Suggested Reading. Computer Networks, Andrew Tanenbaum 4 th Ed, 2004

Transcription

1 Systems and Network Technology Suggested Reading Computer Networks, Andrew Tanenbaum 4 th Ed, 2004 Computer Networking with Internet protocols and Technology, William Stallings 1 st Ed, 2004 Network Security Essentials, Applications and Standards, William Stallings 1 st Ed, 2000 Network and Internet Security by Vijay Ahuja Computer Networks and Internets, Douglas Comer Numerous other networking books GMIT Galway Page 1 of 194

2 Systems and Network Technology Course Outline Encryption Symmetric /Asymmetric Key Encryption, Message Digest, MAC, Digital Signatures / Envelope Authentication Passwords, Challenge/Response, Tokens Authentication Protocols Public Key, Private Key, Kerberos ACL, Covert Channels Internet Security SSL, S-HTTP IPsec Firewalls, Proxy, SOCKS Internet Applications Support: SMTP, POP3, IMAP4, MIME Security: PGP, PEM, MOSS WWW Document types: Active, Dynamic, Static HTTP Browser technology Search Engines Emerging Technology GMIT Galway Page 2 of 194

3 Systems and Network Technology System Security As networks grow in size, so do risks Network growth vastly exceeded improvements to network security Four classes of security risks: 1. Breaching secret data: Revealing confidential data 2. Unauthorised logons: Stolen / misused passwords 3. Unauthorised denial of service: Hacker shutting down system, degrading performance, consuming resources 4. Network Spoofing: Host on network used to impersonate another host Motives for Security Attacks Industrial Espionage, Financial, Revenge, Publicity GMIT Galway Page 3 of 194

4 Systems and Network Technology Security Concepts Identification: Users identified via userid Confidentiality: Protection of message from passive attacks Authentication: Assure recipient that the message is from source that it is claimed to be from Requires exchange of shared secrets between user / application, i.e. password Integrity: Assures that messages are received as they are sent, no duplication, modification, replay, reordering Non-repudiation: Prevents sender or receiver from denying either transmitting or receiving message GMIT Galway Page 4 of 194

5 Systems and Network Technology Encryption Cryptography - Greek for secret writing 1. Symmetric Key Encryption - Same secret key for encryption and decryption, Very fast Two types: Block Ciphers, 128 bits, 256 bits, etc Stream Ciphers - Feedback Cipher = char-for-char or bit-for-bit transformation Examples: DES Data Encryption Standard, '77, 56-bit key AES - Advanced Encryption Standard, '01 CAST-128 Carlisle Adams and Stafford Tavares (NT) IDEA International Data Encryption Algorithm RC4 - Rivest Cipher 4 RC5 - Rivest Cipher 5 Most widely used type of encryption Key known to both parties, biggest difficulty distribution of key, which is performed outside system (a) Key physically delivered from A to B (b) A sends new key to B using old key, or visa versa (c) 3 rd party selected, physically deliver key to A, B (d) 3 rd party selected, electronically deliver key to A, B over encrypted link GMIT Galway Page 5 of 194

6 Systems and Network Technology 2. Asymmetric Key Encryption - One key for encryption and different but related key decryption Diffie and Hellman, '76 Called public key cryptography (PKCS) Solves key exchange problem inherent in secret-key cryptography PKCS basis of public key authentication schemes Every user has private key and public key Two important attributes: 1. Impossible to derive decryption key using encryption key and algorithm 2. Either of the two keys can be used for encryption and the other for decryption Public key algorithms on Internet use RSA (Rivest, Shamir, Adleman) for confidentiality and Authentication GMIT Galway Page 6 of 194

7 Systems and Network Technology Each scheme (i.e. symmetric versus asymmetric) optimised for specific application Public-key (Asymmetric): Ideally suited to key exchange Non-repudiation Can also encrypt messages but very slow Secret-key (Symmetric): Ideally suited to encrypting messages, sender generates session key, receiver needs same session key to decrypt message times faster than PKCS GMIT Galway Page 7 of 194

8 Systems and Network Technology 3. Message Digest - No Keys Piece of data that accompanies a message Based on one-way hash function that takes in plaintext and computes a fixed-length bit string A change of even 1 bit in input plaintext will result in different output, Output at least 128 bits long Used to indicate whether original document has been modified A s Message Hash Function MD algorithms, (MD2, MD4, MD5), SHA-1 What gets distributed on the network is original message in plain text with a message digest appended on at the end A s Message Message Digest Message Digest Receiver performs exact same Hash function on plaintext data to see if same Message Digest generated Notice that there are no keys used by the hash function GMIT Galway Page 8 of 194

9 Systems and Network Technology 4. Message Authentication Code - Common Shared Key Piece of data that accompanies a message Used to indicate whether original document has been modified A s Message Message Authentication Algorithm Message Authentication Code (MAC) K AB What gets distributed on the network is original message in plain text with a MAC appended on at the end A s Message MAC Receiver performs exact same Message Authentication Algorithm on plaintext data to see if same Message Authentication Code generated Notice that there are keys used by the Message Authentication Algorithm Often called HMAC for Hashed Message Authentication Code GMIT Galway Page 9 of 194

10 Systems and Network Technology 5. Digital Signatures - Message Digest Signatures Piece of data that accompanies a message Digital Signatures used for all of the following features: Authentication Originality of messages Non-repudiation Receiver cannot have concocted message Sometimes include timestamps, nonce, recipients' identity A s Message Hash Function Message Digest Digital Signature A s Priv Key Lots of different Digital Signatures variations possible GMIT Galway Page 10 of 194

11 Systems and Network Technology Possibility 1: What gets distributed on the network is original message in plain text with a Digital Signature appended on at the ends A s Message Digital Signature Fast for implementation! GMIT Galway Page 11 of 194

12 Systems and Network Technology Possibility 2: Public-Key Signatures A s Message Encrypt A s Priv Key Encryp t B s Pub Key Encrypt Text is also Digital Signature What gets distributed on the network is encrypted message Slow for implementation! Possibility 3: Any system that utilises private key to encrypt data GMIT Galway Page 12 of 194

13 Systems and Network Technology 6. Digital Envelope comprises encrypted message and encrypted session key A s Priv Key A s Message Asymmetric Enc Hash Function Digital Signature Digital Envelope Random Session Key B s Pub Key Symmetric Enc Assymetric Enc Enc Message Enc Session Key Used for performance improvements in future correspondents between two parties NB A { } indicated that whatever is between {} is signed using A's private key E K [ ] indicated that whatever is between [ ] is encrypted using key K GMIT Galway Page 13 of 194

14 Systems and Network Technology Authentication Verifying something, e.g. userid, network address, data integrity, etc Based on: Something User Knows - Password, Encryption key Something User Has - Hand held devices, Token Token Cards Magnetic Cards Smart cards Something User Is - Physiological and Behavioural characteristic GMIT Galway Page 14 of 194

15 Systems and Network Technology Something User Knows - Passwords Most prevalent protocol for identifying people Two pieces of information used to authenticate users, User Id, Password Four types of passwords: 1. Unique password Distinct for each user 2. Group Password Minimal security 3. Non-unique Passwords Short password allocated to each user, e.g. 4 decimal digits Identification depends on much longer number held on magnetic strip on ATM card 4. Passwords that changes each time system accessed Prepare a list of passwords for user, At each access one password used, becomes invalid for future If tapping occurs, password no longer valid GMIT Galway Page 15 of 194

16 Systems and Network Technology Password Controls Suppress entry messages - greetings Limited logon attempts - eliminate brute force attack Password ageing Two password systems Minimum password length Root password protection User lockouts System generated passwords Run password checking program - Cracker GMIT Galway Page 16 of 194

17 Systems and Network Technology Something User Has - Challenge/Response Tokens User has challenge/response token Calc, key-ring Token pre-loaded with algorithm, enc key and PIN Neither item can be extracted from token User changes PIN Called two-factor authentication. Combination of something used has and something user knows User initiates login process (1), Host issues challenge to user (2) User enters pin on token to activate it (3) User then enters challenge issued by host into token (4) Token generates a response (5) User keys in the response to complete authentication -(6) Host performs same enc process in parallel, if results same, success GMIT Galway Page 17 of 194

18 Systems and Network Technology 5 6 3,4 2 1 Advantages Very secure Token has an unlimited lifetime (cheaper to operate) Disadvantages More user steps than other systems If token disabled must be returned for reactivation Usually bulkier than other tokens Works on limited number of platforms GMIT Galway Page 18 of 194

19 Systems and Network Technology User has a token, i.e. card Time-Synchronized Tokens User has PIN associated with token User initiates login process -(1) User enter pin on token to generate password -(2,3) Token response based on some time-sync value User keys in token-generated password to complete authentication -(4) Advantages Very secure Fewer user steps required for authentication Easy to carry around Works on more platforms Less administration than Challenge/Response systems Disadvantages Potentially costlier than Challenge/Response systems GMIT Galway Page 19 of 194

20 Systems and Network Technology Something User Has - Challenge/Response Protocols Sender and receiver share secret key K AB, not distributed via network A = Identity of sender R A R B = Nonce, one time large random number K S = Session key Two-way Authentication using shared key K AB Receiver B initiates challenge-response protocol 1 A S E N D E R A 2 RB 3 KAB [R B ] 4 RA 5 KAB [R A ] Challenge R E C E I V E R B 6 KAB [K S ] Optional GMIT Galway Page 20 of 194

21 Systems and Network Technology Sender A initiates challenge-response protocol S E N D E R A 1 Challenge A RA 2 RB K AB [R A ] 3 KAB [R B ] R E C E I V E R B GMIT Galway Page 21 of 194

22 Systems and Network Technology Non-repudiation Repudiation defined as "denial, by one of entities involved in communication, of having participated in all, or part, of the communication" One party to transaction later falsely denying that transaction occurred Disagreements relating to: Whether particular event occurred or not When event occurred What parties were involved in particular event? What information was associated with event? Three types of non-repudiation: 1. Non-repudiation of origin: Receiver received message but sender claims not to have sent message Receiver received message but contents different from what sender claims to have sent Receiver received message on particular date and time but sender claims not to have sent message at that date and time GMIT Galway Page 22 of 194

23 Systems and Network Technology 2. Non-repudiation of delivery: Sender claims to have sent message, but recipient claims not to have received message Sender claims to have sent message, but contents different from what recipient received Sender claims to have sent message on particular date and time but recipient claims not to have received message at that time and date 3. Non-repudiation of submission: Sender claims to have sent message, but recipient claims not to have received message and claims that sender did not sent message Sender claims to have sent message on particular date and time but recipient claims that message was not sent at that time on that date GMIT Galway Page 23 of 194

24 Systems and Network Technology Non-repudiation of Origin Provided by originator of message digitally signing message using private key A s Message, Timestamp, Nonce, Recipients Id Hash Function Message Digest A s Priv Digital Signature What gets transmitted through Network / Internet is A s Message Timestamp, Nonce, Recipients Id = B Plaintext Digital Signature Alternative mechanism is if originator of message uses trusted third party to digitally sign message GMIT Galway Page 24 of 194

25 Systems and Network Technology Non-repudiation of Delivery Recipient must send originator a digitally signed ack containing copy of: Original message or Digital Signature of original message Message must be signed using recipient's private key or using trusted third party to digitally signing message A s Message, Timestamp, Nonce, Recipients Id Hash Function Message Digest A s Priv Digital Signature A s Message Timestamp, Nonce, Recipients Id = B Digital Signature Digital Signature Message Digest B s Priv Hash Function A s Original Message OR A s Original DS, New Timestamp, New Nonce, Recipients Id = A GMIT Galway Page 25 of 194

26 Systems and Network Technology Possibility of encountering reluctant recipient Alternative is to use Trusted third party Delivery Agent Progressive Delivery Reports, e.g. similar to Non-repudiation of Submission Considered a subtype of non-repudiation of delivery Mechanisms most often used to prevent non-repudiation of Submission is any of the techniques used for nonrepudiation of Delivery GMIT Galway Page 26 of 194

27 Systems and Network Technology Authentication Protocols 1. Two-Party Authentication One-Way Authentication Two-Way Authentication 2. Third-Party Authentication Kerberos 3. Public-Key Authentication One-Way Authentication Two-Way Authentication 4. X.509 Directory Authentication X.509 Certificates GMIT Galway Page 27 of 194

28 Systems and Network Technology 1. Two-Party Authentication One-Way Authentication User wishes to logon to application User sends userid and password to application One-Way authentication : Confirms user is authenticated to application Assures application that ID and password was sent by legitimate user - no-one else has password Two-Way Authentication User is authenticated to application AND application is authenticated to user Two-Way authentication : Confirms user is authenticated to application Assures application that ID and password was sent by legitimate user - no-one else has password Server has been authenticated to user Password for server sent by legitimate server Not commonly used due to practical problems GMIT Galway Page 28 of 194

29 Systems and Network Technology Client LAN Server Two-Party One -Way Authentication Request for logon Prompt for Id Send Id Prompt for Password Send Password Client logged on Two-Party Two -Way Authentication Prompt for Password Send Password Server logged on GMIT Galway Page 29 of 194

30 Systems and Network Technology 2. Third-Party Authentication Systems Two-Party Two-Way not commonly used due to practical problems, e.g. 50 users on LAN each communicating with each other Natural extension to Two-Party Two-Way authentication is to use a trusted third-party Requirements being: 1. System should provide Two-Party Two-Way authentication, third party provides centralised storage and maintenance of passwords 2. Scheme should not transport passwords over network 3. Passwords should not be stored at client station 4. Once logged on, scheme should provide temporary secret to represent user 5. System should be capable of securely transmitting encryption keys GMIT Galway Page 30 of 194

31 Systems and Network Technology Kerberos Authentication protocol designed at MIT Designed to allow workstation users to access network resources in a secure way Kerberos Client Authentication Server (AS) Ticket Granting Server (TG) Application Server (AP) Mail Server Print Server File Server Database Server Kerberos involves three servers Client workstation is where user interacts with workstation and enters Id and password 1. Authentication Server provides password storage and interacts with client in authenticating user Interaction provides ticket-granting ticket to client GMIT Galway Page 31 of 194

32 Systems and Network Technology Ticket-Granting Ticket is used by client obtain a Service- Granting Ticket from Ticket Granting Server Service-Granting Ticket temporary secret used by client to achieve authentication with application server 2. Ticket-Granting Server provides service-granting ticket to client in order to receive services from Application Server 3. Application Server provides desired services to user Exchange Frequency 1. Client-AS exchange Once per user login 2. Client-TG exchange Once per type of service required 3. Client-AP exchange Once per service request to AS Kerberos server stores userid and hashed passwords of all users in database Kerberos server must share secret encryption key with each application server DES, Symmetrical Enc GMIT Galway Page 32 of 194

33 Systems and Network Technology Client --> Authentication Server Exchange Object is to authenticate user and provide client with capability to obtain service granting ticket Passwords not transmitted over network Client send AS plaintext request that consists of : Client Id TG Id Timestamp - Synchronise AS with client clock AS derives encryption key from users password Uses key to encrypt packet for client : TG Id Time Stamp - Time ticket issued Lifetime Value - Duration of validity of TGT Session Key - Secret encryption key between Client and TG Ticket-Granting Ticket Client Id Client Address TG Id Session Key Time Stamp Lifetime Value TGT is additionally encrypted using a key shared between AS and TG, i.e. TGT can only be decrypted by TG GMIT Galway Page 33 of 194

34 Systems and Network Technology Upon receiving packet, client will prompt user for password Client derives key from password and attempts to decrypt packet from AS Packet restored only if correct password supplied No password stored at client workstation, no passwords transmitted over network Client receives packet and will decrypt using key derived from password => Recover TGT TG decrypts session key using key shared between AS and TG Session key is distributed securely Client has TGT and Session Key GMIT Galway Page 34 of 194

35 Systems and Network Technology Client--> Ticket-Granting Server Exchange Purpose of exchange is for client to send request to TG to obtain Service-Granting Ticket for desired application Client send TG packet consisting of: Ticket-Granting Ticket Id of desired Application Server Authenticator Client Id Client Address Timestamp - Very short lifetime Authenticator encrypted using encryption key (session key) shared between TG and client TG uses secret key shared between AS and TG to decrypt the TGT Ticket assures TG that client is who he says he is GMIT Galway Page 35 of 194

36 Systems and Network Technology TG sends client packet that includes: AP Id Time Stamp Lifetime Value Session Key - Encryption key to be used between Client and AP Service Granting Ticket Client Id Client Address App Server Id Session Key - Encryption key to be used between client and AP Time Stamp Lifetime Value Packet encrypted using session key shared between Client and TG Service Granting Ticket encrypted using Encryption key shared between Application server and Ticket-Granting Server GMIT Galway Page 36 of 194

37 Systems and Network Technology Client Application Server Exchange Exchange takes place every time user desires to obtain services from AP Object is to assure authenticity of client to AP Client can reuse SGT for same AP E.g. once client has obtained SGT for mail server, client can subsequently resend same SGTicket within ticket s lifetime Client sends following packet to Application Server: SGT Authenticator: Client Id Client Address Timestamp Very short lifetime Authenticator encrypted using encryption key shared between AP and client SGT encrypted using encryption key known only to AP and the TG server AP may also reply with Authentication packet to client, but with timestamp incremented by 1 Encrypted using key shared between Client / AP Client can decrypt authenticator using shared encryption key GMIT Galway Page 37 of 194

38 Systems and Network Technology Client 2 1 Kerberos Authentication Server (AS) 4 Ticket Granting Server (TG) 3 5 Application Server (AP) 1 = Key Derived From Users Password 2 = Session Key shared between Client and TG 3 = Encryption Key shared between Client and AP 4 = Encryption Key shared between AS and TG 5 = Encryption Key shared between TG and AP GMIT Galway Page 38 of 194

39 Systems and Network Technology Kerberos accepted security standard for Internet If security of AS compromised, whole system compromised Kerberos relies on clock synchronisation between client and AS Problem s with clocks may permit attacks DES standard used for encryption GMIT Galway Page 39 of 194

40 Systems and Network Technology 3. Public Key Authentication User A User B Plaintext Plaintext Encrypt A s private Key Decrypt A s public Key Encrypt Text Encrypt Text Message Authentication using Public Key Scheme One-way Authentication but no confidentiality as any user can decrypt using A s public key User A User B Plaintext Plaintext Encrypt B s public Key Decrypt B s private Key Encrypt Text Encrypt Text Message Confidentiality using Public Key Any other user with knowledge of B s public key could have sent this message Provides confidentiality without Authentication GMIT Galway Page 40 of 194

41 Systems and Network Technology User A Plaintext User B Plaintext Encrypt A s private Key Decrypt A s public Key Encrypt B s public Key Decrypt B s private Key Encrypt Text Encrypt Text Message Confidentiality and Authentication One-Way Authentication achieved when use private key to encrypt and public key to decrypt - Picture above - A Authenticated to B Exchange is one-way authentication since only A is authenticated to B GMIT Galway Page 41 of 194

42 Systems and Network Technology User A Plaintext User B Plaintext Decrypt B s public Key Encrypt B s private Key Decrypt A s private Key Encrypt A s public Key Encrypt Text Encrypt Text Message Confidentiality and Authentication B uses his private key to encrypt Assures A that B sent message, i.e. Two-Way Authentication GMIT Galway Page 42 of 194

43 Systems and Network Technology 4. X.509 Authentication Procedures CCITT (Comite Consultatif International Telegraphique et Telephonique) recommendation for Authentication using public/private key scheme Early '90's, CCITT reorganised to form International Telecommunication Union (ITU) Number of different area, ITU-T concerned with Telecommunications standardisation, i.e. make technical recommendations about telephone and communications interfaces ITU-T and ISO developed online directory services call X.50x X.509 defines framework for authentication services X.509 certificate issued to user by Certificate Authority (CA) - like electronic driving license Certificate created by some trusted CA and placed in directory by CA or user User certificates stored in central X.500 directory - repository for public key certificates X.509 based on public key cryptography and digital signatures NB: C.A. not responsible for generation of pub/priv key Only responsible for secure distribution of pub keys GMIT Galway Page 43 of 194

44 Systems and Network Technology Not always practical for all users to subscribe to the same CA One private key More practical to have a number of CA s, each with their own pub/private key pair Concept of trusted parties and friends Three levels in picture below but possible to have more levels Chain of certificates going back to root called Chain of trust or Certificate path GMIT Galway Page 44 of 194

45 Systems and Network Technology CA Priv Key Version Serial Number Algorithm Identifier Issuer Period of Validity Subject Public Key Information Digital Signature Version of certificate Number given to user, Unique within CA Algorithm used to sign certificate, RSA CA created and signed certificate Two dates before / after User whom certificate issued to Public Key of user, algorithm One-way hash of above fields using CA s private key Any user can decrypted signature using CA public key Any user can access CA to obtain public key of other user CA maintains validity of certificates Also maintains list of revoked certificates (CRL) if : 1. User or CA private key compromised 2. User no longer certified by CA X.509 certs used by PEM, PGP, SSL, S-HTTP, SET, S/MIME, IP Security GMIT Galway Page 45 of 194

46 Systems and Network Technology It is possible that a malicious person changes a certificate. The original certificate contains Johns name as the subject and John s public key. But someone changes the Subject name from John to Tom. I now believe that I am sending a private / encrypted message to Tom as I am using his public key and only his (i.e. Toms) private key can be used to decrypt this message. But in actual fact the only person who will be able to decrypt my message is John because he has possession of the corresponding private key. You believe that you am sending the encrypted message to Tom, but in actual fact you are sending the encrypted message to John!! Users of certificates must validate the certificates prior to use. GMIT Galway Page 46 of 194

47 Systems and Network Technology GMIT Galway Page 47 of 194

48 Systems and Network Technology GMIT Galway Page 48 of 194

49 Systems and Network Technology GMIT Galway Page 49 of 194

50 Systems and Network Technology Access Control Mechanism Process of enforcing different levels of access to network resources achieved through Access Controls Access Control Mechanism based on three types of information : Subject : Subject capable of accessing object, e.g. User, Terminal, User Group, Objects : Entity to which access controlled, e.g. programs, records, files, database, etc Access Rights : Way subject can access object, User Permissions, Read, Write, Ex, Del Access Matrix contains information to specify access control lists (ACL) and Capability Lists Objects Subject John Address File Read Payroll... Read Tom Mary Read Write GMIT Galway Page 50 of 194

51 Systems and Network Technology ACL defines access rights for each subject - columns of access matrix - to a particular object Capability list specifies rights to access object - rows of access matrix Access control often implemented as part of process to access resources, e.g. opening file check to see if user allowed Access control classified according to whether rights assigned by owner of resource or by system Discretionary Access Control ( DAC ) : Access performed at discretion of individual owner of data Owner of data specifies rules for accessing data Flexibility to users for sharing their information Implemented using ACL s or CL s Mandatory Access Control ( MAC ) : Access defined by system administrator Sensitive data Good at implementing consistency across network Typical environments may require a mixture of DAC and MAC Covert Channels - Secret way to convey information GMIT Galway Page 51 of 194

52 Systems and Network Technology Science of hiding messages called Steganography From Greek word 'covered writing' Herodotus writing tattoo on head of messenger Wax melted off blank tablets so that secret messages could be applied to underlying wood before wax is reapplied GMIT Galway Page 52 of 194

53 Systems and Network Technology Overt Channels used to provide information exchange among users in Client / Server environment If channel is used for illegitimate transfer channel called Covert Channel S e n d e r Encode Secret Information Overt Channel Legitimate Information Flow Unauthorised Information Flow Covert Channel Decode Secret Information R e c e i v e r Covert channel defined as communication channel that allows two processes to transfer unauthorised info without violating access control Available 24 * 7 High User : Channel with high level of security clearance Low User : Channel with low level of security clearance Difficult to detect, difficult to eliminate GMIT Galway Page 53 of 194

54 Systems and Network Technology Conditions for Covert Channels 1. Oversight during implementation by network administrator High and low user permitted to list all users of system Possible for high user to encode information in users names Low user decodes user names 2. Incorrect implementation or operation of ACL s 3. Existence of a shared resource between sender and receiver Covert storage channel uses storage mechanism to communicate information Disk Space before and after allocation Spaces in print file File Naming GMIT Galway Page 54 of 194

55 Systems and Network Technology Covert timing channel uses sequence of events to communicate information High user can change CPU utilisation at predetermined intervals to generate a binary code Resource Availability : Busy and Free resources corresponding to Binary code Covert channels best eliminated by using sound system design GMIT Galway Page 55 of 194

56 Systems and Network Technology Internet Security Security provisions in three separate levels: 1. Network Security: Authentication header, Packet Encryption, etc 2. Application Security: Security safeguards built into application, operate independently of any security networks measures, e.g. PEM, PGP, SSL 3. System Security: Protection of end-system and local environment Operating system GMIT Galway Page 56 of 194

57 Systems and Network Technology WWW Security Netscape developed a security protocol for communication between Web browsers and servers Secure Socket Layer (SSL) provides authentication, encryption and message integrity SSL uses TCP as transport protocol and is independent of higher layer applications Consists of two protocols: SSL Record Protocol SSL Handshake Protocol Widely implemented in Browsers, Servers and Internet commerce products SSL utilises port #443 rather than standard port #80 Client / Server agree set of algorithms (encryption, hashing, compression) for privacy and authentication SSL provides Server authentication (X.509) Client authentication (X.509) - optional Encrypted SSL session GMIT Galway Page 57 of 194

58 Systems and Network Technology SSL Architecture Uses TCP to provide reliable end-to-end secure service SSL actually two layers of protocols SSL Handshake Protocol SSL Change Cipher spec Protocol SSL Record Protocol TCP SSL Alert Protocol HTTP IP SSL Record Protocol provides basic security services to various higher protocols, e.g. HTTP Other protocols (i.e. SSL Change Cipher spec Protocol and SSL Alert Protocol) used is the management of SSL exchanges GMIT Galway Page 58 of 194

59 Systems and Network Technology SSL Record Protocol Specifies encapsulation of all transmitted and received data Provides for Generation of integrity check ( MAC) via shared key Confidentiality via symmetric encryption of data Lossless compression of data - optional Application Data, e.g. HTTP Fragment Compress Add MAC Encrypt Add Header GMIT Galway Page 59 of 194

60 Systems and Network Technology Data portion of SSL record consists of: Actual-Data : Payload Padding-Data : Data required to pad message MAC-Data : Message Authentication Code bits MAC-Data computed as: MAC-Data = HASH(SECRET, ACTUAL-DATA, PADDING-DATA, SEQUENCE-NUMBER) Secret field derived from hashed value of master key and the client and server nonce Sequence-number counter maintained by client and server - one counter server, one for client Actual MAC is then computed using a shared secret key SSL supports various encryption algorithms: DES, IDEA, RC2, RC4, etc SSL supports various MAC (hash) algorithms: MD5, SHA-1 GMIT Galway Page 60 of 194

61 Systems and Network Technology SSL Handshake Protocol consists of 5 phases: Most complex part of SSL Allows server and client to authenticate each other and to negotiate 1. Encryption Algorithm 2. MAC Algorithm 3. Keys Used before application data is transmitted Consists of a series of messages exchanged by client and server GMIT Galway Page 61 of 194

62 Systems and Network Technology 1. Hello Phase : Establishes security capabilities Client sends CLIENT-HELLO message to server: SSL Version: Highest version understood by client Cipher suite for client: In decreasing order of preference Compression method: May be null, must be lossless Session Id: 0 if new session, # of old session Random data to challenge server - nonce If server recognises old session id, session restarted Server sends SERVER-HELLO message to CLIENT: SSL Version: Highest version understood by server Cipher suite selected by server Compression method selected by server Session Id: # of new session, # of old session Random data to challenge client - nonce If new session, server sends X.509 certificate to client Certificate includes Servers public key, signed by private key of CA Number of key exchange methods supported, most common method is to encrypt secret key using recipients public key, i.e. key found in X.509 cert GMIT Galway Page 62 of 194

63 Systems and Network Technology 2. Key Exchange Phase Client generates pre-master key, symmetric key, 48 bytes long Key sent to Server enc using Servers public key Supports various different algorithms Client may or may not send X.509 cert during this phase 3. Master key (Session Key) Production Phase Two Master keys generated by both Client and Server Generated using hash of: Pre-Master key Client nonce Server nonce 4. Client Authentication Phase If client authentication required, Server requests X.509 certificate from client Client responds with certificate GMIT Galway Page 63 of 194

64 Systems and Network Technology 5. Finished Phase Client indicates completion of authentication by sending session Id encrypted with master key Server sends SERVER-FINISHED message that includes session Id encrypted with master key Trusted session now established between client and server GMIT Galway Page 64 of 194

65 Systems and Network Technology Transport Layer Security (TLS) IETF standardised initiative to produce an Internet standard version of SSL Current draft very similar to SSL v3 RFC 2246 GMIT Galway Page 65 of 194

66 Systems and Network Technology Secure Hyper Text Transfer Protocol (S-HTTP) HTTP protocol consists of ASCII request followed by response Browser Request Web Client Response Server Web page consists of various sections: Version Information Header Body HTTP Request Calls Method Get Head Put Post Delete Link Unlink Description Request to read Web page Request to read Web page header Request to store new Web page Send data via URL, filling up form, etc Remove Web page Connect two existing resources Break link between two resources S-HTTP used to protect individual transaction requests / responses Unlike SSL, no actual session created between client and server GMIT Galway Page 66 of 194

67 Systems and Network Technology Security-enhanced variant of HTTP proposed by Enterprise Integration Technologies (EIT) Message-based protocol that allows Server to choose security specifications for each transaction (i.e. request / response) between client and server. Server can specify wide variety of cryptographic options (CRYPTOPTS) for each hypertext link in HTML document that uses HTTP protocol Hypertext links defined in anchor coding portion of HTML document In anchor coding, specify CRYPTOPTS that tell the client appropriate security for referenced document Server can choose whether communications is: Encrypted Signed Both encrypted and signed Authenticated - Implied Can also specify CRYPTOPTS in protection set-ups and, optionally, in ACL files CRYPTOPTS in anchor must be consistent with CRYPTOPTS specified in protection set-ups and ACL files If not, the server won't serve requested document Provides same services as SSL: Authentication, Integrity, Confidentiality GMIT Galway Page 67 of 194

68 Systems and Network Technology Provides maximum flexibility in a) Choice of key mgt : pub/priv keys, digital envelopes, secret keys, Kerberos b) Security policies c) Cryptographic algorithms Any request / response may be signed, authenticated, encrypted, no protection or any combination GMIT Galway Page 68 of 194

69 Systems and Network Technology Scenario Create HTML page on server, specify within page anchors that use S-HTTP Code or write cryptographic options in each S-HTTP anchor to tell the client the appropriate security for the document referenced in the anchor When Client wishes to access document, Client clicks on S-HTTP anchor on page Client reads anchor and CRYPTOPTS and compares CRYPTOPTS with own CRYPTOPTS If client cannot comply negotiation fails, document will not be sent to client If client can comply, client sends server clients CRYPTOPTS in header along with request for document Server receives request Server compares CRYPTOPTS, if consistent, server provides document Note: CRYPTOPTS in anchor tell client appropriate security for document CRYPTOPTS in protection setups and ACL files enforce security for document GMIT Galway Page 69 of 194

70 Systems and Network Technology Coding a HTML document for S-HTTP S-HTTP requires Server certificate that contains Servers public key Need to include security coding in HTML document with Servers S-HTTP security specifications Use security coding to: 1. Supply client with Servers Certificate, included in header of a HTML page 2. Supply client with Security Spec for document referenced in anchor Notification of S-HTTP security specs Optionally: Distinguished Name associated with servers cert CRYPTOPTS GMIT Galway Page 70 of 194

71 Systems and Network Technology 1. a) Possible to include Server cert in header portion of HTML page but HTML file very large E.g. <HEAD> <CERTS FMT=X.509> </CERTS> </HEAD> b) Also possible to have server-side include in header portion of HTML document, i.e. coding that tells server to get cert and send it to client But more processing required and can slow down response time for clients <HEAD> <!--#certs name= ServerCert -- > </HEAD> GMIT Galway Page 71 of 194

72 Systems and Network Technology 2. Code security spec for document referenced in anchor Different security spec for each anchor or same security spec for each anchor Format of anchor with no security spec <A HREF=" /schedule.html"> Schedule </A> Format of anchor with security spec <A HREF="shttp:// /schedule.html" CRYPTOPTS="SHTTP-Privacy-Enhancements: recvrequired=sign"> Schedule </A> GMIT Galway Page 72 of 194

73 Systems and Network Technology Client and Server exchange formatted data CRYPTOPTS= CryptHdr : origmode=hdropt; recvmode=hdropt CRYPTOPTS CryptHdr: SHTTP-Privacy-Domain SHTTP-Privacy-Enhancements SHTTP-Certificate-Types SHTTP-Key-Exchange-Algorithms SHTTP-Signature-Algorithms SHTTP-Message-Digest-Algorithms SHTTP-Symmetric-Content-Algorithm Clients might interpret anchor with no CRYPTOPTS differently, Server should: Always specify CRYPTOPTS wanted Always refuse CRYPTOPTS don't want. Accept defaults for CRYPTOPTS only when it doesn't matter what CRYPTOPTS are used If same CRYPTOPTS are used by a number of anchors, possible to include anchors in header portion of HTML document and give them a name In anchor coding then use name of CRYPTOPTS Default values for each CRYPTOPTS header GMIT Galway Page 73 of 194

74 Systems and Network Technology Orig mode : Mode server uses to send responses to client 1. orig-optional : Server can respond using specified Hrdoption if client requires it 2. orig-required : Server sends all responses using specified Hrdoption 3. orig-refused : Server does not send any response using specified Hrdoption Recv mode : Mode server uses to accept requests from client 1. recv-optional : Server can accept requests using specified Hrdoption but server does not require client to make requests using this mode 2. recv-required : Server only accepts requests from client using specified Hrdoption 3. recv-refused : Server does not accept any requests made using specified Hrdoption GMIT Galway Page 74 of 194

75 Systems and Network Technology SHTTP-Privacy-Enhancements Specifies security enhancements associated with messages, e.g. server may encrypt, sign or both, and client may encrypt, sign, both Options chosen must be consistent with SHTTP-Privacy- Domains CRYPTOPTS="SHTTP-Privacy-Enhancements: origrequired=sign ;recv-required=encrypt,sign" Tells client: Server will send client signed responses for document referenced in anchor Server will require that client encrypt and sign requests for document referenced in anchor SHTTP-Certificate-Types Specifies acceptable certificate format, e.g. X.509 SHTTP-Key-Exchange-Algorithms Indicates algorithms used for key exchange, e.g. RSA, Krb, Inband, Outband SHTTP-Signature-Algorithms Specifies algorithm for digital signatures, currently only supports RSA, DSS GMIT Galway Page 75 of 194

76 Systems and Network Technology SHTTP-Message-Digest-Algorithms Specifies algorithm for providing data integrity, e.g. MD2, MD5, SHA SHTTP-Symmetric-Content-Algorithm Specify algorithm used to encrypt contents message, e.g. DES, RC2 SHTTP-Privacy-Domains Specifies the format used for encrypted message, e.g. PKCS-7, MOSS, PEM, GMIT Galway Page 76 of 194

77 Systems and Network Technology Example 1: <HEAD> <CRYPTOPS NAME = Security Options > SHTTP-Privacy-Domains : orig-optional=pkcs-7,pem; recv-optional=pkcs-7,pem SHTTP-Certificate-Types: orig-required=x.509; recv-optional=x.509 SHTTP-Key-Exchange-Algorithms:orig-optional=Inband,DH; recv-required=dh SHTTP-Signature-Algorithms: orig-required=nist-dss; recv-required=nist-dss SHTTP-Privacy-Enhancements: orig-required=sign; recv-optional=encrypt </CRYPTOPS> </HEAD> Body of document <A HREF = SHTTP:// /Schedule.html CRYPTOPTS= Security Options Schedule </A> Example 2: GMIT Galway Page 77 of 194

78 Systems and Network Technology Body of document <A HREF = SHTTP:// /Schedule.html CRYPTOPS = SHTTP-Privacy-Domains : orig-optional=pkcs-7,pem; recv-optional=pkcs-7,pem; SHTTP-Certificate-Types: orig-required=x.509; recv-optional=x.509; SHTTP-Key-Exchange-Algorithms: orig-optional=inband, DH; recv-required=dh; SHTTP-Signature-Algorithms: orig-required=nist-dss; recv-required=nist-dss; SHTTP-Privacy-Enhancements: orig-required=sign; recv-optional=encrypt Schedule </A> Example 3: Most important CRYPTOPTS CRYPTOPS= SHTTP-Privacy-Enhancements : orig-optional = sign; recv-optional = encrypt, sign; GMIT Galway Page 78 of 194

79 Difference between SSL and S-HTTP Both use different approaches to provide security services for Web users SSL : Executes negotiation protocol to establish connection Transparent to user and application SSL at socket layer, just above TCP-IP Proprietary security protocol Session based Uses server-side certificates Connection private Symmetric enc for data Connection authentication GMIT Galway Page 79 of 194

80 S-HTTP: Protocols integrated with HTTP, message based, request/ response Security services negotiated through headers and attributes attached to HTML page Services only available to HTTP connections and application is aware of S-HTTP services S-HTTP at application layer GMIT Galway Page 80 of 194

81 IP Security (IPsec) Protocol Internet and TCP/IP not built with security in m ind IETF formed IP Security Protocol Working Group to developed IP Security protocol (IPsec) IPsec not single protocol, but suite of protocols providing mechanism for data integrity, authentication, privacy, and non-repudiation for IP Intended primarily for IPv6, IPsec can also be employed by IPv4 Provides secure communication across LAN, private and public WANs and across Internet Benefits of IPSec When IPSec implemented in firewall / router, provides strong security that is applied to all traffic crossing perimeter Transparent to application as below TCP layer Transparent to end user, no keys, user training etc GMIT Galway Page 81 of 194

82 Central to IPsec is concept of Security Association (SA) and a Security Association database / repository SA is simplex logical connection between two communicating IP endpoints that provides security services to traffic carried by it Endpoint of SA can be IP host or IP security gateway Providing security to more typical scenario of two-way (bi-directional) communication requires establishment of two SA's (one in each direction) SA is uniquely identified by three parameters: 1. Security Parameter Index (SPI): Entry in local repository that holds info on the particular SA 2. IP Destination Address: Address of the destination endpoint of the SA 3. Security Protocol Identifier: Indicates whether association is a AH or a ESP security association GMIT Galway Page 82 of 194

83 Two new headers with IPsec 1. Authentication Header (AH) 2. Encapsulating Security Payload (ESP) 1. IP Authentication Header (AH) Provides Integrity and Authentication for IP packets using Hashed Message Authentication Code (HMAC) with MD5 (or HMAC with SHA-1) No Encryption but two parties must share a secret key Authenticated (except for mutable fields) IP Header AH TCP Header Data + Padding Next Header Payload Length Resv Security Parameter Index (SPI) Sequence Number Field Authentication Data (variable length) HMAC GMIT Galway Page 83 of 194

84 Contents of AH: Next Header: 8-bit field that identifies type of header following this header i.e. after AH Payload Length: 8-bit field that indicates length of AH Reserved: Security Parameters Index (SPI): 32-bit value that points to entry in receivers database where shared key stored Sequence Number: 32-bit field containing a sequence number for each datagram -> Prevents replay attacks Authentication Data: Variable-length, 32-bit aligned field containing Integrity Check Value (ICV) for packet Computed using authentication algorithm specified by SA, such as MD5, or SHA-1 Not all fields in IP header included in Authentication check, i.e. some field values change as move from router to router GMIT Galway Page 84 of 194

85 2. IP Encapsulating Security Payload (ESP) Provides Message Integrity and Encryption ESP privacy (confidentiality, encryption) is provided using DES-CBC, etc Optionally ESP provides same features as AH, i.e. Integrity and authentication using HMAC with MD5 or SHA-1 Authenticated IP Header ESP Header TCP Header Data + Padding HMAC (Opt) Encrypt GMIT Galway Page 85 of 194

86 Contents of ESP packet are: Security Parameters Index: 32-bit value that points to entry in receivers database where shared key stored Sequence Number: Counter Payload Data: A variable-length field containing data - Enc and Auth Contents of this field could be encrypted using higher layer data or an encrypted IP packet. Authentication Data: Optional Security Parameter Index (SPI) Sequence Number Payload ( Inc Padding) Data Authentication Data GMIT Galway Page 86 of 194

87 IPsec authentication scheme for both AH and ESP uses HMAC HMAC keyed-hashing message authentication code that uses shared secret key between two parties rather than public key methods Secret key will be employed with hash algorithm in a way that provides mutual authentication but, prevents key from being transmitted on line IPsec key management procedures will be used to manage key exchange between the two parties Note: Hash functions operate on a fixed-size block of data GMIT Galway Page 87 of 194

88 IPsec can be used in either of two modes 1. Transport Mode: Provides protection primarily for upper-layer protocols 2. Tunnel Mode: Provides protection for entire IP packet 1. Transport mode SA is a security association between two hosts IPsec header (either AH or ESP) inserted just after original IP header IPsec header contains security info, SA identifier, new sequence number, possibly integrity check Provides authentication and/or encryption service to higher layer protocol. Mode supported by IPsec hosts only GMIT Galway Page 88 of 194

89 2. Tunnel mode SA is a security association applied to an IP tunnel. Entire IP packet, header and all, encapsulated in body of new IP packet Mode useful when tunnel ends at location other than final destination, e.g. security firewall - inner nodes unaware of IPsec "Outer" IP header specifies destination for IPsec data and "inner" IP header specifies destination for IP packet. Mode supported by both hosts and security gateways GMIT Galway Page 89 of 194

90 Authentication Header in both Transport and Tunnel mode Initially, IPv4 packet contains an IP header (which may contain IP options), followed by higher layer protocol header (e.g. TCP), followed by higher layer data itself Orig IP Hdr TCP Data After applying AH (Transport Mode) Orig IP Hdr AH TCP Data Authenticated (except for mutable fields) After applying AH (Tunnel Mode) New IP Hdr AH Orig IP Hdr TCP Data Authenticated GMIT Galway Page 90 of 194

91 ESP Header in both Transport and Tunnel mode Orig IP Hdr TCP Data After applying ESP (Transport Mode) Orig IP Hdr ESP Hdr TCP Data ESP Tr ESP Auth Encrypted Authenticated In tunnel mode, original IP packet is encrypted and placed inside of an "outer" IP packet, while entire ESP packet is authenticated. After applying ESP (Tunnel Mode) New IP Hdr ESP Hdr Orig IP Hdr TCP Data ESP Tr ESP Auth Encrypted Authenticated GMIT Galway Page 91 of 194

92 GMIT Galway Page 92 of 194

93 GMIT Galway Page 93 of 194

94 Security Associations and Key Management Accomplished in one of two ways. 1. Simplest form is manual management. Security administer manually configures each system with key and SA data necessary for secure comm with other systems. 2. Scalable, automated SA/key management scheme: a) Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete security associations Provides framework for exchanging information about authentication and key management ISAKMP's security association and key mgt totally separate from key exchange. b) OAKLEY Key Determination Protocol describes scheme by which two authenticated parties can exchange key information. Uses Diffie-Hellman key exchange algorithm c) Internet Key Exchange (IKE) algorithm default automated key management protocol for IPsec. GMIT Galway Page 94 of 194

95 Security Rating of Computer Systems EU developed ITSEC ( IT Security Evaluation Criteria ) US developed TCSEC ( Trusted Computer System Evaluation Criteria ) TCSEC group various requirements into four divisions : 1. Division D - No security features at all 2. Division C - Discretionary Protection, C1, C2 Id and Authentication DAC Audit Security Testing System Architecture 3. Division B - Mandatory Protection, B1,B2,B3 MAC Covert Channel Analysis Configuration Analysis 4. Division A - Most Secure, A Verified Protection ITSEC seven evaluation ratings from E0 (lowest) to (E6) highest GMIT Galway Page 95 of 194

96 Internet Firewalls System or group of systems that enforces security policy between org network and Internet Logically, firewall is separator, restricter, analyser Physical implementation varies from site to site Most often, firewall is set of hardware components, router, a host computer, or some combination of above Very rarely a single physical object Usually, firewall has multiple parts, some of these parts may do other tasks besides function as part of the firewall Benefits: Simplifies security mgt as security consolidated on firewall rather than distributed Convenient point where security can be monitored and alarms generated Logical place where network address translators deployed Point to audit and log Internet usage GMIT Galway Page 96 of 194

97 Limitations: Cannot protect against attacks that do not go through firewall - Back Door Cannot protect against traitors or against transfer of virus-infected software Single point of failure Cost : Hardware, Software, Personnel A firewall can't set itself up correctly GMIT Galway Page 97 of 194

98 Security Philosophy: Everything not specifically permitted is denied - Closed Everything not specifically denied is permitted - Open Org must decide where security ranks compared with ease-of-use Various grades of Firewalls, ranging from No security features Filters only Filters and Gateways Filters, Gateways, DNS, Mail Handling No access GMIT Galway Page 98 of 194

99 Firewall consists of any / none / all : P r i v a t e Name / Address Requests Access for Higher Level Protocols Handling DNS Gateways I n t e r n e t IP level Packets Filters Secure OS Components of firewall system: Packet-Filtering Router Application-Level Gateway Circuit-Level Gateway GMIT Galway Page 99 of 194

100 Packet-Filtering Router Router implemented at Network Layer i.e. layer 3 in ISO Reference Model. Router makes permit/deny decision for each packet received, blocks transmission based on protocol, address and/or port id Filter rules comprised of action field and selection criteria Action : Block ( Deny ) Permit ( Allow ) GMIT Galway Page 100 of 194

101 Selection Criteria : Source / Destination Address Source / Destination Port Protocol : E.g. TCP, UDP, ICMP Direction Example: Block all incoming Telnet connections, deny all packets with TCP dest port = 23 Weakest form of firewall Congested, complex routing tables Maintaining updated locations IP Spoofing Direct connection between inside and outside, i.e. same Source / Destination IP addresses used GMIT Galway Page 101 of 194

102 Application-Level Gateway Application Gateway implemented at Application Layer i.e. layer 7 in ISO Reference Model. Stricter security policy than Packet-Filtering Router Application-level gateways filters traffic using Application specific rules Each application will require special purpose code installed on gateway HTTP, FTP, Telnet, SMTP, etc If code not installed on gateway, service not supported Closed system Increased cost: Gateway Hardware platform Proxy Server application Time / knowledge Decrease in level of service Lack of transparency Number of different software implementations: Proxy Server SOCKS Server Direct connection between inside and outside impossible, Intermediately required, Source / Destination Addresses changed at gateway, inner IP addresses hidden! GMIT Galway Page 102 of 194

103 Advantages of Proxying Proxy services can be good at logging Proxy services can provide caching Proxy services can do intelligent filtering: Proxy services are much more capable of filtering HTTP by content type (to remove Java or JavaScript) and better at virus detection than packet filtering systems Proxy systems can perform user-level authentication Proxy systems automatically provide protection for weak or faulty IP implementations GMIT Galway Page 103 of 194

104 Disadvantages of Proxying Proxy services lag behind nonproxied services Widely available for the older and simpler services, proven software for newer or less widely used services is harder to find. Proxy services may require different servers for each service, different proxy server for each protocol Proxy services usually require modifications to clients, applications, or procedures GMIT Galway Page 104 of 194

105 Application level gateway referred to 'Bastion Host', designated system specially armoured and protected against attacks Gets its name from highly fortified projections on the outer walls of medieval castles Executes striped down, bare bones secure OS Only services that adm considers essential installed on bastion host, Telnet, DNS, FTP, SMTP, HTTP GMIT Galway Page 105 of 194

106 Programs on bastion Host small and uncomplicated Configuration shown above often called a Dual-Homed host Concept of cache on Bastion Host / Proxy Server GMIT Galway Page 106 of 194

107 Proxy Server Client required to access proxy server prior to accessing application server Proxy will intercept all application specific user access to Internet Separate proxy servers for various application LAN HTTP HTTP Firewall HTTP Proxy Server Internet FTP FTP Proxy Server DNS DNS Proxy Server HTTP Proxy Servers function is to receive a request from a Web browser, to perform that request (possibly after authorisation checks) and return results to the browser The IP address of the internal never appear on the Internet, just the address of the proxy GMIT Galway Page 107 of 194

108 But: Browser configuration more complex Added data transfers causing delays Added restrictions, timeouts, download sizes etc, GMIT Galway Page 108 of 194

109 Intelligent Proxy: Proxy server can do a great deal more than simply relay requests, caching GMIT Galway Page 109 of 194