CSE 331: Introduction to Networks and Security

Fall 2000Instructor: Carl A. Gunter

Slide Set 7

Secure Socket Layer (SSL)

Session protocol with: Server authentication. Client authentication optional. Integrity checksum. Confidentiality.

Possibly the most important security-related ecommerce protocol.

Connection sets up security parameters.

Many sessions possible within a given connection.

Network Layer Security

HTTP FTP SMTP

TCP

IP/IPSec

Transport Layer Security

HTTP FTP SMTP

TCP

IP

SSL or TLS

Application Layer Security

S/MIME PGP SET

TCP

IP

SMTP HTTP

UDP

Kerberos

SSL Protocol Stack

TCP

IP

SSL Record Protocol

HandshakeChange

Cipher SpecAlert HTTP

SSL Record

ContentType

MajorVersion

MinorVersion

Length

Payload

Content Types

Handshake

Change Cipher Spec

Alert

Opaque Content

Type Length Content

1 byte 3 bytes 0 bytes

1

Level Alert

Higher-Level Protocol Content

1 byte

1 byte 1 byte

1 bytes

Creating Opaque Content

Begin with application data. Fragment it into blocks of 2**14

bytes or less. Optionally compress the fragments. Add a message authentication code

(MAC) to the compressed data to ensure integrity.

Encrypt the data to ensure confidentiality.

Add SSL record header (4 fields).

What Is Needed?

Negotiation of cryptographic protocols.

Initial authentication. Key exchange to set up:

Bulk encryption. MAC.

How is this Done?

The handshake protocol negotiates the protocols to be used for authentication and bulk encryption.

The handshake protocol carries out initial authentication.

The handshake protocol establishes a 48 byte pre-master secret. Client and server use this to derive a 48 byte

master secret. The master secret is used to generate a key

block of sufficient length to supply all needed cryptographic parameters.

MAC Calculation

A MAC write secret, MACWS, is extracted from the key block.

A hash function H is selected: either MD5 or SSH.

The MAC is defined as follows.

H( MACWS || pad2 || H( MACWS || pad1 || seq_no || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ))

SSL Key Exchange Protocols

RSA Fixed Diffie-Hellman Ephemeral Diffie-Hellman Anonymous Diffie-Hellman Fortezza

SSL Bulk Encryption Protocols

Protocol (type, key length) IDEA (block, 128) RC2-40 (block, 40) DES-40 (block, 40) DES (block, 56) 3DES (block, 168) Fortezza (block, 80) RC4-40 (stream, 40) RC4-128 (stream, 128)

SSL Handshake Protocol Phases

Establish Security Capabilities Server Authentication and Key

Exchange Client Authentication and Key

Exchange Finish

Establish Security Capabilities

Client Hello

Server Hello

Client Server

Time

Client Hello

1. Highest version number understood by client.

2. 32-bit timestamp and 28-bit nonce.3. Session identifier.

Nonzero value: update parameters of existing connection.

Zero value: new connection and session.

4. CipherSuite list in order of preference. A CipherSuite identifies a key exchange protocol and other parameters.

5. List of compression methods.

CipherSuite

BulkCipherAlgorithm (as given earlier).

MACAlgorithm (SHA-1 or MD5). CipherType (stream or block). IsExportable (true or false). HashSize: 0, 16 (for MD5), or 20 (for

SHA-1) bytes.

Server Hello

1. Highest version number supplied by client and acceptable to server.

2. Time and nonce from server (independent of same from client).

3. Session identifier. If non-zero from client then same value from

server. Otherwise proposed by server.

4. First cipher suite proposed by client and supported by server.

5. First compression method proposed by client and supported by server.

Server Auth & Key Exchange

Server Hello Done

Client Server

Time

Certificate Request

Server Key Exchange

Certificate

Optional

Certificate

List of x.509 certificates. Required for all protocols except

anonymous Diffie-Hellman.

Server Key Exchange

Protocol-dependent keying material. Needed for all except RSA and fixed

Diffie-Hellman. Example: in anonymous Diffie-

Hellman this message consists of a prime number, a primitive root for it, and the Diffie-Hellman public key for the server.

Certificate Request

Requests a certificate type (e.g. DSS for ephemeral Diffie-Hellman).

Specifies a list of certificate authorities.

Server Done

Indicates that all messages in the server authentication phase have been sent and server is now awaiting a client response.

Client Auth & Key Exchange

Client Server

Time

Certificate Request

Client Key Exchange

Certificate

Optional

Optional

Certificate

Client sends an X.509 certificate as requested by server or sends a No Certificate Alert.

Client Key Exchange

Protocol-dependent keying material. Example: In RSA the client generates

a 48 byte secret and encrypts it using the public key of the server (from the Server Key Exchange message).

Certificate Verification

Contains explicit verification of client certificate.

Client signs the hash of a concatenation of the master secret and handshake messages.

Client Auth & Key ExchangeClient Server

Time

Change Cipher Spec

Finish

Change Cipher Spec

Finish

Client and Server

The Change CipherSpec message causes the CipherSpec to become active. This is not a handshake record, but a record in the Change CipherSpec protocol.

Each party sends the Finished message under the new CipherSpec.

The message contains hashes using MD5 and SHA-1 containing the master secret and the handshake messages.

Master Secret

The Master Secret is computed from the Pre-Master Secret as follows:

MasterSecret = MD5( PreMasterSecret || SHA(“A” || PreMasterSecret || ClientHello.random || ServerHello.random)) || MD5( PreMasterSecret || SHA(“BB” || PreMasterSecret || ClientHello.random || ServerHello.random)) || MD5( PreMasterSecret || SHA(“CCC” || PreMasterSecret || ClientHello.random || ServerHello.random))

Cryptographic Parameters

The remaining cryptographic parameters are computed by iterating the following pattern.

KeyBlock = MD5( MasterSecret || SHA(“A” || MasterSecret || ClientHello.random || ServerHello.random)) || MD5( MasterSecret || SHA(“BB” || MasterSecret || ClientHello.random || ServerHello.random)) || MD5( MasterSecret || SHA(“CCC” || MasterSecret || ClientHello.random || ServerHello.random)) ||

Cryptographic Parameters

Client write MAC secret. Server write MAC secret. Client write key. Server write key. Client write IV. Server write IV.

Alerts

Unexpected message. Bad MAC. Decompression failure. Handshake failure, unable to

negotiate an acceptable set of security protocols.

Illegal parameter in handshake message.

Close notify.

Alerts, Continued

No certificate. Bad certificate. Unsupported certificate. Certificate revoked. Certificate expired. Certificate unknown: an unspecified

issue arose in certificate verification.

Electronic Commerce

Electronic data interchange. Some illustrative scenarios. Tools supporting ecommerce. Public key infrastructure.

EDI

Electronic data interchange (EDI) is a format for computer-to-computer business exchanges like: Purchase orders, Invoices, Payment advices.

Standards. ANSI x12. United nations economic commission for

Europe: EDI for administration, commerce, and transport (EDIFACT).

EDI on the Internet

Early use of EDI was mainly on Value Added Networks (VAN’s) based primarily on dedicated and dailup links, and terminal emulation.

Internet offers a lower cost option and more flexibility. Connecting VAN’s to the Internet. Using electronic messaging (MIME).

E-Commerce and Security

Security is the primary technical issue for expanding electronic commerce.

Cryptography is one tool among many for achieving the necessary guarantees.

Approaches to e-commerce must be delivered using widely-accepted tools and techniques.

Secure E-Mail

Privacy Enhanced Mail (PEM). MIME Object Security Services

(MOSS). S/MIME. (Applying PKCS #7 to MIME

body parts.) ITU X.400 secure messaging

protocols. (Not compatible with Internet messaging.)

Message Security Protocol (MSP). (Comprehensive set of DoD protocols.)

Web Security

Secure Socket Layer (SSL). Secure HTTP (S-HTTP).

Request/response protocol. https:// versus shttp://

Mobile or Downloadable Code

Java. Protection via language runtime system

guarantees. ActiveX. Microsoft Authenticode.

Other Protocols

EDI security: ANSI X12.58 or S/MIME. Secure Electronic Transaction (SET).

Visa and MasterCard. CyberCash. Intermediary between

Web-based merchants and credit card banks.

CheckFree. Electronic checks. First Virtual. Credit card payments

via email.

Public Key Infrastructure

Mutual authentication of participants in a transaction requires a system of identities.

Principals are identified by public keys.

These keys can be used for authentication, but only if “spoofing” is prevented.

A PKI provides a basis for establishing trust.

PKI Systems

ITU X.509 (viz. IETF PKIX). PGP “web of trust”. DNS sec. Simple public key infrastructure

(SPKI - IETF alternative to X.509). QCM (Web-like system from

Penn/AT&T).

X.509

Part of the X.500 series of standards: the ISO/ITU Directory.

Originally intended to support access control for the directory as part of the Directory Access Protocol (DAP).

Dominant candidate now for PKI to support electronic commerce, although adoption has been slow.

X.509 Certificates

X.509 certificates bind a subject to a public key.This binding is signed by a Certificate Authority (CA).

Subject Name

Subject Public Key

CA Name

CA Signature

Subject Name

Subject Public Key

CA Name

CA Signature

Chaining

Pennsylvania CA

Pennsylvania CA Key

USA CA

Philly CA

Philly CA Key

Pennsylvania CA

Joe Smith

Joe’s Key

Philly CA

Subject

Subject’s Key

Issuer

Certificate Distribution

Certificate accompanying signature. Directory service.

DAP. LDAP. DNS SEC.

Email (S/MIME and MOSS). Primary technique: cut and paste

from web pages!

X.509 Certificate Format (v3)

Required fields. Optional fields.

Required Fields

Version of format (1,2, or 3 currently). Serial number. Signature algorithm identifier.

Examples: DSS with SHA hash. RSA with MD5 hash.

Issuer (CA) X.500 name. Validity period (start and expiry

times).

Required Fields, Continued

Subject X.500 name. Subject public key information.

Algorithm identifier. Public key value.

Issuer signature.

Optional Fields

Issuer unique identifier. Subject unique identifier. Extensions.

Extension type. Critical/Non-critical. Extension field value.

Certificate Revocation Lists

Sometimes it is necessary to terminate certificates before their expiration time.

How does the relying party know that the certificate has been revoked?

Mitre report for NIST suggests certificate revocation will be the largest maintenance cost for PKI’s.

Many distribution strategies proposed.

Semantics of CRL’s

Three certificates.1. Q says P is the public key of Alice.2. R says P is the public key of Alice.3. Q says R is the public key of Bob.

Three kinds of revocation.1. P is not the public key of Alice. (3 not

2.)2. Q no longer vouches for whether P is the

public key of Alice. (2 and 3.)3. The key of Q has been compromised. (2

not 3.)1998 Fox and LaMacchia

Revoke

The Future

Strong market trend towards using public keys and certificates.

Many PKI security vendors arriving on the market.

None of these widely used.

The Future, Continued

Export problems continue. Large-scale CA hierarchies analogous

to DNS have not emerged. PKI’s have very limited use

compared to potential. Will this change?

Network Security

Here are some of the reasons that networks have security problems: Sharing Complexity Unknown perimeter Many points of attack Anonymity Unknown paths

What are the Threats?

Interception of data in transit Access to programs or data at

remote hosts Modification of programs or data

remote hosts Modification of data in transit Insertion of communications

impersonating a user

Threats, Continued

Insertion of a repeat of a repeat of a previous communication

Blocking of selected traffic Blocking of all traffic Running a program at a remote host.

Layers for Encryption

Link Network Transport Application

Division of Labor in the Internet

Hosts

Routers

Networks

Link

Network

Transport

Application

Link

Network

Transport

Application

Link

Network

Link

Network

TCP/IP Protocol Stack

Host HostRouter Router

Message Processing Sequence

Link

Network

Transport

App2

Link

Network

Transport

Link

Network

Link

Network

App1 App2App1

Encapsulation

LinkLink IP TCP Application

Link Layer Frame

Network LayerHeader

Transport LayerHeader

Application LayerPayload

Link Layer Encryption

LinkLink IP TCP Application

Encrypted

Network Layer Encryption

LinkLink IP TCP Application

LinkLink New IP TCP ApplicationKey ID IP

Encrypted

Transport Layer Encryption

LinkLink IP TCP Application

LinkLink IP TCP ApplicationKey ID

Encrypted

Transport Layer Security Protocol

Link

Network

TLSP

App2

Link

Network

TLSP

Link

Network

Link

Network

App1 App2App1

Transport Transport

Application Layer Encryption

LinkLink IP TCP Application

LinkLink IP TCP ApplicationKey ID

Encrypted

Message Processing Sequence

Link

Network

Transport

App2

Link

Network

Transport

Link

Network

Link

Network

App1 App2App1

App2 Sec App2 Sec

Link Layer Encryption

Advantages: transparent to applications hardware solution possible

Disadvantages: encryption hop-by-hop

IP Layer Encryption

Advantages transparent to applications amenable to hardware

Disadvantages routing more complex

Transport Layer Encryption

Advantages transparent to applications

Disadvantages probably implemented in software

Application Layer Encryption

Advantages: customize to application no special protocol stack required:

transparent to networking Disadvantages:

hard to share between applications

Firewalls

GatewayInside Outside

Filter Filter

Filters protect against “bad” packets.A gateway machine restores needed services.Protect services offered internally from outside access.Provide outside services to hosts located inside.

Possible Firewall Architecture

Hosts

Routers

Networks

Internal Network

External Network

Gateway

DMZ

Filtering Routers

“Demilitarized Zone”

Benefits of Firewalls

Increased security for internal hosts. Reduced amount of effort required to

counter break ins. Possible added convenience of

operation within firewall (with some risk).

Reduced legal and other costs associated with sponsoring hacker activities.

Costs of Firewalls

Hardware purchase and maintenance

Software development or purchase, and update costs

Administrative setup and training, and ongoing administrative costs and trouble-shooting

Lost business or inconvenience from broken gateway

Loss of some services that an open connection would supply.

Firewall Placement

Kinds of Firewalls

Filtering: operates by filtering based on packet headers

Circuit: operates at the level of TCP Application: operates at the level of

the application

Filtering Firewalls

Filtering can take advantage of the following information from network and transport layer headers: Source Destination Source Port Destination Port Flags

IPv4 Packet Format

IPv4 (Version field set to “4”)

Version Hlen TOS Length

Ident Flags Offset

TTL Protocol Checksum

SourceAddr

DestinationAddr

Options(variable length) Pad

Other Headersand Payload

TCP and UDP packets

Protocols support O.S. “port numbers”:

SrcPort DstPort

Checksum Length SequenceNum

SrcPort DstPort

Options (variable)

Checksum UrgPtr

HL 0 Flags Advert.Wind.

Acknowledgment

Other Headersand Payload

UDP TCP

Other Headersand Payload

Three-Way Handshake

TCP State Transitions

Ports

Ports are used to distinguish applications and services on a machine.

Low numbered ports are often reserved for server listening.

High numbered ports are often assigned for client requests.

Port 7 (UDP,TCP): echo server

Port 13 (UDP,TCP): daytime

Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 23 (TCP): telnet Port 25 (TCP): SMTP Port 79 (TCP): finger Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP):

X11

Filter Example

Action ourhost port theirhost port commentblock * * SPIGOT * we don’t trust these peopleallow GW 25 * * connect to our SMTP port

Action ourhost port theirhost port commentblock * * * * default

Apply rules from top to bottom with assumed default entry:

Bad entry intended to allow connections to SMTP from inside:

Action ourhost port theirhost port commentallow * * * 25 connection to their SMTP

This allows all connections from port 25, but an outside machinecan run anything on its port 25.

Filter Example Continued

Action src port dest port flags commentallow {our hosts} * * 25 our pkts to their SMTPallow * 25 * * ACK their replies

Permit outgoing calls to port 25.

When to Filter

Router

Inside Outside

On Input or Output

Filtering on output can be more efficient since it can be combined with table lookup of the route.

However, some information is lost at this stage such as the physical input port on which the packet arrived.

This can be useful information to prevent address spoofing.

Filtering on input can protect the router itself.

Recommend: Filter ASAP

Action src port dest port commentblock SPIGOT * * * we don’t trust themallow * * GW 25 connect to our SMTPallow GW 25 * * our reply packets

Action src port dest port commentblock * * SPIGOT * subtle differenceallow * * GW 25 connect to our SMTPallow GW 25 * * our reply packets

Is preferred over:

Example of a Pitfall

Filter output to allow incoming and outgoing mail, but prohibit all else.

Apply this output filter set to both interfaces of the router. Does it work?

Unintended consequence: allows all communication on high numbered ports!

Action dest port commentallow * 25 incoming mailallow * >= 1024 outgoing responsesblock * * nothing else

Router

Inside Outside

Router

Net 1

Outside

Larger Example

Gateway

Net 2

Net 3

AB

Security Policy

Very limited connections through the router between GW and the outside world.

Very limited, but possibly different, connections are permitted between GW and anything in Net 2 or Net 3.

Anything can pass between Net 2 and Net 3.

Outgoing calls only are allowed between Net 2 or Net 3 and the outside world.

Using Input Filters

This is very difficult or impossible to achieve with output filtering only.

Example: how can output filters be used to ensure that a spoofed source from the outside does not make it appear that the packet goes from Net 2 to Net 3?

Filter on Input to Interface A

Action src port dest port flags commentblock {net 1} * * * * block forgeriesblock {net 2} * * * *block {net 3} * * * *allow * * GW 25 legal calls to usallow * * {net 2} * ACK replies to our callsallow * * {net 3} * ACK

Filter on Input to Interface B

Action src port dest port flags commentallow GW * {partners} 25 mail relayallow GW * {net 2} * ACK replies to inside callsallow GW * {net 3} * ACKblock GW * {net 2} * stop other GW callsblock GW * {net 3} *allow GW * * * let GW call the world

Doing it with Output Filtering

For a two-port router, input filtering on one port is the same asoutput filtering on the other.

RouterXY

Use two routers!

Two Routers, Same Rules

Router

Outside

Gateway

Net 2

Net 3

A

BRouter

Application Level Gateways

The gateway acts as an intermediary at the level of the application, receiving outgoing commands, relaying them, obtaining responses and relaying them back to the source.

Mail gateways are a typical example. Very strong control over security, but Special purpose software is required.

Circuit Level Gateways

Caller connects to a TCP port on the gateway and the gateway connects to a TCP port on the other side. It relays bytes, acting like a wire.

More general-purpose than application-level but allows finer control than filtering only.

Example: valuable logs of connections can be kept.