Internet & Web Security

Institute for Visualization and Perception ResearchI VPR 1

© Copyright 1998 Haim Levkowitz

Internet & Web Security



Overview

• Encryption and authentication ...

• Communication and data-sharing applications ...

• Web security and firewalls ...



Encryption and authentication ...

• Foundations of Internet security

• Data confidentiality and integrity

• Authentication

• Example systems



Communication and data-sharing applications ...

• Mail and news

• Virtual terminal services

• File sharing

• Example systems



Web security and firewalls ...

• WWW security

• Network security issues

• SATAN

• Useful tools



Foundations of Internet security ...

• Internet security ...

• Layered protocol models ...

• Security and Layered Internet Protocols ...



Internet security ...

• Authentication ...

• Access control ...

• Integrity ...

• Confidentiality ...



Authentication ...

• Something you are (SYA)

• Something you know (SYK)

• Something you have (SYH)



Access control ...

• Who gets access to what

• Authentication, rights, privileges



Integrity ...

• Current vs. original (pure) condition of data



Confidentiality ...

• E-mail "like postcards"

• FTP, WWW



Layered protocol models ...• Protocol message contents ...

• Identities

• Sender, receiver

• Message length

• Message data

• Layered protocols ...

• Protocol enveloping ...

• OSI reference model ...

• Internet TCP/IP model ...

• Protocol enveloping in TCP/IP ...



Layered protocols ...• N layers

Layer N

Layer N – 1

Layer 1

Layer N

Layer N – 1

Layer 1

Computer 1 Computer 2



Protocol enveloping ...

Layer N

Layer N – 1

Layer 1

Layer N

Layer N – 1

Layer 1

Computer 1 Computer 2



OSI reference model ...

• Open Systems Interconnection abstract model

• Does not define: PL bindings, OS bindings, API issues, UI issues

• Defines: 7 protocol layers ...



Defines: 7 protocol layers ...

• Physical ...

• Data link ...

• Network ...

• Transport ...

• Session ...

• Presentation ...

• Application ...

Application-related services

Network-related services

Application

Presentation

Session

Transport

Network

Data Link

Physical



Physical ...

• Network transmission medium

• E.g., coaxial, twisted-pair, fiber-optic

• Raw bit-stream service

• Responsible only for writing / reading bits to / from physical medium



Data link ...• Group bits into frames

• Goal: reliable delivery mechanism• Error detection

• Noise, interference• Collisions

• Flow control• Avoid unnecessary frame loss

• Saturated buffers



Network ...

• Extend data link layer • From local to neighboring / distant networks• E.g., Ethernet, Token Ring

• Incompatible physical and link layers• ==> Internetworks (networks of networks)• Topology: routers• Two network layer services ...



Two network layer services ...• connection-oriented (CO)

• "reliable" / "virtual-circuit"

• well ordered data stream

• guarantee lost, order, duplicate

• connectionless (CL)

• "unreliable" / "datagram"

• no guarantees



Transport ...

• higher-level tasks (not end-to-end delivery)• multiplexing• OSI: 5 incompatible transport protocols

• CL, w/ CL network• CL, w/ CO network• CO, w/ CO network• CO, w/ CL network

• highest network aware



Session ...

• how data exchanged in dialog• two-way simultaneous (full-duplex)• two-way alternate (half-duplex)• one-way (simplex)

• checkpointing• synch points in data stream• resume aborted transfer at last encountered

synch point



Presentation ...

• hide diff in data rep'n

• e.g., ASCII vs. EBCDIC

• generic rep’n w/ ISO ASN.) spec ...



generic rep'n w/ ISO ASN. spec ...

• (Abstract Syntax Notation One)• Boolean• Integer (arb. length)• Real (arb. length & prec.)• Enumerated (days of week, months of year, etc.)• Bit string (arb. length)• Octet (byte) string (arb. length)• Null (any undef'd value)



Application ...

• service consumer

• via APIs



Internet TCP/IP model ...

• 5 layers• physical, data link, network, transport,

application• session, presentation

• by application, w/ assistance of API• Network layer: IP ...• Transport layer: TCP & UDP ...• Application layer ...



Network layer: IP ...

• move data between endpoints

• if not on same host ==> routing

• IP protocol

• IP datagram (packet)



Transport layer: TCP & UDP ...

• Transmission Control Protocol (TCP)

• connection-oriented

• User Datagram Protocol (UDP)

• connectionless



Application layer ...

• FTP

• SMTP: Simple Mail Transfer Protocol

• NNTP: Network News

• HTTP



Protocol enveloping in TCP/IP ...

• Application data --> TCP segment --> IP datagram --> Ethernet frame

Application FTP, SMTP, HTTP,

TCP UDP ICMP

IP

Data Link Ethernet, Token Ring, FDDI

Physical

Protocol Suite



Security and Layered Internet Protocols ...

• Physical and link layer ...

• Security at the IP layer ...

• TCP/UDP layer ...

• Application layer ...



Physical and link layer ...

• physical transmission medium

• access control

• confidentiality



Security at the IP layer ...

• network snooping (sniffing) ...

• Message replay ...

• Message alteration ...

• Message delay and denial ...

• Authentication issues ...

• Unauthorized access ...

• Routing attacks ...



network snooping (sniffing) ...

• abuse of tools for debugging / network problems ...

• network interface into promiscuous mode ...

• solution: encrypt



abuse of tools for debugging / network problems ...• e.g., Network General's Expert Sniffer

• etherfind (SunOS)

• tcpdump (free on Internet)

• Sniffer FAQ

• comp.security, news.answers

• ftp://ftp.iss.net/pub/faq/sniff

• http://www.iss.net/iss/sniff.html



network interface into promiscuous mode ...

• report all packets to sniffer

• display / record

• analyze

• super user on unix / VMS

• remote also possible



Message replay ...

• snoop & record conversation between systems A & B

• play back messages from A to B

• replay, as if A

• e.g., restore earlier password file (and account)



Message alteration ...

• modify contents

• modify checksomes to cover alterations

• solution: encrypt for data integrity



Message delay and denial ...• delay: datagrams held indefinitely

• unauthorized control of router• authenticate to prevent

• denial: datagrams discarded before delivery• overwhelm router / other comm. end

system• datagram overflow ==> lost



Authentication issues ...

• address masquerading ...

• address spoofing ...



Address masquerading ...

• configure network interface w/ other system's IP address

• NFS: access solely based on IP address

• one system down, another can masquerade



Address spoofing ...

• aka TCP sequence number attack

• exploits weakness of TCP

• net effect at IP layer

• How ...

• Defense ...



How ...

• Legitimate 3-way handshake A <--> B ...

• C impersonates A ...



Legitimate 3-way handshake A <--> B ...

• A --> B: SYN + ISN(A) (initial sequence number)

• A <-- B: SYN + ISN(B) + ACK(ISN(A))

• A --> B: ACK(ISN(B))

• A <--> B: application data



C impersonates A ...• C --> B: counterfeit IP datagram SYN +

ISN(C)• A <-- B: SYN + ISN(B) + ACK(ISN(C))

• A down; doesn't know• C --> B: ACK(ISN(B))

• C predicts ISN(B)• TCP ISN generator: 32-bit clock (w/ time)

• C --> B: rsh command



Defense ...

• 1. no address-based auhentication

• 2. screening router• filter packets based on

configurable rules• inbound attacks from

outside• outbound attacks from

inside

S: 108.3.54.9 D: 117.25.9.1

S: 117.25.16.41 D: 117.25.2.7

blocked

blocked

accepted

accepted

Internal 117.25.xxx.yyy

external



Unauthorized access ...

• Packet filtering

• Screeing router

• Firewall

Application

Transport (TCP, UDP)

Network (IP)

Data Link

Physical



Routing attacks ...

• normally: dynamic routing• instead: source routing (legit for tests)• use to bypass filter• or, pass through attacking location

• alteration, delay, denial• ICMP (Internet Control Message

Protocol) redirects



TCP/UDP layer ...

• Some of same problems as at IP layer• No guarantee of confidentiality• packet filtering• hijacking

• modify controls through "hijacked" privileges

• e.g., steal telnet session



Application layer ...

• Application gateways ...

• APIs ...



Application gateways ...

• firewalls at app layer

• mail (SMTP) gateway ...

• proxy ...

• server filter ...



mail (SMTP) gateway ...

• change headers of outgoing messages to hide internal topology

• e.g., [email protected] --> [email protected]

• deliver inbound messages correctly



proxy ...• w/ firewall• both server (to inside client) and client

(to outside server)• block inside from direct connection to

outside• single outbound access point ==>

• sophisticated logging & access control



server filter ...

• host sw

• filter access to own servers

• mini firewall: guard passage into local host



APIs ...

• portability

• transparency

• modularity

• compatibility

• supportability

• Longevity



Encryption and authentication ...

• Foundations of Internet security ...

• Data confidentiality and integrity ...

• Authentication

• Example systems



Data confidentiality and integrity ...

• Encryption, decryption, digital signatures ...

• Simple cryptosystem ...• Keys cryptosystems ...• One-way hash functions• Encryption and decryption

algorithms ...



Encryption, decryption, digital signatures ...

• Encryption

• Plaintext --> ciphertext

• Decryption

• Plaintext <-- ciphertext

• Digital signature

• authentication



Simple cryptosystem ...

• Caesar Cipher

• Simple substitution cipher

• ROT-13

• half alphabet ==> 2 x ==> plaintext

ABCDEFGHIJKLMNOPQRSTUVWXYZ

DEFGHIJKLMNOPQRSTUVWXYZABC



Keys cryptosystems …

• keys and keyspace ...

• secret-key and public-key ...

• key management ...

• strength of key systems ...



keys and keyspace …

• ROT: key is N

• Brute force: 25 values of N

• IDEA in PGP: 2 128 numeric keys

• 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years



secret-key and public-key ...



key management ...

• secret• agree on same / have diff

• public• really belong to alleged owner?

• centralized trust• CAs: certification authorities

• decentralized trust• trusted entity signs public key of

unknown



strength of key systems ...

• key secrecy

• no back door (trap door)

• resistance to attack

• brute force

• analytical …



Analytical ...

• cryptanalysts' attacks

• ciphertext-only

• known-plaintext

• chosen-plaintext

• adaptive-chosen-plaintext

• chosen-ciphertext



Encryption and decryption algorithms ...

• DES

• IDEA

• RC2 and RC4

• Diffie-Hellman

• RSA

• Skipjack and Clipper



Us cryptographic export restrictions

• 56-bit key max



Authentication ...

• Authentication techniques

• User-to-host authentication ...

• Host-to-host authentication ...

• User-to-user authentication



User-to-host authentication ...

• static passwords in cleartext

• static passwords with one-way hash

• One-time passwords

• Trusted third parties



Host-to-host authentication ...

• No authentication

• Disclosing passwords

• Digital signature and encryption



Example systems ...



Overview






Communication and data-sharing applications ...

• Mail and news ...

• Virtual terminal services ...

• File sharing ...

• Example systems ...



Mail and news ...• Core application protocols ...

• sendmail ...

• Privacy Enhanced Mail (PEM) ...

• RIPEM ...

• Pretty Good Privacy (PGP) ...

• Anonymous remailers

• MIME



Core application protocols ...

• SMTP

• POP3

• IMAP4

• NNTP



sendmail ...

• DEBUG mode

• .forward files

• aliases database

• CERT advisories



Privacy Enhanced Mail (PEM) ...

• PEM message types

• Digital signatures

• Encryption

• Certificates and key management



RIPEM ...

• Generating a key pair

• Encrypting a message

• Decrypting a message

• Singing a cleartet message

• Verifying a signature



Pretty Good Privacy (PGP) ...



Virtual terminal services ...

• Virtual terminal operation

• Secure terminals

• Telnet

• BSD trusted host mechanism

• Server filters

• logdaemon



File sharing ...

• Trivial FTP (TFTP)

• FTP

• NFS



Example systems ...

• X Windows



Overview






Web security and firewalls ...

• WWW security ...

• Network security issues ...

• SATAN

• Useful tools



WWW security ...

• Web model

• Browsers and servers

• NCSA httpd ...

• New directions in Web security ...



NCSA httpd ...

• Building the server

• Server configuration files

• Basic authentication

• Managing access control files

• httpd log files

• CGI programming

• CERT advisories



New directions in Web security ...

• Digest authentication

• S-HTTP

• SSL



Network security issues ...

• IP security option (IPSO)

• swIPe

• IPv4 and IPv6 security protocols

• SNMPv1 and SNMPv2

• Firwalls: Filters and Gateways



SATAN



Useful tools

Documents

Internet & Web Security