Computer Security: Principles and Practice, 1/e


Internet Security Protocols and Standards
Weekly Security News
https://nakedsecurity.sophos.com/tag/60-second-security/
MIME
• Extension to the old
RFC 822 specification
of an Internet mail
format
o RFC 822 defines a simple
heading with To, From, Subject
o Assumes ASCII text format
• Provides a number of
new header fields that
define information
about the body of the
message
S/MIME
• Secure/Multipurpose
Internet Mail Extension
• Security enhancement
to the MIME Internet
e-mail format
o Based on technology from
RSA Data Security
• Provides the ability to
sign and/or encrypt
e-mail messages
Figure 22.1 Typical S/MIME Process for Creating an S/MIME Message
[Figure: the plaintext message (unsigned) from Bob to Alice has a digital signature added using Bob's private key (DSS/SHA); the message with signature is encrypted with a one-time session key (Triple DES); an encrypted copy of the session key, produced with Alice's public key, is added (El Gamal); the document is converted to Radix-64 format.]
Signed and Clear-Signed
Data
• Default algorithms used for signing messages are
DSS and SHA-1
• RSA public-key encryption algorithm can be used
with SHA-1 or the MD5 message digest algorithm for
forming signatures
• Radix-64 or base64 mapping is used to map the
signature and message into printable ASCII
characters
S/MIME Public Key
Certificates
• Default algorithms used for encrypting S/MIME
messages are 3DES and ElGamal
o ElGamal is based on the Diffie-Hellman public-key exchange algorithm
• If encryption is used alone radix-64 is used to
convert the ciphertext to ASCII format
• Basic tool that permits widespread use of S/MIME is
the public-key certificate
• S/MIME uses certificates that conform to the
international standard X.509v3
• Enveloped data: encrypted content and associated keys
• Signed data: encoded message + signed digest
• Clearsigned data: cleartext message + encoded signed digest
• Signed and enveloped data: nesting of signed and encrypted entities
DomainKeys Identified
Mail (DKIM)
• Specification of cryptographically signing e-mail
messages permitting a signing domain to claim
responsibility for a message in the mail stream
• Proposed Internet Standard (RFC 4871: DomainKeys
Identified Mail (DKIM) Signatures)
• Has been widely adopted by a range of e-mail
providers
Figure 22.2 Function Modules and Standardized Protocols Used Between Them
[Figure: modules shown are the message author, message user agent (MUA), mail submission agent (MSA), message transfer agents (MTA) within the message handling system (MHS), mail delivery agent (MDA), message store (MS), a second MUA, and the message recipient; the links between them are labeled SMTP, (SMTP, local), and (IMAP, POP, local).]
Figure 22.3 Simple Example of DKIM Deployment
[Figure: a mail origination network (MUA, MSA, Signer, MTA) and a mail delivery network (MTA, Verifier, MDA, MUA); links are labeled SMTP, POP/IMAP, and DNS public key query/response.]
DNS = domain name system
MDA = mail delivery agent
MSA = mail submission agent
MTA = message transfer agent
MUA = message user agent
Question?
• How can we download normal email or web
pages so that the content is hidden?
Answer – SSL/TLS
• We can do so with TLS or SSL. Transport Layer Security (TLS) and
Secure Sockets Layer (SSL) are cryptographic protocols that
provide security and data integrity for communications over
networks such as the Internet.
• TLS and SSL encrypt the segments of network connections at the
Transport Layer end-to-end.
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS)
• One of the most widely used security services
• General-purpose service implemented as a set of protocols that rely on TCP
• Subsequently became Internet standard RFC4346: Transport Layer Security (TLS)
• Two implementation choices:
o Provided as part of the underlying protocol suite
o Embedded in specific packages
Figure 22.4 SSL/TLS Protocol Stack
[Figure: the Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol, HTTP, and Heartbeat Protocol sit on top of the Record Protocol, which runs over TCP, which runs over IP.]
TLS Concepts
TLS Session
• An association between
a client and a server
• Created by the
Handshake Protocol
• Define a set of
cryptographic security
parameters
• Used to avoid the
expensive negotiation of
new security parameters
for each connection
TLS Connection
• A transport (in the OSI
layering model definition)
that provides a suitable
type of service
• Peer-to-peer relationships
• Transient
• Every connection is
associated with one
session
Figure 22.5 TLS Record Protocol Operation
[Figure: Application Data → Fragment → Compress → Add MAC → Encrypt → Append SSL Record Header]
Change Cipher Spec Protocol
• One of four TLS specific protocols that use the TLS
Record Protocol
• Is the simplest
• Consists of a single message which consists of a
single byte with the value 1
• Sole purpose of this message is to cause pending
state to be copied into the current state
• Hence updating the cipher suite in use
Alert Protocol
• Conveys TLS-related alerts to peer entity
• Alert messages are compressed and encrypted
• Each message consists of two bytes:
o First byte takes the value warning (1) or fatal (2) to convey the severity of the message
o Second byte contains a code that indicates the specific alert
• If the level is fatal, TLS immediately terminates the connection
o Other connections on the same session may continue, but no new connections on this session may be established
Handshake Protocol
• Most complex part of TLS
• Is used before any application data are transmitted
• Allows server and client to:
o Authenticate each other
o Negotiate encryption and MAC algorithms
o Negotiate cryptographic keys to be used
• Comprises a series of messages exchanged by
client and server
• Exchange has four phases
Figure 22.6 Handshake Protocol Action
[Figure: messages exchanged between Client and Server over time, in four phases]
• Phase 1 (client_hello, server_hello): Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers.
• Phase 2 (certificate, server_key_exchange, certificate_request, server_hello_done): Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase.
• Phase 3 (certificate, client_key_exchange, certificate_verify): Client sends certificate if requested. Client sends key exchange. Client may send certificate verification.
• Phase 4 (change_cipher_spec, finished, sent by each side): Change cipher suite and finish handshake protocol.
Note: Shaded transfers are optional or situation-dependent messages that are not always sent.
Heartbeat Protocol
• A periodic signal generated by hardware or software to
indicate normal operation or to synchronize other parts
of a system
• Typically used to monitor the availability of a protocol
entity
• Defined in 2012 in RFC 6250
• Runs on top of the TLS Record Protocol
• Use is established during Phase 1 of the Handshake
Protocol
• Each peer indicates whether it supports heartbeats
• Serves two purposes:
o Assures the sender that the recipient is still alive
o Generates activity across the connection during idle periods
Heartbleed
• The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
• OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, or a site you install software from might be using vulnerable OpenSSL.
• Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services.
• The most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software.
• The bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
• Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users.
• Bugs in single software or library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.
The Code Segment
The Heartbleed bug is in OpenSSL’s TLS heartbeat implementation. Generally, the goal
of this heartbeat is to be able to verify that a connection is still open by sending some
sort of arbitrary message and expecting a response to it.
When a TLS heartbeat is sent, it comes with a couple notable pieces of information:
• Some arbitrary payload data. This is intended to be repeated back to the sender so the
sender can verify the connection is still alive and the right data is being transmitted
through the communication channel.
• the length of that data, in bytes (16 bit unsigned int). We’ll call it len_payload.
The OpenSSL implementation used to do the following in a nutshell:
• Allocate a heartbeat response, using len_payload as the intended payload size
• memcpy() len_payload bytes from the payload into the response.
• Send the heartbeat response (with all len_payload bytes) happily back to the original
sender.
The problem is that the OpenSSL implementation never bothered to check that
len_payload is actually correct, and that the request actually has that many bytes of
payload. So, a malicious person could send a heartbeat request indicating a payload
length of up to 2^16 (65536), but actually send a shorter payload. What happens in this
case is that memcpy ends up copying beyond the bounds of the payload into the
response, giving up to 64k of OpenSSL’s memory contents to an attacker.
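The missing length check described above, next to a corrected version, as an added C example (not OpenSSL's code and not part of the original slides). The function names, the 128-byte arena and the "SECRET" marker are constructed for illustration; the record layout (type, 16-bit length, payload, at least 16 bytes of padding) is taken from the heartbeat specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_HDR     3   /* 1-byte type + 2-byte len_payload */
#define HB_MIN_PAD 16  /* minimum padding after the payload (heartbeat spec) */

/* Pre-fix behaviour as the text describes it: len_payload is trusted. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: the bug */
    size_t len_payload = ((size_t)rec[1] << 8) | rec[2];
    if (len_payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, len_payload); /* can run past the record */
    return len_payload;
}

/* Hardened: the claimed length must fit inside the bytes actually received. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD) return 0;          /* discard silently */
    size_t len_payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + len_payload + HB_MIN_PAD > rec_len) return 0;
    if (len_payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, len_payload);
    return len_payload;
}

/* Constructed demo: a 23-byte request ("ping") sits in a larger arena, then a
 * marker standing in for other memory. 1 = marker echoed, 0 = not, -1 = bad input. */
int demo_leaks(int use_checked, uint16_t claimed_len)
{
    uint8_t arena[128] = {0}, out[128] = {0};
    const size_t rec_len = HB_HDR + 4 + HB_MIN_PAD;
    if (claimed_len > sizeof arena - HB_HDR) return -1;   /* keep demo in bounds */
    arena[0] = 1;                                         /* heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + rec_len, "SECRET", 6);                 /* adjacent memory */
    size_t n = use_checked
        ? hb_echo_checked(arena, rec_len, out, sizeof out)
        : hb_echo_unchecked(arena, rec_len, out, sizeof out);
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
int main(void) { return (demo_leaks(0, 64) == 1 && demo_leaks(1, 64) == 0) ? 0 : 1; }
```

With a claimed length of 64 against a 4-byte payload, the unchecked version echoes the marker while the checked version drops the request; an honest length of 4 is echoed by both without exposing anything.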
SSL/TLS Attacks
• Four general categories:
o Attacks on the Handshake Protocol
o Attacks on the record and application data protocols
o Attacks on the PKI
o Other attacks
HTTPS (HTTP over SSL)
• Combination of HTTP and SSL to implement secure communication between a Web browser and a Web server
• Built into all modern Web browsers
o Search engines now support HTTPS
o URL addresses begin with https://
• Documented in RFC 2818, HTTP Over TLS
• Agent acting as the HTTP client also acts as the TLS client
• Closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection
IP Security (IPsec)
• Various application security mechanisms
o S/MIME, Kerberos, SSL/HTTPS
• Security concerns cross protocol layers
• Would like security implemented by the
network for all applications
• Authentication and encryption security
features included in next-generation IPv6
• Also usable in existing IPv4
IPsec
• Authentication
o Assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header and that the packet has not been altered in transit
• Confidentiality
o Enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
• Key management
o Concerned with the secure exchange of keys
o Provided by the Internet exchange standard IKEv2
Applications of IPsec
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
Benefits of IPsec
• When implemented in a firewall or router, it provides
strong security to all traffic crossing the perimeter
• In a firewall it is resistant to bypass
• Below transport layer, hence transparent to
applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture
The Scope of IPsec
• Provides two main functions:
o A combined authentication/encryption function called Encapsulating Security Payload (ESP)
o Key exchange function
• Also an authentication-only function, implemented using an Authentication Header (AH)
o Because message authentication is provided by ESP, the use of AH is included in IPsecv3 for backward compatibility but should not be used in new applications
• VPNs want both authentication and encryption
• Specification is quite complex
o Numerous RFCs 2401/4302/4303/4306
Security Associations
• A one-way relationship between sender and receiver that affords security for traffic flow
o If a peer relationship is needed for two-way secure exchange then two security associations are required
• Is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)
• Defined by 3 parameters:
o Security Parameter Index (SPI)
o IP Destination Address
o Protocol Identifier
Figure 22.8 IPSec ESP Format
[Figure: 32-bit rows (bit positions 0, 16, 24, 31) showing, in order, Security Parameters Index (SPI), Sequence Number, Payload Data (variable), Padding (0 - 255 bytes), Pad Length, Next Header, and Authentication Data (variable); side brackets mark the Authentication Coverage and the Confidentiality Coverage.]
Transport and Tunnel Modes
Transport Mode
• Extends to the payload of an IP packet
• Typically used for end-to-end communication between two hosts
• ESP encrypts and optionally authenticates the IP payload but not the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• The entire original packet travels through a tunnel from one point of an IP network to another
• Used when one or both ends of a security association are a security gateway
• A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
Summary
• Secure E-mail and S/MIME
o MIME
o S/MIME
• DomainKeys identified mail
o Internet mail architecture
o DKIM strategy
• SSL and TLS
o TLS architecture
o TLS protocols
o TLS attacks
o SSL/TLS attacks
• HTTPS
o Connection institution
o Connection closure
• IPv4 and IPv6 security
o IP security overview
o The scope of IPsec
o Security associations
o Encapsulating security payload
o Transport and tunnel modes
The End