Working ConnectionWorking Connection

Computer and Network Computer and Network SecuritySecurity

- SSL, IPsec, Firewalls –- SSL, IPsec, Firewalls –(Chapter 17, 18, 19, and 23)(Chapter 17, 18, 19, and 23)

Working ConnectionWorking Connection

Computer and Network Computer and Network SecuritySecurity

- SSL, IPsec, Firewalls –- SSL, IPsec, Firewalls –(Chapter 17, 18, 19, and 23)(Chapter 17, 18, 19, and 23)

So far, we talked about Basic Techniques of Security…

• Those are used in many different security scenarios– Secure email– Secure transport (SSL)– IPsec

Secure e-mail

• generates random symmetric private key, KS.• encrypts message with KS

• also encrypts KS with Bob’s public key.• sends both KS(m) and eB(KS) to Bob.

• Alice wants to send secret e-mail message, m, to Bob.

Secure e-mail (continued)• Alice wants to provide sender authentication message integrity.

• Alice digitally signs message.• sends both message (in the clear) and digital signature.

Secure e-mail (continued)• Alice wants to provide secrecy, sender authentication, message integrity.

Note: Alice uses both her private key, Bob’s public key.

Secure Sockets Layer (SSL)

• SSL developed by Netscape Communications– Operates on top of TCP– Provides secure connections

• HTTP, FTP, telnet, …

– Electronic ordering & payment; e-mail– SSL 3.0 submitted to IETF for standardization

• TLS standardized by IETF (RFC 2246)– Slight differences with SSL 3.0

– www.ietf.org/html.charters/tls-charter.html

Secure sockets layer (SSL)

• SSL works at transport layer. Provides security to any TCP-based app using SSL services.

• SSL: used between WWW browsers, servers for I-commerce (shttp).

• SSL security services:– server authentication– data encryption – client authentication

(optional)

• Server authentication:– SSL-enabled browser

includes public keys for trusted CAs.

– Browser requests server certificate, issued by trusted CA.

– Browser uses CA’s public key to extract server’s public key from certificate.

SSL (continued)Encrypted SSL session:• Browser generates

symmetric session key, encrypts it with server’s public key, sends encrypted key to server.

• Using its private key, server decrypts session key.

• Browser, server agree that future msgs will be encrypted.

• All data sent into TCP socket (by client or server) i encrypted with session key.

• SSL: basis of IETF Transport Layer Security (TLS).

• Client authentication can be done with client certificates.

Transport Layer Security (TLS)

• TLS protocols operate at two layers• TLS Record Protocol operates on top of TCP• Protocols on top of TLS Record Protocol

– TLS Handshake Protocol– TLS Change Cipher Specification Protocol– TLS Alert Protocol

TCP

TLS Record Protocol

HandshakeProtocol

Change cipher spec Protocol

AlertProtocol

HTTPProtocol

IP

TLS Record Protocol• TLS Record protocol provides

– Privacy service through secret key encryption• Encryption algorithm is negotiated at session

setup• Secret keys generated per connection using

another protocol such as Handshake protocol

– Reliability service through keyed message authentication code• Hash algorithm negotiated at session setup• Operates without hash only during session

negotiation

TLS Handshake Protocol• TLS Handshake protocol used by client & server

– Negotiate protocol version, encryption algorithm, key generation method

– Can authenticate each other using public key algorithm– Client & server establish a shared secret– Multiple secure connections can be set up after session

setup• Session specified by following parameters

– Session Identifier: byte sequence selected by server– Peer Certificate: certificate of peer– Compression method: used prior to encryption– Cipher spec: encryption & message authentication

code– Master Secret: 48-byte secret shared by client & server– Is resumable?: flag indicating if new connections can

be initiated

Client Server

ClientHello

TLS Handshake Process

ServerHello

Certificate*

ServerKeyExchange*

ServerHelloDone

Request connectionIncludes:Version #; Time & date;Session ID (if resuming);Ciphersuite (combinationsof key exchange, encryption, MAC, compression)

Send ServerHello if there is acceptable Ciphersuite combination; else, send failure alert & close connection.* Optional messages

Server Certificate

Server part of handshake done

Server part of key exchange:Diffie-Hellman, gx;; RSA, public key

ServerHello includes:Version #; Random number;Session ID ; Ciphersuite & compression selections

Compute shared key

May contain public key

New CipherSpec pending

TLS Record protocol initially specifies no compression or encryption

Client Server

ClientKeyExchange

[ChangeCipherSpec]

Finished

Client’s part of key agreement:Diffie-Hellman gy; RSA, random #s

Change Cipher protocol message notifies server that subsequent records protected under new CipherSpec & keys

Server changes CipherSpec

Hash using new CipherSpec; allows server to verify change in Cipherspec

Handshake Protocol continued

Compute shared key

Verify CipherSpec

Client Server

Application Data

Handshake Protocol completion

[ChangeCipherSpec]

Finished

Notify client that subsequent records protected under new CipherSpec & keys

Client changes CipherSpec

Hash using new CipherSpec; Client verifies new CipherSpec

TLS Record protocol encapsulates application-layer messages• Privacy through secret key cryptography• Reliability through MAC• Fragmentation of application messages into blocks for compression/encryption• Decompression/Decryption/Verification/Reassembly

Client ServerClientHello

TLS Handshake with Client Authentication

ServerHello

Certificate*ServerKeyExchange*

CertificateRequest

ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished

Application Data

[ChangeCipherSpec]

Finished

Server requests certificate if client needs to be authenticated

Client sends suitable certificate

If server finds certificate unacceptable; server can send fatal failure alert message & close connection

Client prepares digital signature based on messages sent using its private key

Server verifies client has private key

IP Security (IPsec).• IPsec defined in RFCs 2401, 2402, 2406

• Provides authentication, integrity, confidentiality, and access control at the IP layer

• Provides a key management protocol to provide automatic key distribution techniques.

• Security service can be provided between a pair of communication nodes, where the node can be a host or a gateway (router or firewall).

• Two protocols & two modes to provide traffic security:- Authentication Header and Encapsulating Security

Payload- Transport mode or tunnel mode

IPsec: Network Layer Security• Network-layer secrecy:

– sending host encrypts the data in IP datagram

– TCP and UDP segments; ICMP and SNMP messages.

• Network-layer authentication– destination host can

authenticate source IP address

• Two principle protocols:– authentication header (AH)

protocol– encapsulation security

payload (ESP) protocol

• For both AH and ESP, source, destination handshake:– create network-layer

logical channel called a security association (SA)

• Each SA unidirectional.• Uniquely determined by:

– security protocol (AH or ESP)

– source IP address– 32-bit connection ID

IPsec Protocol Stack

• IPsec puts the two main protocols in between IP and the other protocols– AH - authentication header- ESP - encapsulating security

payload

• Tunnel vs. transport?• Other function provided by

external protocols and architectures– Key

Management/authentication– Policy

IPsec Protocol Suite

IPsec: Packet Handling

Security Association• A Security Association (SA) is a logical simplex

connection between two network-layer entities• Two SA’s required for bidirectional secure

communication• SA is specified by

– A unique identifier– Security services to be used– Cryptographic algorithms to be used– How shared keys will be established– Other attributes such as lifetime

• SA negotiated before security service begins

Integrity & Authentication Service• Integrity can be ascertained by sending a

cryptographic checksum or hash of message• Authentication also provided if hash covers:

– Shared secret key, sender’s identity & message– Fields that are changed while packet traverses

Internet are set to zero in calculation of hash• To protect against replay attacks, message

should carry a sequence number that is covered by the hash– Receiver accepts a packet only once– Receiver maintains a window of packets it accepts

• Receiver recalculates hash and compares to hash in received packet

Authentication Header (AH) Protocol

• Provides source host authentication, data integrity, but not secrecy.

• AH header inserted between IP header and IP data field.

• Protocol field = 51.• Intermediate routers

process datagrams as usual.

AH header includes:• connection identifier• authentication data: signed

message digest, calculated over original IP datagram, providing source authentication, data integrity.

• Next header field: specifies type of data (TCP, UDP, ICMP, etc.)

ESP Protocol

• Provides secrecy, host authentication, data integrity.

• Data, ESP trailer encrypted.• Next header field is in ESP

trailer.

• ESP authentication field is similar to AH authentication field.

• Protocol = 50.

IPsec: Tunnel vs. Transport mode

• Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.

• Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host—for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.

AH

ESP

Internet Key Exchange (IKE)• Built on of ISAKMP framework• Two phase protocol used to establish

parameters and keys for session– Phase 1: negotiate parameters, authenticate

peers, establish secure channel– Phase 2: Establish a security association (SA)

• The details are unimaginably complex• The SA defines algorithms, keys, and

policy used to secure the session

Gateway-to-Gateway

• Computers A and B have gateways interposed between their internal network and Internet

• Gateway can be a firewall– Controls external access to internal network– Packet filtering according to various header fields

• IP addresses, port numbers, ICMP types, fields within payload

• Secure tunnels can be established between gateways– All internal information including headers can be encrypted

Internet

A B

Remote user to Gateway

• Mobile host needs access to internal network• Gateway must provide user with access while

barring intruders from accessing internal network• May also need to protect identity of mobile user• IP-address of mobile user changes

Internet

Firewall Options• Firewalls can operate at different layers

– IP-layer filtering cannot operate on payload contents

• Circuit-Level Gateways– Direct client-to-server TCP connections not allowed– Relays TCP segments between actual client & actual

server

• Application-Level Gateways or Proxies– Interposed between actual client and actual server– Performs authentication and determines what

features are available to client– Monitors, filters & relays messages