fundamentals of network security 3. network security protocols · 3. network security protocols...
TRANSCRIPT
FundamentalsofNetworkSecurity3.NetworkSecurityProtocols
CryptoWorks21•July25&27,2017
Dr DouglasStebila
https://www.douglas.stebila.ca/teaching/cryptoworks21
FundamentalsofNetworkSecurity1. BasicsofInformationSecurity
– Securityarchitectureandinfrastructure;securitygoals(confidentiality,integrity,availability,andauthenticity);threats/vulnerabilities/attacks;riskmanagement
2. CryptographicBuildingBlocks– Symmetriccrypto:ciphers(stream,block),hashfunctions,message
authenticationcodes,pseudorandomfunctions– Publickeycrypto:publickeyencryption,digitalsignatures,keyagreement
3. NetworkSecurityProtocols&Standards– Indetail:publickeyinfrastructure,TLS– Overview:Networking,SSH,IPsec,Kerberos,WEP
4. NetworkScanningandDefence– Trafficsniffingandnetworkreconnaissance(mmap)– Networkprotection:firewallsandintrusiondetection
5. AccessControl&Authentication;WebApplicationSecurity– Accesscontrol:discretionary/mandatory/role-based;phases– Authentication:somethingyouknow/have/are/somewhereyouare– Websecurity:cookies,SQLinjection– Supplementalmaterial:Passwords
NetworkSecurityProtocols
• PublicKeyInfrastructure• Networking• TransportLayerSecurity(TLS)• Otherprotocols– SecureShell(SSH)– IPsec– Kerberos–WiredEquivalentProtocol(WEP)
PUBLICKEYINFRASTRUCTURES(PKI)
Problem:HowdoesBobgetAlice’spublickeytobeginwith?
Usingdigitalsignaturesforentityauthentication
Bobsendsarandom
challengetoAlice
Alicesignsthechallengeusingherprivatekey
Alicesendssignatureto
Bob
BobverifiesthesignatureusingAlice’spublickey
Certificatesandcertificateauthorities
• Acertificate isanassertionbyatrustedthirdpartythataparticularpublickeybelongstoaparticularentity.
• Thecertificateauthoritygeneratesacertificateby1. Obtainingtheuser’spublickeybysometrustmechanism.2. Verifyingthattheuserreallyiswhoshesayssheis.3. Signing(usingthecertificateauthority’spublickey)theuser’spublickey
andname.
• Thisallowstwopartieswhohavenevermettoestablishtrustbetweenthem:– Exchangecertificates.– Doauthenticationusingdigitalsignatures.– Iftheyeachtrustthecertificateauthoritythatsignedtheotherparty’s
certificate,theycannowbecertainwhotheotherpartyis.
X.509certificatesAstandardizedformatforcertificates.Usesastrange(old)formatcalledASN.1andastrangebinaryencoding.
Publickey
Certificateauthority
Validityperiod
Revocationinformation
Domainname
CA’ssignatureoneverything
+Certificaterevocation
CertificateRevocationLists(CRLs)• EachCAcanpublishafile
containingalistofcertificatesthathavebeenrevoked.
• Havetodownloadwholelist.• CRLaddressoftenincludedin
certificate.
• Onceacertificate’sbeenissued,whathappensiftheuser’sprivatekeyhasbeencompromised?
• Wewouldliketobeabletorevoke thecertificate,orindicatethatitshouldnolongerbetrusted.
• Whenrevokingcertificatesthatwereusedformessageauthentication,whatdoesthatmeanfordocumentssignedusingthatcertificate?Mayneedatrustedtimestampserveraswell.
OnlineCertificateStatusProtocol(OCSP)• AnonlineservicerunbyaCAfor
checkinginreal-timeifacertificatehasbeenrevoked.
• Don’thavetodownloadwholelist.• Notwidelyimplemented.
PublickeyinfrastructureApublickeyinfrastructure (PKI) is• asetofsystems(hardware,software,policies,procedures)• formanaging(creating,distributing,storing,revoking)• digitalcertificates.
Includes:• oneormorecertificateauthorities• users• relyingparties• possiblyatimestampserver• possiblyadirectoryserverstoringcertificates(e.g.,LDAP
server,ActiveDirectoryserver)
Certificatetypes
Domainvalidation• Identity
confirmedbyvalidatingcontroloverDNSrecord
• Let'sEncrypt$0• Comodo $77• Thawte$149
Organizationvalidation• Identity
confirmedbysomechecksoflegalstatusoforganization
• Symantec$995• Thawte$199
Extendedvalidation• Morerigourous
checkoforganization'sexistence
• Symantec$995• Thawte$299
Eye-trackingstudiesshowthatusersdonotnoticetheseadditionalsecurityindicators
CertificateTransparency
• AcertificateloggingmechanismtoallowanyonetocheckwhichcertificatesaCAhasissued
• AuditorsmonitorCAstowatchformaliciousbehaviour
• Domainnameownersmonitorthelogstocheckforcertificatesissuedfortheirdomains
BrowserstrusthundredsofCAs(directlyorindirectly)bydefault.
AnyCAcanissueacertificateforanydomain.(Somenewprotocolshelprestrictthat.)
Secure email
• X.509certificatescanalsobeusedtosendsecureemail:– digitallysigned– encrypted
• S/MIME (Secure/MultipurposeInternetMailExtensions):– Supportedinmostdesktopmailprograms.– Reliesonapublickeyinfrastructure.
• PGP (PrettyGoodPrivacy):– Availableasanadd-ontomostdesktopmailprograms.– Usespublickeys,butdoesn’trequireCAs:usersmanually
distributetheirkeysina“weboftrust”• Notwidelyused:
– UsersmustknowhowsetuppublickeysandobtainS/MIMEX.509certificateordistributePGPpublickeys.
– Littletonosupportinwebmail.
ApplicationsofPKIs
• Websiteauthentication(TLS)• Emailauthentication(S/MIME,PGP)• Domainnames(DNSSEC)• Digitalidentities– e.g.,nationalidentitycards(Belgium,Spain,Germany)
• Business-to-businesse-commerce– e.g.,digitallysigningtransactions,XMLsignatures
NETWORKING
IETFInternetProtocolsuiteLayer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP, WPA)• ADSL• GSM/3G
There’salsothe7-layerOSImodel.
Mostd
efined
bythe
InternetEngineerin
gTask
Force(IE
TF)
Link(a.k.a.networkaccess)layer
Computernetworkscanusealargenumberofconnectionsandtransmissionmedia• Telephonewires• Ethernet(twistedpair)cables• OpticFibrecables• Satellitecommunications• Mobilephonenetworks• Wirelessnetworks• Bluetooth
Atthislayerphysicaladdressesidentifynetworknodes• EthernetMACaddress
Thelink ornetworkaccesslayer isthephysicallayerandisassociatedwithcomputerhardware.
Internet(a.k.a.network)layer
Hostaddressingandidentification:• EachhosthasauniqueIP
address:– IPv4,32bit,
e.g.,131.181.118.220– IPv6,128bit,
e.g.,2001:0db8:85a3:0000:0000:8a2e:0370:7334
Packetrouting:• OrganizationsareassignedarangeofIPaddressesthattheymanageandassigntotheircomputers.
TheInternetlayer runsalowlevelprotocolcalledtheInternetProtocol(IP)(plusafewextrahelpers,e.g.ICMP).• IPv4(1981),IPv6(1996)
TransportLayer
TCP (TransmissionControlProtocol)• connection-oriented protocol
– back-and-forth,ongoingconnections
• reliability– largemessagessplitintopackets– in-orderdeliveryofpackets,
recombinedtolargemessage– errorchecking– retransmissionoflostpackets– congestioncontrol
UDP (UserDatagramProtocol)• connectionless protocol
• sendapacket,that’sit• unreliable
• simpleerrorchecking• noretransmissionoflost
packets• usedforstreaming
• audio,video,VOIP
Thetransportlayer establishesbasicdatachannelsforapplications.Itusesports todistinguishbetweendifferentapplicationsonthesamehost.
Applicationlayer
Eachapplicationprotocolhasuniquemessageformatsthataresentandreceivedtoachievetheirtasks.• HTTP(web)• FTP(filetransfer)• SSH,Telnet(login)• SMTP,POP3,IMAP(email)• XMPP(chat)• BitTorrent (I’msureyouknowwhat
thisisusedfor)
Eachapplicationprotocolrequiresthelowernetworklayers(TCP,IP,NetworkAccess)tocommunicateonthenetwork.
ManyuseanintermediateprotocolcalledSSL/TLSforencryptionandauthentication.
Applicationlayerprotocols areusedbyapplicationstoprovideuserservicesoveranetwork.
Client-serverontheInternet• Eachapplicationserverlistensformessagesonaparticularportnumber.Commonports:– webservers:port80(HTTP),443(HTTPS)– login:port22(SSH),23(Telnet)– filetransfer:port20/21(FTP),22(SFTP/SCP)– emailservers:port25(SMTP),220/993(IMAP),110(POP)
• ClientsidentifythemachinetheywanttoconnecttousinganIPaddress.
• Clientsidentifytheprogramtheywanttouseusingaportnumber.
ApplicationLayer– Webbrowser••Constructstherequestinaspecificformat– HTTPrequest.••Includesaddressinformationoftheserver(IPaddressandportnumber)
TransportLayer••BreaksHTTPrequestintoTCPpackets(eachwithaddressinfo– IPaddressandport)
InternetLayer••RoutesTCPpacketstodestinationIPaddress(packetswitching)
LinkLayer••Packetsaretransmittedacrosswire,wireless,satelliteetcdependingonhowcomputerisconnected
Example:requestingawebpage
LinkLayer••Receivespacketsacross“wire”
InternetLayer••CollectspacketsforthisIPaddress
TransportLayer••Assemblespacketsofrequest.••Determinesifthereareanyerrors,andifsorequestsretransmission.••SendscompleteHTTPrequesttospecifiedport
ApplicationLayer– Webserver••ProcessestheHTTPrequest,maybepreparesaresponse
Example:receivingawebpagerequest
NetworksecurityprotocolsNetwork-relatedsecurityprotocolsincommonuseinclude:
– SecureShell(SSH):Usedforremotelogin,filetransfer,andlimitedVPNservice.
– TransportLayerSecurity(TLS):Usedextensivelyonthewebandisoftenreferredtoinprivacypoliciesasameansofprovidingconfidentialwebconnections.
– IPSecurity(IPsec):ProvidessecurityservicesattheIPlevelandisusedtoprovideVirtualPrivateNetwork(VPN)services.
– WiFi security(WEP,WPA):Providessecurityservicesatthelinklayerforwirelesscommunication
IETFInternetProtocolsuiteLayer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
TLS
TRANSPORTLAYERSECURITY(TLS)A.K.A.SECURESOCKETSLAYER(SSL)
Terminology• SSL:SecureSocketsLayer• ProposedbyNetscape
– SSLv2:1995– SSLv3:1996
• TLS:TransportLayerSecurity
• IETFStandardizationofSSL– TLSv1.0=SSLv3:1999– TLSv1.1:2006– TLSv1.2:2008– TLSv1.3:2017?
• HTTPS: HTTP(HypertextTransportProtocol)overSSL
SecuritygoalsofTLS
• Providesauthentication basedonpublickeycertificates– server-to-client(always)– client-to-server(optional)
• Providesconfidentiality andintegrity ofmessagetransmission
• Butonlyprotectsconfidentialityifauthenticationiscorrect.
IETFInternetProtocolsuiteLayer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN• ADSL• GSM/3G
TLSaddsencryptiontomanyapplicationlevelprotocols
TLS
TLSandHTTP• TLScanbeusedtoprovideprotectionforHTTPcommunications:– Port443isreservedforHTTPoverTLS
• HTTPSisthenameoftheURLschemeusedwiththisport.
• http://www.develop.com impliestheuseofstandardHTTPusingport80.
• https://www.develop.com impliestheuseofHTTPoverTLSusingport443.
SSL/TLSProtocol
Client Server
1.Negotiatecryptographicalgorithms
2.Authenticateusingcertificates
3.Establishencryptionkeys
Internet
MessageEncryptedMessage
Encryption Decryption
EncryptedMessage Message
SSLSession
Key KeyMAC MAC
HAND
SHAK
ERE
CORD
LAYER
WhatisTLS?
• 5protocolversions• vastarrayofstandards• manyimplementations!• 300+combinationsof
cryptographicprimitives• differentlevelsofsecurity• differentmodesof
authentication• additionalfunctionality:
– alerts&errors– sessionresumption– renegotiation– compression
https://www.trustworthyinternet.org/ssl-pulse/July2,2017
1995 1996 1999 2006 2008
WhatisTLS?
ThecurrentapprovedversionofTLSisversion1.2,whichisspecifiedin:• RFC5246:“TheTransportLayerSecurity(TLS)ProtocolVersion1.2”.Thecurrentstandardreplacestheseformerversions,whicharenowconsideredobsolete:• RFC2246:“TheTLSProtocolVersion1.0”.• RFC4346:“TheTransportLayerSecurity(TLS)ProtocolVersion1.1”.aswellastheneverstandardizedSSL3.0:• RFC6101:“TheSecureSocketsLayer(SSL)ProtocolVersion3.0”.OtherRFCssubsequentlyextendedTLS.ExtensionstoTLS1.0include:• RFC2595:“UsingTLSwithIMAP,POP3andACAP”.SpecifiesanextensiontotheIMAP,POP3andACAPservicesthatallowtheserver andclientto
usetransport-layersecuritytoprovideprivate,authenticatedcommunicationovertheInternet.• RFC2712:“AdditionofKerberosCipherSuitestoTransportLayerSecurity(TLS)”.The40-bitciphersuitesdefinedinthismemoappearonlyfor
thepurposeofdocumentingthefactthatthoseciphersuitecodeshavealreadybeenassigned.• RFC2817:“UpgradingtoTLSWithinHTTP/1.1”,explainshowtousetheUpgrademechanisminHTTP/1.1toinitiateTransportLayerSecurity(TLS)
overanexistingTCPconnection.ThisallowsunsecuredandsecuredHTTPtraffictosharethesamewellknownport(inthiscase, http:at80ratherthanhttps:at443).
• RFC2818:“HTTPOverTLS”,distinguishessecuredtrafficfrominsecuretrafficbytheuseofadifferent'serverport'.• RFC3207:“SMTPServiceExtensionforSecureSMTPoverTransportLayerSecurity”.SpecifiesanextensiontotheSMTPservicethatallowsan
SMTPserverandclienttousetransport-layersecuritytoprovideprivate,authenticatedcommunicationovertheInternet.• RFC3268:“AESCiphersuites forTLS”.AddsAdvancedEncryptionStandard(AES)ciphersuitestothepreviouslyexistingsymmetricciphers.• RFC3546:“TransportLayerSecurity(TLS)Extensions”,addsamechanismfornegotiatingprotocolextensionsduringsessioninitialisation and
definessomeextensions.MadeobsoletebyRFC4366.• RFC3749:“TransportLayerSecurityProtocolCompressionMethods”,specifiestheframeworkforcompressionmethodsandtheDEFLATE
compressionmethod.• RFC3943:“TransportLayerSecurity(TLS)ProtocolCompressionUsingLempel-Ziv-Stac (LZS)”.• RFC4132:“AdditionofCamelliaCipherSuitestoTransportLayerSecurity(TLS)”.• RFC4162:“AdditionofSEEDCipherSuitestoTransportLayerSecurity(TLS)”.• RFC4217:“SecuringFTPwithTLS”.• RFC4279:“Pre-SharedKeyCiphersuites forTransportLayerSecurity(TLS)”,addsthreesetsofnewciphersuitesfortheTLSprotocoltosupport
authenticationbasedonpre-sharedkeys.ExtensionstoTLS1.1include:• RFC4347:“DatagramTransportLayerSecurity”specifiesaTLSvariantthatworksoverdatagramprotocols(suchasUDP).• RFC4366:“TransportLayerSecurity(TLS)Extensions”describesbothasetofspecificextensionsandagenericextensionmechanism.• RFC4492:“EllipticCurveCryptography(ECC)CipherSuitesforTransportLayerSecurity(TLS)”.• RFC4507:“TransportLayerSecurity(TLS)SessionResumptionwithoutServer-SideState”.• RFC4680:“TLSHandshakeMessageforSupplementalData”.• RFC4681:“TLSUserMappingExtension”.• RFC4785:“Pre-SharedKey(PSK)Ciphersuites withNULLEncryptionforTransportLayerSecurity(TLS)”.• RFC5054:“UsingtheSecureRemotePassword(SRP)ProtocolforTLSAuthentication”.DefinestheTLS-SRPciphersuites.• RFC5081:“UsingOpenPGP KeysforTransportLayerSecurity(TLS)Authentication”,obsoletedbyRFC6091.ExtensionstoTLS1.2include:• RFC5746:“TransportLayerSecurity(TLS)RenegotiationIndicationExtension”.• RFC5878:“TransportLayerSecurity(TLS)AuthorizationExtensions”.• RFC6091:“UsingOpenPGP KeysforTransportLayerSecurity(TLS)Authentication“.• RFC6176:“ProhibitingSecureSocketsLayer(SSL)Version2.0”.• RFC6209:“AdditionoftheARIACipherSuitestoTransportLayerSecurity(TLS)”.
http://en.wikipedia.org/wiki/Transport_Layer_Security
StructureofTLS
Negotiationofcryptographicparameters
Authentication(one-wayormutual)usingpublickeycertificates
Establishmentofamastersecretkey
Derivationofencryptionandauthenticationkeys
Keyconfirmation
Bi-directionauthenticatedencryptionOptionalcompression
HANDS
HAKEPRO
TOCO
LRE
CORD
LAYER
ALERTPROTOCOL
StructureofTLS
ClientHello --------> ServerHello
Certificate*ServerKeyExchange*
CertificateRequest*<-------- ServerHelloDone
Certificate*ClientKeyExchangeCertificateVerify*(derive session keys)[ChangeCipherSpec]Finished --------> (derive session keys)
[ChangeCipherSpec]<-------- Finished
Bi-directionauthenticatedencryptionOptionalcompression
HANDS
HAKEPRO
TOCO
LRE
CORD
LAYER DES/3DESCBC
AESCBC/GCM/CCMRC4
RSADSAECDSA
RSADSAECDSA
324TLSciphersuites
TLS_NULL_WITH_NULL_NULLTLS_RSA_WITH_NULL_MD5TLS_RSA_WITH_NULL_SHATLS_RSA_EXPORT_WITH_RC4_40_MD5TLS_RSA_WITH_RC4_128_MD5TLS_RSA_WITH_RC4_128_SHATLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5TLS_RSA_WITH_IDEA_CBC_SHATLS_RSA_EXPORT_WITH_DES40_CBC_SHATLS_RSA_WITH_DES_CBC_SHATLS_RSA_WITH_3DES_EDE_CBC_SHATLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHATLS_DH_DSS_WITH_DES_CBC_SHATLS_DH_DSS_WITH_3DES_EDE_CBC_SHATLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHATLS_DH_RSA_WITH_DES_CBC_SHATLS_DH_RSA_WITH_3DES_EDE_CBC_SHATLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHATLS_DHE_DSS_WITH_DES_CBC_SHATLS_DHE_DSS_WITH_3DES_EDE_CBC_SHATLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHATLS_DHE_RSA_WITH_DES_CBC_SHATLS_DHE_RSA_WITH_3DES_EDE_CBC_SHATLS_DH_anon_EXPORT_WITH_RC4_40_MD5TLS_DH_anon_WITH_RC4_128_MD5TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHATLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHATLS_KRB5_WITH_DES_CBC_SHATLS_KRB5_WITH_3DES_EDE_CBC_SHATLS_KRB5_WITH_RC4_128_SHATLS_KRB5_WITH_IDEA_CBC_SHATLS_KRB5_WITH_DES_CBC_MD5TLS_KRB5_WITH_3DES_EDE_CBC_MD5TLS_KRB5_WITH_RC4_128_MD5TLS_KRB5_WITH_IDEA_CBC_MD5TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHATLS_KRB5_EXPORT_WITH_RC4_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5TLS_KRB5_EXPORT_WITH_RC4_40_MD5TLS_PSK_WITH_NULL_SHA TLS_DHE_PSK_WITH_NULL_SHATLS_RSA_PSK_WITH_NULL_SHATLS_RSA_WITH_AES_128_CBC_SHATLS_DH_DSS_WITH_AES_128_CBC_SHATLS_DH_RSA_WITH_AES_128_CBC_SHATLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHATLS_DH_anon_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_256_CBC_SHATLS_DH_DSS_WITH_AES_256_CBC_SHATLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHATLS_DHE_RSA_WITH_AES_256_CBC_SHATLS_DH_anon_WITH_AES_256_CBC_SHATLS_RSA_WITH_NULL_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS_DH_DSS_WITH_AES_128_CBC_SHA256TLS_DH_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_CAMELLIA_128_CBC_SHATLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHATLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHATLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHATLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHATLS_DH_anon_WITH_CAMELLIA_128_CBC_SHATLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DH_DSS_WITH_AES_256_CBC_SHA256TLS_DH_RSA_WITH_AES_256_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHA256TLS_DH_anon_WITH_AES_128_CBC_SHA256TLS_DH_anon_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_CAMELLIA_256_CBC_SHATLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHATLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHATLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHATLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHATLS_DH_anon_WITH_CAMELLIA_256_CBC_SHATLS_PSK_WITH_RC4_128_SHATLS_PSK_WITH_3DES_EDE_CBC_SHATLS_PSK_WITH_AES_128_CBC_SHATLS_PSK_WITH_AES_256_CBC_SHATLS_DHE_PSK_WITH_RC4_128_SHATLS_DHE_PSK_WITH_3DES_EDE_CBC_SHATLS_DHE_PSK_WITH_AES_128_CBC_SHATLS_DHE_PSK_WITH_AES_256_CBC_SHATLS_RSA_PSK_WITH_RC4_128_SHA TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHATLS_RSA_PSK_WITH_AES_128_CBC_SHATLS_RSA_PSK_WITH_AES_256_CBC_SHATLS_RSA_WITH_SEED_CBC_SHATLS_DH_DSS_WITH_SEED_CBC_SHATLS_DH_RSA_WITH_SEED_CBC_SHATLS_DHE_DSS_WITH_SEED_CBC_SHATLS_DHE_RSA_WITH_SEED_CBC_SHATLS_DH_anon_WITH_SEED_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DH_RSA_WITH_AES_128_GCM_SHA256TLS_DH_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_256_GCM_SHA384TLS_DH_DSS_WITH_AES_128_GCM_SHA256TLS_DH_DSS_WITH_AES_256_GCM_SHA384TLS_DH_anon_WITH_AES_128_GCM_SHA256TLS_DH_anon_WITH_AES_256_GCM_SHA384TLS_PSK_WITH_AES_128_GCM_SHA256TLS_PSK_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_GCM_SHA256TLS_DHE_PSK_WITH_AES_256_GCM_SHA384TLS_RSA_PSK_WITH_AES_128_GCM_SHA256TLS_RSA_PSK_WITH_AES_256_GCM_SHA384TLS_PSK_WITH_AES_128_CBC_SHA256TLS_PSK_WITH_AES_256_CBC_SHA384TLS_PSK_WITH_NULL_SHA256TLS_PSK_WITH_NULL_SHA384TLS_DHE_PSK_WITH_AES_128_CBC_SHA256TLS_DHE_PSK_WITH_AES_256_CBC_SHA384TLS_DHE_PSK_WITH_NULL_SHA256TLS_DHE_PSK_WITH_NULL_SHA384TLS_RSA_PSK_WITH_AES_128_CBC_SHA256TLS_RSA_PSK_WITH_AES_256_CBC_SHA384TLS_RSA_PSK_WITH_NULL_SHA256TLS_RSA_PSK_WITH_NULL_SHA384TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256TLS_EMPTY_RENEGOTIATION_INFO_SCSVTLS_ECDH_ECDSA_WITH_NULL_SHATLS_ECDH_ECDSA_WITH_RC4_128_SHATLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLS_ECDHE_ECDSA_WITH_NULL_SHATLS_ECDHE_ECDSA_WITH_RC4_128_SHATLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHATLS_ECDH_RSA_WITH_NULL_SHATLS_ECDH_RSA_WITH_RC4_128_SHATLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHATLS_ECDH_RSA_WITH_AES_256_CBC_SHATLS_ECDHE_RSA_WITH_NULL_SHATLS_ECDHE_RSA_WITH_RC4_128_SHATLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_RSA_WITH_AES_256_CBC_SHATLS_ECDH_anon_WITH_NULL_SHA TLS_ECDH_anon_WITH_RC4_128_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHATLS_ECDH_anon_WITH_AES_128_CBC_SHATLS_ECDH_anon_WITH_AES_256_CBC_SHATLS_SRP_SHA_WITH_3DES_EDE_CBC_SHATLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHATLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHATLS_SRP_SHA_WITH_AES_128_CBC_SHATLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHATLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHATLS_SRP_SHA_WITH_AES_256_CBC_SHATLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHATLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_PSK_WITH_RC4_128_SHATLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHATLS_ECDHE_PSK_WITH_AES_128_CBC_SHATLS_ECDHE_PSK_WITH_AES_256_CBC_SHATLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384TLS_ECDHE_PSK_WITH_NULL_SHATLS_ECDHE_PSK_WITH_NULL_SHA256TLS_ECDHE_PSK_WITH_NULL_SHA384TLS_RSA_WITH_ARIA_128_CBC_SHA256TLS_RSA_WITH_ARIA_256_CBC_SHA384TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384TLS_DH_anon_WITH_ARIA_128_CBC_SHA256TLS_DH_anon_WITH_ARIA_256_CBC_SHA384TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384TLS_RSA_WITH_ARIA_128_GCM_SHA256TLS_RSA_WITH_ARIA_256_GCM_SHA384TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384TLS_DH_anon_WITH_ARIA_128_GCM_SHA256TLS_DH_anon_WITH_ARIA_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384TLS_PSK_WITH_ARIA_128_CBC_SHA256TLS_PSK_WITH_ARIA_256_CBC_SHA384TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384TLS_PSK_WITH_ARIA_128_GCM_SHA256TLS_PSK_WITH_ARIA_256_GCM_SHA384TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384TLS_RSA_WITH_AES_128_CCMTLS_RSA_WITH_AES_256_CCMTLS_DHE_RSA_WITH_AES_128_CCMTLS_DHE_RSA_WITH_AES_256_CCMTLS_RSA_WITH_AES_128_CCM_8TLS_RSA_WITH_AES_256_CCM_8TLS_DHE_RSA_WITH_AES_128_CCM_8TLS_DHE_RSA_WITH_AES_256_CCM_8TLS_PSK_WITH_AES_128_CCMTLS_PSK_WITH_AES_256_CCMTLS_DHE_PSK_WITH_AES_128_CCMTLS_DHE_PSK_WITH_AES_256_CCMTLS_PSK_WITH_AES_128_CCM_8TLS_PSK_WITH_AES_256_CCM_8TLS_PSK_DHE_WITH_AES_128_CCM_8TLS_PSK_DHE_WITH_AES_256_CCM_8
IsTLSsecure?
WhatshouldTLSdo?• Server-to-client
authentication• Client-to-server
authentication(optional)• Confidentialcommunication
withintegrityprotection
Whatdoesn’tTLSdo?• (Trustedcreationof
certificates)• Password-based
authentication• Stopdenialofservice
attacks• Preventwebapplication
vulnerabilities
ComponentsofTLS
Cryptoprimitives
•RSA,DSA,ECDSA•Diffie–Hellman,ECDH
•HMAC•MD5,SHA1,SHA-2
•DES,3DES,RC4,AES
Ciphersuitedetails
•Datastructures•Keyderivation•Encryptionmodes,IVs
•Padding
Advancedfunctionality
•Alerts&errors•Certification/revocation
•Negotiation•Renegotiation•Sessionresumption
•Keyreuse•Compression
Libraries
•OpenSSL•GnuTLS•SChannel•JavaJSSE
Applications
•Webbrowsers:Chrome,Firefox,IE,Safari
•Webservers:Apache,IIS,…
•ApplicationSDKs•Certificates
Real-worldattacksonTLS
Cryptoprimitives
•RSA,DSA,ECDSA•Diffie–Hellman,ECDH
•HMAC•MD5,SHA1,SHA-2
•DES,3DES,RC4,AES
•
Ciphersuitedetails
•Datastructures•Keyderivation•Encryptionmodes,IVs
•Padding
Advancedfunctionality
•Alerts&errors•Certification/revocation
•Negotiation•Renegotiation•Sessionresumption
•Keyreuse•Compression
Libraries
•OpenSSL•GnuTLS•SChannel•JavaJSSE
Applications
•Webbrowsers:Chrome,Firefox,IE,Safari
•Webservers:Apache,IIS,…
•ApplicationSDKs•Certificates
Heartbleed
DebianOpenSSL
entropybugBleichenbacherRSAPKCSv1
Lucky13
Rizzo&Duong“CRIME”attack
goto fail;
Esotericfeatures– compression• TLSsupportsoptional
compression• Messagebrokenupintochunks,
eachchunkcompressedthenencrypted
• Sizeofciphertext=>amountofcompression=>leaksplaintextinfo
• “CRIME”attack,Sept.2012• Fix:disablecompression
https://www.trustworthyinternet.org/ssl-pulse/June1,2016
(Perfect)Forwardsecrecy
• Anadversarywholaterlearnstheserver'slong-termprivatekeyshouldn'tbeabletoreadprevioustransmissions
• RSAkeytransport:noPFS
• signedDiffie–Hellman:PFS https://www.trustworthyinternet.org/ssl-pulse/September4,2014
(Perfect)Forwardsecrecy
• Anadversarywholaterlearnstheserver'slong-termprivatekeyshouldn'tbeabletoreadprevioustransmissions
• RSAkeytransport:noPFS
• signedDiffie–Hellman:PFS https://www.trustworthyinternet.org/ssl-pulse/July2,2017
Certificateauthoritybreachesanderrors
• DigiNotar inJul.2011– securitybreach,malicious
certificatesformanydomainsissued
– wentoutofbusiness• TURKTRUST inAug.2011
– issuedintermediateCAwithwildcardsigningcapabilities
– laterusedforman-in-the-middleproxyfiltering/scanning
– noevidenceforuseinattack– detectedonlyinJan2013
• Digicert Malaysia inNov.2011– 22certificateswithweakprivate
keysormissingrevocationdetailsissued
• KPN/Getronics inNov.2011– suspendedCAbusinessafter
detectinginfectiononitswebservernoevidenceofcertificatemalfeasance
• Webbrowserstrust650+certificateauthoritieswhichcanissuecertificatesforanydomainontheInternet
• Extendedvalidationcertificates don’tsolvetheproblem
Cryptographicattacks
• Manyweaknessesfoundinrecordlayersymmetricencryptionalgorithms.
• Usuallyrequirelargeamountofdatatosucceed.• Noturgenttofix,butcryptographicattacksonlygetbetter,neverworse.
• Canbeconfusingasknowledgeevolves:– BEASTattack2011=>AES-CBCmodeinsecure,useRC4
– Patersonetal.attack2013=>RC4insecure,usefixedAES-CBC
TLSv1.3:TheNextGeneration
• CurrentlyunderdevelopmentattheIETF
• Primarygoals:– removeciphersuites withoutforwardsecrecy– removeobsolete/deprecatedalgorithms– providelow-latencymodewithfewerroundtrips– encryptmoreofthehandshaketoimproveprivacy
OTHERPROTOCOLSSSH,IPsec,Kerberos
SSH(SecureShell)protocol• SSHusedforsecure
remoteaccess(liketelnet,butsecure)
• Providespublickeyauthenticationofserversandclientsandencryptedcommunication
• SpecifiedinRFCsbytheIETF
UseofSSH
• Primarilyusedasanapplicationitself(remotelogin)
• Occasionallyusedasa“poorman’sVPN”
Layer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
SSHsecurityservices• MessageConfidentiality.
– Protectsagainstunauthorised datadisclosure.– Accomplishedbytheuseofencryptionmechanisms.
• MessageIntegrity.– SSHcandetermineifdatahasbeenchanged(intentionallyorunintentionally)
duringtransit.– Integrityofdatacanbeassuredbyusingamessageauthenticationcode
(MAC).• MessageReplayProtection.
– Thesamedataisnotdeliveredmultipletimes.• PeerAuthentication.
– Servertoclientauthenticationbasedonpublickeys– Clienttoserverauthenticationbasedonpasswordsorpublickeys– Ensuresthatnetworktrafficisbeingsentfromtheexpectedparty.
ClientauthenticationinSSH• SSH (SecureShell)isoftenusedforremotecommand-lineaccessin
UnixandMacOSX.• Itsupportspublickeyauthentication.
– Asecurity-consciousSSHinstallationwouldsupportonly publickeyauthenticationanddisablepassword-basedauthentication.
• Eachaccountcanhavemultipleassociatedpublickeys.– Multipleuserscanlogintoasingleaccountwithouthavingtobetold
thepasswordforthataccount.Easytorevokeoneuser’saccesstothataccount.
– Oneusercouldhaveadifferentkeyfromeachlocalcomputer(laptop,desktop,...);ifoneoflocalcomputerislost/compromised,easytorevokeitsaccess.
• Userscanassociatethesamekeywithmultipleaccounts.– Yieldsaformofsinglesign-on.– Userscanprotecttheirprivatekeyusingapassword.
IPsec (InternetProtocolSecurity)
• ProvidesconfidentialityandauthenticationforInternetcommunications
• WorksattheIPlayeroftheprotocolstack– TLSworksathigherlevels,
soapplicationshavetobedesignedtouseTLS
– IPsec canbeusedtransparentlywithanyapplication
• OftenusedforVirtualPrivateNetworks(VPNs)
Layer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
IPsec:CommonArchitecturesGateway-to-gateway
Source: NIST Special Publication 800-77
IPsec:CommonArchitecturesHost-to-gateway
Source: NIST Special Publication 800-77
Singlesign-on
• Singlesign-onprotocols allowausertouseacredentialfromoneidentityproviderwithmanyrelyingparties.
• Theuser’sauthenticationtotheidentityprovidercanbebasedonanyform(s)ofauthentication:password,publickey,biometric.
• Theidentityprovidergivesanassertiontotherelyingparty statingwhotheuseris.
Kerberos• Protocolforcryptographic
authenticationofusersandservicesondistributedsystems
• Authenticationbasedonknowledgeofsharedsecrets
• Usessymmetricauthentication• Reliesonatrustedthirdparty
tomediateauthenticationbetweenparties
• DevelopedbyMITinthe1980sand1990s
• Kerberosversion5publishedin1993
• KerberosusedasdefaultauthenticationmethodinWindows2000andlateraspartofActiveDirectoryservices
• MostUNIX-basedoperatingsystems(Linux,Solaris,MacOSX,FreeBSD)supportKerberosauthetication ofusersandservices
• Kerberosalsosupportspublickey(asymmetric)authentication
WIREDEQUIVALENTPRIVACY(WEP)
WiredEquivalentPrivacy(WEP)
• Goal: provideloginauthentication,messageauthentication/integrity,andmessageconfidentialityfor802.11wirelessnetworks– standardizedin1999– usesRC4forencryption– usesCRC-32checksumforintegrity– usespre-establishedsharedkeys
IETFInternetProtocolsuiteLayer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
WiFi Security
Internet
Encrypted:(
Unencrypted:)Unencrypted:)
WEPEncryption
• 64-bitWEPusesa24-bitIVanda40-bitkey
• 128-bitWEPusesa24-bitIVanda104-bitkey
• AppendCRC-32(m)tomessagebeforeencrypting
WEPLoginAuthenticationToauthenticatetoa802.11networkusingWEPsharedkeyauthentication:• Accesspointsends128-bit
challengeinplaintext• ClientpicksanIV,usesIV,K
toencryptchallenge(withRC4)
• Serverdecryptschallengeandcompares
Isthissecure?• Attackerseeschallenge
plaintext,ciphertext• Ciphertext =XORof
keystream andmessage,checksum
• Attackercanderivekeystream fromciphertextandplaintextchallenge
• Attackercanusekeystreamtoencryptanotherchallengeandgainaccess
WirelessSecurity
WEP• Loginauthentication:completely
insecure;attackercanimpersonateafterseeingasinglepacket
• Messageauthentication/integrity:completelyinsecure;attackercanundetectablymodifyanypacketwith100%successrate
• Messageconfidentiality:completelyinsecure;attackercanrecoversecretkeywithhighprobabilityinjustaminuteusingreadilyavailabletools
• In2007,USretailerTJMaxxhad45millioncustomercreditcardsstolenbecausetheirwirelessnetworkwassecuredusingWEP
• WEPprohibitedforuseincreditcardprocessing(PCI-DSS)afterJune2010.
Wi-FiProtectedAccess• Wi-FiProtectedAccess
(WPA,WPA2)standardizedin2003
• WPAmostlystillsecure,aslongasstrongpasswordsareused
• Wi-FiProtectedSetup8-digitPINsbrute-forcedinafewhours
IETFInternetProtocolsuiteLayer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
TLS
Casestudy:InjectingadsinWi-FihotspotAT&TprovidesfreeWi-Fihotspotsinairports.
Inadditiontomakingusersviewadswhentheyfirstconnectedtothehotspot,AT&TwasalsomodifyingHTTPresponsesfromwebserverstoincludetheirownadsonpages.
http://arstechnica.com/business/2015/08/atts-free-wi-fi-hotspot-injects-extra-ads-on-non-att-websites/
Casestudy:InjectingadsinWi-Fihotspot
Internet
GEThttp://www.stanford.edu/
Casestudy:InjectingadsinWi-Fihotspot
• Link-layersecuritywouldnot protectagainstthisattack– WEP/WPA
• Internet-layer,transport-layer,andapplication-layerwouldprotectagainstthisattack– IPsec:UseaVPNtoatrusted
gateway.– TLS:Encryption/integrityprotection
forwebpageconnections.– SSH:Encryption/integrityprotection
forremotelogin.
Layer Examples
Applicationweb (HTTP,HTTPS)email(SMTP,POP3,IMAP)login(SSH,Telnet)
Transport connection-oriented(TCP)connectionless(UDP)
Internet
addressing androuting:• IPv4,IPv6control(ICMP)security (IPsec)
Link
packetframing(Ethernet)physical connection• WLAN(WEP,WPA)• ADSL• GSM/3G
TLS
PracticalsX.509CertificatesandSecureEmail• UsingtheXCAcertificate
authoritysoftware:– Setupacertificateauthority– Generateaprivatekeyand
certificaterequestforauser– Issueacertificatetotheuser
• Importthecertificateintoanemailclientandsendasignedemail
TLS• Usingyourwebbrowser,
inspectthecertificateusedinasecureconnectionwithawebsite
• UsingtheWireshark packetsniffingsoftware,inspectaTLSconnectiontoseetheprotocolmessagessent
Practicals availableathttps://www.douglas.stebila.ca/teaching/cryptoworks21