Upload
others
View
18
Download
0
Embed Size (px)
Citation preview
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 1 hcr:innovationcse@gg
UNIT – IV SECURITY PRACTICE Authentication applications – Kerberos – Kerberos Encryption Techniques – PGP – Radix64 – IP Security
Architecture – Payload – Key management – Web security requirements – SSL – TLS – SET
Authentication applications authentication functions developed to support application-level authentication & digital signatures
Kerberos – a private-key authentication service
X.509 - a public-key directory authentication service
Kerberos Overview
authentication service designed for use in a distributed environment.
makes use of a trusted third-party authentication service
o enables clients and servers to establish authenticated communication.
developed as part of Project Athena at MIT
Addresses the following threats
o user pretend to be another user operating from that workstation
o user may alter the network address and impersonate the workstation
o eavesdrop on exchanges and use a replay attack for gaining entry or disrupt
provides a centralized authentication server to authenticate users to servers and servers to users
relies exclusively on symmetric encryption, making no use of public-key encryption
two versions in use 4 & 5
Motivation / Requirements (SRTS)
Secure
o A network eavesdropper should not be able to obtain the necessary information to impersonate a user.
o strong enough such that a potential opponent does not find it to be the weak link.
Reliable
o should be highly reliable
o should employ a distributed server architecture,
one system able to back up another.
Transparent
o user should not be aware that authentication is taking place
beyond the requirement to enter a password.
Scalable
o capable of supporting large numbers of clients and servers
modular, distributed architecture.
Kerberos Encryption Techniques
Simple Kerberos Dialogue
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 2 hcr:innovationcse@gg
Kerberos Overview
Kerberos Version 4 Message Exchanges
i) Authentication Service Exchange to obtain ticket-granting ticket
1) Client requests ticket-granting ticket
User logs on to workstation and requests service on host
2) AS returns ticket-granting ticket
AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are
encrypted using key derived from user's password
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 3 hcr:innovationcse@gg
ii) Ticket-Granting Service Exchange to obtain service-granting ticket
3) Client requests service-granting ticket
Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket
and authenticator that contains user's name, network address, and time to TGS
4) TGS returns service-granting ticket
TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server
iii) Client/Server Authentication Exchange to obtain service
5) Client requests service
Workstation sends ticket and authenticator to server
6) Optional authentication of server to client
Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is
required, server returns an authenticator
Kerberos Realms And Multiple Kerberi
Kerberos realm
a set of managed nodes that share the same Kerberos database.
database resides on the Kerberos master computer system, kept in a physically secure room.
o A read-only copy on other Kerberos computer systems.
all changes to the database must be made on the master computer system.
o requires the Kerberos master password
Kerberos principal
a service or user that is known to the Kerberos system.
Each Kerberos principal is identified by its principal name.
Principal names consist of three parts: a service or user name, an instance name, and a realm name
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 4 hcr:innovationcse@gg
Requirements
1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database.
All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos
server
3. The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The
two Kerberos servers are registered with each other
Exchanges
Request for Service in another Realm
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 5 hcr:innovationcse@gg
Environmental shortcomings of Kerberos version 4
Encryption system dependence
Export restriction on DES as well as doubts about the strength of DES
In version 5,
ciphertext is tagged with an encryption type identifier so that any encryption technique may be used
Encryption keys are tagged with a type and a length,
o allowing the same key to be used in different algorithms
o allowing the specification of different variations on a given algorithm.
Internet protocol dependence:
Version 4 requires the use of Internet Protocol (IP) addresses. Other address types, such as the ISO
network address, are not accommodated.
Version 5 network addresses are tagged with type and length, allowing any network address
Message byte ordering
In version 4, the sender of a message employs a byte ordering of its Own
In version 5, all message structures are defined using Abstract Syntax Notation One (ASN.1) and Basic
Encoding Rules (BER), which provide an unambiguous byte ordering.
Ticket lifetime:
Lifetime values in version 4 are encoded in an 8-bit quantity in units of five minutes.
o 1280 minutes, or over 21 hours
In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes
Authentication forwarding:
Version 4 does not allow credentials issued to one client to be forwarded to some other host and used by
some other client
Version 5 provides this capability
Interrealm authentication:
In version 4, interoperability among N realms requires on the order of N2 Kerberos-to-Kerberos
relationships
Version 5 supports a method that requires fewer relationships
Technical deficiencies
Double encryption
second encryption is not necessary and is computationally wasteful
PCBC encryption
Version 4 uses nonstandard mode of DES known as propagating cipher block chaining (PCBC)
Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be used
o a checksum or hash code is attached to the message prior to encryption
Session keys
Password attacks
Both versions are vulnerable to a password attack
Version 5 does provide a mechanism known as Preauthentication
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 6 hcr:innovationcse@gg
Kerberos Version 5 Message Exchanges
Authentication Service Exchange to obtain ticket-granting ticket
Ticket-Granting Service Exchange to obtain service-granting ticket
Client/Server Authentication Exchange to obtain service
New Elements
Realm: Indicates realm of user
Options: Used to request that certain flags be set in the returned ticket
Times: Used by the client to request the following time settings in the ticket:
o from: the desired start time for the requested ticket
o till: the requested expiration time for the requested ticket
o rtime: requested renew-till time
Nonce: A random value to be repeated in message (2) to assure that the response is fresh
Kerberos Version 5 Flags
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 7 hcr:innovationcse@gg
PGP PGP is an open-source, freely available software package for e-mail security.
It provides
o authentication through the use of digital signature,
o confidentiality through the use of symmetric block encryption,
o compression using the ZIP algorithm, and
o e-mail compatibility using the radix-64 encoding scheme.
PGP incorporates tools for developing a public-key trust model and public-key certificate management
Largely the effort of a single person, Phil Zimmermann
Reasons for PGP’s growth
available free worldwide - on a variety of platforms
o like Windows, UNIX, Macintosh ….
o commercial version comes with vendor support.
based on algorithms that are considered extremely secure
o the package includes RSA, DSS, and Diffie-Hellman for public-key encryption;
o CAST-128, IDEA, and 3DES for symmetric encryption;
o SHA-1 for hash coding.
It has a wide range of applicability,
o From corporations to individuals
It was not developed by, nor is it controlled by, any governmental or standards organization.
o For those with an instinctive distrust of “the establishment,” this makes PGP attractive.
PGP is on an Internet standards track (RFC 3156; MIME Security with OpenPGP).
Notation
Summary of PGP Services
Function Algorithms Used Description
Digital signature DSS/SHA or RSA/SHA A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message
Message encryption
CAST or IDEA or Three-key Triple DES with Diffie-Hellman or RSA
A message is encrypted using CAST-128or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie- Hellman or RSA with the recipient's public key and included with the message
Compression ZIP A message may be compressed, for storage or transmission, using ZIP
Email compatibility
Radix 64 conversion To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix 64 conversion.
Segmentation To accommodate maximum message size limitations, PGP performs segmentation and reassembly.
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 8 hcr:innovationcse@gg
Operation
The PGP does five services
Authentication
Confidentiality
Compression
Email compatibility
Segmentation
Authentication
The sequence is as follows
The sender creates a message
SHA-1 is used to generate a 160-bit hash code of the message
The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the
message.
The receiver uses RSA with the sender's public key to decrypt and recover the hash code
The receiver generates a new hash code for the message and compares it with the decrypted hash code. If
the two match, the message is accepted as authentic
The combination of SHA-1 and RSA provides an effective digital signature scheme.
the recipient is assured that,
o Because of the strength of RSA, only the possessor of the matching private key can generate the
signature.
o Because of the strength of SHA-1, no one else could generate a new message that matches the hash
code and, hence, the signature of the original message
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 9 hcr:innovationcse@gg
Confidentiality
provided by encrypting messages to be transmitted or to be stored locally as files
Sequence
The sender generates a message and a random 128-bit number to be used as a session key for this
message only
The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key.
o 64-bit cipher feedback (CFB) mode is used
The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
The receiver uses RSA with its private key to decrypt and recover the session key
The session key is used to decrypt the message
Confidentiality and Authentication
a signature is generated for the plaintext message and prepended to the message
the plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES)
the session key is encrypted using RSA (or ElGamal)
Compression
By default, PGP compresses the message after applying the signature but before encryption.
This has the benefit of saving space both for e-mail transmission and for file storage
indicated by Z for compression and Z-1 for decompression in the above figure
The compression algorithm used is ZIP
The signature is generated before compression for two reasons:
o one can store only the uncompressed message together with the signature for future verification
o Applying the hash function and signature after compression would constrain all PGP implementations to
the same version of the compression algorithm
Message encryption is applied after compression to strengthen cryptographic security.
o the compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult
Email compatibility
When PGP is used, at least part of the block to be transmitted is encrypted.
the resulting block consists of a stream of arbitrary 8-bit octets
many electronic mail systems only permit the use of blocks consisting of ASCII text
To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a
stream of printable
The scheme used for this purpose is Radix-64 Conversion
Each group of three octets of binary data is mapped into four ASCII characters
appends a CRC to detect transmission errors
it blindly converts the input stream to radix-64 format regardless of content, even if the input happens to be
ASCII text
o the output will be unreadable to the casual observer, which provides a certain level of confidentiality
Segmentation and Reassembly
E-mail facilities often are restricted to a maximum message length like 50,000 octets
Any message longer than that must be broken up into smaller segments, each of which is mailed separately
To accommodate this restriction, PGP automatically subdivides a message that is too large into segments
that are small enough to send via e-mail.
The segmentation is done after all of the other processing, including the radix-64 conversion.
Thus, the session key component and signature component appear only once, at the beginning of the first
segment.
At the receiving end, PGP must strip off all e-mail headers and reassemble the entire original block
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 10 hcr:innovationcse@gg
Transmission and Reception of PGP Messages
Cryptographic Keys and Key Rings
PGP makes use of four types of keys:
1. one-time session symmetric keys,
2. public keys,
3. private keys
4. passphrase-based symmetric keys
Three separate requirements for these keys
1. A means of generating unpredictable session keys is needed
2. We would like to allow a user to have multiple public-key/private-key pairs
o the user may wish to change his or her key pair from time to time
o a user may wish to have multiple key pairs at a given time
to interact with different groups of correspondents
simply to enhance security by limiting the amount of material encrypted with any one key
3. Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of
correspondents
Session Key Generation
Random 128-bit numbers are generated using CAST-128 itself.
The input to the random number generator consists of a 128-bit key and two 64-bit blocks that are treated as
plaintext to be encrypted.
Using cipher feedback mode, the CAST-128 encrypter produces two 64-bit cipher text blocks, which are
concatenated to form the 128-bit session key
Key Identifiers
any given user may have multiple public/private key pairs.
the recipient need to know which of its public keys was used to encrypt the session key
The solution adopted by PGP is to assign a key ID to each public key that is, with very high probability,
unique within a user ID
consists of its least significant 64 bits
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 11 hcr:innovationcse@gg
the key ID of public PUa is (PUa mod 264
).
A key ID is also required for the PGP digital signature
General Format of PGP Message (from A to B)
A message consists of three components:
1. the message component,
2. a signature (optional),
3. a session key component (optional)
Message Component
includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the
time of creation
Signature Component
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 12 hcr:innovationcse@gg
Timestamp: The time at which the signature was made
Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key
Leading two octets of message digest
o to determine if the correct public key was used
o also serve as a 16-bit frame check sequence for the message
Key ID of sender's public key: Identifies the public key that should be used
Session Key Component
includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt
the session key.
The entire block is usually encoded with radix-64 encoding.
Key Rings
two key IDs are included in any PGP message that provides both confidentiality and authentication.
The scheme used in PGP is to provide a pair of data structures at each node,
o one to store the public/private key pairs owned by that node
o one to store the public keys of other users known at this node.
These data structures are referred to, respectively, as the private-key ring and the public-key ring
Private-Key Ring
a table, in which each row represents one of the public/private key pairs owned by this user
Each row contains the following entries:
o Timestamp: The date/time when this key pair was generated.
o Key ID: The least significant 64 bits of the public key for this entry.
o Public key: The public-key portion of the pair.
o Private key: The private-key portion of the pair; this field is encrypted.
o User ID: Typically, this will be the user's e-mail address or any other name
can be indexed by either User ID or Key ID
the private key itself is not stored in the key ring
this key is encrypted using CAST-128 (or IDEA or 3DES).
Procedure For Encrypting The Private Key
The user selects a passphrase to be used for encrypting private keys
When the system generates a new public/private key pair using RSA,
o it asks the user for the passphrase.
o Using SHA-1, a 160-bit hash code is generated from the passphrase
o the passphrase is discarded
The system encrypts the private key using CAST-128 with the 128 bits of the hash code as the key.
o The hash code is then discarded,
o the encrypted private key is stored in the private-key
Procedure To Retrieve A Private Key
user must supply the passphrase.
PGP will retrieve the encrypted private key,
generate the hash code of the passphrase,
decrypt the encrypted private key using CAST-128 with the hash code
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 13 hcr:innovationcse@gg
Public-Key Ring
used to store public keys of other users that are known to this user
Essential fields
o Timestamp: The date/time when this entry was generated.
o Key ID: The least significant 64 bits of the public key for this entry.
o Public Key: The public key for this entry.
o User ID: Identifies the owner of this key. Multiple user IDs may be associated with a single public key
can be indexed by either User ID or Key ID;
PGP Message Generation
(from User A to User B; no compression or radix 64 conversion)
Signing the message
PGP retrieves the sender's private key from the private-key ring using your_userid as an index.
PGP prompts the user for the passphrase to recover the unencrypted private key.
The signature component of the message is constructed
Encrypting the message
PGP generates a session key and encrypts the message.
PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.
The session key component of the message is constructed
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 14 hcr:innovationcse@gg
PGP Message Reception
(from User A to User B; no compression or radix 64 conversion)
Decrypting the message
PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key
component of the message as an index.
PGP prompts the user for the passphrase to recover the unencrypted private key
PGP then recovers the session key and decrypts the message
Authenticating the message
PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature key
component of the message as an index
PGP recovers the transmitted message digest
PGP computes the message digest for the received message and compares it to the transmitted message
digest to authenticate
Public-Key Management (TBD) Skipped
Approaches to Public-Key Management - The Use of Trust - Contents of Trust Flag Byte - PGP Trust Model
Example - Revoking Public Keys
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 15 hcr:innovationcse@gg
Radix64 Both PGP and S/MIME make use of an encoding technique referred to as radix-64 conversion.
This technique maps arbitrary binary input into printable character output.
Characteristics
The range of the function is a character set that is universally representable at all sites, not a specific binary
encoding of that character set.
o Thus, the characters themselves can be encoded into whatever form is needed by a specific system.
o Example
the character "E" is represented
in an ASCII-based system as hexadecimal 45
in an EBCDIC-based system as hexadecimal C5.
The character set consists of 65 printable characters, one of which is used for padding.
o With 26 = 64 available characters, each character can be used to represent 6 bits of input
No control characters are included in the set.
o message can traverse mail-handling systems that scan the data stream for control characters
The hyphen character ("-")is not used.
o This character has significance in the RFC 822 format and should therefore be avoided
Printable Encoding of Binary Data into Radix-64 Format
Example
consider the 24-bit raw text sequence 00100011 01011100 10010001, which can be expressed in hexadecimal
as 235C91. We arrange this input in blocks of 6 bits: 001000 110101 110010 010001
The extracted 6-bit decimal values are 8, 53, 50, 17.Looking these up in Table yields the radix-64 encoding as
the following characters: I1yR. If these characters are stored in 8-bit ASCII format with parity bit set to zero, we
have 01001001 00110001 01111001 01010010. In hexadecimal, this is 49317952.
Summary
Input Data
Binary representation 00100011 01011100 10010001
Hexadecimal representation 235C91
Radix-64 Encoding of Input Data
Character representation I1yR
ASCII code (8 bit, zero parity) 01001001 00110001 01111001 01010010
Hexadecimal representation 49317952
6-bit Encoding
0 A
26 a
52 0
62 +
63 /
(Pad) =
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 16 hcr:innovationcse@gg
IP Security Architecture IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4
or IPv6), by means of additional headers.
IPSec encompasses three functional areas: authentication, confidentiality, and key management.
Authentication makes use of the HMAC message authentication code. Authentication can be applied to the
entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode).
Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel
and transport modes can be accommodated.
IPSec defines a number of techniques for key management
IP Security Overview
Applications of IPSec
IPSec provides the capability to secure communications across a LAN, across private and public WANs, and
across the Internet. Examples of its use include the following
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
An IP Security Scenario
Benefits of IPSec
When IPSec is implemented in a firewall or router, traffic within a company or workgroup does not incur the
overhead of security-related processing
IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP
IPSec is below the transport layer (TCP, UDP) and so is transparent to applications
IPSec can be transparent to end users. There is no need to train users.
IPSec can provide security for individual users if needed
Routing Applications
IPSec can assure that - A router advertisement comes from an authorized router - A neighbor advertisement - A
redirect message - A routing update is not forged.
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 17 hcr:innovationcse@gg
IP Security Architecture
IPSec Document
Overview
RFC 2401: An overview of a security
architecture
RFC 2402: Description of a packet
authentication extension to IPv4 and
IPv6
RFC 2406: Description of a packet
encryption extension to IPv4 and IPv6
RFC 2408: Specification of key
management capabilities
Architecture:
Covers the general concepts, security
requirements, definitions, and
mechanisms defining IPSec technology
Encapsulating Security Payload (ESP)
Covers the packet format and general
issues related to the use of the ESP for
packet encryption and, optionally,
authentication.
Authentication Header (AH):
Covers the packet format and general issues related to the use of AH for packet authentication.
Encryption Algorithm:
A set of documents that describe how various encryption algorithms are used for ESP.
Authentication Algorithm:
A set of documents that describe how various authentication algorithms are used for AH and for the
authentication option of ESP.
Key Management:
Documents that describe key management schemes.
Domain of Interpretation (DOI):
Contains values needed for the other documents to relate to each other. These include identifiers for approved
encryption and authentication algorithms, as well as operational parameters such as key lifetime
IPSec Services
IPSec provides security services at the IP layer
Two protocols are used to provide security:
o an authentication protocol designated by the header of the protocol, Authentication Header (AH);
o a combined encryption/authentication protocol designated by the format of the packet for that protocol,
Encapsulating Security Payload (ESP)
The services are
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 18 hcr:innovationcse@gg
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations
An association is a one-way relationship between a sender and a receiver that affords security services to
the traffic carried on it.
If a peer relationship is needed, for two-way secure exchange, then two security associations are required.
A security association is uniquely identified by three parameters:
Security Parameters Index (SPI):
A bit string assigned to this SA and having local significance only.
The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a
received packet will be processed.
IP Destination Address
Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which
may be an end user system or a network system such as a firewall or router.
Security Protocol Identifier
This indicates whether the association is an AH or ESP security association.
SA Parameters
A security association is normally defined by the following parameters
Sequence Number Counter
o A 32-bit value used to generate the Sequence Number field in AH or ESP headers
Sequence Counter Overflow
o A flag indicating whether overflow of the Sequence Number
o Counter should generate an auditable event and prevent further transmission of packets
Anti-Replay Window
o Used to determine whether an inbound AH or ESP packet is a replay
AH Information
o Authentication algorithm, keys, key lifetimes, and related parameters being used with AH
ESP Information
o Encryption and authentication algorithm, keys, initialization values, key lifetimes,related parameters
Lifetime of This Security Association
o A time interval or byte count after which an SA must be replaced with a new SA or terminated
IPSec Protocol Mode
o Tunnel, transport, or wildcard
Path MTU
o Any observed path maximum transmission unit (maximum size of a packet that can be transmitted
without fragmentation) and aging variables (required for all implementations).
SA Selectors
The means by which IP traffic is related to specific SAs is the nominal Security Policy Database (SPD).
Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors
these selectors are used to filter outgoing traffic in order to map it into a particular SA.
The following selectors determine an SPD entry
Destination IP Address
o may be a single IP address, an enumerated list or range of addresses, or a wildcard address
Source IP Address
UserID
Data Sensitivity Level
Transport Layer Protocol
Source and Destination Ports
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 19 hcr:innovationcse@gg
Transport and Tunnel Modes
Both AH and ESP support two modes of use: transport and tunnel mode
Transport Mode
provides protection primarily for upper-layer protocols
protection extends to the payload of an IP packet.
o Examples a TCP or UDP segment or an ICMP packet
used for end-to-end communication between two hosts (e.g., a client and a server, or two workstations)
ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header.
AH in transport mode authenticates the IP payload and selected portions of the IP header
Tunnel Mode
Tunnel mode provides protection to the entire IP packet
the entire packet plus security fields is treated as the payload of new "outer" IP packet with a new header
The entire original, or inner, packet travels through a "tunnel" from one point of an IP network to another
Because the original packet is encapsulated, the new, larger packet may have totally different source and
destination addresses, adding to the security
used when one or both ends of an SA are a security gateway, such as a firewall or router with IPSec.
With tunnel mode, a number of hosts on networks behind firewalls may engage in secure communications
without implementing IPSec.
The unprotected packets generated by such hosts are tunneled through external networks by tunnel mode
SAs set up by the IPSec software in the firewall or secure router at the boundary of the local network
ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet
AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 20 hcr:innovationcse@gg
Authentication Header (Skip) TBD
Payload The Encapsulating Security Payload provides confidentiality services, including confidentiality of message
contents and limited traffic flow confidentiality.
ESP can also provide an authentication service
IPSec ESP format
Encryption and Authentication Algorithms
Padding
Transport and Tunnel Modes
o Transport Mode ESP
o Tunnel Mode ESP
IPSec ESP format
Security Parameters Index (32 bits): Identifies a security association.
Sequence Number (32 bits): A monotonically increasing counter value; this provides an antireplay
function, as discussed for AH.
Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode)
that is protected by encryption.
Padding (0255 bytes): The purpose of this field is discussed later.
Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first
header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP).
Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that
contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field
Encryption and Authentication Algorithms
implementation must support DES in cipher block chaining (CBC) mode
A number of other algorithms are
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 21 hcr:innovationcse@gg
o Three-key triple DES
o RC5
o IDEA
o Three-key triple IDEA
o CAST
o Blowfish
Padding
If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple
of a single block for a block cipher), the Padding field is used to expand the plaintext
The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32- bit word.
Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this
alignment.
Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual
length of the payload
Transport and Tunnel Modes
Transport Mode ESP
1. At the source, the block of data consisting of the ESP trailer plus the entire transport-layer segment is
encrypted and the plaintext of this block is replaced with its ciphertext to form the IP packet for
transmission. Authentication is added if this option is selected
2. The packet is then routed to the destination. Each intermediate router needs to examine and process the IP
header plus any plaintext IP extension headers but does not need to examine the ciphertext.
3. The destination node examines and processes the IP header plus any plaintext IP extension headers.
Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet
to recover the plaintext transport-layer segment
Tunnel Mode ESP
1. The source prepares an inner IP packet with a destination address of the target internal host. This packet is
prefixed by an ESP header; then the packet and ESP trailer are encrypted and Authentication Data may be
added. The resulting block is encapsulated with a new IP header (base header plus optional extensions
such as routing and hop-by-hop options for IPv6) whose destination address is the firewall; this forms the
outer IP packet.
2. The outer packet is routed to the destination firewall. Each intermediate router needs to examine and
process the outer IP header plus any outer IP extension headers but does not need to examine the
ciphertext.
3. The destination firewall examines and processes the outer IP header plus any outer IP extension headers.
Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet
to recover the plaintext inner IP packet. This packet is then transmitted in the internal network.
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 22 hcr:innovationcse@gg
4. The inner packet is routed through zero or more routers in the internal network to the destination host
Key management (Skip) TBD
Web security requirements
Web Security Threats
Threats Consequences Countermeasures
Integrity Modification of user data
Trojan horse browser
Modification of memory
Modification of message traffic in
transit
Loss of information
Compromise of machine
Vulnerabilty to all other
threats
Cryptographic
checksums
Confidentiality Eavesdropping on the Net
Theft of info from server
Theft of data from client
Info about network configuration
Info about which client talks to
server
Loss of information
Loss of privacy Encryption, web
proxies
Denial of
Service
Killing of user threads
Flooding machine with bogus
requests
Filling up disk or memory
Isolating machine by DNS attacks
Disruptive
Annoying
Prevent user from getting
work done
Difficult to prevent
Authentication Impersonation of legitimate users
Data forgery
Misrepresentation of user
Belief that false
information is valid
Cryptographic
techniques
Classification based on the location of the threat
category of computer system security
o Web server,
o Web browser,
category of network security
o Network traffic between browser and server
Web Traffic Security Approaches
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 23 hcr:innovationcse@gg
differ with respect to
scope of applicability
relative location within the TCP/IP protocol stack
Network Level
use IP Security
transparent to end users and applications and provides a general-purpose solution
IPSec includes a filtering capability so that only selected traffic need incur the overheads
Transport Level
implement security just above TCP
examples: Secure Sockets Layer (SSL) and the follow-on Transport Layer Security (TLS)
two implementation choices
o as part of the underlying protocol suite - transparent to applications
o can be embedded in specific packages
example: Netscape and Microsoft Explorer browsers come equipped with SSL
Application Level
Application-specific security services are embedded within the particular application.
service can be tailored to the specific needs of a given application
example: Secure Electronic Transaction (SET)
SSL Secure socket layer (SSL) provides security services between TCP and applications that use TCP. The
Internet standard version is called transport layer service (TLS).
SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message
authentication code.
SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms
and services they will use.
Netscape originated SSL
TLS can be viewed as essentially an SSLv3.1 and backward compatible with SSLv3 (in use)
SSL Architecture
SSL Protocol Stack
make use of TCP to provide a reliable
end-to-end secure service
SSL is two layers of protocols
SSL Record Protocol provides basic
security services to various higher-
layer protocols
Three higher-layer protocols are
defined as part of SSL: the
o Handshake Protocol,
o The Change Cipher Spec
Protocol,
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 24 hcr:innovationcse@gg
o The Alert Protocol
Two important SSL concepts
SSL session
an association between a client and a server
created by the Handshake Protocol
define a set of cryptographic security parameters which can be shared among multiple connections
SSL connection
a transport that provides a suitable type of service
transient, peer-to-peer relationships, associated with one session
Session States
number of states associated with each session (examples: receive and send)
defined by the following parameters
o Session identifier
o Peer certificate
o Compression method
o Cipher spec
Specifies the bulk data encryption algorithm (such as null, AES, etc.)
hash algorithm (such as MD5 or SHA-1) used for MAC calculation
defines cryptographic attributes such as the hash_size
o Master secret
o Is resumable
can be used to initiate new connections
Parameters That Define Connection State
Server and client random
Server write MAC secret
Client write MAC secret
Server write key
Client write key
Initialization vectors
Sequence numbers
SSL Record Protocol
The SSL Record Protocol provides two services for SSL connections:
Confidentiality
o defines a shared secret key that is used for conventional encryption of SSL payloads.
Message Integrity
o defines a shared secret key that is used to form a
message authentication code (MAC).
The Record Protocol takes
an application message to be transmitted,
fragments the data into manageable blocks
o blocks of 214
bytes (16384 bytes) or less.
optionally compresses the data
applies a MAC, encrypts, adds a header
o hash(MAC_write_secret || pad_2 ||
hash(MAC_write_secret || pad_1 || seq_num ||
SSLCompressed.type || SSLCompressed.length ||
SSLCompressed.fragment))
transmits the resulting unit in a TCP segment.
Received data are
o decrypted, verified, decompressed, reassembled, delivered to higher-level users
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 25 hcr:innovationcse@gg
SSL Record Format
The final step of SSL Record Protocol processing is to prepend a header
Content Type (8 bits) : change_cipher_spec, alert, handshake, and application_data
Major Version (8 bits)
Minor Version (8 bits)
Compressed Length (16 bits)
SSL Record Protocol Operation
SSL Record Protocol Payload
Change Cipher Spec Protocol
consists of a single message - single byte with the value 1
purpose of this message is to cause the pending state to be copied into the current state, which updates the
cipher suite to be used on this connection
Alert Protocol
used to convey SSL-related alerts to the peer entity
Each message in this protocol consists of two bytes
o The first byte takes the value warning(1) or fatal(2) to convey the severity of the message
o second byte contains a code that indicates the specific alert
Examples of alerts:
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 26 hcr:innovationcse@gg
fatal alerts: unexpected_message, bad_record_mac, decompression_failure, handshake_failure,
illegal_parameter
other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked,
certificate_expired, certificate_unknown
Handshake Protocol
Shaded transfers are optional or situation-dependent messages that are not always sent
Phase 1. Establish Security Capabilities
client_hello message
Version, Random, Session ID, CipherSuite, Compression Method
server_hello message
same parameters as the client_hello message
The following key exchange methods are supported
RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 27 hcr:innovationcse@gg
Phase 2. Server Authentication and Key Exchange
certificate message
required for any agreed-on key exchange method except anonymous Diffie-Hellman
server_key_exchange message
hash is defined as
hash(ClientHello.random || ServerHello.random || ServerParams)
certificate_request message
two parameters: certificate_type and certificate_authorities
server_done message
sent by the server to indicate the end of the server hello and associated messages
Phase 3. Client Authentication and Key Exchange
certificate message
client_key_exchange message
certificate_verify message
CertificateVerify.signature.md5_hash
MD5(master_secret || pad_2 || MD5(handshake_messages ||
master_secret || pad_1));
Certificate.signature.sha_hash
SHA(master_secret || pad_2 || SHA(handshake_messages ||
master_secret || pad_1));
Phase 4. Finish
change_cipher_spec message
finished message
The content of the finished message is the concatenation of two hash values:
MD5(master_secret || pad2 || MD5(handshake_messages ||
Sender || master_secret || pad1))
SHA(master_secret || pad2 || SHA(handshake_messages ||
Sender || master_secret || pad1))
Transport Layer Security -TLS TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL.
TLS is defined as a Proposed Internet Standard in RFC 2246.
RFC 2246 is very similar to SSLv3.
Differences with SSLv3
Version Number
For the current version of TLS, the Major Version is 3 and the Minor Version is 1
Message Authentication Code
two differences between the SSLv3 and TLS MAC schemes
TLS makes use of the HMAC algorithm defined in RFC 2104
SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key
The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field
TLSCompressed.version
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 28 hcr:innovationcse@gg
Pseudorandom Function
TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data for
purposes of key generation or validation.
Alert Codes
TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate.
A number of additional codes are defined in TLS; of these, the following are always fatal:
decryption_failed, record_overflow, unknown_ca, access_denied, decode_error, export_restriction,
protocol_version, insufficient_security, internal_error, decrypt_error, user_canceled, no_renegotiation
Cipher Suites
Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza.
Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms found in
SSLv3, with the exception of Fortezza
Client Certificate Types
TLS defines the following certificate types to be requested in a certificate_request message: rsa_sign, dss_sign,
rsa_fixed_dh, and dss_fixed_dh.
Certificate_Verify and Finished Messages
In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over
handshake_messages
the finished message in TLS is a hash based on the shared master_secret, the previous handshake
messages, and a label that identifies client or server
Cryptographic Computations
The form of the TLS calculation is different from that of SSLv3 and is defined as follows:
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)
Padding
In TLS, the padding can be any amount that results in a total that is a multiple of the cipher's block length, up to
a maximum of 255 bytes.
Secure Electronic Transaction - SET SET Overview
Requirements
Key Features of SET
SET Participants
Secure Electronic Commerce Components
Dual Signature
o Construction of Dual Signature
Payment Processing
o SET Transaction Types
o Purchase Request
o Payment Authorization
o Payment Capture
SET Overview
SET is an open encryption and security specification designed to protect credit card transactions on the
Internet.
SET is not itself a payment system.
it is a set of security protocols and formats that enables users to employ the existing credit card payment
infrastructure on an open network, such as the Internet, in a secure fashion.
SET provides three services:
o Provides a secure communications channel among all parties involved in a transaction
o Provides trust by the use of X.509v3 digital certificates
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 29 hcr:innovationcse@gg
o Ensures privacy because the information is only available to parties in a transaction when and where
necessary
Requirements
1. Provide confidentiality of payment and ordering information
2. Ensure the integrity of all transmitted data
3. Provide authentication that a cardholder is a legitimate user of a credit card account
4. Provide authentication that a merchant can accept credit card transactions through its relationship with a
financial institution
5. Ensure the use of the best security practices and system design techniques to protect all legitimate parties
in an electronic commerce transaction
6. Create a protocol that neither depends on transport security mechanisms nor prevents their use
7. Facilitate and encourage interoperability among software and network providers
Key Features of SET
1. Confidentiality of information
o prevents the merchant from learning the cardholder's credit card number
o DES is used to provide confidentiality
2. Integrity of data
o RSA digital signatures, using SHA-1 hash codes, provide message integrity.
o Certain messages are also protected by HMAC using SHA-1.
3. Cardholder account authentication
o SET uses X.509v3 digital certificates with RSA signatures
4. Merchant authentication
SET Participants
Cardholder
an authorized holder of a payment card (e.g., MasterCard, Visa)
Merchant
person or organization that has goods or services to sell to the cardholder
Issuer
This is a financial institution, such as a bank, that provides the cardholder with the payment card
Acquirer
This is a financial institution that establishes an account with a merchant and processes payment card
authorizations and payments
Payment gateway
This is a function operated by the acquirer or a designated third party that processes merchant payment
messages
Certification authority (CA)
This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment
gateways
Sequence of events
1. The customer opens an account.
2. The customer receives a certificate
3. Merchants have their own certificates
4. The customer places an order
5. The merchant is verified
6. The order and payment are sent
7. The merchant requests payment authorization
8. The merchant confirms the order
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 30 hcr:innovationcse@gg
9. The merchant provides the goods or service
10. The merchant requests payment
Secure Electronic Commerce Components
Dual Signature
The purpose of the dual signature is to link two messages that are intended for two different recipients
the customer wants to send the order information (OI) to the merchant
the payment information (PI) to the bank
Steps
1. The merchant has received OI and verified the signature.
2. The bank has received PI and verified the signature.
3. The customer has linked the OI and PI and can prove the linkage
Construction of Dual Signature
PI = Payment Information OI = Order Information
H = Hash function (SHA-1) || = Concatenation
PIMD = PI message digest OIMD = OI message digest
POMD = Payment Order message digest E = Encryption (RSA)
PRc = Customer's private signature key
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 31 hcr:innovationcse@gg
Payment Processing
SET Transaction Types
1. Cardholder registration
2. Merchant registration
3. Purchase request
4. Payment authorization
5. Payment capture
6. Certificate inquiry and status
7. Purchase inquiry
8. Authorization reversal
9. Capture reversal
10. Credit
11. Credit reversal
12. Payment gateway certificate request
13. Batch administration
14. Error message
Purchase Request
Cardholder Sends Purchase Request
The purchase request exchange consists of four messages:
Initiate Request
Initiate Response
Purchase Request
o Purchase-related information
o Order-related information
o Cardholder certificate
Purchase Response
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 32 hcr:innovationcse@gg
Merchant Verifies Customer Purchase Request
When the merchant receives the Purchase Request message, it performs the following actions
Verifies the cardholder certificates by means of its CA signatures
Verifies the dual signature using the customer's public signature key
Processes the order and forwards the payment information to the payment gateway for authorization
Sends a purchase response to the cardholder
Payment Authorization
The payment authorization exchange consists of two messages:
Authorization Request
Authorization response
Authorization Request
Purchase-related information
Authorization-related information
Certificates
The payment gateway performs the following tasks
1. Verifies all certificates
2. Decrypts the digital envelope of the authorization block to obtain the symmetric key and then decrypts the
authorization block
3. Verifies the merchant's signature on the authorization block
CS669 Network Security Unit - IV
MTech CSE (PT, 2011-14) SRM, Ramapuram 33 hcr:innovationcse@gg
4. Decrypts the digital envelope of the payment block to obtain the symmetric key and then decrypts the
payment block
5. Verifies the dual signature on the payment block
6. Verifies that the transaction ID received from the merchant matches that in the PI received (indirectly) from
the customer
7. Requests and receives an authorization from the issuer
Authorization response
It includes the following elements
Authorization-related information
o Includes an authorization block, signed with the gateway's private signature key and encrypted with a
one-time symmetric key generated by the gateway
Capture token information
o This information will be used to effect payment later
Certificate
o The gateway's signature key certificate
Payment Capture
To obtain payment, the merchant engages the payment gateway in a payment capture transaction, consisting
of a capture request and a capture response message
Capture Request message
the merchant generates, signs, and encrypts a capture request block, which includes the payment amount
and the transaction ID.
the payment gateway receives the capture request message, it decrypts and verifies the capture request
block and decrypts and verifies the capture token block
It then creates a clearing request that is sent to the issuer over the private payment network. This request
causes funds to be transferred to the merchant's account
Capture Response message
The gateway then notifies the merchant of payment via this message
The message includes a capture response block that the gateway signs and encrypts
Disclaimer
Intended for educational purposes only. Not intended for any sort of commercial use
Purely created to help students with limited preparation time
Text and picture used were taken from the reference items
Reference
Cryptography and Network Security, Fourth Edition – William Stallings
Credits
Thanks to my family members who supported me, while I spent considerable amount of time to prepare these notes. Feedback is always welcome at [email protected]
http://williamstallings.com/Crypto/Crypto4e.html