EE579T-Class 4

Download Report

Transcript EE579T-Class 4

EE579T
Network Security
4: Authentication, Encryption, and VPN’s
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #1
Thought for the Day
“Never attribute to a conspiracy that
which can be explained by incompetence.”
Judge Larry Silberman
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #2
Overview of Tonight’s Class
•
•
•
•
•
•
Review last week’s lesson
Look at network security in the news
Course project discussion
Encryption overview
Authentication
Virtual Private Networks
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #3
Last Week...
• Attacking the network topology is basic,
and not limited to the the network media
• Firewalls can be a useful security tool
– Control access to/from network segments
– Filter traffic by type, source/destination,
content
– Provide logs of activity
• Firewalls are not a panacea, and can even be
dangerous if not properly configured
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #4
Network Security Last Week-1
• World Economic Forum security breach
– 161MBS of data totaling 80,000 pages of text and
tables in Excel spreadsheets
– 27,000 names of current and prior WEF participants
with detailed private data Personal data on prominent
WEF participants
– 1400 credit card numbers with the names and
sometimes with spouses' names included
– 3200 WEF participants' travel intermarry data including
hotel names, room numbers, and arrival and departure
details
– User passwords for all participants on the WEF Davos
information system
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #5
Network Security Last Week- 2
• WEF security breach (continued)
– Hackers approached newspapers with secret
data, later verified as correct
– Persons involved include Yasser Arafat, Bill
Gates, Madeline Albright
– Possible link to anti-globalization hacktivism?
– Crime or prank?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #6
Network Security Last Week- 3
• Wireless LAN security breached
– Wired Equivalent Privacy algorithm broken
– Altered equipment can be used to intercept or
disrupt legitimate networks
• Acer, Compaq introduce notebook
computers with fingerprint scanners
• Personalization Consortium releases new
privacy guidelines (voluntary)
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #7
Course Projects
•
•
•
•
•
Teams
Topics
Schedule
What’s expected
Issues
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #8
Access Control
• Determines and monitors who can do what
with what in the computer
• Is much more than establishing a physical
perimeter around the computer
• Can be achieved without a physical
perimeter
• Is a vulnerable link if not protected
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #9
Subjects and Objects
•
•
•
•
Remember your English grammar
Subjects act
Objects are acted upon
These roles are not graven in stone
– If you hit the ball, you are the subject
– If the ball hits you, you are the object
• It is just the same in computer science
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #10
Access Control Model
Subject
Reference
Monitor
Request
Object
Any of these points is a vulnerability. How to protect?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #11
NIC’s
• All network segment packets are potentially
visible to the NIC
• The NIC is set (by software) to respond
only to packets addressed to itself
• If it is set in promiscuous mode, it will trap
ALL packets
• Packet payloads are in plain text
• Is there a potential problem here?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #12
Encryption Primer
•
•
•
•
•
Cryptography = “secret writing”
Input = clear text
Output = cipher text
Cipher text = clear text + key (in general)
Two basic types of cipher
– Secret (symmetric) key
– Public (asymmetric) key
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #13
Encryption
• A means for rendering plain language text
(cleartext) into recoverable gibberish
(ciphertext)
• Only ONE provably secure cryptosystem
– One-time pad
– Secure even if pad or operator captured
– BUT…errors can lead to decryption
– http://www.cia.gov/csi/books/venona/preface.htm
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #14
Why Use Anything Except Onetime Pads?
•
•
•
•
•
Speed of encipherment
Letters vs. numbers
Logistics
Usability
Error rates
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #15
Symmetric Ciphers
• Same code at each end
• Important that message length < cipher
length
• Billions of combinations possible
• Codes changed frequently
• Each circuit requires a code pair
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #16
Enigma
Perhaps the most famous
cipher machine in history.
This is an early model. Later
versions had as many as five rotors.
Enigma was a tactical machine-designed for battlefield use.
Even today, Enigma would provide
excellent security…IF no errors
occurred on the part of the operators.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #17
Sigaba
Similar in theory
to Enigma.
Designed for strategic
(fixed station) use; note
direct punching of
teletypewriter paper
tape for transmission.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #18
Cipher Example (Vernam)
• Encipher
• Decipher
• Plain: 001 010 011 100
• +key: 111 011 010 101
• Cipher: 110 001 001 001
• Cipher: 110 001 001 001
• +key: 111 011 010 101
• Plain: 001 010 011 100
The ciphertext is simply the plain text added to the key,
modulo 2. This is a reversible process, as seen above.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #19
Breaking Symmetric Ciphers
• Brute force
– Inelegant, but sometimes effective if enough
computing power can be brought to bear
– If cipher is complex enough, this doesn’t work
• Exploit errors
– Same message enciphered in two codes
– Plaintext attack
– Exploit operator errors
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #20
Asymmetric Ciphers
• Also known as public key cryptography
• Until Diffie-Hellman, this concept was
heretical. It is still counterintuitive.
• Key has two parts
– Public: everybody knows or can know
– Private: only holder knows
• Based on large prime numbers
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #21
Brute Force Attacks on PK
Systems
Assume a number N, having L decimal digits (N@10L).
Now posit a computer capable of 1010 divisions/second.
The computer can factor any N, using the trial division method,
in approximately N0.5/1010 seconds.
If N has 100 digits, this process will require approximately
1040 seconds.
However, the currently estimated age of the Universe is
approximately 3.8 x 1017 seconds.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #22
Public Key Cryptography
Alice
Bob
Bob’s private key
Bob’s public key
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #23
Curious Public Key Properties
• The encryption function is one-way
• The encryption process is fungible
– Can encrypt with public key and decrypt with
private key, and vice versa
• So what?
– How about using this approach to sign
documents?
– Can a signed document be used for
authentication?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #24
Crypto Weaknesses
• All cryptosystems depend on the security of
the key for their security
– If a symmetric system, he who has the key
reads the mail
– Asymmetric systems rely on the private
remaining private. How good an assumption is
this?
• Attacks on assumptions work better than
attacks on the front door
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #25
Cryptography
• Many ways to combine clear text and key;
all are functionally equivalent (but NOT
equivalent in other ways)
• Key things to know for computer security
purposes are:
– Cryptography is not a panacea
– Two-way functions are potential problems
– Key management is a difficult problem
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #26
Identification
• Not as simple as it seems
– Who are you?
– Can you prove it?
– How?
• Now--how can I prove you are who you
purport to be?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #27
Identification & Authentication
• Identification
– A unique entity descriptor
• Authentication
– verifying the claimed identification
These are two sides of the same coin, but they are NOT the same thing
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #28
Means of Identification
•
•
•
•
Password
Physical key
Token
Biometric
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #29
Authentication
• Validates you are who you claim to be
–
–
–
–
–
Something you know
Something you have
Who you are
What you do
Where you are
• An intruder who has the authentication keys
looks just like the real user!
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #30
Something You Know
• Password
• PIN
• Some other piece of information (e.g. your
mother’s maiden name -- very popular)
• NB: anyone who obtains this information is
-- so far as the computer knows -- you. Is
there a problem here?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #31
Something You Have
• Physical token
–
–
–
–
Physical key
Magnetic card
Smart card
Calculator
• What if you lose it?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #32
Who You Are
• Biometrics
–
–
–
–
–
Fingerprints
Face geometry
Voiceprints
Retinal scanning
Hand geometry
• False positives, negatives
• User acceptance
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #33
What You Do
• Mechanical tasks
– Signature (pressure, speed)
– Joystick
• False positives, negatives
• Potential for forgery, etc.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #34
Where You Are
• Limit use by user location
• Vet location by GPS, etc.
• Reliability, dependability, complexity
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #35
I See You, Can You See Me?
• Passwords and authentication can do a
decent job of identifying the user to the
computer if they are closely coupled
• How does the user know who he/she is
connected to?
• Why does the user care?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #36
Authentication of the Computer
• Public key infrastructure
• Digital certificates
– Certificate authority
– Certificate revocation
• Is it foolproof?
• Is it legal?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #37
Networked Systems Security
• Users not necessarily registered at the node
they are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
– User ID
– User address
– Service being invoked
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #38
User Identity Checking
• Unix approach for remote services
– ftp, telnet
• How do user rights travel with the user?
– Local vs. remote nodes
– Labeling inconsistencies
– Write vs. read
• What about trusted hosts?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #39
Controlled Invocation
• Program typically given user’s access rights
and then run on remote node
– This is called delegation
– Is there a problem here?
• More desirable to delegate rights selectively
– Proxy servers often used for this
– Proxy runs with its own rights
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #40
System Design Decisions
•
•
•
•
•
Focus of control: data, operations, users
Security layer: where should it be?
Simplicity versus feature-rich
Enforcement: central vs. distributed?
Protection: how to keep attacker from
lower levels?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #41
Security Enforcement
• Where is a user authenticated?
– Centrally?
• Authentication servers
• Ticket-granting servers
– Locally?
• Firewalls
• Where are access control decisions made?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #42
Authentication
• Kerberos
– Q: Who is/was Kerberos?
– A: The three-headed dog that guards the
entrance to Hell (also Cerberus)
– www.web.mit.edu/kerberos/www/
• Distributed System Security alternatives
• Personal security tokens
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #43
Kerberos Components
•
•
•
•
Users (of course!)
Kerberos Authentication Server (KAS)
Ticket-granting Server (TGS)
Strong cryptography
– Triple DES
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #44
How Does Kerberos Work?
• Example: Alice desires to establish a secure
authenticated session with Bob
• Step 1: Alice logs onto her local host,
entering user ID and password, and requests
service from a TGS
– Message 1 generated from Alice to TGS
– Contains ID, TGS name, ticket expiry, nonce
– Sent in cleartext
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #45
Kerberos Protocol
TGS
KAS
Alice
Bob
1
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #46
Step Two
• KAS generates a message back to Alice
– Contents
• Session key
• Ticket
• Nonce (another one from what Alice sent)
– Contents encrypted with Alice’s secret key
(which is known to her and the KAS)
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #47
Kerberos Protocol
TGS
2
KAS
Alice
Bob
1
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #48
Step Three
• Alice creates an authenticator
– Alice’s ID
– Creation time
– Encrypted with session key from KAS
• Sends authenticator, ticket, requested expiry
date, another nonce, name of service
requested to TGS
• Encrypted with KAS, TGS secret key
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #49
Kerberos Protocol
TGS
3
2
KAS
Alice
Bob
1
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #50
Step Four
• TGS generates session key to use with Alice
• TGS sends session key for use with Bob
and a ticket to use with Bob back to Alice
– Encrypted with session key between Alice and
TGS
• Alice stores the encrypted ticket and
decrypts the new session key to use with
Bob
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #51
Kerberos Protocol
TGS
3
4
2
KAS
Alice
Bob
1
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #52
Step Five
• Alice asks Bob for an authenticated session
– Sends ticket, new authenticator using the
session key between Alice and Bob
• Bob decrypts the ticket (secret key w/TGS)
–
–
–
–
Checks validity (has it expired?)
Obtains session key
Decrypts authenticator from Alice
Verifies time stamp
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #53
Kerberos Protocol
TGS
3
4
2
KAS
5
Alice
Bob
1
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #54
Step Six, and Last
• Bob sends message to Alice
– Contains last time stamp received
– Encrypted with session key for Bob & Alice
• Alice decrypts the time stamp and compares
it to her own time stamp
• If time stamps match, Bob is authenticated,
and session proceeds
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #55
Kerberos Protocol
TGS
3
4
2
KAS
5
Alice
Bob
6
1
Authenticated Session Now Established!
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #56
Distributed System Security
Architecture
•
•
•
•
Originally developed at DEC
Several variations on the theme
Uses credentials, certificates, and tokens
Certificate entities
– Certificate Authority (CA)
• issues certificates, can be off-line
– Certificate Distribution Center (CDC)
• stores certificates, must be on-line for authentication
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #57
DSSA: Before We Begin
• Users obtain digital certificates
– Based on public key technology
– Certificate contains user name, public key,
name of the CA, expiry date, and other details
that may be desired
– Certificate purports to identify the user; this is
attested to by the CA
– Certificate binds public key to the user
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #58
DSSA: Step One
• Alice asks the CDC for Bob’s certificate
CDC
1
Bob
Alice
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #59
DSSA: Step Two
• CDC sends Alice Bob’s certificate
CDC
1
2
Bob
Alice
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #60
DSSA: Step Three
• Alice verifies Bob’s public key, generates
session key, sends authenticator+signed
ticket+delegator to Bob
CDC
1
2
3
Bob
Alice
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #61
DSSA: Step Four
• Bob asks CDC for Alice’s certificate
CDC
1
4
2
3
Bob
Alice
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #62
DSSA: Step Six
• Bob authenticates Alice’s public key using
her certificate, retrieves session key, verifies
times, etc., and sends Alice an authenticator
CDC
5
1
4
2
3
Bob
Alice
6
Authenticated Session Now Established!
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #63
Some Authentication Issues
• Certificate revocation list
• Time synchronization
• How do you trust the CA?
– Digital notaries
• Standards
– X.509 predominates, but not only one (e.g.,
PGP)
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #64
Personal Cryptographic Tokens
• Smart cards, loading keys, etc.
• How do you bind the user to the token?
– If the token is stolen, I become you without
hard binding
– If the binding is too hard to use, the user won’t
use it
• Other issues?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #65
Virtual Private Network
•
•
•
•
Authenticated,
encrypted,
communications channel
…across some kind of public network, such
as the Internet, which is itself possibly not
secure
• BUT..we don’t care if the public network is
secure or not!
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #66
VPN Prerequisites
• Each site must have a VPN-capable device
at the network perimeter
• Each site must know the other site’s IP
subnet addresses
• Both sites must agree on authentication
• Both sites must agree on encryption and
exchange keys as needed
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #67
VPN Example
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #68
Adequate Encryption
• How sensitive is the data?
• How long must it be kept secret?
– Work factor
• What is the impact of its compromise
weighed against the cost of encryption (i.e.
what is the cost/benefit ration?)
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #69
Summary
• Authentication is critical to achieving
network security, and is harder because the
user is at a distance from the computer
• Encryption is key to authentication
– Symmetric
– Asymmetric
• VPN’s provide a way to create a private
“tunnel” through a public network
– Not a panacea
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #70
Homework - 1
1. Write an essay of 500-1000 words on the
strengths and weaknesses of public key
encryption.
2. Research the basic standards for public key
encryption. What are they? Where can
they be found?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #71
Homework - 2
3. Compare and contrast public and private
key cryptography for achieving network
security. How would you use private key
crypto to distribute public keys?
4. Refer to Figure 10.5 of the text. Describe
the passage of a packet from machine
192.168.1.23 to 192.168.3.3. Be specific as
to what happens at boundaries.
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #72
Homework - 3
5. Conduct your own research as to the
availability and price of network sniffers for
Windows-based computers. Do not run
these on any network without written
permission of the network administrator!
What is your assessment of the security of
your network based on your findings?
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #73
Assignment for Next Week
• Plan for project teaming
• Next week’s topic: HTTP and All That Jazz!
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/4 #74