Transcript Document 7391256

Network Security
Refik MOLVA
Institut Eurécom
B.P. 193
06904 Sophia Antipolis Cedex - France
[email protected]
Institut Eurecom 2002
1
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
9. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
2
Security Services
7498-2 ISO standard defines :
security services and mechanisms in the context of OSI
r function placement in OSI layers
r
does not cover the security of standalone systems.
r
authentication
r
access control
r
confidentiality
r
integrity
r
non-repudiation
Network Security - R. Molva - Institut Eurecom 2002
3
Services vs. Layers
1. Application Layer Security
finest granularity (user and program verification)
r end-to-end security
r non-transparent to applications
r
2. Transport Layer
medium level granularity (end-users are not visible)
r end-to-end security
r transparent to applications
r
3. Network Layer
low granularity
r no end-to-end security (hop-by-hop security relies on intermediate systems)
r transparent to applications
r
4. Physical Layer
like network layer security, plus
r ease of integration
r limited functionality (hardware only)
r
Network Security - R. Molva - Institut Eurecom 2002
4
Cryptography
The art of writing in or deciphering secret code by transforming the message
content.
Different from steganography which aims at hiding the message without
transforming it.
Cryptography
Cryptanalysis
encryption
decryption
code breaking
Cryptology
Cryptography is the building block for most security mechanisms.
Network Security - R. Molva - Institut Eurecom 2002
5
Symmetric Cryptography
r
secret-key based
K
P
E
C
D
P
r
The same key is required both for encryption and decryption
r
Secrecy of K is essential
 requirement for secret key management using an on-line trusted third
party (TTP)
r
K must be shared by at least two parties
 no signature
Network Security - R. Molva - Institut Eurecom 2002
6
DES
E (encryption)
Input
64-bit
k1
k2
R1
R2
k15
k16
R15 R16
IP-1
IP
R16 R15
k16
k15
R2
R1
k2
k1
Output
64-bit
D (decryption)
IP : initial permutation, IP-1(IP(x)) = x
Ri : key-dependent functions
ki : 16 sub-keys(48 bits) (key schedule)
result of shift and select operations on 56-bit K
Network Security - R. Molva - Institut Eurecom 2002
7
Advanced Encryption Standard (AES)
Rijndael - Winner of an extensive selection process
• New encryption standard (FIPS 197) - replacement to DES – May 26, 2002
• Triple DES is still a valid standard (FIPS 46-3)
•
•
Key size: 128, 192, or 256 bits
10, 12 or 14 rounds, depending on the key size.
•
•
byte-oriented cipher operations in each round
Round function:
–
–
–
–
8x8 S-box applied to each byte
rows of the array shifted
columns of the array mixed
subkey bytes XORed into each byte of the array
–
column mixing is omitted in the last round.
Network Security - R. Molva - Institut Eurecom 2002
8
AES-Rijndael Performance
•
“…a machine that could recover a DES key in a second then it would
take that machine approximately 149 thousand-billion (149 trillion)
years to crack a 128-bit AES key. To put that into perspective, the
universe is believed to be less than 20 billion years old.”
• Key setup time
– 200 keys /msec in 32 bit C / Apple G4 PowerPC
• Encryption speed
– 52 Mbits/s in 32 bit C / Apple PowerPC
– 4.8 Mbits/s in Java / Intel Pentium Pro 200
Network Security - R. Molva - Institut Eurecom 2002
9
Asymmetric Cryptography
r
public-key cryptography
K’
P
E
K
C
D
r
Different keys for encryption and decryption
r
Each user has a secret key (K) and a public key (K’)
r
No shared secret between the origin and the recipient
P

no need to manage secret keys but integrity of K’ must be assured with an
off-line trusted third party (TTP)

digital signature is possible
Network Security - R. Molva - Institut Eurecom 2002
10
Asymmetric Cryptography
r
each user U has a secret key KSU
r
everybody can access KPU (public database)
r
only U knows KSU
Name : A, Key : KPa
and a public key KPU
A, KPa
Name : B, Key : KPb
Name : C, Key : KPc
EKPa (message)
A, KPa
EKPa (message)
A
KSa
r
DKSu (EKPu(X)) = x
et
EKPu (DKSu(X)) = x
Network Security - R. Molva - Institut Eurecom 2002
11
Asymmetric Cryptography
Public-key algorithms are based on one-way functions.
V One-way functions (OWF)
f : X Y is one-way if f(x) is easy to compute for all x in X but for essentially all y in Im(f)
it is computationally infeasible to find x in X such that f(x) = y.
f
y = f(x)
X
f-1
Example : discrete exponential (Diffie-Hellman)
f = axmod n
X
y = f(x)
f=
logay
Network Security - R. Molva - Institut Eurecom 2002
12
Trapdoor OWF
f is a trapdoor one-way function if
f is a OWF with the additional property that
given some extra information called trapdoor it becomes easy to compute the reverse
of f (x such that f(x) = y).
Example : f(x) = x5mod n
n= pq , p and q are large primes
f is a OWF (it is infeasible to compute f-1)
but if p and q are known f-1 becomes easy to compute (cf. RSA).
No proof of existence for OWF.
Security of public-key schemes is based on OWF.
 no proof of security for public-key schemes
Network Security - R. Molva - Institut Eurecom 2002
13
The DIFFIE-HELLMAN Algorithm
r
pioneer of public key algorithms
Known by A
Public
Known by B
x
a,p
y
ax mod p
ax mod p
ay mod p
ay mod p
ay mod p
ax mod p
compute :
(ay ) x mod p
compute :
(ax ) y mod p
= ayx mod p
= axy mod p
A and B set a shared secret (axy mod p ) without exchanging secret
information.
r axy mod p can be used as a secret key with a symmetrical algorithm to
encrypt data.
r relies on the difficulty of computing discrete log.
r
Network Security - R. Molva - Institut Eurecom 2002
14
RSA
r
message structured in n bit blocks
r
for each block P of cleartext :
r
V encryption:
C = P e mod r
V decryption:
P = C d mod r
main property (non-trivial):
(xe)d  (xd)e  x (mod r)
 security relies on the choice of r, e and d
Network Security - R. Molva - Institut Eurecom 2002
15
RSA - Principle
1. pick two very large (100 digits) prime numbers p,q
2. compute r = pq
3. compute F(r) = (p-1) (q-1)
4. pick e, small number, prime with F(r), e < F(r)
5. compute d : d.e  1 (mod F(r))
Why (x e)d  (xd)e  x (mod r) ?
Euler's Theorem:
from 5. :
so :
a F(r)  1 (mod r)
 am.F(r)+1  a (mod r)
d.e = e.d = m. F(r)+1
(xe)d  (xd)e  x (mod r)
Note : m must be invertible, property can be demonstrated with general m using
Chinese Remaindering.
Network Security - R. Molva - Institut Eurecom 2002
16
RSA - Example
1. p =17, q =13
2. r = 221
3. F(r) = (p-1) (q-1) = 192
4. e = 11
5. d = 35 , d.e ( 1 (mod 192)
e = 11
P = 123
E
d = 35
C = 12311(mod 221)
D
C = 115
Network Security - R. Molva - Institut Eurecom 2002
C = 11535(mod 221)
P = 123
17
RSA
security  factoring r (512 bits, 154 digits) into p and q
r best known factoring algorithm : 1 M years
r
r
512-bit chips
Origin
E/D
Kb/s
CYLINK
7
CRYPTECH
17
CENT
5.3
BT
5
AT&T
19
Pijnenburg
50
1000 times slower than DES in hardware
100 times slower than DES in software
Network Security - R. Molva - Institut Eurecom 2002
18
El Gamal Public Key Encryption
r
DH key agreement in encryption
p is prime, x and y in Zp-1
a is a generator in Zp.
b=ay mod p
KPB = ( p, a, b)is the public key.
KSB = y is the secret key.
Known by A
x (random)
Known by B
y
Public Key
(p, a, ay mod p)
ay mod p
axy mod p
Encryption:
m1 = ax mod p
m2 = m.axy mod p
m1=DH key agreement
+ m2=encrypted message
Decryption:
m1 axy mod p
m = m2.(m1y)-1 mod p
= m.axy.((ax)y)-1 mod p
Network Security - R. Molva - Institut Eurecom 2002
19
Symmetric vs. Asymmetric Cryptography
Symmetric Cryptography
r
secret key shared by (at least) two parties
Pros
key is short (64-128 bits)
r fast encryption/decryption
r extensive history
r perfect secrecy exists
r
Cons
key distribution(by on-line TTP) is mandatory
r no signature (possible only with additional means)
r
Asymmetric Cryptography
r
one private key, one public key per party
Pros
no requirement for secret key distribution
r digital signature is possible
r
Cons
key is long (> 512 bits)
r computationally intensive
r security relies on the difficulty of number-theoretic problems, no perfect secrecy
r
Network Security - R. Molva - Institut Eurecom 2002
20
Symmetric vs. Asymmetric Cryptography
Summary
Use Asymmetric Cryptography for
key distribution (for symmetric keys)
r digital signature
r
Use Symmetric Cryptography for
bulk data encryption
r data integrity
r
Network Security - R. Molva - Institut Eurecom 2002
21
Plaintext
Network Security - R. Molva - Institut Eurecom 2002
22
DES-ECB Encryption
Network Security - R. Molva - Institut Eurecom 2002
23
DES-CBC Encryption
Network Security - R. Molva - Institut Eurecom 2002
24
CBC Mode
Cipher Block Chaining
64-bit blocks
IV
C0
Cn-1
64 bits
64 bits
K
P
Pn

K
C
E
Cn-1
Cn
D

P
Pn
Ci = E K(Pi  Ci-1)
r C0 = EK(P0  IV), IV (Initialization Vector) transmitted in cleartext
r Pi = DK(Ci)  Ci-1
r
chaining effect : Ci depends on all the Pj with j  i
r last block of C : depends on all the plaintext blocks
r converts DES into a stream cipher
r 1 E/D operation per 64 bits
r
Network Security - R. Molva - Institut Eurecom 2002
25
CBC- Error propagation
r
Decryption of Pi requires Ci and Ci-1
Error extension :
• error in block Ci or loss of complete block Ci
• only Pi and Pi+1 are affected
• subsequent blocks are not affected (self-synchronization)
• new vulnerability:
controlled modification by the intruder - transmission error
on bit i of block Cj results in loss of Pj and complementing of bit i in Pj+1.
no self-synchronization on bit slips :
• all subsequent blocks are lost
 requirement for framing and error control on C
r
Relationship between Error Control and CBC Encryption :
E
D
Error
control
Error
control
Network Security - R. Molva - Institut Eurecom 2002
D
E
26
CFB Mode
Cipher Feedback
n = variable block size for C and P, n 
shift register
IV
shift register
64 bits
64 bits
64
K
64
n
E
n
E
64
K
64
Select n
left bits
Select n
left bits
n
P
n

n
C
n

P
n
1 E/D operation / n bits
s0 : initial value of the register, transmitted in cleartext
Network Security - R. Molva - Institut Eurecom 2002
27
OFB Mode
Output Feedback
variable quantum size (n )
shift register
shift register
IV
64 bits
64
64
K
n
n
E
K
E
64
64
Select n
left bits
Select n
left bits
n
P
n

n
C
n

P
n
1 E/D operation per n bits
s0 : initial value of the register, transmitted in cleartext
s0 must be different for each new message
stream cipher : one-time pad with pseudo-random number generation
Network Security - R. Molva - Institut Eurecom 2002
28
Outline
THEORY

1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
29
Hash Functions
message
Arbitrary length
h
message digest
fixed length (n 128 bits)
Main purpose :
Modification Detection Codes (MDC), Manipulation Detection Codes or Message Integrity
Check (MIC)
Objective :
data integrity with additional security means
h(m) serves as a representative of message m
if m changes, h(m) changes with high probability
Security properties :
• one-way: given y, finding x | h(x) = y is difficult.
• collision resistence : it is difficult to find x  x' | h(x) = h(x').
Network Security - R. Molva - Institut Eurecom 2002
30
General Model for Building Hash Functions
arbitrary length input
x
x1
x2
xn
fixed length constant H0
compression
function
f
fixed length input
fixed length constant H1
f
compression
function
f
compression
function
output
fixed length input
fixed length input
Hn = h(x)
H (iterated hash function)
Additional : input preprocessing by adding padding and length block
Network Security - R. Molva - Institut Eurecom 2002
31
Message Authentication Codes
• Encryption of MAC
MAC = EK(h(M)) with DES or RSA
• Keyed hashing
MAC = h(K1 | M | K2)
Examples from Internet :
r
Keyed MD5 (RFC 1828, 08/1995)
512
Key + padding
n x 512
IP packet
Key
padding
MD5
Authentication Data (128 bits)
r
HMAC (RFC 2104, 02/1997)
HMAC ( K , text ) = H ( K xor pad1 | H ( K xor pad2 | text ) )
Network Security - R. Molva - Institut Eurecom 2002
32
Data integrity
K
MAC
function
message
message
message
unsecured channel
MAC
MDC
function
message
message
MDC=unkeyed hash
MDC
K
E
unsecured channel
MDC
function
MDC
secured channel
unsecured channel
Network Security - R. Molva - Institut Eurecom 2002
33
Outline
THEORY

1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
34
Authentication Protocols (1/2)
• Secret function of a predictable item
A
hK(time stamp or counter)
B
• Synchronization requirement
• synchronized clocks  very difficult with distributed systems
how to secure a global time service ?
• counters  losses
how to secure re-synchronization?
• Protocol requires only 1 message
Network Security - R. Molva - Institut Eurecom 2002
35
Authentication Protocols (2/2)
• Secret function of an unpredictable item (nonce : random number used only once)
A
N
B
hK(N)
• No need for synchronization
• 2 messages
• Mutual authentication
A
Na
B
hK(Na), Nb
hK(Nb)
Network Security - R. Molva - Institut Eurecom 2002
36
S/key
One-time password authentication technique based on a secure hash function
K
h
h(K)
h
h
h2(K)
hn(K)
K is secret
h is a public one-way hash function :
it is computationally infeasible to derive hi-1(K) from hi(K)
User knows K
1st Auth. Msg : U, M=hn-1(K)
2nd Auth. Msg : U,
...
M=hn-2(K)
Authentication
server
SKu = hn(k)
accept if
h(M) = SKu
Sku:= M(= hn-1(K))
accept if
h(M) = SKu
Sku:= M(= hn-2(K))
Only the user who knows K can generate the hi(K) values in the reverse
order : hn(K), hn-1(K), hn-2(K),…, h(K)
Network Security - R. Molva - Institut Eurecom 2002
37
Passive Devices
storage of non-secret verification value W in the device W=OWF(S), S is a
secret kept by the user
r
r
verification by a reader
r
authentication:
- user enters secret value S
- reader computes V=OWF(S)
- reader compares V with W stored in the device
r
magnetic stripe cards
r
cards with a memory chip
Network Security - R. Molva - Institut Eurecom 2002
38
Active Devices
r
r
Able to run cryptographic algorithms and strong authentication protocols
Eliminate the risk of exhaustive attacks and replay on the PIN
1. Personal computers
2. Tokens
3. Smart cards
Principle :
r
PIN-based verification of the user by the personal device.
PIN is not disclosed outside the protected area.
r
Personal device runs the authentication protocol on behalf of the user
through untrusted environments.
Strong authentication protocols resist to attacks from hostile public environment.
Network Security - R. Molva - Institut Eurecom 2002
39
Tokens
User : relay between (untrusted) public terminal and the personal token
Token
Authentication
Server
+ : cheap and easy to retrofit on existing systems
- : ergonomics
Network Security - R. Molva - Institut Eurecom 2002
40
Smart Cards
Communication between smart card and authentication server is
transparent for the user
After the user verification, the smart card runs the strong authenticationprotocol :
• symmetrical (DES) or asymmetrical (RSA) algorithm
• nonce-, time stamp-, or counter-based
The card can perform other services :
• data encryption
• digital signature
• message integrity
Advanced smart cards include :
• an operating system
• a file system with access control
• a Java virtual machine
+ : the most secure and user-friendly
- : cost of deployment, retrofitting : a reader is required on each terminal
Network Security - R. Molva - Institut Eurecom 2002
41
Digital Signature
Generation of A’s signature on message M:
S= EKSa(h(M))
r
h is an unkeyed hash function (MD5, SHA-1, . . .)
r
KSa is A’s private RSA key
Verification of A’s signature by any other party:
compute h(M)
r using A’s public key KPa, check if
r
DKPa(S) = h(M)
Network Security - R. Molva - Institut Eurecom 2002
42
Outline
THEORY

1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
43
Key Management
Most security mechanisms are based on cryptography.
Cryptography requires:
generation
distribution
storage
archival
deletion
......
of (secret and public) keys
Network Security - R. Molva - Institut Eurecom 2002
44
Key Generation
random number generation problem
·a random bit generator can be used to generate random numbers
·a random bit generator outputs a sequence of statistically independent and unbiased
bits.
Solutions :
·physical sources
biased, de-skewing is necessary
impractical
·pseudorandom bit generators
Based on a truly random binary sequence of length k, generate a sequence of
length l >> k using a deterministic algorithm.
The output sequence appears to be random.
Among all possible outputs (if it were truly random) only a fraction 2k/2l can be
generated.
The goal is to expand the truly random "seed" to a longer pseudorandom sequence.
Network Security - R. Molva - Institut Eurecom 2002
45
Pseudorandom Bit Generators (PRBG)
Security properties:
• resistance to statistical tests : the output of a pseudorandom bit generator
should not be distinguishable from a truly random sequence of the same length
by a polynomial-time algorithm.
• resistance to next-bit test : the next bit of the output sequence cannot be
predicted based on the bit sequence that is already generated using a
polynomial-time algorithm.
• the two conditions are equivalent
• a PRBG that fulfills one of these properties is said cryptographically secure.
• in addition the k-bit seed must be large enough so that an exhaustive search
over possible seeds is infeasible.
Ex : linear congruence
xn = axn-1 + b mod p
is not secure because given a partial output sequence, the remainder
of the output bits can be predicted.
Network Security - R. Molva - Institut Eurecom 2002
46
RSA-based Cryptographically Secure PRBG
n=pq, e are defined like in the basic RSA algorithm.
Generation of an l bit pseudorandom sequence :
1. pick a random integer x0 in [1, n-1] as the seed
2. For i from 1 to l do
2.1. xi := xei-1 mod n
2.2. zi : = the least significant bit of xi
output sequence = [z1, z2, …, zl]
The security property (resistance to next-bit test) is proven based on the difficulty
of factorization.
Network Security - R. Molva - Institut Eurecom 2002
47
Practical Secure PRBGs
Use one-way hash functions.
random_numbern = h(s+n)
s is the secret seed.
n = 0, 1, 2, …
 predictable after re-initialization
 the initialization must be randomized :
(Kerberos)
K’ = DESK (universal time)
Rn=DESK’(n) n = 0, 1, 2, …
 based on the secret key K
These PRBGs are not cryptographically secure because there is no proof of the
PRBG security property but they are sufficiently secure for most applications.
Network Security - R. Molva - Institut Eurecom 2002
48
Key Distribution
• Symmetrical cryptography
 distribution of secret keys
 key distribution must assure the confidentiality of secret keys
 key distribution service must be on-line
• Asymmetrical cryptography
 distribution of public keys
 key distribution must assure the integrity of public keys
 key distribution service can be off-line
Network Security - R. Molva - Institut Eurecom 2002
49
Distribution of Secret Keys
Problem : how to distribute a secret session key Kab to parties A and B who do
not share a secret channel ?
Complexity : a new session key is needed for each new session and per
security function (authentication, data confidentiality, integrity)
Alternatives (n: number of parties) :
• Manual : complexity of initial key installation : O(n2)
• Hybrid scheme (O(n))
• Algorithmic (O(n))
• Key server (O(n))
Network Security - R. Molva - Institut Eurecom 2002
50
Hybrid scheme
Use public-key cryptography to distribute secret session keys.
Use secret key (symmetrical) cryptography for bulk data encryption.
A, E KPb (Kab, t, A,...), MAC KSa
A
B
KSa
any mechanism using
symmetrica l cryptograp hy
with K ab
Network Security - R. Molva - Institut Eurecom 2002
KSb
51
Algorithmic Key Distribution
A
Public
B
g, p
Pick random x
compute :
x
g mod p
M A  g X mod p, Signature A (M A )
verify Signature A (M A )
M B  g y mod p, Signature B (M B )
verify Signature B (MB )
Compute :
K ab  (g ) mod p
y x
pick random y
compute :
g y mod p
compute :
K ab  (g x ) y mod p
Perfect forward secrecy: breaking any long-term key (signature key) does not
threaten the secrecy of past session keys (Kab).
No forward secrecy with the hybrid scheme.
Network Security - R. Molva - Institut Eurecom 2002
52
Key distribution with a key server
Key Server
2. Here are the
envelopes for A
and B
Ka
Kb
1. I am A, I want a key to
communicate with B
3. Here is the shared key prove that you are B
A
4. Here is my proof, prove that you are A
Ka
5. Here is my proof
B
Kb
A and B share the same key
Trust in key server:
• security of session keys
• entity authentication
Network Security - R. Molva - Institut Eurecom 2002
53
Key distribution with a key server
Key Server
Ka
2. E Ka (Kab, t, B,...)
Kb
E Kb (Kab, t, A,...)
1. A, B
3. A, N a , E Kb (Kab, t, A,...)
4. E Kab (Na), N b
A
5. E Kab (Nb)
Ka
B
Kb
data security mechanism using K ab
Kab: session key
Ka, Kb: terminal keys
Trust in key server:
• Kab is fresh and kept secret
B (resp. A) believes: whoever proves knowledge of secret Kab is A (resp. B).
Key distribution must be strongly linked with authentication.
Network Security - R. Molva - Institut Eurecom 2002
54
Public-key Integrity Problem
Problem :
A
I am B, here is my public key KPx
X
(intruder, impersonat es B)
generate KSx and KPx
EKPx (secret data destined to B)
decrypt secret data
using KSx
The integrity of public keys must be assured.
Solutions :
• Authentication trees
• Public-key certification
Network Security - R. Molva - Institut Eurecom 2002
55
Identity Certificate
Public Key certificate of entity A (key=KPa) created by X:
CX (KPa )  KPa , ID a , t,..., RSA KSx (h(KPa ,ID a , t,...)) 
• signed by trusted party X using secret key KSx
• can be checked by using public key KPX
Prerequisite for verifying a certificate: KPX must be known and trusted.
• identity certificates are required for all services implemented using public-key
encryption (entity authentication, data origin authentication, data integrity, nonrepudiation of origin, key distribution)
• the security of these services entirely relies on the validity (integrity) of the
certificate that includes the public key.
• On the contrary of a common belief, a certificate alone does not prove anything, it
must be used together with a mechanism like an authentication protocol through
which the owner of the public-key demonstrates his knowledge of the
corresponding private key.
Network Security - R. Molva - Institut Eurecom 2002
56
TTP Functions
• Certification Authority (CA)
• Registration Authority (RA)
• Name Service
• Certificate Directory
• Key Generator
Network Security - R. Molva - Institut Eurecom 2002
57
Certification Scenario
Key pair generated by user
2
identity validation,
public-key
RA
name, public-key
(integrity-protection, entity
authentication)
(proof of knowledge
of private key)
User
3
4 Certificate
CA
1 key pair
KG
Certificate
Directory
Network Security - R. Molva - Institut Eurecom 2002
58
Certificate Chains
Problem:
A and B belong to domains managed by CA X and CA Y.
No direct cross certificate exists between X and Y.
But cross certificates exist from Y to Z and from Z to X.
Domain 3
CA=Z
Domain 1
CX (Z)
CX (Z), CZ (Y)
CA=X
Domain 2
CA=Y
CX (Z), CZ (Y), CY (B)
A trusts KPX
CX (Z), CZ (Y), CY (B)
B trusts KPY
A gets KPZ by verifying CX(Z) using KPX that is trusted a priori. He gets KPY by verifying
CZ(Y) using KPZ. He finally verifies B' s public-key in CY(B) using KPY.
Network Security - R. Molva - Institut Eurecom 2002
59
Hierarchical Model
U
V : U issues CU (V)
W
Root
Y
X
A
Z
B
C
D
Alternative domain partitionings:
• single domain: all chains start at Root; all users trust a priori only KPRoot.
• multiple domains: chain between two domains start from the closest common
node; each user trusts a priori his closest authority and Root.
Drawbacks:
• certificate chains can be too long
• lack of centralization in real life situations
Network Security - R. Molva - Institut Eurecom 2002
60
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
Security Using Firewalls
 6.7. Internet
Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
61
Internet Security Directions
Cryptographic security
protect only sensitive resources using logical means
e-commerce
HTTP SMTP
FTP TELNET
DNS
RIP
Secure virtual
channel using
cryptography
SNMP
BGP
TCP/UDP OSPF
IP
Data Link
Internet
Pros
• flexible (service type and security level)
• end-to-end (application and user security)
• no impact on global network
Cons
• deployment (retrofitting in end-systems)
• cost of migration (protocol impact)
Network Security - R. Molva - Institut Eurecom 2002
62
Internet Security Directions
Domain Control
Isolate trusted network from untrusted Internet by filtering traffic across the border
Filter
Intranet
(trusted)
Internet
(untrusted)
Pros
• no impact on the intranet components
• no impact on application software and users
• ease of deployment for company intranets
Cons
• impediment to the global network concept
• no end-to-end security
• insufficient for e-commerce applications
Network Security - R. Molva - Institut Eurecom 2002
63
Filtering Components
Traffic filtering based on (combination of) :
• packet filters
• application gateways
• circuit gateways
Network Security - R. Molva - Institut Eurecom 2002
64
Packet Filters
• Function integrated with packet forwarding
• Principle:
• for each IP packet received from a local interface
• check the packet against the set of access rules
• forward, discard and/or log the packet according to the result of the rulebased verification
• Access rules are based on (a selection of):
• information of the TCP/IP header:
- source and destination IP addresses
- source and destination port numbers
- protocol type (TCP/UDP)
- flags (ACK, SYN)
• the identity of the incoming interface
• direction of the packet (in/out)
• implemented by
• router (CISCO)
• IP forwarding algorithm in a host (Linux)
• dedicated device (Firewall-1 Checkpoint, Screend, etc.)
Network Security - R. Molva - Institut Eurecom 2002
65
Application Gateways
Opposite approach to packet filtering:
Instead of a general purpose mechanism for all kind of traffic, a special purpose
access control mechanism is used for each application.
• Idea:
Application gateway is a proxy server. Each proxy server acts as an intermediate
between the client and the actual server. Proxy server performs varoous verifications
on the application protocol between the client and server.
Generic operation of an application gateway:
• the client first connects to proxy server
• proxy server performs authentication and access control verification
• if the client is authorized, proxy server connects to the actual destination
• further communication between the client and the actual server is relayed
through the proxy server and some optional filtering can be applied on the data
exchange.
An application gateway is a process, not a host.
There is an application gateway for each application protocol that is authorized.
Application gateways can be combined with a packet filter.
Network Security - R. Molva - Institut Eurecom 2002
66
Application Gateways
Simpler Packet Filtering
Basic model for packet filtering with application gateways:
Network 1 (untrusted)
Interface 1
Packet Filter
GWi
Interface 3
Interface 2
Network 2 (trusted)
Application
Gateway Host
Authorized connections
Network Security - R. Molva - Institut Eurecom 2002
67
Circuit Gateways
generic proxy for all TCP based applications
Basic principle:
• client-server connections are forced to pass through the gateway by a change in the
transport layer software of the client.
• relaying takes place at the transport layer(TCP).
• the layers above TCP (application) are not affected at all.
Encapsulation of client-server connection by client-gateway connection:
Client
GW
Server
Connection request (data=server name)
Verification
establish
relay
Connection request
Connection response
Connection response
Data
relay
Data
Network Security - R. Molva - Institut Eurecom 2002
68
Packet filtering Firewall
Local
Network
Packet
Filter
Internet
Router
• Router blocks all or most access to internal network.
• Router can allow selective access to services.
• Usually inherently danagerous services as NIS, NFS, X11 are blocked
Network Security - R. Molva - Institut Eurecom 2002
69
Dual-Homed Gateway
Proxy
Servers
bastion Host
Local
Network
Internet
Firewall
• Gateway host has a separate interface (network adapter) to each network.
• Packet (IP) forwarding on the gateway is disabled.
• Proxy server performs application layer access control.
Default condition: only traffic authorized by application gateways can cross the
boundary
In a simple setup proxy servers for telnet, ftp, http and a mail server can be located
on the firewall.
Network Security - R. Molva - Institut Eurecom 2002
70
Screened Host Firewall
Proxy
Servers
Bastion Host
Local
Network
Open
Services
Packet
Filter
Internet
Router
Firewall
• packet filter "forces" all inbound packets to connect to the gateway or "bastion
host".
• packet filter lets out only packets from the gateway.
• Proxy servers performs application layer access control.
Main difference from Dual-homed Gateway:
no true network isolation
Network Security - R. Molva - Institut Eurecom 2002
71
Screened Subnet Firewall
Buffer Subnet = De-militarized Zone (DMZ)
Local
Network
Internal
Packet
Filter
Router
Proxy
Servers
Bastion Host
Open
Services
External
Packet
Filter
Internet
Router
De-militarized Zone
• Internal packet filter "forces" all exit packets to connect to the gateway.
• External packet filter "forces" all entry packets to connect to the gateway or to
open services.
• External packet filter lets out only packets from the gateway or from open
services.
• Internal packet filter lets in only packets from the gateway.
• Proxy servers perform application layer access control.
Network Security - R. Molva - Institut Eurecom 2002
72
Other Useful Tools
• TCP_WRAPPER
• host-based access control and logging for TCP-based services
• located at each host
• integrated with inetd
• Tripwire
• host-based integrity verification
• detects modification of essential files
• based on hashing
• SATAN, ISS
• vulnerability testing on UNIX networks
• based on well-known security flaws
• COPS
• vulnerability testing on UNIX systems
• ISS Real Secure, Netranger, etc.
• network intrusion detection
• based on traffic analysis and recognition of well-known attack sequences
Network Security - R. Molva - Institut Eurecom 2002
73
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS

6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
74
Cryptographic Security
SNMP
Domain
Name
System
Routing
Information
Protocol
EGP
BGP
Routing
Security
ICMP
IGMP
Transmission User
Control
Datagram
Protocol
Protocol
OSPF
Transport Layer
Security
ARP
RARP
ATM
Internet
Layer
Security
Internet
Protocol
xDSL
Ethernet
Network Security - R. Molva - Institut Eurecom 2002
Data Link Layer
75
Internet Layer Security Architecture
IPsec
RFC 2401 - Architecture Document
• IP Authentication Header (IP AH)
• IP Encapsulating Security Payload (ESP)
• Keyed Hash Functions
• Key management and Security Associations
• No protection for ARP in IPv4
• Secure equivalent in IPv6 using ICMP
Network Security - R. Molva - Institut Eurecom 2002
76
IP Authentication Header
Cryptographic Authentication for IPv4 and IPv6 Datagrams
RFC 2402
Services provided:
• support for variable functions and parameters (SPI)
• data origin authentication
• data integrity
• replay detection
Services not provided:
• confidentiality
• traffic secrecy
• denial of service detection
Network Security - R. Molva - Institut Eurecom 2002
77
IP AH
0
8
16
24
Security Parameter Index (SPI)
Sequence Number
Authentication Data (variable)
mutable fields
IP Datagram
000
Auth.Data
000000000000
Secure Hash Function
Network Security - R. Molva - Institut Eurecom 2002
78
IP AH
• Transport mode AH placement in the IP datagram:
IPv4
Original IP
Header
AH
TCP
Data
coverage of authentication (except for mutable fields)
IPv6
Original IP
Header
Hop-by-hop
extensions
AH
End-to-end
extensions
TCP
Data
coverage of authentication (except for mutable fields)
• Tunnel mode AH placement in the IP datagram:
Encapsulating IP
Header
AH
Original IP Extension TCP
Header + fields
Data
coverage of authentication (except for mutable fields)
Network Security - R. Molva - Institut Eurecom 2002
79
IP AH
Secure Hash Function alternatives:
• Keyed MD5 (RFC 1828)
512
Key + padding
n x 512
IP packet
Key
padding
MD5
Authentication Data (128 bits)
• HMAC (RFC 2104)
HMAC (K, text)  H (K xor pad1 H (K xor pad 2 text ))
• Asymmetric or Symmetric Encryption of MD5 output
Network Security - R. Molva - Institut Eurecom 2002
80
IP Encapsulating Security Payload
RFC 2406
Services provided:
• data confidentiality
• data integrity with replay detection
• traffic confidentiality (optional)
8
16
24
Security Parameter Index (SPI)
Sequence Number
Payload
Padding
Coverage of
Confidentiality
0
Authentication Data (variable)
Network Security - R. Molva - Institut Eurecom 2002
81
IP ESP
ESP header
Original IP
SPI
Header
ESP payload
Seq.Nr. TCP
ESP trailer
Data
Padding
Auth.
Data
IPv4
Transport
Coverage of confidentiality
Coverage of authentication
ESP header
ESP payload
Mode
ESP trailer
Original IPHop-by-hop
end-to-end TCP Data Padding Auth
SPI
Seq.Nr.
Data
Header
extensions
extensions
IPv6
Coverage of confidentiality
Coverage of authentication
ESP header Original IP datagram
New
IP new
original IP
TCP
Header
extensions SPI Seq.Nr. Header
ESP trailer
Data Padding
Auth
Data
Tunnel
Mode
Coverage of confidentiality
Coverage of authentication
Network Security - R. Molva - Institut Eurecom 2002
82
End-to-end security with IPsec
Internet or Intranet
Host 2
Host 1
Transport Mode
Tunnel Mode
IP1
AH
ULH
IP2 AH
IP1
ULH
IP1
ESP
ULH
IP2 ESP IP1
ULH
IP1
AH ESP ULH
: One or more SA’s applied to the same traffic stream
IP1 : original IP header IP2 : encapsulating IP header
ULH : Upper Layer Header
Network Security - R. Molva - Institut Eurecom 2002
83
Simple virtual private network with IPsec
Intranet
Host 1
Internet
Intranet
SG 2
SG1
Host 2
Tunnel Mode
IP2
AH IP1
ULH
IP2 ESP IP1
ULH
Network Security - R. Molva - Institut Eurecom 2002
84
Remote access with IPsec
SA1
SA 2
Internet
Host 1
Intranet
SG
Host 2
Network Security - R. Molva - Institut Eurecom 2002
85
Internet Security Architecture
SNMP
Domain
Name
System
Routing
Information
Protocol
EGP
BGP
Routing
Security
ICMP
IGMP
Transmission User
Control
Datagram
Protocol
Protocol
OSPF
Transport Layer
Security
ARP
RARP
ATM
Internet
Layer
Security
Internet
Protocol
xDSL
Ethernet
Network Security - R. Molva - Institut Eurecom 2002
Data Link Layer
86
Transport Layer Security (TLS) Protocol
RFC 2246
Based on Secure Sockets Layer (SSL) from Netscape Communications
Services provided :
• peer entity authentication
• data confidentiality
• data integrity (replay detection)
• generation/distribution of session keys
• security parameter negotiation
Two sub-layers:
• TLS Record Protocol
• TLS Handshake Protocol
• Record sub-layer encapsulates Application Data and Handshake Protocol
Network Security - R. Molva - Institut Eurecom 2002
87
TLS Handshake Protocol
Session Negotiation between peer Transport Entities
A session consists of:
• session Id
• X509 public-key certificate of the peer
• compression algorithm
• encryption algorithm
• MAC algorithm (MD5, SHA, etc.)
• cryptographic attributes
- Session data are used by the TLS Record Layer for encryption and integrity
protection of higher layer protocols
- A session can be reused by several transport connections.
Client
Server
ClientHello
ServerHello Certificate
ServerKeyExchange
Certificate
ClientKeyExchange
Application Data
Network Security - R. Molva - Institut Eurecom 2002
88
WWW Security
browser
applet
server
CGI
gateway
program
HTTP url
Local resources
Local resources
Vulnerabilities:
• HTTP: risks due to communication over Internet
• CGI: malicious script can expose server resources
• Java: malicious applet can expose client resources
Network Security - R. Molva - Institut Eurecom 2002
89
HTTP and CGI Security
Client-server communication:
• Standard: authentication by the server
• uuencoded cleartext passwords
• domain-based access control
• per subtree of the html document directory
• application layer: Secure HTTP
• transport layer: SSL Netscape (see Transport Layer Security)
• proxy server to filter traffic at domain boundary
CGI:
• restricted access to cgi-bin directory
• user-provided parameter verification in the cgi scripts
• limited use of setuid bit with cgi scripts
• limited use of process creation in cgi scripts
• hide source of cgi scripts from the net
Network Security - R. Molva - Institut Eurecom 2002
90
Mobile Code
Client
Browser
Network
Applet
Libraries
Malicious applet (executable content) can cause:
- diclosure of client information
- modification of client information
- denial of service on client resources
Flexibility and power at the cost of higher risk
Network Security - R. Molva - Institut Eurecom 2002
91
Java Security
Language features
• object-oriented data encapsulation
• type-safety
• final attribute
• absence of pointers
• garbage collection
• namespace encapsulation
Protection against malicious Applets: Sandbox Approach
Bytecode Verifier
converts bytecode from the network into local class, checking:
• stack overflows
• pointers
• access restrictions
• object and method access
Class Loader
• protects integrity of local classes
• forces class import from origin node
• signature verification by subtyped SignedClassLoader
Security Manager
• access control by the runtime environment (browser)
• used by the other objects
Network Security - R. Molva - Institut Eurecom 2002
92
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS

6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Network Security - R. Molva - Institut Eurecom 2002
93
Multicast Security
•
Key Management
•
Data Origin Authentication
•
Data Confidentiality
Network Security - R. Molva - Institut Eurecom 2002
94
Key Management
•
Security requirements
– membership (JOIN/LEAVE) security;
– Containment.
•
Scalability
– Processing cost
– Membership dynamics
• No group-wide re-key message
– Treat the group as single entity
•
Existing algorithms :
– one key for the whole group
– the group is a set of subgroups : different keys in each subgroup
Network Security - R. Molva - Institut Eurecom 2002
95
Multicast Key management
• Keygraphs [Wong et al. 98]
K0
 K0 = Group Key
 u4’s keys = {K3,K34, K1234,K0}
K1234
u4 JOINS : trivial
K5678
u4 LEAVES :
{K34’, K1234’,K0’}K3  u3
K12
K34
K56
{K1234’, K0’}K12  u1, u2
K78
{K0’}K5678  u5,u6,u7,u8
K1
K2
K3
K4 K5 K6 K7 K8
u1
u2
u3
u4
u5
u6
u7
u8
 advantage : number of re-key messages
are in the logarithmic order
there is no containment.
Network Security - R. Molva - Institut Eurecom 2002
96
Multicast Key Management
Sub-group approach
• Iolus [Mittra, 97]
• intermediate nodes involved in key distribution
 GSC (Group Security Controller)
defines the groups and the GSI
K1
GSC
GSI
GSI
K3
K2
GSI
K5
GSI
K6
GSI
K4
 GSI (Group Security Intermediary):
1- decrypt M with the key of the group;
2 - recrypt M with the key of the other
group he’s involved in.
 advantage : containment + scalability
 disadvantage : we have to trust GSIs
Network Security - R. Molva - Institut Eurecom 2002
97
Multicast Key Management
Sub-group Approach
• [Molva et al. 99]
• Based on asymmetric algorithms
S1 Source
( S0 ) a1 mod p
a1
sends:
T  M  S0
a2
a3
a6
a4
a7
S4
a5
Recipients in
subgroup:
S0  (S 4 )
1
a1 a2 a3 a7
Network Security - R. Molva - Institut Eurecom 2002
mod p
98
Multicast Key Management (4/4)
•
MARKS [Briscoe 99]
t0
L
t1
L
L
t3
R
 access to segments between s4 and s8
using t2 and t10
R
R
L
t4
t5
L
R
L
t11
t7
t8
t9
t10
k1
k2
k3
k4
k5
 k4 = t10 ; k5 = L(L(t2)); etc.
t2
R L
t12
k6
L and R are one-way functions.
R
t6
t13
R
t14
k7
k8
Network Security - R. Molva - Institut Eurecom 2002
99
Broadcast Encryption(2/3)
•
k-resilient scheme [Fiat et al. 1994]
 Every user ui is assigned a set of keys Ki
S
 S sends {M}K and a key envelope
to a user set T
u1
u2
u3 ….. un
 Each users in T retrieves K
from the key envelope using Ki
 mathematically proven k-resilient.
Network Security - R. Molva - Institut Eurecom 2002
100
Broadcast encryption(3/3)
•
f-redundant key cover schemes [Abdalla et al. 2000]
k(ui) = {Kj} \ uiKj
u5
u8 K
1
u2
u9
u10
u3
u4
K2
K5
u6
u11 K3
u13
u7
u12
K4
U
U = universe of users ui
Ki = sets of users (one key per set)
S {u2,u6,u10,u12} : M
S computes Cmin(K) and
sends the same message
encrypted with the keys in
Cmin(K) (minimal key
cover).
=> f-redundancy: some of
users outside the intended
destination group will be
able to access M
Network Security - R. Molva - Institut Eurecom 2002
101
Data Encryption (1/3)
•
[Pannetrat et al. 2002] Based on same idea as the key distribution
algorithm using intermediate nodes
•
Symmetric encryption in XOR-Counter mode.
– Apply several layers of encryption at the source and recipients.
– Only two operations in the intermediate elements
• One decryption
• One encryption
Network Security - R. Molva - Institut Eurecom 2002
102
Data Encryption (2/3)
• Link Model
m
k1,k2,k3
P3

P2

P1

m
P4

P3

P2

m
k1
k4
P5

P4

P3

m
k2
k5
P6

P5

P4

m
k3
k6
P7

P6

P5

m
k4
k7
Network Security - R. Molva - Institut Eurecom 2002
m
k5,k6,k7
103
Data Encryption(3/3)
• Group Model
k2
k10
k3,k4,k10
k5,k6,k7
k2
k5
Network Security - R. Molva - Institut Eurecom 2002
k5,k6,k8
104
Multicast Authentication (1/4)
•
•
Requirements
– A Multiparty Problem
• One source and an unlimited number of recipients
• The source does not trust the recipients
 authentication technique must be asymmetric
– A Packet Streaming Problem
• Individual authentication of each packet
• Authentication of packet sequences
• cost/packet
• Packet loss rate
• Real time
A digital signature per packet is not a practical solution
• 1 digital signature for a set of packets
• Packet chaining using hash functions
Network Security - R. Molva - Institut Eurecom 2002
105
Multicast Authentication (2/4)
•
TESLA [Perrig et al. 2000]
•
Lamport’s hash chaining like in S/Key:
K0, K1, K2, . . . Kn \ Ki = h(Ki+1)
•
Authenticated multicast message sent at time interval i:
Mi, MAC(Ki, Mi), Ki-1
•
•
•
Mi authenticated using a further message in the stream
Synchronization required to detect re-plays: Kj only valid in interval Ij
The first message asymmetrically authenticated using a digital
signature.
Network Security - R. Molva - Institut Eurecom 2002
106
Multicast Authentication (3/4)
• [Pannetrat et al. 2002]
hash
P P P P P P P P P P P P
Advantages :
•Spread the cost of a signature
over several packets.
•Erasure code to tolerate losses.
•No need to send duplicate hash values
E.C.1
Sign
E.C.2
Network Security - R. Molva - Institut Eurecom 2002
107
Multicast Authentication (4/4)
• Alternative feedback schemes
PPPP PPPP
PPPP
PPPP PPPP
Network Security - R. Molva - Institut Eurecom 2002
108
Thank You
Network Security - R. Molva - Institut Eurecom 2002
109