Web security (Spoofing & TLS & DNS)

Ge Zhang

Web surfing

DNS server

Web server

Internetyahoo

IP o

f yah

oo?

IP of yahoo?

1.2.3.41.

2.3.

4

Get index.htm from 1.2.3.4

Response from 1.2.3.4

Web security• Does your request go to the “right” server?

• How do you trust the Internet?

URL spoofing

• Hyperlinks in malicious emails and web pages • www.paypa1.com v.s. www.paypal.com• What web is referred by this link?

http://www.kau.se@0x82EE0716/index.php• Dotless IP address:

– http://130.238.7.22– http://0x82EE0716/– http://www.kau.se@0x82EE0716/– http://www.kau.se@0x82EE0716/index.php

Have you ever noticed these?

X.509 certificate

• Based on public key cryptography and digital signatures

• CA: certification authority

Unsigned certificate

H

Hash algorithm

Hash digest

E

signature

signed certificate

CA’s private key

Sign algorithm

Verification

• Others can use the CA’s public key to verify the signature

Unsigned certificate

H

Hash algorithm

Hash digest

D

signaturesigned certificate

CA’s public key

Compare

Validating a Certificate

• Metaphor (1): – CA: Karlstad university– Certificate owner: the students

(who get their master degree)– Verifier: employers

• Metaphor (2): – CA1: Swedish Ministry of

Education – CA2: Karlstad University

CA

Certificate ownerVerifier

issue

trust

CA 1

issue

CA 3CA 2

issu

e

CA 4

issu

e

Validating a Certificate

• Must recognize accepted CA in certificate chain– One CA may issue certificate for another CA

• Must verify that certificate has not been revoked– CA publishes Certificate Revocation List

(CRL)

• Self-signed certificate?

Man-in-the-middle attacks (by malicious intermediaries)

• Read the content of HTTP traffics– Your password (even hashed?)

• Modify the content of HTTP traffics– Transfer money from your account to the

attacker.

• …

Brief History of SSL/TLS

• SSLv2– Released in 1995 with Netscape 1.1– Key generation algorithm kept secret– Reverse engineered & broken by Wagner & Goldberg

• SSLv3– Fixed and improved, released in 1996– Public design process

• TLS: IETF’s version; the current standard

SSL/TLS Overview

• Establish a session (handshake layer)– Agree on algorithms– Share secrets– Perform authentication

• Transfer application data (record layer)– Ensure confidentiality and integrity

SSL Architecture

• Record Protocol: Message encryption/authentication• Handshake P.: Identity authentication & key exchange• Alert P.: Error notification (cryptographic or otherwise)• Change Cipher P.: Activate the pending crypto suite

IP

TCP

SSL Record Protocol

HTTP,etc.

SSL AlertProtocol

SSL Change CipherSpec. Protocol

SSL HandshakeProtocol

SSL Handshake Protocol

• Two parties: client and server

• Negotiate version of the protocol and the set of cryptographic algorithms to be used– Interoperability between different implementations of

the protocol

• Authenticate client and server (optional)– Use digital certificates to learn each other’s public

keys and verify each other’s identity

• Use public keys to establish a shared secret

Handshake Protocol (1)

• Client_hello: version, random, session id, cipher suite, compression method

• Server_hello: version, random, session id, cipher suite, compression method

Client Server

Client_hello

Server_hello

Handshake Protocol (2)

• Certificate: X.509 certificate chain

• Server_key_exchange: parameters, signature

• Certificate_request: type, authorities

• Server_hello_done: null

Client Server

Client_hello

Server_hello

Certificate

Server_key_exchange

Certificate_request

Server_hello_done

Handshake Protocol (3)

• Certificate: X.509 certificate chain

• Client_key_exchange: parameters, signature

• Certificate_verify: signature

Client Server

Client_hello

Server_hello

Certificate

Server_key_exchange

Certificate_request

Server_hello_done

CertificateClient_key_exchange

Certificate_verify

Handshake Protocol (4)

• Change_cipher_spec: a single message, which consists of a single byte with value 1.

• Finished: hash value

Client Server

Client_hello

Server_hello

Certificate

Server_key_exchange

Certificate_request

Server_hello_done

CertificateClient_key_exchange

Certificate_verify

Change_cipher_specFinished

Change_cipher_spec

Finished

SSL Encryption

• Master secret– Generated by both parties from premaster

secret and random values generated by both client and server

• Key material– Generated from the master secret and

shared random values• Encryption keys

– Extracted from the key material

SSL Record Protocol

Data (optionally compressed)

MAC (0,16, or 20 bytes)

Content type

Major version

Minor version

Length

Alerts and Closure

• Alert the other side of exceptions– Unexpected message– Bad record mac– Handshake failure– Illegal parameter– Bad certificate– …

• 2 levels– Warning– fatal

SSL Overhead

• 2-10 times slower than a TCP session

• Where do we lose time– Handshake phase

• Calculating the key materials

– Data Transfer phase• Symmetric key encryption

TLS/SSL Applications

• HTTP -> HTTPS

• Telnet -> SSH

• FTP -> SFTP

• SIP -> SIPS

• Resources: http://www.openssl.org/related/apps.html

Homework

• Visit a web site with HTTPS

• Use wireshark to capture the traffics

• Read the parsed traffics, especially pay attention on the handshake protocol.

The Domain Name System

• A database implemented by many name servers (NS)– Distributed– Replicated– Hierarchical

.

com. se. edu.

cmu.edu..kau.se

cs.kau.se.

ftp.cs.kau.se.www.cs.kau.se.

Authoritative Servers

• Authoritative DNS servers– An organization’s DNS servers, providing

authoritative information for organization’s servers

– Can be maintained by organization or service provider

DNS Query and Response

local DNS Server

End-user

www.kau.se A?

www.kau.se A 193.10.226.10

Root DNS Server

se DNS Server

kau.se DNS Server

Cache:www.kau.se A 193.10.226.10

www.kau.se A?

www.kau.se A

193.10.226.10

www.kau.se A

193.10.226.10

DNS Vulnerabilities

• No authentication.

– DNS_response.ID == DNS_request.ID ? (16 bit length)

– DNS_response.dport == DNS_request.dport?

• Significance: DNS is widely used in

– Web

– VoIP

– Email

– …

A Simple DNS Attack

local DNS Server

User’s Laptop

www.seb.se A?

www.seb.se A attacker_IP

Root DNS Server

se DNS Server

seb.se DNS Server

Attacker’s Laptop

Easy to observe UDP DNS query sent to well known server on well known port.

www.seb.se A 129.178.89.80

First response wins. Second response is silently dropped on the floor.

A cache poisoning Attack

local DNS Server

User’s Laptop

seb.se DNS ServerAttacker

www.seb.se

A?

ww

w.s

eb.s

e A

at

tack

er_I

P

Wit

h d

iffe

ren

t ID

s

Cached a bad record:www.seb.se A attacker_IP

www.seb.se A?

www.seb.se A attacker_IP

www.seb.se A? with

different IDs

A More Complex Attack

ns.attacker.com

kau Caching Server

Remote attacker

Query www.attacker.com

Response www.attacker.com A 128.9.128.127 attacker.com NS ns.attacker.com attacker.com NS www.seb.se ns.attacker.com A 128.9.128.2 www.seb.se A 128.9.128.127

Any kau Computer

Query www.seb.se

www.seb.se= 128.9.128.127

Question

• Is SSL/TLS useful to counteract these DNS attacks? Why?

• Homewrok:– Read RFC 2535 about DNSSec– http://www.faqs.org/rfcs/rfc2535.html

Key points

• URL spoofing: dotless IP address• X.509 certificate• Certificate chains• SSL/TLS

– Handshake protocol– Alert protocol– Record protocol– Change cipher spec protocol

• The overhead caused by SSL/TLS• DNS architecture• DNS cache poisoning