International Spring School on Distributed Systems: METIS’2008 (Architecture, Security & Reliability)
Rabat, 20-23 May 2008
Prof. Gildas Avoine, UCL Belgium
Solutions for Network Security
Introduction
Confidentiality, Integrity, Authentication, Availability.
Is security important, or just a toy for academia?
Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction
Security Incident: A Real Issue
Issues are real and have significant consequences.
Cost (direct, indirect).
Image of the company.
Competitive intelligence.
How to Manage Security
Locksmiths don’t secure a building, architects do.
According to Thucydides: it is not the walls that protect the citadel, but the spirit of its inhabitants.
Attack the weakest link.
Our Focus
We focus on communication security.
Symmetric-key authentication
Public-key authentication
SSL/TLS (public key, many-to-one)
WEP (symmetric key, many-to-one)
Kerberos (symmetric key, many-to-many)
PGP (public key, many-to-many)
Symmetric-Key Auth.
Passwords
One-Time Passwords
Challenge-Response
Identification, Authentication
Identification: we identify a person or entity, that is, we receive the name he agrees to provide.
Authentication: we get a proof that the person we speak with is the right one.
Example: at log-on, we use the username for identification and the password for authentication.
Authentication can be done with the help of:
Something he possesses (token).
Something he is (biometrics).
Something he knows (password, key).
Passwords vs Keys
Password: human-memorizable.
Issue: weak entropy.
Keys: used by computers, not by humans.
Issue: where to store them.
Pwd: Naïve Idea
[Figure: a password file listing each user next to his password in clear, e.g. 123456, abc123, qwerty, …]
All passwords are revealed if the password file is stolen!
Password Storage
Passwords are never stored as such. The risk of theft would be too high.
Instead of passwords, we store a hash, computed with a hash function h that is:
Resistant to first preimage.
Resistant to second preimage.
Resistant to collision.
Ideally behaving like a random oracle.
When logging in, the hashed password is compared with the stored hash.
[Figure: the hash function h maps the message (pwd) to a hash; contrast with encryption E, which maps a plaintext and a key to a ciphertext.]
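As an added example (not from the slides), a minimal password file in Python that stores only a salted, slow hash (PBKDF2) and verifies a login by recomputing it; the salt, the work factor and the constant-time compare go beyond the slide's plain hash. The unsalted_hash helper shows what the plain hash reveals: two users with the same password get the same stored value.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor (constructed value)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash of the password: what the file stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(pwfile: dict, user: str, password: str) -> None:
    """Write salt, work factor and hash; the password itself never reaches the file."""
    salt = os.urandom(16)
    pwfile[user] = (salt, ITERATIONS, hash_password(password, salt))


def login(pwfile: dict, user: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare in constant time."""
    entry = pwfile.get(user)
    if entry is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, iterations, stored = entry
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def unsalted_hash(password: str) -> bytes:
    """The slide's plain hash h(pwd): equal passwords give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def demo() -> dict:
    """Constructed password file with two users sharing the weak password 123456."""
    pwfile = {}
    register(pwfile, "alice", "123456")
    register(pwfile, "bob", "123456")
    return {
        "correct_pwd": login(pwfile, "alice", "123456"),
        "wrong_pwd": login(pwfile, "alice", "12345"),
        "unknown_user": login(pwfile, "carol", "123456"),
        "plain_hash_equal": unsalted_hash("123456") == unsalted_hash("123456"),
        "salted_hash_equal": pwfile["alice"][2] == pwfile["bob"][2],
    }
```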
Implemented Idea
[Figure: the password file lists each user next to the hash of his password, e.g. 123456 is stored as *%-=(++S%dc-z5’0lé.]
Win NT/2000/XP (NT LM Hash)
Win NT/2000/XP uses the NT Lan Manager Hash (aka NT hash).
Passwords can be longer than 14 characters (but compatibility issues arise beyond 14 characters).
Lowercase letters are not converted to uppercase.
The hash function is MD4.
Win 9x Passwords (LM Hash)
Win98/ME uses the Lan Manager Hash (LM hash).
The password is padded to 14 characters with null characters, then cut into two blocks of 7 characters.
Lowercase letters are converted to uppercase.
A separate hash is generated for each 7-char block.
Each 7-byte block is used as a DES key to encrypt an 8-byte constant string:
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25.
LM Hash & NT Hash
By default, LM Hash and NT Hash are both stored on the computer for compatibility reasons.
We can deactivate the creation of the LM hash:
Requires modifying the registry.
Deactivated by default in Windows Vista.
Choosing a password longer than 14 characters deactivates the LM hash.
Cracking a (the) Password(s)
Online Attack
The system is used as an oracle (black box).
Slow.
How to avoid such an attack?
Offline Attack
We recover the passwords offline.
Need to steal the hash file.
How to avoid such an attack?
Storage
The hash file is encrypted, but by default the key can be extracted from the machine.
If the machine is running, we need administrator privileges plus a dedicated tool (pwdump) to extract the hashes (Windows).
If we can boot another OS, we can steal and decrypt the hashes.
Weak Passwords
Distribution of password lengths (source: www.schneier.com):
Length    Percent
13-32     0.93%
12        0.93%
11        2.7%
10        13%
9         17%
8         25%
7         23%
6         15%
5         1.1%
1-4       0.82%
Character classes:
numbers only        1.3%
non-alphanumeric    8.3%
alphanumeric        81%
letters only        9.6%
Dictionary Attacks
Based on common dictionary words.
Including dictionary words that have been altered:
Reversed (e.g., “terces”)
Mixed case (e.g., “SeCreT”)
Character/symbol replacement (e.g., “$ecret”)
Words with vowels removed (e.g., “scrt”)
Numbers concatenated to the word (e.g., “house123”)
Based on common names.
Based on the user/account identifier.
Short (under 6 characters).
Based on keyboard patterns (e.g., “qwerty”).
Composed of a single symbol type (e.g., only letters).
Resemble license plate values.
Weak Passwords
Top-used passwords are (in order):
password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey.
“We used to quip that ‘password’ is the most common password. Now it's ‘password1.’ Who said users haven't learned anything about security?” (Schneier, 2006).
Source: www.schneier.com
Cracking Times
Example passwords: mAI-2On (special characters), MAI2SON (alphanumeric), MAISONT (letters only).
Windows LM Hash, by password length (8 / 7 / 6):
special chars: 100 days / 100 days / 1.2 days
alphanumeric:  5 h / 5 h / 9 m
alpha:         33 m / 33 m / 77 s
Unix (56-bit DES), by password length (8 / 7 / 6):
special chars: 196 years / 1.7 years / 5.7 days
alphanumeric:  630 days / 10 days / 3.9 h
alpha:         14 days / 33 m / 77 s
Some Vulnerabilities
Written-down passwords.
Shoulder surfing.
Social engineering.
Key logger, rootkit.
Eavesdropping the network.
Multi-website passwords.
Audit trails.
Guessing the password (low entropy).
Alternative: One-Time Pwds
A chain of hashes h_1, h_2, …, h_n is generated, where h_{i+1} = h(h_i).
The last element (h_n) is provided to the verifier.
The first element (h_1) is provided to the prover.
To authenticate himself, the prover sends h_{n-1} to the verifier.
Nobody is able to compute h_{n-1} except the prover.
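An added example (not from the slides) of the hash chain above in Python: the verifier keeps only h_n, the prover reveals h_{n-1}, h_{n-2}, … one per login, and a value that has already been seen is rejected. The Prover, Verifier and make_chain names are mine.

```python
import hashlib
import hmac
import secrets


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: bytes) -> list:
    """[h_1, ..., h_n] with h_1 = h(seed) and h_{i+1} = h(h_i)."""
    chain = [h(seed)]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    return chain


class Prover:
    """Holds the whole chain and reveals it backwards, one element per login."""
    def __init__(self, chain: list):
        self.chain = chain
        self.next_index = len(chain) - 2          # h_{n-1} (the list is 0-based)

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted: a new chain must be enrolled")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


class Verifier:
    """Stores only the last accepted element, initially h_n."""
    def __init__(self, h_n: bytes):
        self.last = h_n

    def check(self, pw: bytes) -> bool:
        if hmac.compare_digest(h(pw), self.last):
            self.last = pw                        # the next login must hash to this
            return True
        return False


def demo(n: int = 4) -> tuple:
    """Enrol a chain of length n and play it out (constructed seed)."""
    chain = make_chain(n, secrets.token_bytes(32))
    prover, verifier = Prover(chain), Verifier(chain[-1])
    p1 = prover.next_password()
    first = verifier.check(p1)                    # h(h_{n-1}) == h_n: accepted
    replay = verifier.check(p1)                   # same value again: rejected
    forged = verifier.check(secrets.token_bytes(32))
    rest = [verifier.check(prover.next_password()) for _ in range(n - 2)]
    try:
        prover.next_password()
        exhausted = False
    except RuntimeError:
        exhausted = True
    return first, replay, forged, all(rest), exhausted
```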
Challenge-Response
A challenge sent by the verifier is encrypted by the prover with a secret k.
The secret never transits on the channel.
The password is hashed to generate the key k.
[Figure: Verifier → Prover: c; Prover → Verifier: E_k(c).]
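An added example (not from the slides) of the exchange above in Python, with HMAC-SHA256 standing in for E_k(c) and PBKDF2 as the password hash that produces k; the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """k = hash of the password (PBKDF2-HMAC-SHA256 here); both sides compute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def respond(k: bytes, challenge: bytes) -> bytes:
    """Prover's answer: HMAC stands in for E_k(c); k itself never leaves the prover."""
    return hmac.new(k, challenge, "sha256").digest()


class Verifier:
    """Issues one fresh random challenge at a time and accepts one answer to it."""
    def __init__(self, k: bytes):
        self.k = k
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        ok = hmac.compare_digest(respond(self.k, self.pending), response)
        self.pending = None                     # a challenge is never reused
        return ok


def demo() -> tuple:
    salt = b"constructed-salt"                  # would be stored with the account
    k = derive_key("correct horse battery", salt)
    verifier = Verifier(k)

    c = verifier.challenge()
    r = respond(k, c)                           # what an eavesdropper sees: (c, r)
    honest = verifier.verify(r)

    verifier.challenge()                        # new session, new challenge
    replay = verifier.verify(r)                 # the recorded answer no longer fits

    c3 = verifier.challenge()
    wrong = verifier.verify(respond(derive_key("wrong password", salt), c3))
    return honest, replay, wrong
```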
Public-Key Authentication
Certificate Primer
[Figure: a chain of certificates. A document (“bla bla bla…”) carries a signature by Gildas; Gildas Avoine’s certificate holds his public key and a signature by a trusted party; the Trusted Party’s certificate holds its public key and a signature by a trusted party; the chain ends at the Root Certificate.]
X.509: Certificates in Practice
X.509: standard from the International Telecommunication Union (ITU), released in 1988.
Then IETF RFC 2459 (and updates).
Three required fields:
TBS Certificate (TBS = “To Be Signed”): the useful payload of the certificate (see next slide).
Signature algorithm: identifier for the cryptographic algorithm used by the CA to sign this certificate.
Signature value: signature of the certificate by the CA.
X.509: TBS Certificate
Serial number: unique number assigned by the CA to the certificate.
Issuer field: identifies the entity who has signed and issued the certificate.
Subject: identifies the entity associated with the public key (O: organization, C: country, OU: organizational unit, CN: common name, e.g. DNS name, ST: state, L: city, etc.; no IP address).
Validity: not before, not after.
Subject Public Key Info: the public key and the identifier of the algorithm with which the key is used (e.g., RSA, DSA, or DH).
Etc.
UCL Webmail (screenshot).
Root Certificate Example (screenshot).
Belgian Passport Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
        Validity
            Not Before: Apr 10 00:00:00 2006 GMT
            Not After : Jul 15 23:59:59 2011 GMT
        Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
Modulus (2048 bit):00:8f:9c:2c:f8:05:b5:bd:ed:51:1a:9f:b0:57:6e:86:53:07:46:ac:ab:b6:05:e7:d6:e8:a6:6a:7b:ba:9b:27:aa:8a:9f:80:ec:87:b3:9d:68:b7:29:cb:b1:df:de:5e:48:9e:34:21:9f:97:ea:98:7a:f7:f6:88:1c:ca:a3:b1:3f:b2:d8:36:9a:06:0b:b3:f0:02:20:ce:ff:a9:e2:12:00:b2:1d:71:df:3e:cc:64:83:e2:f9:e8:30:15:a5:62:95:ab:8e:8c:ee:dc:73:9a:9f:58:78:c9:38:fd:ae:7c:71:17:73:c8:64:23:d2:34:99:58:ef:bc:ca:dc:e3:38:39:d4:30:16:c1:8e:52:a9:b0:eb:7f:5f:06:65:02:bc:72:1e:eb:14:40:af:39:20:25:48:cf:2f:8e:1b:4f:2e:d6:fb:49:b7:ab:a3:e5:56:2e:31:a1:30:56:69:dc:4f:b4:d8:49:a4:af:e6:0c:e8:65:df:58:d5:ee:7f:80:02:d5:35:63:2a:14:81:0a:eb:7d:5e:17:f8:63:9a:67:28:b0:b8:f4:39:0b:cb:91:63:4b:e3:14:e0:69:dd:dd:92:26:b2:8b:a4:0c:4d:de:10:b8:96:2b:e7:f1:ac:2e:2f:11:15:bd:13:1d:61:c4:bf:69:24:28:9f:67:dd:b6:49:b5Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
        5d:ed:53:da:14:3d:e2:ab:2d:41:3c:ea:bc:55:3b:78:2a:2c:8e:0b:54:74:af:bd:a9:e1:c5:92:a4:f0:db:a9:0b:7d:0c:96:…
Certification Authorities
Issuers of certificates found on web servers (percent; source: www.securityspace.com):
Verisign                  29.25
GeoTrust (Equifax)        19.56
Thawte                    15.21
Comodo Limited             7.64
Starfield Technologies     2.76
Unknown                    1.85
Entrust.Net                1.61
AddTrust AB                1.51
SomeOrganization           1.22
Chained SSL                0.86
SWsoft Inc                 0.85
Snake Oil Ltd              0.79
Verisign, GeoTrust, and Thawte: same group.
Obtaining a Certificate
1. Each new participant must present himself.
2. The CA (physically) authenticates the participant.
3. It asks the participant to generate a pair of public/private keys.
4. It creates a certificate with the participant’s identity, his public key, an expiry date, etc. and the CA’s signature.
5. It provides a copy of its own public key to the participant.
6. The new participant can communicate with all other participants who share a common “trusted ancestor”.
Public-Key vs Sym-Key
Advantages ?
Drawbacks ?
SSL/TLS
SSL Primer
Client-server communications: random client, corporate server.
Authentication of the server based on a public key.
Trusted third party: certificate authority (CA).
[Figure: the client–server channel and the threats it faces: eavesdropping, fake server, fake client, modifying.]
Secure Sockets Layer (SSL)
The most widely deployed security protocol in the world.
SSL was developed by Netscape to offer secure access to web servers (https).
History
SSL v1.0 never publicly released.
SSL v2.0 released in 1994 (flawed).
SSL v3.0 released in 1996, leads to TLS 1.0 (1999).
Transport Layer Security
TLS is an IETF standard based on SSL v3.0:
Slight modifications compared to SSL v3.0.
TLS v1.0 and SSL v3.0 do not interoperate.
TLS v1.0 sometimes called SSL v3.1.
TLS v1.0 defined in RFC 2246.
Current approved version: TLS v1.1
Released in 2006, RFC 4346.
Fixes a vulnerability discovered by Vaudenay.
Next proposed version: TLS v1.2
Draft expires Sept 2008, may lead to RFC 4492.
SSL in the Layers
Application
SSL
Transport
Network
Data Link
Physical Layer
Applications
Either create a new protocol from an existing protocol:
Examples: HTTP (80) / HTTPS (443), FTP (21) / FTPS (990), SMTP (25) / SMTPS (995), POP3 (110) / POP3S (995), IMAP (143) / IMAPS (993).
Disadvantage: only clients supporting TLS can connect.
Advantage: we are sure that the communications are secure.
Or extend a protocol to negotiate SSL/TLS:
Examples: (E)SMTP, POP3, IMAP, where the client can ask to use TLS with the help of the STARTTLS command.
Advantage: the client is not required to support TLS to use the service.
Example: Web
HTTPS
The use of TLS or not is not negotiable.
Guarantees confidentiality of transmitted data and authenticity (server, possibly client).
The server must have a certificate.
The client can have one (e.g., eBanking).
TLS Layers
Handshake: for initializing a session.
Change Cipher Spec: for setting up the cryptographic algorithms.
Alert: for managing warnings and fatal errors.
Application data: for passing data from an application to the record layer in a transparent manner.
Record layer: processing data.
TLS Record Layer
Processing of data:
Fragmentation
Compression (optional)
Authentication
Encryption
It delivers such processed fragments to the transport layer (TCP).
At the receiving end, the inverse operations are carried out.
Record Layer Summary
[Figure: application data is split into fragments; a MAC is appended to each fragment (Data | MAC); the fragment and its MAC are encrypted; a record HEADER is prepended to each encrypted fragment.]
Encryption
Encryption is performed on compressed and authenticated records.
Block ciphers: DES (40 bits or 56 bits), 3DES, IDEA, RC2 (40 bits). Why a 40-bit key alternative? AES (128 bits or 256 bits) in TLS v1.1.
Stream ciphers: NULL, RC4 (40 bits or 128 bits).
The client should refuse 40-bit keys if such a cipher is suggested by the server (warning enforced in TLS 1.1).
Handshake in Brief
Negotiation of:
The protocol version (SSL 3.0, TLS 1.0, TLS 1.1).
The algorithms:
Key exchange (RSA, Diffie-Hellman).
Encryption (DES, 3DES, IDEA, RC4, RC2, AES).
MAC (HMAC-MD5, HMAC-SHA).
The client proposes the desired algorithms in order of preference, the server chooses.
Optional authentication of the partner using a certificate.
Messages are not encrypted.
Last messages authenticate the exchange.
WEP
Introduction to WLAN
WEP Description
Attacks on WEP (Theory)
Attacks on WEP (Practice)
Infrastructure Mode
Access points connect to the wired network.
Multiple mobile stations per access point.
Full Internet connection for mobile users: university campus, coffee shops, airport lounges.
[Figure: wired network, Access Point (AP), mobile devices.]
Ad Hoc Mode
Wireless stations communicate directly, without a wired network.
On-the-fly networking: impromptu meeting, rescue operations.
LAN set-up is difficult: natural areas.
LAN set-up is dangerous: battlefield.
People are not aware that they launch an ad hoc network, e.g. when searching for networks in a train…
Eavesdropping Range
Typical use inside: ~30 m.
Typical outdoor range with a suited antenna: ~5 km.
Record: 382 km by EsLaRed of Venezuela (2007).
War Driving
Just discovering WiFi networks, no unauthorized access.
To war-drive: laptop, 802.11 card, software, GPS, car.
While you drive: the software listens and builds a map of all WiFi networks found.
Examples: www.wigle.net, www.wardriving.com
Map of WiFi APs.
Source: www.wigle.net
Authentication, Encryption
Authentication: open systems; do not broadcast the AP’s SSID; MAC address filter; WEP; WPA / WPA2.
Encryption: WEP; WPA / WPA2.
Authentication: Open Systems
No authentication at all.
Less and less used? Usually, providers impose authentication by default.
Not the case with Belgacom (observed in 2007).
Public free hot spots without authentication.
Non-free hot spots in hotels, train stations, etc.: high-level authentication (e.g. RADIUS server).
Communities sharing their access, e.g. Communauté Neuf Wifi.
What kind of problem do we face?
Authentication: AP’s SSID
The AP broadcasts its SSID.
Allows clients to dynamically discover the AP.
Can be used to authenticate a client: do not broadcast the SSID, so that the client must know it.
Not secure because the SSID can be eavesdropped when a legitimate client connects to the AP.
Can be used to restrict features, e.g. Club Internet by default (observed in 2007): people pay to activate the wireless feature of their router.
Lack of broadcast can be due to the channel number.
Authentication: AP’s SSID
In practice, sniff the environment with e.g. Kismet, Airodump, Network Stumbler (Windows), etc.
[Screenshot: Kismet in a Linux shell.]
Authentication: MAC Address
The router has a list of authorized MAC addresses.
The router checks the MAC address of the station trying to connect to the network.
An attacker can read the MAC address of a legitimate wireless station and replace his own MAC address with the stolen one.
Authentication: MAC Address
[Screenshot: MAC addresses of the devices connected to the AP.]
WEP Features
Authentication (“shared key” user authentication).
Confidentiality (RC4 stream cipher encryption).
Integrity checking (CRC-32 integrity mechanism).
No key management.
No protection against replay attacks.
Authentication + Enc: WEP
WEP = Wired Equivalent Privacy.
Part of the 802.11 standard (1999).
The stated goal of WEP is to make a wireless LAN as secure as a wired LAN.
According to Tanenbaum: “The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.”
No Key Management
No key management in WEP: every wireless station and AP has the same "preshared" key that is used during authentication and encryption.
This key is distributed manually.
[Figure: the AP and every station hold the same Key A.]
No Key Management
In practice:
The key is loaded into the device by hand when it is set up.
Often kept at the manufacturer’s default, printed under the router, in the user guide, etc.
Never updated again.
Same key for everybody: in a large network, users may wish to have independent secure connections. Just a single non-honest WLAN user can break the security.
Static key: since it is relatively easy to crack WEP encryption in a reasonably short time (see next slides), the keys should be changed often, but the preshared key concept does not support this.
Belgacom’s default WEP keys… (64 bits)
Replay Attacks
The adversary can “replay” a packet she has already seen.
Solutions?
Integrity
Integrity is ensured using a CRC.
A CRC does not provide a cryptographic integrity check: it is designed to detect random errors, not intelligent changes.
In WEP, the message is concatenated with its CRC, then encrypted.
The encrypted message can be modified such that it is still valid after decryption.
WEP Authentication
[Figure: shared-key authentication exchange between the station and the AP.]
1. Station → AP: authentication request (MAC address).
2. AP → Station: challenge (128 bytes).
3. Station → AP: response (challenge encrypted with WEP).
4. AP → Station: status code.
Authentication is successful if WEP decryption of the response gives the original challenge text.
Stream Cipher
[Figure: the stream cipher expands the secret key into a keystream; the ciphertext is the plaintext XORed with the keystream.]
RC4 for WEP Encryption
[Figure: the IV (24 bits) is prepended to the secret key (40 bits) and fed to RC4, which outputs the keystream; the plaintext followed by its checksum is XORed with the keystream to give the ciphertext; the IV is transmitted in clear with the ciphertext.]
RC4: A Well-known Stream Cipher
Designed by Ron Rivest (MIT) in 1987 for RSA Labs.
Kept as a trade secret until 1994: publicly disclosed in Sept. 1994 on the Cypherpunks mailing list.
Byte-oriented: generates one keystream byte per step.
Efficient in software (compared to LFSRs and block ciphers): encryption in software is about 10 times faster than DES.
Simple and elegant.
Widely used: commercial software such as MS Office and Oracle Secure SQL; network protocols such as SSL, IPsec, WEP; copy protection inside the MS Xbox.
Attacks on RC4
Like all other stream ciphers, it has not been under the spotlight as much as block ciphers.
Theoretical attacks. Weak keys. To be used carefully:
Drop the first bytes of keystream (e.g. the first 768 bytes) to avoid some attacks…
Do not encrypt too long a stream, to avoid other attacks…
If plaintext and ciphertext are known, then the keystream is known.
No problem if the keystream is not reused.
If the keystream is reused, it is at least as bad as reusing a one-time pad.
#1 Known-Plaintext Attack
WEP uses a 24-bit (3-byte) IV.
Each packet gets a new IV.
RC4 packet key: the IV prepended to the long-term key K.
If the long-term key and the IV are the same, then the same keystream is used.
There is a 50% chance of key reuse after 2^12 packets (birthday paradox).
#1 Known-Plaintext Attack
The keystream leaks under a known-plaintext attack.
Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P.
Let Z = RC4(K, IV) be the RC4 keystream.
Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z.
This is not a problem ... unless the keystream is reused!
#2 CRC Property
CRC is a linear function with respect to XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y).
The attacker observes (M | CRC(M)) ⊕ K, where K is the keystream output.
For any ∆M, the attacker can compute CRC(∆M). Hence, the attacker can compute:
([M | CRC(M)] ⊕ K) ⊕ [∆M | CRC(∆M)]
= ([M ⊕ ∆M] | [CRC(M) ⊕ CRC(∆M)]) ⊕ K
= [M ⊕ ∆M | CRC(M ⊕ ∆M)] ⊕ K
Example: modify an IP address.
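An added example (not from the slides) that runs weaknesses #1 and #2 on a constructed WEP-like frame in Python. A SHA-256 counter-mode keystream stands in for RC4, since both weaknesses depend only on XOR and CRC-32; crc_delta carries the correction that the standard CRC-32 (as computed by zlib, with initial value and final XOR) needs on top of the slide's pure form CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y), and the HMAC at the end shows what a keyed integrity check would do with the same modification.

```python
import hashlib
import hmac
import os
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for RC4(IV || key): SHA-256 in counter mode (constructed, not RC4)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Frame = IV in clear || (M | CRC(M)) XOR keystream."""
    body = msg + crc32(msg)
    return iv + xor(body, keystream(key, iv, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns M if the CRC checks out after decryption, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, keystream(key, iv, len(body)))
    msg, tag = plain[:-4], plain[-4:]
    return msg if crc32(msg) == tag else None


# Weakness #1: known plaintext gives Z = P XOR C; a second frame under the same IV
# reuses Z, so it can be read without the key.
def recover_keystream(frame: bytes, known_msg: bytes) -> bytes:
    return xor(frame[3:], known_msg + crc32(known_msg))


def read_with_keystream(frame: bytes, z: bytes) -> bytes:
    return xor(frame[3:], z)[:-4]


# Weakness #2: CRC is linear under XOR, so the CRC inside the ciphertext can be
# corrected to match a change dM without knowing the key.  The standard CRC-32
# (init 0xFFFFFFFF, final XOR) is affine rather than linear, so the slide's
# CRC(M ^ dM) = CRC(M) ^ CRC(dM) needs one extra term: the CRC of a zero string
# of the same length.
def crc_delta(delta: bytes) -> bytes:
    return xor(crc32(delta), crc32(bytes(len(delta))))


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """delta has the length of M; turns M into M ^ delta and keeps the CRC valid."""
    return frame[:3] + xor(frame[3:], delta + crc_delta(delta))


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """A real integrity check is keyed, so no delta can be compensated for."""
    return hmac.new(key, msg, "sha256").digest()


def demo() -> dict:
    key = os.urandom(5)                        # 40-bit WEP key (constructed)
    iv = b"\x01\x02\x03"                       # the same IV used twice
    known = b"GET /index.html "                # 16 bytes, guessable plaintext
    secret = b"secret-cookie=42"               # 16 bytes, unknown plaintext
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)
    z = recover_keystream(f1, known)
    leaked = read_with_keystream(f2, z)

    delta = bytes(14) + bytes([ord("4") ^ ord("9"), ord("2") ^ ord("9")])
    forged = wep_decrypt(key, flip_bits(f2, delta))   # "42" -> "99", CRC still valid

    tag = mac_tag(key, secret)
    mac_detects = not hmac.compare_digest(mac_tag(key, forged), tag)
    return {"leaked": leaked, "forged": forged, "mac_detects": mac_detects}
```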
#3 Statistical Cryptanalysis
Fluhrer, Mantin, and Shamir (FMS), 2001: two years only after WEP was published.
Some IVs are weak, i.e., they allow one to guess some internal states, leading to the key.
The IV and the first byte of plaintext/ciphertext must be known:
The IV is sent in the clear.
The ciphertext is eavesdropped.
The first bytes of ARP or TCP are fixed or can be easily guessed.
4 million IVs to recover a 128-bit key.
The number of IVs is linear in the key length (vs exponential).
The key is revealed byte after byte (sequentially).
#3 Statistical Cryptanalysis
Korek, 2004: proposed 17 attacks based on FMS; new classes of weak IVs; 1 million IVs; 2 bytes must be observable.
Tews, Weinmann, Pyshkin (PTW), 2007: still new classes; 80,000 IVs; more bytes must be observable; variant by Vaudenay/Vuagnoux (32,000 IVs); key bytes are no longer necessarily guessed sequentially.
WEP Cryptanalytic Attack
WEP data is encrypted using RC4.
The packet key is the IV and the long-term key K: the 3-byte IV is prepended to K, so the packet key is (IV, K).
The IV is sent in the clear (not secret). A new IV is sent with every packet. The long-term key K is never changed.
Assume Trudy (the attacker) knows the IVs and the ciphertext, and can guess the first bytes of the plaintext. Trudy wants to find the key K.
WEP Cryptanalytic Attack
The 3-byte IV is prepended to the key.
We denote the RC4 key bytes K0, K1, K2, K3, K4, K5, … where IV = (K0, K1, K2), which Trudy knows. Trudy wants to find K3, K4, K5, …
Attack due to Fluhrer, Mantin, and Shamir: Trudy watches IVs until she sees a 3-byte IV of the form IV = (K0, K1, K2) = (3, 255, X), where X can be anything. Then the RC4 key for this packet is key = (3, 255, X, K3, K4, K5, …).
RC4 Steps
KSA (Key-Scheduling Algorithm): initialization, then scrambling.
PRGA (Pseudo-Random Generation Algorithm).
WEP Cryptanalysis
Initialization // N = 256
  For i = 0 To N-1
    S_i = i
Scrambling
  j = 0
  For i = 0 To N-1
    j = (j + S_i + K_i) mod N
    Swap(S_i, S_j)
Key bytes: i = 0, 1, 2, 3, 4 → K_i = 3, 255, X, K3, K4
i=0: j = 0 + S_0 + K_0 = 0 + 0 + 3 = 3
i=1: j = 3 + S_1 + K_1 = 3 + 1 + 255 = 3 [mod N]
i=2: j = 3 + S_2 + K_2 = 3 + 2 + X = 5+X
i=3: j = (5+X) + S_3 + K_3 = (5+X) + 1 + K3 = 6+X+K3
State S after each step (columns: S_0 S_1 S_2 S_3 S_4 … S_{5+X} … S_{6+X+K3} …):
init:  0  1  2    3        4 … 5+X … 6+X+K3 …
i=0:   3  1  2    0        4 … 5+X … 6+X+K3 …
i=1:   3  0  2    1        4 … 5+X … 6+X+K3 …
i=2:   3  0  5+X  1        4 … 2   … 6+X+K3 …
i=3:   3  0  5+X  6+X+K3   4 … 2   … 1      …
WEP Cryptanalytic Attack
Assumption: 6+X+K3 > 5+X (mod N). Otherwise 6+X+K3 will be to the left of 5+X in the table.
Up to now, we have only considered the first 4 steps of initialization, i = 0, 1, 2, 3. In reality, there are 256 steps.
For now, assume that initialization stops after i = 3. Then the first keystream byte output is:
PRGA // init i = j = 0
  i = (i + 1) mod N = 1
  j = (j + S_i) mod N = S_1 = 0
  Swap(S_i, S_j) → Swap(S_1, S_0)
  Output S_{(S_i + S_j) mod N} → Output S_3 = 6+X+K3
WEP Cryptanalytic Attack
Note: keystreamByte = 6+X+K3.
If keystreamByte is known, we can solve for K3, since K3 = (keystreamByte − 6 − X) mod N.
But initialization does not stop at i = 3. So can this “attack” really work?
If the elements at positions 0, 1 and 3 are not swapped in the remaining initialization steps, the attack works.
WEP Cryptanalytic Attack
Can Trudy really recover the key? If she sees enough IVs, she gets K3.
Suppose Trudy has found K3. Then how to find K4?
Consider IVs of the form IV = (4, 255, X). Then after initialization step i = 4, one could show that keystreamByte = S_4 = 10+X+K3+K4. And so on…
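An added example (not from the slides) that checks the derivation above in Python: the RC4 KSA is run for the four steps i = 0..3 with IV = (3, 255, X) to reproduce the last row of the table and the first PRGA output 6+X+K3, then for all 256 steps over random keys to measure how often positions 0, 1 and 3 survive the remaining steps (the roughly 5% the slide's question turns on). The function names and the trial count are mine.

```python
import random

N = 256


def ksa(key: list, steps: int = N) -> list:
    """RC4 key scheduling exactly as on the slides; steps < N stops it early."""
    S = list(range(N))                        # initialization: S_i = i
    j = 0
    for i in range(steps):                    # scrambling
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def first_keystream_byte(S: list) -> int:
    """One PRGA step from i = j = 0; does not modify the caller's state."""
    S = S.copy()
    i = 1                                     # (0 + 1) mod N
    j = S[i]                                  # (0 + S_1) mod N
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def predicted_byte(X: int, K3: int) -> int:
    """The slides' result: 6 + X + K3 (mod N)."""
    return (6 + X + K3) % N


def table_row_i3(X: int, K3: int) -> tuple:
    """S_0..S_3 after steps i = 0..3 for key (3, 255, X, K3): the slides' last row."""
    S = ksa([3, 255, X, K3], steps=4)
    return S[0], S[1], S[2], S[3]


def truncated_attack_works(X: int, K3: int) -> bool:
    """With initialization stopped after i = 3 the first byte is 6+X+K3, for X, K3
    that do not send 5+X or 6+X+K3 (mod N) onto positions 0..3."""
    return first_keystream_byte(ksa([3, 255, X, K3], steps=4)) == predicted_byte(X, K3)


def resolved_fraction(trials: int = 4000, seed: int = 1) -> float:
    """Full 256-step KSA on random keys (3, 255, X, K3, ...): the fraction of
    packets whose first byte still equals 6+X+K3.  Positions 0, 1 and 3 survive
    the remaining 252 steps with probability about (1 - 3/256)^252, i.e. roughly
    5%, plus chance hits of 1/256 when they do not."""
    rng = random.Random(seed)                 # seeded so the result is repeatable
    hits = 0
    for _ in range(trials):
        X = rng.randrange(N)
        key = [3, 255, X] + [rng.randrange(N) for _ in range(5)]   # 40-bit secret
        if first_keystream_byte(ksa(key)) == predicted_byte(X, key[3]):
            hits += 1
    return hits / trials
```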
Attack Summary in Practice
Client IP discovery phase (flooding).
Sniffing IVs and keystreams.
Key cracking.
Downloadable Tools
AirCrack-ng: http://www.aircrack-ng.org. Implements Korek, PTW (needs ARP flooding). Available e.g. in BackTrack.
WepCrack: http://sourceforge.net/projects/wepcrack/. “WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.” Last version: Oct 2004.
AirSnort: http://airsnort.shmoo.com/. Last update: 2005. Implements Korek’s attacks.
Kerberos
Many-to-Many Authentication
How do users prove their identities when requesting services from servers on the network?
Solution: every server knows every user’s password.
Insecure: breaking into one server may compromise all users.
Inefficient: passwords must be changed on every server.
Not convenient: passwords must be typed for each request.
[Figure: many users, many servers.]
Server-Aided Authentication
[Figure: users, trusted third party, servers.]
1. The user proves his identity and requests a credential.
2. The trusted third party provides a credential to the user.
3. The credential is supplied to get the expected service.
The credential, aka ticket, is an identity proof but does not necessarily give the ability to use a given service.
Server-Aided Authentication
Hypotheses:
There is an online (trusted) authentication server (AS).
The AS shares KC with client C.
The AS shares KS with server S.
Goal: to help C and S share a session key K.
Very Weak Example
[Figure (source: Vaudenay’s lecture notes, EPFL, 2005); labels: identity of the client, identity of the server.]
The client can give the server’s key to other clients.
Weak Example
[Figure (source: Vaudenay’s lecture notes, EPFL, 2005).]
An attacker can replace Ic by IA.
A solution consists in not revealing the server’s key: the AS itself encrypts the session key K with the server’s key (“sealed envelope”).
Still Weak Example
[Figure (source: Vaudenay’s lecture notes, EPFL, 2005).]
Replay attack by impersonating the AS if K is compromised, due to careless users: no means to be sure that K is fresh.
Needham-Schroeder (1978)
[Figure (source: Vaudenay’s lecture notes, EPFL, 2005).]
Replay attack by impersonating C if K is compromised, due to careless users: no means to be sure that K is fresh.
Kerberos V
The name Kerberos comes from Greek mythology: it is the three-headed dog that guarded the entrance of Hades.
Created at MIT, free of charge.
Kerberos 4 (1988), obsolete.
Kerberos 5 (1993), RFC 1510, then RFC 4120 (2005).
Deployed initially on Unix systems; used in many commercial products, e.g. Windows from 2000.
Based on symmetric-key cryptography.
Kerberos V
Once you have logged into a workstation after authentication, you can access remote resources without any further input of username and password.
The Kerberos software on the workstation completes the authentication automatically on your behalf.
Kerberos Elements
Client C.
Authentication server AS, a.k.a. KDC (key distribution center).
Ticket granting server TGS.
Server S which the client wants to access.
[Figure: messages between C, AS, TGS and S.]
1. Request a Ticket Granting Ticket.
2. Provide a Ticket Granting Ticket.
3. Request a Ticket for a given service.
4. Provide a Ticket for a given service.
5. Forward the Ticket.
6. Provide a service.
Tickets
To access a service, the client must have a ticket for that service.
The user can get this ticket from the Ticket Granting Server (TGS).
The service ticket confirms that the user can access the service.
The Ticket Granting Ticket (TGT) only confirms the identity of the user.
The client shows a ticket + an authenticator.
Tickets, Authenticators
The ticket contains:
Ic: the client’s identity.
v: validity period.
Kc,s: symmetric session key to be used between the client and the server.
Others: flags, IP address, etc.
It is encrypted with the key of the server, Ks.
The authenticator is just the client’s identity and a timestamp, encrypted with the session key.
Between C and AS
To start, the user must authenticate at the AS to have access to the TGS.
C sends his name and the name of the TGS he wants to access to the AS.
The AS replies with a Ticket Granting Ticket encrypted with the TGS’s key and a session key encrypted with C’s key.
(1) C → AS: Ic, Itgs, N
(2) AS → C: {Itgs, N, Kc,tgs}Kc, {Ic, v, Kc,tgs}Ktgs
User & Service AuthenticationThe user types his username and password on his machine.
The client applies a one-way function (in practice a hash function) on the password in order to get the cryptographic key Kc.
Server’s keys are random bit-strings.
[Figure: messages 3 and 4 between C and TGS]
Between C and TGS
The client sends the ticket as well as an authenticator to the TGS.
The ticket contains the session key Kc,tgs.
The TGS uses the session key to verify the authenticator.
The TGS knows whether C is authorized to access the server S.
The TGS delivers a ticket to access the service.
(3) Is, N', {Ic, v, Kc,tgs}Ktgs, {Ic, t}Kc,tgs
(4) {Is, N', Kc,s}Kc,tgs, {Ic, v, Kc,s}Ks
Between C and S
[Figure: messages 5 and 6 between C and S]
The service ticket again contains the client's identity, his IP address, a validity period and the session key to be used between the client and server.
The client has also received a copy of the session key, encrypted with the previous session key.
He sends an authenticator and the ticket to the server.
(5) {Ic, v, Kc,s}Ks, {Ic, t}Kc,s
(6) {t+1}Kc,s
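The six messages of the three exchanges above, run end to end as an added example (this is not code from the slides): a Python simulation in which AS, TGS and S are functions sharing long-term keys with the client. The {X}K notation is implemented with a toy HMAC-based authenticated encryption, and the password, the ACL, the 8-hour validity period and the 5-minute clock skew are assumptions.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption for the slides' {X}K notation (HMAC-SHA256 keystream + tag); constructed, not a real cipher.
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def enc(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator")
    return json.loads(_xor(key, nonce, ct))
# Long-term keys: Kc is a one-way function of the user's password, server keys are random bit-strings (constructed).
Kc = hashlib.sha256(b"correct horse battery staple").digest()
Ktgs, Ks = os.urandom(32), os.urandom(32)
ACL = {"S": {"alice"}}                 # constructed: which clients the TGS authorizes for which server
def ticket(key, Ic, k):                # {Ic, v, K}key with an 8-hour validity period v
    return enc(key, {"Ic": Ic, "v": time.time() + 8 * 3600, "K": k.hex()})
def AS(Ic, Itgs, N):                   # (1) Ic, Itgs, N  ->  (2) {Itgs,N,Kc,tgs}Kc, {Ic,v,Kc,tgs}Ktgs
    k = os.urandom(32)
    return enc(Kc, {"Itgs": Itgs, "N": N, "K": k.hex()}), ticket(Ktgs, Ic, k)
def check(key, tkt, auth):             # open a ticket, then verify the authenticator with its session key
    t = dec(key, tkt)
    k = bytes.fromhex(t["K"])
    a = dec(k, auth)                   # only the ticket's owner knows this session key
    if t["v"] < time.time() or a["Ic"] != t["Ic"] or abs(a["t"] - time.time()) > 300:
        raise ValueError("expired ticket or bad authenticator")
    return t["Ic"], k, a["t"]
def TGS(Is, N2, tgt, auth):            # (3) Is, N', TGT, {Ic,t}Kc,tgs  ->  (4) {Is,N',Kc,s}Kc,tgs, {Ic,v,Kc,s}Ks
    Ic, Kc_tgs, _ = check(Ktgs, tgt, auth)
    if Ic not in ACL.get(Is, ()):
        raise PermissionError(f"{Ic} is not authorized to access {Is}")
    k = os.urandom(32)
    return enc(Kc_tgs, {"Is": Is, "N": N2, "K": k.hex()}), ticket(Ks, Ic, k)
def S(st, auth):                       # (5) ST, {Ic,t}Kc,s  ->  (6) {t+1}Kc,s proves S knows Kc,s
    _, Kc_s, t = check(Ks, st, auth)
    return enc(Kc_s, {"t": t + 1})

def client_login(Ic="alice", Is="S"):  # the client side of messages (1) to (6)
    N, N2 = os.urandom(8).hex(), os.urandom(8).hex()
    m2, tgt = AS(Ic, "TGS", N)                              # the password is used only here
    r = dec(Kc, m2); assert r["N"] == N and r["Itgs"] == "TGS"
    Kc_tgs = bytes.fromhex(r["K"])
    m4, st = TGS(Is, N2, tgt, enc(Kc_tgs, {"Ic": Ic, "t": int(time.time())}))
    r = dec(Kc_tgs, m4); assert r["N"] == N2 and r["Is"] == Is
    Kc_s, t = bytes.fromhex(r["K"]), int(time.time())
    return dec(Kc_s, S(st, enc(Kc_s, {"Ic": Ic, "t": t})))["t"] == t + 1
```

The AS, TGS and S hold no per-client state: everything they need arrives inside the ticket, which is the stateless-server property noted in the Discussion slide.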
Discussion
It is the client's responsibility to store his authentication data (the tickets); the servers are stateless.
The authentication server is accessed only once during the ticket validity (typically 8 hours).
Clients can access services with their tickets even if the authentication server is down.
Once a client is authenticated, his ticket cannot be revoked.
Ski Pass Analogy
The developers of Kerberos propose an analogy between Kerberos and a ski package.
You get a three-day ski pass (TGT) from your travel agency against a proof of identity (and money…).
The three-day ski pass (TGT) can then be used at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket (ST) for that resort.
Once you have the lift ticket (ST), you can ski all you want at that resort (until it expires).
If you go to another resort later, you once again show the three-day ski pass (TGT), and you get another lift ticket (ST) for the new resort.
S/MIME
Certificates
S/MIME.
Hierarchical.
Users trust a certification authority.
PGP.
Peer-to-peer.
Users trust some other users.
One or several identities (names, e-mail addresses).
One or several signatures per identity.
Mime
Mime (Multipurpose Internet Mail Extensions) is a standard used to represent any object in e-mails or other electronic documents (e.g. HTTP replies).
A Mime document contains at least the following two headers:
Mime-version.
Content-type.
text/plain
text/html
image/gif
video/mpeg
multipart/mixed
etc.
S/Mime Basics
S/Mime was proposed by RSA Security in 1997; it is now maintained by the IETF.
S/Mime adds digital signature and encryption to Mime messages.
S/Mime exclusively uses X.509 certificates, signed by a certification authority (chain of trust).
Thus, before using S/Mime we have to obtain a certificate from a CA.
S/MIME: Principles
Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be for [email protected]; Wed, 30 Apr 2008 01:04:21 +0200 (CEST)
Received: from [192.168.1.2] (45.66-136-217.adsl-dyn.isp.belgacom.be [217.136.66.45]) by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for <[email protected]>; Wed, 30 Apr 2008 01:04:29 +0200 (CEST)
Date: Wed, 30 Apr 2008 01:04:14 +0200
From: avoine <[email protected]>
Subject: test
To: [email protected]: <[email protected]>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms070301020000070200060202
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)

This is a cryptographically signed message in MIME format.
--------------ms070301020000070200060202
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello World!
S/MIME: Principles
--------------ms070301020000070200060202
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
(base64-encoded smime.p7s signature omitted)
--------------ms070301020000070200060202--
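How a verifying mail client takes a multipart/signed message like the one above apart, as an added example (not code from the slides): it uses Python's standard email package on a constructed message with the same structure, where the smime.p7s body is a placeholder rather than a real signature. It shows which bytes the detached signature covers and how micalg names the hash; the PKCS#7 verification itself is left out.

```python
import email, hashlib
from email import policy

# Constructed multipart/signed message with the same layout as the slide's Thunderbird
# example. The base64 body of smime.p7s ("AAAA") is a placeholder, not a real signature.
RAW = b"""MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
 micalg=sha1; boundary="sig-boundary"
From: sender <sender@example.invalid>
Subject: test

This is a cryptographically signed message in MIME format.
--sig-boundary
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello World!
--sig-boundary
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

AAAA
--sig-boundary--
"""

def split_signed(raw):
    """Take a multipart/signed message apart the way a verifying client does.
    Returns (micalg, bytes that were signed, detached signature bytes, hex digest)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    body, sig = msg.get_payload()          # RFC 1847: exactly two body parts
    if sig.get_content_type() != msg.get_param("protocol"):
        raise ValueError("second part is not the declared signature type")
    micalg = msg.get_param("micalg")
    # The signature covers the first part as transmitted, headers included,
    # in canonical CRLF form; micalg names the hash the signer used over it.
    signed = body.as_bytes(policy=policy.SMTP)
    digest = hashlib.new({"sha1": "sha1", "sha-256": "sha256"}[micalg], signed).hexdigest()
    return micalg, signed, sig.get_payload(decode=True), digest
```

Any change to the headers or body of the first part, even re-wrapping a line, changes the signed bytes and therefore the digest, which is why mail gateways that rewrite messages break S/MIME signatures.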
S/MIME: Principles
Hybrid encryption.
What does this mean?
One recipient.
Several recipients.
PGP
Basics
Public-Key Validity
Key Distribution
Key Revocation
PGP History 1/
PGP = Pretty Good Privacy. Several flavors: PGP, PGPi, GPG.
PGP.
Published by Philip Zimmermann in 1991.
Portable software initially containing classical algorithms MD5, IDEA, RSA.
First software allowing anybody to completely protect their documents and messages.
3 years of enquiry and harassment by the American government:
Patented algorithms (RSA patented in the US until 2000).
Suspicion of violating export regulations.
PGP History 2/
1997:
Sale of PGP Inc. to McAfee (Network Associates).
Code no longer public.
During the 39th IETF meeting at Munich, Zimmermann and Callas requested the IETF to set up a working group on the standardization of PGP (OpenPGP [RFC1991, Aug 96], [RFC2440, Nov 98], [RFC4880, Nov 07]).
Richard Stallman, at the Individual-Network Betriebstagung at Aachen, asked European hackers to implement public-key software (US citizens were not allowed to do so outside the US).
2001:
Zimmermann leaves Network Associates.
Network Associates abandons PGP.
PGP History 3/
2002:
PGP Corporation is created, buys back PGP rights.
Code is again public.
Free vs Trial download.
Basic functionalities remain available after 30 days.
But not the additional functionalities, e.g. disk encryption.
Complete system compliant with OpenPGP.
www.pgp.com
Current version: 9.8
PGP History 4/
PGPi
Developed by Ståle S. Ytteborg (Norway) to counter the US export regulations.
Maintained from 1997 to 2000.
Obtained from the printed source code of PGP.
MIT Press thus published a book with the PGP source code.
www.pgpi.org
PGP History 5/
GPG
GPG = GnuPG = GNU Privacy Guard.
GnuPG is the GNU GPL version of PGP. Initially, it used Elgamal and Blowfish instead of RSA and IDEA.
Follows the OpenPGP standard.
Version 0.0.0 released in December 1997.
Initially called G10.
www.gnupg.org
Current version: 2.0
GUI frontends:
http://www.gnupg.org/related_software/frontends.en.html
"Das Briefgeheimnis sowie das Post- und Fernmeldegeheimnis sind unverletzlich." Grundgesetz, Artikel 10, Abs. 1.
Secrecy of letters as well as sanctity of mail, telephone and telegraph are inviolable. Basic Law, Article 10, Paragraph 1.
PGP Specialties
Encryption / Signature.
Key management.
What is called a PGP key is actually a PGP certificate.
Web of trust.
Signed Message Example
Symmetric Encryption [RFC4880]
TDES [Mandatory]
Slow. Considered to be secure.
IDEA
Still patented until 2010. Seems to be secure; it has resisted all cryptanalysis for 17 years…
CAST5 (128-bit key) [should implement CAST5]
Less studied than the other algorithms.
Blowfish (128-bit key)
Less studied than the other algorithms.
Twofish (256-bit key) (one of the five AES contest finalists)
Rather new.
AES (128/192/256-bit key) [should implement AES128]
THE standard since 2000.
All of them seem to be secure.
Public-Key [RFC4880]
Encryption
RSA
Elgamal [Mandatory] (randomized encryption)
Signature
RSA
DSA [Mandatory]
Elgamal is no longer recommended for signature.
Attack by Phong Nguyen (2003) when Elgamal keys are used for both encryption and signature.
The flaw was exploitable for 4 years…
Hash Functions [RFC4880]
MD5
Deprecated.
SHA-1 [Mandatory]
Its use should be avoided.
SHA-224/256/384/512
Seem OK.
RIPEMD-160
Seems OK.
Tiger
Seems OK.
Protection of the Private Key
The private key cannot be memorized by the user. How can we protect our private key?
It is stored on the hard disk.
Encrypted with a key derived from a password (no means to access it without the user's collaboration). The password is hashed to generate a symmetric key.
Once decrypted, it is in the computer's memory (dangerous).
It may be stored on a smart card.
Access to the card is protected by a password.
The key never leaves the card; it is the data that transits through the card to get encrypted, decrypted or signed.
The passphrase must be as strong as the key (i.e., same entropy at least).
Key Size [Lenstra, Verheul, 01]
public key (bits)   symmetric key (bits)
3072                99
2048                87
1536                80
1024                71
What should be the minimum passphrase length (in chars) to protect a 1024-bit RSA private key?
Public Key Validity
How can we be sure that the key we use to encrypt a message is the correct one?
Directory.
Who put the key into the directory?
Fake identity associated to the key?
Is the directory a legitimate one?
Face to face: check the ID, check the hash of the key, sign the key (why?).
Certificates.
Validity and Trust in PGP
Two important notions in PGP.
Validity: I know that this key belongs to Bob.
Trust: I know that Bob does not sign keys arbitrarily.
When we sign a key, we declare its validity.
Validity and Trust in PGP
We can also declare a full or partial trust.
A key is valid if the sum of the partial trusts of its valid signatures is at least 1.
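The validity rule above, together with the validity/trust distinction of the previous slide, worked through as an added example (not code from the slides): a Python fixpoint computation over a constructed web of trust seen from Alice's keyring. The value 1/2 for partial trust and the keyring contents are assumptions; the slides only speak of full or partial trust.

```python
from fractions import Fraction

# Trust Alice places in each key owner as an introducer: full = 1, partial = 1/2.
# The 1/2 value is an assumption for this example. Alice's own key is valid by definition.
FULL, PARTIAL = Fraction(1), Fraction(1, 2)

def valid_keys(trust, signatures, own_keys):
    """Return the set of valid keys. A key is valid if it is one of our own, or if
    the trust values of the owners of its *valid* signatures sum to at least 1.
    Signatures made with a key that is not itself valid count for nothing, so the
    rule is applied repeatedly until no new key becomes valid (a fixpoint)."""
    valid = set(own_keys)
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            score = sum(trust.get(s, 0) for s in signers if s in valid)
            if score >= 1:
                valid.add(key)
                changed = True
    return valid

# Constructed web of trust as seen from Alice's keyring.
TRUST = {"alice": FULL, "bob": FULL, "carol": PARTIAL, "dave": PARTIAL}
SIGNATURES = {                  # key -> owners of the keys that signed it
    "bob": {"alice"},           # Alice checked Bob's ID and key fingerprint herself
    "carol": {"alice"},
    "dave": {"bob"},            # valid through Bob, whom Alice fully trusts
    "erin": {"carol", "dave"},  # two partial introducers add up to 1
    "frank": {"carol"},         # a single partial signature is not enough
    "grace": {"zed"},           # Zed's key is not valid, so his signature counts 0
    "hank": {"erin"},           # Erin's key is valid, but Alice has no trust in Erin
}

if __name__ == "__main__":
    print(sorted(valid_keys(TRUST, SIGNATURES, {"alice"})))
```

Hank's case is the one worth remembering: validity (Alice is sure Erin's key is Erin's) says nothing about trust (whether Erin checks identities before signing).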
Key Publication
Several PGP key servers exist across the world.
http://pgp.mit.edu/
They contain all keys of all PGP users that want to publish their key.
If Alice is sure that the key associated to Clara belongs to Clara, she can sign Clara’s key and re-submit it to the servers.
If Eddy trusts Alice, he can accept Clara’s key.
Key Revocation
How can we revoke a key published on a server?
Servers are replicated: withdrawing a key is useless because another server will duplicate it again.
How can we prove that we are allowed to revoke a key if we lost it?
We generate a key revocation certificate when we generate the key. The confidentiality of this certificate is not a major issue.
We put a validity deadline on the key when we generate it.
Cryptographic Key Summary
Which keys are involved when Alice sends an encrypted/signed message to Bob?
Conclusion
Conclusion
Symmetric-key crypto or public-key crypto.
One key / one service.
Avoid using the key directly.
Session key (forward secrecy).
Key generation (who, how, e.g. issues in PRNGs).
Key distribution.
Identify the trusted parties.
Revocation of the public keys.
More generally, think about how to react to an attack.
Check the weak link (cf. PGP).