CSCE 813 Internet Security Secure Services I

Transcription

1 CSCE 813 Internet Security Secure Services I Professor Lisa Luo Fall 2017

2 Previous Class Why do we need cloud computing? Three models of cloud service Software as a service (SaaS) Platform as a service (PaaS) Infrastructure as a service (IaaS) Cloud security risks Abuse of cloud computing Insecure interfaces and APIs Account or service hijacking Data loss or leakage Data protection in the cloud Basic requirement: encrypt data + access control 2

3 Security Objectives of Services Confidentiality Integrity Availability Authentication Authentication vs. Authorization User authentication vs. Message authentication 3

4 1. Internet Mail Architecture

5 5

6 Message User Agent (MUA) Operates on behalf of user actors and user applications 1. Formats a message 2. Submit message to MHS via MSA Housed in the user s computer: client program, or local network server 6

7 Mail Submission Agent (MSA) 1. Accepts messages submitted by MUA SMTP is used between MUA and MSA 2. Enforces the policies of the hosting domain and the requirements of Internet standards 7

8 Message Transfer Agent (MTA) Relays mails, like a package switch or IP router SMTP is used between MTA and MTA, MTA and MDA Mail Delivery Agent (MDA) Transfers message from MHS to MS Message Store (MS) Stores messages MUA retrieves messages from MS via POP (Post Office Protocal) or IMAP (Internet Message Access Protocol) 8

9 2. Protocols

10 Protocols SMTP: used to move messages from source (MUA) to destination (MS) IMPA or POP: used to retrieval message from MS to MUA, or transfer messages between mail servers 10

11 SMTP (Simple Mail Transfer Protocol) Encapsulates messages in an envelope Relay the encapsulated message from source to destination via MTAs How SMTP works: M c 11

12 IMAP vs. POP Allows users to download s from an server 1. User provides username and password 2. After user is authenticated, user can download s via IMAP or POP IMAP vs. POP Both them use TCP IMPA provides stronger authentication, and other functions not supported by POP 12

13 SMTP over TLS (STARTTLS) A security-related extension for SMTP Enables the confidentiality and authentication between SMTP agents If TLS is used to establish a secure communication channel, it is SMTP over TLS 13

14 Multipurpose Internet Mail Extensions (MIME) Goal: address some problems and limitations of SMTP Limitations of SMTP cannot transmit executable files or binary objects cannot transmit text data including national language characters may reject mail message over a certain size some SMTP implementations does not follow the SMTP standards (RFC 821) 14

15 Secure/MIME (S/MIME) A secure enhancement to MIME Provides: Authentication Confidentiality Compression compatibility 93Y 15

16 Authentication Add digital signatures RSA + SHA-256 Q: How to generate digital signatures? message -> M message digest -> H = SHA(M) digital signature -> Sig = E(H, PR_sender) send the message M Sig 16

17 Confidentiality Encrypting message Encryption algorithm: AES with CBC Q: How to distribute the secrete key? use RSA the sender use the receiver s public key to encrypt the secrete key and send to the receiver 17

18 M M E (K, M sig.) M H(M) E (PR, H(M)) Sig. Sig. Sig. Message digest Digital signature M D (K, M sig.) M H(M) Sig. Sig. D (PU, sig) H(M) Equal? 18

19 If only the signature service is used, then the digital signature is encrypted If the confidentiality is used, the message plus the digital signature are encrypted 19

20 Cryptographic algorithms used in S/MIME Function create a message digest to be used in forming a digital signature Requirement MUST support SHA-256 SHOULD support SHA-1 Use message digest to form a digital signature Encrypt session key for transmission with a message Encrypt message for transmission with a onetime session key MUST support RSA with SHA-256 SHOULD support DSA with SHA-256 RSASSA-PSS with SHA-256 RSA with SHA-1 RSA with SHA-1 DSA with SHA-1 RSA with MD5 MUST support RSA encryption SHOULD support RSAES-OAEP Diffie-Hellmanehpemeral-static mode MUST support AES-128 with CBC SHOULD support AES-192 CBC and AES-256 CBC Triple DESCBC 20

21 Summary Internet Mail Architecture Message User Agent (MUA) Mail Submission Agent (MSA) Message Transfer Agent (MTA) Mail Delivery Agent (MDA) Message Store (MS) Protocols SMTP IMPA or POP MIME Secure Protocols: SMTP over TLS S/MIME 21