CIS 6930/4930 Computer and Network Security. Final exam review

Similar documents
AIT 682: Network and Systems Security

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CSC 474/574 Information Systems Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Authentication Handshakes

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

CSC/ECE 774 Advanced Network Security

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CSCE 715: Network Systems Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Trusted Intermediaries

AIT 682: Network and Systems Security

CSC 774 Network Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Security Handshake Pitfalls

Chapter 9 Public Key Cryptography. WANG YANG

Public Key Algorithms

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

David Wetherall, with some slides from Radia Perlman s security lectures.

Security Handshake Pitfalls

Public Key Algorithms

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Computer Networks. Wenzhong Li. Nanjing University

CSC 474/574 Information Systems Security

Network Security Chapter 8

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 2 Applied Cryptography (Part 2)

Kurose & Ross, Chapters (5 th ed.)

Chapter 6/8. IP Security

Encryption. INST 346, Section 0201 April 3, 2018

14. Internet Security (J. Kurose)

IP Security. Have a range of application specific security mechanisms

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

IP Security IK2218/EP2120

CS Computer Networks 1: Authentication

Cryptographic Checksums

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Real-time protocol. Chapter 16: Real-Time Communication Security

Diffie-Hellman. Part 1 Cryptography 136

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

CS 494/594 Computer and Network Security

Information Security CS 526

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Security Handshake Pitfalls

(2½ hours) Total Marks: 75

What did we talk about last time? Public key cryptography A little number theory

Overview. Public Key Algorithms I

COSC4377. Chapter 8 roadmap

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Chapter 9: Key Management

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

T Cryptography and Data Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Chapter 5: Network Layer Security

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

EEC-682/782 Computer Networks I

Cryptography and Network Security. Sixth Edition by William Stallings

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Spring 2010: CS419 Computer Security

CSC 474/574 Information Systems Security

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Cryptographic Protocols 1

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSC 6575: Internet Security Fall 2017

Lecture 1: Course Introduction

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

CSC 8560 Computer Networks: Network Security

Virtual Private Network

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

6. Security Handshake Pitfalls Contents

Lecture 9: Network Level Security IPSec

Cryptography (Overview)

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

Transcription:

CIS 6930/4930 Computer and Network Security Final exam review

About the Test This is an open book and open note exam. You are allowed to read your textbook and notes during the exam; You may bring your laptop to the exam but you are not allowed to access to internet during the exam. Before midterm 30%, after midterm 70% 4/12/2017 2

Introduction to Cryptography Basic Security Concepts Confidentiality, integrity, availability Introduction to Cryptography Secret key cryptography Sender and receiver share the same key Applications Communication over insecure channel, Secure storage, Authentication, Integrity check 4/12/2017 3

Introduction to Cryptography Introduction to Cryptography Public key cryptography Public key: publicly known Private key: kept secret by owner Encryption/decryption mode How the keys are used? Digital signature mode How the keys are used? Application: Secure communication, secure storage, authentication, digital signature, key exchange 4/12/2017 4

Introduction to Cryptography Introduction to Cryptography Hash function Map a message of arbitrary length to a fixed-length short message Desirable properties Performance, one-way, weak collision free, strong collision free 4/12/2017 5

DES DES Parameters Block size (input/output 64 bits) key size (56 bits) number of rounds (16 rounds) subkey generalization algorithm round function 4/12/2017 6

DES Round: f (Mangler) Function function f = Mangler Input block i 32-bit half block L i R i Expansion f K i 48 bits K i S-Box (substitution) L i+1 R i+1 Output block i+1 Permutation 32-bit half block 7

Modes of Block Cipher Operations ECB (Electronic Code Book) CBC (Cipher Block Chaining Mode) OFB (Output Feedback Mode) CFB (Cipher Feedback Mode) 4/12/2017 8

Modes of Block Cipher Operations Properties of Each Mode Chaining dependencies Error propagation Error recovery 4/12/2017 9

Double DES and Triple DES You need to understand how double and triple DES works Double DES C=Ek2(Ek1(P)) Triple DES C = Ek1(Dk2(Ek1(P)) Meet-in-the-middle attacks Operation modes using Triple DES 4/12/2017 10

The Meet-in-the-Middle Attack 1. Choose a plaintext P and generate ciphertext C, using double-des with K1+K2 2. Then a. encrypt P using single-des for all possible 2 56 values K 1 to generate all possible single-des ciphertexts for P: X 1,X 2,,X 2 56 ; store these in a table indexed by ciphertex values b. decrypt C using single-des for all possible 2 56 values K 2 to generate all possible single-des plaintexts for C: Y 1,Y 2,,Y 2 56 ; for each value, check the table 11

3. Meet-in-the-middle: Steps (Cont d) Each match (X i = Y j ) reveals a candidate key pair K i +K j There are 2 112 pairs but there are only 2 64 X s 4. On average, how many pairs have identical X and Y? For any pair (X, Y), the probability that X = Y is 1/ 2 64 There are 2 112 pairs. The average number of pairs that result in identical X and Y is 2 112 / 2 64 = 2 48 12

Steps (Cont d) 5. The attacker uses a second pair of plaintext and ciphertext to try the 2 48 Key pairs There are 2 48 pairs and there are 2 64 X s (Y s) The average number of pairs that result in identical X and Y is 2 48 / 2 64 = 2-16 The expected number of survived candidate key pairs is less than 1. After examine two pairs of plaintext and ciphtertext, the attacker identifies the key 13

Number Theory Summary Fermat: If p is prime and a is positive integer not divisible by p, then a p-1 1 (mod p) Example: 11 is prime, 3 not divisible by 11, so 3 11-1 = 59049 1 (mod 11) Euler: For every a and n that are relatively prime, then a ø(n) 1 mod n Example: For a = 3, n = 10, which relatively prime: (10) = 4, 3 (10) = 3 4 = 81 1 mod 10 Variant: for all a in Z n *, and all non-negative k, a k (n)+1 a mod n Example: for n = 20, a = 7, (n) = 8, and k = 3: 7 3*8+1 7 mod 20 Generalized Euler s Theorem: for n = pq (p and q are distinct primes), all a in Z n, and all non-negative k, a k (n)+1 a mod n Example: for n = 15, a = 6, (n) = 8, and k = 3: 6 3*8+1 6 mod 15 x y mod n = x y mod (n) mod n (foundation for RSA public key cryptographic) Example: x = 5, y = 7, n = 6, (6) = 2, 5 7 mod 6 = 5 7 mod 2 mod 6 = 5 mod 6 14

Public Key Cryptography RSA Algorithm Basis: factorization of large numbers is hard Variable key length (1024 bits or greater) Variable plaintext block size plaintext block size must be smaller than key size ciphertext block size is same as key size 4/12/2017 15

Generating a Public/Private Key Pair Find large primes p and q Let n = p*q do not disclose p and q! (n) = (p-1)*(q-1) Choose an e that is relatively prime to (n) public key = <e,n> Find d = multiplicative inverse of e mod (n) (i.e., e*d = 1 mod (n)) private key = <d,n> 16

RSA Operations For plaintext message m and ciphertext c Encryption: c = m e mod n, m < n Decryption: m = c d mod n Signing: s = m d mod n, m < n Verification: m = s e mod n 17

Diffie-Hellman Protocol For negotiating a shared secret key using only public communication Does not provide authentication of communicating parties What s involved? p is a large prime number (about 512 bits) g is a primitive root of p, and g < p p and g are publicly known 18

D-H Key Exchange Protocol Alice Publishes g and p Bob Reads g and p Picks random number S A (and keeps private) Computes T A = g S A mod p Picks random number S B (and keeps private) Computes T B = g S B mod p Sends T A to Bob, Sends T B to Alice, Computes T B S A mod p = Computes T A S B mod p 19

Key Exchange (Cont d) Alice and Bob have now both computed the same secret g S A S B mod p, which can then be used as the shared secret key K S A is the discrete logarithm of g S A mod p and S B is the discrete logarithm of g S B mod p = 20

Why is This Secure? Discrete log problem is hard: given a x mod b, a, and b, it is computationally infeasible to compute x 21

D-H Limitations Expensive exponential operation is required possible timing attacks?? Algorithm is useful for key negotiation only i.e., not for public key encryption/verification Not for user authentication In fact, you can negotiate a key with a complete stranger! 22

Man-In-The-Middle Attack Trudy impersonates as Alice to Bob, and also impersonates as Bob to Alice Alice Trudy Bob K1 = (g S A) S B K2 = (g S B) S A 23

Authenticating D-H Messages That is, you know who you re negotiating with, and that the messages haven t been modified Requires that communicating parties already share something Then use shared information to enable authentication 24

Using D-H in Phone Book Mode 1. Alice and Bob each chooses a secret number, generate T A and T B 2. Alice and Bob publish T A, T B, i.e., Alice can get Bob s T B at any time, Bob can get Alice s T A at any time 3. Alice and Bob can then generate a shared key without communicating but, they must be using the same p and g Essential requirement: reliability of the published values (no one can substitute false values) 25

Digital Signature Standard (DSS) Useful only for digital signing (no encryption or key exchange) Components SHA-1 to generate a hash value (some other hash functions also allowed now) Digital Signature Algorithm (DSA) to generate the digital signature from this hash value Designed to be fast for the signer rather than verifier 26

Digital Signature Algorithm (DSA) 1. Announce public parameters used for signing pick p (a prime with >= 1024 bits) pick q (a 160 bit prime) such that q (p 1) choose g h (p 1)/q mod p, where 1 < h < (p 1), such that g > 1 note: g is of order q mod p ex.: p = 103 ex.: q = 17 (divides 102) ex.: if h = 2, g = 2 6 mod 103 = 64 ex.: powers of 64 mod 103 = 64 79 9 61 93 81 34 13 8 100 14 72 76 23 30 66 1 17 values 27

DSA (Cont d) 2. User Alice generates a long-term private key x random integer with 0 < x < q 3. Alice generates a long-term public key y y = g x mod p ex.: x= 13 ex.: y = 64 13 mod 103 = 76 28

DSA (Cont d) 4. Alice randomly picks a per message secret number k such that 0 < k < q, and generates k -1 mod q 5. Signing message M r = (g k mod p) mod q s = [k 1 *(H(M)+x*r)] mod q transmitted info = M, r, s ex.: k = 12, 12-1 mod 17 = 10 ex.: r = (64 12 mod 103) mod 17 = 4 ex.: s = [10 * (75 + 13*4)] mod 17 = 12 ex.: H(M) = 75 ex.: M, 4, 12 29

Verifying a DSA Signature Known : g, p, q, y Received from signer: M, r, s 1. w = (s) 1 mod q 2. u 1 = [H(M) *w] mod q 3. u 2 = (r*w) mod q 4. v = [(g u1 *y u2 ) mod p] mod q ex.: p = 103, q = 17, g = 64, y = 76, H(M) = 75 5. If v = r, then the signature is verified ex.: M, 4, 12 ex.: w = 12-1 mod 17 = 10 ex.: u 1 = 75*10 mod 17 = 2 ex.: u 2 = 4*10 mod 17 = 6 ex.: v = [(64 2 * 76 6 ) mod 103] mod 17 = 4 30

Authentication Authentication is the process of reliably verifying certain information. Examples User authentication Allow a user to prove his/her identity to another entity (e.g., a system, a device). Message authentication Verify that a message has not been altered without proper authorization. 31

Password-Based User Authentication User demonstrates knowledge of a secret value to authenticate most common method of user authentication response challenge 32

Password Storage Storing unencrypted passwords in a file is high risk compromising the file system compromises all the stored passwords Better idea: use the password to compute a oneway function (e.g., a hash, an encryption), and store the output of the one-way function When a user inputs the requested password 1. compute its one-way function 2. compare with the stored value 33

Common Password Choices Pet names Common names Common words Dates Variations of above (backwards, append a few digits, etc.) 34

Dictionary Attacks (Cont d) Attack 3 (offline): To speed up search, pre-compute F(dictionary) A simple look up gives the password Eagle Wine Rose F XkPT %$DVC #AED! Look up TdWx% XkPT KYEN Dictionary Pre-computed Dictionary Password file 35

Password Salt To make the dictionary attack a bit more difficult Salt is a n-bit number between 0 and 2 n Derived from, for example, the system clock and the process identifier 36

S/Key Password Generation 1. Alice selects a password x 2. Alice specifies n, the number of passwords to generate 3. Alice s computer then generates a sequence of passwords x 1 = H(x) x 2 = H(x 1 ) x n = H(x n-1 ) x x (Password) H H H H x1 x2 x3 x4 37

Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate each other Establish session keys This process is not trivial; flaws in this process undermine secure communication 38

Mutual Authentication Alice I m Alice R 1 f(k Alice-Bob, R 1 ) Bob R 2 f(k Alice-Bob, R 2 ) Optimize Alice I m Alice, R 2 R 1, f(k Alice-Bob, R 2 ) f(k Alice-Bob, R 1 ) Bob 39

Mutual Authentication (Cont d) Reflection attack Trudy I m Alice, R 2 R 1, f(k Alice-Bob, R 2 ) f(k Alice-Bob, R 1 ) Bob Trudy I m Alice, R 1 R 3, f(k Alice-Bob, R 1 ) Bob 40

Mutual Authentication (Cont d) Alice I m Alice, R 2 R 1, f(k Alice-Bob, R 2 ) f(k Alice-Bob, R 1 ) Bob Alice I m Alice R 1 Countermeasure f(k Alice-Bob, R 1 ), R 2 f(k Alice-Bob, R 2 ) Bob 41

Trusted Key Servers How do a large number of users authenticate each other? inefficient / impractical for every pair of users to negotiate a secret key or share passwords Alternative: everybody shares a key with (and authenticates to) a single trusted third party Assumes there is a way to negotiate a key with the third party 42

Trusted (cont d) Shared keys between the Key Distribution Center (KDC) and users A B K A-KDC KDC K E-KDC K C-KDC K D-KDC C E D 43

Hierarchy (cont d) A K A-K1 K B-K1 KDC-1 Domain 2 B C K C-K1 K E-K2 E KDC-2 Domain 1 K D-K2 D 44

Needham-Schroeder Protocol Classic protocol for authentication with KDC Many others have been modeled after it (e.g., Kerberos) Alice N 1, Alice wants to talk to Bob K Alice {N 1, Bob, K AB, ticket to Bob}, where ticket to Bob = K Bob {K AB, Alice} Generate K AB KDC Bob ticket to Bob, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} How is Bob authenticated? How is Alice authenticated? How is KDC authenticated? What are the N s used for? Why is N-1 needed? 45

Needham-Schroeder Protocol (Cont d) A vulnerability When Trudy gets a previous key K AB used by Alice, Trudy may reuse a previous ticket issued to Bob for Alice Essential reason The ticket to Bob stays valid even if Alice changes her key 46

Expanded Needham-Schroeder Protocol I want to talk to you K Bob {N B } Alice Generate K AB ; extract N B N 1, Alice wants to talk to Bob, K Bob {N B } K Alice {N 1, Bob, K AB, ticket to Bob}, where ticket to Bob = K Bob {K AB, Alice, N B } KDC Bob ticket to Bob, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} 47

Otway-Rees Protocol Alice N C, Alice, Bob, K Alice {N A, N C, Alice, Bob } Bob Generate K AB Extract N B KDC K Alice {N A, N C, Alice, Bob }, K Bob {N B, N C, Alice, Bob } N C, K Alice {N A, K AB }, K Bob {N B, K AB } K Alice {N A, K AB } K AB {anything recognizable} Only has five messages KDC checks if N C matches in both cipher-texts Make sure that Bob is really Bob 48

Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative solution: Kerberos Based on secret key cryptography Solution #2 Public Key Infrastructure (PKI) Based on public key cryptography 49

Goals of Kerberos 1. User server mutual authentication 2. Users should only need to authenticate once to obtain services from multiple servers 3. Should scale to large numbers of users and servers makes use of a Key Distribution Center so servers don t need to store information about users 50

Some Properties Kerberos uses only secret key (symmetric) encryption originally, only DES, but now 3DES and AES as well A stateless protocol KDCs do not need to remember what messages have previously been generated or exchanged the state of the protocol negotiation is contained in the message contents 51

Protocol Sketch (Common Case) Alice #1 Login + Password #4 Request service from V #2 Alice wants to authenticate #3 Here s Alice s TGT #5 Alice wants service from V KDC Alice s Workstation #6 Here is key + ticket to use #7 Here is Alice s ticket for service + key to use #8 Alice s request for service is granted, using key supplied Server V 52

Some Differences with v4 1. v5 uses ASN.1 syntax to represent messages a standardized syntax, not particularly easy to read but, very flexible (optional fields, variable field lengths, extensible value sets, ) 2. v5 extends the set of encryption algorithms 3. v5 supports much longer ticket lifetimes 4. v5 allows Pre-authentication to thwart password attacks 5. v5 allows delegation of user access / rights 53

Delegation Giving someone else the right to access your services Some not-so-good ways to implement give someone else your password / key give someone else your tickets (TKT V s) Kerberos v5 provides 3 better choices 54

Pre-Authentication #3. KDC W: K A-KDC (ID A TS 1 Lifetime 1 K A-KDC ID KDC TGT) Reminder: Msg #3 is encrypted by the KDC with K A-KDC An adversary may send many authentication requests to cause the Denial-of-Service. Solution: before Msg #3, require Alice to send pre-authentication data to the KDC i.e., a timestamp encrypted with the shared master key this proves Alice knows the key 55

Pre-Authentication (Cont d) K V-KDC (ID A Addr A K A-V Lifetime 5 TS 5 ID V ) Msg#6 provides an opportunity for Alice to mount a password-guessing attack against the server key K V-KDC solution: servers are not allowed to generate keys based on (weak) passwords 56

What Is PKI Informally, the infrastructure supporting the use of public key cryptography. A PKI consists of Certificate Authority (CA) Certificates A repository for retrieving certificates A method of revoking/updating certificates 57

Certification Authorities (CA) A CA is a trusted node that maintains the public keys for all nodes (Each node maintains its own private key) 2 3 1 CA 4 If a new node is inserted in the network, only that new node and the CA need to be configured with the public key for that node 5 6 58

Certificates A CA is involved in authenticating users public keys by generating certificates A certificate is a signed message vouching that a particular name goes with a particular public key Example: 1. [Alice s public key is 876234] carol 2. [Carol s public key is 676554] Ted & [Alice s public key is 876234] carol Knowing the CA s public key, users can verify the certificate and authenticate Alice s public key 59

Certificates Certificates can hold expiration date and time Alice keeps the same certificate as long as she has the same public key and the certificate does not expire Alice can append the certificate to her messages so that others know for sure her public key 60

CA Advantages 1. The CA does not need to be online. [Why?] 2. If a CA crashes, then nodes that already have their certificates can still operate. 3. Certificates are not security sensitive (in terms of confidentiality). Can a compromised CA decrypt a conversation between two parties? Can a compromised CA fool Alice into accepting an incorrect public key for Bob, and then impersonate Bob to Alice? 61

PKI Models 1. Monopoly model 2. Monopoly + RA 3. Delegated CAs 4. Oligarchy model 5. Anarchy model 6. Name constraints 7. Top-down with name constraints 8. Bottom-up with name constraints 62

Certificate Revocation Certificates for public keys (Campus IDs) might need to be revoked from the system Someone is fired Someone is graduated Someone s certificate (card) is stolen 63

Certificate Revocation Certificates typically have an associated expiration time Typically in the order of months (too long to wait if it needs to be revoked) Solutions: Maintain a Certificate Revocation List (CRL) A CRL is issued periodically by the CA and contains all the revoked certificates Each transaction is checked against the CRL 64

CRLs 1. Why are CRLs issued periodically even if no certificates are revoked? 2. How frequent should CRLs be issued? 3. If a CRL is maintained, why associate an expiration time with certificates? 65

Delta CRL A Delta CRL includes lists changes from the last complete CRL Delta CRLs may be issued periodically (frequently) and full CRLs are issued less frequently 66

Good-lists vs. Bad-lists How about maintaining a list of valid certificates in the CRL instead of the revoked certificates? Is this more secure? Why? Problems: 1. A good list is likely to be much larger than the bad list (worse performance) 2. Organizations might not want to maintain its list of valid certificates public. Solution: The good-list can maintain only hashes of the valid certificates 67

IPsec Objectives (Cont d) IP layer security mechanism for IPv4 and IPv6 Not all applications need to be security aware Can be transparent to users Provide authentication and confidentiality mechanisms. 68

IPsec Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE SAD IPsec SA IPsec SAD SPD: Security Policy Database; IKE: Internet Key Exchange; SA: Security Association; SAD: Security Association Database. 69

IPsec Architecture (Cont d) Two Protocols (Mechanisms) Authentication Header (AH) Encapsulating Security Payload (ESP) IKE Protocol Internet Key Management 70

Tunnel Mode Encrypted Tunnel Gateway Gateway A Encrypted B New IP Header AH or ESP Header Orig IP Header TCP Data 71

Tunnel Mode (Cont d) Outer IP header IPsec header Inner IP header Higher layer protocol Destination IPsec entity ESP AH Real IP destination ESP applies only to the tunneled packet AH can be applied to portions of the outer header 72

Transport Mode A Encrypted/Authenticated B New IP Header AH or ESP Header TCP Data 73

Transport Mode (Cont d) IP header IP options IPsec header Higher layer protocol Real IP destination ESP AH ESP protects higher layer payload only AH can protect IP headers as well as higher layer payload 74

Security Association (SA) An association between a sender and a receiver Consists of a set of security related parameters E.g., sequence number, encryption key Determine IPsec processing for senders Determine IPsec decoding for destination SAs are not fixed! Generated and customized per traffic flows 75

Security Parameters Index (SPI) A bit string assigned to an SA. Carried in AH and ESP headers to enable the receiving system to select the SA under which the packet will be processed. 32 bits SPI + Dest IP address + IPsec Protocol Uniquely identifies each SA in SA Database (SAD) 76

Security Policy Database (SPD) Policy entries define which SA or SA Bundles to use on IP traffic Each host or gateway has their own SPD Index into SPD by Selector fields Selectors: IP and upper-layer protocol field values. Examples: Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, 77

Outbound Processing Outbound packet (on A) IP Packet Is it for IPsec? If so, which policy entry to select? SPD (Policy) SA Database A B Determine the SA and its SPI IPSec processing SPI & IPsec Packet Send to B 78

Inbound Processing Inbound packet (on B) From A A B SPI & Packet SA Database SPD (Policy) Use SPI to index the SAD Was packet properly secured? un-process Original IP Packet 79

Authentication Header (AH) Data integrity Entire packet has not been tampered with Authentication Can trust IP address source Use MAC to authenticate Anti-replay feature Integrity check value 80

IPsec Authentication Header SAD Next Header (TCP/UDP) Payload Length 6-2=4 Reserved SPI Sequence Number ICV 81

Encapsulated Security Protocol (ESP) Confidentiality for upper layer protocol Partial traffic flow confidentiality (Tunnel mode only) Data origin authentication 82

Authentication coverage Encrypted ESP Transport Example Original IP Header SPI Sequence Number Payload (TCP Header and Data) Variable Length Padding (0-255 bytes) Pad Length Next Header Integrity Check Value 83

Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate and establish IPsec SAs between two entities 84

Security Principles (Cont d) Perfect forward secrecy (PFS) Compromise of current keys (session key or longterm key) doesn t compromise past session keys. Concern for encryption keys but not for authentication keys. 85

Examples of Non Perfect Forward Secrecy Alice sends all messages with Bob s public key, Bob sends all messages with Alice s public key Kerberos Alice chooses session keys, and sends them to Bob, all encrypted with Bob s public key 86

Automatic Key Management Key establishment and management combined SKIP Key establishment protocol Oakley focus on key exchange Key management Internet Security Association & Key Management Protocol (ISAKMP) Focus on SA and key management Clearly separated from key exchange. 87

SKIP (Cont d) Two types of keys: 1. KEK 2. Packet key Certificate repository Bob s certificate Alice s certificate Alice Bob K p encrypted with KEK. Payload encrypted with K p. 88

SKIP (Cont d) Limitations No Perfect Forward Secrecy No concept of SA; difficult to work with the current IPsec architecture Not the standard, but remains as an alternative. 89

Oakley Oakley is a refinement of the basic Diffie- Hellman key exchange protocol. Why need refinement? Resource clogging attack Replay attack Man-in-the-middle attack Choice of D-H groups 90

Ephemeral Diffie-Hellman Short-term public key Short-term public key Session key is computed on the basis of short-term DH public keys. Exchange of these short-term public keys requires authentication and integrity. Digital signatures. Keyed message digests. Perfect forward secrecy? 91

Ephemeral Diffie-Hellman Question: What happens if the long term key is compromised? 92

Oakley ISAKMP Key exchange protocol Developed to use with ISAKMP ISAKMP Internet security association and key management protocol Defines procedures and packet formats to establish, negotiate, modify, and delete security associations. Defines payloads for security association, key exchange, etc. 93

IKE Overview (Cont d) Request-response protocol Initiator Responder Two phases Phase 1: Establish an IKE (ISAKMP) SA Phase 2: Use the IKE SA to establish IPsec SAs 94

IKE Overview (Cont d) Several Modes Phase 1: Main mode: identity protection Aggressive mode Phase 2: Quick mode Other modes New group mode Establish a new group to use in future negotiations Not in phase 1 or 2; Must only be used after phase 1 Informational exchanges 95

IKE Phase 1 Negotiating cryptographic parameters Specifies suites of acceptable algorithms: {(3DES, MD5, RSA public key encryption, DH), (AES, SHA-1, pre-shared key, elliptic curve), } Specifies a MUST be implemented set of algorithms: Encryption=DES, hash=md5/sha-1, authentication=pre-shared key/dh The lifetime of the SA can also be negotiated 96

IKE Phase 1 Four authentication methods Authentication with public signature key Authentication with public key encryption Authentication with public key encryption, revised Authentication with a pre-shared key 97

IKE Phase 2 -- Quick Mode Negotiates parameters for the phase-2 SA Information exchanged with quick mode must be protected by the phase-1 SA Essentially a SA negotiation and an exchange of nonces Used to derive keying materials for IPsec SAs 98

IKE Phase 2 -- Quick Mode (Cont d) 3-messages protocol X, Y, CP, traffic, SPI A, nonce A, g a mod p X, Y, CPA, traffic, SPI B, nonce B, g b mod p X, Y, ack 99

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback