1 certificates, ssl, and one time passwords fall 2010 david brumley
1
Certificates, SSL, and One time passwords
Fall 2010, David Brumley
2
Recap
• Recap:
  – Intro to network security
• Today:
  – X.509 Certificates
  – SSL/TLS
  – IPSec
  – Remote authentication
• HW2 is out
3
Certificate: [Alice || Alice's public key || Expiration date]
Certificates bind a public key to a user
4
Certificate: [Alice || Alice's public key || Expiration date], issued by a Certificate Authority (CA)
5
Certificate: [Alice || Alice's public key || Expiration date], carrying the CA signature
6
Certificate: [Alice || Alice's public key || Expiration date], plus cert parameters
7
Alice sends to the Certificate Authority (CA): User ID || public key || …
8
Alice generates and gives the Certificate Authority (CA): User ID || public key || …
CA computes:
  D = H(User ID || public key || …)
  Sig = Sign(D, CA private key)
CA gives Alice Sig
9
Alice generates and gives the Certificate Authority (CA): User ID || public key || …
CA computes:
  D = H(User ID || public key || …)
  Sig = Sign(D, Serial, CA private key)
CA gives Alice <Sig, Serial>
Alice's Certificate: [User ID || public key || …] || CA Name || Serial || Sig || <add. params>
10
X.509 Authentication Service
• universally accepted standard for formatting public-key certificates
  – widely used in network security applications, including IPSec, SSL, SET, and S/MIME
• part of CCITT X.500 directory service standards
• uses public-key crypto & digital signatures
  – algorithms not standardised, but RSA recommended
11
X.509 Certificates
12
Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
• transport layer security service
  – originally developed by Netscape
  – version 3 designed with public input
• subsequently became Internet standard RFC 2246: Transport Layer Security (TLS)
• uses TCP to provide a reliable end-to-end service
• may be provided in underlying protocol suite
• or embedded in specific packages
13
SSL
Alice ↔ Bob.com
1. ClientHello
2. ServerHello
3. ClientKeyExchange
Then: encryption with a symmetric cipher (e.g., AES) under the shared secret
14
Protocol Stack
SSL/TLS protocol stack (top to bottom):
  Handshake | Change Cipher Spec | Alert | HTTP | Telnet | …
  SSL Record Protocol
  TCP
  IP
(Handshake, Change Cipher Spec, Alert and the Record Protocol make up SSL/TLS.)
15
SSL Record Protocol Services
• message integrity
  – using a MAC with shared secret key
  – similar to HMAC but with different padding
• confidentiality
  – using symmetric encryption with a shared secret key defined by Handshake Protocol
  – AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  – message is compressed before encryption
16
SSL Record Protocol Operation
17
SSL Change Cipher Spec Protocol
• initiates a change of the keying material used for encryption between the client and server
• one of 3 SSL-specific protocols which use the SSL Record Protocol
• a single message; initiates handshake protocol
18
SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
  » warning or fatal
• specific alert
  » fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
  » warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data
19
SSL Handshake Protocol
• allows server & client to:
  – authenticate each other
  – negotiate encryption & MAC algorithms
  – negotiate cryptographic keys to be used
• comprises a series of messages in phases:
  1. Establish Security Capabilities
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4. Finish
20
Detailed Handshake Protocol
21
SSL with RSA
1. ClientHello
2. ServerHello: certificate with (Ns, es)
3. ClientKeyExchange: sends c
Client:
  i. picks random r
  ii. f = Format(r)
  iii. c = f^e mod N
Server:
  i. f' = c^d mod N
  ii. r' = unformat(f')
Then BlockCipher(r', messages). Detect misformatted messages and abort if r' != r.
Problem: attackers exposing the private key expose all traffic
22
Remote Timing Attacks are Practical
23
SSL with Ephemeral DH
1. ClientHello
2. ServerHello: certificate with (Ns, es) & DH p, g, c
Server:
  i. picks random r
  ii. f = g^a mod p
  iii. c = RSASign(f mod Ns)
3. ClientKeyExchange: sends c
Client:
  i. verify Sig
  ii. pick random x
  iii. compute c = f^x mod p
• Pre-master shared secret: g^ab mod p
• RSA Signature defeats man-in-the-middle
• Fixes RSA problem
• Much, much slower so not used often
24
Certificate Revocation
Alice Bob.com
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
Is Bob.com’s key still legit?
25
Certificate Revocation
Alice Bob.com
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
Alice then runs a verification protocol with a Verification Authority (VA)
26
Certificate Verification Protocols
• Expiration Date
• OCSP – Online Cert Status Protocol
• Certificate Revocation Lists (CRL) and Certificate Revocation Trees (CRT)
27
Online Cert Status Protocol
Alice ↔ Verification Authority (VA)
1. Request(Bob's Cert)
2. Check DB
3. Response(Sign(Bob's Cert {OK,BAD}, VA Signing Key))
• Implemented in IE7 (Vista+), Firefox, Safari, Opera, Chrome (Vista+)
• What do we do when VA key bad?
29
CRTs: Efficient Variant of OCSP [kocher98]
1. A secure and trustworthy Verification Authority (VA) creates the CRT
2. The VA distributes the CRT to insecure replicas (VA1, VA2, VA3)
3. Alice queries a replica
30
Certificate Revocation Tree Generation
Tree figure: leaves C1, C2, C3, C4, …, Ci-1, Ci are the revoked certs Cj sorted by serial; pairwise hashes h give H1, H2, H3, …; the next level gives H4, H5, H6, …; the top is Hroot.
VASig = Sign(Hroot, VA signing key), computed by the Verification Authority (VA)
32
Alice ↔ Insecure VA2 Replica
1. Is Bob's Cert C2 revoked?
2. [C1, H2, H6, VASig]   (the replica answers from its copy of the tree)
3. Alice validates C2 on list:
  a. H'root = H(H(C1, C2), H2, …, H6)
  b. H'root =?= Hroot
  c. VASig valid?
Size of proof: O(log i)
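The query and validation steps above, as an added example that is not part of the lecture or of Kocher's implementation; the revoked serials, the query serials and the VA's key are constructed. It generalizes the slide in one way: following Kocher's CRT, each leaf is the range between two consecutive revoked serials, so a replica must hand Alice a signed proof for "not revoked" as well, rather than just asserting it. The VA signature is a textbook-RSA toy with a tiny modulus used only to keep the demo self-contained; a real VA uses a proper signature scheme.

```python
import hashlib
from typing import List, Optional, Tuple

# Toy VA signing key (constructed). Textbook RSA over two Mersenne primes with no
# padding and a ~92-bit modulus: only here to make the demo self-contained.
_P, _Q = 2**31 - 1, 2**61 - 1
VA_N, VA_E = _P * _Q, 65537
_VA_D = pow(VA_E, -1, (_P - 1) * (_Q - 1))   # private exponent, held only by the VA


def h(data: bytes) -> bytes:
    """The tree hash (the slide's h)."""
    return hashlib.sha256(data).digest()


def va_sign(root: bytes) -> int:
    return pow(int.from_bytes(root, "big") % VA_N, _VA_D, VA_N)


def va_verify(root: bytes, sig: int) -> bool:
    """Anyone holding (VA_N, VA_E) can check the root; replicas cannot forge it."""
    return pow(sig, VA_E, VA_N) == int.from_bytes(root, "big") % VA_N


# A leaf is the half-open serial range [lo, hi) between consecutive revoked
# serials; None marks an unbounded end. A serial x in the leaf is revoked iff x == lo.
Leaf = Tuple[Optional[int], Optional[int]]


def covers(leaf: Leaf, x: int) -> bool:
    lo, hi = leaf
    return (lo is None or lo <= x) and (hi is None or x < hi)


def leaf_hash(leaf: Leaf) -> bytes:
    enc = lambda v: b"-" if v is None else str(v).encode()
    return h(b"leaf|" + enc(leaf[0]) + b"|" + enc(leaf[1]))


def build_crt(revoked: List[int]):
    """VA side: revoked serials -> (leaves, hash levels, VASig over Hroot)."""
    bounds = [None] + sorted(set(revoked)) + [None]
    leaves = [(bounds[i], bounds[i + 1]) for i in range(len(bounds) - 1)]
    levels = [[leaf_hash(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])          # duplicate the last node on odd-sized levels
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return leaves, levels, va_sign(levels[-1][0])


def crt_proof(x: int, leaves, levels):
    """Replica side: the leaf covering x plus the sibling hashes up to the root."""
    idx = next(i for i, leaf in enumerate(leaves) if covers(leaf, x))
    leaf, path = leaves[idx], []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib < idx))   # (sibling hash, sibling is on the left)
        idx //= 2
    return leaf, path


def crt_verify(x: int, leaf: Leaf, path, sig: int) -> Optional[bool]:
    """Alice's side: True = revoked, False = not revoked, None = proof rejected."""
    if not covers(leaf, x):
        return None                      # replica answered about the wrong range
    node = leaf_hash(leaf)
    for sib, sib_is_left in path:        # recompute H'root from the leaf upward
        node = h(sib + node) if sib_is_left else h(node + sib)
    if not va_verify(node, sig):         # H'root =?= Hroot, and VASig valid?
        return None
    return x == leaf[0]


def demo() -> dict:
    revoked = [17, 42, 1000]                      # constructed revoked serials
    leaves, levels, sig = build_crt(revoked)
    out = {}
    for x in (42, 43, 5, 5000):
        leaf, path = crt_proof(x, leaves, levels)
        out[x] = crt_verify(x, leaf, path, sig)
    # A dishonest replica edits the leaf to make 42 look unrevoked: root mismatch.
    leaf, path = crt_proof(42, leaves, levels)
    out["tampered"] = crt_verify(42, (41, leaf[1]), path, sig)
    out["proof_len"] = len(path)                  # O(log i) sibling hashes
    return out
```

Alice trusts only the VA's public key: the replica can serve the proof but cannot change an answer without breaking either the root recomputation or the signature, which is why untrusted replicas are acceptable in this design.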
33
IPSec
34
IP Security
• various application security mechanisms
  – e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• security concerns cross protocol layers
• hence would like security implemented by the network for all applications
35
IPSec
• general IP Security mechanisms
• provides
  – authentication
  – privacy
  – key management
• applicable to use over LANs, across public & private WANs, & for the Internet
36
IPSec Uses
37
Benefits of IPSec
• in a firewall/router provides strong security to all traffic crossing the perimeter
• in a firewall/router is resistant to bypass
• the application can request the operating system to set up a security association before starting a TCP connection or a UDP exchange
• can be transparent to end users
• can provide security for individual users
• secures routing architecture
38
IP Security Architecture
• mandatory in IPv6, optional in IPv4
• has two security header extensions:
  – Authentication Header (AH) (authentication only)
  – Encapsulating Security Payload (ESP) (auth/encryption)
• VPNs want both authentication/encryption
  – hence usually use ESP
• specification is quite complex
  – numerous RFCs: 2401/2402/2406/2408
39
Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
  – end system/router can authenticate user/app
  – prevents address spoofing attacks by tracking sequence numbers
• based on use of a MAC
  – HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
40
Authentication Header
41
Encapsulating Security Payload (ESP)
42
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
  – 2 per direction for AH & ESP
• manual key management
  – sysadmin manually configures every system
• automated key management
  – automated system for on-demand creation of keys for SAs in large systems
  – has Oakley & ISAKMP elements
43
Remote Authentication
44
Authentication Mechanisms in Practice: Passwords
– Used to authenticate people
– Low entropy
– Replay attacks possible
– Secrets stored on server
– Aside: “Extra questions” for password recovery insecure
Security Properties?
45
Authentication Mechanisms in Practice: Biometrics
– No remote login
– No revocation
– Best used for 2-factor authentication (to increase password entropy)
Security Properties?
46
Lamport Hashes (One-Time Passwords)
1. Setup: Alice picks p and computes w = h(h(h(…h(p)…))), n times
  – Denote n hashes by h^n(p)
  – Puts w on server, stores p and n
2. Alice authenticates:
  – n = n - 1
  – x = h^n(p)
  – Send x
  – Server verifies h(x) = w
  – Server stores x if correct
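The setup and authentication steps above, as an added example that is not the lecture's code; the secret p, the chain length n and the eavesdropper scenario are constructed. Beyond the two steps on the slide it shows the server rejecting a replayed value and the chain running out after n logins, the properties this scheme is usually judged on.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One step of the hash chain (the lecture's h)."""
    return hashlib.sha256(x).digest()


def h_n(p: bytes, n: int) -> bytes:
    """h applied n times to p, i.e. h^n(p)."""
    x = p
    for _ in range(n):
        x = h(x)
    return x


class LamportClient:
    """Alice's side: holds the secret p and the remaining count n."""

    def __init__(self, p: bytes, n: int):
        self.p, self.n = p, n

    def setup(self) -> bytes:
        # w = h^n(p) goes to the server; p itself never leaves the client.
        return h_n(self.p, self.n)

    def next_password(self) -> bytes:
        if self.n == 0:
            raise RuntimeError("chain exhausted: re-run setup with a fresh p")
        self.n -= 1                      # n = n - 1
        return h_n(self.p, self.n)       # x = h^n(p)


class LamportServer:
    """Server side: stores only the last accepted value w, never p."""

    def __init__(self, w: bytes):
        self.w = w

    def verify(self, x: bytes) -> bool:
        if hmac.compare_digest(h(x), self.w):   # h(x) = w ?
            self.w = x                          # store x; the next x must hash to it
            return True
        return False


def demo(n: int = 5) -> dict:
    p = b"constructed-secret-for-demo"          # constructed sample secret
    alice = LamportClient(p, n)
    server = LamportServer(alice.setup())
    logins, captured = [], None
    for i in range(n):
        x = alice.next_password()
        if i == 1:
            captured = x                        # an eavesdropper records one value
        logins.append(server.verify(x))
    replay_accepted = server.verify(captured)   # replaying the recorded value
    try:
        alice.next_password()
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"logins": logins, "replay_accepted": replay_accepted, "exhausted": exhausted}
```

The replayed value fails because the server has already moved w past it: h(captured) equals a value further up the chain, not the one now stored. Recovering the next password from w alone would require inverting h, which is why a stolen server database gives an attacker nothing usable.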
47
Security properties of One-Time Passwords
1. Protects against replay/eavesdropping
2. No secrets on server
3. Limited # of authentications
4. Insecure against man-in-the-middle
48
Secure Tokens
k0 = initial shared secret; k = H(k) every t seconds
49
Secure Tokens
k0 = initial shared secret; k = H(k) every t seconds
Security Properties?
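The hash-chain token from the two slides above, as an added example that is not part of the lecture; the shared seed, the period and the clock values are constructed. It shows the server-side check a practitioner would want: the server walks its copy of the chain forward, accepts a token only within a small clock-skew window, and never accepts a step index it has already accepted, which is what stops replay of a token recorded during its validity period. Note the contrast with the Lamport chain: here the chain runs forward, so the server's current k lets anyone compute every future token, and a server compromise exposes the secret.

```python
import hashlib
import hmac


def H(k: bytes) -> bytes:
    """One tick of the token: k = H(k)."""
    return hashlib.sha256(k).digest()


def advance(k: bytes, steps: int) -> bytes:
    for _ in range(steps):
        k = H(k)
    return k


def token_value(k0: bytes, t0: int, now: int, period: int) -> bytes:
    """What the token shows at time `now`: H applied once per elapsed period since t0."""
    return advance(k0, (now - t0) // period)


class TokenServer:
    def __init__(self, k0: bytes, t0: int, period: int, skew: int = 1):
        self.k, self.idx = k0, 0          # current chain value and its step index
        self.t0, self.period, self.skew = t0, period, skew
        self.last_accepted = -1           # step index of the last successful login

    def verify(self, token: bytes, now: int) -> bool:
        target = (now - self.t0) // self.period
        # Candidate steps: within +/- skew of the server's clock, never behind the
        # chain state we already hold, and strictly after the last accepted step.
        lo = max(self.idx, target - self.skew, self.last_accepted + 1)
        hi = target + self.skew
        k, idx = advance(self.k, lo - self.idx), lo
        while idx <= hi:
            if hmac.compare_digest(k, token):
                self.k, self.idx, self.last_accepted = k, idx, idx
                return True
            k, idx = H(k), idx + 1
        return False                      # state is left untouched on failure


def demo() -> dict:
    k0, t0, period = b"constructed-shared-seed", 0, 30   # constructed values
    server = TokenServer(k0, t0, period, skew=1)
    out = {}
    tok = token_value(k0, t0, 95, period)                 # client clock 95 -> step 3
    out["in_sync"] = server.verify(tok, 100)              # server clock 100 -> step 3
    out["replay"] = server.verify(tok, 110)               # same token, same step: refused
    ahead = token_value(k0, t0, 125, period)              # client one period fast (step 4)
    out["one_step_ahead"] = server.verify(ahead, 100)     # inside the skew window
    stale = token_value(k0, t0, 40, period)               # step 1, outside the window
    out["stale"] = server.verify(stale, 100)
    return out
```

Widening `skew` trades tolerance of clock drift for a longer window in which a recorded token stays usable, so the replay check on `last_accepted` matters more as the window grows.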
50
That is all for today