Network Security Refik MOLVA Institut Eurécom B.P. 193 F-06904 Sophia Antipolis Cedex - France [email protected]


Page 1: Network Security Refik MOLVA Institut Eurécom B.P. 193 F-06904 Sophia Antipolis Cedex - France Refik.Molva@eurecom.fr

Network Security

Refik MOLVA, Institut Eurécom
B.P. 193, F-06904 Sophia Antipolis Cedex - France
Refik.Molva@eurecom.fr


Network Security - R. Molva - Institut Eurecom 2002 2

Outline

THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management

APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security

Security Services

The ISO 7498-2 standard defines:
• security services and mechanisms in the context of OSI
• function placement in OSI layers
It does not cover the security of standalone systems.

Security services:
• authentication
• access control
• confidentiality
• integrity
• non-repudiation

Services vs. Layers

1. Application Layer Security
   • finest granularity (user and program verification)
   • end-to-end security
   • non-transparent to applications
2. Transport Layer
   • medium level granularity (end-users are not visible)
   • end-to-end security
   • transparent to applications
3. Network Layer
   • low granularity
   • no end-to-end security (hop-by-hop security relies on intermediate systems)
   • transparent to applications
4. Physical Layer
   • like network layer security, plus ease of integration
   • limited functionality (hardware only)

Cryptography

The art of writing in or deciphering secret code by transforming the message content.
Different from steganography, which aims at hiding the message without transforming it.

Cryptology
• Cryptography: encryption, decryption
• Cryptanalysis: code breaking

Cryptography is the building block for most security mechanisms.

Symmetric Cryptography (secret-key based)

P --E--> C --D--> P, with the same key K on both sides

• The same key is required both for encryption and decryption
• Secrecy of K is essential
  – requirement for secret key management using an on-line trusted third party (TTP)
• K must be shared by at least two parties
• no signature

DES

• Input: 64 bits; Output: 64 bits
• K: 56-bit key
• ki: 16 sub-keys (48 bits each), produced by the key schedule as the result of shift and select operations on K
• Ri: key-dependent round functions
• IP: initial permutation, IP-1(IP(x)) = x

E (encryption): IP, then rounds R1, R2, ..., R15, R16 with sub-keys k1, k2, ..., k15, k16, then IP-1
D (decryption): IP, then rounds R16, R15, ..., R2, R1 with sub-keys k16, k15, ..., k2, k1, then IP-1

Advanced Encryption Standard (AES)

• Rijndael - winner of an extensive selection process
• New encryption standard (FIPS 197) - replacement for DES - May 26, 2002
• Triple DES is still a valid standard (FIPS 46-3)
• Key size: 128, 192, or 256 bits
• 10, 12 or 14 rounds, depending on the key size
• byte-oriented cipher operations in each round
• Round function:
  – 8x8 S-box applied to each byte
  – rows of the array shifted
  – columns of the array mixed
  – subkey bytes XORed into each byte of the array
  – column mixing is omitted in the last round

AES-Rijndael Performance

• "... a machine that could recover a DES key in a second then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."
• Key setup time
  – 200 keys/msec in 32-bit C / Apple G4 PowerPC
• Encryption speed
  – 52 Mbits/s in 32-bit C / Apple PowerPC
  – 4.8 Mbits/s in Java / Intel Pentium Pro 200

Asymmetric Cryptography (public-key cryptography)

P --E (public key K')--> C --D (secret key K)--> P

• Different keys for encryption and decryption
• Each user has a secret key (K) and a public key (K')
• No shared secret between the origin and the recipient
  – no need to manage secret keys, but the integrity of K' must be assured with an off-line trusted third party (TTP)
• digital signature is possible

Asymmetric Cryptography

• each user U has a secret key KSU and a public key KPU
• everybody can access KPU (public database):
  Name: A, Key: KPa
  Name: B, Key: KPb
  Name: C, Key: KPc
• only U knows KSU
• DKSu(EKPu(x)) = x and EKPu(DKSu(x)) = x

Figure: a sender retrieves (A, KPa) from the public database and sends EKPa(message) to A; A decrypts it with KSa.

Asymmetric Cryptography

Public-key algorithms are based on one-way functions.

One-way functions (OWF)
f : X -> Y is one-way if f(x) is easy to compute for all x in X, but for essentially all y in Im(f) it is computationally infeasible to find x in X such that f(x) = y.

Figure: x in X maps easily to y = f(x); going back from y to x (f-1) is infeasible.

Example: discrete exponential (Diffie-Hellman)
  f(x) = a^x mod n (easy)
  f-1(y) = log_a y (discrete logarithm, hard)

Trapdoor OWF

f is a trapdoor one-way function if f is a OWF with the additional property that, given some extra information called the trapdoor, it becomes easy to compute the reverse of f (x such that f(x) = y).

Example: f(x) = x^5 mod n, with n = pq, p and q large primes
• f is a OWF (it is infeasible to compute f-1)
• but if p and q are known, f-1 becomes easy to compute (cf. RSA)

• No proof of existence for OWF.
• Security of public-key schemes is based on OWF.
  – no proof of security for public-key schemes

The DIFFIE-HELLMAN Algorithm

Known by A: x                Public: a, p                Known by B: y
A -> B: a^x mod p
B -> A: a^y mod p
A computes: (a^y)^x mod p = a^yx mod p
B computes: (a^x)^y mod p = a^xy mod p

• pioneer of public key algorithms
• A and B set a shared secret (a^xy mod p) without exchanging secret information.
• a^xy mod p can be used as a secret key with a symmetric algorithm to encrypt data.
• relies on the difficulty of computing the discrete log.
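The exchange above, both sides included, as an added example that is not part of the original slides. The prime p = 2^31 - 1, the generator a = 7 (with the prime factors of p - 1 used to check that it really generates Z_p^*) and the SHA-256 key-derivation step are this example's own constructed choices; a deployment would use a standardised group with a modulus of 2048 bits or more.

```python
"""Diffie-Hellman with the slide's notation: secret x (A), secret y (B), public a, p."""
import hashlib
import secrets

P = 2147483647                                   # p = 2^31 - 1, prime (constructed toy parameter)
A = 7                                            # generator of Z_p^* (checked below)
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)  # prime factors of p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def is_generator(a: int, p: int, factors) -> bool:
    """a generates Z_p^* iff a^((p-1)/q) != 1 (mod p) for every prime q dividing p - 1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in factors)


def public_value(secret_exp: int, a: int = A, p: int = P) -> int:
    """What a party sends in the clear: a^x mod p for A, a^y mod p for B."""
    return pow(a, secret_exp, p)


def shared_secret(received: int, secret_exp: int, p: int = P) -> int:
    """(a^y)^x mod p on A's side, (a^x)^y mod p on B's side: both equal a^xy mod p."""
    return pow(received, secret_exp, p)


def session_key(shared: int) -> bytes:
    """Turn a^xy mod p into a symmetric key (assumption: SHA-256, first 16 bytes)."""
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()[:16]


def run_exchange(x: int, y: int, a: int = A, p: int = P) -> dict:
    """Run both sides and return what each party ends up knowing."""
    ax = public_value(x, a, p)        # A -> B : a^x mod p
    ay = public_value(y, a, p)        # B -> A : a^y mod p
    k_a = shared_secret(ay, x, p)     # A computes (a^y)^x mod p
    k_b = shared_secret(ax, y, p)     # B computes (a^x)^y mod p
    return {"a^x": ax, "a^y": ay, "K_A": k_a, "K_B": k_b}


if __name__ == "__main__":
    assert is_generator(A, P, P_MINUS_1_FACTORS)
    x = secrets.randbelow(P - 2) + 1              # A's secret exponent
    y = secrets.randbelow(P - 2) + 1              # B's secret exponent
    r = run_exchange(x, y)
    assert r["K_A"] == r["K_B"]
    print("a^xy mod p =", r["K_A"], "symmetric key =", session_key(r["K_A"]).hex())
```

The generator check matters in practice: with a non-generator a, the values a^x mod p live in a small subgroup and the shared secret has far fewer possible values than p suggests.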

RSA

• message structured in n-bit blocks
• for each block P of cleartext:
  encryption: C = P^e mod r
  decryption: P = C^d mod r
• main property (non-trivial): (x^e)^d ≡ (x^d)^e ≡ x (mod r)
• security relies on the choice of r, e and d

RSA - Principle

1. pick two very large (100 digits) prime numbers p, q
2. compute r = pq
3. compute φ(r) = (p-1)(q-1)
4. pick e, a small number, prime with φ(r), e < φ(r)
5. compute d : d·e ≡ 1 (mod φ(r))

Why (x^e)^d ≡ (x^d)^e ≡ x (mod r)?
Euler's Theorem: a^φ(r) ≡ 1 (mod r), hence a^(m·φ(r)+1) ≡ a (mod r)
from 5.: d·e = e·d = m·φ(r)+1
so: (x^e)^d ≡ (x^d)^e ≡ x (mod r)

Note: Euler's theorem requires x to be invertible mod r; the property can be demonstrated for general x using Chinese Remaindering.

RSA - Example

1. p = 17, q = 13
2. r = 221
3. φ(r) = (p-1)(q-1) = 192
4. e = 11
5. d = 35, d·e ≡ 1 (mod 192)

Encryption (e = 11): P = 123, C = 123^11 mod 221 = 115
Decryption (d = 35): C = 115, P = 115^35 mod 221 = 123
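The key set-up of the RSA - Principle slide and the worked numbers of the example above, as an added example that is not from the original slides. p = 17, q = 13 and e = 11 are the slide's values; everything else (r, φ(r), d, C) is computed, and the last function checks the (x^e)^d ≡ x property for every block mod r, including the blocks that are not invertible mod r, which is the case the slide's note refers to.

```python
"""RSA key set-up, encryption and decryption with the slide's numbers."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Steps 2-5 of the slide: r = pq, phi(r) = (p-1)(q-1), e coprime with phi(r), d = e^-1 mod phi(r)."""
    r = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi(r)) and be coprime with phi(r)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return r, e, d


def encrypt_block(P: int, e: int, r: int) -> int:
    """C = P^e mod r; a block must be smaller than the modulus, otherwise it is not recoverable."""
    if not 0 <= P < r:
        raise ValueError("plaintext block must be in [0, r-1]")
    return pow(P, e, r)


def decrypt_block(C: int, d: int, r: int) -> int:
    """P = C^d mod r."""
    return pow(C, d, r)


def euler_holds(x: int, r: int, phi: int) -> bool:
    """x^phi(r) == 1 (mod r): true when gcd(x, r) = 1, false for blocks sharing a factor with r."""
    return pow(x, phi, r) == 1


def roundtrip_all(p: int, q: int, e: int) -> bool:
    """(x^e)^d == (x^d)^e == x (mod r) for every block x in [0, r-1], Euler-invertible or not."""
    r, e, d = rsa_keygen(p, q, e)
    return all(pow(pow(x, e, r), d, r) == x == pow(pow(x, d, r), e, r) for x in range(r))


if __name__ == "__main__":
    r, e, d = rsa_keygen(17, 13, 11)
    print("r =", r, "phi(r) =", (17 - 1) * (13 - 1), "e =", e, "d =", d)   # 221, 192, 11, 35
    C = encrypt_block(123, e, r)
    print("C =", C, "-> P =", decrypt_block(C, d, r))                    # 115 -> 123
    print("13^192 mod 221 == 1 ?", euler_holds(13, r, 192))              # False: 13 divides r
    print("round trip holds for all blocks:", roundtrip_all(17, 13, 11))  # True (CRT argument)
```

Note that r = 221 leaves only 221 possible blocks, so a plaintext can be recovered by encrypting every candidate with the public key; that is a property of the toy size, not of the algorithm, and is why the slide asks for 100-digit primes.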

RSA

Throughput of 512-bit RSA chips (E/D):
  Origin        E/D (Kb/s)
  CYLINK         7
  CRYPTECH      17
  CENT           5.3
  BT             5
  AT&T          19
  Pijnenburg    50

• security: factoring r (512 bits, 154 digits) into p and q with the best known factoring algorithm: 1 M years
• 1000 times slower than DES in hardware, 100 times slower than DES in software

El Gamal Public Key Encryption

DH key agreement used inside encryption.

• p is prime, a is a generator in Zp, x and y in Zp-1
• B's key pair: b = a^y mod p; KPB = (p, a, b) is the public key, KSB = y is the secret key
• Known by A: x (random); Known by B: y
• Encryption (by A, holder of KPB):
  m1 = a^x mod p (DH key agreement)
  m2 = m · a^xy mod p = m · b^x mod p (encrypted message)
  A -> B: m1, m2
• Decryption (by B): m1^y = a^xy mod p; m = m2 · (m1^y)^-1 mod p = m · a^xy · ((a^x)^y)^-1 mod p
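The encryption and decryption of the slide carried out end to end, as an added example that is not from the original slides. The toy prime p = 2^31 - 1 and generator a = 7 are constructed parameters of this example; the message is an element of Z_p, as the slide's formulas assume.

```python
"""El Gamal encryption: DH key agreement (m1) plus a masked message (m2)."""
import secrets

P = 2147483647   # prime p = 2^31 - 1 (constructed toy parameter)
A = 7            # generator of Z_p^*


def keygen(p: int = P, a: int = A):
    """B picks secret y in Z_{p-1}; public key KPB = (p, a, b) with b = a^y mod p, secret key KSB = y."""
    y = secrets.randbelow(p - 1)
    return (p, a, pow(a, y, p)), y


def encrypt(m: int, kpb: tuple, x: int = None) -> tuple:
    """A's side: m1 = a^x mod p, m2 = m * b^x mod p (b^x = a^xy). x must be fresh for every message."""
    p, a, b = kpb
    if not 1 <= m < p:
        raise ValueError("message must be in [1, p-1] so that it is invertible mod p")
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return pow(a, x, p), (m * pow(b, x, p)) % p


def decrypt(c: tuple, y: int, p: int = P) -> int:
    """B's side: recover a^xy = m1^y, then m = m2 * (m1^y)^-1 mod p."""
    m1, m2 = c
    shared = pow(m1, y, p)
    return (m2 * pow(shared, -1, p)) % p


if __name__ == "__main__":
    kpb, ksb = keygen()
    c = encrypt(123456, kpb)
    print("ciphertext (m1, m2) =", c)
    print("decrypted m =", decrypt(c, ksb))          # 123456
    print("same m, new x, different ciphertext:", encrypt(123456, kpb) != c)
```

Because A draws a new x per message, two encryptions of the same m differ; the decryption relies only on y, so B needs no state beyond its secret key.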

Symmetric vs. Asymmetric Cryptography

Symmetric Cryptography: secret key shared by (at least) two parties
• Pros
  – key is short (64-128 bits)
  – fast encryption/decryption
  – extensive history
  – perfect secrecy exists
• Cons
  – key distribution (by on-line TTP) is mandatory
  – no signature (possible only with additional means)

Asymmetric Cryptography: one private key, one public key per party
• Pros
  – no requirement for secret key distribution
  – digital signature is possible
• Cons
  – key is long (> 512 bits)
  – computationally intensive
  – security relies on the difficulty of number-theoretic problems, no perfect secrecy

Symmetric vs. Asymmetric Cryptography - Summary

Use Asymmetric Cryptography for:
• key distribution (for symmetric keys)
• digital signature

Use Symmetric Cryptography for:
• bulk data encryption
• data integrity

Figures: the same image shown as Plaintext, after DES-ECB Encryption and after DES-CBC Encryption (images not reproduced in this transcript).

CBC Mode

Cipher Block Chaining, 64-bit blocks
  Ci = EK(Pi ⊕ Ci-1)
  C0 = EK(P0 ⊕ IV), IV (Initialization Vector) transmitted in cleartext
  Pi = DK(Ci) ⊕ Ci-1

• chaining effect: Ci depends on all the Pj with j ≤ i
  – the last block of C depends on all the plaintext blocks
• converts DES into a stream cipher
• 1 E/D operation per 64 bits

Figure: encryption, Pn ⊕ Cn-1 -> EK -> Cn; decryption, Cn -> DK, then ⊕ Cn-1 -> Pn; C0 is obtained from IV.

CBC - Error propagation

Decryption of Pi requires Ci and Ci-1.

Error extension:
• error in block Ci or loss of complete block Ci
  – only Pi and Pi+1 are affected
  – subsequent blocks are not affected (self-synchronization)
• new vulnerability: controlled modification by the intruder - a transmission error on bit i of block Cj results in loss of Pj and complementing of bit i in Pj+1.
• no self-synchronization on bit slips: all subsequent blocks are lost
  – requirement for framing and error control on C

Relationship between Error Control and CBC Encryption:
Figure: the two possible orderings of the error control stage and the E/D stage (error control applied outside encryption, or inside it).
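The DES slide's structure (16 rounds, sub-keys applied in reverse order for decryption) and the two CBC slides above, as one added example that is not from the original slides. The block cipher is a constructed toy Feistel network: the round function and key schedule are SHA-256 based inventions of this example, only the 64-bit block and 16 rounds follow the DES slide, and there is no IP/IP-1. On top of it, `cbc_encrypt`/`cbc_decrypt` implement Ci = EK(Pi ⊕ Ci-1), and `error_propagation` flips bit i of Cj and reports that exactly Pj (garbled) and Pj+1 (bit i complemented) change.

```python
"""Toy Feistel cipher in the shape of the DES diagram, CBC mode, and CBC error propagation."""
import hashlib

BLOCK = 8      # 64-bit blocks
ROUNDS = 16


def key_schedule(k: bytes) -> list:
    """16 sub-keys k1..k16 of 48 bits (constructed: hash of K and round index; DES shifts and selects)."""
    return [hashlib.sha256(k + bytes([i])).digest()[:6] for i in range(1, ROUNDS + 1)]


def round_fn(subkey: bytes, half: bytes) -> bytes:
    """Key-dependent round function R_i (constructed); it need not be invertible."""
    return hashlib.sha256(subkey + half).digest()[:4]


def feistel(block: bytes, subkeys: list) -> bytes:
    """One pass over the rounds; the same routine with reversed sub-keys undoes it."""
    L, R = block[:4], block[4:]
    for sk in subkeys:
        L, R = R, bytes(a ^ b for a, b in zip(L, round_fn(sk, R)))
    return R + L                      # final swap makes the network its own inverse


def E(k: bytes, p: bytes) -> bytes:   # encryption: sub-keys k1 .. k16
    return feistel(p, key_schedule(k))


def D(k: bytes, c: bytes) -> bytes:   # decryption: sub-keys k16 .. k1
    return feistel(c, key_schedule(k)[::-1])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(k: bytes, iv: bytes, plaintext: bytes) -> list:
    """C_i = E_K(P_i xor C_{i-1}) with C_{-1} = IV; plaintext length must be a multiple of 8."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of 64-bit blocks")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = E(k, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out


def cbc_decrypt(k: bytes, iv: bytes, blocks: list) -> bytes:
    """P_i = D_K(C_i) xor C_{i-1}: each plaintext block needs only C_i and C_{i-1}."""
    prev, out = iv, b""
    for c in blocks:
        out += xor(D(k, c), prev)
        prev = c
    return out


def flip_bit(b: bytes, bit: int) -> bytes:
    """Complement bit `bit` (0 = most significant bit of the first byte)."""
    arr = bytearray(b)
    arr[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(arr)


def error_propagation(k: bytes, iv: bytes, plaintext: bytes, j: int, bit: int) -> dict:
    """Corrupt bit `bit` of C_j in transit and report which plaintext blocks change, and how."""
    blocks = cbc_encrypt(k, iv, plaintext)
    blocks[j] = flip_bit(blocks[j], bit)
    recovered = cbc_decrypt(k, iv, blocks)
    orig = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    got = [recovered[i:i + BLOCK] for i in range(0, len(recovered), BLOCK)]
    changed = [i for i in range(len(orig)) if orig[i] != got[i]]
    next_is_flip = j + 1 >= len(orig) or got[j + 1] == flip_bit(orig[j + 1], bit)
    return {"changed_blocks": changed, "next_block_is_bit_flip": next_is_flip}


if __name__ == "__main__":
    k, iv, pt = b"constructed-key!"[:8], bytes(8), bytes(range(32))
    print(error_propagation(k, iv, pt, 1, 5))   # {'changed_blocks': [1, 2], 'next_block_is_bit_flip': True}
```

The `next_block_is_bit_flip` result is the property the slide calls a new vulnerability: without a MAC over the ciphertext, an intruder who flips a bit of Cj obtains a predictable bit flip in Pj+1, which is why CBC on its own is not an integrity mechanism.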

CFB Mode (Cipher Feedback)

• n = variable block size for C and P
• 1 E/D operation per n bits
• s0: initial value of the register (IV, 64 bits), transmitted in cleartext

Figure: on each side a 64-bit shift register is encrypted with EK; the n left bits of the 64-bit output are selected and XORed with the n-bit P (encryption) or C (decryption); the n-bit ciphertext is shifted into the register.

OFB Mode (Output Feedback)

• variable quantum size n
• 1 E/D operation per n bits
• s0: initial value of the register, transmitted in cleartext
• s0 must be different for each new message
• stream cipher: one-time pad with pseudo-random number generation

Figure: as in CFB, a 64-bit shift register (initialized with IV) is encrypted with EK and the n left bits are selected and XORed with P or C, but the selected bits are fed back into the register instead of the ciphertext.
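Both feedback modes of the two slides above, as an added example that is not from the original slides. EK is a constructed one-way function (SHA-256 of K and the register, truncated to 64 bits), which is all CFB and OFB need from the block cipher since neither ever calls DK; the quantum n is counted in bytes here rather than bits, and OFB feeds back the n selected bytes as in the slide's figure. The last function corrupts one ciphertext byte and lists the plaintext quanta that decrypt wrongly in each mode.

```python
"""CFB and OFB on a 64-bit shift register, plus their different error propagation."""
import hashlib

REG = 8   # 64-bit shift register


def E(k: bytes, reg: bytes) -> bytes:
    """Stand-in for the block cipher E_K (constructed, one-way, 64-bit output)."""
    return hashlib.sha256(k + reg).digest()[:REG]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def quanta(data: bytes, n: int) -> list:
    return [data[i:i + n] for i in range(0, len(data), n)]


def cfb(k: bytes, s0: bytes, data: bytes, n: int, decrypt: bool) -> bytes:
    """Cipher feedback: XOR the quantum with the n left bytes of E_K(register),
    then shift the ciphertext quantum (whichever side we are on) into the register."""
    reg, out = s0, b""
    for q in quanta(data, n):
        res = xor(q, E(k, reg)[:len(q)])
        c = q if decrypt else res            # ciphertext quantum
        out += res
        reg = (reg + c)[-REG:]               # shift left by n, feed C in on the right
    return out


def ofb(k: bytes, s0: bytes, data: bytes, n: int) -> bytes:
    """Output feedback: the selected E_K output bytes are fed back, so the keystream
    depends only on K and s0; the same call encrypts and decrypts."""
    reg, out = s0, b""
    for q in quanta(data, n):
        sel = E(k, reg)[:n]
        out += xor(q, sel[:len(q)])
        reg = (reg + sel)[-REG:]
    return out


def flip_byte(data: bytes, idx: int) -> bytes:
    arr = bytearray(data)
    arr[idx] ^= 0x01
    return bytes(arr)


def affected_quanta(mode: str, k: bytes, s0: bytes, plaintext: bytes, n: int, idx: int) -> list:
    """Indices of plaintext quanta that come out wrong after ciphertext byte idx is corrupted in transit."""
    if mode == "cfb":
        ct = cfb(k, s0, plaintext, n, decrypt=False)
        pt2 = cfb(k, s0, flip_byte(ct, idx), n, decrypt=True)
    elif mode == "ofb":
        ct = ofb(k, s0, plaintext, n)
        pt2 = ofb(k, s0, flip_byte(ct, idx), n)
    else:
        raise ValueError("mode must be 'cfb' or 'ofb'")
    good, bad = quanta(plaintext, n), quanta(pt2, n)
    return [i for i in range(len(good)) if good[i] != bad[i]]


if __name__ == "__main__":
    k, s0, pt = b"k" * 8, bytes(8), bytes(range(24))        # constructed key, IV and plaintext
    print("CFB, byte 5 corrupted, n = 4:", affected_quanta("cfb", k, s0, pt, 4, 5))   # [1, 2, 3]
    print("OFB, byte 5 corrupted, n = 4:", affected_quanta("ofb", k, s0, pt, 4, 5))   # [1]
```

In CFB the corrupted quantum stays in the 64-bit register for the next 64/n quanta and then falls out (self-synchronization); in OFB the keystream never depends on the ciphertext, so only the corrupted quantum is affected, which is also why a reused s0 under the same K reproduces the same keystream.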

Outline

THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management

APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security

Hash Functions

message (arbitrary length) -> h -> message digest (fixed length, n ≥ 128 bits)

Main purpose: Modification Detection Codes (MDC), Manipulation Detection Codes or Message Integrity Check (MIC)
Objective: data integrity with additional security means
• h(m) serves as a representative of message m
• if m changes, h(m) changes with high probability

Security properties:
• one-way: given y, finding x such that h(x) = y is difficult.
• collision resistance: it is difficult to find x ≠ x' such that h(x) = h(x').

General Model for Building Hash Functions

Arbitrary-length input x is split into fixed-length blocks x1, x2, ..., xn.
  H0 = fixed-length constant
  Hi = f(Hi-1, xi), where f is a compression function with fixed-length inputs
  Hn = h(x) (iterated hash function)
Additional: input preprocessing by adding padding and a length block

Message Authentication Codes

• Encryption of an MDC: MAC = EK(h(M)) with DES or RSA
• Keyed hashing: MAC = h(K1 | M | K2)

Examples from the Internet:
• Keyed MD5 (RFC 1828, 08/1995): MD5 over (Key + padding | IP packet | Key + padding); first block 512 bits, packet n x 512 bits; Authentication Data (128 bits)
• HMAC (RFC 2104, 02/1997): HMAC(K, text) = H(K xor pad1 | H(K xor pad2 | text))
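The HMAC formula above written out and cross-checked against Python's `hmac` module, as an added example that is not from the original slides. The details the slide leaves out are taken from RFC 2104: the inner pad (pad2) is 0x36 repeated and the outer pad (pad1) is 0x5c repeated over the hash block size (64 bytes for MD5, SHA-1 and SHA-256), K is zero-padded to that size, and a key longer than the block size is hashed first.

```python
"""HMAC(K, text) = H(K xor opad | H(K xor ipad | text)), built from the formula."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # RFC 2104 inner and outer pad bytes


def hmac_from_formula(key: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    h = lambda data: hashlib.new(hash_name, data).digest()
    block_size = hashlib.new(hash_name).block_size     # 64 for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = h(key)                                   # RFC 2104: long keys are hashed first
    key = key.ljust(block_size, b"\x00")               # zero-pad K to the block size
    k_ipad = bytes(b ^ IPAD for b in key)              # K xor pad2 (inner)
    k_opad = bytes(b ^ OPAD for b in key)              # K xor pad1 (outer)
    return h(k_opad + h(k_ipad + text))


def verify_mac(key: bytes, text: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute and compare in constant time so the comparison leaks nothing."""
    return hmac.compare_digest(hmac_from_formula(key, text, hash_name), tag)


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check of the hand-built construction against the standard library."""
    return hmac.compare_digest(hmac_from_formula(key, text, hash_name),
                               hmac.new(key, text, hash_name).digest())


if __name__ == "__main__":
    key, msg = b"constructed-shared-key", b"IP packet payload"   # constructed sample values
    tag = hmac_from_formula(key, msg)
    print("HMAC-SHA256 =", tag.hex())
    print("verifies:", verify_mac(key, msg, tag), "tampered:", verify_mac(key, msg + b"!", tag))
    print("matches hmac module:", matches_stdlib(key, msg))
```

The nested construction is what distinguishes HMAC from the plain keyed hash h(K | M): the outer hash over K xor pad1 means an attacker who only sees a tag cannot extend M without knowing K.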

Data integrity

Three ways to protect a message sent over an unsecured channel (figure):
• MAC: message | MAC, where the MAC is computed with a MAC function keyed by K; the receiver recomputes it with K
• Encrypted MDC: message | EK(MDC), where the MDC is computed with an unkeyed MDC function and then encrypted under K
• MDC over a secured channel: the message is sent on the unsecured channel, the MDC on a secured channel
MDC = unkeyed hash

Outline

THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management

APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security

Authentication Protocols (1/2)

• Secret function of a predictable item
  – Protocol requires only 1 message: A -> B: hK(time stamp or counter)
• Synchronization requirement
  – synchronized clocks: very difficult with distributed systems; how to secure a global time service?
  – counters: losses; how to secure re-synchronization?

Authentication Protocols (2/2)

• Secret function of an unpredictable item (nonce: random number used only once)
• No need for synchronization
• 2 messages: one party sends the nonce N, the other replies hK(N)
• Mutual authentication (3 messages):
  A -> B: Na
  B -> A: hK(Na), Nb
  A -> B: hK(Nb)
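The three-message mutual authentication above run between two parties, as an added example that is not from the original slides. hK is taken to be HMAC-SHA256 (the slide only asks for a secret function of the nonce); the per-party record of nonces already answered, which refuses a repeated challenge, is this example's addition.

```python
"""Nonce-based mutual authentication: A -> B: Na ; B -> A: hK(Na), Nb ; A -> B: hK(Nb)."""
import hashlib
import hmac
import secrets


def h_k(k: bytes, nonce: bytes) -> bytes:
    """The secret function of the nonce (assumption: HMAC-SHA256)."""
    return hmac.new(k, nonce, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, k: bytes):
        self.name, self.k = name, k
        self.answered = set()            # nonces this party has already answered
        self.my_nonce = None             # the challenge currently outstanding
        self.peer_authenticated = False

    def fresh_nonce(self) -> bytes:
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce

    def answer(self, peer_nonce: bytes) -> bytes:
        """Prove knowledge of K on the peer's nonce; a nonce is answered only once."""
        if peer_nonce in self.answered:
            raise ValueError(f"{self.name}: nonce already answered, refusing")
        self.answered.add(peer_nonce)
        return h_k(self.k, peer_nonce)

    def check(self, proof: bytes) -> bool:
        """Accept the peer iff the proof matches hK of my outstanding nonce."""
        ok = self.my_nonce is not None and hmac.compare_digest(proof, h_k(self.k, self.my_nonce))
        self.peer_authenticated = ok
        self.my_nonce = None             # used once, never reused
        return ok


def mutual_auth(a: Party, b: Party) -> bool:
    na = a.fresh_nonce()                               # 1. A -> B : Na
    proof_a, nb = b.answer(na), b.fresh_nonce()        # 2. B -> A : hK(Na), Nb
    if not a.check(proof_a):
        return False                                   # B failed to prove knowledge of K
    proof_b = a.answer(nb)                             # 3. A -> B : hK(Nb)
    return b.check(proof_b)                            # A proved knowledge of K to B


if __name__ == "__main__":
    k = b"constructed-shared-key-K"
    a, b = Party("A", k), Party("B", k)
    print("mutual authentication:", mutual_auth(a, b))            # True
    print("with a wrong key:", mutual_auth(Party("A", k), Party("C", b"other")))   # False
```

Each party verifies the peer on a nonce it chose itself, so neither a recorded answer nor a chosen time base is of use to a third party; the `answered` set additionally stops a party from acting as an oracle for the same challenge twice.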

S/Key

One-time password authentication technique based on a secure hash function.

Chain: K -> h(K) -> h2(K) -> ... -> hn(K)
• K is secret; h is a public one-way hash function: it is computationally infeasible to derive hi-1(K) from hi(K)
• User U knows K; the authentication server stores SKu = hn(K)
• 1st authentication message: U, M = hn-1(K); the server accepts if h(M) = SKu, then sets SKu := M (= hn-1(K))
• 2nd authentication message: U, M = hn-2(K); the server accepts if h(M) = SKu, then sets SKu := M (= hn-2(K))
• ...

Only the user who knows K can generate the hi(K) values in reverse order: hn(K), hn-1(K), hn-2(K), ..., h(K)
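The S/Key chain above with both roles implemented, as an added example that is not from the original slides. h is SHA-256 here (the slide only requires a public one-way hash), and the secret K and chain length n used in the demo are constructed values.

```python
"""S/Key: the user walks the hash chain backwards, the server checks h(M) == SKu and then stores M."""
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_pow(k: bytes, i: int) -> bytes:
    """h^i(K): i applications of h, with h^0(K) = K."""
    for _ in range(i):
        k = h(k)
    return k


class Server:
    """Stores only SKu = h^n(K); never sees K or an h^i(K) that has not been used yet."""

    def __init__(self, user: str, sku: bytes):
        self.user, self.sku = user, sku

    def authenticate(self, user: str, m: bytes) -> bool:
        # Accept iff h(M) equals the stored value. A replayed or out-of-order M fails,
        # because after acceptance SKu is M itself (or a value further down the chain).
        if user != self.user or h(m) != self.sku:
            return False
        self.sku = m                       # SKu := M for the next login
        return True


class User:
    """Knows K and how far down the chain it has already gone."""

    def __init__(self, name: str, k: bytes, n: int):
        self.name, self.k, self.remaining = name, k, n

    def next_password(self) -> bytes:
        # The chain ends at h(K): h^0(K) = K itself is never sent.
        if self.remaining <= 1:
            raise RuntimeError("chain exhausted: re-enroll with a new K")
        self.remaining -= 1
        return h_pow(self.k, self.remaining)   # h^(n-1)(K), then h^(n-2)(K), ...


def enroll(name: str, k: bytes, n: int):
    """Registration: the server receives h^n(K) only."""
    return User(name, k, n), Server(name, h_pow(k, n))


if __name__ == "__main__":
    user, server = enroll("alice", b"constructed-secret-K", 5)
    for _ in range(4):
        print("login accepted:", server.authenticate("alice", user.next_password()))   # True x4
```

An eavesdropper who records a password M learns h^i(K) for an i the server has already moved past; deriving h^(i-1)(K) from it would require inverting h, which is the one-way property the scheme rests on.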

Passive Devices

• storage of a non-secret verification value W in the device, W = OWF(S), where S is a secret kept by the user
• verification by a reader
• authentication:
  – user enters secret value S
  – reader computes V = OWF(S)
  – reader compares V with W stored in the device
• magnetic stripe cards
• cards with a memory chip

Active Devices

• Able to run cryptographic algorithms and strong authentication protocols
• Eliminate the risk of exhaustive attacks and replay on the PIN
1. Personal computers
2. Tokens
3. Smart cards

Principle:
• PIN-based verification of the user by the personal device. The PIN is not disclosed outside the protected area.
• The personal device runs the authentication protocol on behalf of the user through untrusted environments. Strong authentication protocols resist attacks from a hostile public environment.

Tokens

User: relay between the (untrusted) public terminal and the personal token
Figure: Authentication Server <-> public terminal <-> user <-> Token
+ : cheap and easy to retrofit on existing systems
- : ergonomics

Smart Cards

Communication between the smart card and the authentication server is transparent for the user.

After the user verification, the smart card runs the strong authentication protocol:
• symmetric (DES) or asymmetric (RSA) algorithm
• nonce-, time stamp-, or counter-based

The card can perform other services:
• data encryption
• digital signature
• message integrity

Advanced smart cards include:
• an operating system
• a file system with access control
• a Java virtual machine

+ : the most secure and user-friendly
- : cost of deployment, retrofitting: a reader is required on each terminal

Digital Signature

Generation of A's signature on message M: S = EKSa(h(M))
• h is an unkeyed hash function (MD5, SHA-1, ...)
• KSa is A's private RSA key

Verification of A's signature by any other party: compute h(M), then check with A's public key KPa whether DKPa(S) = h(M)

Outline

THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management

APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security

Key Management

Most security mechanisms are based on cryptography.
Cryptography requires:
• generation
• distribution
• storage
• archival
• deletion
• ...
of (secret and public) keys

Key Generation

Random number generation problem:
• a random bit generator can be used to generate random numbers
• a random bit generator outputs a sequence of statistically independent and unbiased bits.

Solutions:
• physical sources: biased, de-skewing is necessary; impractical
• pseudorandom bit generators: based on a truly random binary sequence of length k, generate a sequence of length l >> k using a deterministic algorithm.
  – The output sequence appears to be random.
  – Among all possible outputs (if it were truly random) only a fraction 2^k/2^l can be generated.
  – The goal is to expand the truly random "seed" to a longer pseudorandom sequence.

Pseudorandom Bit Generators (PRBG)

Security properties:
• resistance to statistical tests: the output of a pseudorandom bit generator should not be distinguishable from a truly random sequence of the same length by a polynomial-time algorithm.
• resistance to next-bit test: the next bit of the output sequence cannot be predicted by a polynomial-time algorithm from the bit sequence that is already generated.
• the two conditions are equivalent
• a PRBG that fulfills one of these properties is said to be cryptographically secure.
• in addition the k-bit seed must be large enough so that an exhaustive search over possible seeds is infeasible.

Ex: the linear congruence xn = a·xn-1 + b mod p is not secure because, given a partial output sequence, the remainder of the output bits can be predicted.

RSA-based Cryptographically Secure PRBG

n = pq and e are defined as in the basic RSA algorithm.

Generation of an l-bit pseudorandom sequence:
1. pick a random integer x0 in [1, n-1] as the seed
2. For i from 1 to l do
   2.1. xi := xi-1^e mod n
   2.2. zi := the least significant bit of xi
output sequence = [z1, z2, ..., zl]

The security property (resistance to next-bit test) is proven based on the difficulty of factorization.

Practical Secure PRBGs

Use one-way hash functions:
  random_number_n = h(s + n), n = 0, 1, 2, ..., where s is the secret seed
• predictable after re-initialization, so the initialization must be randomized:
  (Kerberos) K' = DESK(universal time); Rn = DESK'(n), n = 0, 1, 2, ..., based on the secret key K

These PRBGs are not cryptographically secure because there is no proof of the PRBG security property, but they are sufficiently secure for most applications.
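The RSA-based generator of the previous slide and the practical hash-based generator of this one, side by side, as an added example that is not from the original slides. The RSA modulus is built from two constructed Mersenne primes (about 92 bits in total, far too small for real use); "+" in h(s + n) is read as concatenation; SHA-256 stands in both for h and for the DES of the Kerberos variant, which is this example's substitution.

```python
"""RSA-based PRBG (z_i = LSB(x_{i-1}^e mod n)) and the hash-based PRBG with randomised initialisation."""
import hashlib
import os
import time
from math import gcd

TOY_P, TOY_Q, TOY_E = 2**31 - 1, 2**61 - 1, 65537    # constructed toy parameters
TOY_N = TOY_P * TOY_Q


def check_params(p: int, q: int, e: int) -> bool:
    """As in basic RSA, e must be invertible mod phi(n) so that x -> x^e mod n is a permutation."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def rsa_prbg(n: int, e: int, x0: int, l: int) -> list:
    """Steps 1-2 of the slide: seed x0 in [1, n-1]; output the least significant bit of each x_i."""
    if not 1 <= x0 < n:
        raise ValueError("seed x0 must lie in [1, n-1]")
    bits, x = [], x0
    for _ in range(l):
        x = pow(x, e, n)            # x_i := x_{i-1}^e mod n
        bits.append(x & 1)          # z_i := LSB(x_i)
    return bits


def hash_prbg(seed: bytes, count: int, start: int = 0) -> list:
    """random_number_n = h(s + n) for n = start, start+1, ...; fully determined by s,
    hence predictable by anyone who observes the same initialisation twice."""
    return [hashlib.sha256(seed + n.to_bytes(8, "big")).digest()
            for n in range(start, start + count)]


def randomised_init(long_term_key: bytes, entropy: bytes = None) -> bytes:
    """Kerberos-style K' derived from K and something that differs at every start
    (universal time on the slide; time plus OS randomness here)."""
    if entropy is None:
        entropy = time.time_ns().to_bytes(8, "big") + os.urandom(16)
    return hashlib.sha256(long_term_key + entropy).digest()


if __name__ == "__main__":
    assert check_params(TOY_P, TOY_Q, TOY_E)
    print("RSA PRBG bits:", "".join(str(b) for b in rsa_prbg(TOY_N, TOY_E, 123456789, 32)))
    k_prime = randomised_init(b"constructed-long-term-K")
    print("first R_n under K':", hash_prbg(k_prime, 1)[0].hex())
```

The RSA generator yields one bit per modular exponentiation, which is why it is a reference construction rather than a practical one; the hash generator is fast but, as the slide says, its security is not proven, and its whole output is fixed once s is fixed, so s must change at every initialisation.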

Key Distribution

• Symmetric cryptography
  – distribution of secret keys
  – key distribution must assure the confidentiality of secret keys
  – key distribution service must be on-line
• Asymmetric cryptography
  – distribution of public keys
  – key distribution must assure the integrity of public keys
  – key distribution service can be off-line

Distribution of Secret Keys

Problem: how to distribute a secret session key Kab to parties A and B who do not share a secret channel?
Complexity: a new session key is needed for each new session and per security function (authentication, data confidentiality, integrity)

Alternatives (n: number of parties):
• Manual: complexity of initial key installation: O(n^2)
• Hybrid scheme (O(n))
• Algorithmic (O(n))
• Key server (O(n))

Hybrid scheme

Use public-key cryptography to distribute secret session keys.
Use secret-key (symmetric) cryptography for bulk data encryption.

Figure: A (holds KSa) -> B (holds KSb): A, EKPb(Kab, t, A, ...), MACKSa(...)
afterwards: any mechanism using symmetric cryptography with Kab

Algorithmic Key Distribution

Perfect forward secrecy: breaking any long-term key (signature key) does not threaten the secrecy of past session keys (Kab).
No forward secrecy with the hybrid scheme.

Public: g, p
A: pick random x, compute g^x mod p
A -> B: MA = g^x mod p, SignatureA(MA)
B: pick random y, compute g^y mod p
B -> A: MB = g^y mod p, SignatureB(MB)
A: verify SignatureB(MB), compute Kab = (g^y)^x mod p
B: verify SignatureA(MA), compute Kab = (g^x)^y mod p

Key distribution with a key server

Trust in key server:
• security of session keys
• entity authentication

Figure: A (holds Ka), B (holds Kb), Key Server (holds Ka, Kb)
1. A -> Key Server: I am A, I want a key to communicate with B
2. Key Server -> A: Here are the envelopes for A and B
3. A -> B: Here is the shared key, prove that you are B
4. B -> A: Here is my proof, prove that you are A
5. A -> B: Here is my proof
A and B share the same key

Key distribution with a key server

Kab: session key; Ka, Kb: terminal keys

Trust in key server:
• Kab is fresh and kept secret
• B (resp. A) believes: whoever proves knowledge of secret Kab is A (resp. B).
Key distribution must be strongly linked with authentication.

Figure: A (holds Ka), B (holds Kb), Key Server (holds Ka, Kb)
1. A -> Key Server: A, B
2. Key Server -> A: EKa(Kab, t, B, ...), EKb(Kab, t, A, ...)
3. A -> B: A, Na, EKb(Kab, t, A, ...)
4. B -> A: EKab(Na), Nb
5. A -> B: EKab(Nb)
afterwards: data security mechanism using Kab
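Messages 1 to 5 of the two key-server slides run between three simulated parties, with the checks each party performs before trusting Kab, as an added example that is not from the original slides. The envelope EK(...) is a constructed authenticated encryption (SHA-256 keystream plus an HMAC-SHA256 tag) standing in for the DES envelopes; the acceptance window for t and the JSON layout of the envelope contents are this example's own choices.

```python
"""Key distribution with a key server: envelopes under Ka and Kb, then nonce proofs under Kab."""
import hashlib
import hmac
import json
import secrets
import time

WINDOW = 60.0   # seconds an envelope timestamp t stays acceptable (assumption)


def keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(k + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def seal(k: bytes, obj) -> bytes:
    """E_K(obj) = nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce, data = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(k, nonce, len(data))))
    return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()


def unseal(k: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope rejected: tag mismatch (wrong key or tampering)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(k, nonce, len(ct)))))


class KeyServer:
    """Holds the terminal keys and issues a fresh Kab for every request."""

    def __init__(self, terminal_keys: dict):
        self.keys = terminal_keys

    def request(self, a: str, b: str) -> tuple:
        """Message 1 (A, B) in; message 2 out: E_Ka(Kab, t, B, ...), E_Kb(Kab, t, A, ...)."""
        kab, t = secrets.token_bytes(16).hex(), time.time()
        return (seal(self.keys[a], {"kab": kab, "t": t, "peer": b}),
                seal(self.keys[b], {"kab": kab, "t": t, "peer": a}))


class Terminal:
    def __init__(self, name: str, k: bytes):
        self.name, self.k, self.kab = name, k, None

    def open_envelope(self, env: bytes, expected_peer: str) -> None:
        """Accept Kab only if the envelope decrypts under my key, names the right peer and is fresh."""
        body = unseal(self.k, env)
        if body["peer"] != expected_peer:
            raise ValueError(f"{self.name}: envelope names {body['peer']}, expected {expected_peer}")
        if abs(time.time() - body["t"]) > WINDOW:
            raise ValueError(f"{self.name}: envelope timestamp outside the acceptance window")
        self.kab = bytes.fromhex(body["kab"])


def proves(kab: bytes, msg: bytes, nonce: str) -> bool:
    """Verifier side of messages 4 and 5: the sender knew Kab and answered my nonce."""
    try:
        return unseal(kab, msg) == nonce
    except ValueError:
        return False


def run_protocol(server: KeyServer, a: Terminal, b: Terminal) -> bool:
    env_a, env_b = server.request(a.name, b.name)          # 1. A, B ; 2. envelopes for A and B
    a.open_envelope(env_a, b.name)
    na = secrets.token_bytes(16).hex()                      # 3. A, Na, E_Kb(Kab, t, A, ...)
    b.open_envelope(env_b, a.name)
    m4, nb = seal(b.kab, na), secrets.token_bytes(16).hex()   # 4. E_Kab(Na), Nb
    if not proves(a.kab, m4, na):
        return False
    m5 = seal(a.kab, nb)                                    # 5. E_Kab(Nb)
    return proves(b.kab, m5, nb)


if __name__ == "__main__":
    ka, kb = b"constructed-terminal-key-A", b"constructed-terminal-key-B"
    server, a, b = KeyServer({"A": ka, "B": kb}), Terminal("A", ka), Terminal("B", kb)
    print("A and B share Kab and authenticated each other:", run_protocol(server, a, b))   # True
```

The peer name inside each envelope is what ties key distribution to authentication, as the slide requires: without it a terminal could be handed an envelope meant for a different pair and would not notice; the timestamp t is what lets it reject a stale envelope.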

Public-key Integrity Problem

The integrity of public keys must be assured.

Solutions:
• Authentication trees
• Public-key certification

Problem (figure): X, an intruder impersonating B, generates a key pair KSx and KPx.
  X -> A: I am B, here is my public key KPx
  A -> X: EKPx(secret data destined to B)
  X decrypts the secret data using KSx

Identity Certificate

Public Key certificate of entity A (key = KPa) created by X:
  CX(KPa) = (KPa, IDa, t, ..., RSAKSx(h(KPa, IDa, t, ...)))
• signed by trusted party X using secret key KSx
• can be checked by using public key KPX
Prerequisite for verifying a certificate: KPX must be known and trusted.

• identity certificates are required for all services implemented using public-key encryption (entity authentication, data origin authentication, data integrity, non-repudiation of origin, key distribution)
• the security of these services entirely relies on the validity (integrity) of the certificate that includes the public key.
• Contrary to a common belief, a certificate alone does not prove anything: it must be used together with a mechanism like an authentication protocol through which the owner of the public key demonstrates his knowledge of the corresponding private key.

TTP Functions

• Certification Authority (CA)
• Registration Authority (RA)
• Name Service
• Certificate Directory
• Key Generator

Certification Scenario

Key pair generated by the user.

Figure (User, KG, RA, CA, Certificate Directory):
1. User generates the key pair (KG)
2. User -> RA: identity validation, public key (proof of knowledge of the private key)
3. RA -> CA: name, public key (integrity-protection, entity authentication)
4. CA -> Certificate Directory: Certificate

Page 59: Network Security Refik MOLVA Institut Eurécom B.P. 193 F-06904 Sophia Antipolis Cedex - France Refik.Molva@eurecom.fr

Network Security - R. Molva - Institut Eurecom 2002 59

Certificate Chains

Problem: A and B belong to domains managed by CA X and CA Y. No direct cross certificate exists between X and Y, but cross certificates exist from Y to Z and from Z to X.

Figure: Domain 1 (CA = X, containing A, who trusts KP_X), Domain 2 (CA = Y, containing B, who trusts KP_Y) and Domain 3 (CA = Z). X issues C_X(Z), Z issues C_Z(Y) and Y issues C_Y(B); A obtains the chain C_X(Z), C_Z(Y), C_Y(B).

A gets KP_Z by verifying C_X(Z) using KP_X, which is trusted a priori. It gets KP_Y by verifying C_Z(Y) using KP_Z. It finally verifies B's public key in C_Y(B) using KP_Y.
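The following Python program is an added example, not part of the lecture, that implements the certificate structure C_X(KP_a) = (KP_a, ID_a, t, RSA_KSx(h(KP_a, ID_a, t))) and walks the chain C_X(Z), C_Z(Y), C_Y(B) exactly as A does above. It then shows the point made on the certificate slide: a valid certificate for B proves nothing by itself, so B must also sign a fresh challenge with KS_B. The toy textbook RSA (64-bit primes, no padding), SHA-256 as h, the 2002 validity field and the challenge protocol are assumptions for illustration only.

```python
import hashlib
import math
import random

# Toy textbook RSA (64-bit primes, no padding) chosen only so the
# certificate structure is visible end to end. Never use this for real keys.
def _probable_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return n

def keygen(seed, bits=64):
    """Return (KP, KS) = ((n, e), (n, d)); the seed only makes runs repeatable."""
    rng = random.Random(seed)
    p, q = _probable_prime(bits, rng), _probable_prime(bits, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))

def h(*fields):
    """h(KP_a, ID_a, t, ...): SHA-256 over the fields, as an integer."""
    data = "|".join(repr(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(KS, digest):
    n, d = KS
    return pow(digest % n, d, n)

def rsa_verify(KP, digest, sig):
    n, e = KP
    return pow(sig, e, n) == digest % n

def issue_cert(issuer_id, KS_issuer, subject_id, KP_subject, t):
    """C_X(KP_a) = (KP_a, ID_a, t, RSA_KSx(h(KP_a, ID_a, t))), plus the issuer's name."""
    return {"issuer": issuer_id, "ID": subject_id, "KP": KP_subject, "t": t,
            "sig": rsa_sign(KS_issuer, h(KP_subject, subject_id, t))}

def verify_cert(cert, KP_issuer):
    return rsa_verify(KP_issuer, h(cert["KP"], cert["ID"], cert["t"]), cert["sig"])

def verify_chain(chain, trusted_id, trusted_KP):
    """Walk C_X(Z), C_Z(Y), C_Y(B): each certificate must name the previous
    subject as issuer and verify under that subject's key. Returns the last
    subject's (ID, KP), or None if any link fails."""
    issuer_id, KP = trusted_id, trusted_KP
    for cert in chain:
        if cert["issuer"] != issuer_id or not verify_cert(cert, KP):
            return None
        issuer_id, KP = cert["ID"], cert["KP"]
    return issuer_id, KP

def prove_possession(KS, nonce):
    """The owner signs a fresh challenge: this, not the certificate, proves KS."""
    return rsa_sign(KS, h("challenge", nonce))

def check_possession(KP, nonce, proof):
    return rsa_verify(KP, h("challenge", nonce), proof)

def demo():
    KP_X, KS_X = keygen(1)          # A trusts KP_X a priori
    KP_Z, KS_Z = keygen(2)
    KP_Y, KS_Y = keygen(3)
    KP_B, KS_B = keygen(4)
    chain = [issue_cert("X", KS_X, "Z", KP_Z, 2002),
             issue_cert("Z", KS_Z, "Y", KP_Y, 2002),
             issue_cert("Y", KS_Y, "B", KP_B, 2002)]
    chain_ok = verify_chain(chain, "X", KP_X) == ("B", KP_B)
    # An attacker swaps its own key into B's certificate: the signature fails.
    KP_E, KS_E = keygen(5)
    forged_ok = verify_chain(chain[:2] + [dict(chain[2], KP=KP_E)], "X", KP_X) is not None
    # A genuine certificate in the wrong hands: only KS_B passes the challenge.
    nonce = 42
    owner_ok = check_possession(KP_B, nonce, prove_possession(KS_B, nonce))
    impostor_ok = check_possession(KP_B, nonce, prove_possession(KS_E, nonce))
    return chain_ok, forged_ok, owner_ok, impostor_ok

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The chain walk checks two things per link, that the issuer name matches the previous subject and that the signature verifies under the previous subject's key; dropping either check lets an attacker splice a certificate from an unrelated CA into the chain.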


Hierarchical Model

Alternative domain partitionings:
• single domain: all chains start at the Root; every user trusts a priori only KP_Root.
• multiple domains: a chain between two domains starts from the closest common node; each user trusts a priori his closest authority and the Root.

Drawbacks:
• certificate chains can be too long
• lack of centralization in real-life situations

Figure: tree rooted at Root with intermediate authorities Y, Z, X, W and leaf entities A, B, C, D; an arrow U → V means U issues C_U(V).




Internet Security Directions

Cryptographic security: protect only sensitive resources using logical means

Pros
• flexible (service type and security level)
• end-to-end (application and user security)
• no impact on the global network
Cons
• deployment (retrofitting in end-systems)
• cost of migration (protocol impact)

Figure: Internet protocol stack (Data Link, IP, TCP/UDP, OSPF, RIP, BGP, DNS, SNMP, HTTP, SMTP, FTP, TELNET, e-commerce) with a secure virtual channel built using cryptography across the Internet.


Internet Security Directions

Domain Control: isolate the trusted network from the untrusted Internet by filtering traffic across the border

Pros
• no impact on the intranet components
• no impact on application software and users
• ease of deployment for company intranets
Cons
• impediment to the global network concept
• no end-to-end security
• insufficient for e-commerce applications

Figure: Intranet (trusted) | Filter | Internet (untrusted)


Filtering Components

Traffic filtering based on (combination of) :

• packet filters

• application gateways

• circuit gateways


Packet Filters

• Function integrated with packet forwarding

• Principle:
• for each IP packet received from a local interface
• check the packet against the set of access rules
• forward, discard and/or log the packet according to the result of the rule-based verification

• Access rules are based on (a selection of):
• information in the IP and TCP/UDP headers:
- source and destination IP addresses
- source and destination port numbers
- protocol type (TCP/UDP)
- flags (ACK, SYN)
• the identity of the incoming interface
• direction of the packet (in/out)

• implemented by
• router (Cisco)
• IP forwarding code in a host (Linux)
• dedicated device (Checkpoint Firewall-1, Screend, etc.)


Application Gateways

Opposite approach to packet filtering: instead of a general-purpose mechanism for all kinds of traffic, a special-purpose access control mechanism is used for each application.

• Idea: an application gateway is a proxy server. Each proxy server acts as an intermediary between the client and the actual server and performs various verifications on the application protocol exchanged between them.

Generic operation of an application gateway:
• the client first connects to the proxy server
• the proxy server performs authentication and access control verification
• if the client is authorized, the proxy server connects to the actual destination
• further communication between the client and the actual server is relayed through the proxy server, and optional filtering can be applied to the data exchange.

An application gateway is a process, not a host. There is one application gateway per authorized application protocol. Application gateways can be combined with a packet filter.


Application Gateways

Simpler Packet Filtering: basic model for packet filtering with application gateways.

Figure: Network 1 (untrusted) and Network 2 (trusted) are joined by a packet filter with three interfaces; interface 3 leads to the application gateway host (iGW). The only authorized connections are those that pass through the gateway host.


Circuit Gateways

Generic proxy for all TCP-based applications

Basic principle:
• client-server connections are forced to pass through the gateway by a change in the transport layer software of the client.
• relaying takes place at the transport layer (TCP).
• the layers above TCP (application) are not affected at all.

Encapsulation of the client-server connection by a client-gateway connection:

1. Client → GW: connection request (data = server name)
2. GW: verification
3. GW → Server: connection request
4. Server → GW: connection response
5. GW: establish relay
6. GW → Client: connection response
7. Client ↔ GW ↔ Server: data relayed
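The first two steps of the exchange above, the client's connection request carrying the server name and the gateway's verification, as an added Python example that is not part of the lecture. The slide names no wire format; the example assumes SOCKS4/4a CONNECT, the classic circuit-gateway request in which the client ships the server name for the gateway to resolve, and a constructed policy (allowed users, ports and servers). The TCP relay that would follow a granted request is not shown.

```python
import ipaddress
import struct

# Request format assumed for the example: SOCKS4/4a CONNECT.
#   VN=4 | CD=1 | DSTPORT (2) | DSTIP (4) | USERID ... NUL [| HOSTNAME ... NUL]
# In the 4a form DSTIP is 0.0.0.x and the server name follows, so the gateway,
# not the client, resolves it (the slide's "connection request (data = server name)").
GRANTED, REJECTED = 0x5A, 0x5B

def parse_connect(data):
    """Parse the client's connection request; raise ValueError on malformed input."""
    if len(data) < 9 or data[0] != 4 or data[1] != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("unterminated USERID")
    userid, rest = rest[:nul].decode("ascii", "replace"), rest[nul + 1:]
    host = None
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:     # SOCKS4a: name follows
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("unterminated hostname")
        host = rest[:nul].decode("ascii", "replace")
    return {"port": port, "ip": ipaddress.IPv4Address(raw_ip), "host": host, "userid": userid}

def verify(req, policy):
    """The gateway's verification step: may this user reach this server:port?
    policy = {"users": set, "ports": set, "hosts": set} (shape assumed here)."""
    target = req["host"] if req["host"] is not None else str(req["ip"])
    return (req["userid"] in policy["users"]
            and req["port"] in policy["ports"]
            and target in policy["hosts"])

def response(granted, port=0, ip=b"\x00\x00\x00\x00"):
    """Connection response to the client: VN=0, CD=0x5A granted / 0x5B rejected."""
    return struct.pack("!BBH4s", 0, GRANTED if granted else REJECTED, port, ip)

def gateway(data, policy):
    """Return (connection response bytes, parsed request or None)."""
    try:
        req = parse_connect(data)
    except ValueError:
        return response(False), None
    if not verify(req, policy):
        return response(False), req
    # A real gateway now opens the TCP connection to the server and, on its
    # connection response, establishes the relay; the byte relay is not shown.
    return response(True), req

POLICY = {"users": {"alice"}, "ports": {25, 80}, "hosts": {"mail.example.net", "10.0.0.5"}}

def demo():
    """Constructed requests: granted, wrong port, unknown user, not SOCKS at all."""
    good = b"\x04\x01" + struct.pack("!H", 25) + b"\x00\x00\x00\x01" + b"alice\x00mail.example.net\x00"
    bad_port = b"\x04\x01" + struct.pack("!H", 23) + b"\x00\x00\x00\x01" + b"alice\x00mail.example.net\x00"
    bad_user = b"\x04\x01" + struct.pack("!H", 80) + bytes([10, 0, 0, 5]) + b"mallory\x00"
    garbage = b"\x05\x01\x00"
    return [gateway(r, POLICY)[0][1] for r in (good, bad_port, bad_user, garbage)]
```

Note that the USERID field is asserted by the client and is not an authentication; a gateway that relies on it for access control should be deployed only where the client side is itself trusted, or combined with a real authentication step.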


Packet filtering Firewall

• Router blocks all or most access to the internal network.

• Router can allow selective access to services.

• Inherently dangerous services such as NIS, NFS and X11 are usually blocked.

Figure: Local Network | Packet Filter Router | Internet


Dual-Homed Gateway

• Gateway host has a separate interface (network adapter) to each network.
• Packet (IP) forwarding on the gateway is disabled.
• Proxy servers perform application layer access control.

Default condition: only traffic authorized by application gateways can cross the boundary.

In a simple setup, proxy servers for telnet, ftp and http and a mail server can be located on the firewall.

Figure: Local Network | Firewall = bastion host running the proxy servers | Internet


Screened Host Firewall

• the packet filter "forces" all inbound packets to connect to the gateway or "bastion host".
• the packet filter lets out only packets from the gateway.
• proxy servers perform application layer access control.

Main difference from the Dual-homed Gateway: no true network isolation, since the bastion host and the open services sit on the local network itself.

Figure: Internet | Packet Filter Router | Local Network, with the bastion host (proxy servers) and the open services on the local network.


Screened Subnet Firewall

Buffer Subnet = De-militarized Zone (DMZ)

• Internal packet filter "forces" all exit packets to connect to the gateway.
• External packet filter "forces" all entry packets to connect to the gateway or to open services.
• External packet filter lets out only packets from the gateway or from open services.
• Internal packet filter lets in only packets from the gateway.
• Proxy servers perform application layer access control.

Figure: Local Network | Internal Packet Filter Router | De-militarized Zone (bastion host with proxy servers, open services) | External Packet Filter Router | Internet
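The packet-filter principle described earlier (rules over addresses, ports, protocol, flags, incoming interface; first match decides) applied to the two filters of the screened subnet above, as an added Python example that is not part of the lecture. Addresses, interface names and the ACK refinement on the open server's outbound traffic (a practitioner's use of the "flags (ACK, SYN)" criterion so that the open server may only answer connections, never open them) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the screened-subnet figure (values assumed):
INTERNAL = ipaddress.ip_network("10.1.0.0/16")     # local network
BASTION = ipaddress.ip_address("192.0.2.10")       # bastion host (proxy servers) in the DMZ
OPEN_WEB = ipaddress.ip_address("192.0.2.20")      # open service (HTTP) in the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

@dataclass
class Packet:
    iface: str          # incoming interface
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: clear only on the first packet of a connection

@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    iface: str = "*"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "*"
    dport: int = None                         # None = any port
    ack: bool = None                          # None = don't care; True = established only

    def matches(self, p):
        return ((self.iface == "*" or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto == "*" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))

def filter_packet(rules, p):
    """First matching rule decides; a packet matching no rule is discarded."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# External filter (ext0 = Internet side, dmz0 = DMZ side): entry packets may
# reach only the bastion, or port 80 of the open server; only the bastion and
# the open server may send packets out, the open server only as replies (ACK set).
EXTERNAL = [
    Rule("allow", "ext0", ANY, host(BASTION), "tcp"),
    Rule("allow", "ext0", ANY, host(OPEN_WEB), "tcp", 80),
    Rule("allow", "dmz0", host(BASTION), ANY, "tcp"),
    Rule("allow", "dmz0", host(OPEN_WEB), ANY, "tcp", None, True),
    Rule("deny"),
]
# Internal filter (int0 = local network side, dmz0 = DMZ side): exit packets
# only to the bastion; entry packets only from the bastion.
INTERNAL_RULES = [
    Rule("allow", "int0", INTERNAL, host(BASTION)),
    Rule("allow", "dmz0", host(BASTION), INTERNAL),
    Rule("deny"),
]

def demo():
    """Constructed packets: (filter, packet) -> decision."""
    cases = [
        ("external", Packet("ext0", "203.0.113.7", str(BASTION), "tcp", 40000, 25)),        # to proxy
        ("external", Packet("ext0", "203.0.113.7", str(OPEN_WEB), "tcp", 40001, 80)),       # to open service
        ("external", Packet("ext0", "203.0.113.7", str(OPEN_WEB), "tcp", 40002, 22)),       # ssh to open service
        ("external", Packet("ext0", "203.0.113.7", "10.1.2.3", "tcp", 40003, 80)),          # straight inside
        ("external", Packet("dmz0", str(OPEN_WEB), "203.0.113.7", "tcp", 80, 40001, True)),  # web reply
        ("external", Packet("dmz0", str(OPEN_WEB), "203.0.113.7", "tcp", 5555, 6667)),      # server dialing out
        ("internal", Packet("int0", "10.1.2.3", str(BASTION), "tcp", 50000, 8080)),         # inside to proxy
        ("internal", Packet("int0", "10.1.2.3", "203.0.113.7", "tcp", 50001, 80)),          # inside bypassing proxy
        ("internal", Packet("dmz0", str(OPEN_WEB), "10.1.2.3", "tcp", 80, 50002, True)),    # DMZ server into LAN
    ]
    tables = {"external": EXTERNAL, "internal": INTERNAL_RULES}
    return [filter_packet(tables[t], p) for t, p in cases]
```

The last two external cases show why the interface and the ACK flag belong in the rules: without them a compromised open server could open connections to the Internet, and without the internal filter's source restriction it could reach the local network directly.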


Other Useful Tools

• TCP Wrapper (TCP_WRAPPER)
• host-based access control and logging for TCP-based services
• located at each host
• integrated with inetd

• Tripwire
• host-based integrity verification
• detects modification of essential files
• based on hashing

• SATAN, ISS
• vulnerability testing on UNIX networks
• based on well-known security flaws

• COPS
• vulnerability testing on UNIX systems

• ISS RealSecure, NetRanger, etc.
• network intrusion detection
• based on traffic analysis and recognition of well-known attack sequences
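The Tripwire idea from the list above (a hash-based baseline of essential files, compared against the current state to detect modification), as an added Python example that is not Tripwire's own code. The file tree, its contents and the intrusion are constructed inside a temporary directory; the choice of SHA-256 and of size and mode as extra attributes is the example's own.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root to its hash, size and mode."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.lstat(p)
            db[os.path.relpath(p, root)] = {"sha256": file_digest(p),
                                            "size": st.st_size, "mode": st.st_mode}
    return db

def compare(baseline, current):
    """Integrity report: files added, removed, or whose recorded attributes changed."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in baseline.keys() & current.keys()
                               if baseline[k] != current[k])}

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for name, body in (("etc/passwd", b"root:x:0:0::/root:/bin/sh\n"),
                           ("etc/hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        # The baseline is only worth what its storage is worth: keep it on
        # read-only media or a separate host. Here it is merely serialized.
        stored = json.dumps(baseline)
        # Constructed intrusion: a root account appended, a file removed, a file planted.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"evil:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as f:
            f.write(b"/tmp/x.so\n")
        return compare(json.loads(stored), snapshot(root))
```

The check is only as trustworthy as the binary doing the hashing and the medium holding the baseline; an attacker with root can alter both, which is why the tool is run from clean media and the database kept out of reach.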




Cryptographic Security

Figure: Internet protocol stack showing where each security mechanism applies. Layers and protocols: Data Link Layer (ATM, xDSL, Ethernet; ARP, RARP), Internet Protocol (ICMP, IGMP, OSPF), Transmission Control Protocol, User Datagram Protocol, Domain Name System, SNMP, Routing Information Protocol, EGP, BGP. Security labels: Internet Layer Security, Transport Layer Security, Routing Security.


Internet Layer Security Architecture

IPsec, RFC 2401 (Architecture Document)

• IP Authentication Header (IP AH)
• IP Encapsulating Security Payload (ESP)
• Keyed Hash Functions
• Key management and Security Associations

• No protection for ARP in IPv4
• Secure equivalent in IPv6 using ICMP (Neighbor Discovery)


IP Authentication Header

Cryptographic authentication for IPv4 and IPv6 datagrams, RFC 2402

Services provided:

• support for variable functions and parameters (SPI)

• data origin authentication

• data integrity

• replay detection

Services not provided:

• confidentiality

• traffic secrecy

• denial of service detection


IP AH

Header layout (bit offsets 0, 8, 16, 24 in the figure):
• Security Parameter Index (SPI)
• Sequence Number
• Authentication Data (variable)

Figure: the secure hash function is computed over the IP datagram with the mutable fields set to zero and the Authentication Data field itself set to zero; the result is written into the Authentication Data field.


IP AH

• Transport mode AH placement in the IP datagram:
IPv4: Original IP Header | AH | TCP | Data
IPv6: Original IP Header | Hop-by-hop extensions | AH | End-to-end extensions | TCP | Data

• Tunnel mode AH placement in the IP datagram:
Encapsulating IP Header | AH | Original IP Header + extension fields | TCP | Data

In every case the coverage of authentication is the whole datagram except for the mutable fields.


IP AH

Secure Hash Function alternatives:

• Keyed MD5 (RFC 1828): MD5 over Key + padding | IP packet | Key | padding (n x 512-bit blocks), giving 128 bits of Authentication Data

• HMAC (RFC 2104):
$\mathrm{HMAC}(K, \text{text}) = H\big((K \oplus \text{pad}_1)\ \|\ H\big((K \oplus \text{pad}_2)\ \|\ \text{text}\big)\big)$
with $\text{pad}_1$ = opad (byte 0x5c repeated to the block size) and $\text{pad}_2$ = ipad (byte 0x36 repeated)

• Asymmetric or symmetric encryption of the MD5 output
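The two preceding slides together, as an added Python example that is not part of the lecture: HMAC written out from the formula above (and cross-checked against the library implementation), then used to compute a transport-mode AH Authentication Data field over a constructed IPv4 datagram with the mutable fields (ToS, flags/fragment offset, TTL, header checksum) and the ICV field zeroed, as the earlier figure shows. The key, addresses and payload are constructed; the 96-bit truncation is HMAC-MD5-96 as used by IPsec, and the AH "payload length" value follows RFC 2402 (length in 32-bit words minus 2).

```python
import hashlib
import hmac
import struct

def hmac_from_formula(key, text, H=hashlib.md5, block=64):
    """HMAC(K, text) = H((K xor opad) || H((K xor ipad) || text)), RFC 2104.
    opad and ipad are the slide's pad_1 and pad_2: bytes 0x5c and 0x36 repeated."""
    if len(key) > block:
        key = H(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    return H(opad + H(ipad + text).digest()).digest()

def matches_stdlib(key, text):
    """Cross-check of the formula against the library implementation."""
    return hmac_from_formula(key, text) == hmac.new(key, text, hashlib.md5).digest()

IPV4 = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
AH = "!BBHII"            # next header, payload len, reserved, SPI, sequence number

def ipv4_header(ttl, src, dst, total_len, proto=51):    # 51 = AH
    return struct.pack(IPV4, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """Fields that legitimately change in transit (ToS, flags/fragment offset,
    TTL, header checksum) are treated as zero when the hash is computed."""
    f = list(struct.unpack(IPV4, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4, *f)

def ah_icv(key, ip_hdr, spi, seq, payload, next_header=6):
    """Transport-mode AH: ICV = HMAC-MD5 over (immutable IP header || AH with
    the ICV field zeroed || upper-layer data), truncated to 96 bits."""
    ah_fixed = struct.pack(AH, next_header, 4, 0, spi, seq)   # (24 bytes / 4) - 2 = 4
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(12) + payload
    return hmac_from_formula(key, covered)[:12]

def build_ah_packet(key, ip_hdr, spi, seq, payload):
    return ip_hdr + struct.pack(AH, 6, 4, 0, spi, seq) + ah_icv(key, ip_hdr, spi, seq, payload) + payload

def verify_ah_packet(key, packet):
    """Receiver side: recompute the ICV over the received datagram."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    next_header, _, _, spi, seq = struct.unpack(AH, ah[:12])
    expected = ah_icv(key, ip_hdr, spi, seq, payload, next_header)
    return hmac.compare_digest(ah[12:24], expected), spi, seq

def demo():
    key = b"constructed-16-byte-key!"[:16]
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"TCP segment (constructed)"
    pkt = build_ah_packet(key, ipv4_header(64, src, dst, 44 + len(payload)), 0x1001, 7, payload)
    ok_at_sender = verify_ah_packet(key, pkt)[0]
    routed = pkt[:8] + bytes([63]) + pkt[9:]          # a router decremented the TTL (mutable)
    ok_after_hop = verify_ah_packet(key, routed)[0]
    spoofed = pkt[:16] + bytes([10, 0, 0, 9]) + pkt[20:]   # destination rewritten (immutable)
    ok_spoofed = verify_ah_packet(key, spoofed)[0]
    return ok_at_sender, ok_after_hop, ok_spoofed
```

The TTL change survives verification and the address change does not, which is exactly the property the "except for mutable fields" coverage buys: AH authenticates what the end systems care about while letting routers do their job.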


IP Encapsulating Security Payload

RFC 2406

Services provided:
• data confidentiality
• data integrity with replay detection
• traffic confidentiality (optional)

Packet layout (bit offsets 0, 8, 16, 24 in the figure):
• Security Parameter Index (SPI)
• Sequence Number
• Payload
• Padding
• Authentication Data (variable)

Coverage of confidentiality: Payload and Padding. Coverage of authentication: SPI, Sequence Number, Payload and Padding (the Authentication Data field itself is not covered).


IP ESP

Transport mode:
IPv4: Original IP Header | SPI, Seq. Nr. (ESP header) | TCP, Data, Padding (ESP payload) | Auth. Data (ESP trailer)
IPv6: Original IP Header | Hop-by-hop extensions | SPI, Seq. Nr. (ESP header) | end-to-end extensions, TCP, Data, Padding (ESP payload) | Auth. Data (ESP trailer)

Tunnel mode:
New IP Header | new extensions | SPI, Seq. Nr. (ESP header) | original IP Header, TCP, Data, Padding (the original IP datagram as ESP payload) | Auth. Data (ESP trailer)

In each mode the coverage of confidentiality is the ESP payload and padding; the coverage of authentication is the ESP header plus the payload and padding.


End-to-end security with IPsec

Figure: Host 1 and Host 2 connected through the Internet or an intranet; one or more SAs applied to the same traffic stream. IP1: original IP header, IP2: encapsulating IP header, ULH: Upper Layer Header.

Transport mode:
• IP1 | AH | ULH
• IP1 | ESP | ULH
• IP1 | AH | ESP | ULH (two SAs applied to the same traffic stream)

Tunnel mode:
• IP2 | AH | IP1 | ULH
• IP2 | ESP | IP1 | ULH


Simple virtual private network with IPsec

Figure: Host 1 on Intranet 1, Security Gateway SG 1, Internet, Security Gateway SG 2, Host 2 on Intranet 2. Tunnel mode between SG 1 and SG 2:
• IP2 | AH | IP1 | ULH
• IP2 | ESP | IP1 | ULH


Remote access with IPsec

Figure: Host 1 on the Internet, Security Gateway SG at the intranet border, Host 2 on the intranet. Two security associations, SA 1 and SA 2, are applied to the same traffic between Host 1 and Host 2.


Internet Security Architecture

Figure: the same protocol stack as under "Cryptographic Security". Layers and protocols: Data Link Layer (ATM, xDSL, Ethernet; ARP, RARP), Internet Protocol (ICMP, IGMP, OSPF), Transmission Control Protocol, User Datagram Protocol, Domain Name System, SNMP, Routing Information Protocol, EGP, BGP. Security labels: Internet Layer Security, Transport Layer Security, Routing Security.


Transport Layer Security (TLS) Protocol

RFC 2246, based on Secure Sockets Layer (SSL) from Netscape Communications

Services provided:
• peer entity authentication
• data confidentiality
• data integrity (with replay detection)
• generation/distribution of session keys
• security parameter negotiation

Two sub-layers:
• TLS Record Protocol
• TLS Handshake Protocol
• the Record sub-layer encapsulates Application Data and the Handshake Protocol


TLS Handshake Protocol

Session negotiation between peer transport entities. A session consists of:
• session Id
• X.509 public-key certificate of the peer
• compression algorithm
• encryption algorithm
• MAC algorithm (MD5, SHA, etc.)
• cryptographic attributes
- Session data are used by the TLS Record Layer for encryption and integrity protection of higher layer protocols
- A session can be reused by several transport connections.

Figure (message flow):
Client → Server: ClientHello
Server → Client: ServerHello, Certificate, ServerKeyExchange
Client → Server: Certificate, ClientKeyExchange
Client ↔ Server: Application Data


WWW Security

Vulnerabilities:

• HTTP: risks due to communication over the Internet

• CGI: malicious script can expose server resources

• Java: malicious applet can expose client resources

Figure: browser (local resources, applet) ↔ HTTP (url) ↔ server (local resources, CGI gateway program)


HTTP and CGI Security

Client-server communication:
• Standard: authentication by the server
• base64-encoded cleartext passwords (HTTP Basic authentication: encoding, not encryption)
• domain-based access control
• per subtree of the html document directory

• application layer: Secure HTTP
• transport layer: SSL from Netscape (see Transport Layer Security)
• proxy server to filter traffic at the domain boundary

CGI:
• restricted access to the cgi-bin directory
• verification of user-provided parameters in the cgi scripts
• limited use of the setuid bit with cgi scripts
• limited use of process creation in cgi scripts
• hide the source of cgi scripts from the net
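The two CGI rules "verification of user-provided parameters" and "limited use of process creation" side by side, as an added Python example that is not part of the lecture: a finger-style script that builds a command from a query parameter, first in the deliberately vulnerable form (the parameter pasted into a shell command string) and then hardened (allow-list check, argv list executed without a shell). The query strings are constructed; the allow-list pattern and the use of "--" to end option parsing are the example's own choices.

```python
import re
from urllib.parse import parse_qs

# A finger-style CGI script: it runs a command on a user-supplied name.

def build_command_vulnerable(query_string):
    """Deliberately vulnerable: the parameter is pasted into a shell command
    string (the original script would hand it to os.system or popen)."""
    user = parse_qs(query_string).get("user", [""])[0]
    return "finger " + user

USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # allow-list, not a deny-list of metacharacters

def build_command_hardened(query_string):
    """Verify the parameter against an allow-list and never let a shell parse
    it: return an argv list for execution without a shell (subprocess.run
    without shell=True, or execve), or None when the input is rejected.
    The '--' (getopt convention) stops a name such as '-l' being read as an option."""
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME.fullmatch(user):
        return None
    return ["finger", "--", user]

def demo():
    attack = "user=alice%3B+cat+/etc/passwd"       # decodes to "alice; cat /etc/passwd"
    return (build_command_vulnerable(attack),      # "finger alice; cat /etc/passwd": two commands
            build_command_hardened(attack),        # None: rejected
            build_command_hardened("user=-l"),     # None: would become an option to finger
            build_command_hardened("user=alice"))  # ["finger", "--", "alice"]
```

The hardened version still creates a process, which the slide asks to limit; where the data can be obtained without one (a library call, a database query) that is the better fix, and the allow-list check remains necessary in either case.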


Mobile Code

A malicious applet (executable content) can cause:
- disclosure of client information
- modification of client information
- denial of service on client resources

Flexibility and power at the cost of higher risk

Figure: an applet downloaded over the network into the browser on the client, with access to the client's libraries.


Java Security

Language features
• object-oriented data encapsulation
• type-safety
• final attribute
• absence of pointers
• garbage collection
• namespace encapsulation

Protection against malicious Applets: Sandbox Approach

Bytecode Verifier converts bytecode from the network into a local class, checking:
• stack overflows
• pointers
• access restrictions
• object and method access

Class Loader
• protects integrity of local classes
• forces class import from the origin node
• signature verification by a subtyped SignedClassLoader

Security Manager
• access control by the runtime environment (browser)
• used by the other objects




Multicast Security

• Key Management

• Data Origin Authentication

• Data Confidentiality


Key Management

• Security requirements
– membership (JOIN/LEAVE) security
– containment

• Scalability
– processing cost
– membership dynamics

• No group-wide re-key message
– treat the group as a single entity

• Existing algorithms:
– one key for the whole group
– the group is a set of subgroups: different keys in each subgroup


Multicast Key management

• Keygraphs [Wong et al. 98]

Figure: binary key tree over users u1 ... u8.
Root: K0 (= Group Key)
Level 1: K1234, K5678
Level 2: K12, K34, K56, K78
Leaves: K1 ... K8 (one per user)

u4's keys = {K4, K34, K1234, K0}

u4 JOINS: trivial

u4 LEAVES: every key on u4's path is replaced and sent under keys u4 does not hold:
{K34', K1234', K0'}_K3 → u3
{K1234', K0'}_K12 → u1, u2
{K0'}_K5678 → u5, u6, u7, u8

advantage: the number of re-key messages is logarithmic in the group size

drawback: there is no containment.
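The LEAVE procedure above, generalized to any group of n = 2^d users, as an added Python example that is not part of the lecture or of the Keygraph paper's code. It reproduces the three messages of the u4 example and checks the two properties the slide relies on: the leaving user holds none of the encrypting keys, and every remaining user holds exactly one of them. Key names follow the slide (K0 for the group key, otherwise the users below the node); the encryption itself is not modelled, only which key encrypts which message.

```python
def key_name(users, n):
    """K0 for the group key, otherwise the key named after the users below it."""
    users = list(users)
    return "K0" if len(users) == n else "K" + "".join(str(u) for u in users)

def user_keys(n, u):
    """Keys held by user u: its leaf key and every key on the path to the root."""
    keys, lo, size = [], u - 1, 1
    while size <= n:
        start = (lo // size) * size
        keys.append(key_name(range(start + 1, start + size + 1), n))
        size *= 2
    return keys

def rekey_on_leave(n, leaving):
    """Re-key messages when `leaving` leaves a group of n = 2^d users.
    Every key on the leaving user's path is replaced; each replacement set is
    sent once per sibling subtree, encrypted with that subtree's key, which
    the leaving user never held. Returns [(encrypting key, [new keys])]."""
    msgs, lo, size = [], leaving - 1, 1
    while size < n:
        parent_start = (lo // (2 * size)) * (2 * size)
        sib_start = parent_start if (lo // size) % 2 == 1 else parent_start + size
        sibling = key_name(range(sib_start + 1, sib_start + size + 1), n)
        new_keys, s, p = [], 2 * size, parent_start          # parent and all its ancestors
        while s <= n:
            new_keys.append(key_name(range(p + 1, p + s + 1), n) + "'")
            p = (p // (2 * s)) * (2 * s)
            s *= 2
        msgs.append((sibling, new_keys))
        size *= 2
    return msgs

def rekey_is_sound(n, leaving):
    """The leaving user can open none of the messages, every remaining user
    can open one, and only log2(n) messages are needed."""
    msgs = rekey_on_leave(n, leaving)
    enc_keys = {k for k, _ in msgs}
    left_out = not enc_keys & set(user_keys(n, leaving))
    reached = all(enc_keys & set(user_keys(n, u)) for u in range(1, n + 1) if u != leaving)
    return left_out and reached and len(msgs) == n.bit_length() - 1
```

The missing containment the slide mentions is visible in the output: a compromise of K0 exposes the whole group's traffic, and a compromised subtree key such as K5678 exposes every rekey of K0 sent under it.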


Multicast Key Management: Sub-group approach

• Iolus [Mittra, 97]
• intermediate nodes involved in key distribution

Figure: a GSC above a tree of GSIs, each subgroup having its own key (K1 ... K6).

GSC (Group Security Controller) defines the groups and the GSIs.
GSI (Group Security Intermediary): 1 - decrypts M with the key of its group; 2 - re-encrypts M with the key of the other group it belongs to.

advantage: containment + scalability

disadvantage: the GSIs must be trusted


Multicast Key Management: Sub-group Approach

• [Molva et al. 99]
• Based on asymmetric algorithms

Figure: tree of intermediate nodes rooted at the source a1, with a2 below it, then a3, a4, a5, then a6, a7; each node a_i holds its own exponent.

Source sends: $S_1 = S_0^{a_1} \bmod p$

Recipients in the subgroup below a7 receive: $S_4 = S_0^{a_1 a_2 a_3 a_7} \bmod p$, i.e. each intermediate node on the path raises the value it receives to its own exponent.


Multicast Key Management (4/4)

• MARKS [Briscoe 99]

Figure: binary tree of seeds rooted at t0; t1, t2 are the children of t0; t3, t4 of t1; t5, t6 of t2; t7 ... t10 of t3, t4 and t11 ... t14 of t5, t6. A left child is L(parent) and a right child is R(parent); the leaves t7 ... t14 are the segment keys k1 ... k8.

Access to segments between s4 and s8 using t2 and t10:
k4 = t10; k5 = L(L(t2)); etc.

L and R are one-way functions.
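The MARKS tree above as an added Python example that is not part of the lecture or of the MARKS paper: the sender derives every seed from t0, computes the minimal set of subtree roots that covers a purchased range of segments (t10 and t2 for segments 4 to 8, as on the slide), and the receiver derives its segment keys from those seeds alone. L and R are instantiated here as SHA-256 with a distinguishing prefix, an assumption; the root seed is constructed.

```python
import hashlib

def L(x):                       # assumed instantiation of the one-way functions
    return hashlib.sha256(b"L" + x).digest()

def R(x):
    return hashlib.sha256(b"R" + x).digest()

SEGMENTS = 8                    # leaves k1..k8 = t7..t14 as in the figure
FIRST_LEAF = SEGMENTS - 1       # heap numbering: children of t_i are t_{2i+1} (L) and t_{2i+2} (R)

def node_value(t0, i):
    """Sender side: derive t_i from the root seed by walking down from t0."""
    if i == 0:
        return t0
    parent = node_value(t0, (i - 1) // 2)
    return L(parent) if i % 2 == 1 else R(parent)

def seg_key(t0, j):
    """k_j for segment j (1-based)."""
    return node_value(t0, FIRST_LEAF + j - 1)

def min_cover(lo, hi, node=0, nlo=1, nhi=SEGMENTS):
    """Smallest set of subtree roots whose leaves are exactly segments lo..hi."""
    if hi < nlo or lo > nhi:
        return []
    if lo <= nlo and nhi <= hi:
        return [node]
    mid = (nlo + nhi) // 2
    return (min_cover(lo, hi, 2 * node + 1, nlo, mid)
            + min_cover(lo, hi, 2 * node + 2, mid + 1, nhi))

def derive_from_cover(cover_values, j):
    """Receiver side: k_j from the seeds it was given ({node index: value}),
    or None when j lies outside the purchased range: the receiver would have
    to invert L or R to climb above the seeds it holds."""
    i = FIRST_LEAF + j - 1
    path = []
    while i not in cover_values and i > 0:
        path.append(i)
        i = (i - 1) // 2
    if i not in cover_values:
        return None
    v = cover_values[i]
    for child in reversed(path):
        v = L(v) if child % 2 == 1 else R(v)
    return v

def demo(t0=b"constructed root seed t0"):
    cover = min_cover(4, 8)                           # expect [10, 2]: t10 and t2
    given = {i: node_value(t0, i) for i in cover}     # what the sender hands out
    ok = all(derive_from_cover(given, j) == seg_key(t0, j) for j in range(4, 9))
    locked = derive_from_cover(given, 3) is None      # segment 3 was not purchased
    return cover, ok, locked
```

A receiver therefore gets at most 2·log2(number of segments) seeds for any contiguous range, and nothing it holds lets it compute keys outside that range, which is what makes the scheme fit for pay-per-view style access without per-segment rekeying.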


Broadcast Encryption (2/3)

• k-resilient scheme [Fiat et al. 1994]

Figure: server S broadcasting to users u1, u2, u3, ... un.

Every user u_i is assigned a set of keys K_i.

S sends {M}_K and a key envelope to a user set T.

Each user in T retrieves K from the key envelope using K_i.

Mathematically proven k-resilient: no coalition of up to k excluded users can recover K.


Broadcast encryption (3/3)

• f-redundant key cover schemes [Abdalla et al. 2000]

U = universe of users u_i
K_i = sets of users (one key per set)
k(u_i) = {K_j | u_i ∈ K_j}, the keys held by user u_i

Figure: U contains users u2 ... u13, covered by the overlapping sets K1 ... K5.

S → {u2, u6, u10, u12}: M

S computes Cmin(K) and sends the same message encrypted with the keys in Cmin(K) (minimal key cover).

=> f-redundancy: some users outside the intended destination group will be able to access M


Data Encryption (1/3)

• [Pannetrat et al. 2002] Based on the same idea as the key distribution algorithm using intermediate nodes

• Symmetric encryption in XOR-Counter mode.

– Several layers of encryption are applied at the source and removed at the recipients.

– Only two operations in the intermediate elements

• one decryption

• one encryption


Data Encryption (2/3)

• Link Model

Figure: P_i denotes the keystream layer derived from key k_i. The source, holding k1, k2, k3, sends m under three layers (m ⊕ P1 ⊕ P2 ⊕ P3). Each intermediate node holds two keys, removes one layer and adds one:
node 1 (k1, k4): m ⊕ P1 ⊕ P2 ⊕ P3 → m ⊕ P2 ⊕ P3 ⊕ P4
node 2 (k2, k5): → m ⊕ P3 ⊕ P4 ⊕ P5
node 3 (k3, k6): → m ⊕ P4 ⊕ P5 ⊕ P6
node 4 (k4, k7): → m ⊕ P5 ⊕ P6 ⊕ P7
The recipients, holding k5, k6, k7, remove the last three layers and recover m.
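The link model above, as an added Python example that is not part of the lecture or of the paper: XOR-counter-mode layers applied by the source, one layer swapped at each intermediate node, three layers removed by the recipient. The keystream is instantiated with HMAC-SHA256 over a counter (an assumption; the slides fix no primitive), and the keys and payload are constructed. The check at each node shows why the intermediates need not be trusted with the content: with only its two keys, no node can strip all the layers present on the data it relays.

```python
import hashlib
import hmac

def keystream(key, length, counter=0):
    """Counter mode: P = H(key, counter) || H(key, counter+1) || ... cut to length.
    Instantiated with HMAC-SHA256 (assumed). The counter must never repeat
    under one key: advance it per packet on every node."""
    out, i = b"", counter
    while len(out) < length:
        out += hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

def xor_layer(key, data, counter=0):
    """Apply or remove the layer P_key: both are the same XOR, which is why
    an intermediate element really does one decryption and one encryption."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data), counter)))

def source_encrypt(keys, m, counter=0):
    c = m
    for k in keys:
        c = xor_layer(k, c, counter)
    return c

def intermediate_relay(remove_key, add_key, c, counter=0):
    return xor_layer(add_key, xor_layer(remove_key, c, counter), counter)

def recipient_decrypt(keys, c, counter=0):
    return source_encrypt(keys, c, counter)        # XOR layers commute

def node_can_read(keys, c, m, counter=0):
    """Could an intermediate holding only `keys` reach m? It can try each of
    its keys alone and both together; nothing else is available to it."""
    a, b = keys
    attempts = (xor_layer(a, c, counter), xor_layer(b, c, counter),
                xor_layer(b, xor_layer(a, c, counter), counter))
    return any(x == m for x in attempts)

def demo(m=b"multicast payload (constructed)", counter=0):
    k = {i: f"k{i}".encode() for i in range(1, 8)}          # constructed keys k1..k7
    c = source_encrypt([k[1], k[2], k[3]], m, counter)      # m + P1 + P2 + P3
    hops = [(k[1], k[4]), (k[2], k[5]), (k[3], k[6]), (k[4], k[7])]   # link model
    leaked = False
    for remove_key, add_key in hops:
        leaked |= node_can_read((remove_key, add_key), c, m, counter)
        c = intermediate_relay(remove_key, add_key, c, counter)        # e.g. P1 out, P4 in
    recovered = recipient_decrypt([k[5], k[6], k[7]], c, counter)      # recipients hold k5, k6, k7
    return recovered == m, leaked
```

Because every operation is an XOR with a keystream, the cost at an intermediate is independent of how many layers the data carries; the price is that the scheme provides confidentiality only, and a separate mechanism (see Multicast Authentication) must cover integrity.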


Data Encryption (3/3)

• Group Model

Figure: the same layered scheme over a tree of groups; the figure labels edges with k2, k10, k2 and k5, and the recipient groups with the key sets {k5, k6, k7}, {k5, k6, k8} and {k3, k4, k10}.


Multicast Authentication (1/4)

• Requirements
– A Multiparty Problem
• one source and an unlimited number of recipients
• the source does not trust the recipients, so the authentication technique must be asymmetric
– A Packet Streaming Problem
• individual authentication of each packet
• authentication of packet sequences
• cost per packet
• packet loss rate
• real time

• A digital signature per packet is not a practical solution
• 1 digital signature for a set of packets
• Packet chaining using hash functions


Multicast Authentication (2/4)

• TESLA [Perrig et al. 2000]

• Lamport's hash chaining as in S/Key:
K_0, K_1, K_2, ..., K_n with K_i = h(K_{i+1})

• Authenticated multicast message sent in time interval i:
M_i, MAC(K_i, M_i), K_{i-1}

• M_i is authenticated using a later message in the stream (the one that discloses K_i)

• Synchronization required to detect replays: K_j is only valid in interval I_j

• The first message is asymmetrically authenticated using a digital signature.
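The TESLA exchange above with both sides, as an added Python example that is not part of the lecture or of the TESLA authors' code: the sender builds the chain K_i = h(K_{i+1}) and emits (M_i, MAC(K_i, M_i), K_{i-1}) in interval i; the receiver, who got K_0 from the signed first message (the signature itself is not modelled, K_0 is handed over directly), checks each disclosed key against the chain, enforces the interval condition (a packet for interval i that arrives after interval i is dropped, since K_i may already be public) and authenticates buffered packets once their key is disclosed. Hash and MAC choices, the disclosure delay of one interval and the traffic are constructed.

```python
import hashlib
import hmac

def h(x):
    return hashlib.sha256(x).digest()

def mac(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def make_chain(n, seed):
    """K_n = seed, K_i = h(K_{i+1}); K_0 is the commitment sent signed."""
    keys = [None] * (n + 1)
    keys[n] = seed
    for i in range(n - 1, -1, -1):
        keys[i] = h(keys[i + 1])
    return keys

class Sender:
    def __init__(self, n, seed):
        self.keys = make_chain(n, seed)

    def packet(self, i, m):
        """Sent during interval I_i: M_i, MAC(K_i, M_i), K_{i-1} (disclosure delay 1)."""
        return (i, m, mac(self.keys[i], m), self.keys[i - 1])

class Receiver:
    def __init__(self, k0):
        self.j, self.kj = 0, k0            # latest verified key index and value
        self.buffer, self.authentic = {}, []

    def key(self, idx):
        """K_idx for idx <= j, by hashing the latest verified key down the chain."""
        v = self.kj
        for _ in range(self.j - idx):
            v = h(v)
        return v

    def receive(self, pkt, arrival_interval):
        i, m, tag, k_prev = pkt
        # Safety condition: K_i is disclosed in interval i+1, so a packet that
        # arrives later than I_i could have been forged with the disclosed key.
        if arrival_interval > i:
            return "unsafe"
        # Authenticate the disclosed key against the chain commitment.
        if i - 1 > self.j:
            v = k_prev
            for _ in range(i - 1 - self.j):
                v = h(v)
            if v != self.kj:
                return "bad key"
            self.j, self.kj = i - 1, k_prev
        elif k_prev != self.key(i - 1):
            return "bad key"
        self.buffer[i] = (m, tag)
        # Every buffered packet whose key is now verified can be checked.
        for idx in sorted(self.buffer):
            if idx <= self.j:
                bm, bt = self.buffer.pop(idx)
                if hmac.compare_digest(mac(self.key(idx), bm), bt):
                    self.authentic.append((idx, bm))
        return "buffered"

def demo():
    s = Sender(6, b"constructed chain seed")
    r = Receiver(s.keys[0])              # K_0 assumed obtained via the signed first message
    status = [r.receive(s.packet(1, b"m1"), 1),          # buffered, K_1 not yet disclosed
              r.receive(s.packet(2, b"m2"), 2)]          # discloses K_1: m1 becomes authentic
    i, m, tag, k = s.packet(3, b"m3")
    status.append(r.receive((i, b"forged", tag, k), 3))  # buffered now, fails its MAC later
    status.append(r.receive(s.packet(4, b"m4"), 4))      # discloses K_3: forgery dropped
    status.append(r.receive(s.packet(5, b"m5"), 6))      # arrives after I_5: unsafe
    return status, [idx for idx, _ in r.authentic]
```

Loss tolerance comes for free from the chain: a receiver that missed several packets still validates a later disclosed key by hashing it forward to the last key it verified, and then authenticates whatever it still holds in its buffer.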


Multicast Authentication (3/4)

• [Pannetrat et al. 2002]

Figure: a stream of packets P ... P; hashes chain the packets together, one signature (Sign) covers the chain, and erasure codes (E.C.1, E.C.2) spread the signature and hash information over the packets.

Advantages:

• Spread the cost of a signature over several packets.

• Erasure code to tolerate losses.

• No need to send duplicate hash values


Multicast Authentication (4/4)

• Alternative feedback schemes

Figure: three rows of packets (8, 8 and 4 packets) illustrating alternative chaining patterns.


Thank You