cs 5950/6030 network security class 31 (f, 11/11/05) leszek lilien department of computer science...

CS 5950/6030 Network SecurityClass 31 (F, 11/11/05)

Leszek LilienDepartment of Computer Science

Western Michigan University

Based on Security in Computing. Third Edition by Pfleeger and Pfleeger.Using some slides (as indicated) courtesy of:Prof. Aaron Striegel — at U. of Notre Dame

Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. WashingtonProf. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The

Netherlands

Slides not created by the above authors are © by Leszek T. Lilien, 2005Requests to use original slides for non-profit purposes will be gladly granted upon a written

request.

2

7. Security in Networks...

7.2. Threats in Networks...

7.3. Networks Security Controlsa) Introduction b) Security threat analysisc) Impact of network architecture/design and implementation

on security—PART 1

c) Impact of network architecture/design and implementationon security—PART 2

d) Encryptioni. Link encryption vs. end-to-end (e2e) encryptionii. Virtual private network (VPN)iii. PKI and certificates—PART 1

Class 30

© by Leszek T. Lilien, 2005

3

c. Impact of network architecture/ design & implement. on security (1)

Security principles for good analysis, design, implementation, and maintenance (as discussed in sections on Pgm Security and OS Security) apply to networks

Architecture can improve security by:1) Segmentation2) Redundancy

3) Single points of failure4) Other means


4

d. Encryption Arguably most important/versatile tool for network

security

We have seen that it can be used for: Confidentiality/Privacy Authentication Integrity Limiting data access

Kinds of encryption in networks:i. Link encryption vs. end-to-end (e2e) encryptionii. Virtual private network (VPN)

iii. PKI and certificatesiv. SSH protocolv. SSL protocol (a.k.a. TLS protocol)vi. IPsec protocol suitevii. Signed codeviii. Encrypted e-mail


5

(i) Link vs. end-to-end encryption (1)1) Link encryption = between 2 hosts

Data encrypted just before they are placed on physical communication links

At OSI Layer 1 (or, perhaps, Layer 2)

Fig. 7-21, p. 431 Properties of link encryption (cf. Fig. 7-21)

Msgs/pkts unprotected inside S’s/R’s host I.e., unprotected at OSI layers 2-7 of S’s/R’s host

(in plaintext) Packets protected in transit between all hosts Pkts unprotected inside intermediate hosts

I.e., unprotected at OSI layers 2-3 of interm. hosts=> unprotected at data link and network layers at intermediate hosts (if link encryption at Layer 1) Layers 2-3 provide addressing and routing


6

(ii) Virtual private network (VPN) (1) Virtual private network (VPN) = connection over public

network giving its user impression of being on private network

It could be viewed as „logical link” encryptionCould be viewed as e2e encr. between client & server

Protecting remote user’s connection with her network Greatest risk for remote connection via public network:

Between user’s workstation (client) and perimeter of „home” network (with server)

Firewall protects network against external traffic (more later)

Physically Protected Network Perimeter

Firewall Internal

Server

User’sWorkstatio

n(Client)


7

(iii) PKI and certificates (1) Public key infrastructure (PKI) = enables use of

public key cryptography (asymmetric cryptography) Usually in large & distributed environment

Elements of PKI:1) Policies (higher level than procedures)

Define rules of operation E.g., how to handle keys and sensitive info E.g., how to match control level to risk level

2) Procedures (lower level than policies) Dictate how keys should be generated,

managed, used

3) Products Implement policies and procedures

Generate, store, manage keys


8

PKI and certificates (2) PKI services:

1) PKI creates certificates Certificate binds entity’s identity to entity’s public key

Entity = user or system or applicationor ...

2) PKI gives out certificates from its database3) PKI signs certificates

Adding its credibility to certificate’s authenticity4) PKI confirms/denies validity of a certificate

When queried about it5) PKI invalidates certificates

For entities that are no longer certified by PKIOR For entities whose private key has been

exposed


9

Class 30 Ended Here


10

7. Security in Networks...

7.2. Threats in Networks...

7.3. Networks Security Controls...

c) Impact of network archit./design and implem. on security—PART 2

d) Encryptioni. Link encryption vs. end-to-end (e2e) encryptionii. Virtual private network (VPN)iii. PKI and certificates—PART 1iii. PKI and certificates—PART 2iv. SSH protocolv. SSL protocol (a.k.a. TLS protocol)vi. IPsec protocol suite—PART 1

Class 30


Class 31

11

PKI and certificates (3) PKI sets up:

1) Certificate authorities (CAs)2) Registration authority

1) Certificate authority (CA) CA can be in-house or external (commercial TTP

= trusted third party) CA is trusted

Entities delegate to CA creation, issuance, acceptance, and revocation of their certificates

CA actions: Managing public key certificates (whole life cycle) Issuing certificates by binding entity’s identity

to its public key Binding is done via CA’s digital signature

Determining expiration dates for certificates Revoking certificates when necessary

By publishing revocation lists© by Leszek T. Lilien, 2005

12

PKI and certificates (4) Example of CA analog: credit card company (CCC)

Certificate analog: credit card (binds identity to account)

Revocation list analog: lists of invalid credit cards CCC is trusted

Customers delegate to CCC creation, issuance, acceptance, and revocation of their credit cards

CCC actions: Managing credit cards (whole life cycle) Issuing credit cards by binding customer’s

identity to customer’s account Binding is done via CCC’s protected databases

Determining expiration dates for credit cards Revoking credit cards when necessary

By checking list of invalid credit cards (before computer-verification transaction era, CCC published booklets of invalidated credit cards)


13

PKI and certificates (5)

2) Registration authority (RA) = interface between user and CA

Duties: Capture and authenticate user’s identity Submit certificate requests to appropriate CA

Analog: U.S. Citizen applying for passport and U.S. Postal Service (USPS)

Passport (official U.S. authentication) <-> certificate

USPS authenticates citizen By verifies citizen’s driver license + other proofs of identity

USPS submits passport request forms to appropriate passport office of the U.S. Gov’t Passport office <-> CA

USPS brings passport to customer’s home Note: Trustworthiness of USPS authentication

determines level of trust that can be placed in passports


14

PKI and certificates (6) PKI efforts stateside and overseas

Building PKI for various purposes E.g., Federal PKI Initiative – to provide secure

communication to U.S. gov’t agencies It also specifies how commercial s/w using PKI

should operate (so gov’t can use off-the-shelf products)

Major PKI product vendors in the U.S.: Baltimore Technologies Northern Telecom/Entrust Identrus

Certificates can bind: Identity to public key – classic, most common Other bindings under research

E.g., binding financial status to key (credit card companies) Draft standards: ANSI X9.45, Simple Public Key

Infrastructure (SPKI)© by Leszek T. Lilien, 2005

15

PKI and certificates (7)

PKI is not yet mature Many outstanding issues

Cf. Table 7-6, p. 439

Still, many points are clear: CA should be approved/verfied by independent

body CA’s private keys must be stored in tamper-

resistant security module (maybe with h/w support) Access to CAs and RAs should be tightly

controlled Using strong authentication (e.g., 2FA or 3FA with smart

cards)


16

(iv) SSH protocol (SSH = Secure SHell)

SSH protocol (newer: v.2) – provides authenticated and encrypted communication with shell/OS command interpreter

Originally defined for Unix Replaced insecure utilities for remote access

Such as Telnet / rlogin / rsh

Protects against spoofing attacks (falsifying one end of communication, incl. masquerading, sesssion hijacking, MITM) & message modification / falsification

Involves negotiation between local and remote sites

Negotiate which encryption algorithm to use E.g., DES? IDEA? AES?

Negotiate which authentication technique to use E.g., public key? Kerberos?© by Leszek T. Lilien, 2005

17

(v) SSL protocol (a.k.a. TLS prot.) (1) SSL protocol (v3) = (approx.) TLS protocol - interfaces

betwen app (on client C) and TCP/IP protocols to provide server S authentication, optional C authentication, and encrypted communication channel between C and S for session between C and S

SSL = Secure Sockets Layer / TLS = Transport Layer Security Originally defined by Netscape to protect browser-to-server

communication Simple but effective – most widely used secure commu-

nication protocol on Internet (incl. WWW browsers/servers)

Involves negotiation between C and S Negotiate which encryption suite to use for session

E.g., DES? RC4 w/ 128-bit/40-bit key? RC2? Fortezza? [Bishop] Negotiate which hashing technique to use for session

E.g., SHA1 or MD5?


18

SSL protocol (a.k.a. TLS protocol) (2) SSL use scenario (handshake protocol)

C requests an SSL session by sending: Hello-C, Rand-C (random nr), list of cipher (encryption) algorithms & hash algorithms known to C

Hash used to checksum messages S responds with msgs including: Hello-S, Rand-S,

cipher & hash algorithm selected by S (from C’s list) , S’s certificate, KPUB-S, [OPTIONAL: request for cert. fr. C]

C can use S’s certificate (X.509v3 cert.) to verify S’s authenticity

[OPTIONAL: C replies with: C’s certificate] C returns „pre-master secret” encrypted under KPUB-

S Pre-master secret - e.g., 48 random B if selected cipher is RSA

[Bishop-CompSec-A&S, p.296]

...continued...© by Leszek T. Lilien, 2005

19

SSL protocol (a.k.a. TLS protocol) (3)

...continued...

C and S calculate „master secret” using: „Pre-master secret” Constant strings ‘A’, ‘BB’ and ‘CCC’ Rand-C and Rand-S, SHA hashing algorithm [ibid, p. 294]

C and S switch to encrypted communication using „master secret” as session key

C and S exchange application data for session duration (i.e., for as long as they stay connected)

TLS is potentially vulnerable to MITM attacks[Conklin eta al., p.163]


20

(vi) IPsec protocol suite (1) IPsec (IP Security Protocol Suite) = standard for

securing IP communications by encrypting and/or authenticating all IP packets

IPsec is public (published / scrutinized)

By design, protects against threats including: spoofing (incl. session hijacking) / eavesdropping

Choice of ciphers/hash protocols Communicating parties negotiate which ones

to use IPsec defines some ciphers/hash as required in

every IPsec implementaion


21

IPsec protocol suite (2)

IPsec provides security at IP layer in IPv6 or IPv4[Stall.p.499]

IP versions: IPv4 = v.4 — older IP protocol version (still in use) IPv6 = v.6 — newer IP protocol version

IPv6 — larger address space Developed (1992-1998) since IPv4 runs out of address space

— IPv4 has 32-bit source/destination addresses— IPv6 has 128-bit source/destination addresses

IPv6 — also other functional enhancements To accommodate faster networks To accommodate mix of multimedia data streams

IPsec protects all layers above IP layer (where it „resides”) In particular, protects TCP or UDP protocols Protects „automatically” Protects transparently (no modifications to TCP, UDP

needed)


22


Basis of IPsec: security association (SA) = set of security parameters for a secured 1-way communication channel

2 SAs needed for 2-way communication [St,487]

Components of SA:1) Encryption algorithm and „mode”

E.g., for DES, mode = CDC – cipher bloc chaining

2) Encryption key3) Encryption params (e.g., initialization vector for

encryption)

4) Authentication protocol and key5) SA lifespan

Allows long-running sessions to select new crypto key

6) Address of opposite end of SA (source <---> destination)

7) Sensitivity level of protected data (e.g., unclassified / restricted /

confidential / secret / top secret)© by Leszek T. Lilien, 2005

23


Security parameter index (SPI) data structure Resides on each host H running IPsec Used to select 1 of n SAs that exist on H

Different SAs for concurrent communications with different remote Hs

Fundamental IPsec data structures / protocols1) AH = authentication header / AH protocol

For authentication-only IPsec service: Authenticates S (sender )

2) ESP = encapsulated security payload / ESP protocol

For encryption-only IPsec serviceOR For combined encryption/authentication

IPsec service© by Leszek T. Lilien, 2005

24


IPsec can be used for various crypto sessions: VPN e2e (incl. app 2 app) For network mgmt (e.g., for routing)

IPsec scenario TCP layer passes conventional TCP Header & Data

down to IP layer IP layer calls upon IPsec to encapsulate conventional

TCP Header & Data into ESP (encapsulated security payload)

Fig. 7-28, p. 441 IP layer adds IP Header IP layer passes packet down to physical layer Physical layer adds Physical Header & Physical

Trailer© by Leszek T. Lilien, 2005

25

End of Class 31


cs 5950/6030 network security class 31 (f, 11/11/05) leszek lilien department of computer science...

Documents

network layers

network security class

public network

virtual private network

endtoend encryption

perimeter of home network

logical link encryption

properties of link encryption