COMPUTER SECURITY
7. Secure Communication Channels: 2 case studies (2)
Technologies' case studies (2)
WEP Wired Equivalent Privacy (3)
IPsec Internet Protocol Security (11)
SSL Secure Sockets Layer (25)
SSH Secure Shell (32)
PEM Privacy Enhanced Mail (39)
S/MIME Secure Multipurpose Internet Mail Extensions (41)
OpenPGP Open Pretty Good Privacy (42)
Pointers... (47)
1 47
7. Secure Communication Channels: 2 case studies
Technologies' case studies:
- WEP Wired Equivalent Privacy
- IPsec Internet Protocol Security
- SSL Secure Sockets Layer
- SSH Secure Shell
- PEM Privacy Enhanced Mail
- S/MIME Secure/Multipurpose Internet Mail Extensions
- OpenPGP Open Pretty Good Privacy
WEP Wired Equivalent Privacy
- confidentiality protection at the data link level (OSI)
- designed for wireless networks, IEEE 802.11
- confidentiality protection similar to that of the wired IEEE 802 networks!
- (optional) entity authentication (by shared key!)
- considered weak right from the beginning, mainly for its short (40 b) static keys (sensitive to brute-force attacks)
- reinforced by 128 b (and 256 b) keys; per-packet key system, Temporal Key Integrity Protocol (and later AES)
- replaced by WPA (Wi-Fi Protected Access) and later by WPA2, with IEEE 802.11i
Fig. protocol stack: App... / TCP / IP / WEP (Data Link) / ...
WEP: operation
- Association (!): contact the Access Point to get network services
- Authentication:
  - Open System: mere courtesy
  - Shared Key: proof of possession of the shared key
- Conversation (option: with confidentiality): exchange of packets (optionally ciphered with a stream cipher)
Fig. Mobile Station <-> Base Station (Access Point).
...WEP: operation (cont.)
Association (ASS):
  MS -> AP: ASS, MSaddr, SSid
  AP -> MS: ASS, Aid
Fig. Association of Mobile Station, MS, to base station, AP (Access Point), in IEEE 802.11's protocol. SSid is the identifier of the group of services requested from the AP. Aid is the association's identifier.
...WEP: operation (cont.)
Authentication (AUTH):
  Open System:
    MS -> AP: AUTH, OS, 1
    AP -> MS: AUTH, OS, 2
  Shared Key:
    MS -> AP: AUTH, SK, 1
    AP -> MS: AUTH, SK, R, 2
    MS -> AP: AUTH, SK, RC4K(R), 3
    AP -> MS: AUTH, SK, 4
...WEP: operation (cont.)
Conversation (DATA), WEP option:
  MS -> AP: DATA, RC4K(data)
  AP -> MS: DATA, RC4K(data) ...
- RC4 stream cipher
- shared key K used in the seed to the RC4 engine
- 64 b seed = IV (24 b) + K (40 b)
- IV is visible (and does not change from packet to packet!)
Cipher process in WEP
Fig. Cipher process in WEP:
  IV + K -> RC4 (keystream)
  Network Data -> CRC-32 -> ICV
  (Network Data || ICV) XOR keystream
  WEP packet data: IV | Enciphered Network Data | ICV (enciphered)
(ICV Integrity Check Value; CRC Cyclic Redundancy Check)
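The cipher process above, as an added worked example (not code from the slides): RC4 seeded with IV || K, a CRC-32 ICV appended before enciphering, and the IV sent in clear. The last function shows the point of the slide's warning about the IV: with the same IV and K the keystream repeats, so two frame bodies XOR to the XOR of their plaintexts. Key, IV and data are constructed sample values.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA). WEP's seed is IV || K: 24 + 40 bits."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    # ICV = CRC-32 of the network data, carried little-endian as in 802.11
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Protected part of a WEP frame: cleartext IV || RC4_{IV||K}(data || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    plain = data + _icv(data)
    ks = rc4_keystream(iv + key, len(plain))
    return iv + bytes(a ^ b for a, b in zip(plain, ks))


def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Recover the data; a wrong key or a modified frame shows up as an ICV mismatch."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = plain[:-4], plain[-4:]
    if icv != _icv(data):
        raise ValueError("ICV mismatch")
    return data


def keystream_reuse(key: bytes, iv: bytes, d1: bytes, d2: bytes) -> bytes:
    """Why a repeated IV matters: the same IV || K gives the same keystream, so the XOR of
    two frame bodies equals the XOR of their plaintexts (data || ICV), no key involved."""
    b1 = wep_encapsulate(key, iv, d1)[3:]
    b2 = wep_encapsulate(key, iv, d2)[3:]
    return bytes(x ^ y for x, y in zip(b1, b2))
```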
IEEE 802.11's packet format
- generic fields
- protected data part of the packet (if the W bit is active):
  WEP packet data: IV | Enciphered Network Data | ICV (enciphered)
WPA2 improvements (IEEE 802.11i, 2004)
- types of usage:
  - WPA Personal (domestic use): WPA2 with AES, Pre-Shared Key
  - WPA Enterprise: WPA2 with EAP-TLS and a RADIUS server
- cryptography tricks:
  - key mixing function, better than mere concatenation of the secret root key with the initialization vector
  - sequence counter, to protect against replay attacks
  - 64 bit Message Integrity Check (MIC)
- Curiosity: most attacks still go through the supplementary system WPS, Wi-Fi Protected Setup!
Ref.: standards.ieee.org/about/get/802/802.11.html
IPsec Internet Protocol Security
- multiple services: confidentiality, integrity, protection against replay attacks
- symmetrical and asymmetrical cryptography
- multiple algorithms: possible choice, possible future change
- multiple granularities:
  - TCP connection protection
  - protection of the connection between machine pairs
  - protection of the connection between routers
- connection oriented -> security association, SA
Security Association
- OSI level: network
- unidirectional connection
- identification: security parameter index, SPI: index for the associations table, with all agreed information
- stored info:
  - IP destination address
  - cryptographic algorithms and keys
  - security protocol (AH or ESP)
  - maximum traffic or duration of the connection
  - utilization mode (transport, tunnel...)
Fig. protocol stack: App... / TCP / IPsec/IP / Data Link...
Security Policies
- table with instructions for packets' handling (Security Policy Database, SPD)
- info on sender and receiver; the receiver includes machine (IPsec on routers) and port
- typical options: discard packet, apply security services, reroute it
- table similar to gateways' and firewalls'
Example:
  origin          destination            port   action
  192.168.2.9     10.1.2.3 10.1.2.99     25     discard
  192.168.19.7    10.1.2.3 10.1.2.99     25     reroute
  *               10.1.2.3 10.1.2.99     25     apply IPsec
  *               10.1.2.3 10.1.2.99     80     reroute
  *               *                      *      discard
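The SPD table above as an added, runnable example (not code from the slides). Two assumptions are mine: the two destination addresses of a row are read as an inclusive range, and rules are evaluated in order with the first match winning, as in a firewall, which is why the specific rows come before the wildcard ones and the last row is the catch-all.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class SpdRule:
    origin: str          # one address, or "*"
    dst_lo: str          # destination range, inclusive, or "*" in both fields
    dst_hi: str
    port: object         # int, or "*"
    action: str          # "discard", "reroute" or "apply IPsec"

    def matches(self, origin: str, destination: str, port: int) -> bool:
        if self.origin != ANY and ipaddress.ip_address(self.origin) != ipaddress.ip_address(origin):
            return False
        if self.dst_lo != ANY:
            dst = ipaddress.ip_address(destination)
            if not ipaddress.ip_address(self.dst_lo) <= dst <= ipaddress.ip_address(self.dst_hi):
                return False
        return self.port == ANY or self.port == port


def spd_lookup(spd, origin: str, destination: str, port: int) -> str:
    """First matching rule wins, so specific rules go first and the table must end
    with a catch-all (here: discard); a wildcard rule placed too early shadows the rest."""
    for rule in spd:
        if rule.matches(origin, destination, port):
            return rule.action
    raise LookupError("no SPD entry matched: the table lacks a final catch-all rule")


# The table from the slide, constructed here in code.
SPD = [
    SpdRule("192.168.2.9",  "10.1.2.3", "10.1.2.99", 25,  "discard"),
    SpdRule("192.168.19.7", "10.1.2.3", "10.1.2.99", 25,  "reroute"),
    SpdRule(ANY,            "10.1.2.3", "10.1.2.99", 25,  "apply IPsec"),
    SpdRule(ANY,            "10.1.2.3", "10.1.2.99", 80,  "reroute"),
    SpdRule(ANY,            ANY,        ANY,         ANY, "discard"),
]
```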
IPsec's operation
- setting of keys: IKE Internet Key Exchange
  - parameter negotiation and mutual authentication
  - setting up of a security association (SA)
  - IKEv1 was unnecessarily complex; the current version is 2 (RFC 4306)
- setting of services (using the agreed keys and algorithms):
  - integrity, protection against replay attacks: AH Authentication Header protocol
  - confidentiality, integrity, protection against replay attacks: ESP Encapsulating Security Payload protocol
References: tools.ietf.org/html/rfc[4301-4309]
IPsec: IKE Internet Key Exchange (v2)
- group of message-pair exchanges (UDP, ports 500 or 4500)
- has 2 phases:
  - Phase 1 (IKE_SA): mutual authentication and base agreements; IKE_SA_INIT + IKE_AUTH (4 messages are enough!):
    - master key generation by the Diffie-Hellman algorithm
    - mutual authentication (predefined keys, or public keys via digital certificates)
    - establishment of a security association (AH or ESP)
  - Phase 2 (CREATE_CHILD_SA, INFORMATIONAL): setting of additional SAs or exchange of control information:
    - message exchanges protected by the session keys from Phase 1
    - multiple possibilities of negotiation and control
IPsec: AH (Authentication Header) protocol
- integrity, protection against replay attacks
Fig. Protection by the Authentication Header protocol (in transport mode, as explained below):
  before:  | Transport | Data |
  IPsec:   | IPh | AH | Transport | Data |   <- authenticated*
(* The mutable fields in the IP header do not have integrity protection.)
...IPsec: AH protocol (cont.)
Fig. Utilization of the AH protocol (picture enhancing the header fields), in transport mode, as explained below.
...IPsec: AH protocol (cont.)
Fields of AH:
- Next header: type of the payload header. Examples: IP=4; AH=51; ESP=50; TCP=6; UDP=17.
- Payload len: length of the AH protocol header (in 32 b words) minus 2
- Security parameters index: identifier of the security association, SA
- Sequence number: (unique) identifier for all protected packets
- Authentication data: HMAC of the payload (shared key!)
- Payload + padding: packet net data with padding
IPsec: ESP (Encapsulating Security Payload) protocol
- integrity, confidentiality, protection against replay attacks
Fig. Protection by the Encapsulating Security Payload protocol (in transport mode, as explained below):
  before:  | Transport | Data |
  IPsec:   | IPh | ESPh | Enciphered Transport Data | ESPt |
            authenticated*: ESPh .. ESPt; enciphered*: Transport Data .. ESPt
(* Only part of the ESP footer has integrity and confidentiality protection.)
...IPsec: ESP protocol (cont.)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
|               Security Parameters Index (SPI)                 | ^Auth.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|                      Sequence Number                          | |erage
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
|                    Payload Data* (variable)                   | |   ^
~                                                               ~ |   |
|                                                               | |Conf.
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|               |     Padding (0-255 bytes)                     | |erage*
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
|                               |  Pad Length   | Next Header   | v   v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
|                 Authentication Data (variable)                |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fig. Structure of a packet protected with the ESP protocol (in RFC 2406), in transport mode, as explained below.
(* If included in the Payload field, cryptographic synchronization data, e.g., an Initialization Vector, usually is not encrypted per se.)
...IPsec: ESP protocol (cont.)
Fields of ESP packets:
- Security parameters index: identifier of the SA
- Sequence number: (unique) identifier of all protected packets
- Payload + padding: packet net data with padding. With the confidentiality service, includes the initialization vector (IV) for the cipher algorithm.
- Pad length: number of bytes of padding
- Next header: type of the payload header
- Authentication data: HMAC of the payload (shared key!)
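The ESP layout and field list above, as an added example (my code, not the slides'): a packet is built with the NULL cipher (RFC 2410) and HMAC-SHA1-96 (RFC 2404) so that every field stays visible, and the receiver checks the ICV first and then enforces the anti-replay window on the sequence number, the check that the "protection against replay attacks" service consists of. Key, SPI and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): the 160-bit tag is truncated to 96 bits


def esp_build(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """One ESP packet with the NULL cipher; with a real cipher the payload, padding,
    pad length and next header are encrypted first and the ICV covers the ciphertext."""
    pad_len = (-(len(payload) + 2)) % 4                # trailer must end on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))             # RFC 2406 default padding: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound side of one SA: integrity check, then the sliding anti-replay window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.top = 0           # highest sequence number accepted so far
        self.seen = 0          # bitmap: bit i set <=> sequence number top - i was received

    def receive(self, packet: bytes):
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: dropped before any other processing")
        spi, seq = struct.unpack("!II", body[:8])
        if seq == 0 or seq + self.window <= self.top:
            raise ValueError("replay: sequence number is left of the window")
        if seq > self.top:                                  # advance the window
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:                                               # inside the window: new or duplicate?
            bit = 1 << (self.top - seq)
            if self.seen & bit:
                raise ValueError("replay: duplicate sequence number")
            self.seen |= bit
        pad_len, next_header = body[-2], body[-1]
        return spi, seq, next_header, body[8:len(body) - 2 - pad_len]
```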
IPsec: Modes of operation (AH and ESP)
- transport:
  - protection of data from the Transport layer
  - IPsec needs a change in the system's Network layer
  - good for endpoint-to-endpoint communication
  Fig. stack: APP... / TCP / IPsec ...
- tunnel:
  - protection of data from the normal Network layer
  - IPsec adds a new (sub-Network) layer to the system
  - usually used for protection between gateways, so not between the communication endpoints
  Fig. stack: APP... / TCP / IP / IPsec ...
IPsec: modes of operation with AH
Transport mode:
  before:  | Transport | Data |
  IPsec:   | IPh | AH | Transport | Data |
Tunnel mode:
  IP:      | IPh | Transport | Data |
  IPsec:   | IPh | AH | IPh | Transport | Data |
            (the inner IP packet becomes the pre-Network data)
IPsec: modes of operation with ESP
Transport mode:
  before:  | Transport | Data |
  IPsec:   | IPh | ESPh | Enciphered Transport Data | ESPt |
Tunnel mode:
  IP:      | IPh | Transport | Data |
  IPsec:   | IPh | ESPh | Enciphered (IPh | Transport | Data) | ESPt |
            (the inner IP packet becomes the pre-Network data)
SSL Secure Sockets Layer
Services:
- mutual authentication
- integrity protection of communication
- privacy protection of communication
- parameter negotiation between the parties (client and server)
- data compression
History:
- protocol associated with the WWWeb: Netscape, 1995
- HTTPS = HTTP + SSL
- SSL version 3 ~ TLS (Transport Layer Security) v.1, but not interoperable! IETF RFC 4346
SSL: location in OSI layers
- between the Application and Transport layers: Session and Presentation
Fig. stack: HTTP / SSL/TLS / TCP / IP
- Problem: TCP ignores SSL!
  - denial of service attack: insertion of a phony SSL packet, although TCP-correct, into the communication flow: TCP accepts the phony packet, but later rejects the real one; SSL will signal an error condition and the secure channel will have to be restarted!
SSL: protocol structure
- in time:
  - initial connection (handshake protocol): parameter negotiation and server authentication
  - utilization (record protocol): protected conversation
- in space:
  - connection control (handshake protocol!), Presentation layer!: initial negotiation, alert messages, etc.
  - message exchange support (record protocol!), Session layer!: data packaging, ciphering, compression, etc.
SSL: connection establishment protocol
Fig. SSLv3: possible (simplified!) steps of the connection establishment protocol.
...SSL: connection establishment protocol (cont.)
Steps:
1: A sends to the server (B) cryptographic proposals and the nonce RA.
2: B chooses the cryptographic methods and sends A its own nonce RB.
3: B sends its digital certificates (its public key for the chosen authentication algorithm). At this point, B could ask A for a similar identification. But this is seldom done: client authentication is usually done later by the application (and over SSL).
4: B is satisfied, for now...
5: Ciphered with B's public key, A sends a random number (the premaster key). A and B can now generate a session key: K = f(premaster key, RA, RB)
6-9: A and B signal each other the start of ciphering of messages with K
SSL: connection usage protocol
Fig. SSLv3: protocol for connection usage. The steps are taken by both entities.
...SSL (cont.)
Exercise: Using the features of the program openssl, connect to Web servers with SSL and study the protocol message exchanges.
References: www.vanemery.com/linux/apache/openssl.html ; www.openssl.org
SSH Secure Shell
Services:
- authentication, confidentiality and integrity of sessions of: remote terminal, file transfer, port rerouting
History:
- SSH, 1995: Tatu Ylönen, TKK Helsinki University of Technology
- SSH 2, 1996: modularization, protocol negotiation, channel multiplexing, DH...
- proposed IETF standard, 2006: IETF RFC 4250-4254
- OpenSSH, free version! (www.openssh.org)
SSH: location in OSI layers
- between the Application and Transport layers: Session and Presentation (just like SSL)
Fig. stack: APP... / SSH / TCP / IP...
SSH: protocol stack (~ in space!):
- Connection: user-level services
- Authentication: of the client towards the server
- Transport: basic security services
SSH: connection protocol
user-level services:
- point-to-point security
- remote terminal
- file transfer
- tunneling: port forwarding in the client and in the server; forwarding of the X11 protocol
SSH: transport protocol
basic security services:
- server authentication (beware of the 1st connection!) (Fig)
- confidentiality (negotiable algorithm)
- data integrity (negotiable algorithm)
- session identification (useful to the upper layers)
- perfect forward secrecy (random temporary session keys!)
- compression (optional!)
Fig. Phase 1: SSH authentication protocol for the server (practical work).
  Local (Lm)                          Remote (Rm)
  n1 ------------------------------->
     <------------------------------- KRm(n1) ; KRm
  has old KRm? accept new KRm?  ->  cont. Phase 2 / break!
...SSH: transport protocol (cont.)
Important problem: does the Client know that the Server is the real one?
+ Yes, if it has access to the genuine KS! But does it normally have it?......
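The "has old KRm? accept new KRm?" decision of Phase 1 and the question above, as an added example (my code, not the slides' or OpenSSH's): a small known_hosts-style store that accepts a server key only on an explicit first-use decision, later recognises it, and refuses a changed key outright, which is the one case where a client cannot tell a reinstalled server from an interposed one. The signature check over n1 is out of scope here; the host names and key blobs in the test are constructed.

```python
import base64
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style presentation of a key: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Client-side store of server host keys (KS in the slides), in the spirit of
    ~/.ssh/known_hosts: one line per host, 'host keytype base64-blob'."""

    def __init__(self, text: str = ""):
        self.keys = {}                                   # host -> (keytype, raw key bytes)
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            host, keytype, blob = line.split()[:3]
            self.keys[host] = (keytype, base64.b64decode(blob))

    def dump(self) -> str:
        return "".join(f"{h} {t} {base64.b64encode(k).decode()}\n"
                       for h, (t, k) in self.keys.items())

    def verify(self, host: str, keytype: str, presented: bytes, accept_new: bool = False) -> str:
        """'known' when the presented key matches the stored one, 'new' when it is stored on
        first use; a changed key is refused, never silently replaced."""
        stored = self.keys.get(host)
        if stored is None:
            if not accept_new:
                raise PermissionError(f"{host}: unknown host key {fingerprint(presented)}; "
                                      "confirm it out of band before connecting")
            self.keys[host] = (keytype, presented)       # trust on first use
            return "new"
        if stored != (keytype, presented):
            raise PermissionError(f"{host}: HOST KEY CHANGED, expected {fingerprint(stored[1])}, "
                                  f"got {fingerprint(presented)}")
        return "known"
```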
SSH: authentication protocol
of the client towards the server:
- by public key (preferred!) (Fig)
- by password (most used!) (Fig)
- by machine (dangerous!)
- other...
Fig. Phase 2: authentication protocol for the client by password and by public key (practical work).
  By password:
  Local (Lm)                          Remote (Rm)
  ruser1! -------------------------->
           <------------------------- pass1?
  pass1! --------------------------->  ruser1: pass1
  By public key (Phase 2, alt):
  Local (Lm)                          Remote (Rm)
  luser2: Klu2 ; Klu2                 ruser1: luser2: Klu2
  luser2 ; ruser1! ----------------->
           <------------------------- n2
  Klu2(n2)! ------------------------>
...SSH (cont.)
Exercise: Using the debugging features of ssh, connect to servers and study the protocol message exchanges.
References: tools.ietf.org/html/rfc[4250-4254] ; www.rfc-archive.org/getrfc.php?rfc=4716
PEM Privacy Enhanced Mail
History:
- has seen better days... (~1990; IETF RFC 1421...), but even then was never a success
- would use a centralized PKI (Public Key Infrastructure) -> main cause of its failure?
Compatibility:
- operates with normal email servers
- is located at the application OSI level: does not need OS substitution
Fig. stack: PEM / TCP / IP...
PEM: features
- confidentiality, authentication and message integrity
  - does not protect headers! (Subject:, To:, From:, ...)
- types of message:
  - normal (ignoring PEM)
  - with integrity protection (MIC-CLEAR)
  - with Base64 coding and integrity protection (MIC-ONLY)
  - enciphered and with integrity protection (ENCRYPTED)
- asymmetrical and symmetrical cryptography:
  - symmetrical cipher, with session key; the session key is passed symmetrically or asymmetrically
  - asymmetrical cryptography, with keys from digital certificates; digital certificates are passed in the messages: independence from a public key directory service!
S/MIME Secure Multipurpose Internet Mail Extensions
- consistent way to send and receive secure MIME data
- provides the cryptographic security services for electronic messaging:
  - authentication
  - message integrity
  - non-repudiation of origin (using digital signatures)
  - privacy and data security (using encryption)
- can be used with traditional mail user agents and any transport mechanism that transports MIME data, such as HTTP
...to be continued...
OpenPGP Open Pretty Good Privacy
History:
- original author (PGP): Philip Zimmermann, 1991
- private electronic mail for everyone! «If privacy is outlawed, only outlaws will have privacy!»
- conflict with the government of the United States went on for years (1993-96)
Compatibility: identical to PEM's
- operates with normal email servers
- is located at the application OSI level: does not need OS substitution
Fig. stack: OpenPGP / TCP / IP...
OpenPGP: features
- standard IETF version (RFC 4880) of PGP's original idea and system
- goals and operation similar to PEM's:
  - confidentiality, authentication and message integrity (except headers!)
  - asymmetrical and symmetrical cryptography
  - symmetrical cipher, with session key
- main differences:
  - always used stronger algorithms (RSA, IDEA)
  - also compacts messages
  - the validation of public keys uses an interesting decentralized technique (ring of trust)
- competitor of S/MIME
- important free implementation: GPG Gnu Privacy Guard
OpenPGP: public key management
the ring of trust:
- each user assigns a certain degree of trust to another user (in the sense that he/she finds them to be a reliable key signer!): unknown, none, marginal, total
- the system calculates the validity of a public key (of a user) based on the trust assigned to the users that have signed it: unknown, doubtful, valid
- classically, a key was valid if it was signed by:
  - a user with total trust
  - two users with marginal trust
- GnuPG allows the fine tuning of the algorithm by considering a key as valid if:
  - a number of users with total trust signed it (default, 1!)
  - a number of users with marginal trust signed it (default, 3)
  - but only if the signature path (number of signed signatures) is limited (less than 5)
(in: The PGP Web of Trust, William Stallings, BYTE, Feb. 1995)
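The validity calculation of the ring of trust above, as an added example (my code, not GnuPG's): only signatures made by keys that are themselves already valid count, a key becomes valid when enough fully or marginally trusted valid keys signed it, and the certification path is capped at the slide's "less than 5". The split into unknown / doubtful / valid is my simplification: "doubtful" means some trusted valid signer exists but the thresholds are not met. The key ring below is constructed.

```python
UNKNOWN, NONE, MARGINAL, FULL = "unknown", "none", "marginal", "full"


def compute_validity(signatures, owner_trust, ultimate,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """signatures[key] = set of keys that signed it; owner_trust[key] = trust in that key's
    owner as a signer; ultimate = our own keys (valid at depth 0, treated as fully trusted).
    Returns {key: 'valid' | 'doubtful' | 'unknown'}; the slide's classic rule is
    completes_needed=1, marginals_needed=2."""
    trust = dict(owner_trust)
    trust.update({k: FULL for k in ultimate})
    valid = {k: 0 for k in ultimate}                    # key -> length of its certification path
    for depth in range(1, max_depth):                   # paths must stay shorter than max_depth
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # only keys already valid at a shorter depth may certify others
            full = sum(1 for s in signers if s in valid and trust.get(s) == FULL)
            marginal = sum(1 for s in signers if s in valid and trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)                             # merge after the round, keeping depths exact
    result = {}
    for key, signers in signatures.items():
        if key in valid:
            result[key] = "valid"
        elif any(s in valid and trust.get(s) in (MARGINAL, FULL) for s in signers):
            result[key] = "doubtful"                    # trusted signers exist, but not enough
        else:
            result[key] = "unknown"
    return result


# Constructed key ring: who signed whom, and how much we trust each owner as a signer.
SIGNATURES = {
    "alice": {"me"}, "bob": {"alice"},
    "dave": {"me"}, "erin": {"me"}, "frank": {"me"},
    "carol": {"dave", "erin", "frank"}, "gina": {"dave", "erin"},
    "c1": {"me"}, "c2": {"c1"}, "c3": {"c2"}, "c4": {"c3"}, "c5": {"c4"},
    "hank": {"zed"},
}
OWNER_TRUST = {"alice": FULL, "dave": MARGINAL, "erin": MARGINAL, "frank": MARGINAL,
               "c1": FULL, "c2": FULL, "c3": FULL, "c4": FULL}
```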
Short comparison between OpenPGP, PEM and S/MIME
certification of public keys:
  OpenPGP: directly or through digital certificates; up to the user
  PEM: through digital certificates; single hierarchy of Certification Authorities*
  S/MIME: through digital certificates; multiple parallel hierarchies
validation of certificates:
  OpenPGP: hard, because it relies only on the user (web of trust)
  PEM: easy, once the certification hierarchy is established
  S/MIME: easy, based on PKIX's procedure model, with X.509 certificates
trust on the system:
  OpenPGP: up to the user
  PEM: complete (a single hierarchy)
  S/MIME: the user chooses the hierarchy to trust
security's potential:
  OpenPGP: great; PEM: low; S/MIME: great
character encoding scheme:
  OpenPGP: Radix-64** (~ Base64 + CRC); PEM: Base64 (RFC 1421); S/MIME: ~ Base64
* top entity: IPRA Internet Policy Registration Authority
** also known as ASCII Armor
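The "Radix-64 ~ Base64 + CRC" entry of the table, as an added example (my code, not the slides' or any OpenPGP implementation's): ASCII armor per RFC 4880 section 6, with the CRC-24 of the binary data appended on a "=" line and checked again on the way back, so that a transmission error in the armored text is reported instead of being passed on as corrupted data.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 section 6.1 (bitwise reference form)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "MESSAGE") -> str:
    """Radix-64 = Base64 body in lines of at most 76 characters, plus a '=' CRC-24 line."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 76] for i in range(0, len(body), 76)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + [crc_line, f"-----END PGP {block_type}-----"]) + "\n"


def dearmor(text: str) -> bytes:
    """Strip the armor and refuse the data when the CRC-24 does not match it."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("missing armor header or tail line")
    # armor headers (Version:, Comment:, ...) run up to the first blank line
    body_start = lines.index("") + 1 if "" in lines else 1
    crc_line = lines[-2]
    if not crc_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(lines[body_start:-2]))
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("CRC-24 mismatch: armored text was altered in transit")
    return data
```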
Pointers...
- The IEEE 802.11 standards, 2012, IEEE Standards Association: standards.ieee.org/about/get/802/802.11.html
- The IPsec IETF RFCs, 1995-2010, R. Atkinson and others: tools.ietf.org/html/rfc4301
- The S/MIME IETF RFCs, 1998-2010, S. Dusse and others: tools.ietf.org/html/rfc5751
- The PEM IETF RFCs, 1987-1993, John Linn: tools.ietf.org/html/rfc1421
- The SSH IETF RFCs, 2006, T. Ylonen et al.: tools.ietf.org/html/rfc4251
- The TLS IETF RFCs, 1999-2006, T. Dierks and others: tools.ietf.org/html/rfc4346
- The OpenPGP IETF RFCs, 1996-2007, P. Zimmermann and others: tools.ietf.org/html/rfc4880