Transcript Lecture3

Working Connection
Computer and Network Security
– SSL, IPsec, Firewalls –
(Chapter 17, 18, 19, and 23)
So far, we talked about
Basic Techniques of Security…
• Those are used in many different
security scenarios
– Secure email
– Secure transport (SSL)
– IPsec
Secure e-mail
• Alice wants to send secret e-mail message, m, to Bob.
• generates random symmetric private key, KS.
• encrypts message with KS
• also encrypts KS with Bob’s public key.
• sends both KS(m) and eB(KS) to Bob.
Secure e-mail (continued)
• Alice wants to provide sender authentication, message integrity.
• Alice digitally signs message.
• sends both message (in the clear) and digital signature.
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication,
message integrity.
Note: Alice uses both her private key, Bob’s public key.
Secure Sockets Layer (SSL)
• SSL developed by Netscape Communications
– Operates on top of TCP
– Provides secure connections
• HTTP, FTP, telnet, …
– Electronic ordering & payment; e-mail
– SSL 3.0 submitted to IETF for standardization
• TLS standardized by IETF (RFC 2246)
– Slight differences with SSL 3.0
– www.ietf.org/html.charters/tls-charter.html
Secure sockets layer (SSL)
• SSL works at transport layer. Provides security to any TCP-based app using SSL services.
• SSL: used between WWW browsers, servers for I-commerce (shttp).
• SSL security services:
– server authentication
– data encryption
– client authentication (optional)
• Server authentication:
– SSL-enabled browser includes public keys for trusted CAs.
– Browser requests server certificate, issued by trusted CA.
– Browser uses CA’s public key to extract server’s public key from certificate.
SSL (continued)
Encrypted SSL session:
• Browser generates symmetric
session key, encrypts it with
server’s public key, sends
encrypted key to server.
• Using its private key, server
decrypts session key.
• Browser, server agree that
future msgs will be
encrypted.
• All data sent into TCP socket
(by client or server) is
encrypted with session key.
• SSL: basis of IETF
Transport Layer
Security (TLS).
• Client authentication
can be done with client
certificates.
Transport Layer Security (TLS)
[Protocol stack, top to bottom]
Handshake Protocol | Change Cipher Spec Protocol | Alert Protocol | HTTP Protocol
TLS Record Protocol
TCP
IP
• TLS protocols operate at two layers
• TLS Record Protocol operates on top of TCP
• Protocols on top of TLS Record Protocol
– TLS Handshake Protocol
– TLS Change Cipher Specification Protocol
– TLS Alert Protocol
TLS Record Protocol
• TLS Record protocol provides
– Privacy service through secret key encryption
• Encryption algorithm is negotiated at session setup
• Secret keys generated per connection using another
protocol such as Handshake protocol
– Reliability service through keyed message
authentication code
• Hash algorithm negotiated at session setup
• Operates without hash only during session
negotiation
TLS Handshake Protocol
• TLS Handshake protocol used by client & server
– Negotiate protocol version, encryption algorithm, key
generation method
– Can authenticate each other using public key algorithm
– Client & server establish a shared secret
– Multiple secure connections can be set up after session
setup
• Session specified by following parameters
– Session Identifier: byte sequence selected by server
– Peer Certificate: certificate of peer
– Compression method: used prior to encryption
– Cipher spec: encryption & message authentication code
– Master Secret: 48-byte secret shared by client & server
– Is resumable?: flag indicating if new connections can be initiated
TLS Handshake Process
• TLS Record protocol initially specifies no compression or encryption
• Client → Server: ClientHello
– Request connection
– Includes: Version #; Time & date; Session ID (if resuming); Ciphersuite (combinations of key exchange, encryption, MAC, compression)
• Server → Client: ServerHello
– Send ServerHello if there is acceptable Ciphersuite combination; else, send failure alert & close connection.
– ServerHello includes: Version #; Random number; Session ID; Ciphersuite & compression selections
– New CipherSpec pending
• Server → Client: Certificate*
– Server Certificate
– May contain public key
• Server → Client: ServerKeyExchange*
– Server part of key exchange: Diffie-Hellman, g^x; RSA, public key
– Compute shared key
• Server → Client: ServerHelloDone
– Server part of handshake done
* Optional messages
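The ClientHello fields and the server's accept-or-alert decision described above, as an added Python example that is not part of the lecture. It assumes the TLS 1.0 (RFC 2246) ClientHello layout; the helper names, the server-preference selection policy and the sample values in the test input are constructed for illustration.

```python
import struct

NULL_COMPRESSION = 0

def build_client_hello(version, gmt_time, random28, session_id, suites, compressions):
    """Encode a ClientHello handshake message (constructed test input)."""
    body = struct.pack("!BBI", version[0], version[1], gmt_time) + random28
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compressions)]) + bytes(compressions)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello

def parse_client_hello(msg):
    """Decode the fields the slide lists; reject malformed lengths."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body, pos = msg[4:], 0
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("length field does not match message size")

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    major, minor, gmt_time = struct.unpack("!BBI", take(6))
    take(28)  # remaining random bytes, not needed for negotiation
    session_id = take(take(1)[0])
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("cipher suite list has odd length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    compressions = list(take(take(1)[0]))
    return {"version": (major, minor), "time": gmt_time,
            "session_id": session_id, "suites": suites,
            "compressions": compressions}

def server_select(hello, server_suites):
    """Return the ServerHello choice, or the failure alert the slide describes."""
    if NULL_COMPRESSION in hello["compressions"]:
        for suite in server_suites:  # assumed policy: server preference order wins
            if suite in hello["suites"]:
                return ("ServerHello", suite, NULL_COMPRESSION)
    return ("Alert", "handshake_failure")
```

An empty session ID means a new session; a non-empty one is the resumption case the slide mentions.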
Handshake Protocol continued
• Client → Server: ClientKeyExchange
– Client’s part of key agreement: Diffie-Hellman g^y; RSA, random #s
– Server: Compute shared key
• Client → Server: [ChangeCipherSpec]
– Change Cipher protocol message notifies server that subsequent records protected under new CipherSpec & keys
– Server changes CipherSpec
• Client → Server: Finished
– Hash using new CipherSpec; allows server to verify change in CipherSpec
– Server: Verify CipherSpec
Handshake Protocol completion
• Server → Client: [ChangeCipherSpec]
– Notify client that subsequent records protected under new CipherSpec & keys
– Client changes CipherSpec
• Server → Client: Finished
– Hash using new CipherSpec
– Client verifies new CipherSpec
• Client ↔ Server: Application Data
TLS Record protocol encapsulates application-layer
messages
• Privacy through secret key cryptography
• Reliability through MAC
• Fragmentation of application messages into blocks for
compression/encryption
• Decompression/Decryption/Verification/Reassembly
TLS Handshake with Client
Authentication
• Client → Server: ClientHello
• Server → Client: ServerHello
• Server → Client: Certificate*
• Server → Client: ServerKeyExchange*
• Server → Client: CertificateRequest
– Server requests certificate if client needs to be authenticated
• Server → Client: ServerHelloDone
• Client → Server: Certificate*
– Client sends suitable certificate
– If server finds certificate unacceptable, server can send fatal failure alert message & close connection
• Client → Server: ClientKeyExchange
• Client → Server: CertificateVerify*
– Client prepares digital signature based on messages sent using its private key
– Server verifies client has private key
• Client → Server: [ChangeCipherSpec]
• Client → Server: Finished
• Server → Client: [ChangeCipherSpec]
• Server → Client: Finished
• Client ↔ Server: Application Data
IP Security (IPsec)
• IPsec defined in RFCs 2401, 2402, 2406
• Provides authentication, integrity, confidentiality, and access control at the IP layer
• Provides a key management protocol to provide automatic key distribution techniques.
• Security service can be provided between a pair of communication nodes, where the node can be a host or a gateway (router or firewall).
• Two protocols & two modes to provide traffic security:
– Authentication Header and Encapsulating Security Payload
– Transport mode or tunnel mode
IPsec: Network Layer Security
• Network-layer secrecy:
– sending host encrypts the
data in IP datagram
– TCP and UDP segments; ICMP
and SNMP messages.
• Network-layer authentication
– destination host can
authenticate source IP
address
• Two principal protocols:
– authentication header (AH)
protocol
– encapsulating security payload
(ESP) protocol
• For both AH and ESP,
source, destination
handshake:
– create network-layer
logical channel called a
security association (SA)
• Each SA unidirectional.
• Uniquely determined by:
– security protocol (AH or
ESP)
– source IP address
– 32-bit connection ID
IPsec Protocol Stack
• IPsec puts the two main
protocols in between IP and
the other protocols
– AH - authentication header
– ESP - encapsulating security
payload
• Tunnel vs. transport?
• Other function provided by
external protocols and
architectures
– Key Management/authentication
– Policy
IPsec Protocol Suite
IPsec: Packet Handling
Security Association
• A Security Association (SA) is a logical simplex
connection between two network-layer entities
• Two SA’s required for bidirectional secure
communication
• SA is specified by
– A unique identifier
– Security services to be used
– Cryptographic algorithms to be used
– How shared keys will be established
– Other attributes such as lifetime
• SA negotiated before security service begins
Integrity & Authentication Service
• Integrity can be ascertained by sending a
cryptographic checksum or hash of message
• Authentication also provided if hash covers:
– Shared secret key, sender’s identity & message
– Fields that are changed while packet traverses
Internet are set to zero in calculation of hash
• To protect against replay attacks, message
should carry a sequence number that is
covered by the hash
– Receiver accepts a packet only once
– Receiver maintains a window of packets it accepts
• Receiver recalculates hash and compares to
hash in received packet
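The receiver-side checks on this slide (keyed hash, zeroed mutable fields, sequence number, acceptance window), as an added Python example that is not part of the lecture. The packet is a simplified constructed record rather than a real AH or ESP header, and HMAC-SHA-256, the 32-packet window and all field names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 32  # assumed anti-replay window size, in packets

def digest(key, pkt):
    """Keyed hash over sender identity, SA id, sequence number and payload.
    TTL changes at every hop, so it enters the calculation as zero."""
    fixed = struct.pack("!IIB", pkt["sa_id"], pkt["seq"], 0)  # 0 = zeroed TTL
    data = pkt["src"].encode() + fixed + pkt["payload"]
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, src, sa_id, seq, ttl, payload):
    pkt = {"src": src, "sa_id": sa_id, "seq": seq, "ttl": ttl, "payload": payload}
    pkt["hash"] = digest(key, pkt)
    return pkt

class Receiver:
    def __init__(self, key, sa_id):
        self.key, self.sa_id = key, sa_id
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bit i set: sequence (highest - i) already accepted

    def accept(self, pkt):
        seq = pkt["seq"]
        if pkt["sa_id"] != self.sa_id or seq < 1:
            return "drop: no matching SA"
        if seq + WINDOW <= self.highest:
            return "drop: older than window"
        if seq <= self.highest and (self.seen >> (self.highest - seq)) & 1:
            return "drop: replay"
        if not hmac.compare_digest(digest(self.key, pkt), pkt["hash"]):
            return "drop: bad hash"
        # The window moves only after the hash verifies, so a forged
        # sequence number cannot push genuine packets out of the window.
        if seq > self.highest:
            shifted = (self.seen << (seq - self.highest)) | 1
            self.seen = shifted & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        return "accept"
```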
Authentication Header (AH) Protocol
• Provides source host
authentication, data
integrity, but not secrecy.
• AH header inserted between
IP header and IP data field.
• Protocol field = 51.
• Intermediate routers
process datagrams as usual.
AH header includes:
• connection identifier
• authentication data: signed
message digest, calculated
over original IP datagram,
providing source
authentication, data
integrity.
• Next header field:
specifies type of data (TCP,
UDP, ICMP, etc.)
ESP Protocol
• Provides secrecy, host
authentication, data
integrity.
• Data, ESP trailer
encrypted.
• Next header field is in
ESP trailer.
• ESP authentication
field is similar to AH
authentication field.
• Protocol = 50.
IPsec: Tunnel vs. Transport mode
• Tunnel mode is most commonly used between
gateways, or at an end-station to a gateway,
the gateway acting as a proxy for the hosts
behind it.
• Transport mode is used between end-stations or between an end-station and a
gateway, if the gateway is being treated as a
host—for example, an encrypted Telnet
session from a workstation to a router, in
which the router is the actual destination.
AH
ESP
Internet Key Exchange (IKE)
• Built on the ISAKMP framework
• Two phase protocol used to establish
parameters and keys for session
– Phase 1: negotiate parameters, authenticate
peers, establish secure channel
– Phase 2: Establish a security association (SA)
• The details are unimaginably complex
• The SA defines algorithms, keys, and policy
used to secure the session
Gateway-to-Gateway
[Figure: computers A and B, each behind a gateway, connected across the Internet]
• Computers A and B have gateways interposed between
their internal network and Internet
• Gateway can be a firewall
– Controls external access to internal network
– Packet filtering according to various header fields
• IP addresses, port numbers, ICMP types, fields within payload
• Secure tunnels can be established between gateways
– All internal information including headers can be encrypted
Remote user to Gateway
[Figure: mobile host reaching the gateway across the Internet]
• Mobile host needs access to internal network
• Gateway must provide user with access while barring
intruders from accessing internal network
• May also need to protect identity of mobile user
• IP-address of mobile user changes
Firewall Options
• Firewalls can operate at different layers
– IP-layer filtering cannot operate on payload contents
• Circuit-Level Gateways
– Direct client-to-server TCP connections not allowed
– Relays TCP segments between actual client & actual
server
• Application-Level Gateways or Proxies
– Interposed between actual client and actual server
– Performs authentication and determines what features
are available to client
– Monitors, filters & relays messages