563.4 Web Services Presented by: Carl A. Gunter University of Illinois Spring 2006.
CSE 331: Introduction to Networks and Security Fall 2000 Instructor: Carl A. Gunter Slide Set 7.
-
Upload
barbra-knight -
Category
Documents
-
view
216 -
download
0
Transcript of CSE 331: Introduction to Networks and Security Fall 2000 Instructor: Carl A. Gunter Slide Set 7.
CSE 331: Introduction to Networks and Security
Fall 2000Instructor: Carl A. Gunter
Slide Set 7
Secure Socket Layer (SSL)
Session protocol with: Server authentication. Client authentication optional. Integrity checksum. Confidentiality.
Possibly the most important security-related ecommerce protocol.
Connection sets up security parameters.
Many sessions possible within a given connection.
Network Layer Security
HTTP FTP SMTP
TCP
IP/IPSec
Transport Layer Security
HTTP FTP SMTP
TCP
IP
SSL or TLS
Application Layer Security
S/MIME PGP SET
TCP
IP
SMTP HTTP
UDP
Kerberos
SSL Protocol Stack
TCP
IP
SSL Record Protocol
HandshakeChange
Cipher SpecAlert HTTP
SSL Record
ContentType
MajorVersion
MinorVersion
Length
Payload
Content Types
Handshake
Change Cipher Spec
Alert
Opaque Content
Type Length Content
1 byte 3 bytes 0 bytes
1
Level Alert
Higher-Level Protocol Content
1 byte
1 byte 1 byte
1 bytes
Creating Opaque Content
Begin with application data. Fragment it into blocks of 2**14
bytes or less. Optionally compress the fragments. Add a message authentication code
(MAC) to the compressed data to ensure integrity.
Encrypt the data to ensure confidentiality.
Add SSL record header (4 fields).
What Is Needed?
Negotiation of cryptographic protocols.
Initial authentication. Key exchange to set up:
Bulk encryption. MAC.
How is this Done?
The handshake protocol negotiates the protocols to be used for authentication and bulk encryption.
The handshake protocol carries out initial authentication.
The handshake protocol establishes a 48 byte pre-master secret. Client and server use this to derive a 48 byte
master secret. The master secret is used to generate a key
block of sufficient length to supply all needed cryptographic parameters.
MAC Calculation
A MAC write secret, MACWS, is extracted from the key block.
A hash function H is selected: either MD5 or SSH.
The MAC is defined as follows.
H( MACWS || pad2 || H( MACWS || pad1 || seq_no || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ))
SSL Key Exchange Protocols
RSA Fixed Diffie-Hellman Ephemeral Diffie-Hellman Anonymous Diffie-Hellman Fortezza
SSL Bulk Encryption Protocols
Protocol (type, key length) IDEA (block, 128) RC2-40 (block, 40) DES-40 (block, 40) DES (block, 56) 3DES (block, 168) Fortezza (block, 80) RC4-40 (stream, 40) RC4-128 (stream, 128)
SSL Handshake Protocol Phases
Establish Security Capabilities Server Authentication and Key
Exchange Client Authentication and Key
Exchange Finish
Establish Security Capabilities
Client Hello
Server Hello
Client Server
Time
Client Hello
1. Highest version number understood by client.
2. 32-bit timestamp and 28-bit nonce.3. Session identifier.
Nonzero value: update parameters of existing connection.
Zero value: new connection and session.
4. CipherSuite list in order of preference. A CipherSuite identifies a key exchange protocol and other parameters.
5. List of compression methods.
CipherSuite
BulkCipherAlgorithm (as given earlier).
MACAlgorithm (SHA-1 or MD5). CipherType (stream or block). IsExportable (true or false). HashSize: 0, 16 (for MD5), or 20 (for
SHA-1) bytes.
Server Hello
1. Highest version number supplied by client and acceptable to server.
2. Time and nonce from server (independent of same from client).
3. Session identifier. If non-zero from client then same value from
server. Otherwise proposed by server.
4. First cipher suite proposed by client and supported by server.
5. First compression method proposed by client and supported by server.
Server Auth & Key Exchange
Server Hello Done
Client Server
Time
Certificate Request
Server Key Exchange
Certificate
Optional
Certificate
List of x.509 certificates. Required for all protocols except
anonymous Diffie-Hellman.
Server Key Exchange
Protocol-dependent keying material. Needed for all except RSA and fixed
Diffie-Hellman. Example: in anonymous Diffie-
Hellman this message consists of a prime number, a primitive root for it, and the Diffie-Hellman public key for the server.
Certificate Request
Requests a certificate type (e.g. DSS for ephemeral Diffie-Hellman).
Specifies a list of certificate authorities.
Server Done
Indicates that all messages in the server authentication phase have been sent and server is now awaiting a client response.
Client Auth & Key Exchange
Client Server
Time
Certificate Request
Client Key Exchange
Certificate
Optional
Optional
Certificate
Client sends an X.509 certificate as requested by server or sends a No Certificate Alert.
Client Key Exchange
Protocol-dependent keying material. Example: In RSA the client generates
a 48 byte secret and encrypts it using the public key of the server (from the Server Key Exchange message).
Certificate Verification
Contains explicit verification of client certificate.
Client signs the hash of a concatenation of the master secret and handshake messages.
Client Auth & Key ExchangeClient Server
Time
Change Cipher Spec
Finish
Change Cipher Spec
Finish
Client and Server
The Change CipherSpec message causes the CipherSpec to become active. This is not a handshake record, but a record in the Change CipherSpec protocol.
Each party sends the Finished message under the new CipherSpec.
The message contains hashes using MD5 and SHA-1 containing the master secret and the handshake messages.
Master Secret
The Master Secret is computed from the Pre-Master Secret as follows:
MasterSecret = MD5( PreMasterSecret || SHA(“A” || PreMasterSecret || ClientHello.random || ServerHello.random)) || MD5( PreMasterSecret || SHA(“BB” || PreMasterSecret || ClientHello.random || ServerHello.random)) || MD5( PreMasterSecret || SHA(“CCC” || PreMasterSecret || ClientHello.random || ServerHello.random))
Cryptographic Parameters
The remaining cryptographic parameters are computed by iterating the following pattern.
KeyBlock = MD5( MasterSecret || SHA(“A” || MasterSecret || ClientHello.random || ServerHello.random)) || MD5( MasterSecret || SHA(“BB” || MasterSecret || ClientHello.random || ServerHello.random)) || MD5( MasterSecret || SHA(“CCC” || MasterSecret || ClientHello.random || ServerHello.random)) ||
Cryptographic Parameters
Client write MAC secret. Server write MAC secret. Client write key. Server write key. Client write IV. Server write IV.
Alerts
Unexpected message. Bad MAC. Decompression failure. Handshake failure, unable to
negotiate an acceptable set of security protocols.
Illegal parameter in handshake message.
Close notify.
Alerts, Continued
No certificate. Bad certificate. Unsupported certificate. Certificate revoked. Certificate expired. Certificate unknown: an unspecified
issue arose in certificate verification.
Electronic Commerce
Electronic data interchange. Some illustrative scenarios. Tools supporting ecommerce. Public key infrastructure.
EDI
Electronic data interchange (EDI) is a format for computer-to-computer business exchanges like: Purchase orders, Invoices, Payment advices.
Standards. ANSI x12. United nations economic commission for
Europe: EDI for administration, commerce, and transport (EDIFACT).
EDI on the Internet
Early use of EDI was mainly on Value Added Networks (VAN’s) based primarily on dedicated and dailup links, and terminal emulation.
Internet offers a lower cost option and more flexibility. Connecting VAN’s to the Internet. Using electronic messaging (MIME).
E-Commerce and Security
Security is the primary technical issue for expanding electronic commerce.
Cryptography is one tool among many for achieving the necessary guarantees.
Approaches to e-commerce must be delivered using widely-accepted tools and techniques.
Secure E-Mail
Privacy Enhanced Mail (PEM). MIME Object Security Services
(MOSS). S/MIME. (Applying PKCS #7 to MIME
body parts.) ITU X.400 secure messaging
protocols. (Not compatible with Internet messaging.)
Message Security Protocol (MSP). (Comprehensive set of DoD protocols.)
Web Security
Secure Socket Layer (SSL). Secure HTTP (S-HTTP).
Request/response protocol. https:// versus shttp://
Mobile or Downloadable Code
Java. Protection via language runtime system
guarantees. ActiveX. Microsoft Authenticode.
Other Protocols
EDI security: ANSI X12.58 or S/MIME. Secure Electronic Transaction (SET).
Visa and MasterCard. CyberCash. Intermediary between
Web-based merchants and credit card banks.
CheckFree. Electronic checks. First Virtual. Credit card payments
via email.
Public Key Infrastructure
Mutual authentication of participants in a transaction requires a system of identities.
Principals are identified by public keys.
These keys can be used for authentication, but only if “spoofing” is prevented.
A PKI provides a basis for establishing trust.
PKI Systems
ITU X.509 (viz. IETF PKIX). PGP “web of trust”. DNS sec. Simple public key infrastructure
(SPKI - IETF alternative to X.509). QCM (Web-like system from
Penn/AT&T).
X.509
Part of the X.500 series of standards: the ISO/ITU Directory.
Originally intended to support access control for the directory as part of the Directory Access Protocol (DAP).
Dominant candidate now for PKI to support electronic commerce, although adoption has been slow.
X.509 Certificates
X.509 certificates bind a subject to a public key.This binding is signed by a Certificate Authority (CA).
Subject Name
Subject Public Key
CA Name
CA Signature
Subject Name
Subject Public Key
CA Name
CA Signature
Chaining
Pennsylvania CA
Pennsylvania CA Key
USA CA
Philly CA
Philly CA Key
Pennsylvania CA
Joe Smith
Joe’s Key
Philly CA
Subject
Subject’s Key
Issuer
Certificate Distribution
Certificate accompanying signature. Directory service.
DAP. LDAP. DNS SEC.
Email (S/MIME and MOSS). Primary technique: cut and paste
from web pages!
X.509 Certificate Format (v3)
Required fields. Optional fields.
Required Fields
Version of format (1,2, or 3 currently). Serial number. Signature algorithm identifier.
Examples: DSS with SHA hash. RSA with MD5 hash.
Issuer (CA) X.500 name. Validity period (start and expiry
times).
Required Fields, Continued
Subject X.500 name. Subject public key information.
Algorithm identifier. Public key value.
Issuer signature.
Optional Fields
Issuer unique identifier. Subject unique identifier. Extensions.
Extension type. Critical/Non-critical. Extension field value.
Certificate Revocation Lists
Sometimes it is necessary to terminate certificates before their expiration time.
How does the relying party know that the certificate has been revoked?
Mitre report for NIST suggests certificate revocation will be the largest maintenance cost for PKI’s.
Many distribution strategies proposed.
Semantics of CRL’s
Three certificates.1. Q says P is the public key of Alice.2. R says P is the public key of Alice.3. Q says R is the public key of Bob.
Three kinds of revocation.1. P is not the public key of Alice. (3 not
2.)2. Q no longer vouches for whether P is the
public key of Alice. (2 and 3.)3. The key of Q has been compromised. (2
not 3.)1998 Fox and LaMacchia
Revoke
The Future
Strong market trend towards using public keys and certificates.
Many PKI security vendors arriving on the market.
None of these widely used.
The Future, Continued
Export problems continue. Large-scale CA hierarchies analogous
to DNS have not emerged. PKI’s have very limited use
compared to potential. Will this change?
Network Security
Here are some of the reasons that networks have security problems: Sharing Complexity Unknown perimeter Many points of attack Anonymity Unknown paths
What are the Threats?
Interception of data in transit Access to programs or data at
remote hosts Modification of programs or data
remote hosts Modification of data in transit Insertion of communications
impersonating a user
Threats, Continued
Insertion of a repeat of a repeat of a previous communication
Blocking of selected traffic Blocking of all traffic Running a program at a remote host.
Layers for Encryption
Link Network Transport Application
Division of Labor in the Internet
Hosts
Routers
Networks
Link
Network
Transport
Application
Link
Network
Transport
Application
Link
Network
Link
Network
TCP/IP Protocol Stack
Host HostRouter Router
Message Processing Sequence
Link
Network
Transport
App2
Link
Network
Transport
Link
Network
Link
Network
App1 App2App1
Encapsulation
LinkLink IP TCP Application
Link Layer Frame
Network LayerHeader
Transport LayerHeader
Application LayerPayload
Link Layer Encryption
LinkLink IP TCP Application
Encrypted
Network Layer Encryption
LinkLink IP TCP Application
LinkLink New IP TCP ApplicationKey ID IP
Encrypted
Transport Layer Encryption
LinkLink IP TCP Application
LinkLink IP TCP ApplicationKey ID
Encrypted
Transport Layer Security Protocol
Link
Network
TLSP
App2
Link
Network
TLSP
Link
Network
Link
Network
App1 App2App1
Transport Transport
Application Layer Encryption
LinkLink IP TCP Application
LinkLink IP TCP ApplicationKey ID
Encrypted
Message Processing Sequence
Link
Network
Transport
App2
Link
Network
Transport
Link
Network
Link
Network
App1 App2App1
App2 Sec App2 Sec
Link Layer Encryption
Advantages: transparent to applications hardware solution possible
Disadvantages: encryption hop-by-hop
IP Layer Encryption
Advantages transparent to applications amenable to hardware
Disadvantages routing more complex
Transport Layer Encryption
Advantages transparent to applications
Disadvantages probably implemented in software
Application Layer Encryption
Advantages: customize to application no special protocol stack required:
transparent to networking Disadvantages:
hard to share between applications
Firewalls
GatewayInside Outside
Filter Filter
Filters protect against “bad” packets.A gateway machine restores needed services.Protect services offered internally from outside access.Provide outside services to hosts located inside.
Possible Firewall Architecture
Hosts
Routers
Networks
Internal Network
External Network
Gateway
DMZ
Filtering Routers
“Demilitarized Zone”
Benefits of Firewalls
Increased security for internal hosts. Reduced amount of effort required to
counter break ins. Possible added convenience of
operation within firewall (with some risk).
Reduced legal and other costs associated with sponsoring hacker activities.
Costs of Firewalls
Hardware purchase and maintenance
Software development or purchase, and update costs
Administrative setup and training, and ongoing administrative costs and trouble-shooting
Lost business or inconvenience from broken gateway
Loss of some services that an open connection would supply.
Firewall Placement
Kinds of Firewalls
Filtering: operates by filtering based on packet headers
Circuit: operates at the level of TCP Application: operates at the level of
the application
Filtering Firewalls
Filtering can take advantage of the following information from network and transport layer headers: Source Destination Source Port Destination Port Flags
IPv4 Packet Format
IPv4 (Version field set to “4”)
Version Hlen TOS Length
Ident Flags Offset
TTL Protocol Checksum
SourceAddr
DestinationAddr
Options(variable length) Pad
Other Headersand Payload
TCP and UDP packets
Protocols support O.S. “port numbers”:
SrcPort DstPort
Checksum Length SequenceNum
SrcPort DstPort
Options (variable)
Checksum UrgPtr
HL 0 Flags Advert.Wind.
Acknowledgment
Other Headersand Payload
UDP TCP
Other Headersand Payload
Three-Way Handshake
TCP State Transitions
Ports
Ports are used to distinguish applications and services on a machine.
Low numbered ports are often reserved for server listening.
High numbered ports are often assigned for client requests.
Port 7 (UDP,TCP): echo server
Port 13 (UDP,TCP): daytime
Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 23 (TCP): telnet Port 25 (TCP): SMTP Port 79 (TCP): finger Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP):
X11
Filter Example
Action ourhost port theirhost port commentblock * * SPIGOT * we don’t trust these peopleallow GW 25 * * connect to our SMTP port
Action ourhost port theirhost port commentblock * * * * default
Apply rules from top to bottom with assumed default entry:
Bad entry intended to allow connections to SMTP from inside:
Action ourhost port theirhost port commentallow * * * 25 connection to their SMTP
This allows all connections from port 25, but an outside machinecan run anything on its port 25.
Filter Example Continued
Action src port dest port flags commentallow {our hosts} * * 25 our pkts to their SMTPallow * 25 * * ACK their replies
Permit outgoing calls to port 25.
When to Filter
Router
Inside Outside
On Input or Output
Filtering on output can be more efficient since it can be combined with table lookup of the route.
However, some information is lost at this stage such as the physical input port on which the packet arrived.
This can be useful information to prevent address spoofing.
Filtering on input can protect the router itself.
Recommend: Filter ASAP
Action src port dest port commentblock SPIGOT * * * we don’t trust themallow * * GW 25 connect to our SMTPallow GW 25 * * our reply packets
Action src port dest port commentblock * * SPIGOT * subtle differenceallow * * GW 25 connect to our SMTPallow GW 25 * * our reply packets
Is preferred over:
Example of a Pitfall
Filter output to allow incoming and outgoing mail, but prohibit all else.
Apply this output filter set to both interfaces of the router. Does it work?
Unintended consequence: allows all communication on high numbered ports!
Action dest port commentallow * 25 incoming mailallow * >= 1024 outgoing responsesblock * * nothing else
Router
Inside Outside
Router
Net 1
Outside
Larger Example
Gateway
Net 2
Net 3
AB
Security Policy
Very limited connections through the router between GW and the outside world.
Very limited, but possibly different, connections are permitted between GW and anything in Net 2 or Net 3.
Anything can pass between Net 2 and Net 3.
Outgoing calls only are allowed between Net 2 or Net 3 and the outside world.
Using Input Filters
This is very difficult or impossible to achieve with output filtering only.
Example: how can output filters be used to ensure that a spoofed source from the outside does not make it appear that the packet goes from Net 2 to Net 3?
Filter on Input to Interface A
Action src port dest port flags commentblock {net 1} * * * * block forgeriesblock {net 2} * * * *block {net 3} * * * *allow * * GW 25 legal calls to usallow * * {net 2} * ACK replies to our callsallow * * {net 3} * ACK
Filter on Input to Interface B
Action src port dest port flags commentallow GW * {partners} 25 mail relayallow GW * {net 2} * ACK replies to inside callsallow GW * {net 3} * ACKblock GW * {net 2} * stop other GW callsblock GW * {net 3} *allow GW * * * let GW call the world
Doing it with Output Filtering
For a two-port router, input filtering on one port is the same asoutput filtering on the other.
RouterXY
Use two routers!
Two Routers, Same Rules
Router
Outside
Gateway
Net 2
Net 3
A
BRouter
Application Level Gateways
The gateway acts as an intermediary at the level of the application, receiving outgoing commands, relaying them, obtaining responses and relaying them back to the source.
Mail gateways are a typical example. Very strong control over security, but Special purpose software is required.
Circuit Level Gateways
Caller connects to a TCP port on the gateway and the gateway connects to a TCP port on the other side. It relays bytes, acting like a wire.
More general-purpose than application-level but allows finer control than filtering only.
Example: valuable logs of connections can be kept.