UMSSIA DAY VI: ARE WE THERE YET?

Transcription

1 UMSSIA DAY VI: ARE WE THERE YET?

2 CRYPTO PROTOCOLS Good crypto algorithms are hard to design but easy to find on the web. Building robust security protocols, even from secure algorithms, is also hard. Subtle bugs can be found 10+ years after public scrutiny. Anderson and Needham compare crypto protocol design to Programming Satan s Computer.

3 WARMUP ACCT#, E K (PIN) M, N, EP, PIN $$ Ã Acct. N M If E K (PIN) = EP

4 WIDE-MOUTHED FROG 1. E Kas (T,B,K ab ) 2. E Kbs (T+!,A,K ab ) 4. E Kas (T+2!,B,K ab ) 3. E Kbs (T+!,A,K ab ) Share key K ab

5 WOO-LAM 1. Alice 2. N B, a Nonce. 3. C A = E Kas (N B ) 4. E Kbs (A,C A ) 5. E Kbs (N B )

6 ON THE WOO-LAM 1. Alice 3. N BA 5. C A = JUNK 2. Eve 4. N BE 6. C E = E Kes (N BA ) 7. E Kbs (A,C A ) 8. E Kbs (E,C B ) 9. E Kbs (N BA )

7 WOO-LAM FIX? 1. Alice 2. N B, a Nonce. 3. C A = E Kas (N B ) 4. E Kbs (A,C A ) 5. E Kbs (A,N B )

8 WOO-LAM FIX? 1. Alice 4. N B 5. C A = E Kas (N B ) 2. Alice 3. N B 6. C A 7. E Kbs (A,C A ) 8. E Kbs (A,N B )

9 WOO-LAM FIX II 1. Alice 2. N B 3. C A = E Kas (B,N B ) 4. E Kbs (A,C A ) 5. E Kbs (A,N B )

10 DENNING-SACCO 3. CA,CB,Enc B (TS, K AB, Sign A (TS,K AB )) 1. A,B 2. CA = VK a, Sign S (A,VK a ) CB = PK b, Sign S (B,PK b ) Published 1982.

11 DENNING-SACCO DISASTER 3. CA,CE,Enc E (TS, K AE, Sign A (TS,K AE )) 4. CA,CB, Enc B (TS, K AE, ") 1. A,E 2. CA = VK a, Sign S (A,VK a ) CE = PK e, Sign S (E,PK e ) Broken years later!

12 NEEDHAM-SCHROEDER Needham & Schroeder, Using encryption for authentication in large networks of computers, A,B,E B (N a ) A,B,E A (N a,n b ) A,B,E B (N b ) Shared Key: H(N a,n b )

13 NEEDHAM-SCHROEDER Lowe, 1995, Breaking and Fixing the Needham- Schroeder public key protocol A,M,E M (N a ) A,B,E B (N a ) A,B,E A (N a,n b ) A,M,E A (N a,n b ) A,M,E M (N b ) A,B,E B (N b ) It took 17 years to find this bug! Shared Key: H(N a,n b ) Bob thinks it is Alice, not Mallory!

14 TMN r A 3 mod N S r B 3 mod N S r A r B Shared key is r B.

15 TMN r B 3 r C 3 mod N S r D 3 mod N S M CD = r B r C r D r B = (r D M CD )/r C

16 OTHER BUGS Many cryptosystems fail due to poor key management practices: Using passwords or Hash(pw) as keys Choosing random numbers that aren t. (e.g. C rand(); java math.random ) Reuse of passwords and keys Unintentional leaking of plaintexts, keys

17 SIDE-CHANNEL ATTACKS Most crypto assumes computers are black boxes that compute functions instantaneously. Real computers take time to compute and interact with their environments. Simple example: TEMPEST equipment reads monitors from their EM radiation.

18 TIMING ATTACKS Time between keystrokes depends on keys. SSH clients send packets on keystrokes. Time to compute x y mod N depends on x,y. Given many (p,c) pairs and compute times, we can recover RSA private keys. The fastest implementations of AES use four 1024-byte tables. Cache misses leak key bits. cr.yp.to/antiforgery/cachetiming pdf

19 SSH OVERVIEW client server TCP connection setup SSH version string exchange SSH key exchange (includes algorithm negotiation) SSH Authentication SSH data exchange termination of TCP connection

20 SSH KEY EXCHANGE Client K = Y x, h = H(VK S X Y K ) use K if Verify(VK S,h,S) X=g x VK S, Y, S=Sign S (h) Server Y = g y K = X y = g xy h = H(VK S X Y K )

21 SSH AUTHENTICATION The server is authenticated by S and VK S Client has a local database (ssh_known_keys) that associates each server S with VK S. On 1 st exchange, VK S is added to ssh_known_keys. May also use PKI, certificates The client may be authenticated in several ways: Password: entered by user and sent over encrypted connection. Public Key: the user signs a challenge from the server to be verified using her public key Trusted Host: the user s host signs a challenge to be verified with its public key.

22 SSH PACKET FORMAT packet length (4) padding length (1) payload random padding MAC encryption packet length: length of the packet not including the MAC and the packet length field payload: useful contents of the packet May be compressed max payload size is random padding: bytes total length of packet must be multiple of 16 MAC: computed over clear packet and sequence number

23 TLS PROTOCOL LAYER http ftp telnet Application nntp SSL/TLS Transport (TCP) Internet (IP) Network interface Physical layer

24 KEY SSL IDEAS Authentication is handled using certificate authorities (PKI) CAs have widely known verification keys, e.g. Verisign, AT&T, MCI, Keywitness Corp Canada CA supplies a signed certificate with site s public key Session integrity based on MAC of history e.g. Client & server communicate as follows: Client Hi Hello How are you? Server Client and server compare MACs of all messages Server computes MAC(hi,hello,howareyou?) locally Client sends MAC value under encryption If intervention is detected, the session is aborted.

25 IPSEC : IP-LEVEL SECURITY IPsec provides standards to encrypt and authenticate traffic at the IP level. It has three primary security functions: Authentication, via Authentication Headers (AH) Confidentiality, via Encapsulated Security Payloads (ESP) Key management via Internet Key Exchange. (IKE) As a network layer protocol IPsec offers several advantages over application layer protocols: IPsec is implemented at a gateway, not necessarily the desktop It is transparent to application programs and users (except when it s not!) IPsec is based on Security Associations, a pair of hosts plus algorithms, parameters, and keys.

26 IPSEC USAGE SCENARIOS

27 BGP REVIEW Org-X ISP-2 ISP-1 DSP-A ISP-3 NAP ISP-4 Org-Z DSP-C DSP-B Org-Y BGP Router non-bgp Router - BGP speakers advertise AS paths to address blocks. - UPDATEs are generated in response to loss of connectivity or receipt of an UPDATE from a peer router

28 BGP SECURITY REQUIREMENTS Address space ownership verification: Prove that I own IP Autonomous System (AS) authentication: Prove that I am AS 7. Router authentication and authorization: Prove that router belongs to AS 7 Route/address advertisement authorization: Prove that AS 7 has a path to 42.*.*.* Route withdrawal authorization Integrity and authenticity of BGP traffic

29 SBGP PKI Current (hierarchical) address allocation procedure: ICANN/IANA ISP-1 ARIN/RIPE/APNIC ORG-X DSP-A DSP-C ISP-2 ORG-Y DSP-B ORG-Z ORG-YY DSP-D ORG-XX ORG-ZZ Key idea: current organizations are already trusted: PKI based on this structure assumes no additional trust.

30 SBGP ATTESTATIONS SBGP uses special certificates called attestations to certify correctness of routes. Address Attestations are to prove that a destination address is being originated by an authorized AS. They are based on signatures and certificates from the PKI Route Attestations prove that an AS is authorized to use an AS Path. The basic idea is that a router signs the path over to the next hop. Each UPDATE includes one or more Address Attestations and a set of Route Attestations

31 SBGP UPDATE PROPAGATION # seq:4321 nlri:a,b % seq:321 nlri:a,b Hdr seq:4321 RA:r7 as5 # RA:r5 as4 % RA:r3 as3 $ RA:as1 as2 = AA:orga 1 a AA:orgb 1 b NLRI:a,b Hdr seq:321 RA:r5 as4 % RA:r3 as3 $ RA:as1 as2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b $ seq:21 nlri:a,b Hdr seq:21 RA:r3 as3 $ RA:as1 as2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b = seq:1 nlri:a,b Hdr seq:1 RA:as1 as2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b r8 r7 r6 r5 r4 r3 r2 r1 a b AS 5 AS 4 AS 3 AS 2 AS 1

32 DNS RESOLUTION Client Local DNS recursive resolver NS umn.edu NS cs.umn.edu www=ipaddr root & edu DNS server umn.edu DNS server cs.umn.edu DNS server

33 DNS DATA FLOW Cache pollution by Data spoofing Cache impersonation Zone admin Master NS resolver Unauthorized updates Backup NS Impersonating master stub resolver

34 DNSSEC DNSSEC Attempts to address these issues cryptographically. In the Ideal DNSSEC Deployment : There is a public key for the root domain. This is used to sign certificates for the administrators of top-level domains These admins sign certificates for subdomains DNSSEC has three new kinds of records Signatures on results, uploaded by zone admins Certificates, to allow verification NSEC records, to prove negative results

35 Client DNSSEC RESOLUTION NS umn.edu NS cs.umn.edu Sig edu (UMN,VM UMN ) www=ipaddr, Sig CS (www=ipaddr) root & edu DNS server umn.edu DNS server Sig UMN (CS, VK CS ) cs.umn.edu DNS server