Stuart Fitz-Gerald - Internet Security1 Internet Security Technologies Part 2: Network Security Stuart Fitz-Gerald With thanks to Chris Reade

Stuart Fitz-Gerald - Internet Security 1

Internet Security Technologies

Part 2: Network SecurityStuart Fitz-Gerald

With thanks to Chris Reade


Network Security

• Introduction• Internet Security Protocols

– Web authentication example– SSL/TLS– Kerberos – IPsec– others

• Firewalls• Mobility and Security

– Mobile Code, Mobile devices/people, Wireless

• (Certificates and PKI)


The problem

• Threats– Worms, Virus, Trojan Horse– Denial of Service– Spoofing– Bugs

• Policing– CERT/CC - Computer Emergency Response Team/ Co-ordination Centre

(set up after 1988 worm) www.cert.org– Regulations for ISPs (recording information accessible to police)

• Also need: – secure messages/data transmission– controlled access to resources (authentication and authorisation)

The nature of the Internet has changed significantly from the early years (late '70s), What was a collegiate enterprise is now a battlefield. Trying to make the Internet secure and safe is a complex issue (similar to ensuring safety on roads) and involves mixtures of regulations, policing, surveillance, vigilance.

http://www.cert.org/


enroll Credential and Provisioningidwg Intrusion Detection Exchange Formatinch Extended Incident Handlingipsec IP Security Protocolipseckey IPSEC KEYing information resource recordipsp IP Security Policykink Kerberized Internet Negotiation of Keyskrb-wg Kerberos WGltans Long-Term Archive and Notary Servicesmobike IKEv2 Mobility and Multihomingmsec Multicast Securityopenpgp An Open Specification for Pretty Good Privacypki4ipsec Profiling Use of PKI in IPSECpkix Public-Key Infrastructure (X.509)sacred Securely Available Credentialssasl Simple Authentication and Security Layersecsh Secure Shellsmime S/MIME Mail Securitystime Secure Network Time Protocolsyslog Security Issues in Network Event Loggingtls Transport Layer Security

Working groups of IETF in Security areahttp://www.ietf.org/html.charters/wg-dir.html

http://www.ietf.org/html.charters/wg-dir.html






Different aspects of security

• AuthenticationIdentification of author or participant

• AuthorisationChecking participant is allowed to do ...

• ConfidentialityProtecting information from eavesdropping

• IntegrityAbility to check info has not been altered

• NonrepudiationReceipts


Levels for addressing encryptionin the Internet protocol stack

ApplicationsLayer

TCP/UDPIP

Data LinkPhysical

Transport layer (SSH, SSL/TLS)

Network Access layer (Tunneling protocols)

Internet layer (IPsec,..)

Applications layer (Kerberos,DNSSEC, …)


Example - Authentication for Web

• Unlike e.g. FTP where a user authenticates for a session, HTTP does not have 'sessions'.

• BASIC Authentication for HTTP/1.0: • client requests a password protected page• server response asks for authentication• user gets dialogue box to enter username and

password• passwords sent in clear• browser can retain info for future accesses

(Problems with Replay attacks)

• DIGEST Authentication (HTTP/1.1) 1996• Similar, but uses hash values:


Digest Challenge/Response (HTTP/1.1)

Nonce derived from request - not remembered because server has no state! Response request should generate same nonce as first request.

Server can then do hash on stored password, name and nonce

N.B. Digest version not supported in all browsers, also does not address document sent in the clear! Where security matters, mostly use

BASIC + security/encryption at transport layer (SSL -TLS):

Client ServerHTTP request

nonce - challenge

HTTP request withhash value and name

namepasswordnonceHTTP methodURL

hashed


Better web security

A protocol to address all aspects of security for web transaction has been proposed (SHTTP - not to be confused with HTTPS)

This addressesconfidentiality of requests and responsesauthentication at both endsdata integritynon-repudiation of requests and responsesfreshness (replay avoiding)

BUT what about FTP/Telnet/ other applications?

A better approach - which is in wide use - is to share security protocol across all applications (SSL -TLS):


Secure Sockets Layer / Transport Layer Security(SSL/TLS Protocol)

TCP

IPData LinkPhysical

UDP

HTTPS HTTPSSMTP SMTPapplicationslayer

SSL/TLS

… …

versions of applicationsrunning over SSL/TLS

transportlayer


SSL/TLS(for authentication, authorisation and

privacy)• Applications using protocol

– https– ssmtp– snews– ssl-ldap– spop3

• History– Secure Sockets Layer (early Netscape 1994)

v2 released with Netscape 1.1v3 major changes/improvementsevolving into IETF Standard:

– TLS (Transport Layer Security 1999) = SSL v3.1


Features of SSL/TLS• Uses Digital Certificates and Digital Signatures for

– authentication of server– non repudiation of server– authentication of client (not common)– non repudiation of client

• Uses Encryption for data confidentiality– public key used to exchange session key (secret key)

• Uses MACs for data integrity• Cipher agnostic

– Choice of ciphers agreed between client/server(different ones for privacy/authent/integrity ..)

• Protocol agnostic– designed to run on TCP/IP but can also run on other reliable

connection-oriented protocols.


SSL/TLS variations support• Key exchange (to set up session key usually via public key)

– RSA– Diffie Hellman …

• Certificates– X.509v3– Diffie Hellman

• Encryption Ciphers (for client/server traffic)– RC4 128-bit keys- most common strong cipher– RC4 40-bit keys– TripleDES - 168-bit keys– Blowfish– IDEA - 128-bit keys– Fortezza - 80-bit keys (removed in TLS)– DES - 56-bit keys – RC2 - 40 bit keys

• MACs (integrity of messages) - keyed hash– MD5– SHA-1


Exchange phases

• Handshake– Agree on algorithms to use for

• symmetric cipher,• key exchange,• MACs

– Optionally Exchange certificates and check them(usually only server has certificate)

– Establish and share Master secret

• Exchange data(encrypted and with MACs)

• Server can request new cipher at any time


Example exchanges

Alice Bobcipher choices, nA

nA is a nonce created by Alice

session_id, certificateB, cipher, nB

{S}kB, hash of msgs using key K

S is a secret created by Alice (pre-master secret)kB is Bob's public key (from Bob's certificate) K = f(S, nA, nB) (calculated master secret)

hash of msgs using key K

msgs with MACs and encryptedusing keys derived from K

nB is a nonce created by Bob

data


Session resumption

Alice Bobsession_id, cipher choices, nA

session_id, cipher, nB, keyed hash of msgs

keyed hash of msgs

{data}


Example Application: HTTPS

The HTTPS protocol is a version of HTTP using SSL/TLS layer.

Supported by most browsers, so all details of SSL/TLS are taken care of without user needing to see them.

(User just sees https://….instead of http://…. )

Similarly, to create a secure version of a form where a server supports SSL/TLS,just put https:// … in submit action.

Non-repudiation not addressed by this protocol.


Kerberos

• Protocol for Network Authentication (application level protocol for use with an authentication server)

• Based on Needham-Schroeder protocol and uses secret keys for confidentiality.

• Possible alternative to Firewalls

– What is wrong with firewalls?

– Bad guys on the outside?

– Restricting users as to what they can do


Kerberos (ctd)

1) A sends to S: (nA ,A,B) nA is a nonce created by A

2) S creates session key kAB and 2 encrypted tuples of info ('boxes'): (i) ticket {kAB, A} kBS and (ii) a box with the key {nA, B, kAB } kAS

then sends these to A: {nA, B, kAB } kAS , {kAB, A} kBS

3) A can decrypt first box (only) using password to obtain session key kAB . A then creates an authenticator:

a timestamp encrypted with the session key: {t } kAB

A forwards ticket and authenticator to B : {t } kAB , {kAB, A} kBS

4) When B is also to be authenticated by A: B returns timestamp to A: {t,B} kAB (WHY is B also in the msg?)

5) (A and B Session continues using kAB )

S

A B

1

2

4

3

A is client, B is service to be accessed,S is (Kerberos) authentication server.A has registered a key (kAS) with S (password generated)


Kerberos (ticket granting service variation)http://www.isi.edu/gost/publications/kerberos-neuman-tso.htmlhttp://www.isi.edu/gost/publications/kerberos-neuman-tso.html

TGS

Client Verifier

1

4

6

5

AS

32

1,2 used when client logs in (password used once to decode reply).This authenticates access to TGS with a session key.3,4 used when client wants to authenticate herself to new service (verifier) -no password needed.5 used whenever authentication required to access a service (verifier)6 optional to authenticate verifier to client

AS= authenticating serviceTGS =ticket granting serviceVerifier = service requiring client authentication

If A needs to access many services, it is inconvenient to have user enter password to unlock reply (2) each time. So:

http://www.isi.edu/gost/publications/kerberos-neuman-tso.html



























Kerberos Limitations

• History (incompatible variations)but now being standardised by IETF

• Scaling limitations– AS, TGS can become a bottleneck (requiring

splitting job into 'realms' - means more messages in sequence)

• Vulnerability– AS, TGS have concentrated key info.


IPsec(IETF standard for IP security)

• Layer 3 (Network level) encrypts IP packets therefore universal for Internet

• Optional for IPv4 but compulsory for IPv6• Includes encryption and key management protocols and

uses MACs (MD5 and SHA-1)• Modes to encrypt entire packets (tunnelling mode) or

just payload (transport mode)• Not an answer to some authentication and replay

problems• Potential Conflicts with firewall management


Other Internet Security Protocols• Secure Shell (SSH)

– Problems with ftp, telnet, rlogin– ssh replaces telnet, rlogin. Uses Password OR Public Key (RSA).

Need sshd running on server.• Email

– PGP– S/Mime

• (SET - payment protocol - MasterCard and Visa 1996 - has not taken off)

• Socks (VPNs at Transport level)• SASL (Simple Authentication and Security Layer)

– Generic protocol framework for connection based protocols– Pluggable security modules and negotiation. (E.g. using SSL/TLS

is over the top in presence of Kerberos)– IETF working group

• SAML and WS-Security for web services…….


Firewalls and Proxies1) Packet filtering (basic - Screening router) filters as well as forward/redirect

Intranet(trusted)

INTERNET(untrusted)

Router

Sniff IP packet infoCheck IP source and Destination addresses on packetssome can also look at TCP info and port numbers being used(Earliest form of filtering: stateless = static)

Policy in the form of rules for redirection/rejection


2) Application Level Gateways (Proxies)Streams of packets decoded to look at application info. to make decisions and then relay (therefore slow down of traffic). Various architectures:

Intranet(trusted)

INTERNET(untrusted)

RouterRouter

Router

BastionHost

outer network segmentinner network segment DMZ(demilitarized zone)

Intranet(trusted)

INTERNET(untrusted)

RouterRouterBastionHost

screened subnet firewall:

dual homed firewall:


3) Circuit Level GatewaysMore sophisticated Proxy (e.g. Socks v5 proxy server) handles all sessions between client and server. Authenticates clients before connecting circuit to external server.

Intranet(trusted)

INTERNET(untrusted)Router

SOCKShost

Client

1) client authenticates with SOCKS host by negotiating authentication method 2) client requests connection to application server via SOCKS 3) SOCKS sets up proxy circuit and relays packets between client and application server

Authentication methods are e.g. password or Kerberos v5 GSS-API

Can require apps to be modified so scaling problems


4) Stateful/Dynamic Packet FiltersMore sophisticated packet filters which 'know' about protocols and associated sessions and packet streams. They can keep track of connections initiated by a previous protocol connection because they can analyse the packets to get this information.

Filters according to more flexible rules in addition to basic stateless packet filtering.

Advantages:More scalable - invisible to client applicationsGood performanceCan do Network Address Translation (NAT)Can add in e.g. anti-virus

Disadvantages:New protocols may require updates to software/firmware.

See, for example, CommsDesign article April 2002 'Taking a Stateful Approach to Firewall Design' Rahul Patel and Robert Friendhttp://www.commsdesign.com/design_corner/OEG20020404S0030


Extranets and Virtual Private Networks

Internet (Tunneling)

Intranet (trusted)

RouterFirewall Host VPN server(encrypt packets)

Client

Router

Client

Intranet (trusted)

Firewall HostVPN Server(decrypt packets)

Client

Client

Protocols:

PPTPpoint-to-point(early Microsoft)

L2TPlayer 2 = datalink(Cisco revised from L2F)

IPSec (IETF standard)network layer.several protocols which can be used as encryption protocol with above protocols or as complete VPN protocol


Mobility and Security

• Security in the Context of new assumptions

• Mobile Code• Mobile people/devices• Ad hoc networks (Internet and Phone

system unifying)• Wireless issues


Mobile code and Security

MobileCodeInternet

• Host needs to be sure what mobile code can access/do.

• Mobile code needs to be sure what host is allowed to do to it.

host(server or client)


Mobile code Security approaches• Java Security Model

– Strong Typing for Security– Byte Code and Verification– Permissions and Policies– Security Manager

• Code Signing (e.g. Authenticode)• PCC (Proof carrying code)• Type Systems for Mobile Code

– Purpose of type systems– Functional context– Messages and Communication– Mobility


Mobile People and Devices

Ad hoc networks - assumptions of co-operating nodes no longer valid

Future scenarios of many billions of network enabled devices (1mm3 devices already in production)

Wearable devices and physical access to sites

What are the implications for security?


Wireless and Security

Wireless (=WiFi = 802.11…standards)Has WEP (Wireless Equivalent Privacy) but found to be easily crackable because of weak encryption standards. Work is still on-going to find a good solution (2004). See 802.1x authentication or Wi-Fi Protected Access (WPA).

The failed WAP protocol stack for mobile phones, etc. was slightly different to wired protocol stack (but similar corresponding layers as in OSI model). Used WTLS based on TLS which sat between Network layer and Applications layer. The advent of XHTML and desire for minimising differences to Internet for wired/wireless effectively killed off WAP.


PKI (Public Key Infrastructure)

• Certificates• Certificating Authorities• Trust


Managing Certificates

What is a certificate?

Usually: binding of identity with public key, digitally signed by certificating authority (X.509 v3 certificate standard).

N.B. 'signed' implies need another certificate for CA… implies chain of certificates…root CA self signs certificates

Public Key Infrastructure (PKI)Distrib Certificate Management System (DCMS)

Types of certificate:CA certificatesServer CertificatesPersonal CertificatesSoftware Publisher Certificates


X.509v3 certificates

VersionCertificate serial number

Signature algorithm identifier

IssuerValidity period

Subject

Subject public key information[Issuer unique information][Subject unique information]

[Extensions]CA's digital signature


Next Week

Technological Diffusion• Check out Blackboard for reading

General Reading• A selection of articles will be made

available for you to read• New Reference:

Ferguson N and Schneier (2003) Practical Cryptography J Wiley

ISBN 0-471-22357-3

Documents

Stuart Fitz-Gerald - Internet Security1 Internet Security Technologies Part 2: Network Security Stuart Fitz-Gerald With thanks to Chris Reade