Secure Communication over Untrusted Networks
Jan Vossaert
Overview
• Introduction
• Secure communication basics
• Secure communication technologies
o Transport layer security
o Virtual private network
• Seminar in September
• Concluding remarks
Introduction
• Desired security properties:
o Confidentiality
o Authenticity
(figure: bit stream on the wire, with a passive attacker and an active attacker)
Introduction
(figure labels: untrusted network, Internet)
• Message confidentiality
• Message authentication
Introduction
• Remote access to local network
(figure labels: remote monitoring, remote servicing, Internet)
Introduction
• Access to devices on remote sites
(figure label: Internet)
Secure communication basics
• Secure channel between both parties
o Symmetric cryptography
• Algorithm: AES, 3DES, Camellia, IDEA
• Key lengths: 128-256
• Mode:
• Confidentiality: CBC, OFB, CFB, CTR, XTS
• Confidentiality & authenticity: CBC-MAC, GCM, OCB,…
(figure: bit stream on the wire, annotated: Confidentiality? Authenticity? Relies on hash functions (MD5, SHA1))
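Why the slide asks "Authenticity?" next to the confidentiality-only modes: an added example (not from the deck) in which a CTR-style stream cipher is stood in for by a SHA-256 keystream so it runs offline. Without a MAC, an active attacker on the untrusted network can change the decrypted amount without the key; with encrypt-then-MAC (HMAC-SHA256) the same change is rejected. The message, keys and nonce are constructed here.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream derived with SHA-256 from (key, nonce, counter).
    # Stands in for a real block cipher in CTR mode so the example runs offline;
    # real systems use AES-CTR or, better, an AEAD mode such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Confidentiality only: ciphertext = plaintext XOR keystream. XOR is its own
    # inverse, so the same function also decrypts.
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Confidentiality and authenticity: HMAC-SHA256 over nonce || ciphertext is appended.
    ct = encrypt_only(enc_key, nonce, data)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    # Check the tag first; return None (reject) if the ciphertext was altered in transit.
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(enc_key, nonce, ct)

def tamper(msg: bytes, index: int, mask: int) -> bytes:
    # Models the active attacker from the slide: one ciphertext byte is XORed
    # in transit, without any knowledge of the key.
    return msg[:index] + bytes([msg[index] ^ mask]) + msg[index + 1:]

def demo():
    # Constructed message; keys and nonce are random per run.
    enc_key, mac_key, nonce = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    msg = b"PAY 0100 EUR TO B"
    mask = ord("0") ^ ord("9")  # XORing this into byte 4 turns the '0' into a '9'
    # Confidentiality only: the modified ciphertext decrypts to a modified amount, undetected.
    unprotected = encrypt_only(enc_key, nonce, tamper(encrypt_only(enc_key, nonce, msg), 4, mask))
    # Encrypt-then-MAC: the same modification fails verification and is rejected (None).
    protected = decrypt_then_verify(enc_key, mac_key, nonce,
                                    tamper(encrypt_then_mac(enc_key, mac_key, nonce, msg), 4, mask))
    return unprotected, protected
```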
Secure communication basics
• Secure channel between both parties
o Symmetric cryptography
o Session key?
Secure communication basics
• Session key establishment
o Goal:
• Set up a shared secret in a dynamic on-demand manner
o Properties:
• Both parties learn the value of the session key
• No other parties should know the value of the session key
• Unilateral or mutual authentication
• Both parties are ensured the key is freshly generated
Secure communication basics
• Session key establishment
o Types
• Pre-shared keys (PSK)
• Public-key infrastructure (PKI)
Secure communication basics
• Session key establishment
o Pre-shared keys (PSK)
“is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.”
(figure labels: public info)
Secure communication basics
• Session key establishment
o Pre-shared keys (PSK)
• required to generate
• Both parties know the identity of the other party who holds
“is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.”
Scalability?
Secure communication basics
• Session key establishment
o Pre-shared keys (PSK)
o Public-key infrastructure (PKI) It’s . I vouch for it.
“is a system to bind public keys with respective user identities by means of a certificate (e.g. X.509 certificate).”
(figure labels: public key, private key)
Secure communication basics
• Session key establishment
o Pre-shared keys (PSK)
o Public-key infrastructure (PKI)
• can only be generated if possession of either or
• Identities of the owners of and is certified in
• Unilateral authentication also possible
“is a system to bind public keys with respective user identities by means of a certificate (e.g. X.509 certificate).”
Secure communication basics
• Summary:
o Symmetric cryptography to protect confidentiality & authenticity of data
o (Authenticated) key establishment protocols for session key
• Pre-shared key: for devices that have a long-term association
• Public-key infrastructure: for devices that need to communicate with a large set of devices
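The session-key properties listed on slide 12, carried through for the pre-shared-key case: an added example (not from the deck) of a PSK-authenticated Diffie-Hellman exchange. Both parties derive the same key, a party that does not hold the PSK is rejected, and the nonces make every session key fresh. The group (the Mersenne prime 2^127 - 1, generator 3), the message layout and the role labels are this example's own choices, far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2^127 - 1 with generator 3. Chosen so the
# example runs instantly; a deployment uses a standardized group (RFC 3526) or ECDH.
P = (1 << 127) - 1
G = 3

def dh_keypair():
    # Fresh private exponent per run, so every session gets a new shared value (freshness).
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def auth_tag(psk: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes, pub_a: int, pub_b: int) -> bytes:
    # HMAC under the pre-shared key over the whole transcript. Only a holder of the PSK can
    # produce it, which is how each party learns who it is talking to. The role label stops
    # a tag from being reflected back to the party that produced it.
    transcript = role + nonce_a + nonce_b + pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    return hmac.new(psk, transcript, hashlib.sha256).digest()

def derive_session_key(shared: int, nonce_a: bytes, nonce_b: bytes) -> bytes:
    # Session key bound to both nonces: a replayed transcript cannot yield the same key.
    return hashlib.sha256(b"session-key" + shared.to_bytes(16, "big") + nonce_a + nonce_b).digest()

def run_handshake(psk_a: bytes, psk_b: bytes):
    """Runs the exchange between A (holding psk_a) and B (holding psk_b).
    Returns (key_a, key_b, a_accepts_b, b_accepts_a)."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    # Message 1, A -> B: nonce_a, pub_a.   Message 2, B -> A: nonce_b, pub_b, tag_b.
    tag_b = auth_tag(psk_b, b"B", nonce_a, nonce_b, pub_a, pub_b)
    a_accepts = hmac.compare_digest(tag_b, auth_tag(psk_a, b"B", nonce_a, nonce_b, pub_a, pub_b))
    # Message 3, A -> B: tag_a.
    tag_a = auth_tag(psk_a, b"A", nonce_a, nonce_b, pub_a, pub_b)
    b_accepts = hmac.compare_digest(tag_a, auth_tag(psk_b, b"A", nonce_a, nonce_b, pub_a, pub_b))
    # Each side combines its own private exponent with the peer's public value; a passive
    # attacker sees only pub_a, pub_b and the nonces, which do not reveal the shared value.
    key_a = derive_session_key(pow(pub_b, priv_a, P), nonce_a, nonce_b)
    key_b = derive_session_key(pow(pub_a, priv_b, P), nonce_a, nonce_b)
    return key_a, key_b, a_accepts, b_accepts
```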
Secure communication technologies
• System level
o Why rely on security at application level?
o Securing legacy applications in new environments
o No distinction between traffic types
• Application-aware
o More control by application
o Feedback to user
Transport Layer Security (TLS)
• One of the most widely deployed security protocols
• History
o Netscape developed SSL protocol
o SSL 3.0 published in 1996
• No longer secure!
o IETF standardization based on SSL 3.0 (RFC 5246)
• TLS 1.0 (1999)
• TLS 1.2 (2008)
• TLS 1.3 (TBD)
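What "SSL 3.0 is no longer secure" means for a client configuration, as an added example (not from the deck) using Python's standard ssl module: a hardened client context next to the weak kind still found in maintenance scripts, and a small audit function that reports which of the three checks a context fails. The function names are this example's own.

```python
import ssl

def hardened_client_context() -> ssl.SSLContext:
    # Refuses SSL 3.0, TLS 1.0 and TLS 1.1, and authenticates the server (certificate
    # chain plus hostname) during the handshake, before any application data flows.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # platform trust store
    return ctx

def legacy_client_context() -> ssl.SSLContext:
    # The weak counterpart: any protocol version the library still supports, and no
    # server authentication at all, so the secure exchange phase protects nothing.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    # Returns the weaknesses found; an empty list means the context passes all three checks.
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts protocol versions below TLS 1.2 (SSL 3.0 is no longer secure)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required: no server authentication in the handshake")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate issued for any host would be accepted")
    return findings
```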
Transport Layer Security (TLS)
• Intermediate layer between Transport and Application Layer
• Two phases:
o Handshake
• Client and/or server authentication
• Establish cryptographic keys and parameters
o Secure exchange of information
Transport Layer Security (TLS)
• Use in industrial network equipment
o Secure management of network devices
• Remote configuration (often via HTTPS - example)
• User authentication over secure session
• Secure transfer of software/firmware updates
o Secure network communication in dedicated applications
Virtual private network
• A Virtual Private Network (VPN) extends a private network across a public network (e.g. the Internet)
• The client can access resources as if it were directly connected to the private network
o Traffic from the device is routed over a secure connection
o Network-level component (i.e. no application support required)
Virtual private network
• Different setups:
o Gateway-to-gateway
• Secure branch office connectivity over the Internet
o Host-to-gateway
• Secure remote access to intranet services
Virtual private network
• IPsec vs OpenVPN:

| | IPsec | OpenVPN |
|---|---|---|
| origin | RFC standardization | Open source initiative (GPL), based on SSL/TLS |
| ports | Fixed ports: UDP 500 (key exchange), UDP 50 (encrypted data), UDP 1701 (initial configuration), UDP 4500 (NAT traversal) | Configurable ports: UDP or TCP; TCP:443 to bypass restrictive firewalls |
| compatibility | Uncertain | Usually good |
| encryption | Standardized IPsec protocol | OpenSSL |
Virtual private network
• Use in industrial network equipment
o Remote servicing/monitoring of equipment
o Connecting remote sites in a secure network
o Teleworking
Seminar in September
• Basic security concepts & algorithms
• Public-key infrastructure
o Self-signed certificates vs commercial CAs
o Certificate pinning/trust stores
o Establishment & management of PKI
o Revocation
Seminar in September
• Hands-on experience: secure communication technologies in industrial networking devices
o Different approaches from different vendors
• Cloud-based vs end-to-end security
• Only compatible with devices from same vendor?
• Vendor certificates or own PKI infrastructure?
o Configuration
• Encapsulating Security Payload (ESP) vs Authentication Header (AH)
• Tunnel mode vs transport mode
• Cryptographic parameters
Concluding remarks
• Certificates mainly for device authentication
• Secure session authentication often complemented with application-level authentication for access control
o Username/password
o Authentication server
o Hardware tokens
Questions?