Transport-level Security

Download Report

Transcript Transport-level Security

Csc 8222 Network Security
Web and Transport-level Security
WenZhan Song
Cryptography and Network Security
1
Web security
 See the top 10 security issues in web
applications:
http://www.slideshare.net/devnology/thetop-10-security-issues-in-web-applications
Cryptography and Network Security
2
Introduction
 Introduction
 Presentation of SSL
The inner workings of SSL
• Attacks on SSL
 HTTPS vs S-HTTP
• Comparison with SSL/TLS
• Attacks on S-HTTP
 Transport security
• TLS
• SSH, SET
 Conclusion
•
Cryptography and Network Security
3
Web Security
 Web now widely used by business,
government, individuals
 but Internet & Web are vulnerable
 have a variety of threats
integrity
 confidentiality
 denial of service
 authentication

 need added security mechanisms
Cryptography and Network Security
4
SSL (Secure Socket Layer)
 transport layer security service
 originally developed by Netscape
 version 3 designed with public input
 subsequently became Internet standard
known as TLS (Transport Layer Security)
 uses TCP to provide a reliable end-to-end
service
Cryptography and Network Security
5
SSL: Secure Sockets Layer
 widely deployed security
protocol
supported by almost all browsers,
web servers
 https
 billions $/year over SSL

 original design:
 Netscape, 1993
 variation -TLS: transport
layer security, RFC 2246
 provides
 confidentiality
 integrity
 authentication
Network Security
 original goals:
 Web e-commerce transactions
 encryption (especially creditcard numbers)
 Web-server authentication
 optional client authentication
 minimum hassle in doing
business with new merchant
 available to all TCP
applications
 secure
socket interface
SSL and TCP/IP
Application
Application
SSL
TCP
TCP
IP
IP
Normal Application
Application
with SSL
• SSL provides application programming interface (API)
to applications
• C and Java SSL libraries/classes readily available
•SSL has two layers of protocols
Network Security
SSL Architecture
Cryptography and Network Security
8
SSL Architecture
 SSL session
an association between client & server
 created by the Handshake Protocol
 define a set of cryptographic parameters
 may be shared by multiple SSL connections

 SSL connection
a transient, peer-to-peer, communications link
 associated with 1 SSL session

Cryptography and Network Security
9
SSL
Architecture
Everything
henceforth
is encrypted
TCP Fin follow
Network Security
SSL Record Protocol
 confidentiality
using symmetric encryption with a shared secret key
defined by Handshake Protocol
 IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC440, RC4-128
 message is compressed before encryption

 message integrity
using a MAC with shared secret key
 similar to HMAC but with different padding

Cryptography and Network Security
11
SSL Record Protocol
data
fragment and compress
data
fragment
record
header
data
fragment
MAC
encrypted
data and MAC
record
header
MAC
encrypted
data and MAC
record header: content type; version; length
MAC: includes sequence number, MAC key Mx
fragment: each SSL fragment 214 bytes (~16 Kbytes)
Network Security
Toy SSL: a simple secure channel
 handshake: Alice and Bob use their
certificates, private keys to authenticate
each other and exchange shared secret
 key derivation: Alice and Bob use shared
secret to derive set of keys
 data transfer: data to be transferred is
broken up into series of records
 connection closure: special messages to
securely close connection
Network Security
Toy: A simple handshake
 MS = master secret
 EMS = encrypted master secret
Network Security
Toy: Key derivation
 Considered bad to use same key for more than one
cryptographic operation

use different keys for message authentication code (MAC) and
encryption
 four keys:
 Kc = encryption key for data sent from client to server
 Mc = MAC key for data sent from client to server
 Ks = encryption key for data sent from server to client
 Ms = MAC key for data sent from server to client
 keys derived from key derivation function (KDF)
 takes master secret and (possibly) some additional random data
and creates the keys
Network Security
Toy: Data Records
 why not encrypt data in constant stream as we
write it to TCP?


where would we put the MAC? If at end, no message integrity
until all data processed.
E.g., with instant messaging, how can we do integrity check over
all bytes sent before displaying?
 instead, break stream in series of records
 Each record carries a MAC
 Receiver can act on each record as it arrives
 issue: in record, receiver needs to distinguish MAC
from data

want to use variable-length records
length
Network Security
data
MAC
Toy: Sequence Numbers
 attacker can capture and replay record or
re-order records
 solution: put sequence number into MAC:
MAC = MAC(Mx, sequence||data)
 Note: no sequence number field

 attacker could still replay all of the
records

use random nonce
Network Security
Toy: Control information
 truncation attack:
attacker forges TCP connection close segment
 One or both sides thinks there is less data than there
actually is.

 solution: record types, with one type for
closure

type 0 for data; type 1 for closure
 MAC = MAC(Mx, sequence||type||data)
length type
Network Security
data
MAC
Toy SSL: summary
encrypted
bob.com
Network Security
Toy SSL isn’t complete
 how long are fields?
 which encryption protocols?
 want negotiation?
allow client and server to support different encryption
algorithms
 allow client and server to choose together specific
algorithm before data transfer

Network Security
SSL Cipher Suite
 cipher suite



public-key algorithm
symmetric encryption algorithm
MAC algorithm
 SSL supports several
cipher suites
 negotiation: client,
server agree on cipher
suite
client offers choice
 server picks one

Network Security
Common SSL symmetric ciphers
 DES – Data Encryption
Standard: block
 3DES – Triple strength: block
 RC2 – Rivest Cipher 2: block
 RC4 – Rivest Cipher 4: stream
SSL Public key encryption
 RSA
SSL Handshake Protocol
 allows server & client to:
authenticate each other
 to negotiate encryption & MAC algorithms
 to negotiate cryptographic keys to be used

 comprises a series of messages in phases
Establish Security Capabilities
 Server Authentication and Key Exchange
 Client Authentication and Key Exchange
 Finish

Cryptography and Network Security
25
General purpose
1.Handshake
`
2. Data transmission
 Two step process:
• Handshake : exchange private keys using a public key encryption
algorithm
• Data transmission: exchange the required data using a private key
encryption
Cryptography and Network Security
26
SSL
Handshake
Protocol
Cryptography and Network Security
27
Table 6.2 SSL Handshake Protocol Message Types
SSL Handshake
1.
2.
3.
4.
5.
6.
client sends list of algorithms it supports, along
with client nonce
server chooses algorithms from list; sends back:
choice + certificate + server nonce
client verifies certificate, extracts server’s
public key, generates pre_master_secret,
encrypts with server’s public key, sends to
server
client and server independently compute
encryption and MAC keys from
pre_master_secret and nonces
client sends a MAC of all the handshake messages
server sends a MAC of all the handshake
messages
Network Security
Key derivation
 client nonce, server nonce, and pre-master secret
input into pseudo random-number generator.

produces master secret
 master secret and new nonces input into another
random-number generator: “key block”

Because of resumption: TBD
 key block sliced and diced:
 client MAC key
 server MAC key
 client encryption key
 server encryption key
 client initialization vector (IV)
 server initialization vector (IV)
Network Security
SSL Handshake (cont.)
last 2 steps protect handshake from tampering
 client typically offers range of algorithms,
some strong, some weak
 man-in-the middle could delete stronger
algorithms from list
 last 2 steps prevent this

Last two messages are encrypted
Network Security
SSL Handshake (cont.)
 why two random nonces?
 suppose
Trudy sniffs all messages
between Alice & Bob
 next day, Trudy sets up TCP connection
with Bob, sends exact same sequence of
records
 Bob (Amazon) thinks Alice made two separate
orders for the same thing
 solution: Bob sends different random nonce for each
connection. This causes encryption keys to be
different on the two days
 Trudy’s messages will fail Bob’s integrity check
Network Security
SSL Change Cipher Spec Protocol
 one of 3 SSL specific protocols which use
the SSL Record protocol
 a single message
 causes pending state to become current
 hence updating the cipher suite in use
Cryptography and Network Security
33
SSL Alert Protocol
 conveys SSL-related alerts to peer entity
 severity
 warning or fatal
 specific alert
 unexpected message, bad record mac, decompression
failure, handshake failure, illegal parameter
 close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
 compressed & encrypted like all SSL data
Cryptography and Network Security
34
Attacks on SSL

Certificate Injection Attack
•
•
The list of trusted Certificate Authorities is altered
Can be avoided by upgrading the OS or switching to a safer one.
 Man in the Middle
•
Cipher Spec Rollback : regresses the public key encryption algorithms
Version Rollback : regression from SSL 3.0 to weaker SSL 2.0
Algorithm rollback : modify public encryption method
Truncation attack : TCP FIN|RST used to terminate connection
•
Can be avoided by randomly delaying the computations
•
Can be used on servers that accept small key sizes: 40 bits for symmetric
encryptions and 512 for the asymmetric one.
•
•
•
 Timing attack
 Brute force
Cryptography and Network Security
35
TLS (Transport Layer Security)
 IETF standard RFC 2246 similar to SSLv3
 with minor differences
in record format version number
 uses HMAC for MAC
 a pseudo-random function expands secrets
 has additional alert codes
 some changes in supported ciphers
 changes in certificate negotiations
 changes in use of padding

Cryptography and Network Security
36
TLS
TLS was developed by IETF to replace SSL version 3.
• Based on SSL version 3, with some changes:
• Replaced FORTEZZA key exchange option with DSS.
• Include the hash method HMAC used by IPSec for
authentication in IP headers.
• More differentiation between sub-protocols.
• TLS has mechanisms for backwards compatibility with SSL.
Cryptography and Network Security
37
TLS
TLS has about 30 possible cipher ‘suites’, combinations of
key exchange, encryption method, and hashing method.
• Key exchange includes: RSA, DSS, Kerberos
• Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES,
and AES
• Hashing: SHA and MD5
(Note: Some of the suites are intentionally weak export
versions.)
Cryptography and Network Security
38
HTTPS
(HTTP over SSL)
 Refers to the combination of HTTP and SSL to implement




secure communication between a Web browser and a Web
server
The HTTPS capability is built into all modern Web browsers
A user of a Web browser will see URL addresses that begin
with https:// rather than http://
If HTTPS is specified, port 443 is used, which invokes SSL
Documented in RFC 2818, HTTP Over TLS

There is no fundamental change in using HTTP over either SSL or TLS and
both implementations are referred to as HTTPS
 When HTTPS is used, the following elements of the
communication are encrypted:





URL of the requested document
Contents of the document
Contents of browser forms
Cookies sent from browser to server and from server to browser
Contents of HTTP header
Connection Initiation
For HTTPS, the agent acting as
the HTTP client also acts as the
TLS client
• The client initiates a connection to the server
on the appropriate port and then sends the
TLS ClientHello to begin the TLS handshake
• When the TLS handshake has finished, the
client may then initiate the first HTTP
request
• All HTTP data is to be sent as TLS application
data
There are three levels of awareness of
a connection in HTTPS:
• At the HTTP level, an HTTP client requests a
connection to an HTTP server by sending a
connection request to the next lowest layer
• Typically the next lowest layer is TCP, but it
may also be TLS/SSL
• At the level of TLS, a session is established
between a TLS client and a TLS server
• This session can support one or more
connections at any time
• A TLS request to establish a connection begins
with the establishment of a TCP connection
between the TCP entity on the client side and
the TCP entity on the server side
Connection Closure
 An HTTP client or server can indicate the closing of a
connection by including the line Connection: close
in an HTTP record
 The closure of an HTTPS connection requires that
TLS close the connection with the peer TLS entity on
the remote side, which will involve closing the
underlying TCP connection
 TLS implementations must initiate an exchange of
closure alerts before closing a connection

A TLS implementation may, after sending a closure alert, close the
connection without waiting for the peer to send its closure alert,
generating an “incomplete close”
 An unannounced TCP closure could be evidence of
some sort of attack so the HTTPS client should issue
some sort of security warning when this occurs
A
B
C
D
C- Secure-HTTP
Presentation of S-HTTP
 Designed by E. Rescorla and A. Schiffman
of EIT to secure HTTP connections
 Proposed in 1994 but never used
commercially
 Not to be confused with HTTPS: encrypts
HTTP messages at the application level
Security on the WWW
Cryptography and Network Security
42
A
B
C
D
C- Secure-HTTP
Location of S-HTTP
Secure-HTTP
Message encryption and
signature
Application Layer:
HTTP message
Transmission Control Protocol
(TCP)
HTTP-specific message
encryption
 Can possibly be used
over a secure channel
 Designed to be
compatible with HTTP
for handling at lower
layers

Internet Protocol
(IP)
Security on the WWW
Cryptography and Network Security
43
A
B
C
D
C- Secure-HTTP
S-HTTP vs. SSL/TLS
 HTTP-specific vs. general purpose SSL (IMAPS,




POPS, LDAPS…)
Burden of encryption not on
transmission/reception but rather on message
production/unpacking
Similar set of available ciphers, plus added
capabilities for signing (DSS, RSA)
Very general specifications, leaving a lot to
implement and a potential for incompatible
implementations
Only one reference implementation in NCSA
Mosaic
Security on the WWW
Cryptography and Network Security
44
A
B
C
D
C- Secure-HTTP
S-HTTP vs. HTTPS: functionalities
Security Service
S-HTTP
HTTPS
Privacy
Public or private cryptosystem
Encryption of the complete HTTP
transaction
Symmetric key cryptosystem
Complete communication encryption
Integrity
Simple MAC or signing
MAC only
Authentication
Key management on the keys used,
or digital signature
During the initial public key
exchange (server auth. mandatory,
client auth. optional)
Non-repudiation
Digital signature
Not provided
 S-HTTP can make use of key management
 Non-repudiation is not provided by SSL (e.g., HTTPS)
 Signing is optional, but a major attraction to S-HTTP
Security on the WWW
Cryptography and Network Security
45
A
B
C
D
C- Secure-HTTP
S-HTTP vs. HTTPS: proxy traversal
Proxy traversal: SSL connection
OR
cleartext
SSL tunnel
External
secure server
SSL tunnel
SSL-aware proxy
Enterprise environment
Proxy traversal: S-HTTP messaging
Encrypted data
Authentication
External
secure server
Security on the WWW
S-HTTP-aware proxy
Enterprise environment
Cryptography and Network Security
46
A
B
C
D
C- Secure-HTTP
S-HTTP inner working
 Message-based encryption
 Superset of HTTP: “outer” envelope
 Specific headers added
S-HTTP message
S-HTTP headers
HTTP payload headers:
Security-Scheme, Encryption-Identity,
Certificate-Info… + regular HTTP headers
Request:
Secure*Secure-HTTP/1.2
Response:
Secure-HTTP/1.2 200 OK
HTTP message body
Security on the WWW
Cryptography and Network Security
47
A
B
C
D
C- Secure-HTTP
S-HTTP attacks
 Basically the same as on SSL, since the ciphers are the same
 Default values more secure in S-HTTP than SSL at the time
of proposal (e.g. DES vs. RC4)
 S-HTTP generally stronger by design (more resilient to
proxy compromising)
 More complex and wider specifications create a potential for
faulty implementations
 No real-world use to field test the actual security of SHTTP
Security on the WWW
Cryptography and Network Security
48
A
B
C
D
D- Other protocols
HTTP Basic Authentication
HTTP has an authentication scheme as part of its original
protocol.
• Supported by almost all browsers and web servers.
• Password and username are sent in clear text
(base64 encoded) in the HTTP request message.
• Obviously not secure enough for sensitive information.
This scheme is being replaced by the slightly more secure
HTTP Digest Authentication, which sends a MD5 hash of the
password and other information.
Security on the WWW
Cryptography and Network Security
49
Secure Shell (SSH)
SSH client and server
applications are widely
available for most
operating systems
• Has become the method
of choice for remote login
and X tunneling
• Is rapidly becoming one
of the most pervasive
applications for
encryption technology
outside of embedded
systems
SSH2 fixes a number of
security flaws in the
original scheme
• Is documented as a
proposed standard in
IETF RFCs 4250 through
4256
A protocol for secure
network communications
designed to be relatively
simple and inexpensive to
implement
The initial version,
SSH1 was focused on
providing a secure
remote logon facility to
replace TELNET and
other remote logon
schemes that provided
no security
SSH also provides a
more general
client/server capability
and can be used for
such network functions
as file transfer and email
Transport Layer
Protocol
• Server authentication occurs at the transport layer, based
on the server possessing a public/private key pair
• A server may have multiple host keys using multiple
different asymmetric encryption algorithms
• Multiple hosts may share the same host key
• The server host key is used during key exchange to
authenticate the identity of the host
• RFC 4251 dictates two alternative trust models:
• The client has a local database that associates each host
name with the corresponding public host key
• The host name-to-key association is certified by a trusted
certification authority (CA); the client only knows the CA
root key and can verify the validity of all host keys certified
by accepted CAs
Table 6.3
SSH
Transport
Layer
Cryptographic
Algorithms
* = Required
** = Recommended
Authentication
Methods
Publickey
• The client sends a message to the server that contains the client’s public key,
with the message signed by the client’s private key
• When the server receives this message, it checks whether the supplied key is
acceptable for authentication and, if so, it checks whether the signature is
correct
Password
• The client sends a message containing a plaintext password, which is
protected by encryption by the Transport Layer Protocol
Hostbased
• Authentication is performed on the client’s host rather than the client itself
• This method works by having the client send a signature created with the
private key of the client host
• Rather than directly verifying the user’s identity, the SSH server verifies the
identity of the client host
Connection
Protocol
• The SSH Connection Protocol runs on top of the SSH Transport
Layer Protocol and assumes that a secure authentication
connection is in use
• The secure authentication connection, referred to as a tunnel, is used
by the Connection Protocol to multiplex a number of logical channels
• Channel mechanism
• All types of communication using SSH are supported using separate
channels
• Either side may open a channel
• For each channel, each side associates a unique channel number
• Channels are flow controlled using a window mechanism
• No data may be sent to a channel until a message is received to
indicate that window space is available
• The life of a channel progresses through three stages: opening a
channel, data transfer, and closing a channel
Channel Types
Four channel types are recognized in the SSH Connection Protocol specification
Session
• The remote execution of a program
• The program may be a shell, an application such as file transfer or e-mail, a system
command, or some built-in subsystem
• Once a session channel is opened, subsequent requests are used to start the remote
program
X11
• Refers to the X Window System, a computer software system and network protocol that
provides a graphical user interface (GUI) for networked computers
• X allows applications to run on a network server but to be displayed on a desktop
machine
Forwarded-tcpip
• Remote port forwarding
Direct-tcpip
• Local port forwarding
Port Forwarding
• One of the most useful features of SSH
• Provides the ability to convert any insecure TCP
connection into a secure SSH connection (also referred
to as SSH tunneling)
• Incoming TCP traffic is delivered to the appropriate
application on the basis of the port number (a port is
an identifier of a user of TCP)
• An application may employ multiple port numbers
Secure Electronic Transactions
(SET)
 open encryption & security specification
 to protect Internet credit card
transactions
 developed in 1996 by Mastercard, Visa etc
 not a payment system
 rather a set of security protocols &
formats
secure communications amongst parties
 trust from use of X.509v3 certificates
 privacy by restricted info to those who need it

Cryptography and Network Security
62
SET Components
Cryptography and Network Security
63
SET Transaction
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
customer opens account
customer receives a certificate
merchants have their own certificates
customer places an order
merchant is verified
order and payment are sent
merchant requests payment authorization
merchant confirms order
merchant provides goods or service
merchant requests payment
Cryptography and Network Security
64
Dual Signature
 customer creates dual messages
order information (OI) for merchant
 payment information (PI) for bank

 neither party needs details of other
 but must know they are linked
 use a dual signature for this

signed concatenated hashes of OI & PI
Cryptography and Network Security
65
Purchase Request – Customer
Cryptography and Network Security
66
Purchase Request – Merchant
Cryptography and Network Security
67
Purchase Request – Merchant
1.
2.
3.
4.
verifies cardholder certificates using CA sigs
verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
processes order and forwards the payment
information to the payment gateway for
authorization (described later)
sends a purchase response to cardholder
Cryptography and Network Security
68
Payment Gateway Authorization
1.
2.
3.
4.
5.
6.
7.
8.
verifies all certificates
decrypts digital envelope of authorization block to obtain
symmetric key & then decrypts authorization block
verifies merchant's signature on authorization block
decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
verifies dual signature on payment block
verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
requests & receives an authorization from issuer
sends authorization response back to merchant
Cryptography and Network Security
69
Payment Capture
 merchant sends payment gateway a
payment capture request
 gateway checks request
 then causes funds to be transferred to
merchants account
 notifies merchant using capture response
Cryptography and Network Security
70
Summary
• Web security considerations
• Web security threats
• Web traffic security approaches
• Secure sockets layer
•
•
•
•
•
•
SSL architecture
SSL record protocol
Change cipher spec protocol
Alert protocol
Handshake protocol
Cryptographic computations
• HTTPS
• Connection initiation
• Connection closure
• Transport layer security
Version number
Message authentication code
Pseudorandom function
Alert codes
Cipher suites
Client certificate types
Certificate_verify and finished
messages
• Cryptographic computations
• Padding
•
•
•
•
•
•
•
•
•
•
•
Secure shell (SSH)
Transport layer protocol
User authentication protocol
Communication protocol
• SET secure credit card
payment protocols