1 Certificates, SSL, and One time passwords Fall 2010 David Brumley.


1

Certificates, SSL, and One time passwords

Fall 2010, David Brumley

2

Recap

• Recap:
– Intro to network security

• Today:
– X509 Certificates
– SSL/TLS
– IPSec
– Remote authentication

• HW2 is out

3

Figure: Alice’s certificate (Alice || Public key || Expiration Date)

Certificates bind a public key to a user

4

Figure: Alice’s certificate (Alice || Public key || Expiration Date), issued by a Certificate Authority (CA)

5

Figure: Alice’s certificate (Alice || Public key || Expiration Date) with the CA Signature attached

6

Figure: Alice’s certificate (Alice || Public key || Expiration Date) with additional Cert Parameters

7

Alice sends to the Certificate Authority (CA): User ID || public key || …

8

Alice generates and gives to the Certificate Authority (CA): User ID || public key || …

CA computes:
D = H(User ID || public key || …)
Sig = Sign(D, CA private key)
Gives Alice Sig

9

Alice generates and gives to the Certificate Authority (CA): User ID || public key || …

CA computes:
D = H(User ID || public key || …)
Sig = Sign(D, Serial, CA private key)
Gives Alice <Sig, Serial>

Alice’s Certificate: [User ID || public key || …] || CA Name || Serial || Sig || <add. params>

10

X.509 Authentication Service

• universally accepted standard for formatting public-key certificates
– widely used in network security applications, including IPSec, SSL, SET, and S/MIME
• part of CCITT X.500 directory service standards
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended

11

X.509 Certificates

12

Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

• transport layer security service
– originally developed by Netscape
– version 3 designed with public input
• subsequently became Internet standard RFC2246: Transport Layer Security (TLS)
• uses TCP to provide a reliable end-to-end service
• may be provided in underlying protocol suite
• or embedded in specific packages

13

SSL

Alice ↔ Bob.com

1. ClientHello
2. ServerHello
3. ClientKeyExchange

Then: encryption with a symmetric cipher (e.g., AES) using the shared secret

14

Protocol Stack

Figure: SSL/TLS protocol stack. Application protocols (HTTP, Telnet, …) sit on top of the Handshake, ChangeCipher and Alert protocols, which sit on the SSL Record Protocol, which runs over TCP and IP.

15

SSL Record Protocol Services

• message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
• confidentiality
– using symmetric encryption with a shared secret key defined by Handshake Protocol
– AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
– message is compressed before encryption


16

SSL Record Protocol Operation


17

SSL Change Cipher Spec Protocol

• initiates a change of the keying material used for encryption between the client and server
• one of 3 SSL-specific protocols which use the SSL Record protocol
• a single message; initiates handshake protocol


18

SSL Alert Protocol

• conveys SSL-related alerts to peer entity
• severity
» warning or fatal
• specific alert
» fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
» warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data


19

SSL Handshake Protocol

• allows server & client to:
– authenticate each other
– negotiate encryption & MAC algorithms
– negotiate cryptographic keys to be used
• comprises a series of messages in phases:
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish


20

Detailed Handshake Protocol

21

SSL with RSA

1. ClientHello

2. ServerHello: Certificate with (Ns, es)

3. ClientKeyExchange: sends c
Client:
i. Picks random r
ii. f = Format(r)
iii. c = f^e mod N

Server:
i. f’ = c^d mod N
ii. r’ = unformat(f’)

Then BlockCipher(r’, messages). Detect misformatted messages and abort if r’ != r.

Problem: attackers exposing the private key expose all traffic

22

Remote Timing Attacks are Practical

23

SSL with Ephemeral DH

1. ClientHello

2. ServerHello: Certificate with (Ns, es) & DH p, g, c
Server:
i. Picks random a
ii. f = g^a mod p
iii. c = RSASign(f mod Ns)

3. ClientKeyExchange: sends c
Client:
i. Verify Sig
ii. Pick random x
iii. Compute: c = f^x mod p

• Pre-master shared secret: g^ab mod p
• RSA Signature defeats man-in-the-middle
• Fixes RSA problem
• Much, much slower so not used often
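An added, runnable walk-through of the two key-exchange variants on slides 21 and 23 (example code written for this transcript, not from the lecture). The RSA key and DH group are constructed toy values far too small for real use, Format(r) is the identity (real TLS applies PKCS#1 padding), and in the ephemeral variant the client sends g^x and keeps f^x = g^ax as the pre-master secret rather than sending it.

```python
import secrets

# Toy server RSA key: N = 61 * 53, e = 17, d = e^-1 mod phi(N) = 2753.
# Constructed textbook values for illustration only; real keys are 2048+ bits.
N_S, E_S, D_S = 3233, 17, 2753
# Toy Diffie-Hellman group: p = 23 with generator g = 5 (constructed, tiny).
P, G = 23, 5

def rsa_key_transport():
    """Slide 21: client sends r encrypted under the server's RSA public key."""
    r = secrets.randbelow(N_S - 2) + 2        # i.  client picks random r
    f = r                                     # ii. Format(r): identity in this toy (real TLS pads)
    c = pow(f, E_S, N_S)                      # iii. c = f^e mod N, sent in ClientKeyExchange
    f_prime = pow(c, D_S, N_S)                # server: f' = c^d mod N
    r_prime = f_prime                         # server: r' = unformat(f')
    if r_prime != r:                          # detect a misformatted message and abort
        raise ValueError("abort: premaster mismatch")
    return r, r_prime                         # both sides now key BlockCipher(r', messages)

def rsa_sign(m):
    """RSASign(m mod Ns) from slide 23 (textbook, unpadded, toy size)."""
    return pow(m % N_S, D_S, N_S)

def rsa_verify(m, sig):
    return pow(sig, E_S, N_S) == m % N_S

def ephemeral_dh():
    """Slide 23: server signs g^a, client answers with g^x, both derive g^(ax)."""
    a = secrets.randbelow(P - 2) + 1          # server: i.  picks random a
    f = pow(G, a, P)                          #         ii. f = g^a mod p
    sig = rsa_sign(f)                         #         iii. RSASign(f mod Ns) in ServerHello
    if not rsa_verify(f, sig):                # client: i.  verify Sig (defeats man-in-the-middle)
        raise ValueError("abort: bad server signature")
    x = secrets.randbelow(P - 2) + 1          #         ii. pick random x
    c = pow(G, x, P)                          #         iii. ClientKeyExchange carries g^x
    client_secret = pow(f, x, P)              # client: f^x = g^(ax) mod p
    server_secret = pow(c, a, P)              # server: c^a = g^(xa) mod p
    return client_secret, server_secret       # the pre-master secret, never sent on the wire
```

Compromise of D_S later still decrypts every recorded `rsa_key_transport` session, but reveals nothing about past `ephemeral_dh` secrets, which is the "fixes RSA problem" point on the slide.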

24

Certificate Revocation

Alice ↔ Bob.com

1. ClientHello
2. ServerHello (send cert., e.g., pub key e)

Is Bob.com’s key still legit?

25

Certificate Revocation

Alice ↔ Bob.com

1. ClientHello
2. ServerHello (send cert., e.g., pub key e)

Alice ↔ Verification Authority (VA): Verification Protocol

26

Certificate Verification Protocols

• Expiration Date

• OCSP – Online Cert Status Protocol

• Certificate Revocation Lists (CRL) and Certificate Revocation Trees (CRT)

27

Online Cert Status Protocol

Alice ↔ Verification Authority (VA)

1. Request(Bob’s Cert)
2. Check DB
3. Response(Sign(Bob’s Cert {OK,BAD}, VA Signing Key))

• Implemented in IE7 (Vista+), Firefox, Safari, Opera, Chrome (Vista+)
• What do we do when the VA key is bad?


29

CRT’s: Efficient Variant of OCSP [kocher98]

Secure and Trustworthy Verification Authority (VA):
1. Create CRT
2. Distribute CRT to Insecure VA1 Replica, Insecure VA2 Replica, Insecure VA3 Replica

Alice:
3. Query replica

30

Certificate Revocation Tree Generation

Figure: revoked certs C1, C2, C3, C4, …, Ci-1, Ci (revoked cert Cj sorted by serial) are hashed pairwise with h into H1, H2, H3, then H4, H5, H6, and so on up to Hroot

Verification Authority (VA): VASig = Sign(Hroot, VA signing key)

31

Figure: Secure and Trustworthy Verification Authority (VA) distributes the CRT to Insecure VA1 Replica, Insecure VA2 Replica, Insecure VA3 Replica

32

Alice ↔ Insecure VA2 Replica

1. Is Bob’s Cert C2 revoked?
2. [C1, H2, H6, VASig]

(The replica holds a copy of the CRT: C1 … Ci sorted by serial, hashes H1 … H6, Hroot, VASig)

3. Alice validates C2 on list:
a. H’root = H(H(C1, C2), H2, …, H6)
b. H’root =?= Hroot
c. VA Sig valid?

Size of Proof: O(log i)
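The CRT generation on slide 30 and the replica query/validation on slide 32, as an added worked example (written for this transcript, not the lecture's own code). The VA signature is a constructed toy textbook RSA key, serials are constructed integers, and the tree assumes at least two revoked serials.

```python
import hashlib

# Toy RSA key for the VA's signature: N = 61 * 53, e = 17, d = 2753.
# Constructed textbook values for illustration; far too small for real use.
N_VA, E_VA, D_VA = 3233, 17, 2753

def h(*parts):
    """H(a, b) on the slide: hash of the concatenated serials or child hashes."""
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"|".join(enc)).digest()

def build_crt(revoked):
    """Slide 30: sort revoked serials, leaf i = h(C_i, C_i+1), hash pairs up to Hroot."""
    c = sorted(revoked)
    levels = [[h(c[i], c[i + 1]) for i in range(len(c) - 1)]]
    while len(levels[-1]) > 1:
        lvl = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])  # pad odd levels
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    root = levels[-1][0]
    va_sig = pow(int.from_bytes(root, "big") % N_VA, D_VA, N_VA)   # VASig = Sign(Hroot)
    return c, levels, root, va_sig

def prove_revoked(serial, c, levels):
    """Slide 32 reply [C1, H2, H6]: the leaf's serial pair plus one sibling hash per level."""
    i = max(c.index(serial) - 1, 0)            # leaf (C_i, C_i+1) that contains the serial
    pair, siblings = (c[i], c[i + 1]), []
    for lvl in levels[:-1]:
        sib = lvl[i ^ 1] if (i ^ 1) < len(lvl) else lvl[i]   # padded level: sibling is a copy
        siblings.append((sib, i & 1))          # 1 means our node is the right child
        i //= 2
    return pair, siblings

def verify_proof(serial, proof, root, va_sig):
    """Slide 32 step 3: recompute H'root from the proof, compare with Hroot, check VASig."""
    pair, siblings = proof
    if serial not in pair:                     # the leaf must actually name this serial
        return False
    node = h(*pair)                            # H(C1, C2)
    for sib, is_right in siblings:             # fold in H2, ..., H6
        node = h(sib, node) if is_right else h(node, sib)
    sig_ok = pow(va_sig, E_VA, N_VA) == int.from_bytes(root, "big") % N_VA
    return node == root and sig_ok             # O(log i) hashes; the replica is never trusted
```

A tampering replica can only cause a proof to fail, never to forge one, because every accepted proof is anchored in the VA's signature over Hroot.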

33

IPSec

34

IP Security

• various application security mechanisms
– e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• security concerns cross protocol layers
• hence would like security implemented by the network for all applications

35

IPSec

• general IP Security mechanisms
• provides
– authentication
– privacy
– key management
• applicable to use over LANs, across public & private WANs, & for the Internet

36

IPSec Uses

37

Benefits of IPSec

• in a firewall/router provides strong security to all traffic crossing the perimeter
• in a firewall/router is resistant to bypass
• the application can request the operating system to set up a security association before starting a TCP connection or a UDP exchange
• can be transparent to end users
• can provide security for individual users
• secures routing architecture

38

IP Security Architecture

• mandatory in IPv6, optional in IPv4
• has two security header extensions:
– Authentication Header (AH) (authentication only)
– Encapsulating Security Payload (ESP) (auth/encryption)
• VPNs want both authentication/encryption
– hence usually use ESP
• specification is quite complex
– numerous RFC’s: 2401/2402/2406/2408

39

Authentication Header (AH)

• provides support for data integrity & authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key

40

Authentication Header

41

Encapsulating Security Payload (ESP)

42

Key Management

• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on-demand creation of keys for SA’s in large systems
– has Oakley & ISAKMP elements

43

Remote Authentication

44

Authentication Mechanisms in Practice: Passwords

– Used to authenticate people
– Low entropy
– Replay attacks possible
– Secrets stored on server
– Aside: “Extra questions” for password recovery are insecure

Security Properties?

45

Authentication Mechanisms in Practice: Biometrics

– No remote login
– No revocation
– Best used for 2-factor authentication (to increase password entropy)

Security Properties?

46

Lamport Hashes (One-Time Passwords)

1. Setup: Alice picks p and computes w = h(h(h(h…(h(p))))) (n times)
– Denote n hashes by h^n(p)
– Puts w on server, stores p and n

2. Alice authenticates:
– n = n - 1
– x = h^n(p)
– Send x
– Server verifies h(x) = w
– Server stores x if correct
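The Lamport scheme above as an added, runnable client/server pair (example code written for this transcript, not from the lecture). It uses SHA-256 as h and a constructed secret p; the server stores only w = h^n(p), and the test after it checks that a replayed x is rejected and that the chain runs out after n logins.

```python
import hashlib

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def h_n(p: bytes, n: int) -> bytes:
    """h^n(p): n nested applications of h (w on the slide is h^n(p))."""
    for _ in range(n):
        p = h(p)
    return p

class LamportClient:
    def __init__(self, p: bytes, n: int):
        self.p, self.n = p, n                  # Alice stores p and n

    def setup(self) -> bytes:
        return h_n(self.p, self.n)             # w, handed to the server once at setup

    def next_password(self) -> bytes:
        if self.n == 0:                        # limited number of authentications
            raise RuntimeError("chain exhausted: run setup again with a fresh p")
        self.n -= 1                            # n = n - 1
        return h_n(self.p, self.n)             # x = h^n(p), sent to the server

class LamportServer:
    def __init__(self, w: bytes):
        self.w = w                             # only h^n(p) is stored: no secret on the server

    def verify(self, x: bytes) -> bool:
        if h(x) != self.w:                     # server verifies h(x) = w
            return False
        self.w = x                             # store x if correct; a replayed x now fails
        return True
```

Nothing here stops an active attacker who relays x from Alice to the server in the same session, which is why the next slide lists man-in-the-middle as the remaining weakness.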

47

Security properties of One-Time Passwords

1. Protects against replay/eavesdropping

2. No secrets on server

3. Limited # of authentications

4. Insecure against man-in-the-middle

48

Secure Tokens

k0 = initial shared secret; k = H(k) every t seconds

49

Secure Tokens

k0 = initial shared secret; k = H(k) every t seconds

Security Properties?
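One way to realise the time-stepped token above, added as an example for this transcript (not the lecture's code): the device and the server both start from k0 and step k = H(k) once per t-second interval, so the server holds a secret (unlike Lamport), tolerates one step of clock drift, and refuses a code from any step it has already accepted. SHA-256, the clock values and k0 are constructed assumptions.

```python
import hashlib

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

class Token:
    """The device: k0 shared at enrolment, then k = H(k) once every t seconds."""
    def __init__(self, k0: bytes, t: int, t0: int):
        self.k0, self.t, self.t0 = k0, t, t0    # t0: enrolment time (constructed clock values)

    def step(self, now: int) -> int:
        return (now - self.t0) // self.t        # how many t-second intervals have elapsed

    def key_at(self, step: int) -> bytes:
        k = self.k0
        for _ in range(step):                   # k = H(k) applied once per elapsed interval
            k = h(k)
        return k

    def display(self, now: int) -> str:
        return self.key_at(self.step(now)).hex()  # a real token would show a truncation of this

class TokenServer:
    """Holds the same k0 (so a secret does live on the server) and re-derives k from time."""
    def __init__(self, k0: bytes, t: int, t0: int, drift_steps: int = 1):
        self.token, self.drift, self.last_step = Token(k0, t, t0), drift_steps, -1

    def verify(self, code: str, now: int) -> bool:
        centre = self.token.step(now)
        for s in range(centre - self.drift, centre + self.drift + 1):  # tolerate clock drift
            if s <= self.last_step:             # this step (or an older one) was already used
                continue
            if s >= 0 and self.token.key_at(s).hex() == code:
                self.last_step = s              # never accept this step again: blocks replay
                return True
        return False
```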

50

That is all for today