Today s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice

Similar documents
Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Datasäkerhetsmetoder föreläsning 7

Information Security CS 526

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Spring 2010: CS419 Computer Security

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptographic Protocols 1

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Securing Internet Communication

SSL/TLS. How to send your credit card number securely over the internet

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CPSC 467b: Cryptography and Computer Security

Chapter 9: Key Management

AIT 682: Network and Systems Security

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CS Protocol Design. Prof. Clarkson Spring 2017

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Securing Internet Communication: TLS

Cryptographic Checksums

CPSC 467: Cryptography and Computer Security

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Cryptography and Network Security

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Internet security and privacy

Elements of Security

CS November 2018

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Configuring SSL Security

CSC 482/582: Computer Security. Security Protocols

But where'd that extra "s" come from, and what does it mean?

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

On the Internet, nobody knows you re a dog.

T Cryptography and Data Security

Configuring Secure Socket Layer HTTP

Key Management and Distribution

Security protocols and their verification. Mark Ryan University of Birmingham

KEY DISTRIBUTION AND USER AUTHENTICATION

Configuring Secure Socket Layer HTTP

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Configuring Secure Socket Layer HTTP

Transport Level Security

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Fall 2010/Lecture 32 1

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

E-commerce security: SSL/TLS, SET and others. 4.1

Digital Signatures. Secure Digest Functions

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Network Security (NetSec)

Key Management and Distribution

Authentication Part IV NOTE: Part IV includes all of Part III!

Trust Infrastructure of SSL

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Operating Systems Design Exam 3 Review: Spring 2011

Lecture 1: Course Introduction

Security: Focus of Control. Authentication

Transport Layer Security

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Progressively Securing RIOT-OS!

Overview. SSL Cryptography Overview CHAPTER 1

Authentication and Key Distribution

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 8 Web Security

Chapter 6: Security of higher layers. (network security)

Auth. Key Exchange. Dan Boneh

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Formal Methods for Assuring Security of Computer Networks

Apache Security with SSL Using FreeBSD

CT30A8800 Secured communications

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

HP Instant Support Enterprise Edition (ISEE) Security overview

Applied Cryptography Basic Protocols

Security Fundamentals

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 3

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Chapter 4: Securing TCP connections

Uniform Resource Locators (URL)

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

CS Certificates, part 2. Prof. Clarkson Spring 2017

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Exercises with solutions, Set 3

Securing Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016

Transcription:

Today s Lecture Secure Communication Tom Chothia Computer Security, Lecture 8 Protocols in and ob notation Some Key Establishment Protocol Secure Sockets Layer (SSL) / Transport Later Security (TLS) Certificates Remote Authentication How can you tell who you are talking to over the Internet? No online shopping, banking, e-mail, facebook, without remote authentication. Simple authentication protocols. Writing down protocols A sends message M to : I m written as: ob : I m ob Rules We write down protocols as a list of messages sent between principals, e.g. 1. A : Hello 2. A : Offer 3. A : Accept I m ob A : I m Message I m can be read by The Attacker. 1

Elvis I m { _ } Kab means symmetric key encryption { I m } Kab ob The Attacker can pretend to be anyone. E(A) : I m A : { I m } Kab If and ob share a key Kab, then an encrypt her message. A Nonce A E() : { I m } Kab E : { I m } Kab A 1. A 2. { N a } Kab 3. {N a + 1} Kab, { Pay Elvis 5 } Kab Attacker can intercept and replay messages. Assume the attacker owns the network. 1. A : A 2. A : { N a } Kab 3. A : { N a + 1 } Kab, { Pay Elvis 5 } Kab A Nonce A etter Protocol 1. A 1. A A 2. { N a } Kab A 2. { N a } Kab 3. {N a + 1} Kab, { Pay Elvis 5 } Kab 3. {N a, Pay Elvis 5 } Kab 4. A 6. {N a2 + 1} Kab, { Pay ob 5 } Kab 5. { N a2 } Kab E 6. {N a2 + 1} Kab, { Pay Elvis 5 } Kab 1. A : A, N a 2. A : { N a } Kab 3. A : {N a, Pay Elvis 5 } Kab 2

Key Establishment Protocol This protocol was possible because A and shared a key. The Needham-Schroeder Public Key Protocol Assume and ob know each others public keys, can they set up a symmetric key? Often the principals do not share a key, in which case we need a Key Establishment Protocol. 1. A : E ( N a, A ) 2. A : E A ( N a, N b ) 3. A : E ( N b ) E X (_) means public key encryption This usually involves a Trust Third Party who has a shared key with each party or public keys. N a and N b can then be used to generate a symmetric key An Attack Against the Needham-Schroeder Protocol The attacker acts as a man-in-the-middle: 1. A C : E C ( N a, A ) 1`. C(A) : E A ( N a, A ) 2`. C(A) : E A ( N a, N b ) 2. C A : E A ( N a, N b ) 3. A C : E C ( N b ) 3`. C(A) : E ( N b ) The Corrected Version A very simple fix: 1. A : E ( N a, A ) 2. A : E A ( N a, N b, ) 3. A : E ( N b ) Needham-Schroeder Symmetric Key Protocol What if and ob only have symmetric keys they shared with a server? K AS : is a good key for and the server K S : is a good key for ob and the server and ob trust the server. How can they set up a shared key K A with the server doing the least work possible? Needham-Schroeder Symmetric Key Protocol 1. A S : A,,N A 2. S A : { N A, K A,, {K A,A} K S } KAS 3. A : { K A, A } K S 4. A : { N } K A 5. A : { N +1 } K A Problem: Attacker can force an old key on by replaying messages 3, 4 & 5. 3

Needham-Schroeder Symmetric Key Protocol Kerberos A and S share the key K AS and and S share K AS oth A and trust S to generate a new key for them: K A N is a nonce, T is a timestamp and L is an expiration time. 3. E(A) : { K A, A } K S 4. E(A) : { N } K A 5. E(A) : { N +1 } K A Problem: Attacker can force an old key on by replaying messages 3,4 & 5. 1. A S : A,,N A 2. S A : {K A,, L, N A } K AS, {K A,A,L} KS 3. A : {A,T A } K A, {K A,A,L} KS 4. A : {T A +1} K A Kerberos A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH,... 1. A S : A,,N A 2. S A : {K A,, L, N A } K AS, {K A,A,L} KS 3. A : {A,T A } K A, {K A,A,L} KS 4. A : {T A +1} K A The SSL/TLS Protocol The Secure Sockets Layer (SSL) protocol has been renamed the Transport Layer Security (TLS). It provides encrypted socket communication and authentication, based on public keys. It may use a range of ciphers (RSA,DES,DH,..) These are negotiated at the start of the run. Certificates ut how do you know the public key of the website? Every browser comes with the public verification keys for a number of trusted companies. These companies will verify the identity of others, and sign their public keys. X.509 Standard for Certificates X.509 certificates contain a subject, subject s public key, Issuer name, etc The issuer signs the hash of all the data To check a certificate I hash all the data and check the issuers public key. If I have the issuer s public key, and trust the issuer, I can then be sure of the subject s public key. 4

Transport Layer Security (TLS) The core protocol goes: Transport Layer Security (TLS) The core protocol goes: 1. C S : N C 2. S C : N S, Cert S 3. C S : E S (K_seed), Sign C (Hash1), {Hash2} K CS 4. S C : {Hash3} K CS Hash 1 = #(N C,N S, E S (K_seed)) Hash 2 = #(N C,N S, E S (K_seed), Sign C (Hash1) ) Hash 3 = #(N C,N S, E S (K_seed), Sign C (Hash1), {Hash2} K CS ) 1. C S : N C 2. S C : N S, Cert S 3. C S : E S (K_seed), Sign C (Hash1), {Hash2} K CS 4. S C : {Hash3} K CS All data is then encrypted with a session key based on N C, N S & K_seed, and hashed for integrity. The TSL Protocol The Internet Protocol Stack, (Most of the Time): The Internet Protocol Stack with TLS Stuff that you write TCP or UDP IP Ethernet or 802.11 Application Transport Network Link/Hardware The TLS layer runs between the Application and Transport layer. The encryption is transparent to the Application layer. Normal TCP and IP protocols etc. can be used at the low layers Application TLS Transport Network Link/Hardware 5

TLS in Java TLS with no Authentication Create a SSLServerSocketFactory using sockfact=sslserversocketfactory.getdefault(); Create a SSLServerSocket: secsock=sockfact.createserversocket(portno) Set the Ciphers: secsocket.setenabledciphersuites(ciphers); Listen on the socket for an encrypted connection: socket = (Socket) secsocket.accept(); Cipher Suites Public key infrastructure (PKI) Cipher Suites with encryptions and authentication: SSL_RSA_WITH_3DES_EDE_CC_SHA SSL_RSA_WITH_DES_CC_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_DHE_DSS_WITH_AES_128_CC_SHA TLS_DHE_DSS_WITH_AES_256_CC_SHA TLS_DHE_RSA_WITH_AES_128_CC_SHA TLS_DHE_RSA_WITH_AES_256_CC_SHA TLS_KR5_EXPORT_WITH_DES_CC_40_MD5 TLS_KR5_EXPORT_WITH_DES_CC_40_SHA... Cipher Suites with just authentication: SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA Cipher Suites with just encryptions: SSL_DH_anon_EXPORT_WITH_DES40_CC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_WITH_3DES_EDE_CC_SHA SSL_DH_anon_WITH_DES_CC_SHA SSL_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_WITH_AES_128_CC_SHA TLS_DH_anon_WITH_AES_256_CC_SHA X.509 certificates are an example of a PKI. ad point: you need to pay a trusted third party. Another system is known as web of trust This lets you sign the public keys of any of your friends. Then anyone that trusts you learns all of your friend s keys. Next Lecture The basic building blocks of the web: HTTP HTML JavaScript JSP SQL 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback