Data Loss Prevention 4. Encryption Public/private key. Hashing. Digital Certificates. Disk Encryption. Tunnels.

Transcription

1 Data Loss Prevention 4. Encryption Public/private key. Hashing. Digital Certificates. Disk Encryption. Tunnels.

2 Encryption Introduction Intruder Eve Privacy (Private Key) Identity (Public Key) Integrity (Public/Private Key) Bob Alice John John Trent Trusted third party

3

4

5

6 Encryption Conclusion Encryption Bob Eve Public key Encryption/ Decryption Typical application: Diffie-Hellman used to generate private-key. Public-key used for authentication. Private-key used for encryption. Encryption/ Decryption Key exchange (Diffie-Hellman) Secret key used to encrypt/decrypt (DES/3DES/AES) Communications Channel Used to authenticate (RSA) Encryption/ Decryption Alice Private key Private key Key exchange (Diffie-Hellman) John John Public key Secret key used to encrypt/decrypt (DES/3DES/AES) Public key Used to authenticate (RSA) Private key Private key John John RSA 2048 bits Replace by: ElGamal 160bits Public key

7 Data Loss Detection/ Prevention Block or Stream?

8

9

10 RC4. This is a stream encryption algorithm, and is used in wireless communications (such as in WEP) and SSL (Secure Sockets). IV and Key RC4 Pseudo infinite stream (eg ) + Cipher stream (eg ) Private-key methods The IV (Initiation Vector) gives variation in the output for the same key Ex-OR operator Data stream (eg ) Data stream Pseudo infinite stream Cipher stream Encryption

11 Data Loss Detection/ Prevention Private Key

12 Encryption Private key DES AES Blowfish DES (Enc) DES (Dec) DES (Enc) K 1 K 2 K 1 DES. DES encryption algorithm is block cipher and uses a 64-bit block and a 64-bit encryption key. 3DES. DES encryption algorithm is block cipher and uses a 64-bit block and a 64-bit encryption key (of which only 56 bits are actively used in the encryption process). Unfortunately DES has been around for a long time, and the 56-bit version is now easily crackable (in less than a day, on fairly modest equipment). An enhancement, and one which is still fairly compatible with DES, is the 3- DES algorithm. It has three phases, and splits the key into two. Overall the key size is typically 112 bits (2x54 bits - with a combination of the three keys - of which two of the keys are typically the same). The algorithm is EncryptK3( DecryptK2( EncryptK1(message), where K1 and K3 are typically the same (to keep compatibility). Twofish Bruce Schneier created Twofish with a general-purpose private key block cipher encryption algorithm. AES. AES (or Rijndael) is a new block cipher, and is the new replacement for DES, and uses 128- bit blocks with 128, 192 and 256 bit encryption keys. It was selected by NIST in 2001 (after a five year standardisation process). The name Rijndael comes from its Belgium creators: Joan Daemen and Vincent Rijmen. RC2 RC2. RC2. RC2 ("Rivest Cipher") is a block cipher, and is seen as a replacement for DES. It was created by Ron Rivest in 1987, and is a 64- bit block code and can have a key size from 40 bits to 128-bits (in increments of 8 bits). The 40-bit key version is seen as weak, as the encryption key is so small, but is favoured by governments for export purposes, as it can be easily cracked. In this case the key is created from a Key and an IV (Initialisation Vector). The key has 12 characters (96 bits), and the IV has 8 characters (64 bits), which go to make the overall key. Blowfish. Bruce Schneier created Blowfish with a general-purpose private key block cipher encryption algorithm. Blowfish (with CBC). Blowfishcbc. With CBC we split the message into blocks and encrypt each block. The input from the first stage is the IV (Initialisation Vector), and the input to the following stages is the output from the previous stage. In this example we will use Blowfish to encrypt, using CBC. Others Skipjack. Skip jack. Skipjack is a block cipher, using private-key encryption algorithm, and designed by NSA. Camellia. Camillia is a block cipher created by Mitsubishi and NTT. RC4. RC4 is a stream cipher used in WEP (in wireless encryption). Affine. Affine is a stream cipher which uses an equation to encrypt.

13

14

15

16

17

18 Data Loss Detection/ Prevention Key Exchange

19

20

21 Encryption Logs Eve Bob A x A y A (x+y) Alice (A x ) y A xy John John

22 Encryption Logs Eve Random value x A Agreed number Random value y Bob A x A Y Alice A Y A x Private key

23 Encryption Logs Eve Random value x A Agreed number Random value y Bob A x A Y Alice A Y A x (A Y ) x (A x ) y

24

25

26

27 Data Loss Detection/ Prevention Public Key

28

29

30 Encryption RSA Select two primes (p,q) Next, the n value is calculated. Thus: n = p x q = 11 x 3 = 33 Next PHI is calculated by: PHI = (p-1)(q-1) = 20 e selected so that GCD(e,PHI)=1 Public key: (n,e)

31 Bob Select two prime numbers: a and b n = a x b e is chosen so that e and (a-1)x(b-1) are relatively prime (no common factor greater than 1) d = e-1 mod [(a-1)x(b-1)] Public-key encryption Public key is now: <e,n> Private key is now: <d,n> Encryption Generating public and private keys

32 Eve Public key generates two keys: A public key and a private one. These are special in that if one is applied to encrypt, the other can be used to decrypt Public-key Public key are keys which relate to extremely large prime numbers (as it is difficult to factorise large prime numbers). It is extremely difficult to determine a private key from a public key. Public-key encryption Bob Encryption Communications Channel Decryption Alice Public key Public key Private key Private key Encryption

33 Public-key Public-key encryption Bob Eve Public key Encryption A. Bob creates the message. B. Bob encrypts with Alice s public key and sends Alice the encrypted message C. Alice decrypts with her private key D. Alice receives the message A Hello Communications Channel B Once Bob encrypts the message, the only key which can decrypt it is Alice s private key. Bob and Alice keep their private keys secret. Decryption Alice Public key Encryption Private key H&$d. C D Private key Hello

34

35

36 Data Loss Detection/ Prevention Hash Values

37 MD5 hash algorithm How do we get a finger-print for data? Bob Hello. How are you? Is this okay? Data Message Hash Authentication Eve With a fingerprint we can hopefully tell if Eve has modified any of the data Solved by Prof Ron Rivest with the MD5 hash signature.

38 MD5 hash algorithm Bob Hashing Algorithm (MD5) bit signature hello Hello Hello. How are you? Napier XUFAKrxLKna5cZ2REBfFkg ixqzu8rhepaoj6v4xhge1w CysDE5j+ZOUbCYZtTdsFiw j4nxh5mkrk4j13n1mfxhtg Message Hash Authentication hello Hello Hello. How are you? Napier Base-64 5D41402ABC4B2A76B9719D911017C592 8B1A9953C A827ABF8C47804D7 CC BF9AD833BEBF90239BF0F 8F83571F9324AE4E23D C7B6 Hex

39 SHA-1 hash algorithm Bob Hashing Algorithm (SHA-1) bit signature hello Hello Hello. How are you? Napier qvtghdzf6klavt4po0gs2a6pq00= 9/+ei3uy4Jtwk1pdeF4MxdnQq/A= Puh2Am76bhjqE5lbTWtwsqbdFC8= v4gxnavod2b09gr2tqw4yopouro= Message Hash Authentication hello Hello Hello. How are you? Napier Base-64 AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0 3EE876026EFA6E18EA13995B4D6B70B2A6DD142F BF81B135A F4F464764EAC38CA8A4EBABA Hex

40 MD5 hash algorithm Bob Hashing Algorithm (MD5) bit signature Message Hash Authentication Security and mobility are two of the most important issues on the Internet, as they will allow users to secure their data transmissions, and also break their link with physical connections. Security and mobility are two of the mast important issues on the Internet, as they will allow users to secure their data transmissions, and also break their link their physical connections. F94FBED3DAE05D223E6B963B9076C4EC +U++09rgXSI+a5Y7kHbE7A== Base-64 8A8BDC3FF80A01917D CFBF iovcp/gkazf9bdkaaghpvw== Hex

41 Hash Hash methods OpenSSL echo -n hello openssl md5 (stdin)= 5d41402abc4b2a76b9719d911017c592 echo -n hello md5sum 5d41402abc4b2a76b9719d911017c592 - root@kali:~# openssl md5 pw MD5(pw)= 859b6a9be3b45262c4414bd1696ba91b root@kali:~# md5sum pw 859b6a9be3b45262c4414bd1696ba91b pw Hash methods supported: md2 md4 md5 rmd160 sha sha1

42 MD5 hash algorithm Files/folders Hashing Algorithm (MD5) bit signature Hash signature Hash signatures are used to gain a signature for files, so that they can be checked if they have been changed. Message Hash Authentication [Path] / filename MD5 sum [C:\Windows\System32\] cpx 0a0feb9eb28bde8cd b03b cpx d69ae057cd82d04ee7d311809abefb2a 8point1.wav beab165fa58ec f32e124685d5 aaclient.dll ad45dedfdcf69a28cbaf6a2ca84b5f1e AC3ACM.acm 59683d1e4cd0b1ad6ae32e1d627ae25f Ac3audio.ax 4b87d889edf278e5fa223734a9bbe79a ac3filter.cpl 10b27174d e7a05f3c36acd2a accessibilitycpl.dll ac4cecc86eeb8e1cc2e9fe022cff3ac1 ACCTRES.dll 58f57f2f2133a2a77607c8ccc9a30f73 acledit.dll 0bcee3f d1b09d18e ZSHP1020.CHM c671ed21e6d27c94a49a754e975f5e0a [Path] / filename ZSHP1020.EXE 96e45ab81a9e8da835009d [C:\Windows\system32\] ZSHP1020.HLP a076932c7b1d590d6fffab727a4abc6a cpx ZSPOOL.DLL fae332da4762c6779a f cpx ZTAG.DLL 7ca836648e d9f3bff56679ee 8point1.wav ZTAG32.DLL 27b026cc7ee3b42745c fbfc52 aaclient.dll MD5 sum AC3ACM.acm Ac3audio.ax Cg/rnrKL3ozYNXFjQ7A7FA== 1prgV82C0E7n0xGAmr77Kg== vqswx6woxsuxhfmuekaf1q== ruxe39z2mijlr2osqetfhg== WWg9HkzQsa1q4y4dYnriXw== S4fYie3yeOX6Ijc0qbvnmg==

43 MD5 hash algorithm Files/folders Hashing Algorithm (MD5) bit signature Hash signature Hash signatures are used to identify that a file/certificate has not been changed. Bob Message Hash Authentication The digital certificate has an SHA-1 hash thumbprint (3f6a...89) which will be checked, and if the thumbprint is different, the certificate will be invalid.

44

45

46 Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext EQ7fIpT7i/Q= j9p+hwtwwt86amjgzflzyg== L8qbAD3jl3jioxG6CatHBw== password BB4e6X+b2xLioxG6CatHBw== adobe j9p+hwtwwt/ioxg6cathbw== djv7ZCI2ws= qwerty dqi0aswpyvq= LqYzKVeq8I= PMDTbP0LZxu03SwrFUvYGA== photoshop e6mpxq5g6a8= million accounts 6.5 million accounts (June 2013) One account hack leads to others 1 million accounts in plain text. 77 million compromised Dropbox compromised ,000 client accounts

47 Advanced Crypto 3. Hashing and Authentication Bob Alice Eve Salting Trent

48

49 Encryption Salting password $1$fred$bATAk8UUH/IDAp9sd6IUv/ 1 fred batak8uuh/idap9sd6iuv/ password batak8uuh/idap9sd6iuv/ fred C:\openssl>openssl passwd -1 -salt fred password $1$fred$bATAk8UUH/IDAp9sd6IUv/

50 # cat /etc/shadow root:$1$etg2exuz$f9ntp7omafhkilqabmqng1:15651:0:99999:7::: # openssl passwd -1 -salt Etg2ExUZ redhat $1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1 $ openssl version OpenSSL 1.0.1f 6 Jan 2014 $ openssl dgst -md5 file MD5(file)= b1946ac92492d2347c6235b4d $ openssl genrsa -out mykey.pem 1024 Generating RSA private key, 1024 bit long modulus e is (0x10001 $ openssl rsa -in mykey.pem -pubout > mykey.pub writing RSA key $ cat mykey.pub -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXv9HSFkpM+ZoOQcpdHBZiUwX8 EzIKm0nsgjc5ZTYVaF9CMLtmKoTzep7aQX9o9nKepFt1kQ73Ta9vOPd6CX61/cgY Xy2tShw0imrtFaVDFjX+7kLmc0uWbFFCoZMtJxIaXaa9SV2kARxOCTJ2uOjRTCCe XU09IJGHnIhSNJeIJQIDAQAB -----END PUBLIC KEY----- $ cat /etc/shadow root:$1$etg2exuz$f9ntp7omafhkilqabmqng1:15651:0:99999:7::: $ openssl passwd -1 -salt Etg2ExUZ redhat $1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

51 Data Loss Detection/ Prevention Authentication with Private Key

52 Public key encryption secret identity... trust Eve Trent Bob s Private Key Alice s Public Key Bob s Public Key Alice s Private Key

53 Public key encryption secret identity... trust Eve Trent Bob s Private Key Alice s Public Key Bob s Public Key Alice s Public Key Alice s Private Key

54 Public key encryption secret identity... trust Eve Trent Bob s Private Key Alice s Public Key Bob s Public Key Alice s Public Key Alice s Private Key

55 Public key encryption secret identity... trust Eve Trent Alice s Public Key Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Alice s Private Key

56 Public key encryption secret identity... trust Eve Trent Alice s Public Key Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Bob s Private Key Alice s Private Key

57 Public key encryption secret identity... trust Eve Trent Alice s Public Key Bob s Private Key Alice s Public Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Alice s Private Key

58 Public key encryption secret identity... trust Eve Trent Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Which key to open the message? Alice s Private Key

59 Public key encryption secret identity... trust Eve Trent Bob s Private Key Alice s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Which key to open the message? Alice s Private Key

60 Public key encryption secret identity... trust Eve Trent Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Which key to we open the signature with? Alice s Private Key

61 Public key encryption secret identity... trust Eve Trent Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Bob s Public Key Alice s Private Key

62 Public key encryption secret identity... trust Eve Trent Bob s Private Key Hello Alice, Wish you were here! - Bob Alice s Public Key Bob. Bob s Public Key Alice s Private Key

63 Using Bob s private key to authenticate himself Message Message MD5 Encrypted MD5 The magic private key Bob s private key Bob Bob s public key Authentication

64 Bob encrypts the message/hash with Alice s public key Message Message MD5 Encrypted MD5 Bob The magic private key Bob s public key Bob s private key Encrypted Content Alice s public key Alice Authentication Alice s private key

65 Bob encrypts the message/hash with Alice s public key Message MD5 Message Encrypted MD5 Encrypted Content Bob Bob s private key The magic private key Authentication Bob s public key Encrypted Content Alice s public key Alice s private key Alice

66 Alice decrypts the message Message MD5 Message Encrypted MD5 Encrypted Content Bob Bob s private key The magic private key Bob s public key Alice Authentication Encrypted Content Message Encrypted MD5 Alice s public key Alice s private key

67 Alice decrypts the message Message MD5 Message Encrypted MD5 Encrypted Content Bob Bob s private key The magic private key Bob s public key Alice Authentication Encrypted Content Message Encrypted MD5 MD5 (message) MD5 (result) Alice compares the MD5 values. If they are the same Bob sent the message

68 Data Loss Detection/ Prevention Digital Certificates

69 Identity on the Internet Identifies it is trusted (Digital Certificate) Keeps communications secure (encryption) Trent Bob Trap-door Eve

70 Digital certificates should only be distributed with the public key Bob This certificate has only the public key This certificate has both public and private key Digital Cert. Authentication

71 Digital certificates should only be distributed with the public key Bob P7b format -----BEGIN CERTIFICATE----- MIID2zCCA4WgAwIBAgIKWHROcQAAAABEujANBgkqhkiG9w0BAQUFADBgMQswCQYD VQQGEwJHQjERMA8GA1UEChMIQXNjZXJ0aWExJjAkBgNVBAsTHUNsYXNzIDEgQ2Vy dglmawnhdgugqxv0ag9yaxr5mrywfaydvqqdew1bc2nlcnrpysbdqsaxmb4xdta2 MTIxNzIxMDQ0OVoXDTA3MTIxNzIxMTQ0OVowgZ8xJjAkBgkqhkiG9w0BCQEWF3cu YnVjaGFuYW5AbmFwaWVyLmFjLnVrMQswCQYDVQQGEwJVSzEQMA4GA1UECBMHTG90 aglhbjesmbaga1uebxmjrwrpbmj1cmdomrowgaydvqqkexfoyxbpzxigvw5pdmvy c2l0etelmakga1uecxmcsvqxgtaxbgnvbamtefdpbgxpyw0gqnvjagfuyw4wggei MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvCFETyJL8VXAhbEMRzQI0gM81 ci75nmmsoamjzcb6fhgemgowmycoscmqkrvjaknos+4mxznhcy3mdob+szbwovax M5FOxhSrV+Q86hsK8cDc+1sqyJ8TQtufuDNs0NfNY6tR6q7CgGqQ8/VjSxNqzK39 iluf1ahhycet/ab6o/qwzl4ivsz2nml4dyauyilhlplvbpphgde6sdqxwyd0cpfv ZN7pauD5fqBESfO6bUkCieI47AzRMQj3kHuDt7MexVW7aoX+nXLP4wn7IamaxasF QvhdOKyCZhYs82JQDGatXRCqkklztmZW5i6GkPsE7XVuX265WJQ5afhp2hYlAgMB AAGjggEXMIIBEzAdBgNVHQ4EFgQUzyZ/YcCJwT5opPHLPlcQKkOlkJwwYwYDVR0j BFwwWoAUlP5Zh0V700k6CorvRMWB9ifVkBmhP6Q9MDsxCzAJBgNVBAYTAkdCMREw DwYDVQQKEwhBc2NlcnRpYTEZMBcGA1UEAxMQQXNjZXJ0aWEgUm9vdCBDQYIBDTBN BgNVHR8ERjBEMEKgQKA+hjxodHRwOi8vd3d3LmFzY2VydGlhLmNvbS9PbmxpbmVD QS9jcmxzL0FzY2VydGlhQ0ExL2NsYXNzMS5jcmwwPgYIKwYBBQUHAQEEMjAwMC4G CCsGAQUFBzAChiJodHRwOi8vb2NzcC5nbG9iYWx0cnVzdGZpbmRlci5jb20vMA0G CSqGSIb3DQEBBQUAA0EATOCwGJ1tS0kTlupmpjkMl8IdxMmD5WuhszjBlGsMhPxI H+vXhL9yaOw+Prpzy7ajS4/3xXU8vRANhyU9yU4qDA== -----END CERTIFICATE----- Authentication Digital Cert. The main certificate formats include: P7b. Text format PFX/P12. Binary. SST. Binary.

72 Encrypting messages to Alice Eve A. Bob creates the message. B. Bob encrypts with Alice s public key and sends Alice the encrypted message C. Alice decrypts with her private key D. Alice receives the message Bob A Alice Encryption Communications Channel Decryption Digital Cert. Authentication Hello H&$d. C B D Hello Alice sends her digital certificate with her public key on it Alice s private key

73 Authenticating Bob Bob A Alice Encryption/ Decryption Communications Channel Encryption/ Decryption Hello B Digital Cert. Bob s private key Hash H&$d. C D Alice s private key Hello Authentication Bob sends his Digital certificate to authenticate himself Alice checks the hash using Bob s public key from his certificate Hash

74 Advanced Crypto Bob Alice 5. Disk Encryption Eve Introduction Trent

75

76 Disk Encryption EFS EFS Drive or Folder encryption CER file Contains certificate. PFX Contains certificate and private key. Public key Private key Encryption key Header EFS

77 Disk Encryption Market Microsoft Bitlocker File/Folder Encryption Disk Encryption Check Point Full Disk Encryption Software TrueCrypt McAfee Endpoint Encryption Encryption Software Sophos SafeGuard Disk Encryption Axanum (.AXX) Disk Encryption

78 Disk Encryption FIPS FIPS Level 4 Physical security requirements more stringent. Robustness against environmental attacks. FIPS Level 3 Physical tamper-resistance. Identity-based authentication. Physical or logical separation between the interfaces by which where the key security parameters are entered or passed. Identity access (Fred) Isolation barrier FIPS Level 2 O/S must be compliant for Level 2 and above Physical tamper-evidence. Role-based authentication. Role access (Admin) FIPS (Federal Information Processing Standards) Level 1 Lowest level with limited requirements. NIST publish 140 publication series for cryptography FIPS May 2001 FIPS Software limited to L1/L2. Disk Encryption

79 Disk Encryption Access Password or passphrase File/Folder Encryption NapI5r123$ Disk Encryption USB drive with encryption key Biometric device (eg fingerprint reader) with Trusted Platform Module which holds the actual encryption key OTP device such as an RSA token Multi-factor authentication uses two or more of these Disk Encryption

80 Disk Encryption Access Non-encrypted in transit Non-encrypted In memory Non-encrypted in storage Directory structure API/DLL Integration (c:, d:, etc) Encryption Layer Disk Storage Cloud Storage Disk Image File Image Disk Encryption

81 Data Loss Detection/ Prevention TrueCrypt

82 Disk Encryption TrueCrypt TrueCrypt Advantages: Open-source. Windows/Linux/OS X. Free Disadvantages: If you lose the pass phrase almost impossible to recover. Current support is patchy. Password Salt (512-bit) PBKDF2 (Passwordbased Key Derivation Function) RFC 2898 Header Key (dklen) Header (contains material keys) Encryption: AES, Serpent, Twofish Serpent AES Authentication: RIPEMD-160, SHA-512, Whirlpool AES-Serpent DK = PBKDF2(PRF, Password,Salt, c, dklen) DK = PBKDF2(HMAC-SHA1, passphase, ssid,4096,256) Serpent. Ross Anderson et al bit key. 128-bit block (one of the AES finalists). Twofish. Bruce Schneier et all bit key. 128-bit block (one of the AES finalists). AES. FIPS-approved (Rijndael) bit key. 128-bit block. Disk Encryption

83 Disk Encryption TC TrueCrypt

84 Data Loss Detection/ Prevention Detecting Enc/Comp

85 Disk Encryption Detecting File Compression PKZIP: 50 4B [PK] GZIP: 1F 8B 08 Tar: Zlib: 78 01, 78 9C or 78 DA [ ] 50 4B D 6C 39 DA 4D PK...l9.M [ ] B8 0F E...'...an [ ] 69 6D 2E D 6C ED 54 D1 4E D 37 im.xaml.t.n.0.}7 [ ] F1 1F 9A 7E 00 C5 69 4C 24 B0 C4 CD A9 0F 6A 96...~..iL$...j. [ ] 8D 64 CF 15 EE A0 B1 B4 A4 2D 8A 7F 6F 2D 6C 63.d...-..o-lc [ ] CA F 7C 90 A7 02 E7 9C 7B EF 39 E9 0D {.9..W [ ] 4C A4 F2 05 D5 C AD 23 BC 2A D C9 L...S.#.*..e. File Encryption 47 c3 dd 4e ce af 76 d6 94 9d 5d d3 db 0d e4 ae af 57 e fd 14 7e f5 7d 02 7a b 2c d 54 1c 75 bb 54 0b f8 95 a9 92 d7 33 ad 2f 00 cb 8c 9f b2 bd 0f e3 aa 0a 59 6b f 5b f e3 32 ed c3 f cb f 3b Detecting compression/enc

86 Data Loss Detection/ Prevention SSL/TLS

87 Tunnelling Stack HTTP, FTP Telnet, POP-3 IMAP, SMTP Application TCP, UDP, SPX Transport IP, IPX, ARP, ICMP Ethernet, PPP, HDLC Cables, Signals Network Data Link Physical Network protocols

88 Tunnelling Stack Ports HTTP 80 HTTPs 443 TELNET 23 SSH 22 SMTP 25 SMTPs 465 POP POP-3s 995 HTTP, FTP Telnet, POP-3 IMAP, SMTP Application Application HTTPS (HTTP + SSL) FTP (FTP+SSL) SSH (Telnet+SSL) Transport TCP, UDP, SPX IP, IPX, ARP, ICMP Transport Network SSL Network SSL 1.0 SSL 2.0 SSL 3.0 [0x0300] SSL 3.1 (TLS 1.0) [0x0301] TLS 1.1 and 1.2 [0x0302] Ethernet, PPP, HDLC Data Link Data Link Secure Socket Layer Transport Layer Socket Cables, Signals Physical Physical Network protocols

89 Tunnelling Stack TCP [SYN] to Port 443 TCP [SYN,ACK] from Port 443 TCP [ACK] to Port 443 Client Hello (Start of Handshake) Application Transport SSL Network Data Link Physical TLS

90 Tunnelling Stack Client Hello Server Hello TLS

91 Tunnelling Stack Client Hello Public key Server Hello Client Key Exchange TLS

92 Disk Encryption TC openssl s_client -connect CONNECTED( ) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/c=us/st=california/l=mountain View/O=Google Inc/CN= i:/c=us/o=google Inc/CN=Google Internet Authority G2 1 s:/c=us/o=google Inc/CN=Google Internet Authority G2 i:/c=us/o=geotrust Inc./CN=GeoTrust Global CA 2 s:/c=us/o=geotrust Inc./CN=GeoTrust Global CA i:/c=us/o=equifax/ou=equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIEdjCCA16gAwIBAgIISVyALWN+akUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE --- SOx4I5L0D0jZYqKfJuImGcFwdIETq0EpCmkhJfGNHjVdzC/h/T61TmaY -----END CERTIFICATE----- subject=/c=us/st=california/l=mountain View/O=Google Inc/CN= issuer=/c=us/o=google Inc/CN=Google Internet Authority G2 --- No client certificate CA names sent --- SSL handshake has read 3719 bytes and written 446 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 9D92CEC32FA9F86C6D902081EE186C4FC68234FFF7B903D6621A86C98092BD51 Session-ID-ctx: Master-Key: B8A14DB1D3021E80B53F30EA94D2EEA155A995B926879B08E3D971EB16873D16F E2FA368D374716DB14A412 B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: (seconds) TLS session ticket: fa 8d cb d 99 c8-b c ca 53 e9 bd...ps=.....s f8 8e ec 82 c1 56-ab d9 9b 36 c2 56 b0 db...v...6.v b d a5 02 ac 1f-34 fa fd 7c ba V...4.r! a ae e ef 8a e5-a a c ac *.....W(:.g d 14 bf b0 6d 96 9f cb-eb 0c 0a f a6 84 }...m...@._ e2 3b 98 0b e7 f4 b1 e1-04 be 15 6b 36 a5 57 b3.;...k6.w f2 f4 20 fe b5 7f-6b 10 4e 7a f9 b5 6d k.Nz..m ec 07 e6 f0 c b 30 f9 b0 d3 c I.1k0...% f e8 25 cc e6 0e 76 b1 45 b..3.%."2.t..v.e a cf 1b b0 97 7d d9 8d :`...}..G )... 00a0-6f 5a b4 f2 oz.. Client Hello: Versions: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA (rfc5246) Server Hello: Version: TLS_RSA_WITH_RC4_128_SHA Key Exchange: Public key (RSA) Encryption: RC4 Hash: 128-bit SHA (SHA-1) TLS_RSA_WITH_AES_256_CBC_SHA256 Key: RSA Enc: AES_256_CBC Hash: SHA256 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Key ex: DH_DSS Enc: 3DES_EDE_CBC Hash: SHA Start Time: Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) TrueCrypt

93 Tunnelling SSL Client Hello: Versions: TLS_RSA_WITH_RC4_128_SHA (rfc5246) Server Hello: Version: TLS_RSA_WITH_RC4_128_SHA Key Exchange: Public key (RSA) Hash: 128-bit SHA (SHA-1) Encryption: RC4 Session key Public key Private key Tunnel created (RC4, Hash: SHA-1) SSL Tunnelling

94 Data Loss Prevention 4. Encryption Public/private key. Hashing. Digital Certificates. Disk Encryption. Tunnels.