC on your network
need to have Kerberised applications running on all participating systems
major problem - US export restrictions: Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption), else crypto libraries must be reimplemented locally.
X.509 Authentication Service
Distributed set of servers that maintains a database about users.
Each certificate contains the public key of a user and is signed with the private key of a CA.
Is used in S/MIME, IP Security, SSL/TLS and SET. RSA is recommended.
X.509 Formats
Obtaining a User's Certificate
Characteristics of certificates generated by a CA:
Any user with access to the public key of the CA can recover the user public key that was certified.
No party other than the CA can modify the certificate without this being detected.
X.509 CA Hierarchy
Revocation of Certificates
Reasons for revocation:
The user's secret key is assumed to be compromised.
The user is no longer certified by this CA.
The CA's certificate is assumed to be compromised.
Authentication Procedures
Summary
have considered:
message authentication using message encryption, MACs, hash functions
Kerberos
X.509 Authentication Service
Authentication Applications
Developed to support application-level authentication and digital signatures
Most widely used services: Kerberos, X.509
Kerberos – a private-key authentication service
X.509 – a public-key directory authentication service
Kerberos
Kerberos
Developed as part of Project Athena at MIT
Symmetric encryption using no public keys
Provides centralised private-key third-party authentication in a distributed network
Version 4 and 5
Kerberos Motivation
Provide security in a distributed architecture consisting of dedicated user workstations (clients), and distributed or centralized servers
Require the user to prove his identity for each service invoked
Require that servers prove their identity to clients
Secure, Reliable, Transparent, and Scalable
Kerberos Scheme
Trusted third-party authentication service
Uses a protocol based on Needham and Schroeder [NEED78], see Chapter 7
Clients and servers trust Kerberos to mediate their mutual authentication
Kerberos Version 4
Uses DES, in a rather elaborate protocol, to provide authentication
Uses an Authentication Server (AS):
Knows all user passwords, and stores them in a DB
Shares a unique secret key with each server
Sends an encrypted ticket-granting ticket
TGT contains a lifetime and timestamp
Kerberos Version 4
Uses a Ticket Granting Server (TGS):
Issues tickets to users authenticated by AS
Encrypted with a key known only by AS and TGS
Returns a service-granting ticket
Service-granting ticket contains timestamp and lifetime
Kerberos Dialog
Problem: ticket lifetime, and no authentication of the server to the user
Uses a session key
Message exchanges (see Table 14.1):
AS exchange to obtain ticket-granting ticket
TGS exchange to obtain service-granting ticket
Client/server authentication exchange to obtain service
Kerberos Overview
Multiple Kerberi
The Kerberos server in each realm shares a secret key with one another
There must be trust between the servers, i.e. each server is registered with the other
Does not scale well
Kerberos Realms
Kerberos Version 5
Fixes version 4 environmental shortcomings
New elements for AS exchange: Realm, Options, Times, Nonce
Client/server authentication exchange: Subkey, sequence number
Kerberos Ticket Flags (see Table 14.4)
X.509
part of X.500 series
distributed servers maintaining user information database
defines framework for authentication services
directory may store public-key certificates with public key of user signed by certification authority
also defines authentication protocols
X.509
uses public-key cryptography & digital signatures
algorithms not standardised, but RSA recommended
X.509 certificates are widely used
public-key certificate associated with each user, generated by some trusted CA
Certification Authority (CA) issues certificates
the notation CA<<A>> represents a certificate for client A signed by CA
X.509 Certificates
issued by a Certification Authority (CA), containing:
version 1, 2, or 3
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
X.509 Certificates
Obtaining a User Certificate
Certificate notation: CA{…}
Any user with the CA's public key can verify the user public key that was certified
No party other than the CA can modify the certificate without being detected
because they cannot be forged, certificates can be placed in a public directory
CA Hierarchy
if both users share a common CA then they are assumed to know its public key
otherwise CAs must form a hierarchy
use certificates linking members of the hierarchy to validate other CAs
each CA has certificates for clients (forward) and parent (backward)
each client trusts its parent's certificates
enables verification of any certificate from one CA by users of all other CAs in the hierarchy
CA Hierarchy
Certificate Revocation
certificates have a period of validity
may need to revoke before expiry:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CAs maintain a list of revoked certificates, the Certificate Revocation List (CRL)
users should check certificates against the CA's CRL
Authentication Procedures
X.509 includes three alternative authentication procedures:
One-Way Authentication
Two-Way Authentication
Three-Way Authentication
all use public-key signatures
See Figure 14.6 for Authentication Procedures
One-Way Authentication
1 message (A->B) used to establish:
the identity of A and that message is from A
message was intended for B
integrity & originality of message
message must include timestamp, nonce, B's identity and is signed by A
may include additional info for B, eg session key
Two-Way Authentication
2 messages (A->B, B->A) which also establishes in addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
reply includes original nonce from A, also timestamp and nonce from B
may include additional info for A
Three-Way Authentication
3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
has reply from A back to B containing signed copy of nonce from B
means that timestamps need not be checked or relied upon
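The three-way procedure as an added Go example, not code from the slides or from the X.509 standard: Ed25519 signatures stand in for the unspecified public-key algorithm, and each message carries only the fields the slides list (timestamp left at zero, a fresh nonce, the intended recipient, and the echoed nonce). The party names, the JSON encoding and the 16-byte nonces are assumptions; the stale-reply run shows why the recipient must compare the echoed nonce against its own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is the signed content of each message. In the three-way procedure
// Timestamp can be zero: freshness comes from the nonces, not from clocks.
type Token struct {
	Timestamp int64  `json:"t"`
	Nonce     []byte `json:"r,omitempty"`
	Recipient string `json:"to"`
	EchoNonce []byte `json:"echo,omitempty"`
}

type Signed struct{ Body, Sig []byte }

type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{Name: name, Pub: pub, priv: priv}
}

func (p *Party) sign(tok Token) Signed {
	body, _ := json.Marshal(tok)
	return Signed{Body: body, Sig: ed25519.Sign(p.priv, body)}
}

func nonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// verify does what every recipient must do: check the signature, check that
// the message was intended for me, and, when a nonce echo is expected, check
// that it is my own fresh nonce and not one from an earlier run.
func verify(msg Signed, sender *Party, me string, expectEcho []byte) (Token, error) {
	if !ed25519.Verify(sender.Pub, msg.Body, msg.Sig) {
		return Token{}, errors.New("bad signature")
	}
	var tok Token
	if err := json.Unmarshal(msg.Body, &tok); err != nil {
		return Token{}, err
	}
	if tok.Recipient != me {
		return Token{}, errors.New("message not intended for me")
	}
	if expectEcho != nil && !bytes.Equal(tok.EchoNonce, expectEcho) {
		return Token{}, errors.New("echoed nonce mismatch: stale or replayed message")
	}
	return tok, nil
}

// ThreeWay runs A->B, B->A, A->B. With staleReply set, B echoes a nonce from
// some earlier run instead of rA, which A must detect.
func ThreeWay(a, b *Party, staleReply bool) error {
	rA := nonce()
	m1 := a.sign(Token{Nonce: rA, Recipient: b.Name}) // (1) A->B: tA, rA, B
	t1, err := verify(m1, a, b.Name, nil)
	if err != nil {
		return fmt.Errorf("B rejects message 1: %w", err)
	}
	rB, echo := nonce(), t1.Nonce
	if staleReply {
		echo = nonce()
	}
	m2 := b.sign(Token{Nonce: rB, Recipient: a.Name, EchoNonce: echo}) // (2) B->A: tB, rB, A, rA
	t2, err := verify(m2, b, a.Name, rA)
	if err != nil {
		return fmt.Errorf("A rejects message 2: %w", err)
	}
	m3 := a.sign(Token{Recipient: b.Name, EchoNonce: t2.Nonce}) // (3) A->B: rB, B
	if _, err := verify(m3, a, b.Name, rB); err != nil {
		return fmt.Errorf("B rejects message 3: %w", err)
	}
	return nil
}

func main() {
	a, b := NewParty("A"), NewParty("B")
	fmt.Println("honest run:", ThreeWay(a, b, false))
	fmt.Println("stale reply:", ThreeWay(a, b, true))
}
```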
X.509 Version 3
has been recognised that additional information is needed in a certificate: email/URL, policy details, usage constraints
rather than explicitly naming new fields, defined a general extension method
extensions consist of: extension identifier, criticality indicator, extension value
Certificate Extensions
key and policy information: convey info about subject & issuer keys, plus indicators of certificate policy
certificate subject and issuer attributes: support alternative names, in alternative formats, for certificate subject and/or issuer
certificate path constraints: allow constraints on use of certificates by other CAs
Public Key Infrastructure
Chapter 15 – Electronic Mail Security
Despite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources of information filled much of this gap. The FBI provided documents taken from the files of the National Security Advisor and relevant NSC staff members, including messages from the PROF system between VADM Poindexter and LtCol North. The PROF messages were conversations by computer, written at the time events occurred and presumed by the writers to be protected from disclosure. In this sense, they provide a first-hand, contemporaneous account of events.
— The Tower Commission Report to President Reagan on the Iran-Contra Affair, 1987
Email Security
email is one of the most widely used and regarded network services
currently message contents are not secure
may be inspected either in transit or by suitably privileged users on the destination system
Email Security Enhancements
confidentiality: protection from disclosure
authentication: of sender of message
message integrity: protection from modification
non-repudiation of origin: protection from denial by sender
Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algorithms to use
integrated into a single program
on Unix, PC, Macintosh and other systems
originally free, now also have commercial versions available
PGP Operation – Authentication
1. sender creates message
2. use SHA-1 to generate 160-bit hash of message
3. hash is signed with RSA using sender's private key, and attached to message
4. receiver uses RSA with sender's public key to decrypt and recover hash code
5. receiver verifies received message using hash of it and compares with decrypted hash code
PGP Operation – Confidentiality
1. sender generates message and 128-bit random number as session key for it
2. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
3. session key encrypted using RSA with recipient's public key, & attached to msg
4. receiver uses RSA with private key to decrypt and recover session key
5. session key is used to decrypt message
PGP Operation – Confidentiality & Authentication
can use both services on same message:
create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
PGP Operation – Compression
by default PGP compresses message after signing but before encrypting
so can store uncompressed message & signature for later verification
& because compression is non-deterministic
uses ZIP compression algorithm
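The authentication, confidentiality and compression steps above carried through in Go, as an added example rather than PGP's own code: the SHA-1 hash is signed with the sender's RSA private key, signature and message are compressed with zlib (the deflate algorithm ZIP uses), the result is encrypted with 3DES in CBC mode under a fresh 168-bit session key, and that key is wrapped with the recipient's RSA public key. RSA-OAEP for the key wrap, the PKCS#7-style padding and the 2048-bit demo keys are assumptions; PGP's packet format is not reproduced.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"io"
)

// DemoKeys builds a sender and a recipient RSA key pair (constructed for the example).
func DemoKeys() (sender, recipient *rsa.PrivateKey) {
	sender, _ = rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ = rsa.GenerateKey(rand.Reader, 2048)
	return
}

// PKCS#7-style padding to the 8-byte 3DES block size, needed for CBC mode.
func pad(b []byte) []byte {
	n := 8 - len(b)%8
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || b[len(b)-1] == 0 || int(b[len(b)-1]) > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

// Send follows the slides' order: sign the SHA-1 hash with the sender's private
// key, compress signature||message, encrypt with a fresh 168-bit 3DES session
// key in CBC mode, and wrap that key under the recipient's public key.
// It returns (wrappedKey, iv, ciphertext).
func Send(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) ([]byte, []byte, []byte, error) {
	h := sha1.Sum(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA1, h[:])
	if err != nil {
		return nil, nil, nil, err
	}
	var z bytes.Buffer // compressing after signing keeps the signature over the original text
	zw := zlib.NewWriter(&z)
	zw.Write(append(sig, msg...))
	zw.Close()
	key, iv := make([]byte, 24), make([]byte, des.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, nil, nil, err
	}
	body := pad(z.Bytes())
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, body)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, recipient, key, nil)
	return wrapped, iv, body, err
}

// Receive reverses Send and returns the message only if the signature
// verifies under the sender's public key.
func Receive(wrapped, iv, body []byte, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, recipient, wrapped, nil)
	if err != nil {
		return nil, errors.New("session key does not unwrap: not the intended recipient")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(iv) != des.BlockSize || len(body)%des.BlockSize != 0 {
		return nil, errors.New("bad session key or ciphertext length")
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	if plain, err = unpad(plain); err != nil {
		return nil, err
	}
	zr, err := zlib.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	unz, err := io.ReadAll(zr)
	if err != nil || len(unz) < sender.Size() {
		return nil, errors.New("corrupt compressed payload")
	}
	sig, orig := unz[:sender.Size()], unz[sender.Size():]
	h := sha1.Sum(orig)
	if rsa.VerifyPKCS1v15(sender, crypto.SHA1, h[:], sig) != nil {
		return nil, errors.New("signature does not verify: altered or not from sender")
	}
	return orig, nil
}
```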
PGP Operation – Email Compatibility
when using PGP will have binary data to send (encrypted message etc)
however email was designed only for text
hence PGP must encode raw binary data into printable ASCII characters
uses radix-64 algorithm
maps 3 bytes to 4 printable chars
also appends a CRC
PGP also segments messages if too big
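Radix-64 with the appended CRC as an added Go example, not PGP's code: the base64 alphabet maps each 3 bytes to 4 printable characters, lines are wrapped at 64 characters, and the 24-bit CRC defined in RFC 4880 section 6.1 is encoded after an '=' on its own line so the receiver can detect corruption introduced in transit. The sample input is constructed; segmentation of large messages is not shown.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CRC-24 as used for the OpenPGP ASCII-armor checksum (RFC 4880, section 6.1).
const (
	crc24Init = 0xB704CE
	crc24Poly = 0x1864CFB
)

func CRC24(data []byte) uint32 {
	crc := uint32(crc24Init)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= crc24Poly
			}
		}
	}
	return crc & 0xFFFFFF
}

// Armor maps every 3 bytes to 4 printable characters, wraps lines at 64
// characters, and appends the CRC-24 of the raw bytes, itself radix-64
// encoded and prefixed with '='.
func Armor(raw []byte) string {
	enc := base64.StdEncoding.EncodeToString(raw)
	var sb strings.Builder
	for i := 0; i < len(enc); i += 64 {
		end := i + 64
		if end > len(enc) {
			end = len(enc)
		}
		sb.WriteString(enc[i:end])
		sb.WriteByte('\n')
	}
	crc := CRC24(raw)
	crcBytes := []byte{byte(crc >> 16), byte(crc >> 8), byte(crc)}
	sb.WriteString("=" + base64.StdEncoding.EncodeToString(crcBytes))
	return sb.String()
}

// Dearmor reverses Armor and rejects data whose checksum does not match,
// which is how corruption by the mail transport is detected.
func Dearmor(armored string) ([]byte, error) {
	lines := strings.Split(strings.TrimSpace(armored), "\n")
	if len(lines) == 0 || !strings.HasPrefix(lines[len(lines)-1], "=") {
		return nil, errors.New("missing CRC line")
	}
	crcLine := lines[len(lines)-1]
	body := strings.Join(lines[:len(lines)-1], "")
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	want, err := base64.StdEncoding.DecodeString(crcLine[1:])
	if err != nil || len(want) != 3 {
		return nil, errors.New("malformed CRC line")
	}
	if uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) != CRC24(raw) {
		return nil, errors.New("CRC mismatch: armored data corrupted")
	}
	return raw, nil
}

func main() {
	sample := []byte("constructed binary packet bytes\x00\x01\x02\xff")
	armored := Armor(sample)
	fmt.Println(armored)
	back, err := Dearmor(armored)
	fmt.Printf("%q %v\n", back, err)
}
```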
PGP Operation – Summary
PGP Session Keys
need a session key for each message
of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
generated using ANSI X12.17 mode
uses random inputs taken from previous uses and from keystroke timing of user
PGP Public & Private Keys
since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
could send full public key with every message, but this is inefficient
rather use a key identifier based on key
is least significant 64 bits of the key
will very likely be unique
also use key ID in signatures
PGP Message Format
PGP Key Rings
each PGP user has a pair of keyrings:
public-key ring contains all the public keys of other PGP users known to this user, indexed by key ID
private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
security of private keys thus depends on the passphrase security
PGP Message Generation
PGP Message Reception
PGP Key Management
rather than relying on certificate authorities, in PGP every user is own CA
can sign keys for users they know directly
forms a "web of trust"
trust keys have signed
can trust keys others have signed if have a chain of signatures to them
key ring includes trust indicators
users can also revoke their keys
S/MIME (Secure/Multipurpose Internet Mail Extensions)
security enhancement to MIME email
original Internet RFC822 email was text only
MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form
S/MIME added security enhancements
have S/MIME support in many mail agents, eg MS Outlook, Mozilla, Mac Mail etc
S/MIME Functions
enveloped data: encrypted content and associated keys
signed data: encoded message + signed digest
clear-signed data: cleartext message + encoded signed digest
signed & enveloped data: nesting of signed & encrypted entities
S/MIME Cryptographic Algorithms
digital signatures: DSS & RSA
hash functions: SHA-1 & MD5
session key encryption: ElGamal & RSA
message encryption: AES, Triple-DES, RC2/40 and others
MAC: HMAC with SHA-1
have process to decide which algs to use
S/MIME Messages
S/MIME secures a MIME entity with a signature, encryption, or both
forming a MIME-wrapped PKCS object
have a range of content-types: enveloped data, signed data, clear-signed data, registration request, certificate-only message
S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates
managed using a hybrid of a strict X.509 CA hierarchy & PGP's web of trust
each client has a list of trusted CAs' certs, and own public/private key pairs & certs
certificates must be signed by trusted CAs
Certificate Authorities
have several well-known CA's
Verisign one of most widely used
Verisign issues several types of Digital IDs
increasing levels of checks & hence trust

Class  Identity Checks       Usage
1      name/email check      web browsing/email
2      + enroll/addr check   email, subs, s/w validate
3      + ID documents        e-banking/service access
Summary
have considered:
  secure email
  PGP
  S/MIME
IP Security
Outline
Internetworking and Internet Protocols
IP Security Overview
IP Security Architecture
Authentication Header
Encapsulating Security Payload
Combinations of Security Associations
Key Management
TCP/IP ExampleTCP/IP Example
IPv4 HeaderIPv4 Header
IPv6 HeaderIPv6 Header
IP Security Overview
IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
Applications of IPSec
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
IP Security Scenario
IP Security Overview
Benefits of IPSec
Transparent to applications - below transport layer (TCP, UDP)
Provide security for individual users
IPSec can assure that:
  A router or neighbor advertisement comes from an authorized router
  A redirect message comes from the router to which the initial packet was sent
  A routing update is not forged
IP Security Architecture
IPSec documents: NEW updates in 2005!
RFC 2401: Security Architecture for the Internet Protocol. S. Kent, R. Atkinson. November 1998. (An overview of security architecture) RFC 4301 (12/2005)
RFC 2402: IP Authentication Header. S. Kent, R. Atkinson. November 1998. (Description of a packet encryption extension to IPv4 and IPv6) RFC 4302 (12/2005)
RFC 2406: IP Encapsulating Security Payload (ESP). S. Kent, R. Atkinson. November 1998. (Description of a packet encryption extension to IPv4 and IPv6) RFC 4303 (12/2005)
RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP. D. Piper. November 1998. PROPOSED STANDARD. (Obsoleted by RFC 4306)
RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP). D. Maughan, M. Schertler, M. Schneider, J. Turner. November 1998. (Specification of key management capabilities) (Obsoleted by RFC 4306)
RFC 2409: The Internet Key Exchange (IKE). D. Harkins, D. Carrel. November 1998. PROPOSED STANDARD. (Obsoleted by RFC 4306, Updated by RFC 4109)
IP Security Architecture
Internet Key Exchange (IKE)
A method for establishing a security association (SA) that authenticates users, negotiates the encryption method and exchanges the secret key. IKE is used in the IPsec protocol. Derived from the ISAKMP framework for key exchange and the Oakley and SKEME key exchange techniques, IKE uses public key cryptography to provide the secure transmission of the secret key to the recipient so that the encrypted data may be decrypted at the other end. (http://computing-dictionary.thefreedictionary.com/IKE)
RFC 4306: Internet Key Exchange (IKEv2) Protocol. C. Kaufman, Ed. December 2005 (Obsoletes RFC 2407, RFC 2408, RFC 2409) PROPOSED STANDARD
RFC 4109: Algorithms for Internet Key Exchange version 1 (IKEv1). P. Hoffman. May 2005 (Updates RFC 2409) PROPOSED STANDARD
IPSec Document Overview
IPSec Services
Access Control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations (SA)
A one way relationship between a sender and a receiver.
Identified by three parameters:
  Security Parameter Index (SPI)
  IP Destination address
  Security Protocol Identifier
Transport Mode SA vs Tunnel Mode SA
AH
  Transport mode: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
  Tunnel mode: Authenticates entire inner IP packet plus selected portions of outer IP header
ESP
  Transport mode: Encrypts IP payload and any IPv6 extension header
  Tunnel mode: Encrypts inner IP packet
ESP with authentication
  Transport mode: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
  Tunnel mode: Encrypts inner IP packet. Authenticates inner IP packet.
Before applying AH
Transport Mode (AH Authentication)
Tunnel Mode (AH Authentication)
Authentication Header
Provides support for data integrity and authentication (MAC code) of IP packets.
Guards against replay attacks.
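The replay protection mentioned above is done on the receiver with a sliding window over the AH (or ESP) sequence number. The Go code below is an added example, not code from the slides; the 64-bit window width and the rejection of sequence number 0 follow RFC 2401 Appendix C / RFC 4302, which the slides list.

```go
package main

import "fmt"

// ReplayWindow is an added illustration of the anti-replay check that an
// IPsec receiver performs on the AH (or ESP) sequence number, using the
// sliding-window scheme of RFC 2401 Appendix C / RFC 4302.
// It is not code from the slides.
type ReplayWindow struct {
	size    uint32 // window width W (RFC minimum 32; 64 is the default here)
	highest uint32 // highest sequence number accepted so far (right edge)
	bitmap  uint64 // bit i set => sequence number (highest - i) already seen
}

// NewReplayWindow returns an empty window; widths above 64 are clamped
// because the bitmap is a single 64-bit word.
func NewReplayWindow(size uint32) *ReplayWindow {
	if size == 0 || size > 64 {
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Check reports whether a packet with sequence number seq is fresh and,
// if so, records it. A real receiver verifies the ICV first, so that a
// forged packet can never advance the window: only packets whose
// authentication succeeded may update it.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false // the first packet on an SA carries sequence number 1
	}
	if seq > w.highest {
		// New right edge: slide the window and mark seq as seen.
		shift := seq - w.highest
		if shift >= w.size {
			w.bitmap = 0 // jumped past the whole window
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.highest = seq
		return true
	}
	diff := w.highest - seq
	if diff >= w.size {
		return false // older than the left edge: drop (late or replay, cannot tell)
	}
	mask := uint64(1) << diff
	if w.bitmap&mask != 0 {
		return false // already seen inside the window: replay
	}
	w.bitmap |= mask // late but fresh: accept
	return true
}

func main() {
	w := NewReplayWindow(64)
	// Constructed arrival order: 1, 3, 2, a replay of 2, a jump to 100,
	// then 36 (fallen off the left edge) and 37 (still inside the window).
	for _, seq := range []uint32{1, 3, 2, 2, 100, 36, 37} {
		fmt.Printf("seq %3d accepted=%v\n", seq, w.Check(seq))
	}
}
```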
End-to-end versus End-to-Intermediate Authentication
Encapsulating Security Payload
ESP provides confidentiality services
Encryption and Authentication Algorithms
Encryption:
  Three-key triple DES
  RC5
  IDEA
  Three-key triple IDEA
  CAST
  Blowfish
Authentication:
  HMAC-MD5-96
  HMAC-SHA-1-96
ESP Encryption and Authentication
Combinations of Security Associations
Key Management
Two types:
  Manual
  Automated
    Oakley Key Determination Protocol
    Internet Security Association and Key Management Protocol (ISAKMP)
Oakley
Three authentication methods:
  Digital signatures
  Public-key encryption
  Symmetric-key encryption (aka pre-shared key)
ISAKMP
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Edited by Dick Steflik
Web Security
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
  integrity
  confidentiality
  denial of service
  authentication
need added security mechanisms
SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols
Where SSL Fits
  HTTP (80)     SMTP (25)     POP3 (110)
  HTTPS (443)   SSMTP (465)   SPOP3 (995)
  Secure Sockets Layer
  Transport
  Network
  Link
Uses Public Key Scheme
Each client-server pair uses
  2 public keys
    one for client (browser)
      created when browser is installed on client machine
    one for server (http server)
      created when server is installed on server hardware
  2 private keys
    one for client browser
    one for server (http server)
SSL Architecture
SSL session
  an association between client & server
  created by the Handshake Protocol
  define a set of cryptographic parameters
  may be shared by multiple SSL connections
SSL connection
  a transient, peer-to-peer, communications link
  associated with 1 SSL session
SSL Record Protocol
confidentiality
  using symmetric encryption with a shared secret key defined by Handshake Protocol
  IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  message is compressed before encryption
message integrity
  using a MAC (Message Authentication Code)
  created using a shared secret key and a short message
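The record MAC in its TLS form (RFC 2246: HMAC over the implicit record sequence number, the record header and the compressed fragment), written as an added Go example rather than code from the slides; the MAC secret, version bytes and fragment are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// RecordMAC computes the TLS 1.0 record-layer MAC of RFC 2246 section
// 6.2.3.1 with HMAC-SHA-1:
//   HMAC(MAC_write_secret, seq_num || type || version || length || fragment)
// where seq_num is the 64-bit record counter of this connection direction.
// Added illustration; not code from the slides.
func RecordMAC(secret []byte, seq uint64, ctype byte, version [2]byte, fragment []byte) []byte {
	mac := hmac.New(sha1.New, secret)
	var hdr [13]byte
	binary.BigEndian.PutUint64(hdr[0:8], seq)
	hdr[8] = ctype
	hdr[9], hdr[10] = version[0], version[1]
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(fragment)))
	mac.Write(hdr[:])
	mac.Write(fragment)
	return mac.Sum(nil)
}

// VerifyRecord is the receiver's side: recompute the MAC with its own
// expected sequence number and compare in constant time. Because seq_num
// is part of the MAC input but is never sent on the wire, a replayed or
// reordered record fails this check (a "bad record mac" alert follows).
func VerifyRecord(secret []byte, seq uint64, ctype byte, version [2]byte, fragment, tag []byte) bool {
	return hmac.Equal(RecordMAC(secret, seq, ctype, version, fragment), tag)
}

func main() {
	secret := []byte("constructed MAC_write_secret") // stands in for the handshake-derived key
	tls10 := [2]byte{3, 1}                            // TLS 1.0 version bytes
	const appData = 23                                // ContentType application_data
	frag := []byte("GET / HTTP/1.0\r\n\r\n")            // constructed compressed fragment
	tag := RecordMAC(secret, 0, appData, tls10, frag)
	fmt.Printf("mac=%x\n", tag)
	fmt.Println("in order :", VerifyRecord(secret, 0, appData, tls10, frag, tag))
	fmt.Println("replayed :", VerifyRecord(secret, 1, appData, tls10, frag, tag))
	frag[0] = 'P'
	fmt.Println("modified :", VerifyRecord(secret, 0, appData, tls10, frag, tag))
}
```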
SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol
a single message
causes pending state to become current
hence updating the cipher suite in use
SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
  warning or fatal
specific alert
  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data
SSL Handshake Protocol
allows server & client to:
  authenticate each other
  to negotiate encryption & MAC algorithms
  to negotiate cryptographic keys to be used
comprises a series of messages in phases
  Establish Security Capabilities
  Server Authentication and Key Exchange
  Client Authentication and Key Exchange
  Finish
SSL Handshake Protocol
TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3 with minor differences
  in record format version number
  uses HMAC for MAC
  a pseudo-random function expands secrets
  has additional alert codes
  some changes in supported ciphers
  changes in certificate negotiations
  changes in use of padding
Secure Electronic Transactions (SET)
open encryption & security specification
to protect Internet credit card transactions
developed in 1996 by Mastercard, Visa etc
not a payment system, rather a set of security protocols & formats
  secure communications amongst parties
  trust from use of X.509v3 certificates
  privacy by restricted info to those who need it
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Dual Signature
customer creates dual messages
  order information (OI) for merchant
  payment information (PI) for bank
neither party needs details of other
but must know they are linked
use a dual signature for this
  signed concatenated hashes of OI & PI
Purchase Request – Customer
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
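The dual signature of the Dual Signature slide, together with the merchant's check (step 2 of Purchase Request – Merchant) and the gateway's check (step 5 above), as an added Go example that is not code from the slides: SHA-1 as the hash and RSA PKCS#1 v1.5 as the customer's signature scheme are assumptions matching the algorithms SET used, the key pair is generated locally, and OI and PI are constructed strings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Added illustration of the SET dual signature, not code from the slides:
//   PIMD = H(PI), OIMD = H(OI), POMD = H(PIMD || OIMD), DS = Sign_KRc(POMD)
// with SHA-1 as H and RSA (PKCS#1 v1.5) as the customer's signature scheme.
func sha1Sum(b []byte) []byte {
	s := sha1.Sum(b)
	return s[:]
}

func NewCustomerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func PIMD(pi []byte) []byte                    { return sha1Sum(pi) }
func OIMD(oi []byte) []byte                    { return sha1Sum(oi) }

// DualSign is run by the customer, who holds both PI and OI.
func DualSign(customer *rsa.PrivateKey, pi, oi []byte) ([]byte, error) {
	pomd := sha1Sum(append(PIMD(pi), OIMD(oi)...))
	return rsa.SignPKCS1v15(rand.Reader, customer, crypto.SHA1, pomd)
}

// MerchantVerify: the merchant receives OI in clear plus only PIMD, so it
// can check the signature and the OI/PI link without ever seeing card data.
func MerchantVerify(pub *rsa.PublicKey, oi, pimd, ds []byte) bool {
	pomd := sha1Sum(append(append([]byte{}, pimd...), OIMD(oi)...))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, pomd, ds) == nil
}

// BankVerify: the payment gateway receives PI plus only OIMD, so it can
// confirm the payment is bound to this order without seeing what was bought.
func BankVerify(pub *rsa.PublicKey, pi, oimd, ds []byte) bool {
	pomd := sha1Sum(append(PIMD(pi), oimd...))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, pomd, ds) == nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed OI and PI; real SET messages are ASN.1 structures.
	oi := []byte("order: 1 x textbook, ship to customer")
	pi := []byte("pan=<placeholder card number>;amount=42.00")
	ds, err := DualSign(key, pi, oi)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant verifies:", MerchantVerify(&key.PublicKey, oi, PIMD(pi), ds))
	fmt.Println("bank verifies    :", BankVerify(&key.PublicKey, pi, OIMD(oi), ds))
	// Pairing the payment with a different order breaks the link the bank relies on.
	fmt.Println("bank, other OI   :", BankVerify(&key.PublicKey, pi, OIMD([]byte("other order")), ds))
}
```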
Payment Capture
merchant sends payment gateway a payment capture request
gateway checks request
then causes funds to be transferred to merchants account
notifies merchant using capture response
Summary
have considered:
  need for web security
  SSL/TLS transport layer security protocols
  SET secure credit card payment protocols