20-771: Computer Security
Lecture 3: SSL
Robert Thibadeau
School of Computer Science
Carnegie Mellon University
Institute for eCommerce, Fall 2000
Lecture 3, 20-771: Computer Security, Fall 2000
Today’s lecture
• Review
• SSL, SET
• Break (10 min)
• X.509v3
This Week
Chapters 3-4-5 WS
Homework – Discussion Groups
Threads for Windows 2000
Quiz – Chapters 3-4-5
Our Class
[Diagram: the scope of the course. Boxes for Client Security (Web Client Security, Client Applications), Proxy/Router Security ("kind of"; Proxy/Router Applications – put in hardware! buy CISCO), Path Security, Physical security, and Web Server Security (Server Applications, Security Assurance Applications, Windows 2000 Server Security, Host Security), all inside Whole Facility / Internet Security – Protocols/Policy/Publicity. Cross-cutting rows: Technology, How To (Integrity/Privacy/Authenticate/Authorize/Record), The Law, Cryptography.]
Fundamental Elements of Security: IPAAA
• Integrity
• Privacy
• Authentication
• Authorization
• Auditability
Cryptography
• A key is just the parameter that makes a program do something to the plaintext or the cyphertext that is very hard to discover.
• Symmetric Cryptography = Private Key Systems
  – Great for the Privacy Function, Hiding Secrets
• One Way Hashes = Digest Functions = Integrity Checkers = Password Storage
  – Great for Integrity Checking, Hiding Secrets
• Public Key Cryptography = Public/Private Key Pairs = RSA Patent (Sept 21)
  – Private Reads, Public Writes: Send Secret to Authentic Person
  – Private Writes, Public Reads = Signing: Authenticate Writer, no secret
  – Certificates: Signing, used for Authorization
  – CA: Authority who guarantees Authentication
  – Where to hide Private Keys? Key Escrow, Smart Cards, Floppy
  – PKI – the total system of keys, CA
Internet Cryptographic Protocols
• Cybercash: Electronic Funds Transactions, RFC1898
• DNSSEC: Domain Name System, RFC2065
• IPSec: Packet-Level Encryption, RFC2401
• PCT: TCP/IP-level Encryption
• PGP: E-Mail, RFC2015
• S/MIME: E-Mail, RFC2311, RFC2634
• S-HTTP: Web Browsing, RFC2660
• SET: Electronic Funds Transactions
• SSL: TCP/IP-level Encryption, Netscape
• SSH: Remote Login
  – http://search.ietf.org/internet-drafts/draft-ietf-secsh-transport07.txt
  – http://search.ietf.org/internet-drafts/draft-provos-secsh-dhgroup-exchange-00.txt
• TLS: TCP/IP-level Encryption, RFC2246
Secure Socket Layer History
• SSL 1.0 Netscape 1994
• S-HTTP (web only)
• SSL 2.0 Netscape (buggy)
• PCT Microsoft (loser) 1996
• SSL 3.0 Netscape
• TLS 1.0 IETF (now dominant) 1999
SSL
• “TLS, more commonly known as SSL”
• RFC2246: TLS Protocol Version 1.0, 1/99
• RFC2487: SMTP over TLS
• RFC2712: Adding Kerberos to TLS
• RFC2716: PPP TLS
• RFC2817: Upgrading to TLS within HTTP/1.1
• RFC2818: HTTP over TLS
• RFC2830: TLS for Lightweight Directory Access Protocol (LDAP)
• The Lock or Non-broken Key on Your Browser
• Get the picture? (yes, we like it)
Protocol Stack
[Diagram: the application protocols TELNET, HTTP, SMTP, NNTP and FTP sit above the SSL Interface (Port N), which sits above Transport - TCP, Internet - IP, Network Interface – EtherNet/etc., and the Physical Layer.]
SSL
• Crypto Solves the Problems – You just need to select among good alternatives for each task.
• The “cypher suite”
  – X.509 Certificates (1991) too.
  – First, cypher suite agreement between the TCP peers.
SSL Components
[Diagram: Diffie-Hellman – establishing the symmetric session key; RSA – public key for authentication; Triple-DES/CBC, RC4, RC3, RC2 – session encryption with the symmetric key for privacy; MD5, SHA – message digest for checking on message integrity.]
SSL Cipher Suites
Suite              Strength   Description
DES-CBC3-MD5       *****      168bit Session/1024bit RSA
DES-CBC3-SHA       *****      168bit Session/1024bit RSA
RC4-MD5            ****       128bit Session/1024bit RSA
RC4-SHA            ****       128bit Session/1024bit RSA
RC2-CBC-MD5        ****       128bit Session/1024bit RSA
DES-CBC-MD5        ***        56bit Session/1024bit RSA
DES-CBC-SHA        ***        56bit Session/1024bit RSA
EXP-DES-CBC-SHA    **         40bit Session/512bit RSA
EXP-DES-RC4-MD5    **         40bit Session/512bit RSA
EXP-RC2-CBC-MD5    **         40bit Session/512bit RSA
NULL-MD5           *          None/RSA authentication
NULL-SHA           *          None/RSA authentication
CHECK YOUR BROWSER!!!!!!!
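Cipher-suite agreement between the two peers, worked through as an added example (not code from the lecture, Netscape or the IETF): the table above is encoded as data, the server picks the first suite in its own preference order that the client also offered, and a policy refuses the export-grade and NULL rows. The policy thresholds, the sample browser offers and the server preference list are assumptions made for illustration.

```python
"""Cipher-suite agreement between two SSL/TLS peers, using the slide's suite table.

Added example for this lecture, not part of the original slides. Strength ratings
and key sizes are copied from the table; the preference policy (reject export-grade,
single-DES and NULL suites) and the sample offers are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

# (session key bits, RSA key bits) per suite, from the slide's table.
# A session-key size of 0 means no encryption (NULL suites: RSA authentication only).
SUITES: Dict[str, Tuple[int, int]] = {
    "DES-CBC3-MD5": (168, 1024),
    "DES-CBC3-SHA": (168, 1024),
    "RC4-MD5": (128, 1024),
    "RC4-SHA": (128, 1024),
    "RC2-CBC-MD5": (128, 1024),
    "DES-CBC-MD5": (56, 1024),
    "DES-CBC-SHA": (56, 1024),
    "EXP-DES-CBC-SHA": (40, 512),
    "EXP-DES-RC4-MD5": (40, 512),
    "EXP-RC2-CBC-MD5": (40, 512),
    "NULL-MD5": (0, 1024),
    "NULL-SHA": (0, 1024),
}


def stars(suite: str) -> str:
    """Reproduce the slide's star rating from the session key size (5 for 168-bit, 1 for NULL)."""
    bits, _ = SUITES[suite]
    return {168: 5, 128: 4, 56: 3, 40: 2, 0: 1}[bits] * "*"


def acceptable(suite: str, min_session_bits: int = 128, min_rsa_bits: int = 1024) -> bool:
    """Assumed policy: refuse NULL, export-grade (40-bit session / 512-bit RSA) and 56-bit DES."""
    if suite not in SUITES:
        return False          # unknown suite: never negotiate what you cannot rate
    session_bits, rsa_bits = SUITES[suite]
    return session_bits >= min_session_bits and rsa_bits >= min_rsa_bits


def negotiate(client_offer: List[str], server_prefs: List[str]) -> Optional[str]:
    """ServerHello picks the first suite in the *server's* preference order that the client
    offered. The server's order wins, so a client that lists weak suites first cannot
    steer the choice; the policy then blocks weak suites outright. None = no agreement."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered and acceptable(suite):
            return suite
    return None


def weak_suites_offered(client_offer: List[str]) -> List[str]:
    """The slide's 'CHECK YOUR BROWSER' step: which offered suites fail the policy."""
    return [s for s in client_offer if s in SUITES and not acceptable(s)]


if __name__ == "__main__":
    # Constructed sample offers: a 128-bit ("US") browser and an export ("International") one.
    us_browser = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA", "EXP-RC2-CBC-MD5"]
    intl_browser = ["EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA", "NULL-MD5"]
    server = ["DES-CBC3-SHA", "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "DES-CBC-SHA", "EXP-RC2-CBC-MD5"]
    print("US browser   ->", negotiate(us_browser, server))     # DES-CBC3-SHA
    print("Intl browser ->", negotiate(intl_browser, server))   # None: only export suites in common
    print("weak suites offered by intl browser:", weak_suites_offered(intl_browser))
```

The point of letting the server's order decide is the downgrade case: a client that offers strong and export suites together still gets the strong one, and a client that offers only export suites gets no connection at all rather than a 40-bit one.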
SSL Encrypts
• ALL Browser-Server and Server-Browser traffic, except which browser is talking to which server
• URL of requested document
• Contents of requested document
• Contents of any submitted form fill-outs
• Cookies sent from browser to server
• Cookies sent from server to browser
• Contents of HTTP header
• Javascript communications
• Etc. ??NetShow—cause that’s UDP??
What Could Replace SSL?
[Diagram: the same protocol stack (TELNET, HTTP, SMTP, NNTP, FTP over the SSL Interface (Port N), over Transport - TCP), with IPSec drawn between Transport - TCP and Internet - IP, above Network Interface – EtherNet/etc. and the Physical Layer.]
IPSec Does Not
• Authenticate Participants
• But then, neither does SSL in practice
• It does authenticate computers … not done by SSL except during the session. SSL can’t stop a proxy.
SSL Transaction
1. Client says Hello & Stuff
2. Server says Hello & Stuff
3. Server sends Certificate
4. (opt) Server requests client Certificate
5. Client sends Certificate
6. Client sends ClientKeyExchange
7. Client sends a Certificate Verify message
8. Both send ChangeCipherSpec Messages
9. Both send Finished Messages
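A checker for the message order above, as an added example (not code from the lecture): it walks a handshake transcript against the nine steps literally, treating steps 4, 5 and 7 as optional, and rejects a client Certificate that was never requested, a CertificateVerify without a client Certificate, and a client Certificate that is never followed by a CertificateVerify. The message names, the "sender" tags and the assumption that the client's ChangeCipherSpec/Finished pair precedes the server's are mine, not the slide's.

```python
"""Order checker for the SSL/TLS handshake as listed on the slide (nine steps).

Added example for this lecture, not part of the original slides. The transcript format
(sender, message) and the client-first order of the two ChangeCipherSpec/Finished pairs
are assumptions made here.
"""
from typing import List, Tuple

# (sender, message, optional) in slide order. Optional marks steps 4 (opt), 5 and 7,
# which only occur when the server asked for a client certificate.
STEPS: List[Tuple[str, str, bool]] = [
    ("client", "ClientHello", False),         # 1
    ("server", "ServerHello", False),         # 2
    ("server", "Certificate", False),         # 3
    ("server", "CertificateRequest", True),   # 4 (opt)
    ("client", "Certificate", True),          # 5 (only after 4)
    ("client", "ClientKeyExchange", False),   # 6
    ("client", "CertificateVerify", True),    # 7 (only after 5)
    ("client", "ChangeCipherSpec", False),    # 8, both sides
    ("client", "Finished", False),            # 9, both sides
    ("server", "ChangeCipherSpec", False),
    ("server", "Finished", False),
]


def check_handshake(transcript: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for a complete, correctly ordered handshake."""
    i = 0
    cert_requested = False
    client_cert_sent = False
    for sender, msg in transcript:
        # Skip optional steps this transcript does not take.
        while i < len(STEPS) and STEPS[i][2] and (STEPS[i][0], STEPS[i][1]) != (sender, msg):
            i += 1
        if i >= len(STEPS):
            return False, f"unexpected {sender} {msg} after handshake complete"
        exp_sender, exp_msg, _ = STEPS[i]
        if (sender, msg) != (exp_sender, exp_msg):
            return False, f"expected {exp_sender} {exp_msg}, got {sender} {msg}"
        if msg == "CertificateRequest":
            cert_requested = True
        elif (sender, msg) == ("client", "Certificate"):
            if not cert_requested:
                return False, "client Certificate without CertificateRequest"
            client_cert_sent = True
        elif msg == "CertificateVerify" and not client_cert_sent:
            return False, "CertificateVerify without client Certificate"
        i += 1
    while i < len(STEPS) and STEPS[i][2]:   # trailing optional steps may be absent
        i += 1
    if i < len(STEPS):
        return False, f"handshake incomplete: missing {STEPS[i][0]} {STEPS[i][1]}"
    if client_cert_sent and not any(m == "CertificateVerify" for _, m in transcript):
        return False, "client Certificate sent but no CertificateVerify"
    return True, "ok"


# Constructed sample transcripts: server-only authentication, and mutual authentication.
SERVER_AUTH = [("client", "ClientHello"), ("server", "ServerHello"), ("server", "Certificate"),
               ("client", "ClientKeyExchange"), ("client", "ChangeCipherSpec"),
               ("client", "Finished"), ("server", "ChangeCipherSpec"), ("server", "Finished")]
MUTUAL_AUTH = SERVER_AUTH[:3] + [("server", "CertificateRequest"), ("client", "Certificate"),
                                 ("client", "ClientKeyExchange"), ("client", "CertificateVerify")] + SERVER_AUTH[4:]

if __name__ == "__main__":
    print(check_handshake(SERVER_AUTH))   # (True, 'ok')
    print(check_handshake(MUTUAL_AUTH))   # (True, 'ok')
    print(check_handshake(SERVER_AUTH[:3]))   # incomplete: stops before ClientKeyExchange
```

The two checks around the client certificate are the ones worth keeping in mind when reading the slide: the server authenticates itself in step 3 by default, but the client is only authenticated when step 4 happens and step 7 proves possession of the private key for the certificate sent in step 5.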
Rules of Thumb
• Always get 128 Bit Browsers
  – This is called “US” as opposed to “International” even though it really means the opposite!!!!!!!
• 128 bits is really really good for securing your transaction against spies
• Unfortunately, hides employee behavior.
• Unfortunately, false sense of security:
  – Most theft of credit cards is by the employees of credit card processing operations including retailer, clearing, etc.
  – Do you really trust Amazon? Read their privacy statement at http://www.amazon.com/privacy-notice
SET
• Authentication: All parties use certificates including customer, merchant, bank, merchant’s bank.
• Confidentiality: Encrypted and Private
• Message Integrity: Can’t be tampered with
• Linkage: Verification of encrypted attachments (blind forwarding)
SET Protocol Supports all Features of Credit Card System
• Cardholder registration
• Merchant registration
• Purchase requests
• Payment authorizations
• Payment capture (funds transfer)
• Chargebacks (refunds to customers)
• Credits
• Credit reversals
• Debit Card (check card) transactions
• Real-time, batch, installment payments, etc.
Problems with SET
• Risk Management leads Banks to use Intermediaries
• Intermediaries have access to the credit card purchasing information
• This is where most theft occurs.
• To be adopted SET really needs to be accompanied with a change in credit card processing.
• BUT: the rate of Internet Charge Backs is HUGE! (Particularly on download purchases and subscriptions). Retailers are now being fined in the hope of reducing this.
• SET does not create a non-repudiatable confirmation of the successful obtaining and use of the product sold. It hides critical information from the retailer!
BREAK!
[Photo: Lincoln Stein]
X.509v3 Certificates
• More generally used than SSL
  – Used by SSL
  – Used by nearly every major computer security system
• From Older Standards Groups
• ISO/ITU
  – International Standards Organization/ANSI
  – International Telecommunications Union (was CCITT – fax, TIFF)
  – Part of United Nations as of 1988
• ASN.1 (Abstract Syntax Notation 1) – see www.asn1.com
  – This is instead of BNF and is pretty arcane, but includes encoding rules (DER)
  – SGML (predecessor of HTML) used this, X.10 Financial Systems.
• Object Identifier
  – Tree starting with world, down through countries, companies, etc., www.hyperstamps.com fun
  – Your international phone number is a legal Object Identifier
  – It is a felony in nearly every country of the world to counterfeit an ISO-issued Object Identifier
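The DER encoding rules mentioned above, applied to the Object Identifier tree, as an added example (not code from the lecture or from any ASN.1 toolkit): an encoder and a strict decoder for the OBJECT IDENTIFIER type. The rules implemented are the standard X.690 ones (tag 0x06, definite length, first two arcs packed as 40*arc1+arc2, each arc in base 128 with a continuation bit); the OIDs used as inputs (sha256WithRSAEncryption 1.2.840.113549.1.1.11, commonName 2.5.4.3, the private-enterprise arc 1.3.6.1.4.1) are standard values.

```python
"""DER encoding/decoding of ASN.1 OBJECT IDENTIFIERs (ITU-T X.690).

Added example for this lecture; not from the original slides. The decoder is strict:
it rejects truncated input, an unterminated last arc, and non-minimal (leading 0x80)
arc encodings, which DER forbids and which a lenient parser would silently accept.
"""
from typing import List

OID_TAG = 0x06


def _encode_length(n: int) -> bytes:
    """DER definite length: one byte if < 128, else 0x80|count then big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(arc: int) -> bytes:
    """Big-endian base-128 digits, bit 7 set on every byte except the last."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """'1.2.840.113549.1.1.11' -> b'\\x06\\x09\\x2a\\x86\\x48\\x86\\xf7\\x0d\\x01\\x01\\x0b'."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: first arc 0-2, second arc 0-39 unless first arc is 2")
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([OID_TAG]) + _encode_length(len(content)) + content


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid; raises ValueError on anything that is not well-formed DER."""
    if len(der) < 2 or der[0] != OID_TAG:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = der[1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    content = der[pos:pos + length]
    if len(content) != length or not content:
        raise ValueError("truncated OID")
    if content[-1] & 0x80:
        raise ValueError("unterminated base-128 arc")
    arcs: List[int] = []
    value = 0
    for b in content:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal arc encoding")  # DER requires shortest form
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    arcs[0:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "2.5.4.3", "1.3.6.1.4.1"):
        der = encode_oid(oid)
        print(oid, "->", der.hex(), "->", decode_oid(der))
```

The first-arc rule is why a decoder must not simply split on 40: any packed value of 80 or more belongs to the joint-iso-itu-t arc (2), whose second arc may exceed 39.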
X.509v3 Where to Get
• You have to pay 34 Swiss Francs!
  – www.itu.org -- search on X.509
  – But WAIT! X.509v4 is out, but not yet published!
• Those typical Swiss…always getting rich
  – No, this is how nearly all older standards bodies have worked – they sell copies of their standards
  – Buy them. They are like the RFCs and the W3 Specifications. They will make you one of the few real experts.
What is X.509?
• A means of authenticating a “directory”
• Uses public/private key exclusively (and that means RSA for all practical purposes … Sept 21, remember?)
• A means for chaining certificate authorities
  – Didn’t work, people really just chain certificates
• The information about who you are is hashed and signed so this can be compared with the plaintext about who you are in the certificate
• Serial Number: an Object Identifier – It’s a FELONY to copy this even in IRAQ!!!
X.509 Basic Form
[Diagram: Certificate Serial Number; Public Key for Authentication (RSA – Sept 21, 2000!); DateTime and Expiration; Who-you-are Message; Message Digest for Checking on Message Integrity (MD5, SHA).]
Concepts behind X.509
• user certificate; public key certificate; certificate:
  – The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it.
• certification path:
  – An ordered sequence of certificates of objects in the directory information tree which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.
X.509 Nomenclature
Xp : Public key of a user X
Xs : Private key of a user X
Xp[I] : Encryption of Information, I, using the public key of X
Xs[I] : Encryption of I using the private key of X
X{I} : Signing of I by X: I with a hashed summary appended
CA(X) : A certification authority of user X
CA^n(X) : (where n>1) CA(CA(…n times(X)))
X1<<X2>> : Certificate of user X2 issued by authority X1
X1<<X2>>X2<<X3>>… : Chain of certificates, functionally equivalent to X1<<Xn+1>>
X1p*X1<<X2>> : Unwrapping a certificate to extract the public key. Ap * A<<B>> B<<C>> denotes using public key A to obtain B’s public key, Bp, from its certificate, followed by using Bp to unwrap C’s certificate. The outcome is the public key of C, Cp.
A -> B : Certification path from A to B, in the form of a chain of certificates starting with CA(A)<<CA^2(A)>> and ending with CA(B)<<B>>
Note: X’s are names of users, I is arbitrary information
Certificate Definition
Certificate ::= SIGNED { SEQUENCE {
    version                  Version DEFAULT v1,
    serialNumber             CertificateSerialNumber,
    signature                AlgorithmIdentifier,
    issuer                   Name,
    validity                 Validity,
    subject                  Name,
    subjectPublicKeyInfo     SubjectPublicKeyInfo,
    issuerUniqueIdentifier   ObjectIdentifier OPTIONAL,   -- v3
    subjectUniqueIdentifier  ObjectIdentifier OPTIONAL,   -- v3
    extensions               Extensions OPTIONAL } }
Certificate Defined (cont)
Version ::= INTEGER                      -- v1, v2, v3
CertificateSerialNumber ::= INTEGER
AlgorithmIdentifier ::= SEQUENCE { ..stuff about crypto }
Validity ::= SEQUENCE {
    notBefore  Time,
    notAfter   Time }
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm         AlgorithmIdentifier,
    subjectPublicKey  BIT STRING }
Time ::= CHOICE {
    utcTime          UTCTime,
    generalizedTime  GeneralizedTime }
Extensions ::= SEQUENCE OF Extension     -- each with a critical BOOLEAN, v3
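Certification-path processing in the nomenclature above (Ap * A<<B>> B<<C>> yielding Cp), with the Validity and UTCTime fields from the definition just given, as an added worked example that is not the lecture's code: each certificate carries the to-be-signed fields the path needs, the issuer's signature over them is checked with the issuer's public key, the issuer name must match the previous subject, and notBefore/notAfter are parsed as UTCTime with the two-digit-year pivot at 50. The RSA keys are textbook RSA over 60-bit moduli with no padding, a toy that exists only so the example runs offline on the standard library; the party names, seeds, serial numbers and dates are constructed.

```python
"""Certification path: Ap * A<<B>> B<<C>> -> Cp, in the slide's notation.

Added example for this lecture; not the lecture's code. Uses textbook RSA with 60-bit
moduli (TOY ONLY, no padding, hash reduced mod n) so it runs with the standard library.
UTCTime strings use the YYMMDDHHMMSSZ form, YY >= 50 meaning 19YY and otherwise 20YY.
"""
import hashlib, json, math
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PubKey = Tuple[int, int]   # (n, e)  = Xp
PrivKey = Tuple[int, int]  # (n, d)  = Xs


def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division; fine for the ~30-bit toy primes used here."""
    n = max(n, 2)
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def toy_keypair(seed: int) -> Tuple[PubKey, PrivKey]:
    """Deterministic textbook RSA pair (Xp, Xs) from a seed. TOY ONLY."""
    p, q = next_prime(seed), next_prime(seed + 123_456_789)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def _digest(tbs: Dict) -> int:
    """Canonical bytes of the to-be-signed fields, hashed (the 'hashed summary' of X{I})."""
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")


def sign(priv: PrivKey, tbs: Dict) -> int:
    n, d = priv
    return pow(_digest(tbs) % n, d, n)        # Xs[hash(I)]


def verify(pub: PubKey, tbs: Dict, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(tbs) % n


def issue(issuer: str, issuer_priv: PrivKey, subject: str, subject_pub: PubKey,
          serial: int, not_before: str, not_after: str) -> Dict:
    """X1<<X2>>: certificate of subject X2 signed by issuer X1 (fields per the slide)."""
    tbs = {"serialNumber": serial, "issuer": issuer, "subject": subject,
           "validity": {"notBefore": not_before, "notAfter": not_after},
           "subjectPublicKey": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(issuer_priv, tbs)}


def parse_utctime(s: str) -> datetime:
    """UTCTime 'YYMMDDHHMMSSZ' with the X.509 pivot: 50-99 -> 19xx, 00-49 -> 20xx."""
    if len(s) != 13 or s[-1] != "Z":
        raise ValueError(f"bad UTCTime {s!r}")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]),
                    tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def unwrap(issuer_name: str, issuer_pub: PubKey, cert: Dict, now: datetime) -> Optional[PubKey]:
    """X1p * X1<<X2>>: X2p if issuer name, signature and validity period check out, else None."""
    tbs = cert["tbs"]
    if tbs["issuer"] != issuer_name or not verify(issuer_pub, tbs, cert["signature"]):
        return None
    v = tbs["validity"]
    if not parse_utctime(v["notBefore"]) <= now <= parse_utctime(v["notAfter"]):
        return None
    return tuple(tbs["subjectPublicKey"])


def process_path(anchor_name: str, anchor_pub: PubKey, chain: List[Dict], now: datetime) -> Optional[PubKey]:
    """Ap * A<<B>> B<<C>> ...: fold unwrap along the chain; result is the last subject's key."""
    name, pub = anchor_name, anchor_pub
    for cert in chain:
        pub = unwrap(name, pub, cert, now)
        if pub is None:
            return None
        name = cert["tbs"]["subject"]
    return pub


def demo_chain():
    """Constructed path RootCA<<SubCA>> SubCA<<Alice>>; returns (root pub, chain, Alice pub)."""
    root_pub, root_priv = toy_keypair(1_000_000_000)
    sub_pub, sub_priv = toy_keypair(1_100_000_000)
    alice_pub, _ = toy_keypair(1_200_000_000)
    chain = [issue("RootCA", root_priv, "SubCA", sub_pub, 1, "000101000000Z", "101231235959Z"),
             issue("SubCA", sub_priv, "Alice", alice_pub, 2, "000901000000Z", "010901000000Z")]
    return root_pub, chain, alice_pub


if __name__ == "__main__":
    root_pub, chain, alice_pub = demo_chain()
    print("Alice's key recovered from path:", process_path("RootCA", root_pub, chain, utc(2000, 9, 21)) == alice_pub)
    chain[1]["tbs"]["subject"] = "Mallory"    # tamper: signature no longer matches
    print("tampered path accepted:", process_path("RootCA", root_pub, chain, utc(2000, 9, 21)) is not None)
```

Three things fail closed here, which is the behaviour to look for in a real path validator: a signature that does not verify under the issuer's key, an issuer name that does not match the previous subject, and a time outside notBefore..notAfter (the "time limit" the Date Time slide describes).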
Date Time
• Great Security Technique for Authentication
  – Challenge-Response, let mother nature be the challenge.
  – Very hard to defeat since you have to crack the code too quickly … can be used to put a time limit on things. This is used by many certificates.
• Kerberos uses this in issuing “tickets” for a time.
• Great Security Technique for Auditability
  – Hash the date-time and sign it.
  – Requires an authority or both members of the transaction to maintain a copy (you can’t deny your signature even if you “fix” your copy!)
X.509 certificate types
• For people
• For web sites
• For companies
• For organizations inside companies
• For software
• Etc. etc. etc.
• You could have X.509 certificates that certify a toaster made a piece of toast.
• http://dollar.ecom.cmu.edu/sec/509.doc
What’s Wrong with Them
• Classic HORRIBLE USER INTERFACE ASSOCIATED WITH GOOD CRYPTOGRAPHY
• You have to apply to a root CA for one
• They invade your privacy!
• They make you PAY!
• They make them last only one Year!
  – And you pay again.
  – Hey…their cost is a few cpu seconds…
• Homework: Go to Thawte (www.verisign.com) and get a free personal certificate for your mail browser (outlook, eudora, or netscape).
• See what I mean?
Better root CAs
• There should not be a commercial monopoly here.
• Social Security Admin could issue free personal certificates FOR LIFE.
  – This would make your private key very private
  – Needs to be on a smart card you don’t lose
  – Would make Certificate Revocation Work!
• Now, each individual person can become a CA!
  – He can establish expirations suitable to him
  – He does not himself expire.
• Same for each company (IRS or United Nations through ASN.1 Object Identifiers maintained by United Nations.)
• September 21, 2000!!! Wanna be a root CA?
SSL
• What does SSL stand for?
• Does SSL use X.509v3 Certificates?
• When are the client and server authenticated in SSL?
• Can SSL perform a secure transaction without server authentication?
• Do browsers by default come configured for low grade, exportable, security?