foundations of network and computer security j j ohn black lecture #16 oct 5 th 2007 csci 6268/tlen...
Post on 21-Dec-2015
215 views
TRANSCRIPT
![Page 1: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/1.jpg)
Foundations of Network and Foundations of Network and Computer SecurityComputer Security
JJohn Black
Lecture #16Oct 5th 2007
CSCI 6268/TLEN 5831, Fall 2007
![Page 2: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/2.jpg)
Announcements
• Martin has Quiz #2 graded and available
• No further quizzes before the midterm
• Project #0 is on the web page– Should have enough info by today to get
started on it
![Page 3: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/3.jpg)
OpenSSL enc command
• openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a] [-K key] [-iv IV] [-p] [-P]
• -ciphername can be– des-ecb (yuk!), des-cbc (hmm), des (same as des-
cbc), des-ede3-cbc, des3 (same), aes-128-cbc, bf, cast, idea, rc5
– Can omit the ‘enc’ command if specifying these…– Encrypt with –e– Decrypt with –d– K and IV are obvious
![Page 4: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/4.jpg)
Passphrase-Based encPassphrase
hash function
AES-128-CBC
iv, key (128 bits each)
salt
salt ciphertext
Things to think about:• How to decrypt? Is the IV needed in the ciphertext?• Is the passphrase safe even though the salt and iv are known?
plaintext
![Page 5: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/5.jpg)
So How to Encrypt
• Let’s encrypt the file ‘test’% cat test
hi there
% openssl aes-128-cbc -in test
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
Salted__mTR&Qi¦¹K¯¿Óàg&5&kE
• What’s up with the garbage? – Of course the AES outputs aren’t ASCII!– Use –base64 option
![Page 6: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/6.jpg)
base64
• This is an encoding scheme (not cryptographic)– Translates each set of 6 bits into a subset of ASCII
which is printable– Makes ‘garbage’ binary into printable ASCII
• Kind of like uuencode
– Of course this mapping is invertible– For encryption we want to do this after we encrypt– For decryption, we undo this before we decrypt– This is the –a flag for ‘enc’ but –base64 works as well
and is preferable
![Page 7: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/7.jpg)
Example: base64
• Let’s encrypt file ‘test’ again, but output readable ciphertext
% openssl aes-128-cbc -in test -base64
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY=
• We’ll always use this option when dealing with portability issues– Like sending ciphertext over email
![Page 8: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/8.jpg)
Decrypting
• The command to decrypt is once again ‘enc’ – This makes no sense; get used to it– Use the –d flag to tell enc to decrypt– Let’s decrypt the string U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY=
which I’ve placed into a file called ‘test.enc’% openssl enc -d -in test.enc
U2FsdGVkX18FZENOZFZdYvLoqPdpRTgZw2CZIQs6bMQ=
![Page 9: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/9.jpg)
Hunh?
• It just gave back the ciphertext?!– We didn’t specify an encryption algorithm– Default is the identity map (get used to it)– Let’s try again
% openssl aes-128-cbc -d -in test.enc
enter aes-128-cbc decryption password:
bad magic number
• Ok, now what’s wrong?
![Page 10: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/10.jpg)
Error messages not useful
• We forgot to undo the –base64– The error msg didn’t tell us that (get used to it)– One more try:% openssl aes-128-cbc -d -in test.enc -base64
enter aes-128-cbc decryption password:
hi there
– It was all worth it, right?– Now it’s your turn
![Page 11: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/11.jpg)
Project #0
• I’ll give you a ciphertext, you find the password– Password is a three-letter lowercase alpha
string– Main purpose is to get you to figure out where
openssl lives on your computer(s) – Don’t do it by hand– Full description on our web page
• Due Oct 19th, in class
![Page 12: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/12.jpg)
Back to SSL/TLS
• SSL– Secure Socket Layer
• Designed by Paul Kocher, consulting for Netscape
• TLS– Transport Layer Security
• New version of SSL, and probably what we should call it (but I’m used to SSL)
• Used for web applications (https)– But also used many other places that aren’t
as well-known
![Page 13: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/13.jpg)
TLS – Sketch
• Let’s start by trying to design TLS ourselves and see what else we’ll need– This will end up being only a sketch of the very
complex protocol TLS actually is
• We want:– Privacy, authentication– Protection against passive and active adversaries
• We have:– Symmetric/asymmetric encryption and authentication– Collision-resistant hash functions
![Page 14: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/14.jpg)
A First Stab
• First we need a model– Client/Server is the usual one– Client and Server trust each other– No shared keys between client and server
• Assuming a shared key is not realistic in most settings
– Adversary is active (but won’t try DoS)
• Server generates RSA key pair for encryption– pkS, skS
– S subscript stands for “Server”
![Page 15: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/15.jpg)
A First Stab (cont)
• Now client C comes along and wants to communicate with server S– C sends SSL HELLO to initiate session– S responds by sending pkS
– C sends credit card number encrypted with pkS
– S decrypts credit card number with skS and charges the purchase
• What’s wrong here?
![Page 16: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/16.jpg)
Our First Protocol: Problems
• There are tons of problems here– We don’t know how to encrypt {0,1}*, only how to
encrypt elements of Zn*
• Ok, say we solve that problem (there are ways)
– It’s really SLOW to use RSA on big messages• Ok, we mentioned this before… let’s use symmetric
cryptography to help us
– There is no authentication going on here!• Adversary could alter pkS on the way to the client
• We’d better add some authentication too
• Let’s try again…
![Page 17: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/17.jpg)
Second Stab
• C says Hello• S sends pkS to C• C generates two 128-bit session keys
– Kenc, Kmac, used for encryption and MACing
• C encrypts (Kenc, Kmac) with pkS and sends to S
• S recovers (Kenc, Kmac) using skS and both parties use these “session keys” to encrypt and MAC all further communication
![Page 18: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/18.jpg)
Second Stab (cont)
• Problems?– Good news: we’re a lot more efficient now
since most crypto is done with symmetric key– Good news: we’re doing some authentication
now– Bad news: Man-in-the-Middle attack still
possible– Frustratingly close
• If we could get pkS to the client, we’d be happy
![Page 19: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/19.jpg)
Man in the Middle
• Let’s concretely state the problem– Suppose an adversary A generates pkA and skA
– Now S sends pkS to C, but A intercepts and sends pkA to C instead
– C responds with (Kenc, Kmac) encrypted under pkA and sends to S
– A intercepts, decrypts (Kenc, Kmac) using skA and re-encrypts with pkS then sends on to S
• A doesn’t have to use (Kenc, Kmac) here… any keys would do
– Idea is that A proxies the connection between C and S and reads/alters any traffic he wishes
![Page 20: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/20.jpg)
MitM Attack
C A S
hello hello
pkSpkA
(Kenc, Kmac) under pkA (Kenc, Kmac) under pkS
“Welcome” under (Kenc, Kmac)
CC# under (Kenc, Kmac)
“Welcome” under (Kenc, Kmac)
CC# under (Kenc, Kmac)
![Page 21: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/21.jpg)
How do we Stop This?
• Idea:– Embed pkS in the browser
• A cannot impersonate S if the public key of S is already held by C
• Problems:– Scalability (100,000 public keys in your browser?)
– Key freshening (if a key got compromised and it were already embedding in your browser, how would S update?)
– New keys (how do you get new keys? A new browser?)
– Your crypto is only as reliable as the state of your browser (what if someone gets you to install a bogus browser?)
• (Partial) Solution: Certificates
![Page 22: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/22.jpg)
Certificates: Basic Idea
• Enter the “Certification Authority” (CA)– Some trusted entity who signs S’s public key
• Well-known ones are Verisign, RSA• Let’s assume the entity is called “CA”
• CA generates keys vkCA and skCA
• CA signs pkS using skCA
• CA’s vkS is embedded in all browsers– Same problem with corrupted browsers as before, but
the scaling problem is gone
![Page 23: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/23.jpg)
New Protocol
• C sends Hello
• S sends pkS and the signature of CA on pkS
– These two objects together are called a “certificate”
• C verifies signature using vkCA which is built in to his browser
• C generates (Kenc, Kmac), encrypts with pkS and sends to S
• S decrypts (Kenc, Kmac) with skS
• Session proceeds with symmetric cryptography
![Page 24: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/24.jpg)
SSH (A Different Model)
• SSH (Secure SHell)– Replacement for telnet– Allows secure remote logins
• Different model– Too many hosts and too many clients– How to distribute pk of host?– Can be done physically– Can pay a CA to sign your keys (not likely)– Can run your own CA
• More reasonable, but still we have a bootstrapping problem
![Page 25: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/25.jpg)
SSH: Typical Solution
• The most common “solution” is to accept initial exposure– When you connect to a host for the first time you get
a warning:• “Warning: host key xxxxxx with fingerprint xx:xx:xx is not in
the .ssh_hosts file; do you wish to continue? Saying yes may allow a man-in-the-middle attack.” (Or something like that)
• You take a risk by saying “yes”• If the host key changes on your host and you didn’t expect
that to happen, you will get a similar warning– And you should be suspicious
![Page 26: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/26.jpg)
Key Fingerprints
• The key fingerprint we just saw was a hash of the public key– Can use this when you’re on the road to verify
that it’s the key you expect• Write down the fingerprint on a small card and
check it• When you log in from a foreign computer, verify
the fingerprint
– Always a risk to log in from foreign computers!
![Page 27: Foundations of Network and Computer Security J J ohn Black Lecture #16 Oct 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d625503460f94a453a0/html5/thumbnails/27.jpg)
X.509 Certificates
• X.509 is a format for a certificate– It contains a public key (for us, at least), email
address, and other information– In order to be valid, it must be signed by the
CA– In this class, our grader Martin, will be the CA