CS669 Network Security

Transcription

1 UNIT IV SECURITY PRACTICE Authentication applications Kerberos Kerberos Encryption Techniques PGP Radix64 IP Security Architecture Payload Key management Web security requirements SSL TLS SET Authentication applications authentication functions developed to support application-level authentication & digital signatures Kerberos a private-key authentication service X a public-key directory authentication service Kerberos Overview authentication service designed for use in a distributed environment. makes use of a trusted third-party authentication service o enables clients and servers to establish authenticated communication. developed as part of Project Athena at MIT Addresses the following threats o user pretend to be another user operating from that workstation o user may alter the network address and impersonate the workstation o eavesdrop on exchanges and use a replay attack for gaining entry or disrupt provides a centralized authentication server to authenticate users to servers and servers to users relies exclusively on symmetric encryption, making no use of public-key encryption two versions in use 4 & 5 Motivation / Requirements (SRTS) Secure o A network eavesdropper should not be able to obtain the necessary information to impersonate a user. o strong enough such that a potential opponent does not find it to be the weak link. Reliable o should be highly reliable o should employ a distributed server architecture, one system able to back up another. Transparent o user should not be aware that authentication is taking place beyond the requirement to enter a password. Scalable o capable of supporting large numbers of clients and servers modular, distributed architecture. Kerberos Encryption Techniques Simple Kerberos Dialogue MTech CSE (PT, ) SRM, Ramapuram 1 hcr:innovationcse@gg

2 Kerberos Overview Kerberos Version 4 Message Exchanges i) Authentication Service Exchange to obtain ticket-granting ticket 1) Client requests ticket-granting ticket User logs on to workstation and requests service on host 2) AS returns ticket-granting ticket AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password MTech CSE (PT, ) SRM, Ramapuram 2 hcr:innovationcse@gg

3 ii) Ticket-Granting Service Exchange to obtain service-granting ticket 3) Client requests service-granting ticket Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user's name, network address, and time to TGS 4) TGS returns service-granting ticket TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server iii) Client/Server Authentication Exchange to obtain service 5) Client requests service Workstation sends ticket and authenticator to server 6) Optional authentication of server to client Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator Kerberos Realms And Multiple Kerberi Kerberos realm a set of managed nodes that share the same Kerberos database. database resides on the Kerberos master computer system, kept in a physically secure room. o A read-only copy on other Kerberos computer systems. all changes to the database must be made on the master computer system. o requires the Kerberos master password Kerberos principal a service or user that is known to the Kerberos system. Each Kerberos principal is identified by its principal name. Principal names consist of three parts: a service or user name, an instance name, and a realm name MTech CSE (PT, ) SRM, Ramapuram 3 hcr:innovationcse@gg

4 Requirements 1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server. 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server 3. The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other Exchanges Request for Service in another Realm MTech CSE (PT, ) SRM, Ramapuram 4 hcr:innovationcse@gg

5 Environmental shortcomings of Kerberos version 4 Encryption system dependence Export restriction on DES as well as doubts about the strength of DES In version 5, ciphertext is tagged with an encryption type identifier so that any encryption technique may be used Encryption keys are tagged with a type and a length, o allowing the same key to be used in different algorithms o allowing the specification of different variations on a given algorithm. Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP) addresses. Other address types, such as the ISO network address, are not accommodated. Version 5 network addresses are tagged with type and length, allowing any network address Message byte ordering In version 4, the sender of a message employs a byte ordering of its Own In version 5, all message structures are defined using Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte ordering. Ticket lifetime: Lifetime values in version 4 are encoded in an 8-bit quantity in units of five minutes. o 1280 minutes, or over 21 hours In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes Authentication forwarding: Version 4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client Version 5 provides this capability Interrealm authentication: In version 4, interoperability among N realms requires on the order of N2 Kerberos-to-Kerberos relationships Version 5 supports a method that requires fewer relationships Technical deficiencies Double encryption second encryption is not necessary and is computationally wasteful PCBC encryption Version 4 uses nonstandard mode of DES known as propagating cipher block chaining (PCBC) Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be used o a checksum or hash code is attached to the message prior to encryption Session keys Password attacks Both versions are vulnerable to a password attack Version 5 does provide a mechanism known as Preauthentication MTech CSE (PT, ) SRM, Ramapuram 5 hcr:innovationcse@gg

6 Kerberos Version 5 Message Exchanges Authentication Service Exchange to obtain ticket-granting ticket Ticket-Granting Service Exchange to obtain service-granting ticket Client/Server Authentication Exchange to obtain service New Elements Realm: Indicates realm of user Options: Used to request that certain flags be set in the returned ticket Times: Used by the client to request the following time settings in the ticket: o from: the desired start time for the requested ticket o till: the requested expiration time for the requested ticket o rtime: requested renew-till time Nonce: A random value to be repeated in message (2) to assure that the response is fresh Kerberos Version 5 Flags MTech CSE (PT, ) SRM, Ramapuram 6 hcr:innovationcse@gg

7 PGP PGP is an open-source, freely available software package for security. It provides o authentication through the use of digital signature, o confidentiality through the use of symmetric block encryption, o compression using the ZIP algorithm, and o compatibility using the radix-64 encoding scheme. PGP incorporates tools for developing a public-key trust model and public-key certificate management Largely the effort of a single person, Phil Zimmermann Reasons for PGP s growth available free worldwide - on a variety of platforms o like Windows, UNIX, Macintosh. o commercial version comes with vendor support. based on algorithms that are considered extremely secure o the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; o CAST-128, IDEA, and 3DES for symmetric encryption; o SHA-1 for hash coding. It has a wide range of applicability, o From corporations to individuals It was not developed by, nor is it controlled by, any governmental or standards organization. o For those with an instinctive distrust of the establishment, this makes PGP attractive. PGP is on an Internet standards track (RFC 3156; MIME Security with OpenPGP). Notation Summary of PGP Services Function Algorithms Used Description Digital signature Message encryption Compression compatibility Segmentation DSS/SHA or RSA/SHA CAST or IDEA or Threekey Triple DES with Diffie-Hellman or RSA ZIP Radix 64 conversion A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message A message is encrypted using CAST-128or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie- Hellman or RSA with the recipient's public key and included with the message A message may be compressed, for storage or transmission, using ZIP To provide transparency for applications, an encrypted message may be converted to an ASCII string using radix 64 conversion. To accommodate maximum message size limitations, PGP performs segmentation and reassembly. MTech CSE (PT, ) SRM, Ramapuram 7 hcr:innovationcse@gg

8 Operation The PGP does five services Authentication Confidentiality Compression compatibility Segmentation Authentication The sequence is as follows The sender creates a message SHA-1 is used to generate a 160-bit hash code of the message The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message. The receiver uses RSA with the sender's public key to decrypt and recover the hash code The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic The combination of SHA-1 and RSA provides an effective digital signature scheme. the recipient is assured that, o Because of the strength of RSA, only the possessor of the matching private key can generate the signature. o Because of the strength of SHA-1, no one else could generate a new message that matches the hash code and, hence, the signature of the original message MTech CSE (PT, ) SRM, Ramapuram 8 hcr:innovationcse@gg

9 Confidentiality provided by encrypting messages to be transmitted or to be stored locally as files Sequence The sender generates a message and a random 128-bit number to be used as a session key for this message only The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key. o 64-bit cipher feedback (CFB) mode is used The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message. The receiver uses RSA with its private key to decrypt and recover the session key The session key is used to decrypt the message Confidentiality and Authentication a signature is generated for the plaintext message and prepended to the message the plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES) the session key is encrypted using RSA (or ElGamal) Compression By default, PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for transmission and for file storage indicated by Z for compression and Z-1 for decompression in the above figure The compression algorithm used is ZIP The signature is generated before compression for two reasons: o one can store only the uncompressed message together with the signature for future verification o Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm Message encryption is applied after compression to strengthen cryptographic security. o the compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult compatibility When PGP is used, at least part of the block to be transmitted is encrypted. the resulting block consists of a stream of arbitrary 8-bit octets many electronic mail systems only permit the use of blocks consisting of ASCII text To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable The scheme used for this purpose is Radix-64 Conversion Each group of three octets of binary data is mapped into four ASCII characters appends a CRC to detect transmission errors it blindly converts the input stream to radix-64 format regardless of content, even if the input happens to be ASCII text o the output will be unreadable to the casual observer, which provides a certain level of confidentiality Segmentation and Reassembly facilities often are restricted to a maximum message length like 50,000 octets Any message longer than that must be broken up into smaller segments, each of which is mailed separately To accommodate this restriction, PGP automatically subdivides a message that is too large into segments that are small enough to send via . The segmentation is done after all of the other processing, including the radix-64 conversion. Thus, the session key component and signature component appear only once, at the beginning of the first segment. At the receiving end, PGP must strip off all headers and reassemble the entire original block MTech CSE (PT, ) SRM, Ramapuram 9 hcr:innovationcse@gg

10 Transmission and Reception of PGP Messages Cryptographic Keys and Key Rings PGP makes use of four types of keys: 1. one-time session symmetric keys, 2. public keys, 3. private keys 4. passphrase-based symmetric keys Three separate requirements for these keys 1. A means of generating unpredictable session keys is needed 2. We would like to allow a user to have multiple public-key/private-key pairs o the user may wish to change his or her key pair from time to time o a user may wish to have multiple key pairs at a given time to interact with different groups of correspondents simply to enhance security by limiting the amount of material encrypted with any one key 3. Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of correspondents Session Key Generation Random 128-bit numbers are generated using CAST-128 itself. The input to the random number generator consists of a 128-bit key and two 64-bit blocks that are treated as plaintext to be encrypted. Using cipher feedback mode, the CAST-128 encrypter produces two 64-bit cipher text blocks, which are concatenated to form the 128-bit session key Key Identifiers any given user may have multiple public/private key pairs. the recipient need to know which of its public keys was used to encrypt the session key The solution adopted by PGP is to assign a key ID to each public key that is, with very high probability, unique within a user ID consists of its least significant 64 bits MTech CSE (PT, ) SRM, Ramapuram 10 hcr:innovationcse@gg

11 the key ID of public PUa is (PUa mod 2 64 ). A key ID is also required for the PGP digital signature General Format of PGP Message (from A to B) A message consists of three components: 1. the message component, 2. a signature (optional), 3. a session key component (optional) Message Component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation Signature Component MTech CSE (PT, ) SRM, Ramapuram 11 hcr:innovationcse@gg

12 Timestamp: The time at which the signature was made Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key Leading two octets of message digest o to determine if the correct public key was used o also serve as a 16-bit frame check sequence for the message Key ID of sender's public key: Identifies the public key that should be used Session Key Component includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt the session key. The entire block is usually encoded with radix-64 encoding. Key Rings two key IDs are included in any PGP message that provides both confidentiality and authentication. The scheme used in PGP is to provide a pair of data structures at each node, o one to store the public/private key pairs owned by that node o one to store the public keys of other users known at this node. These data structures are referred to, respectively, as the private-key ring and the public-key ring Private-Key Ring a table, in which each row represents one of the public/private key pairs owned by this user Each row contains the following entries: o Timestamp: The date/time when this key pair was generated. o Key ID: The least significant 64 bits of the public key for this entry. o Public key: The public-key portion of the pair. o Private key: The private-key portion of the pair; this field is encrypted. o User ID: Typically, this will be the user's address or any other name can be indexed by either User ID or Key ID the private key itself is not stored in the key ring this key is encrypted using CAST-128 (or IDEA or 3DES). Procedure For Encrypting The Private Key The user selects a passphrase to be used for encrypting private keys When the system generates a new public/private key pair using RSA, o it asks the user for the passphrase. o Using SHA-1, a 160-bit hash code is generated from the passphrase o the passphrase is discarded The system encrypts the private key using CAST-128 with the 128 bits of the hash code as the key. o The hash code is then discarded, o the encrypted private key is stored in the private-key Procedure To Retrieve A Private Key user must supply the passphrase. PGP will retrieve the encrypted private key, generate the hash code of the passphrase, decrypt the encrypted private key using CAST-128 with the hash code MTech CSE (PT, ) SRM, Ramapuram 12 hcr:innovationcse@gg

13 Public-Key Ring used to store public keys of other users that are known to this user Essential fields o Timestamp: The date/time when this entry was generated. o Key ID: The least significant 64 bits of the public key for this entry. o Public Key: The public key for this entry. o User ID: Identifies the owner of this key. Multiple user IDs may be associated with a single public key can be indexed by either User ID or Key ID; PGP Message Generation (from User A to User B; no compression or radix 64 conversion) Signing the message PGP retrieves the sender's private key from the private-key ring using your_userid as an index. PGP prompts the user for the passphrase to recover the unencrypted private key. The signature component of the message is constructed Encrypting the message PGP generates a session key and encrypts the message. PGP retrieves the recipient's public key from the public-key ring using her_userid as an index. The session key component of the message is constructed MTech CSE (PT, ) SRM, Ramapuram 13 hcr:innovationcse@gg

14 PGP Message Reception (from User A to User B; no compression or radix 64 conversion) Decrypting the message PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index. PGP prompts the user for the passphrase to recover the unencrypted private key PGP then recovers the session key and decrypts the message Authenticating the message PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature key component of the message as an index PGP recovers the transmitted message digest PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate Public-Key Management (TBD) Skipped Approaches to Public-Key Management - The Use of Trust - Contents of Trust Flag Byte - PGP Trust Model Example - Revoking Public Keys MTech CSE (PT, ) SRM, Ramapuram 14 hcr:innovationcse@gg

15 Radix64 Both PGP and S/MIME make use of an encoding technique referred to as radix-64 conversion. This technique maps arbitrary binary input into printable character output. Characteristics The range of the function is a character set that is universally representable at all sites, not a specific binary encoding of that character set. o Thus, the characters themselves can be encoded into whatever form is needed by a specific system. o Example the character "E" is represented in an ASCII-based system as hexadecimal 45 in an EBCDIC-based system as hexadecimal C5. The character set consists of 65 printable characters, one of which is used for padding. o With 2 6 = 64 available characters, each character can be used to represent 6 bits of input No control characters are included in the set. o message can traverse mail-handling systems that scan the data stream for control characters The hyphen character ("-")is not used. o This character has significance in the RFC 822 format and should therefore be avoided Printable Encoding of Binary Data into Radix-64 Format Example consider the 24-bit raw text sequence , which can be expressed in hexadecimal as 235C91. We arrange this input in blocks of 6 bits: The extracted 6-bit decimal values are 8, 53, 50, 17.Looking these up in Table yields the radix-64 encoding as the following characters: I1yR. If these characters are stored in 8-bit ASCII format with parity bit set to zero, we have In hexadecimal, this is Summary Input Data Binary representation Hexadecimal representation 235C91 Radix-64 Encoding of Input Data Character representation I1yR ASCII code (8 bit, zero parity) Hexadecimal representation bit Encoding 0 A 26 a / (Pad) = MTech CSE (PT, ) SRM, Ramapuram 15 hcr:innovationcse@gg

16 IP Security Architecture IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6), by means of additional headers. IPSec encompasses three functional areas: authentication, confidentiality, and key management. Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode). Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. IPSec defines a number of techniques for key management IP Security Overview Applications of IPSec IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following Secure branch office connectivity over the Internet Secure remote access over the Internet Establishing extranet and intranet connectivity with partners Enhancing electronic commerce security An IP Security Scenario Benefits of IPSec When IPSec is implemented in a firewall or router, traffic within a company or workgroup does not incur the overhead of security-related processing IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP IPSec is below the transport layer (TCP, UDP) and so is transparent to applications IPSec can be transparent to end users. There is no need to train users. IPSec can provide security for individual users if needed Routing Applications IPSec can assure that - A router advertisement comes from an authorized router - A neighbor advertisement - A redirect message - A routing update is not forged. MTech CSE (PT, ) SRM, Ramapuram 16 hcr:innovationcse@gg

17 IP Security Architecture IPSec Document Overview RFC 2401: An overview of a security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key management capabilities Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology Encapsulating Security Payload (ESP) Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication. Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication. Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP. Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP. Key Management: Documents that describe key management schemes. Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime IPSec Services IPSec provides security services at the IP layer Two protocols are used to provide security: o an authentication protocol designated by the header of the protocol, Authentication Header (AH); o a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP) The services are Access control Connectionless integrity Data origin authentication Rejection of replayed packets (a form of partial sequence integrity) MTech CSE (PT, ) SRM, Ramapuram 17 hcr:innovationcse@gg

18 Confidentiality (encryption) Limited traffic flow confidentiality Security Associations An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure exchange, then two security associations are required. A security association is uniquely identified by three parameters: Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed. IP Destination Address Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router. Security Protocol Identifier This indicates whether the association is an AH or ESP security association. SA Parameters A security association is normally defined by the following parameters Sequence Number Counter o A 32-bit value used to generate the Sequence Number field in AH or ESP headers Sequence Counter Overflow o A flag indicating whether overflow of the Sequence Number o Counter should generate an auditable event and prevent further transmission of packets Anti-Replay Window o Used to determine whether an inbound AH or ESP packet is a replay AH Information o Authentication algorithm, keys, key lifetimes, and related parameters being used with AH ESP Information o Encryption and authentication algorithm, keys, initialization values, key lifetimes,related parameters Lifetime of This Security Association o A time interval or byte count after which an SA must be replaced with a new SA or terminated IPSec Protocol Mode o Tunnel, transport, or wildcard Path MTU o Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations). SA Selectors The means by which IP traffic is related to specific SAs is the nominal Security Policy Database (SPD). Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors these selectors are used to filter outgoing traffic in order to map it into a particular SA. The following selectors determine an SPD entry Destination IP Address o may be a single IP address, an enumerated list or range of addresses, or a wildcard address Source IP Address UserID Data Sensitivity Level Transport Layer Protocol Source and Destination Ports MTech CSE (PT, ) SRM, Ramapuram 18 hcr:innovationcse@gg

19 Transport and Tunnel Modes Both AH and ESP support two modes of use: transport and tunnel mode Transport Mode provides protection primarily for upper-layer protocols protection extends to the payload of an IP packet. o Examples a TCP or UDP segment or an ICMP packet used for end-to-end communication between two hosts (e.g., a client and a server, or two workstations) ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header Tunnel Mode Tunnel mode provides protection to the entire IP packet the entire packet plus security fields is treated as the payload of new "outer" IP packet with a new header The entire original, or inner, packet travels through a "tunnel" from one point of an IP network to another Because the original packet is encapsulated, the new, larger packet may have totally different source and destination addresses, adding to the security used when one or both ends of an SA are a security gateway, such as a firewall or router with IPSec. With tunnel mode, a number of hosts on networks behind firewalls may engage in secure communications without implementing IPSec. The unprotected packets generated by such hosts are tunneled through external networks by tunnel mode SAs set up by the IPSec software in the firewall or secure router at the boundary of the local network ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header MTech CSE (PT, ) SRM, Ramapuram 19 hcr:innovationcse@gg

20 Authentication Header (Skip) TBD Payload The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. ESP can also provide an authentication service IPSec ESP format Encryption and Authentication Algorithms Padding Transport and Tunnel Modes o Transport Mode ESP o Tunnel Mode ESP IPSec ESP format Security Parameters Index (32 bits): Identifies a security association. Sequence Number (32 bits): A monotonically increasing counter value; this provides an antireplay function, as discussed for AH. Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption. Padding (0255 bytes): The purpose of this field is discussed later. Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field. Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP). Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field Encryption and Authentication Algorithms implementation must support DES in cipher block chaining (CBC) mode A number of other algorithms are MTech CSE (PT, ) SRM, Ramapuram 20 hcr:innovationcse@gg

21 o o o o o o Padding Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to expand the plaintext The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32- bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload Transport and Tunnel Modes Transport Mode ESP 1. At the source, the block of data consisting of the ESP trailer plus the entire transport-layer segment is encrypted and the plaintext of this block is replaced with its ciphertext to form the IP packet for transmission. Authentication is added if this option is selected 2. The packet is then routed to the destination. Each intermediate router needs to examine and process the IP header plus any plaintext IP extension headers but does not need to examine the ciphertext. 3. The destination node examines and processes the IP header plus any plaintext IP extension headers. Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet to recover the plaintext transport-layer segment Tunnel Mode ESP 1. The source prepares an inner IP packet with a destination address of the target internal host. This packet is prefixed by an ESP header; then the packet and ESP trailer are encrypted and Authentication Data may be added. The resulting block is encapsulated with a new IP header (base header plus optional extensions such as routing and hop-by-hop options for IPv6) whose destination address is the firewall; this forms the outer IP packet. 2. The outer packet is routed to the destination firewall. Each intermediate router needs to examine and process the outer IP header plus any outer IP extension headers but does not need to examine the ciphertext. 3. The destination firewall examines and processes the outer IP header plus any outer IP extension headers. Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet to recover the plaintext inner IP packet. This packet is then transmitted in the internal network. MTech CSE (PT, ) SRM, Ramapuram 21 hcr:innovationcse@gg

22 4. The inner packet is routed through zero or more routers in the internal network to the destination host Key management (Skip) TBD Web security requirements Web Security Threats Threats Consequences Countermeasures Integrity Modification of user data Trojan horse browser Modification of memory Modification of message traffic in transit Confidentiality Eavesdropping on the Net Theft of info from server Theft of data from client Info about network configuration Info about which client talks to server Denial of Service Killing of user threads Flooding machine with bogus requests Filling up disk or memory Isolating machine by DNS attacks Authentication Impersonation of legitimate users Data forgery Loss of information Compromise of machine Vulnerabilty to all other threats Loss of information Loss of privacy Disruptive Annoying Prevent user from getting work done Misrepresentation of user Belief that false information is valid Cryptographic checksums Encryption, web proxies Difficult to prevent Cryptographic techniques Classification based on the location of the threat category of computer system security o Web server, o Web browser, category of network security o Network traffic between browser and server Web Traffic Security Approaches MTech CSE (PT, ) SRM, Ramapuram 22 hcr:innovationcse@gg

23 differ with respect to scope of applicability relative location within the TCP/IP protocol stack Network Level use IP Security transparent to end users and applications and provides a general-purpose solution IPSec includes a filtering capability so that only selected traffic need incur the overheads Transport Level implement security just above TCP examples: Secure Sockets Layer (SSL) and the follow-on Transport Layer Security (TLS) two implementation choices o as part of the underlying protocol suite - transparent to applications o can be embedded in specific packages example: Netscape and Microsoft Explorer browsers come equipped with SSL Application Level Application-specific security services are embedded within the particular application. service can be tailored to the specific needs of a given application example: Secure Electronic Transaction (SET) SSL Secure socket layer (SSL) provides security services between TCP and applications that use TCP. The Internet standard version is called transport layer service (TLS). SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message authentication code. SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms and services they will use. Netscape originated SSL TLS can be viewed as essentially an SSLv3.1 and backward compatible with SSLv3 (in use) SSL Architecture SSL Protocol Stack make use of TCP to provide a reliable end-to-end secure service SSL is two layers of protocols SSL Record Protocol provides basic security services to various higherlayer protocols Three higher-layer protocols are defined as part of SSL: the o Handshake Protocol, o The Change Cipher Spec Protocol, MTech CSE (PT, ) SRM, Ramapuram 23 hcr:innovationcse@gg

24 o The Alert Protocol Two important SSL concepts SSL session an association between a client and a server created by the Handshake Protocol define a set of cryptographic security parameters which can be shared among multiple connections SSL connection a transport that provides a suitable type of service transient, peer-to-peer relationships, associated with one session Session States number of states associated with each session (examples: receive and send) defined by the following parameters o Session identifier o Peer certificate o Compression method o Cipher spec Specifies the bulk data encryption algorithm (such as null, AES, etc.) hash algorithm (such as MD5 or SHA-1) used for MAC calculation defines cryptographic attributes such as the hash_size o Master secret o Is resumable can be used to initiate new connections Parameters That Define Connection State Server and client random Server write MAC secret Client write MAC secret Server write key Client write key Initialization vectors Sequence numbers SSL Record Protocol The SSL Record Protocol provides two services for SSL connections: Confidentiality o defines a shared secret key that is used for conventional encryption of SSL payloads. Message Integrity o defines a shared secret key that is used to form a message authentication code (MAC). The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks o blocks of 2 14 bytes (16384 bytes) or less. optionally compresses the data applies a MAC, encrypts, adds a header o hash(mac_write_secret pad_2 hash(mac_write_secret pad_1 seq_num SSLCompressed.type SSLCompressed.length SSLCompressed.fragment)) transmits the resulting unit in a TCP segment. Received data are o decrypted, verified, decompressed, reassembled, delivered to higher-level users MTech CSE (PT, ) SRM, Ramapuram 24 hcr:innovationcse@gg

25 SSL Record Format The final step of SSL Record Protocol processing is to prepend a header Content Type (8 bits) : change_cipher_spec, alert, handshake, and application_data Major Version (8 bits) Minor Version (8 bits) Compressed Length (16 bits) SSL Record Protocol Operation SSL Record Protocol Payload Change Cipher Spec Protocol consists of a single message - single byte with the value 1 purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection Alert Protocol used to convey SSL-related alerts to the peer entity Each message in this protocol consists of two bytes o The first byte takes the value warning(1) or fatal(2) to convey the severity of the message o second byte contains a code that indicates the specific alert Examples of alerts: MTech CSE (PT, ) SRM, Ramapuram 25 hcr:innovationcse@gg

26 fatal alerts: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown Handshake Protocol Shaded transfers are optional or situation-dependent messages that are not always sent Phase 1. Establish Security Capabilities client_hello message Version, Random, Session ID, CipherSuite, Compression Method server_hello message same parameters as the client_hello message The following key exchange methods are supported RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza MTech CSE (PT, ) SRM, Ramapuram 26

27 Phase 2. Server Authentication and Key Exchange certificate message required for any agreed-on key exchange method except anonymous Diffie-Hellman server_key_exchange message hash is defined as hash(clienthello.random ServerHello.random ServerParams) certificate_request message two parameters: certificate_type and certificate_authorities server_done message sent by the server to indicate the end of the server hello and associated messages Phase 3. Client Authentication and Key Exchange certificate message client_key_exchange message certificate_verify message CertificateVerify.signature.md5_hash MD5(master_secret pad_2 MD5(handshake_messages master_secret pad_1)); Certificate.signature.sha_hash SHA(master_secret pad_2 SHA(handshake_messages master_secret pad_1)); Phase 4. Finish change_cipher_spec message finished message The content of the finished message is the concatenation of two hash values: MD5(master_secret pad2 MD5(handshake_messages Sender master_secret pad1)) SHA(master_secret pad2 SHA(handshake_messages Sender master_secret pad1)) Transport Layer Security -TLS TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL. TLS is defined as a Proposed Internet Standard in RFC RFC 2246 is very similar to SSLv3. Differences with SSLv3 Version Number For the current version of TLS, the Major Version is 3 and the Minor Version is 1 Message Authentication Code two differences between the SSLv3 and TLS MAC schemes TLS makes use of the HMAC algorithm defined in RFC 2104 SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field TLSCompressed.version MTech CSE (PT, ) SRM, Ramapuram 27 hcr:innovationcse@gg

28 Pseudorandom Function TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data for purposes of key generation or validation. Alert Codes TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of additional codes are defined in TLS; of these, the following are always fatal: decryption_failed, record_overflow, unknown_ca, access_denied, decode_error, export_restriction, protocol_version, insufficient_security, internal_error, decrypt_error, user_canceled, no_renegotiation Cipher Suites Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza. Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms found in SSLv3, with the exception of Fortezza Client Certificate Types TLS defines the following certificate types to be requested in a certificate_request message: rsa_sign, dss_sign, rsa_fixed_dh, and dss_fixed_dh. Certificate_Verify and Finished Messages In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over handshake_messages the finished message in TLS is a hash based on the shared master_secret, the previous handshake messages, and a label that identifies client or server Cryptographic Computations The form of the TLS calculation is different from that of SSLv3 and is defined as follows: master_secret = PRF(pre_master_secret, "master secret", ClientHello.random ServerHello.random) Padding In TLS, the padding can be any amount that results in a total that is a multiple of the cipher's block length, up to a maximum of 255 bytes. Secure Electronic Transaction - SET SET Overview Requirements Key Features of SET SET Participants Secure Electronic Commerce Components Dual Signature o Construction of Dual Signature Payment Processing o SET Transaction Types o Purchase Request o Payment Authorization o Payment Capture SET Overview SET is an open encryption and security specification designed to protect credit card transactions on the Internet. SET is not itself a payment system. it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion. SET provides three services: o Provides a secure communications channel among all parties involved in a transaction o Provides trust by the use of X.509v3 digital certificates MTech CSE (PT, ) SRM, Ramapuram 28 hcr:innovationcse@gg

29 o Ensures privacy because the information is only available to parties in a transaction when and where necessary Requirements 1. Provide confidentiality of payment and ordering information 2. Ensure the integrity of all transmitted data 3. Provide authentication that a cardholder is a legitimate user of a credit card account 4. Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution 5. Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction 6. Create a protocol that neither depends on transport security mechanisms nor prevents their use 7. Facilitate and encourage interoperability among software and network providers Key Features of SET 1. Confidentiality of information o prevents the merchant from learning the cardholder's credit card number o DES is used to provide confidentiality 2. Integrity of data o RSA digital signatures, using SHA-1 hash codes, provide message integrity. o Certain messages are also protected by HMAC using SHA Cardholder account authentication o SET uses X.509v3 digital certificates with RSA signatures 4. Merchant authentication SET Participants Cardholder an authorized holder of a payment card (e.g., MasterCard, Visa) Merchant person or organization that has goods or services to sell to the cardholder Issuer This is a financial institution, such as a bank, that provides the cardholder with the payment card Acquirer This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments Payment gateway This is a function operated by the acquirer or a designated third party that processes merchant payment messages Certification authority (CA) This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways Sequence of events 1. The customer opens an account. 2. The customer receives a certificate 3. Merchants have their own certificates 4. The customer places an order 5. The merchant is verified 6. The order and payment are sent 7. The merchant requests payment authorization 8. The merchant confirms the order MTech CSE (PT, ) SRM, Ramapuram 29 hcr:innovationcse@gg

30 9. The merchant provides the goods or service 10. The merchant requests payment Secure Electronic Commerce Components Dual Signature Steps The purpose of the dual signature is to link two messages that are intended for two different recipients the customer wants to send the order information (OI) to the merchant the payment information (PI) to the bank 1. The merchant has received OI and verified the signature. 2. The bank has received PI and verified the signature. 3. The customer has linked the OI and PI and can prove the linkage Construction of Dual Signature PI = Payment Information OI = Order Information H = Hash function (SHA-1) = Concatenation PIMD = PI message digest OIMD = OI message digest POMD = Payment Order message digest E = Encryption (RSA) PRc = Customer's private signature key MTech CSE (PT, ) SRM, Ramapuram 30 hcr:innovationcse@gg

31 Payment Processing SET Transaction Types 1. Cardholder registration 2. Merchant registration 3. Purchase request 4. Payment authorization 5. Payment capture 6. Certificate inquiry and status 7. Purchase inquiry 8. Authorization reversal 9. Capture reversal 10. Credit 11. Credit reversal 12. Payment gateway certificate request 13. Batch administration 14. Error message Purchase Request Cardholder Sends Purchase Request The purchase request exchange consists of four messages: Initiate Request Initiate Response Purchase Request o Purchase-related information o Order-related information o Cardholder certificate Purchase Response MTech CSE (PT, ) SRM, Ramapuram 31 hcr:innovationcse@gg

32 Merchant Verifies Customer Purchase Request When the merchant receives the Purchase Request message, it performs the following actions Verifies the cardholder certificates by means of its CA signatures Verifies the dual signature using the customer's public signature key Processes the order and forwards the payment information to the payment gateway for authorization Sends a purchase response to the cardholder Payment Authorization The payment authorization exchange consists of two messages: Authorization Request Authorization response Authorization Request Purchase-related information Authorization-related information Certificates The payment gateway performs the following tasks 1. Verifies all certificates 2. Decrypts the digital envelope of the authorization block to obtain the symmetric key and then decrypts the authorization block 3. Verifies the merchant's signature on the authorization block MTech CSE (PT, ) SRM, Ramapuram 32 hcr:innovationcse@gg

33 4. Decrypts the digital envelope of the payment block to obtain the symmetric key and then decrypts the payment block 5. Verifies the dual signature on the payment block 6. Verifies that the transaction ID received from the merchant matches that in the PI received (indirectly) from the customer 7. Requests and receives an authorization from the issuer Authorization response It includes the following elements Authorization-related information o Includes an authorization block, signed with the gateway's private signature key and encrypted with a one-time symmetric key generated by the gateway Capture token information o This information will be used to effect payment later Certificate o The gateway's signature key certificate Payment Capture To obtain payment, the merchant engages the payment gateway in a payment capture transaction, consisting of a capture request and a capture response message Capture Request message the merchant generates, signs, and encrypts a capture request block, which includes the payment amount and the transaction ID. the payment gateway receives the capture request message, it decrypts and verifies the capture request block and decrypts and verifies the capture token block It then creates a clearing request that is sent to the issuer over the private payment network. This request causes funds to be transferred to the merchant's account Capture Response message The gateway then notifies the merchant of payment via this message The message includes a capture response block that the gateway signs and encrypts Disclaimer Intended for educational purposes only. Not intended for any sort of commercial use Purely created to help students with limited preparation time Text and picture used were taken from the reference items Reference Cryptography and Network Security, Fourth Edition William Stallings Credits Thanks to my family members who supported me, while I spent considerable amount of time to prepare these notes. Feedback is always welcome at GHCRajan@gmail.com MTech CSE (PT, ) SRM, Ramapuram 33 hcr:innovationcse@gg