Applied Networks & Security

Transcription

1 Applied Networks & Security Crypto with Critical Analysis John Kristoff IT 263 Winter 2006/2007 John Kristoff - DePaul University 1

2 Critical analysis disclaimer Following this disclaimer are slides used in other versions of the course. We mark up some slides using strikethroughs and underlined red in comic sans ms 20pt font. This is not meant to slight other teachers or their material. Much of the material is good and helpful so we use it. We do this to explore complex issues, refresh dated material, correct inaccuracies and stimulate critical thinking. In some cases we are pedantic where it seems useful, but we are not exhaustive and try to avoid being overly tedious when it is unnecessary. IT 263 Winter 2006/2007 John Kristoff - DePaul University 2

3 Security Technologies and Cryptography 3

4 Topics Security technologies Cryptography Fundamentals (Symmetric, Asymmetric, Hash, HMAC) Authentication Services Read chapter 7 One thing I've noticed missing is User Education, this is really hard, but you still gotta do it, technical solutions can't fix the dork who helpfully gives his password to a so-called administrator who calls and asks for it

5 Layered Security Architecture To prevent attacks, an enterprise need to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing. One missing piece or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls? What are the tools and technologies available? 5

6 Security Technologies Identity technologies Firewalls Intrusion detection systems (IDS) Intrusion Prevention Systems (IPS) Host and application security Content filtering Cryptography Physical security Methods and Policies change control, vulnerability assessment 6

7 Identities Technologies Username/password One time passwords (OTP) Synchronous and Asynchronous Tokens Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Control Access Control System (TACACS+) Public Key Infrastructure (PKI) Biometrics Some physical characteristics: Chip ID. Side note: strong/2-factor authentication terminology. 7

8 Firewalls Stateless packet filters - Router with access control list (ACL) Statefull Filters Proxy firewalls Host firewalls Much more on that in later lectures 8

9 Intrusion detection systems Signature-based Network IDS Anomaly-based Network IDS 9

10 Intrusion Prevention Systems (IPS) IDS with a twist! Block the attack if you identified it. IPS also are actually next generation firewalls 10

11 Host and application security File system integrity checking Antivirus protection Sandboxing systems Patch management and deployment 11

12 Content filtering Proxy servers (also firewall) Web filtering filtering Activity monitoring 12

13 Cryptography VPNs Network layer crypto (IPSEC) L5 to L7 crypto (SSL, TLS, terminal server) File system encryption Symmetric vs. asymmetric crypto 13

14 Physical Security Redundancy Fire suppression Locks, bars, vaults. Note: what about your backup tapes?? Physical lockdown of external media (see host security) Protection against electromagnetic leaks Tempest. See: =tempest/index.php 14

15 Methods and Policies CRITICAL ASPECT!! Often overlooked Formal security policies development and enforcement: This is the foundation of any INFOSEC program. Acceptable Use Policies (AUP) Regular Vulnerability Assessments Software development methods Audits 15

16 Cryptography Cryptography is crucial: it is the key building block for many other security services. Without it: no Ecommerce, no authentication services, no secure logins. It is a key component that will allow: Confidentiality Services, Integrity Services and Authentication Services. What does Cryptography means? Origin of the word: from Greek: Crypto Secret Graph Writing Not a new concept: was used by Romans: Ceasar Cipher 16

17 Overview Encryption is the process of taking a message (in cleartext or plaintext format) and transform it (in a format often called ciphertext ) so that its meaning can not be understood. Decryption is the process of taking the ciphertext and transforming it back to cleartext. To encrypt a message, you will use an encryption algorithm and an encryption key. To decrypt a message, you will use a decryption algorithm and a decryption key. 17

18 Characteristics of Encryption Algorithms The Encryption/Decryption algorithms must have the following characteristics: Efficient: must minimize amount of memory and time required to run them. Secure and/or reliable. Two choices: Make the algorithm secret. The opponent does not know HOW to decrypt the data. Make the algorithm public. The opponent knows how to decrypt the data but the only way to decrypt the data is to try all possible keys. This types of attacks are known as brute force attacks. 18

19 Keep algorithm Secret You can hide the method/algorithm used by implementing it in hardware devices or through a compiled algorithm. In software: you can be target of reverse engineering: almost always feasible to decompile/reverse engineer it. In hardware: Much harder to analyze but the secrecy can be compromised by: A disgruntle employee. A disgruntle or careless vendor. Now if the algorithm used to encrypt has a flaw: an attacker may be able to decrypt the data even without knowing the key. By keeping the algorithm secret, it is not subject to the analysis of it by Cryptanalysts that may identify a weakness before large deployment. 19

20 Cases Studies: make method secret Let s take a look at some concrete solutions that used this secrecy to secure the encrypted the data: Cable TV Scrambling DVD Encoding 20

21 Cases Studies: Make algorithm secret Cable/Sat TV Scrambling Rely on hardware encoding/scrambling Manufacturer rely on difficulty to analyze hardware functions and reproduce them. However, one can find cheap descrambler for sale. 21

22 Cases Studies: Make algorithm secret DVD Encoding Movie industry spent years developing a standard (CSS) for encryption. After development they simply released it. Not for review, but the full product (DVD) that relied on the standard. Encryption keys were assigned to DVD manufacturers and decryption keys based on them were distributed to all DVD reader manufacturers to build in all DVD readers. Two ooopps happened: A DVD software reader improperly protected one decryption key and it was made public. Several security technologists reversed engineered and decoded the encryption algorithm used. Soon after a software program (DeCSS) was released that allows one to pull the decrypted data off the DVD disk and play/save it like any other multimedia file. What was the movie industry reaction: Sue them but the damage is done: nobody can order or afford the recall of all DVD players! Lesson learned: Security by Secrecy does not work! 22

23 Make the algorithm public The algorithm will be scrutinized by experts and if after some time, nobody find a weakness: chances are: there are none! So how do you defeat the encryption? The only way is by going through and trying all possible decryption keys! This is called a Brute Force attack. How many possible keys exist? It depends on the length/size of the key. 40 bits key bits key bits key In average you will need to go through ½ the possible keys. However here is a fun question: how do you know you found the right key? Can you identify the plaintext? If it is English (or French for that matter) it is easy but what if it is a binary file? 23

24 Make the algorithm public So how do you protect the secrecy? Use a longer key!!! However the longer the key, the longer it takes to encrypt/decrypt the data. So we can establish that it will be possible for anybody to decrypt the data: the problem is not IF they can decrypt it but HOW LONG will it take to decrypt it! Make the cost of running a brute force attack longer than the value of the data. For example: If it takes you 4 years to decode a credit card number that has a 2 years expiration, is it worth trying? If you need to build a $10, decryption machine to decrypt ordering information that will allow you to hijack $2,000, worth of data in 3 months, is it worth it? 24

25 Case Study: Reliable Algorithm with long key: is it safe? If you use an algorithm that has no known weakness (for example 3DES) with a long enough key (for example 128 bits) you are safe from eavesdropping. Is that really true? What could go wrong? 25

26 Case Study: Reliable Algorithm with long key: is it safe? If you use an algorithm that has no known weakness (for example 3DES) with a long enough key (for example 128 bits) you are safe from eavesdropping. Is that really true? What could go wrong? You also need to protect your keys. 26

27 Friends and enemies: Alice, Bob, and Trudy well-known in network security world Bob, Alice (lovers!) want to communicate securely Trudy (intruder) may intercept, delete, add messages Alice channel data, control messages Bob data secure sender secure receiver data Trudy 27

28 Who might Bob, Alice be? well, real-life Bobs and Alices! Web browser/server for electronic transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples? 28

29 There are bad guys (and girls) out there! Q: What can a bad guy do? A: a lot! eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source address in packet (or any field in packet) hijacking: take over ongoing connection by removing sender or receiver, inserting himself in place denial of service: prevent service from being used by others (e.g., by overloading resources) 29

30 The language of cryptography plaintext K A Alice s encryption key encryption algorithm ciphertext Bob s K decryption B key decryption algorithm plaintext symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) 30

31 Symmetric key cryptography K A-B K A-B plaintext message, m encryption algorithm ciphertext K A-B (m) decryption algorithm plaintext m = K ( K (m) ) A-B A-B A-B symmetric key crypto: Bob and Alice share known same (symmetric) key: K e.g., key is knowing substitution pattern in mono alphabetic substitution cipher Q: how do Bob and Alice agree on key value?

32 Symmetric key crypto: DES DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64-bit plaintext input How secure is DES? First DES Challenge 1997: 56-bit key-encrypted phrase ( Strong cryptography makes the world a safer place ) decrypted (brute force) in 4 months no known backdoor decryption approach making DES more secure: use three keys sequentially (3-DES) on each datum use cipher-block chaining (64-bit block) 32

33 Symmetric key crypto: DES DES operation initial permutation 16 identical rounds of function application, each using different 48-bit key final permutation 33

34 AES: Advanced Encryption Standard new (Nov. 2001) symmetric-key NIST standard, replacing DES processes data in 128-bit blocks 128, 192, or 256 bit keys brute force decryption (try each possible key) taking 1 sec on DES, takes 149 trillion years for AES 34

35 Other Symmetric Encryption Standards Wired Equivalent Privacy (WEP) 3DES Developed for Wireless LANs 40-bit or 104-bit keys Note: WEP is NOT secure: it will prevent a casual eavesdropper to get traffic but is easy to break. Problem of DES: Key too short 3DES uses 3 successive iteration of DES with 3 keys (K1, K2, K3) making an effective key length of 168-bits. Note: 3DES is very processor intensive. 35

36 Symmetric Encryption Secret Key Distribution Problem How does one user/app distribute the encryption key to the other user securely? Over the telephone? By ? Usually a system admin must enter the key manually at both ends before communication can occur (as with WEP, for example). This may present a start-up problem. Also if N parties want to communicate with each others, how many symmetric keys must be generated? 36

37 Public Key Cryptography symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if never met )? - Key Distribution Center public key cryptography radically different approach [Diffie- Hellman76, RSA78] sender, receiver do not share secret key public encryption key known to all private decryption key known only to receiver 37

38 Asymmetric Encryption Asymmetric Cryptology is the most important breakthrough is cryptographic science in 4000 years. The key used for encryption is different than the key used for decryption. Public Key encryption uses manipulation of message AND mathematical properties between the keys used. Instead of using only ONE key, public key cryptography uses TWO keys that are linked together by mathematical properties. Example: Create pair of keys (1/4, 4) Use a multiplication x4 (public key) to encrypt and Use a division x ¼ (private key) to decrypt Of course, it is obvious in this case to crack the private key when knowing the public key! Now we have 2 keys, this has great consequences in term of confidentiality, key distribution and authentication: We can use one key as a public key and openly distribute it while keeping one key private for sole use by the party that generated the pair of keys. 38

39 Public key/asymmetric cryptography Misconceptions Public key/asymmetric cryptography has several common misconceptions: More secure than conventional encryption: WRONG security of the scheme only depends on the key length (assuming no flaw in encryption methods). Make conventional encryption obsolete: WRONG because of much larger overhead of PK, usually it is only used for initial communication and to allow 2 parties to securely communicate and exchange a common symmetric key that will then be used for all communication encryption. Key distribution trivial: WRONG many aspects are difficult and advanced procedures must still be involved. The private keys must also be carefully protected. Also we need a method to trustfully and reliably distribute the public key. 39

40 Asymmetric Cryptography Requirements It s computationally easy to generate a pair of keys It s computationally easy to encrypt It s computationally easy to decrypt It is computationally infeasible for an opponent to derive the private key from the known public key It is computationally infeasible for an opponent to recover the original message from the ciphertext knowing only the public key. (useful but not necessary requirement) Either of the 2 related keys can be used for encryption and the other for decryption. M=DK-pub [E K-priv (M)]=D K-priv [E K-pub (M)] 40

41 Public key cryptography K B + K B - Bob s public key Bob s private key plaintext message, m encryption algorithm ciphertext + K (m) B decryption algorithm plaintext message - + m = K (K (m)) B B 41

42 RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are relatively prime ). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). K B + K B -

43 RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute ( m < n ) c = m e e mod n (i.e., remainder when m is divided by n) 2. To decrypt received bit pattern, c, compute m = c d d mod n (i.e., remainder when c is divided by n) Magic happens! m = (m e d mod n) mod n c

44 RSA: another important property The following property will be very useful later: - + K (K (m)) = m B B use public key first, followed by private key = + - B B K (K (m)) use private key first, followed by public key Result is the same!

45 Authentication Like cryptography, authentication services are a key foundation upon which many other services are provided. Why do we need authentication? A user claiming a given identity must be able to verify it. Because we want to make sure we give access to the correct users and the identity of the user has been verified via authentication services. The user must be accountable for his/her action (nonrepudiation). Accountability can only be enforced if the its identity was checked. Authentication is not only for users: services and applications should also be authenticated. Wouldn t you want to make sure that the web page that is displayed really comes from amazon.com before you enter your credit card number? 45

46 Identity and Authentication Identity services determine who the user is. Hi all. I am Elvis! - Elvis is my identity. Identity can be given by the user via its username, account name, SS#, etc It can also be established by biometric information: a fingerprint will declare a user identity. At the same, it can also provide authentication of the identity. Identity must be verified using some method. It can be as easy as NONE: Hey you say you are Elvis why should I doubt that Or ask for a password: graceland Or look for a characteristic: He has dark hair: He is Elvis Or ask for something he posses: He has the keys to Graceland, therefore he is Elvis That identity verification process is the authentication process. 46

47 Authentication Methods Authentication can be established by: Something you know: A password Something you have: you may have a hardware token, or have a special software on the PC. Something you are: Biometric authentication, you are a specific MAC address or IP You may want to use 1 method to authenticate a user or 2 or 3 combined. This later methods are usually referred to as strong authentication. Authentication methods used must be decided based on business requirements. Some application/data access may require weak authentication some very strong. These decisions are business decisions and must be documented in an organization s security policy. 47

48 Other Services Enabled by Authentication Authorization: Is the authenticated user authorized to perform an activity or to access a given data or application? Accounting: Log the utilization of a resource: how long did the user access a service/application? How much data was accessed, read, written downloaded? This will be logged in audit trails for accountability purposes (charge back, non-repudiation). 48

49 Authentication protocols Goal: Bob wants Alice to prove her identity to him Protocol ap1.0: Alice says I am Alice I am Alice Failure scenario?? 49

50 Authentication protocols Goal: Bob wants Alice to prove her identity to him Protocol ap1.0: Alice says I am Alice I am Alice in a network, Bob cannot see Alice, so Trudy simply declares herself to be Alice 50

51 Authentication protocols: another try Protocol ap2.0: Alice says I am Alice in an IP packet containing her source IP address Alice s IP address I am Alice Failure scenario?? 51

52 Authentication protocols: another try Protocol ap2.0: Alice says I am Alice in an IP packet containing her source IP address Alice s IP address I am Alice Trudy can create a packet spoofing Alice s address 52

53 Authentication protocols: another try Protocol ap3.0: Alice says I am Alice and sends her secret password to prove it. Alice s IP addr Alice s password I m Alice Alice s IP addr OK Failure scenario?? 53

54 Authentication protocols: another try Protocol ap3.0: Alice says I am Alice and sends her secret password to prove it. Alice s IP addr Alice s password I m Alice Alice s IP addr OK playback attack: Trudy records Alice s packet and later plays it back to Bob Alice s IP addr Alice s password I m Alice 54

55 Authentication protocols: yet another try Protocol ap3.1: Alice says I am Alice and sends her encrypted secret password to prove it. Alice s IP addr encrypted password I m Alice Alice s IP addr OK Failure scenario?? 55

56 Authentication protocols: another try Protocol ap3.1: Alice says I am Alice and sends her encrypted secret password to prove it. Alice s IP addr encrypted password I m Alice Alice s IP addr OK record and playback still works! Alice s IP addr encrypted password I m Alice 56

57 Authentication protocols: yet another try Goal: avoid playback attack Nonce: number (R) used only once in-a-lifetime ap4.0: to prove Alice live, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key I am Alice R Failures, drawbacks? K A-B (R) Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

58 Authentication protocols: ap5.0 ap4.0 requires shared symmetric key can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography R I am Alice - K A (R) send me your public key K A + Bob computes + - K A (K A(R)) = R and knows only Alice could have the private key, that encrypted R + such - that K A (K (R)) = R A

59 ap5.0: security hole Man (woman) in the middle attack (MITM): Trudy poses as Alice (to Bob) and as Bob (to Alice) - + m = K (K (m)) A A I am Alice R - K (R) A Send me your public key K + A + K (m) A Trudy gets - + m = K (K (m)) sends T m to T Alice encrypted with Alice s public key I am Alice R - K (R) T Send me your public key K + T + K (m) T

60 ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Difficult to detect: Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well! Protocol op5.0 is only as secure as the distribution of public keys

61 Password Authentication Most common form of authentication but we need to take some time to think about it and see how it can be misused. Initial password selection. How do you determine/generate the initial password? Password complexity What type of complexity should you require? Minimum length Inclusion of letters, numbers, special characters Can the user choose it own password or should it be generated for them. Note: if it is generate and is extremely complex, the chance that a user writes it on a note and stick it to the monitor is high! Not a great idea! Aging Should the user be required to change it every X Days. Should they be prohibited to re-use same password or a variation of it. Popular way for users is to use: mypass1 then mypass2 then mypass3 etc Lockouts Should the account be locked-out after X bad attempts? This can lead to problems if too strict. The education of the user community is essential for the successful implementation of a good password policy. 61

62 Token Authentication A Token device or password generator is usually hand-held device that generate a password. Has a display sometime a keypad for data/pin entry 2 main types: Synchronous and asynchronous. Synchronous The device and the server synchronize their time. Based on the time, a password is generated. The devices (usually) re-synch on a successful authentication. Drawback: if a user does not authenticate for a long time (usually months), the synchronization may be lost and require manual (admin) action. Asynchronous Use a challenge-response method Server send a message User enter a pin or password Token calculates a password and display it User enter displayed password to server 62

63 Biometric Authentication Basic idea: verify an identity by a unique personal attribute (something you are) Very effective but the systems have some characteristics you need to be aware of: False positives are possible. False negative are possible. Become more viable and popular as system reliability and pricing are getting lower Often used in conjunction with another authentication form (passwords, pins) 63

64 Biometric Examples Fingerprint Read someone s fingerprint Palm Scan Similar than fingerprints but on whole hand. Hand Geometry Based on length, width of hand and fingers Retina Scan Look for blood vessel patterns Iris Scan Based on colored portion of eye. Unique pattern of colors, rings, rifts, etc.. Signature Dynamics Based on speed and patterns that an individual use to sign Keyboard Dynamics Based on speed and motions an individual use to type a phrase or a password. Voice Print Based on voice sounds and patterns Facial Scan Based on an individual s facial characteristics, bone structure, sizes. 64

65 Kerberos Kerberos is a set of authentication services developed at MIT as part of project Athena. Where does name come from? Greek Mythology: Kerberos was a 3-headed dog that guards the entrance to the underworld. Key benefit of Kerberos: it can provide a single signon system for distributed and heterogeneous environments. At the core was also the idea that it will be implemented in very hostile environments and must include authentication of users, services and hosts. Based on a symmetric crypto key and provides end-toend security. Passwords are never transmitted. 65

66 Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator. verifiable, non-forgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document Similar to authentication but not the same 66

67 Digital Signatures - Simple digital signature for message m: Bob signs m by encrypting with his private key K - B, creating signed message, K - (m) B Bob s message, m Dear Alice Oh, how I have missed you. I think of you all the time! (blah blah blah) Bob K B - Public key encryption algorithm Bob s private key K B - (m) Bob s message, m, signed (encrypted) with his private key 67

68 Digital Signatures (more) Suppose Alice receives msg m, digital signature K - (m) B Alice verifies m signed by Bob by applying Bob s public key K + B to K - (m) then checks B K+ B (K- B (m) ) = m. If K + B(K - B(m) ) = m, whoever signed m must have used Bob s Alice private thus key. verifies that: Bob signed m. No one else signed m. Bob signed m and not m. Non-repudiation: Alice can take m, and signature K - B(m) to court and prove that Bob signed m. - 68

69 Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length, easy- tocompute digital fingerprint apply hash function H to m, get fixed size message digest, H(m). Hash function properties: large message m many-to-1 H: Hash Function H(m) produces fixed-size msg digest (fingerprint) given message digest x, computationally infeasible to find m such that x = H(m) 69

70 equal? Digital signature = signed message digest Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: large message m + H: Hash function Bob s private key K B - H(m) digital signature (encrypt) encrypted msg digest - K B (H(m)) large message m H: Hash function H(m) Bob s public key K B + encrypted msg digest - K B (H(m)) digital signature (decrypt) H(m)

71 Hash Function Algorithms MD5 hash function widely used (RFC 1321) computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. SHA-1 is also used. (Secure Hash Algorithm) US Federal standard [NIST, FIPS PUB 180-1] 160-bit message digest 71

72 MAC Hash Function The CRC Code that is used for error detection is an example of a hash function. For security services, we call the hash code a Message Authentication Code (MAC) or Hash MAC (HMAC). To ensure message Integrity (make sure that the message received was the same as the message sent): Sender calculates MAC code and appends to message Receiver calculates MAC code and compares to sender s MAC. If they match, then message was not altered in transmission. 72

73 Message Integrity Can t an attacker modify the message AND recalculate the MAC? How do you ensure that the real sender calculated the Hash MAC? For Symmetric (Private Key) systems: the sender can encrypt the HMAC using the private key and send it. The receiver then recalculates the message hash and decrypts the HMAC. If it matches: it proves that the party that possessed the encryption key created the message and the hash. For Public Key systems: Same idea but the sender uses his private key to encrypt the hash. The receiving party uses the sender s public key to decrypt the hash and verify it. 73

74 Trusted Intermediaries Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC) acting as intermediary between entities Public key problem: When Alice obtains Bob s public key (from web site, , diskette), how does she know it is Bob s public key, not Trudy s? Solution: trusted certification authority (CA) 74

75 Key Distribution Center (KDC) Alice, Bob need shared symmetric key. KDC: server shares different secret key with each registered user (many users) Alice, Bob know own symmetric keys, K A-KDC K B-KDC, for K P-KDC communicating with KDC. K B-KDC K A-KDC K P-KDC K X-KDC K Y-KDC KDC K Z-KDC K A-KDC K B-KDC 75

76 Key Distribution Center (KDC) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? K A-KDC (A,B) KDC generates R1 Alice knows R1 K A-KDC (R1, K B-KDC (A,R1) ) K B-KDC (A,R1) Alice and Bob communicate: using R1 as session key for shared symmetric encryption Bob knows to use R1 to communicate with Alice 76

77 Certification Authorities Certification authority (CA): binds public key to particular entity, E. E (person, router) registers its public key with CA. E provides proof of identity to CA. CA creates certificate binding E to its public key. certificate containing E s public key digitally signed by CA CA says this is E s public key Bob s identifying information Bob s public key K + B digital signature (encrypt) K - CA CA private K B + certificate for Bob s public key, signed by CA

78 Certification Authorities When Alice wants Bob s public key: gets Bob s certificate (Bob or elsewhere). apply CA s public key to Bob s certificate, get Bob s public key K B + digital signature (decrypt) K B + Bob s public key CA public key K + CA 78

79 Public Key Infrastructure (PKI) A PKI consist of programs, protocols, procedures, public key encryption mechanisms, database, data formats. This comprehensive structure allows people to communicate in a secure and predictable manner. Based on 2 main aspects: Public key cryptology X.509 standard protocols for exchanging digital certificates The security services it provides are: Authentication Confidentiality Integrity Non-repudiation Fundamental Issue: How do you authenticate a person or application before you make use of their public key? 79

80 Digital Certificates To be part of a PKI a user or service needs a Digital Certificate. The digital certificate contains the credential of the entity, identifying information and its public key. How can I trust the certificate? Because the certificate was signed by a trusted third party called the Certificate Authority (CA) Key point: user certificates are assumed to have been created by some trusted Certificate Authority and placed in the directory of the CA by the CA or the user. If certificate placed by user, you need a strong mechanism to ensure authentication of user. Note: each user still needs to protect their secret key. The certificate and PKI do not assist you for that. Which Certificate Authorities do I trust? Certain trusted root CAs are configured in your browser. Root CAs can then authenticate other CAs. 80

81 Public versus Private CA You want to use certificates, should you implement your own CA infrastructure or purchase Certificate(s) from a well-known CA provider (Verisign, Entrust, etc..)? Response: well it depends on the needs, requirements and what these certificates will be used for. Private CA Advantages: No need to spend annual $$ for renewal. Can generate large number of certificates at little/no additional costs. Public CA Advantages: Will be recognized as valid by all Internet Users. No need to support CA servers internally. No need to manage registration of users and certificate revocation internally. 81

82 Cryptography in real life Secure Secure sockets Security in

83 Secure Alice wants to send confidential , m, to Bob. m K S. K S ( ) K S (m ) K S (m ). K S ( ) m K S. + K B ( ) K B + + K B (K S ) + - Internet + K B (K S ) K B - K S -. K B ( ) Alice: generates random symmetric private key, K S. encrypts message with K S (for efficiency) also encrypts K S with Bob s public key. sends both K S (m) and K B (K S ) to Bob.

84 Secure Alice wants to send confidential , m, to Bob. m K S. K S ( ) K S (m ) K S (m ). K S ( ) m K S. + K B ( ) K B + + K B (K S ) + - Internet + K B (K S ) K B - K S -. K B ( ) Bob: uses his private key to decrypt and recover K S uses K S to decrypt K S (m) to recover m

85 Secure (continued) Alice wants to provide sender authentication message integrity. m H( ) K Ā.. - K A ( ) - K A (H(m)) - K A (H(m)) + K. A + K A ( ) H(m ) m + - Internet m compare. H( ) H(m ) Alice digitally signs message. sends both message (in the clear) and digital signature.

86 Secure (continued) Alice wants to provide secrecy, sender authentication, message integrity. m m H( ) K Ā.. - K A ( ) - K A (H(m)) + K S. K S ( ) +. K B ( ) K B + Alice uses three keys: her private key, Bob s public key, newly created symmetric key K S + + K B (K S ) Internet

87 Pretty Good Privacy (PGP) Internet encryption scheme, de-facto standard. uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. provides secrecy, sender authentication, integrity. inventor, Phil Zimmerman, was target of 3-year federal investigation. A PGP signed message: ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight.passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhhjrhhgjghgg/12epj+lo8ge4vb3 mqjhfevzp9t6n7g6m5gw2 ---END PGP SIGNATURE--- 87

88 Secure sockets layer (SSL) transport layer security to any TCP-based app using SSL services. used between Web browsers, servers for e- commerce (shttp). security services: server authentication data encryption client authentication (optional) server authentication: SSL-enabled browser includes public keys for trusted CAs. Browser requests server certificate, issued by trusted CA. Browser uses CA s public key to extract server s public key from certificate. check your browser s security menu to see its trusted CAs. 88

89 SSL (continued) Encrypted SSL session: Browser generates symmetric session key, encrypts it with server s public key, sends encrypted key to server. Using private key, server decrypts session key. Browser, server know session key All data sent into TCP socket (by client or server) encrypted with session key. SSL: basis of IETF Transport Layer Security (TLS). SSL can be used for non-web applications, e.g., IMAP. Client authentication can be done with client certificates. 89

90 IEEE security War-driving: drive around Bay area, see what networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy! Securing encryption, authentication first attempt at security: Wired Equivalent Privacy (WEP): a failure current attempt: i 90

91 Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host no key distribution mechanism authentication: knowing the shared key is enough 91

92 802.11i: improved security numerous (stronger) forms of encryption possible provides key distribution uses authentication server separate from access point 92

93 Network Security (summary) Basic techniques... cryptography (symmetric and public) authentication message integrity key distribution. used in many different security scenarios secure secure transport (SSL) IP sec