Skip section 32.1 (IPSec and Virtual Private Network-VPN) – They require information on IP that I’ve not yet covered.
Possible paper topic
Will cover after TCP/IP, if time, but probably won’t have it.
X.509 certificate (end of chapter 31)
Identifies a server site and verifies it is who it says it is.
It’s like an ID card stored electronically.
Used for Internet transactions as part of a security protocol
Issued by a trusted Certification Authority (CA)
Examples: thawte, verisign, entrust, godaddy.
EV (Extended validation) certificates
http://en.wikipedia.org/wiki/Extended_Validation_Certificate
I will not distinguish X.509 and EV but could be a paper topic that gets into more detail than I will
CA’s responsibilities
Verify the entity is who they say they are.
This is an investigative procedure into the entity requesting the certificate.
Create a certificate (and issue to the entity) to contain the following information:
Certificate Contains:
  Owner's public key (and algorithm)
  Owner's name
  Expiration date of the public key
  Name of the issuer (the CA that issued the Digital Certificate)
  Serial number of the Digital Certificate
  Certificate thumbprint calculated with the CA’s private key. This establishes the authenticity of the certificate and guarantees the certificate cannot be tampered with
  Version #
  more
SSL/TLS – 32.2
TCP establishes a connection between two sites.
SSL-Secure Sockets Layer
  End-to-end security protocols
  Authenticate server and client to each other
  Message integrity
  Originally designed by Netscape
  Used by virtually every Internet commerce site
TLS-Transport Layer Security
  TLS is the IETF version of SSL
  Openssl. For those of you with Linux accounts – man openssl or man x509.
  Won’t distinguish here but plenty of room for a paper topic.
Figure 32.14 Location of SSL and TLS in the Internet model
Possible sequence of steps for SSL is:
Client sends info to server
  SSL or TLS version #
  list of compression/encryption techniques
  key exchange algorithms supported
  session ID
  random data
Server sends info to client
  what it supports and wants to use
  random data
  certificate
Both sides now know what the other can do.
Authenticate the server
Client verifies certificate it received from the server
  Check certificate expiration date
  Check certificate authority (is it in a list of trusted CAs maintained by the client)
  use CA’s public key and apply it to the digital signature (fingerprint, thumbprint) to get the digest value and authenticate – is this a valid certificate?
  compare domain name in certificate w/ domain name of server (to prevent man-in-the-middle attack)
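The four client-side checks above, as an added example that is not part of the original slides. The certificate is a plain dictionary, the CA key is a toy textbook-RSA key, and the names (Example Root CA, www.example.com, login.example.net) are constructed for illustration.

```python
import hashlib
from datetime import date

# Toy CA key pair: textbook RSA over two known Mersenne primes. Illustration only;
# real CAs use 2048-bit or larger keys with padded signatures.
P, Q, CA_E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))          # CA private exponent

TRUSTED_CAS = {"Example Root CA": (CA_N, CA_E)}  # client's trust store (constructed)

def digest(cert):
    """Hash the certificate fields the signature covers, as an integer below CA_N."""
    body = "|".join(str(cert[k]) for k in ("subject", "issuer", "not_after", "public_key"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % CA_N

def ca_sign(cert):
    """CA side: transform the digest with the CA private key and attach it."""
    return dict(cert, signature=pow(digest(cert), CA_D, CA_N))

def verify(cert, hostname, today):
    """Client side: return 'ok' or the first failed check, in the order listed above."""
    if today > cert["not_after"]:
        return "expired"
    if cert["issuer"] not in TRUSTED_CAS:
        return "untrusted issuer"
    n, e = TRUSTED_CAS[cert["issuer"]]
    if pow(cert["signature"], e, n) != digest(cert):   # recover digest with CA public key
        return "bad signature"
    if cert["subject"].lower() != hostname.lower():
        return "name mismatch"
    return "ok"

# Constructed sample certificate for a hypothetical server.
GOOD = ca_sign({"subject": "www.example.com", "issuer": "Example Root CA",
                "not_after": date(2030, 1, 1), "public_key": "server-key-placeholder"})
# Tampered copy: subject changed after signing, signature left as it was.
FORGED = dict(GOOD, subject="login.example.net")

if __name__ == "__main__":
    now = date(2025, 6, 1)
    print(verify(GOOD, "www.example.com", now))
    print(verify(FORGED, "login.example.net", now))
    print(verify(GOOD, "login.example.net", now))
```

The tampered copy fails at the signature step even though its subject matches the host name being visited, which is why the name comparison alone is not enough.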
Client creates pre-master secret key and encrypts using server’s public key (obtained from the certificate); sends to server.
Server gets it and decrypts using its private key.
Server may authenticate client.
Client and server feed random data from both sides and premaster secret into a hash algorithm to generate a session key.
Exchange information securely
Figure 32.15 Creation of cryptographic secrets in SSL
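How the random data from both sides and the pre-master secret become session keys, as an added example that is not part of the original slides. It uses the TLS 1.2 construction from RFC 5246 (HMAC-SHA256 based; SSL 3.0 uses a different hash construction), and the handshake values and key sizes are constructed assumptions.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5: chain HMAC-SHA256 until `length` bytes exist."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret from the pre-master secret and both hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def session_keys(master, client_random, server_random):
    """Expand the master secret into per-direction MAC and encryption keys.
    Sizes assume an AES-128-CBC / HMAC-SHA256 suite (32-byte MAC key, 16-byte key)."""
    block = prf(master, b"key expansion", server_random + client_random, 96)
    names = ("client_mac", "server_mac", "client_key", "server_key")
    keys, pos = {}, 0
    for name, size in zip(names, (32, 32, 16, 16)):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def handshake_keys(pre_master, client_random, server_random):
    """What each side computes once it holds all three inputs."""
    master = master_secret(pre_master, client_random, server_random)
    return session_keys(master, client_random, server_random)

# Constructed handshake values (fixed so the run is repeatable; real ones are random).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))   # 2 version bytes + 46 more bytes

if __name__ == "__main__":
    client_view = handshake_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_view = handshake_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("both sides agree:", client_view == server_view)
    print("client write key:", client_view["client_key"].hex())
```

Because both randoms feed the derivation, a recorded pre-master secret replayed into a new connection yields different keys.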
Some other references
[http://support.microsoft.com/kb/257591]
[http://msdn2.microsoft.com/en-us/library/aa380513.aspx]
[http://www.cisco.com/en/US/tech/tk583/tk618/tsd_technology_support_protocol_home.html]
You can see certificates
connect to an https site (e.g. www.bankmutual.com and select customer login)
Note the lock icon at the top next to the URL.
click on the icon and select view certificates and select various tabs and options.
DO NOT ASSUME sites are secure
Look for the lock icon or https as opposed to http in the URL.
To see trusted CAs:
  Tools > Internet Options and select Content tab
  Select Certificates button followed by one of the tabs.
  Select a CA and click the View button.
  Explore various tabs.
Book has a little more on SSL and TLS and could be used as part of a paper topic.
What if the certificate does not check out?
PGP (Pretty Good Privacy)
In the early 1990s, encryption algorithms were in the same category as weapons and were declared munitions – making them subject to strict export laws.
PGP was developed by Philip Zimmermann
Putting it on the Internet was akin to exporting it, according to the State Dept.
Subject of a 3-year criminal investigation
Since then, export laws governing encryption have been relaxed.
Another reference at www.pgpi.org (trial versions used to be available but are hard to find now, at least for more recent OS’s)
Figure 32.19 Position of PGP in the TCP/IP protocol suite
Table 32.4 PGP Algorithms
Example use of PGP (run on an older environment)
When the message is open the receiver sees:
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1
this is a test message
---BEGIN PGP SIGNATURE---
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBPVHAkz012x9/xPKqEQL7UQCg65yJ8I4c5o7s37iMvLcqqRtokhAAn3E2EzQd3vhFE41QGj3O8zvDSawR
=knKs
---END PGP SIGNATURE---
With the message open the user can select decrypt/verify from the PGP dropdown menu
*** PGP Signature Status: good
*** Signer: William Shay ,[email protected].
*** Signed: 8/7/02 7:51:31 PM
*** Verified: 8/7/02 8:50:46 PM
*** BEGIN PGP VERIFIED MESSAGE ***
this is a test message
*** END PGP VERIFIED MESSAGE ***
Textbook covers a bit more and gets into key rings and such. I will skip that but this is a possible paper topic.
Firewalls – 32.4
Allows or disallows data to pass through. How does it decide?
Packet filtering
IP packet format
May accept or reject a packet based on its IP address and/or port number
For example, the client/server project works, in theory, if one machine is on campus and the other is off.
It is, however, subject to firewall rules.
Examples
Disallow incoming packets with port # 23 (disables telnet).
Disallow outgoing packets with specified destination addresses. Could be used to restrict employees from accessing certain external sites (competitors or game playing sites) during work hours.
Example: Some businesses disallow employees to access youtube, facebook, or similar sites.
Disallow outgoing with specified source addresses (to prevent address spoofing – a form of attack discussed later)
Initial firewall setup.
Can allow all by default then specify which to reject
  Runs the risk of missing something that should be rejected
Can reject all by default and then specify which to allow
  Runs the risk of people getting PO’d if you miss an application that should pass
Possible policies: firewall setting (from Kurose & Ross)
No outside web access: Drop all outgoing packets to an IP address, port 80 (HTTP).
No incoming TCP connections, except those for organization's public Web server (130.207.244.203): Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
Prevent web-radios from eating up the available bandwidth: Drop all incoming UDP packets – except DNS packets.
Prevent network from being used for a smurf DoS attack: drop all ICMP ping packets going to a broadcast address.
Prevent your network from being tracerouted: drop all outgoing ICMP TTL expired traffic.
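A first-match packet filter built from three of the policies above and run under both default settings, as an added example that is not part of the original slides. The packet dictionaries, the 10.0.0.x and 198.51.100.x addresses, and the reading of "DNS packets" as source port 53 are constructed assumptions.

```python
WEB_SERVER = "130.207.244.203"   # organization's public web server, from the policy list

# First matching rule wins. Each rule is (action, header fields the packet must match).
RULES = [
    ("allow", {"dir": "in", "proto": "tcp", "syn": True, "dst": WEB_SERVER, "dport": 80}),
    ("drop",  {"dir": "in", "proto": "tcp", "syn": True}),    # no other incoming connections
    ("allow", {"dir": "in", "proto": "udp", "sport": 53}),    # DNS replies (assumed: sport 53)
    ("drop",  {"dir": "in", "proto": "udp"}),                 # all other incoming UDP
    ("drop",  {"dir": "out", "proto": "tcp", "dport": 80}),   # no outside web access
]

def decide(packet, default, rules=RULES):
    """Return 'allow' or 'drop' using layer 3/4 header fields only."""
    for action, match in rules:
        if all(packet.get(field) == value for field, value in match.items()):
            return action
    return default               # nothing matched: the default policy decides

def both_defaults(packet):
    """Decision under allow-by-default and under reject-by-default."""
    return decide(packet, "allow"), decide(packet, "drop")

# Constructed packets; only WEB_SERVER comes from the page.
SYN_TO_WEB = {"dir": "in", "proto": "tcp", "syn": True, "dst": WEB_SERVER, "dport": 80}
SYN_TO_TELNET = {"dir": "in", "proto": "tcp", "syn": True, "dst": "10.0.0.5", "dport": 23}
DNS_REPLY = {"dir": "in", "proto": "udp", "sport": 53, "dst": "10.0.0.5", "dport": 40000}
RADIO_UDP = {"dir": "in", "proto": "udp", "sport": 5004, "dst": "10.0.0.5", "dport": 5004}
# Not covered by any rule above: the smurf policy was left out of RULES on purpose.
PING_TO_BROADCAST = {"dir": "in", "proto": "icmp", "type": "echo-request", "dst": "10.0.0.255"}
# Reply on a connection an inside user opened to an outside SSH server.
SSH_REPLY = {"dir": "in", "proto": "tcp", "syn": False, "sport": 22, "dst": "10.0.0.5", "dport": 50000}

if __name__ == "__main__":
    for name in ("SYN_TO_WEB", "SYN_TO_TELNET", "DNS_REPLY", "RADIO_UDP",
                 "PING_TO_BROADCAST", "SSH_REPLY"):
        print(f"{name:18} allow-default={both_defaults(globals()[name])[0]:5} "
              f"reject-default={both_defaults(globals()[name])[1]}")
```

The last two packets show both risks from the setup slide: allow-by-default passes the broadcast ping nobody wrote a rule for, and reject-by-default drops the reply traffic of an application nobody remembered to permit.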
Application level gateway (proxy server)
Packet filtering uses layer 3/4 information
Book example: Only those Internet users who have previously established business relations with the company can have access to certain web pages.
Packet filtering won’t work
  Cannot distinguish the above cases
Runs a program for each type of application
Intercepts all requests at a high layer and forwards (or rejects) them as needed.
More overhead than packet filtering (firewall must run duplicate apps)
Increased flexibility based on intent of applications
Stateful inspection (not in text)
Packets examined based on contents AND context (i.e. what has happened previously).
Admin defines a rule base that determines course of action.
Example: a ping packet sends an echo-request packet
  Example: type ping url in a dos window – or in Linux
  Could reject an echo-response packet if there was no previous echo-request packet in the other direction.
Deny an incoming acknowledgment to a request that never happened.
Client established a ftp connection and server attempts to initiate a file transfer before the client has requested it. Denied.
Maybe client tries to sneak a packet with a different port # through the existing connection. Denied.
Refs:
[http://en.wikipedia.org/wiki/Stateful_firewall]
[http://www.webopedia.com/TERM/S/stateful_inspection.html]
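The context check described above (an inbound packet passes only if it answers something an inside host sent), as an added example that is not part of the original slides. The StatefulFilter class, the packet dictionaries and the addresses are constructed for illustration.

```python
class StatefulFilter:
    """Inbound packets pass only if they answer something an inside host sent."""

    def __init__(self):
        self.echo_requests = set()   # (inside ip, outside ip, icmp id, seq) awaiting a reply
        self.tcp_flows = set()       # (inside ip, inside port, outside ip, outside port)

    def outbound(self, p):
        """Record the context an outgoing packet creates, then let it through."""
        if p["proto"] == "icmp" and p["type"] == "echo-request":
            self.echo_requests.add((p["src"], p["dst"], p["id"], p["seq"]))
        elif p["proto"] == "tcp" and p.get("syn"):
            self.tcp_flows.add((p["src"], p["sport"], p["dst"], p["dport"]))
        return "allow"

    def inbound(self, p):
        if p["proto"] == "icmp" and p["type"] == "echo-reply":
            key = (p["dst"], p["src"], p["id"], p["seq"])
            if key in self.echo_requests:
                self.echo_requests.remove(key)   # one reply per request
                return "allow"
        elif p["proto"] == "tcp":
            if (p["dst"], p["dport"], p["src"], p["sport"]) in self.tcp_flows:
                return "allow"
        return "deny"                            # no matching context

INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.9"     # constructed addresses

def icmp(kind, src, dst):
    return {"proto": "icmp", "type": kind, "src": src, "dst": dst, "id": 7, "seq": 1}

def tcp(src, sport, dst, dport, syn=False):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}

def run_scenario():
    fw = StatefulFilter()
    return [
        fw.inbound(icmp("echo-reply", OUTSIDE, INSIDE)),         # reply with no request
        fw.outbound(icmp("echo-request", INSIDE, OUTSIDE)),
        fw.inbound(icmp("echo-reply", OUTSIDE, INSIDE)),         # now expected
        fw.inbound(icmp("echo-reply", OUTSIDE, INSIDE)),         # second reply, already used
        fw.outbound(tcp(INSIDE, 50000, OUTSIDE, 21, syn=True)),  # client opens ftp control
        fw.inbound(tcp(OUTSIDE, 21, INSIDE, 50000)),             # part of the client's flow
        fw.inbound(tcp(OUTSIDE, 20, INSIDE, 50001)),             # different ports: no such flow
    ]

if __name__ == "__main__":
    print(run_scenario())
```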
Can purchase different levels of firewall protection.
Can install on your machine.
Can specify which apps can access the Internet or which sources from the Internet can access your computer.
Administrator defines a rule base defining actions.
Firewalls can also restrict # packets per second (prevent students from setting up game servers on campus)
Attacks (not in text) – I will provide an overview only – a possible paper topic
Smurf (DoS) attack:
  send a ping packet but falsify the source and use a broadcast address for the destination.
  All nodes in the broadcast group reply to the “source”, inundating it with traffic.
  Presumably the attacker creates an infinite loop sending such packets.
  [http://www.cert.org/advisories/CA-1998-01.html]
  [http://en.wikipedia.org/wiki/Denial-of-service_attack]
SYN flood
  send connection requests (with a false source) to a site.
  Site waits for a confirmation and times out if it does not arrive.
  If requests are sent faster than timeouts occur, problems occur.
  [http://www.cert.org/advisories/CA-1996-21.html]
Slowloris attack
  Utilizes legitimate HTTP traffic
  Sends partial http requests
  Sends additional information periodically to keep socket connections open
  Ties up connections making them unavailable to legitimate use
  Like SYN flood but over http
  http://www.funtoo.org/en/security/slowloris/ and http://en.wikipedia.org/wiki/Slowloris
There are bad things out there
Malware – a generic term covering a wide variety of bad things.
Virus – program attached to another that does unintended things
  May be destructive
  May not be (technically)
  All are disruptive and cause loss of work or trust
Worm: a program that can invade a computer but is NOT attached to another program.
  Might be running something that’s prone to accepting a worm from the internet and running it.
  Might access your outlook contacts and send a copy of itself to everyone there.
  Blaster worm: allows others to control your computer.
Trojan Horse: hidden part of other useful program
  Typically doesn’t replicate like worms and viruses
Summary
Packet sniffer: records copies of packets that it sees
  A good reason to secure wireless connections
Spyware: watch what you do and perhaps report it to someone else.
  You may be completely unaware
Botnet: collection of computers working together for a purpose
Clipper Chip (of historical interest):
[http://en.wikipedia.org/wiki/Clipper_chip]
[http://www.epic.org/crypto/clipper/]
For wiretapping (provided by a court order), each clipper chip has encryption algorithm in a chip inserted into a phone.
Press button & security devices exchange encryption keys.
Designed by engineers at NSA w/ no input from private industry in response to private sectors developing their own to combat business and industrial espionage.
K = 80-bit session key to encrypt – needed for wiretap
F = 80-bit family key (all chips in a group have the same one)
N = 30-bit serial # (unique to a chip)
S = 80-bit secret key – unique to each chip, used by law enforcement
V = voice message – E_K(V) is the transmitted voice message
Clipper chip also generates E_F(E_S(K)+N) (+ is concatenate here)
Suppose a wiretap is approved:
  Apply D_F to above to get E_S(K)+N. Easy since F is not secret
  S IS secret so cannot apply D_S easily. Need to use N to get S but first need to know how S is formed and stored.
Two parties – each generates one 80-bit string. Call them S1 and S2.
Calculate S= S1 S2
Each of S1 and S2 is maintained by a separate key escrow agency along with chip serial number. Who the agencies are and who they report to is an issue.
Officials get N and, with a court order, get S1 and S2 from each agency.
Apply D_S to get K and then apply D_K to get V