Week 10, Lecture 1 NWEN 304 Advanced Network Applications Jyoti Sahni [email protected]



Upcoming Evaluations - I

• Group Project Progress Presentation

• Thursday 30 September (11 a.m. to 1:00 p.m.) and Friday 01 October 2021 (11:00 a.m. to 01:00 p.m.)

• CO 246

• Schedule uploaded on the course wiki.

• Email by September 27 if your team wishes to present remotely over Zoom

• What are you supposed to present

• What are you building

• Identified modules to work on

• Division of work among the team members

• Progress made so far

Upcoming Evaluations - II

Term Test – II

• When : Wednesday, October 6 2021

• 4:10 p.m. to 5:10 p.m.

• Where : HULT220

• Syllabus: Everything covered after Mid-term break

• I do not have a sample test paper

• I will list the topics and what all you need to know in those topics in the course wiki by September 22, 2021


Security – Under the hood


Threats on the Web


Security – Key Components

• Confidentiality: protect information from unauthorized access and misuse.

• How is confidentiality maintained:

  • Authorized access: Verify identity of the user before granting access

  • What if communication channel / server gets compromised? Data sent / stored in encrypted form

    • Data at rest: Cryptographic functions

    • Data in transit: Secure channel (TLS - HTTPS)

Security – Key Components

• Integrity is the characteristic that alterations to a system’s assets can be made only in an authorized way.

• We trust the data if we trust:

• its origin (how/from whom was it obtained?)

• how it was protected before it arrived at our machine

• how it was protected in transit to our machine

• how it is protected on our machine


Recap: One way Hash functions - Message Digests

• Are a primary way of establishing integrity

• Message digest (hash)

  • Given message P it is easy to compute MD(P)

  • Given a message digest x, it is infeasible to find a message P such that MD(P) = x

  • It is infeasible to find two messages, P1 and P2, such that MD(P1) = MD(P2)

• Often involves use of Salt

Recap: Message Authentication using One Way Hash functions


How is Integrity Maintained

• Message Hashes and

• Digital Signatures are

• Used to establish Data and Origin Integrity

• Where are the public keys posted and how do we verify the owner of the key ?

• We use Certification Authorities to validate the public key mapping to an entity/identity

Availability

The owner of the website can be attacked as well.

• Some websites have been defaced; the files that make up the website content have been remotely accessed and modified without authorization.

Websites have also been subject to Denial of Service (DoS) attacks, during which would-be customers are unable to access the website because it is being overwhelmed by bogus requests.

A loss of availability is the disruption of access to or use of information or an information system

Recap: Foundations: Internet Protocol Suite

Figure: OSI layers mapped to TCP/IP layers and TCP/IP protocols

• OSI Application, Presentation and Session Layers → TCP/IP Application Layer: HTTP, FTP, TELNET, SMTP, DNS

• OSI Transport Layer → TCP/IP Transport Layer: TCP, UDP

• OSI Network Layer → TCP/IP Internet Layer: IP

• OSI Data Link and Physical Layers → TCP/IP Network Interface Layer: Ethernet, Token Ring, ATM

Recap: Foundations: Internet Protocol Suite

Figure: Host A and Host B each run the Application, Transport, Internet and Network Interface Layers; the Router between them runs only the Internet and Network Interface Layers.

• Communication goes down to physical network

• Then from network peer to peer

• Then up to relevant layer

How is availability Maintained

• DoS attacks are segregated by which layer of the Open Systems Interconnection (OSI) model they attack.

• They are most common at:

• Network (layer 3)

• Transport (Layer 4)

• Presentation (Layer 6) and

• Application (Layer 7) Layers.

• Protection: Firewalls, Replication (not always preventable)

• Recent DoS attack in NZ: https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/: Used HTTP pipelining


Integrity case study: Certificates


Example: Certifying a Public Key

• Certification authorities issue certificates and bind the key owner's identity to the key.

Figure: Bob's public key $K_B^+$ and information about Bob's identity (name, address etc.) go to the CA, which uses the CA private key $K_{CA}^-$ to add a digital signature to the certificate. The result is a certificate, containing Bob's public key $K_B^+$, signed with the certification authority’s key.

Certificate Essentials

• At its minimum, a certificate assigned to a user consists of the user’s public key, the identifier of the key owner, a time stamp (in the form of a period of validity), etc.

• The whole block is encoded with the CA’s private key, and is referred to as the CA having signed the certificate.

• A certificate issued to party A is essentially:

$C_A = E(K_{CA}^{-}, [T, ID_A, K_A^{+}])$

Certificate verification

• When A presents his/her certificate to party B,

• B can verify the legitimacy of the certificate by decrypting it with the CA’s public key.

• Successful decryption authenticates both the certificate supplied by A and A’s public key.

• X.509 Standard defines the format of public key certificates

Single Point of Failure

• Subverting the certification authority breaks the scheme, and Malice can now claim to be Bob

Figure: a certificate holding information about Bob's identity (name, address etc.) and Malice's public key $K_M^+$ is verified with the CA public key $K_{CA}^+$. Outcome: "Yes – valid, can use Malice’s public key to communicate with Bob".

Threshold Cryptography

• Instead of sharing the keys, we want to allow encryption or decryption by a group.

• (t, n)-threshold cryptography configuration

• n members

• no less than t members must cooperate, can tolerate up to n-t traitors

• Widely used in financial networks, Hardware security modules (e.g. Amazon Cloud HSM)

Solution: Distribute the Private Key

• Create key shares such that t shares are required for successful encryption and decryption.

• Distribute to multiple certificate authorities controlled by different people.

Figure: the CA's private key $K_{CA}^-$ goes through "Create RSA shares", producing Share 1, Share 2 and Share 3 of the CA's private key: $SK_{1,CA}^-$, $SK_{2,CA}^-$ and $SK_{3,CA}^-$.

Solution: Normal Operation

• Each certification authority computes a partial digital signature using their key share.

• Bob combines the shares together to generate a complete digital signature. Need at least t shares to create a valid signature.

Figure: Bob’s public key $K_B^+$ is given to the holders of $SK_{1,CA}^-$ and $SK_{3,CA}^-$; each creates a partial digital signature, and the shares are combined together into a certificate signed with the certification authority’s key.

Solution: Preventing Subversion

• Malice wants to substitute Bob’s public key for her own.

• Malice subverts one certification authority, however, fewer than t valid shares means the generated signature is invalid and will fail when verification takes place.

Figure: Malice’s public key $K_M^+$, the single share $SK_{2,CA}^-$, and the "Combine shares together" step.

Sharing Secrets

• All the secrets we have looked at involve 2-parties:

  • Sam and Alice share a key (secret) and are able to communicate.

  • Alice can read everything written using the secret, and

  • Bob can read everything written using the secret.

• Consider instead a different scenario:

  • Imagine a vault that can only be opened using a secret code.

  • Our bank has n managers who need to be able to open the vault.

  • IDEA: give the secret code (S) to all n managers.

  • RESULT: this is dangerous, as the security of the vault may be vulnerable if any one of the managers is compromised.

  • This is a 1 out-of n scheme (1:n).

• The general problem is called secret sharing.

Secret Sharing (n:n)

• All managers are required to open the vault.

• IDEA: give S1 to manager1, S2 to the manager2, etc.

secret (S): $S = S_1 \oplus S_2 \oplus \cdots \oplus S_n$

• the vault cannot be opened when fewer than n managers are present.

• Principle of separation of duties.

• RESULT: this is overly restrictive, e.g., if one of the managers is not available, then the vault cannot be opened.


Secret Sharing (2:n)

• We want a scheme such that any two of the n managers can open the vault, but any one manager cannot open the vault by himself.

• IDEA: we can use a line:

f(x) = mx + s

• The principle is to use the y-intercept as our secret (S).

• We calculate a point (or key share) for each manager: $\text{manager}_i = f(i)$.

Solving for Y (S)

Figure: two plots with x from 0 to 2 and y from 0 to 14. The first shows only the share of manager 1; the second ("But if we know 2 points…") shows the shares of manager 1 and manager 2 and the y-intercept S.

RESULT: if we only know one point, then we learn nothing as there are an infinite number of possible solutions for S.

RESULT: if we know 2 points, then we can completely solve for the y-intercept and therefore S.


Secret Sharing (m:n)

• We want a scheme such that any m of n bank managers can open the vault, but any collection of managers fewer than m cannot, e.g., 3 from 5 managers: 2 cannot open it, but 3 can.

• IDEA: (Shamir) we can use a polynomial of the form:

$f(x) = c_{m-1}x^{m-1} + \dots + c_2x^2 + c_1x + S$

• Shamir’s algorithm is based on the fact that a polynomial of degree m-1 can be uniquely identified by m points:

• A line $f(x) = mx + s$ (degree 1) can be identified by 2 points.

• A parabola $f(x) = c_2x^2 + c_1x + s$ (degree 2) can be identified by 3 points.

• $f(x) = c_3x^3 + c_2x^2 + c_1x + s$ (degree 3) can be identified by 4 points.

Secret Sharing (m:n)

• Here you can see the degree 2 parabola has infinite solutions when only 2 points are defined.

• With 3 points the curve is uniquely identified, and we can now work backwards to reconstruct the polynomial equation.


Secret Sharing (m:n)

The details…

• We construct a polynomial f(x) of degree m-1 using m-1 random coefficients and the secret S as the constant.

• We then pick n random x values and solve the polynomial creating n points (or key shares) of the form $(x_i, y_i)$ for the managers.

Secret Sharing (m:n)

• To retrieve the value S, we need to know at least m of the n shares (in any combination, say 3 of 5) and,

• We reconstruct the coefficients for the equation using Lagrange interpolation (see http://en.wikipedia.org/wiki/Lagrange_polynomial).
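The m:n scheme above as a runnable sketch, added here and not part of the original slides: it builds f(x) with the secret as the constant term, hands out points on the curve, and recovers S by Lagrange interpolation at x = 0. Assumptions: arithmetic is done modulo the prime 2^127 - 1 (the slides plot over ordinary numbers), manager i receives (i, f(i)) instead of a random x, and the function names are illustrative.

```python
import secrets

# Assumption: all arithmetic is modulo a public prime P, so that fewer than
# m shares give no information about S. The slides plot over ordinary numbers.
P = 2**127 - 1

def split_secret(secret, m, n):
    """Return n shares (x, f(x)); any m of them recover the secret."""
    if not (1 <= m <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    # f(x) = c_{m-1} x^{m-1} + ... + c_1 x + S with m-1 random coefficients
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = (y * x + c) % P
        return y

    # Assumption: manager i gets the point (i, f(i)); x = 0 is never issued
    # because f(0) is the secret itself.
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation evaluated at x = 0, which yields f(0) = S."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = (num * -xk) % P
                den = (den * (xj - xk)) % P
        # yj * prod(-xk) / prod(xj - xk), division done as a modular inverse
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    vault_code = 304304  # constructed sample secret
    shares = split_secret(vault_code, m=3, n=5)  # 3 of 5 managers
    print(recover_secret(shares[:3]))            # any 3 shares: the vault code
    print(recover_secret([shares[4], shares[1], shares[3]]))
    print(recover_secret(shares[:2]))            # 2 shares: an unrelated value
```

Interpolating with fewer than m shares does not raise an error; it simply returns a value unrelated to S, which is why the scheme by itself cannot tell a short quorum from a valid one.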


Web Traffic Security


Web Traffic Security Approaches

• HTTP is an insecure protocol since data in an HTTP protocol is encoded in plain text format.

• Any man-in-the-middle can listen to TCP communication and read your personal data transmitted over the web.

Figure: Relative location of security facilities in the TCP/IP protocol stack

* TLS has 2 possible implementations.

1. For full generality, SSL can be provided as part of underlying protocol suite (transparent to the user).

2. Or SSL can be embedded in specific packages. Virtually all browsers come equipped with TLS, and most web servers implement the protocol.

Transport Layer Security (TLS)

• Probably the Internet’s most important security protocol.

• Originally designed by Netscape for Web transactions

• Back then, called Secure Sockets Layer

• But used for just about everything you can think of:

  • HTTP

  • VPNs

  • E-mail

  • Voice/video

  • IoT

• Now maintained by the IETF

• The role of the TLS layer is to establish a secure connection with the server using a TLS handshake (after the TCP handshake) and encrypt the HTTP data using some encryption algorithms negotiated with the server.

SSL and TLS

• Netscape’s original SSL protocols:

  • 1.0 (not published due to flaws)

  • 2.0 (first official release) introduced in 1995, deprecated in 2011

  • 3.0 introduced in 1996, deprecated in 2015

• TLS built on SSL version 3.0 w/limited downgrade compatibility.

  • 1.0 introduced in 1999, deprecated in March 2020

  • 1.1 introduced in 2006, deprecated in March 2020

  • 1.2 introduced in 2008

  • 1.3 introduced in 2018

Intent: Ensure a Secure channel

• SSL/TLS provides the following services over TCP layer :

1. Crypto negotiation: Negotiate encryption and hash methods

2. Key Exchange: Secret key exchange using public key certificates

3. Confidentiality: Encryption using secret key

4. Integrity: Message authentication using a keyed hash


TLS Protocol Architecture

2 layers of protocol

• Handshake protocol: mutually authenticate and negotiate crypto parameters for a “SSL session”

• Change Cipher Spec Protocol: Implement negotiated crypto parameters

• Alert protocol: To convey problems

• Record Protocol: apply encryption and MAC for message exchange

Simplified view of TLS


FYI: What’s in a Cipher Suite?

• Key Exchange (RSA, DHE, ECDHE, PSK, ...)

• Authentication (RSA, DSS, ECDSA, ...)

• Encryption (AES, Camellia, ...)

• MAC (MD5, SHA1, SHA256, ...)

• Basically the choice of encryption technologies that will be used.

• Client offers, Server chooses.


TLS Handshake Protocol

• Allows peers to authenticate each other.

• Negotiate an encryption and MAC algorithm.

• Exchange cryptographic keys.


TLS Handshake Protocol

Example: Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA

Server will use the RSA algorithm to encrypt the shared secret key of bulk data encryption. The bulk encryption algorithm used by both the client and the server is AES 256 bit (in CBC mode).
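The four parts of a cipher suite listed on the earlier slide can be read straight out of the suite name. The parser below is an added example, not from the original slides; it handles names of the form TLS_<key exchange>[_<authentication>]_WITH_<cipher>_<hash> plus the shorter TLS 1.3 form, and the function name and review notes are illustrative assumptions.

```python
KNOWN_KX = {"RSA", "DHE", "ECDHE", "DH", "ECDH", "PSK"}

def parse_cipher_suite(name):
    """Split a TLS cipher suite name into the parts named on the slide."""
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name: " + name)
    body = name[4:]
    if "_WITH_" in body:
        # TLS 1.2 and earlier: <key exchange>[_<authentication>]_WITH_<cipher>_<hash>
        left, right = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        if kx not in KNOWN_KX:
            raise ValueError("unrecognised key exchange: " + kx)
        auth = auth or kx  # TLS_RSA_...: RSA fills both roles
    else:
        # TLS 1.3 names carry only <cipher>_<hash>; the rest is negotiated separately
        right, kx, auth = body, None, None
    cipher, _, digest = right.rpartition("_")
    if not cipher:
        raise ValueError("missing cipher or hash in: " + name)
    aead = any(tag in cipher for tag in ("GCM", "CCM", "POLY1305"))
    notes = []  # points a reviewer of a server configuration would check
    if kx == "RSA":
        notes.append("static RSA key exchange: no forward secrecy")
    if "CBC" in cipher:
        notes.append("CBC mode with a separate HMAC, not an AEAD cipher")
    if digest == "SHA":
        notes.append("SHA here means SHA-1")
    if digest == "MD5":
        notes.append("MD5-based MAC")
    return {
        "key_exchange": kx, "authentication": auth, "encryption": cipher,
        "hash": digest, "hash_role": "PRF/HKDF" if aead else "HMAC",
        "notes": notes,
    }

if __name__ == "__main__":
    # Suite names: the first is the slide's example, the others are standard names
    for suite in ("TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_AES_256_GCM_SHA384"):
        print(suite, parse_cipher_suite(suite))
```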


TLS Record Protocol


HTTPS (HTTP over SSL)

• Refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server

• The HTTPS capability is built into all modern Web browsers

• A user of a Web browser will see URL addresses that begin with https:// rather than http://

• If HTTPS is specified, port 443 is used, which invokes SSL

• When HTTPS is used, the following elements of the communication are encrypted:

  • URL of the requested document

  • Contents of the document

  • Contents of browser forms

  • Cookies sent from browser to server and from server to browser

  • Contents of HTTP header