Core Security Services and Bootstrapping in the Cherubim Security System

Similar documents
BCA III Network security and Cryptography Examination-2016 Model Paper 1

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

(2½ hours) Total Marks: 75

David Wetherall, with some slides from Radia Perlman s security lectures.

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Password. authentication through passwords

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Encryption. INST 346, Section 0201 April 3, 2018

APNIC elearning: Cryptography Basics

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

PROTECTING CONVERSATIONS

KALASALINGAM UNIVERSITY

Security. Communication security. System Security

CSC/ECE 774 Advanced Network Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Cryptography (Overview)

Session key establishment protocols

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Session key establishment protocols

The Linux Kernel Cryptographic API

Cryptographic Concepts

Introduction to Cryptography. Vasil Slavov William Jewell College

1.264 Lecture 28. Cryptography: Asymmetric keys

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

CS 161 Computer Security

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Encrypting and Decrypting using CTR and CBC Modes in C# with BouncyCastle

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Kurose & Ross, Chapters (5 th ed.)

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

NETWORK SECURITY & CRYPTOGRAPHY

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Overview. SSL Cryptography Overview CHAPTER 1

CS 161 Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Technological foundation

CSC 774 Network Security

CS 161 Computer Security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Security Handshake Pitfalls

Public Key Algorithms

Security and Anonymity

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 1: Course Introduction

The Design of an Anonymous and a Fair Novel E-cash System

Security with VA Smalltalk

Practical Aspects of Modern Cryptography

NIST Cryptographic Toolkit

A simple approach of Peer-to-Peer E-Cash system

Data Security and Privacy. Topic 14: Authentication and Key Establishment

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Spring 2010: CS419 Computer Security

Symmetric Encryption

CIS 4360 Secure Computer Systems Symmetric Cryptography

Encryption 2. Tom Chothia Computer Security: Lecture 3

CPSC 467b: Cryptography and Computer Security

Symmetric, Asymmetric, and One Way Technologies

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

EEC-484/584 Computer Networks

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Checksums

Cryptography MIS

T Cryptography and Data Security

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography and Network Security

Public Key Algorithms

UNIT - IV Cryptographic Hash Function 31.1

Lecture 2 Applied Cryptography (Part 2)

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Lecture 1 Applied Cryptography (Part 1)

Sample excerpt. Virtual Private Networks. Contents

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Authentication Handshakes

Unit 8 Review. Secure your network! CS144, Stanford University

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Study Guide to Mideterm Exam

Sharing Secrets using Encryption Facility - Handson

S. Erfani, ECE Dept., University of Windsor Network Security

Grenzen der Kryptographie

Security Handshake Pitfalls

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

EEC-682/782 Computer Networks I

n-bit Output Feedback

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Proving who you are. Passwords and TLS

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Appendix A: Introduction to cryptographic algorithms and protocols

Transcription:

Core Security Services and Bootstrapping in the Cherubim Security System Charles Willis cfwillis@uiuc.edu Technical Report 2 July 1998 University of Illinois at Urbana-Champaign Department of Computer Science 1304 W. Springfield Ave Urbana IL 61801

Abstract This report describes the implementation of the core security services and bootstrapping architecture in the Cherubim Security System. The core security services encapsulate the basic facilities required for the Cherubim dynamic security policy research project, including encryption, digital signatures, and authentication. The core security services provide a uniform interface to an implementation that can be built with a variety of standard security components. The secure bootstrapping process allows Cherubim clients, using a smartcard, to have universal remote access to standard services. This allows us to build a security system with maximum configurability and extensibility which is essential to many emerging applications like active networks and mobile computing 2

Table of Contents Abstract...2 Table of Contents...3 Introduction...4 Core Security Services...4 Why Build Yet Another Cryptographic API?...4 The Heart of the System...4 Encryption...4 Decryption...5 Digital Signatures...5 Signature Verification...5 Secure Hashing...6 Secret Key generation from a Passphrase...6 Authentication and Key Negotiation...7 Sequence of Events...7 Diffie-Hellman exchange parameters...8 Cherubim Bootstrapping Mechanism...9 The Classloader Hierarchy...9 Implementation...10 Initial Booting...10 Authentication and Key Negotiation...11 Requesting Classes...11 The Class Response...12 Home Server GUI...12 Specifics...12 System State...14 Conclusion...15 3

Introduction This report describes the basic security services upon which the Cherubim architecture is built. The lowest level of the security services is the Core Security Services which abstract the basic cryptographic functions and secret key generation. On top of this base is built higher level functions, namely authentication and secure bootstrapping. These security services provide an abstraction of the cryptographic functionality on the host computer so that applications and higher level components in the Cherubim project will have uniform access to cryptographic functionality. Core Security Services The Core Security Services consist of the basic cryptographic functions that are used to build up higher level functionality and protocols. Why Build Yet Another Cryptographic API? A new, simple interface was created because the existing interfaces are overly complicated for the type of operations that are needed for the Cherubim system. In fact, the Cherubim Core Security Services can be built on top of existing, more complicated, cryptographic APIs. The reference implementation of the Core Security Services (the socalled Generic Core Security Services) is built on top of the Java Cryptographic API developed by Sun Microsystems, as implemented by IAIK. One important specification is the format for specifying algorithms to be used for the core operations. Algorithms in the Cherubim system are to be specified in the same format as in the Java Cryptography Architecture API Specification & Reference available online at http://java.sun.com/products/jdk/1.2/docs/guide/security/cryptospec.html. The Heart of the System At the very heart of the Core Security Services are the basic cryptographic operations: Encryption This is the process of encoding data to protect it from eavesdroppers in the network. Encryption in Cherubim can be done with a variety of algorithms (such as IDEA or DES), modes (such as ECB - electronic code book, CFB cipher feedback, or CBC 4

cipher block chaining), and padding schemes (such as PKCS#5 or PKCS#7). The algorithm name is not specified as an argument to this method or the decrypt method because it retrieved by calling key.getalgorithm(). byte[] encrypt(byte[] data, Key key) throws NoSuchAlgorithmException, KeyException, IllegalBlockSizeException, BadPaddingException, NoSuchPaddingException; Decryption This is the complement of encryption; that is, the process of decoding data after it has been encrypted and transmitted over the network. Decryption in Cherubim can be done by any of the algorithms that can be used for encryption. byte[] decrypt(byte[] data, Key key) throws NoSuchAlgorithmException, KeyException, IllegalBlockSizeException, BadPaddingException, NoSuchPaddingException; Digital Signatures Digital signatures are the electronic equivalent of a person s written signature. When someone receives a document or message with a person s signature, he or she can be sure that it really came from that person. Digital Signatures can be done in algorithms like RSA, DSA, or El Gamal. byte[] sign(byte[] data, PrivateKey key, String algorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException; Signature Verification Signature verification is the electronic equivalent of comparing a person s written signature to a reference copy. If a person s signature on a document verifies, the receiver is assured that the person signed the document. Like a good detective, the Cherubim system will detect if an adversary transfers the signature from one document to another. Signatures created using any of the algorithms above can be verified. 5

boolean verify(byte[] data, byte[] signature, PublicKey key, String algorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException; Secure Hashing Hashing is the process of transforming a document of any length into a (hopefully) unique number that is relatively small, typically 128-256 bits. It is desirable for a secure hash function to have the property that it is nearly impossible to find two documents that hash to the same value. The Cherubim system supports several hash algorithms including SHA-1 and MD5. byte[] hash(byte[] data, String algorithm) throws NoSuchAlgorithmException; Secret Key generation from a Passphrase One interesting feature of the security services is that ability to generate a secret key from a passphrase that the user enters. This is used in order to encrypt private keys, etc for storage on disk. SecretKey passphrasetosecretkey(string passphrase, String algorithm, int keylength, String hashalgorithm, String characterencoding) throws NoSuchAlgorithmException, UnsupportedEncodingException; The basic idea is simple, hash the passphrase using the specified character encoding and hash algorithm. Then, copy hashed passphrase into the rawkey. If the hashed secret is too short it will be repeated to fill the rawkey. If the hashed secret is too long, the last blocks will get xored with the first blocks (this may wrap around several times, that is okay). Following is the algorithm used in simplified Java (for clarity). At the start of this algorithm, the array hashed contains the hashed passphrase and the array rawkey is the size of the desired key, but full of zeros. Keep in mind that ^ is xor and % is modulo. 6

for(int i = 0; i < max(hashed.length, rawkey.length); i++) { rawkey[i%(rawkey.length)] = (hashed[i%(hashed.length)] ^ rawkey[i%(rawkey.length)]); Authentication and Key Negotiation Key Negotiation is accomplished using the Diffie-Hellman protocol. This protocol was developed by W. Diffie and M. E. Hellman and published in New Directions in Cryptography, IEEE Transactions on Information Theory, November 1976. For a good description of this protocol and its variants, consult Applied Cryptography, Second Edition by Bruce Schneier, 1996. Authentication is also performed by this protocol because signatures are added to the Diffie-Hellman messages sent in both directions as illustrated below. Sequence of Events Described here are the implementation details for this authentication and key exchange. This process is also illustrated in Figure 1. The parameters of the exchange (p and g) are hard coded into the system. 1. Client machine sends a SignedDHMessage (a signed Diffie-Hellman message, signed by the Smartcard) to the server. This message contains the clients part of the key exchange (the generator g to the power of the client s exponent a, modulo the prime p), the destination of the message (to prevent an attacker from rerouting messages), a timestamp (to prevent a replay attack), and the specific algorithm and length of the session key to be created. This message is signed with the user s private key. 2. Server verifies the signature, timestamp, and destination on the message. The timestamp gives each message a five minute window of validity in order to account for transmission time and clock skew. 3. Server sends a SignedDHMessage to the client with similar information. 4. Client verifies the signature, timestamp, and destination on the message in the same manner as the server did above. 5. Client and Server generate the shared secret as described in the protocol. 6. Client and Server hash shared secret to a secret key. The shared secret is hashed using a secure hash algorithm. SHA-1 is the default, but others like MD5 or MD4 could be used. The final problem is that the output of the hash may not be the same size as the key that is desired. If the secret is too short, it is merely repeated enough times to fill the key. If the hashed secret it too long, the secret is wrapped around using XOR. 7

Finally, the session key expires after one hour. After this time, key negotiation is repeated. This limits the amount of ciphertext that an attacker will have available to break the encryption key. It also strikes a good balance between minimizing the amount of data that could be recovered by an attacker who guesses the key, and maintaining good system performance by avoiding too many key negotiations. Client a Server b <g a, destination, timestamp, algorithm,keylength>, signature g ab g ab <g b, destination, timestamp, algorithm, keylength>, signature HASH HASH Session Key Session Key Figure 1 The Diffie-Hellman Authentication Protocol Diffie-Hellman exchange parameters These parameters are hard coded into the system in order to ensure uniformity and prevent a possible attack using weak parameters. The first parameter is a 2048 bit prime number. It is shown below in hexidecimal. 8

p = ac6bdb41324a9a9bf166de5e1389582faf72b6651987ee07fc3192943 db56050a37329cbb4a099ed8193e0757767a13dd52312ab4b03310dcd 7f48a9da04fd50e8083969edb767b0cf6095179a163ab3661a05fbd5f aaae82918a9962f0b93b855f97993ec975eeaa80d740adbf4ff747359 d041d5c33ea71d281e446b14773bca97b43a23fb801676bd207a436c6 481f1d2b9078717461a5b9d32e688f87748544523b524b0d57d5ea77a 2775d2ecfa032cfbdbf52fb3786160279004e57ae6af874e7303ce532 99ccc041c7bc308d82a5698f3a8d0c38271ae35f8e9dbfbb694b5c803 d89f7ae435de236d525f54759b65e372fcd68ef20fa7111f9e4aff73 The second parameter is called the generator (or g for short). For this prime number, choosing an appropriate generator is easy. g = 2 Cherubim Bootstrapping Mechanism This section describes the secure bootstrapping mechanism used by clients in the Cherubim system. First, the classloader hierarchy is explained, which will illustrate how the bootstrapping concept fits into the overall Cherubim system. Then, the mechanisms that secure the bootstrapping process are described. The basic idea of the Cherubim bootstrapping system is quite simple. A classloader is used and if a class is needed that is not available locally, the classloader loads it over the network. There are a fair number of details to consider, but this is the general concept. The Classloader Hierarchy The classes in the Cherubim system are split into three categories that are loaded by different classloaders as described here and illustrated in Figure 2: Primordial Classes - The primordial classes contain the java core classes (packages that begin with java.), as well as the necessary cryptographic code from the Cherubim and other packages. The java core classes are assumed to be present and reliable on the client machine, while the other primordial classes are taken to the client machine by the user on a smartcard or similar device. Jurassic Classes - The jurassic classes consist of those classes present on the user's home machine. This includes the classes that make up the jacorb object request broker, the classes that make up any applications that reside on the user's home machine, and the Cherubim policy library (which consists of the basic blocks from which specific policies are constructed). 9

Active Capabilities Classloader Specific Active Capability Code Jurassic Classloader Jacorb classes, home application classes, Cherubim policy library Primordial Classloader Java core classes, Necessary Cherubim and other classes Active Capability Classes - These classes are loaded by the active capabilties classloader and are the code that makes up the access control specifications in the Cherubim system. More information on active capabilites is available in the other reports on the Cherubim web site. Implementation In order to securely load the jurassic classes over the network to the client machine, encryption, authentication, and digital signatures are necessary. This section describes the specifics of how the client and server authenticate one another and agree on a session key, as well as how the client machine loads the jurassic classes from the home machine. Initial Booting Figure 2 The Classloader Hierarchy Initial booting of the Cherubim System proceeds as enumerated here. For each step of the process, we assume certain things from the underlying operating system. We assume that the attacker is another user on the system. 1. Client machine boots its Operating System and Java Virtual Machine (JVM) the specifics of this process are not considered in our project, but this may be done with the system developed for AEGIS or a similar system. Care must be taken so that another trojan horse operating system or JVM is not loaded instead of the desired one. Also, the operating system must ensure that the java core classes (i.e. the file classes.zip) is authentic. 2. User runs Boot program from the smartcard. Here, the operating system must ensure that the correct program is executed. 3. Boot program prompts for passphrase. This requires that the operating system provide a secure channel from the keyboard to the JVM so that other users cannot eavesdrop and learn the passphrase. 10

4. Boot program hashes passphrase into a symmetric key. 5. Boot program uses symmetric key to decrypt smartcard (which contains the user s private keys and other information). For this reason, the operating system must load the JVM into a protected area of memory because the user s passphrase and private keys will be present in the JVM s memory. Other users must not be able to access the JVM s memory, and further the operating system must not write memory pages to disk in such a way that other users could subsequently read them. 6. Client machine makes a socket connection to the user's home machine 7. Home machine spawns a Connection thread to communicate with the client 8. Client begins key negotiation with the server At this point it may seem that we are trusting a lot on the client machine. This is true, the focus of the Cherubim system and its bootstrapping architecture is system where the machine (including hardware, operating system, and administration) is trusted, but the network is not. As will be seen below, the Cherubim system makes no assumptions about the integrity of the network or the authenticity of any host with which it communicates. Authentication and Key Negotiation Authentication and Key Negotiation are performed using the Diffie-Hellman protocol as explained above. Once the hosts have authenticated themselves to one another and decided upon a session key, the client can begin loading classes over the network. Requesting Classes After this authentication has taken place, the Client can then request classes as follows: Packet Data Format Class Name TimeStamp (5 min) Sequence Number Destination Signature Encrypted with IDEA Key Figure 3 The Class Request Message Format 1. JurassicClassloader receives request for a class on the client 2. JurassicClassloader checks to see if requested class is in the class cache; if so, return it 3. JurassicClassloader checks to see if the primordial classloader can load the class (i.e. if the class is in the CLASSPATH); if so, return it 4. JurassicClassloader checks if existing session key is more than one hour old; if so, negotiate a new one as above 11

5. JurassicClassloader sends a SEClassRequest (a signed, encrypted class request, signed by the Smartcard and encrypted with the IDEA session key) to the home server over the existing socket 6. Server verifies the signature, timestamp, destination, and sequence number on the SEClassRequest The Class Response Packet Data Format Class Name TimeStamp (5 min) Sequence Number Destination Class Signature Encrypted with IDEA Key 1. Server loads the requested class off the local disk, if available 2. Server sends the class in a SEClassResponse (a signed, encrypted class response, encrypted with the IDEA session key) to the client 3. JurassicClassloader verifies the signature, timestamp, destination, and sequence number on the message 4. JurassicClassloader adds the class in the message to the class cache 5. JurassicClassloader returns the class in the message to the process that called it Home Server GUI Finally, a graphical user interface has been created for the home server side of the bootstrapping process. This interface displays the clients that are connected to this home machine, their state in the key negotiation process, and messages from the server internals to the administrator. By clicking on one of the users connected, another dialog box is displayed with more specific information. A screenshot of this interface is shown in figure 5. Specifics Figure 4 The Class Response Message The bootstrapping system for the Cherubim project is highly configurable, with reasonable (perhaps slightly paranoid) defaults for all parameters. It allows the user to choose the encryption, signature, and hash algorithm involved as well as the size of the keys. Message Digesting default is SHA-1, though other algorithms like MD4, MD5, or RIPE-MD 160 could be used. 12

Figure 5 Screen Shot of the Home Server GUI Digital Signatures default is SHA-1/RSA, though other algorithms like DSA or El Gamal could be used. Session Keys default is IDEA, though DES, Triple DES (3DES), Blowfish, or SPEED could be used. System defaults to using Cipher Block Chaining Mode and PKCS#5 padding though this can be changed as well. Passphrase hashing default is to use SHA-1 hash algorithm. The resulting data is converted into a Secret Key as described above. Character encoding for hashing passphrase default is UTF8 because this is a common character encoding that should be present on all systems. Symmetric Key for writing to stable storage again the default here is IDEA in Cipher Block Chaining mode and using PKCS#5 padding, but other algorithms, modes, and padding schemes can be used. 13

Diffie-Hellman key exchange parameters these parameters are hard coded in the system as described in the authentication section above. System State The system state is in many ways the glue that bind the security services described in this report to the rest of the Cherubim system. System state is a static object in the Cherubim system. It contains all the information that other parts of the system need regarding the current state of the system. The most important part of the system state is the CherubimPrincipal. This object encapsulates a principal in the Cherubim system. That is, it contains the principal s unique name, key pair, secure socket layer (SSL) certificate chain, and active capabilities. Also important is the fact that the principal s private key should not leave the CherubimPrincipal class. This class has methods to sign data. (though currently the key leaves to set up the SSL trust decider this needs to be fixed). For a user, a Smartcard object is used instead of a CherubimPrincipal object (the former being a subclass of the latter). The extra information contained in the Smartcard is the user s home agent (and some other information?). CherubimPrincipal object representing the principal Active Capabilities database of active capabilities keyed on the CORBA name of the object Core current implementation of the Core interface Network represents the current state of the network, used by the Cryptographic Policy Cryptographic Policy maps Network configuration to SSL Cipher Suites Jurassic Class Loader this is the Class Loader that is being used to load classes from the home machine. This object also communicates active capabilities to and from the home machine. 14

Conclusion This will allow not only secure communications among hosts on the active network (essential for the transportation of active agents or active capabilities), but also allow for secure connections between active routers. This will make a great step toward securing the Cherubim system from malicious users on the network. Those seeking further information should consult the Cherubim project web site online (http://choices.cs.uiuc.edu/security/cherubim/) where other papers and reports from this project can be found. Also available is the API documentation for the security services described in this report (http://choices.cs.uiuc.edu/security/cherubim/core/javadoc/packages.html). 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback