Академический Документы
Профессиональный Документы
Культура Документы
Caesar cipher
Monoalphabetic cipher
Polyalphabetic cipher
Playfair cipher
Vigenère cipher
Vernam cipher
This system includes, within its own cipher, the two previously proposed
systems. It therefore introduces greater security. Normally in a cryptographic
system multiple phases of these two systems are used. Obviously, both in
transmission and in reception it will be possible to read the plain text. For this
reason these processes must be reversible.
Symmetric cryptography
Pro:
0. Speed of operation, so you can use very long keys, since the
algorithms to encrypt or decrypt are very fast
Cons:
0. Problem of the exchange of the key and its distribution to users
0. Hypothesis of a single key for encryption and decryption (or anyway
easily deductible from one another)
0. Repeated use of the same key: several times it is used, the easier it is
to understand it
0. Reliability of the recipient: this could lose or give others
unauthorized their key
DES
Triple-DES
and therefore a single DES encryption with the key k can be represented as
TDES-EDE with k 1 = k 2 = k 3 = k . The choice of decryption for the
central passage does not affect the security of the algorithm.
Encryption mode
Block cipher
E k -1 (E k (m)) = m
for each block m and key k . For every input key k , E k is the number of
possible permutations of all types of inputs to be encrypted, which are (2 Nb )
! . The number of possible keys is usually less than the number of possible
inputs.
2 Nk <(2 Nb )!
The block size, N b , is typically 64 or 128 bits although some algorithms
accept blocks of variable size.
In summary:
0. Plain text is divided into n-bit blocks that are independently
encrypted
0. Each block of plaintext generates a block of the same length of
ciphertext
0. To make decryption possible, each block of plain text must produce
a block of unambiguous text
The most famous block ciphers are: Lucifer, 3-Way, AES, Camellia,
Blowfish, DES.
Stream cipher
RSA algorithm
MD5
The MD5 is a cryptographic hash function created by Ronald Rivest in 1991
and standardized with RFC 1321. It is a unidirectional function different from
encoding and encryption because it is irreversible. This function takes an
arbitrary length string into input and produces another 128-bit output. The
process takes place very quickly and the output (also known as "MD5
Checksum" or "MD5 Hash") returned is such that it is highly unlikely to get a
same hash value in output with two different input strings. To date, many
online resources are available that are likely to be able to decrypt coded
common words. To date, the availability of efficient algorithms capable of
generating strings that collide (that is, output in the same hash value) in a
reasonable time has made MD5 less favored than other hashing algorithms
(see WHIRLPOOL, SHA-1 or RIPEMD- 160), although its diffusion is still
very widespread (just think that the most frequent file integrity check is based
on MD5).
Example in PHP
<?php
//I assign to a variable the string that I want to encode with the MD5 algorithm
$my_var = 'This is the string I want to encode' ;
//Print on screen the MD5 encoding of the string stored in the variable
echo md5 ( $my_var );
// You can add "salt" to the string to be encrypted, that is another string
$salt = "NaCl" ;
echo md5 ( $salt . "my_password" );
?>
SHA
SHA (Secure Hash Algorithm) refers to a family of five different
cryptographic hash functions developed since 1993 by the NSA and
published by NIST as a federal standard by the US government (FIPS PUB
180-4). Like any hash algorithm, the SHA produces a message digest, or
"footprint of the message", of fixed length starting from a message of
variable length. The security of a hash algorithm lies in the fact that the
function is not reversible (ie it is not possible to trace the original message
knowing only this data) and that it should never be possible to intentionally
create two different messages with the same digest. The family algorithms are
called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512: the last 4
variants are often referred to generically as SHA-2, to distinguish them from
the first. The former produces a message digest of only 160 bits, while the
others produce digits of a length in bits equal to the number indicated in their
abbreviation (SHA-256 produces a 256-bit digest). The SHA-1 is the most
widespread algorithm of the SHA family and is used in many applications
and protocols despite being insecure and will soon be replaced by others,
more modern and efficient. The functioning of the SHA-1 is as follows:
0. Step 1 (Padding): "Padding" bits are added to the original message so
that the final length of the message is congruent to 448 module 512,
thus making the length of "message + padding" is equal to a 6 4bit
number smaller than a multiple of 512 bit.
0. Step 2 (Added Length): A 64 bit unsigned integer containing the
length of the original message is added to the bit sequence (message +
padding) created during step 1. At the end of these first two steps we
obtain a sequence of bits which is a multiple of 512.
0. Step 3 (Initialization of the MD buffer): A buffer of 160 bits divided
into 5 registers of 32 bits each is created for the memorization of some
intermediate steps.
0. Step 4 (Processing the 512 bit blocks): The bit sequence "message +
padding + message length" is divided into 512 bit blocks, which we
will identify with B n with n ranging from 0 to L . The fulcrum of the
SHA-1 algorithm is called compression function and consists of 4
cycles of 20 steps each. The cycles have a very similar structure among
them if not for the fact that they use a different primitive logic function.
Each block is taken as input parameter from all 4 cycles together with a
constant K and the values of the 5 registers. At the end of the
computation we will obtain new values for A, B, C, D, E that we will
use for the computation of the next block up to the final block F.
Authentication protocols
The AAA protocol generically indicates a protocol that carries out the three
functions of authentication, authorization and accounting. The expression
AAA protocol does not refer to a protocol in particular, but to a family of
protocols that, even in different ways or with different implementations, offer
the services mentioned. AAA (authentication, authorization and accounting)
is mainly used in the field of corporate security. In fact, it protects access to
company data, physical access to the premises and the use of resources.
Authentication
Authorization
Accounting
Accounting refers to all the actions that track or record, measure and
document the resources granted to a user during an access to a server or more
generally to an IT system.
Authentication based on a shared secret
C hallenge/response protocols
Unconditionally secure
Computationally secure
Certificates
IPsec, short for IP Security, is a standard for packet networks that aims to
achieve secure connections over IP networks. Security is achieved through
authentication, encryption and integrity control of IP packets (datagrams).
The ability to provide security or security is then provided at the network
level (unlike HTTPS, SSL / TLS), which makes this protocol transparent to
the level of applications that should not therefore be modified. IPsec is
designed to secure both portal-to-portal and end-to-end communications. In
the first configuration the traffic is made "safe" to different computers (in
some cases to an entire LAN); in the second case only the peers that establish
the connection exchange protected packets. However the predominant use of
IPsec is the creation of VPN (virtual private network); to achieve this purpose
both methods previously exposed can be used. Psec is a collection of
protocols consisting of:
0. Protocols that implement key exchange to achieve encrypted flow.
0. Protocols that provide data stream encryption.
Currently there is only one protocol for the exchange of keys, the IKE
protocol. IPsec is an integral part of IPv6, while it is optional in IPv4. As a
result, it is expected that it will be most used when IPv6 will gain popularity.
The protocol is defined in RFCs 2401-2412. Since 2004, studies are
underway to update the protocols. Regarding the second aspect, there are two
protocols: Authentication Header (AH) and Encapsulating Security Payload
(ESP). AH provides authentication and message integrity, but does not offer
confidentiality and is the IP 51 protocol. ESP instead provides authentication,
confidentiality and integrity control of the message and is the IP 50 protocol.
For these reasons ESP is much more used than AH.
IPsec supports two modes of operation:
0. Transport mode
0. host-to-host connection;
0. used by end-points, not by gateways;
0. in case of encryption, only the payload of the IP datagrams is
encrypted, not the header;
0. computationally light;
0. every host that wants to communicate must have all the
software necessary to implement IPsec;
0. only the IPsec header is added; the sender and receiver
addresses of the end-points are detectable.
0. Tunnel mode
0. gateway-to-gateway connection;
0. in case of encryption, the whole original IP package is
encrypted;
0. used to create VPNs;
0. computationally onerous;
0. only gateways must have IPsec software;
0. there are points of centralization, therefore single point of
failure;
0. it uses a double encapsulation, placing as a payload of the
communication between gateway addresses as it is obtained by
encrypting the union of sender and receiver addresses of the end-
points with the actual payload; adopting the Encapsulating
Security Payload protocol, the sender and recipient addresses of
the end-points are therefore no longer detectable (they remain
detectable by adopting AH).
The two modes are supported by both AH and ESP. IPsec can also be used
for connections between gateways and hosts.
Security Association
The concept of the Security Association (in short SA) is the basis of IPsec's
operation. An SA is a "contract" between the two entities involved in the
communication; in it are established the protection mechanisms and the keys
to be used during the subsequent data transfer. Within IPsec, establishing
security associations is the task of the IKE protocol, although it is also
possible to set them manually; obviously the manual procedure is not
recommended as it can introduce errors that weaken the tunnel. A peculiarity
of the SA is that they identify a one-way communication; therefore, during
the creation of the connection, the entities involved create and manage an SA
for each of the communication lines, so 2 SA identify a full-duplex channel.
In order to simplify the management of the SA, a special database called
SAD (Security Association Database) is used, where the active SA is tracked.
In particular, an SA consists of the following parameters:
0. The IP addresses of the peers involved in the communication;
0. The protocol that will be used for the tunnel (AH or ESP);
0. The encryption techniques used and the related keys;
0. A 32-bit integer called SPI, which stands for Security Parameter
Index.
By examining the parameters of an SA, all the information necessary to
establish the manner in which the traffic must be protected is deduced; the
next step is to define which traffic should be protected: the Security Policy
(in short SP) deals with this. An SP is a rule that determines what type of
traffic should be routed to the tunnel and then be covered by IPsec; in a
similar way to the SA, the SPs are contained in an SPD (Security Policy
Database). The security policy contains:
0. Source address and destination address of the package. This
information is already contained in the SA and therefore may seem
redundant. In reality this information makes sense when Tunnel mode
is used.
0. The protocol and its port to be routed in the tunnel. This option
depends on the implementation of the protocol and is not always
covered; if it is not available, all the traffic produced is conveyed to the
tunnel.
0. An identifier of the SA to be used to process the data.
Once the security association and the security policy have been established,
the communication that will exploit the AH protocol or the ESP protocol to
which the SPI parameter will be passed can begin, which will allow to go
back to the cryptographic techniques to be used for transmission.
IKE protocol
IKE is an acronym for Internet key exchange and is the protocol used to
establish a security association in the IPsec suite of protocols. This protocol is
defined in RFC 4306. It is an application layer protocol and uses the UDP
protocol as transport protocol; the port on which the connection is established
is 500. The goal of IKE is to establish a shared session secret, that is, a shared
key corresponding to the session to be established and to this end it uses the
Diffie-Hellman algorithm; from the shared secret are subsequently derived
the cryptographic keys that will be used for subsequent communication. In
order to authenticate the entities involved in the communication, symmetrical
key techniques or, alternatively, asymmetric key can be used; in the latter
case, use is made of public-key infrastructure (PKI) and the use of digital
certificates.
AH protocol
Authenticated data
AH in tunnel mode:
External IP header AH header IP header TCP header Data
Authenticated data
The dark gray line indicates the areas of the package that are authenticated.
From the point of view of protection, in both cases, the packages are
completely protected. Note that in the IP header, some fields vary during
network transit, such as TTL. These fields are set to 0 before the hash
function is calculated, which is necessary to protect the package. From what
has just been said, it is immediately clear that the AH protocol is
incompatible with the various NAT techniques; in fact if the address fields in
the IP header are altered (in both modes), the checksum immediately fails in
receipt.
ESP protocol
Authenticated data
Authenticated data
Dark gray lines subtend the part of the package that is checked for
authenticity and integrity; light gray zones indicate packet areas that are
protected by cryptographic algorithms. As far as encryption algorithms are
concerned, Data Encryption Standard (DES), 3DES, AES and Blowfish can
be used. The integrity and authenticity check is performed via HMAC (hash
functions); the hash is calculated using a hash function (MD5 or SHA1),
using a shared key; the hash obtained is attached to the message and sent. The
message integrity is checked in reception. As shown in the diagrams, the
outermost IP address is not covered by the integrity check. This option makes
the ESP protocol suitable for use in some types of NAT, especially in static
ones. However, there are ad-hoc solutions for the joint operation of IPsec and
NAT, such as NAT traversal.
NAT-T
NAT traversal (or more shortly NAT-T) is the name of a protocol that is part
of the IPsec suite and standardized in several RFCs, of which the official one
is RFC 3947. The goal of this protocol is to provide the possibility to
establish a tunnel IPsec even when one of the two peers involved undergoes a
NAT operation to reach the other entity involved in the communication. NAT
is a widely used technique for reusing IP addresses. However, hosts behind a
router (or firewall) performing NAT operations do not have end-to-end
connectivity. Although there are several types of NATs, the overall goal is to
alter the package headers. This behavior is in stark contrast to IPsec which
has among its objectives the control of the integrity of the package. In
particular, NAT is incompatible with AH both in tunnel mode and in
transport mode, as AH verifies the integrity of the whole IP package. ESP, on
the other hand, does not cover the IP header with controls of any sort either in
Tunnel mode or in Transport mode, so it is suitable in case the NAT executed
is of the SNAT type; in other words, the modification made by the router
must involve only the IP header and not the upper level port. NAT also
creates problems with IKE and especially with IKE in main mode. The main
mode used in conjunction with the preshared-keys method requires the
authentication of the hosts involved in the communication and this
authentication provides control over the IP addresses; therefore the alteration
of the address by a NAT device causes authentication to fail. Generally, in
the devices used to manage IPsec tunnels and VPN clients, NAT-T is not
enabled by default but must be set up by hand; however its use remains
optional: in fact during the creation of the security association, the peers
determine if one of the two undergoes NAT operations and only in this case
the NAT-T is used; this operation is done during the first phase of the IKE
negotiation. In the first instance, peers verify that both are able to support
NAT-T; this verification is performed in the very first phase of the IKE
protocol, by means of a package with a Vendor ID field, which contains a
known hash value. Once it is established that both support NAT-T, frames
are sent "NAT-Discovery" (NAT-D), in order to verify which of the two
undergo the NAT, or at the limit if they both suffer. Once the NAT user is
established, the communication moves to a new pair of UDP ports and the
"nat-tata" entity starts sending keepalive frames; these frames are used to
keep the communication ports fixed on the router and to prevent them from
reassigning them to a new communication.
The fields marked in dark gray are those related to the NAT-T; these fields
are inserted immediately after the external IP header, which is not altered,
just as the following fields are not altered. The inverse operation is performed
in reception.
Firewall
Functionality
Stateful firewall
Application firewall
N ext-generation firewall
Examples
Single firewall
The network has a single firewall with at least 3 network interfaces, which
respectively provide a link to:
0. The external network, from which the Internet requests arrive via a
router (WAN).
0. The internal network in which there is the workstation (intranet).
0. The DMZ that contains the servers offered.
The firewall that manages everything becomes the only possible security flaw
for the entire network and must be able to handle all the traffic going to the
DMZ and the internal network. It represents an unsafe configuration due to
the presence of a single firewall.
Double firewall
User authentication
The nature of the VPN - making private data transit in public networks -
requires attention to potential threats to data and the impact of lost data. A
VPN worries about security threats, offering security services in the realm of
authentication, the process of making sure that a customer or system is
actually the person they claim to be. There are many authentication
mechanisms, but the most used are:
0. something you know: (an identifier, such as a password or PIN);
0. something you have: (a computer-readable symbol, like a smartcard);
0. something you are: (the retina or fingerprints).
Login and password are generally considered weak authentication, while
strong authentication is obtained by combining two different types of
authentication. The actual level of security obviously depends on the context,
because for example a smartcard can be stolen, while access credentials can
be difficult to detect. Stolen or lost security data may allow multiple attacks
and require multiple authentication schemes. No technique offers complete
authentication security, even biometric ones (fingerprints, vocal impressions
and retina mapping).
Trusted VPN
The guarantee offered by the Trusted VPN network is the security that no
unauthorized third party can take advantage of the customer's circuit. This
implies that the customer has his own IP address and his own security policy.
The circuit travels through one or more communication "switches" that can
be compromised by those who want to disturb the network traffic. The
customer of a VPN then expects the VPN provider (provider) to maintain the
integrity of the circuit to prevent intruder access. Companies that use a
Trusted VPN want to be sure that their data moves through a series of paths
that have specific properties and are controlled by an ISP (Internet Service
Provider). The customer therefore believes that the paths through which these
data move are kept secure according to the criteria of a previous agreement,
even if the customer generally does not know what the paths used by the
Trusted VPN provider are. More recently, service providers have begun to
offer a new type of Trusted VPN, this time using the Internet instead of the
telephone network as a communication substrate. These new Trusted VPNs
do not offer security, but give customers a way to easily create large-scale
network segments (WANs). Trusted VPN segments can also be controlled
from a single place and often with a quality of service (QoS - quality of
service) from the provider.
Requirements:
0. No one outside the Trusted VPN provider can affect the creation or
modification of the VPN path.
0. No one outside the relationship of trust can change any part of the
VPN.
0. No one outside the Trusted VPN provider can change incoming or
deleted data from the VPN path.
0. The data travels within the various paths that are shared by multiple
customers of the provider, the path must then be specified by the VPN
and no one apart from the trusted provider can change the various data.
0. The path and address used in a Trusted VPN must be established
before the VPN is created.
0. The customer must know what is expected of the supplier, so that
both can plan and create the network for which they are collaborating.
Secure VPN
Since the Internet has spread and has become an important means of
communication, security is at the same time becoming increasingly
important, both for customers and for providers. Since the VPN did not offer
complete security, the connectivity providers began to create protocols that
allow the encryption of data from the network or from the source computer,
in order to be transported on the Internet like any other data, for then be
decrypted upon arrival in the company network or in the receiving computer.
This encrypted traffic acts as a "tunnel" between two networks: even if an
intruder tried to read the data, he could not decrypt the contents or modify
them, since any changes would be immediately detected by the recipient and
therefore rejected. Networks built using data encryption are called Secure
VPN. The main reason why companies use a Secure VPN is that they can
transmit sensitive information over the Internet without fear of being
intercepted. Secure VPNs are particularly useful for allowing remote access
by users connected to the Internet from areas not controlled by the network
administrator.
Requirements:
0. All traffic on a Secure VPN must be encrypted and authenticated.
0. Many of the protocols used to create Secure VPN allow the creation
of authenticated, but not encrypted, networks.
0. Even if such a network is more secure than a network without
authentication, it could not be considered a VPN because it does not
protect privacy.
0. The security properties of a VPN must be agreed by all parts of the
VPN.
0. Secure VPNs have one or more tunnels and each tunnel has two
ends.
0. Administrators at each end of each tunnel must be able to agree on
the tunnel's security properties.
0. No one outside the VPN can compromise the security properties of
the VPN.
0. It must be impossible for an intruder to change the security
properties of one or more parts of the VPN, in order to weaken the
encryption or compromise the encryption keys used.
Hybrid VPN
A Secure VPN can be used as part of a Trusted VPN by creating a third type
of VPN, recently introduced on the market. The secure parts of a Hybrid
VPN can be controlled by a customer or by the same provider that provides
the trust part of the Hybrid VPN. Sometimes an entire Hybrid VPN is made
secure thanks to a secure VPN, but most commonly only a part of the Hybrid
VPN is secure. It is clear that Secure VPNs and Trusted VPNs have very
different properties:
0. Secure VPNs provide security, but do not secure routes;
0. Trusted VPNs ensure the properties of paths as QoS, but not
intrusion security.
Because of these strengths and weaknesses, the Hybrid VPNs have been
introduced. However, the usage scenarios are still evolving. A typical
situation for deploying a Hybrid VPN is when a company already has a
Trusted VPN and wants security on a part of the VPN. However, none of the
Trusted VPN technologies prevents the creation of Hybrid VPN and some
manufacturers are building systems that explicitly support the creation of
Hybrid VPN services.
Requirements:
0. The border addresses between the Secure VPN and the Trusted VPN
must be extremely clear.
0. In a Hybrid VPN the Secure VPN should be a subset of the Trusted
VPN. For each pair of data addresses in a Hybrid VPN the VPN
administrator must be able to know for sure whether the traffic between
the two addresses is part of the Secure VPN.
The protocols that implement a more secure VPN are:
0. IPsec (IP security), commonly used on IPv4 (mandatory part of
IPv6).
0. Point-to-point tunneling protocol (PPTP), developed by Microsoft.
0. SSL / TLS, used both for tunneling the entire network, as in the
OpenVPN project, and to make sure it is essentially a web proxy. SSL
is a framework, very often associated with electronic commerce, which
has proved to be very flexible and is therefore used as a security layer
for various (more or less standard) implementations of virtual private
networks.
0. VPN Quarantine: the machine of the VPN terminal client could be a
source of attack, which does not depend on the VPN project. There are
solutions that provide Quarantine VPN services that control the remote
computer. The customer is kept in quarantine until the infection has
been removed.
0. MPVPN (Multi Path Virtual Private Network), a registered
trademark owned by the Ragula System Development Company.
0. The ISPs now offers a VPN service for companies that want the
security and convenience of a VPN. In addition to providing remote
employees with secure access to the internal network, other security
and management services are sometimes included. These mechanisms
do not themselves implement a virtual network, but only a secure
conversation between two terminals. In these cases the virtual network
mechanism must be implemented by means of a special protocol which
is then encapsulated.
T SL protocol
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer
(SSL) are cryptographic presentation protocols that allow secure
communication from the source to the recipient (end-to-end) over TCP / IP
networks (such as the Internet) providing authentication, data integrity and
confidentiality operating above the transport level.
Several versions of the protocol are widely used in applications such as
browsers, e-mail, instant messaging and voice over IP. An example of
applying SSL / TLS is in the HTTPS protocol. The TLS protocol allows
client / server applications to communicate across a network in such a way as
to prevent tampering (tampering) of data, falsification and interception. It is a
standard IETF protocol that, in its latest version, is defined in RFC 5246,
developed on the basis of the previous SSL protocol by Netscape
Communications. In the typical use of a browser by an end user, TLS
authentication is one-sided: it is the only server that authenticates itself at the
client (ie, the client knows the identity of the server, but not vice versa the
client remains anonymous and not authenticated on the server). Server
authentication is very useful for navigation software and for the user. The
browser validates the server certificate by checking that the digital signature
of the server certificates is valid and recognized by a known certificate
authority using a public key encryption. After this authentication the browser
indicates a secure connection usually showing a lock icon. This
authentication, however, is not sufficient to ensure that the site with which
you are connected is the one required. To be sure it is necessary to analyze
the content of the certificate issued and check the certification chain. Sites
wishing to deceive the user can not use a site certificate that they want to
impersonate because they do not have the ability to effectively encrypt the
certificate, which includes the address, so that it is valid at the destination.
Only CAs can generate valid certificates with an embedded URL so that the
comparison between the apparent URL and that contained in the certificate
can provide a reliable method for identifying the site. Very often this
mechanism is not known to internet users and causes various frauds due to
incorrect use of the browser, not to a weakness of the TLS protocol. The TLS
protocol also allows for bilateral authentication, typically used in business
applications, in which both parties authenticate themselves securely by
exchanging their certificates. This authentication (called mutual
authentication) requires that the client also has its own digital certificate
which is very unlikely in a normal scenario. In the absence of a bilateral
authentication, the TLS-PSK or Secure remote password (SRP) protocols can
be used to ensure secure authentication in the absence of a certificate.
Functioning
The operation of the TLS protocol can be divided into three main phases:
0. Negotiation between the parts of the algorithm to be used
0. Key exchange and authentication
0. Symmetric encryption and message authentication
In the first step, the client and server negotiate the encryption protocol that
will be used in secure communication, the key exchange protocol and the
authentication algorithm as well as the Message authentication code (MAC).
The key exchange algorithm and the authentication algorithm are usually
public key algorithms or, as in the case of TLS-PSK, they use a pre-shared
key (Pre-Shared Key). The integrity of the messages is guaranteed by a hash
algorithm that uses an HMAC construct for the TLS protocol or a non-
standard pseudorandom function for the SSL protocol.
Within a session, the following protocols are typically used:
0. For key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK
0. For authentication: RSA, DSA, ECDSA
0. Symmetrical encryption: RC4, DES, Triple DES, AES, IDEA or
Camellia. In older versions of SSL the RC2 protocol was also used.
0. For cryptographic integrity functions, hash functions are usually
used: HMAC-MD5 or HMAC-SHA are used in TLS, while in SSL
MD5 and SHA. In older versions of SSL, MD2 and MD4 were also
used.
SSLv2 did not use RSA. There is a vulnerability in which an attacker can
repeatedly attempt to connect using SSLv2, each time obtaining some
cryptographic key information. Some clients, in addition to support for TLS,
have maintained support for the previous SSLv2 over the years, without
disabling it; IIS, the Microsoft web server, since version 7.0, and OpenSSL
since version 1.0.2g (March 2016) disable SSLv2 by default.
STARTTLS
The HyperText Transfer Protocol over Secure Socket Layer (HTTPS), (also
known as HTTP over TLS, HTTP over SSL and HTTP Secure) is a protocol
for secure communication through a computer network used on the Internet.
The port used in general (but not necessarily) is 443. This system was
designed by Netscape Communications Corporation, which deals with
authentication and encrypted communications and is widely used in the
World Wide Web for situations that require special security needs such as
payment of online transactions. In this case SSL guarantees the encryption of
data sent and received on the internet. HTTPS consists in the communication
through the HTTP protocol (HyperText Transfer Protocol) inside a
connection encrypted by the Transport Layer Security (TLS) or its
predecessor, Secure Sockets Layer (SSL ). The principle behind HTTPS is to
have:
0. authentication of the website visited
0. privacy protection
0. integrity of the data exchanged between the communicating parties.
It is the result of the application of an asymmetric cryptographic protocol to
the HTTP hypertext transfer protocol. It is used to guarantee confidential data
transfers on the web, in order to prevent the interception of contents. In its
popular operation on the Internet, HTTPS provides authentication of the
website and associated web server with which one of the parties is
communicating, protecting communication from known attacks through the
man in the middle technique. Moreover, HTTPS provides a bidirectional
encryption of communications between a client and a server, which protects it
against possible eavesdropping operations, (action by which the private
conversation between the parties is secretly listened to without their consent)
and tampering (literally tampering or alteration of the communication)
falsifying its contents. In practice, this mechanism provides a satisfactory
assurance that it is communicating exactly with the desired website (as
opposed to a fake site), as well as ensuring that the contents of
communications between the user and the website can not be intercepted. or
altered by third parties. Historically, HTTPS connections were used primarily
for payments in transactions on the World Wide Web, e-mail and for
sensitive transactions within corporate information systems. In the late 2000s
and early 2010s, HTTPS began to be widely used and widely used to protect
the authenticity of web pages, the security of user accounts and to maintain
private communications, identity and web browsing. 'user.
Description
In web browsers, the URI (Uniform Resource Identifier) which refers to this
technology has the name https scheme and is in all respects similar to the
URI http. However, HTTPS tells the browser to use the additional SSL / TLS
encryption layer to protect internet traffic. SSL / TLS is particularly suitable
for HTTP protocol, since it can provide some protection, even if only one of
the communicating parts is authenticated. This is the case with HTTP in
Internet transactions, where the server is typically the only party to be
authenticated, while the client examines the server's certificate. HTTPS takes
care of creating a secure communication channel through an unsafe computer
network. This ensures acceptable protection from eavesdropper (prying
listeners) and man-in-the-middle attacks, provided proper communication
encryption is used and that the server certificate is verified and trusted. The
HTTP protocol is based entirely on the operation of HTTPS, above the
Transport Layer Security; for this reason the latter can be completely
encrypted. The encryption of the HTTP protocol includes:
0. the URL request (the web page that was requested)
0. the query parameters
0. the headers of the connection (headers)
0. cookies (which often contain information on the user's identity)
However, because host IP addresses (websites) and port numbers are part of
the underlying TCP / IP protocols, HTTPS can not protect their disclosure. In
practice, it means that even if a web server is correctly configured, the
eavesdropper can deduce the IP address and the port number (sometimes
even the domain name, for example "www.example.org", but not the rest
URL) of the web server with which you are communicating, in addition to
the amount of data transferred and the duration of the communication
(session length), but not the content of the communication. Web browsers
know how to trust HTTPS websites based on authority certificates that come
pre-installed in their software. Certification authorities (such as Symantec,
Comodo, GoDaddy and GlobalSign) are trusted by web browser creators to
provide valid certificates for communication purposes. Therefore, a user
should trust an HTTPS connection to a website if and only if all the following
points are verified:
0. The user trusts that the browser software correctly implements the
HTTPS protocol with properly pre-installed authority certificates.
0. The user trusts the certification authority that only guarantees
legitimate websites.
0. The website provides a valid certificate, which means that it has been
signed by a trusted authority.
0. The certificate correctly identifies the website (for example, when
the browser visits "https://example.com", the certificate received is
appropriately the one related to "example.com" and not some other
entity).
0. The user trusts that the encryption level of the protocol (SSL / TLS)
is sufficiently secure against the possible operations of the
eavesdropper.
HTTPS is particularly important through insecure networks (such as public
WiFi access points), since anyone on the same local network can sniff out
packages and discover sensitive information that is not protected by HTTPS.
In addition, many are paid to engage in packet injection ("packet injection")
within wireless networks in order to provide a service for advertising on their
web pages, while others do it freely. However, this operation can be
maliciously exploited in many ways, like injecting malware onto web pages
and stealing private information from users. HTTPS is also very important
with connections on the Tor network (acronym of The Onion Router) to
preserve anonymity on the internet, as malicious Tor nodes can damage or
alter the contents that cross them insecurely and inject malware into the
connection. For this reason the Electronic Frontier Foundation (EFF) and the
Tor project have started the development of the HTTPS Everywhere protocol,
which is included in the Tor Browser package. Although more information is
being disseminated regarding mass global surveillance and theft of personal
information from hackers, the use of HTTPS for security on all websites is
becoming increasingly important, regardless of the type of internet
connection used. While the metadata of the individual pages that a user visits
are not sensitive information, when this information is combined together
they can reveal a lot about the user's identity and compromise the privacy
itself. The use of HTTPS also allows the use of the SPDY / HTTP / 2
protocols, which are new generations of the HTTP protocol, designed to
reduce loading times and web page latency. It is recommended to use HTTP
Strict Transport Security (HSTS) with HTTPS to protect users from man-in-
the-middle attacks, particularly SSL stripping. HTTPS should not be
confused with the little used Secure HTTP (S-HTTP) protocol described in
the RFC 2660 specification. Most browsers display a warning message if
they receive an invalid certificate from the server that serves as a certificate
authority. Older browsers, when they were connecting to a website with an
invalid certificate, showed the user a dialog message asking them if they
wanted to continue browsing. The most recent browsers, on the other hand,
display a warning message that covers the entire window, showing the safety
information of the visited site on the browser's address bar. In modern
browsers, extended certificate validation shows the address bar with a green
color. In addition, most browsers display a warning message to the user when
they are visiting a site that contains a mixture of encrypted and unencrypted
content. Firefox uses the HTTPS protocol for Google searches from version
14, with the aim of "protecting our users from the network infrastructure that
can collect data from users or modify / censor their search results". The
Electronic Frontier Foundation has expressed the opinion that: "In an ideal
world, every web request could be transformed by default into an HTTPS
request". For Google Chrome browser browsers, Mozilla Firefox (also on
Android) and Opera there is an add-on called "HTTPS Everywhere" which
enables the default HTTPS protocol for hundreds of websites.
Security
The security of HTTPS is guaranteed by the underlying TLS protocol, which
in practice uses long-term private and public keys to generate short-term
session keys. These keys are used later to encrypt the flow of data exchanged
between client and server. The certificates defined by the X.509 standard are
used to authenticate the server (sometimes even the client). As a result, the
certifying authorities and the public key certificates are necessary in order to
verify the relationship between the certificate and its owner, in addition to
generating the signature and managing the validity of the certificates. While
this may be more beneficial than verifying identities through a network of
trust, mass disclosures on surveillance in 2013 have drawn the certifying
authorities as a potential weak spot for man-in-the-middle attacks. An
important property in this context is forward secrecy, which ensures that
encrypted communications recorded in the past can not be recovered and
decrypted and long-term encryption keys or passwords are not compromised
in the future. Not all web servers provide forward secrecy. A website must be
totally hosted on the HTTPS protocol, without having some of its contents on
HTTP - for example, having scripts uploaded online in an insecure (clear) - or
the user will be vulnerable to certain attacks and subjected to surveillance.
Also having only a certain web page of a site that contains sensitive
information (such as a log-in page) under HTTPS protocol, but having the
rest of the website loaded on the HTTP protocol in plaintext, will expose the
user to possible attacks. On a website that has sensitive information
somewhere on it, whenever the site is accessed in HTTP instead of HTTPS,
the user and session will be exposed on the network. Likewise, cookies on an
active website using the HTTPS protocol must have the protection attribute
enabled.
URLs of the HTTPS protocol start with https: // and use port 443 by default,
while HTTP URLs begin with http: // and use port 80. HTTP is not encrypted
and is vulnerable to man-in-the-attacks middle and eavesdropping, which can
allow attackers to gain access to sensitive website accounts and edit web
pages to inject malware or malicious advertising into them. HTTPS is
designed to withstand these attacks and is considered secure against them
(with the exception of the more deprecated and deprecated versions of the
SSL protocol).
Network levels
HTTPS operates at the highest level of the TCP / IP model, the application
level; as does the TLS security protocol (acting as a lower layer of the same
layer). In practice, between the TCP and HTTP interfaces (transparently to
the user) an encryption / authentication level such as the Secure Sockets
Layer (SSL) or the Transport Layer Security (TLS) which encrypts the HTTP
message before transmission and decrypts the message once arrived at its
destination. Basically, an encrypted communication channel is created
between the client and the server through an exchange of certificates; once
this channel is established, the HTTP protocol for communication is used
within it. Strictly speaking, HTTPS is not actually considered a protocol
separate from HTTP, but refers precisely to the use of the latter through an
SSL / TLS encrypted connection. This type of communication ensures that
only the client and the server are able to know the content of the
communication. Everything in the HTTPS message is encrypted, including
the headers and the request / response load of the message. With the
exception of the possible CCA cryptographic attack described in the next
"Limits" section, the attacker can only know that a connection between the
two communicating parties has occurred and can know their domain names
and IP addresses.
Acquisition of certificates
Access control
The system can also be used to authenticate the client in order to restrict
access to the web server to authorized users only. To do this, the site
administrator typically creates a certificate for each user, which is loaded into
the users browser. Normally, it contains the name and e-mail address of the
authorized user and is automatically checked by the server each time it is
reconnected to verify the user's identity, potentially without entering the
password.
Functioning
Limitations
The SSL / TLS protocol is available with two options, simple and mutual. In
the simple version, only the server is responsible for ensuring the security of
communication. The mutual version is more secure, but requires the user to
install a personal client certificate within their browser in order to
authenticate itself. Whatever strategy is used (simple or mutual), the level of
protection strongly depends on the correctness of the implementation of the
web browser, the server software and the actual cryptographic algorithms
supported. SSL / TLS does not prevent the entire site from being indexed
using a web crawler, and in some cases the URI of the encrypted resource can
be inferred by knowing only the size of the intercepted request / response.
This allows an attacker to have access to the unformatted text (the publicly
accessible static content) and the ciphertext (the encrypted version of the
static content), allowing a cryptographic attack. Because TLS operates under
the HTTP protocol and has no knowledge of the higher-level protocols, TLS
servers can strictly present only one certificate for a particular combination of
port and IP address. This means that in most cases it is not possible to use
name-based virtual hosting with HTTPS. There is a solution called Server
Name Indication (SNI) that sends the host name to the server before
encrypting the connection, although many older browsers do not support this
extension. Support for SNI is available starting from: Firefox 2, Opera 8,
Safari 2.1, Google Chrome 6 and Internet Explorer 7 on Windows Vista.
From an architectural point of view:
0. An SSL / TLS connection is managed by the first visible machine
that starts the TLS connection. If, for some reason, (routing, traffic
optimization, etc.), this machine is not the application server and must
decrypt the data, solutions must be found to propagate the user
authentication information or the application server certificate, who
must know who is going to connect.
0. For the SSL / TLS version with mutual authentication, the SSL / TLS
session is managed by the first server that initiates the connection. In
situations where encryption needs to be propagated along a server
chain, managing session timeout becomes complicated to implement.
0. With the mutual version of SSL / TLS, security is maximum, but on
the client side there is no way to properly terminate the SSL / TLS
connection and disconnect the user, except wait until the server session
session expires or all connected client applications.
A sophisticated type of man-in-the-middle attack called SSL stripping was
presented at the 2009 Blackhat conference. This type of attack overcomes the
security provided by the HTTPS protocol by changing the link https: in an
http link: taking advantage of the fact that some Internet users actually type
"https" from their browser interface: they reach a secure site by clicking on a
link, and are therefore tricked into thinking about using HTTPS when they
are actually using HTTP. The attacker then communicates in clear with the
client. This led to the development of an HTTP countermeasure called HTTP
Strict Transport Security (HSTS). In May 2010, an article written by
researchers at Microsoft Research and the University of Indiana revealed that
detailed sensitive user data can be derived from side / marginal channels such
as packet size. More specifically, the researchers found that an eavesdropper
can deduce the diseases / medicines / user surgeries, their family income and
their investment secrets, despite the HTTPS protection present in the various
high profile and better web applications. in the field of health, taxation,
investment and web research. In June 2014, a team of researchers from the
University of California, Berkeley and Intel led by Brad Miller, demonstrated
a generalized approach to HTTPS traffic analysis based on machine learning.
The researchers demonstrated this attack applied to a range of websites,
including Mayo Clinic, Planned Parenthood and YouTube. The attack
assumes that the attacker is able to visit the victim's own web pages to collect
information on network traffic that acts as data training. The attacker
subsequently is able to identify similarities in the size and ordering of the
package between the victim's traffic and the data training traffic that allows
the attacker to frequently infer the exact webpage the victim is visiting. For
example, this attack could be used to determine if a user who is visiting the
Planned Parenthood website is looking for information on a preventive health
screening or an abortion. Note that the attack can not be used to find specific
user-specific values embedded in a web page. For example, many banks offer
web interfaces that allow users to view their current account balance. While
the attacker would be able to discover that the user is viewing a page
displaying the account balance, he would not be able to know the exact value
of the account balance or the account number of the users.
SSH
The Transport Layer Protocol is the first of the three levels of the SSH
protocol. It contains all the protocols and procedures used in the
establishment and creation of the encrypted client-server communication
channel. Within the Transport Layer server authentication, key exchange,
encryption, compression and integrity checking of packages are performed.
The level partly includes the session level and partly the level of presentation
of the ISO / OSI standard. The connection created normally uses the TCP / IP
protocol for communication at the network and transport level but is
theoretically independent of it. In the Transport Layer, the integrity of the
packets is checked, but the cases in which the packets of the connection are
lost are not handled, in such cases the session is terminated and must be
completely re-established. For these reasons, connection-oriented transport
protocols such as TCP are strongly recommended to prevent packet loss and
connection closure. Algorithm negotiation is one of the first steps in
establishing an SSH connection. In order to determine which algorithms to
use in the SSH connection, the client and server must exchange the list of
algorithms they support for the connection. The list contains all the available
algorithms in order of preference, the preference and the available algorithms
are determined by the configuration of the client and server software. Once
the list exchange is over, the protocols available on both machines are chosen
giving precedence to the higher algorithms in order of preference. If no
common algorithms are available between the machines, the connection is
terminated. After defining the algorithms to be used in the connection, one of
the most important steps is taken in establishing the secure communication
channel: the exchange of keys. In order to guarantee the security and privacy
of communication it is essential to establish algorithms for exchanging secure
keys, a security hole in the exchange of keys would compromise the entire
connection. Key negotiation takes place at the beginning of each connection,
to guarantee greater security the keys are generally renegotiated every hour or
every gigabyte of data transited in the connection. The most used key
exchange algorithms are:
0. Diffie-Hellman-group1-sha1
0. Diffie-Hellman-group14-sha1
The two algorithms used are variations of the Diffie-Hellman key exchange
algorithm in which a server certification system has been added using a host
key. Observing the algorithm identifier strings it is possible to deduce that
they only vary for the groupX term, this term defines the group used in
defining the Diffie-Hellman algorithm parameters, these groups are
documented in RFC3526. The Diffie-Hellman algorithm has been certified as
one of the safest key exchange methods on an unsafe communication channel
and is among the most used algorithms in the world. Due to the high number
of calculations necessary for the exchange of Diffie-Hellman keys, the RSA
algorithm can be used in older and less computational systems as well as
being less demanding in terms of computing power. Server authentication
serves to prevent a malicious user from "tampering" the server, by providing
the user credentials (spoofing from a man in the middle attack). For this
purpose, a pair of asymmetric keys is generated for each server. The private
key remains on the server. The public key must be known by the client, the
client can obtain the key of a server using public archives of the keys
available on the web or receiving it directly from the server during the first
connection. Authentication occurs during the exchange of Diffie-Hellman
keys, the server creates an encrypted message with its own private key and
sends it to the client, the client deciphers it with the server's public key
verifying the identity of the server, if decryption of the message, the client
proceeds with the establishment of the connection, otherwise it interrupts the
procedure. Since only the server should be aware of the private key, the client
is able to determine the identity of the server it is communicating with. Once
defined a secret key known exclusively by the client and the server, it is
possible to use a symmetric cryptographic protocol to encrypt the
communication between client and server. A symmetric cryptographic
algorithm allows the use of a single key to encrypt and decrypt information.
In a symmetric key algorithm the shared key must be defined before the
initialization of the connection using a method of communication of the
secure key that is performed using the Diffie-Hellman algorithm in the SSH.
The symmetric key algorithms guarantee a high standard of security and a
low cost in terms of computing power (unlike the asymmetric key algorithms
such as the RSA algorithm). The list of symmetric algorithms that can be
used by the SSH protocol includes:
0. 3des-cbc
0. blowfish-cbc
0. twofish256-cbc
0. twofish-cbc
0. twofish192-cbc
0. twofish128-cbc
0. aes256-cbc
0. AES192-cbc
0. aes128-cbc
0. serpent256-cbc
0. serpent192-cbc
0. serpent128-cbc
0. arcfour
0. idea-cbc
0. cast128-cbc
The most used algorithms are the AES and the 3DES present on practically
all the computers. It is possible to use a null encryption algorithm which in
fact does not perform any encryption operation, this choice is strongly
discouraged as it would make the whole communication insecure. After
having established the protocols to be used and after having exchanged keys
using the Diffie-Hellman protocol, it is possible to establish the encrypted
connection with the previously defined symmetric key algorithm. The SSH
protocol allows to apply algorithms of information compression to the flow
of data passing in the connection. Compression is now supported by the zlib
library. Information integrity checking is a process that verifies that the data
contained in a packet received from one of the two connection hosts matches
the data sent by the other machine. The process of control of the information
allows to identify possible errors in the sending phase and above all allows to
identify any replay attacks by computers outside the communication. The
MAC algorithms (Message Authentication Code) that can be used in the SSH
protocol are:
0. HMAC-sha1
0. HMAC-SHA1-96
0. HMAC-MD5
0. HMAC-MD5-96
The integrity check process is recommended but not required in an SSH
connection. The integrity check of the packets is carried out after defining the
secret key of the connection, before an integrity check can not be performed.
After creating a secure communication channel, the ssh protocol provides for
user authentication using methods defined in the User Authentication
Protocol. This level of the SSH protocol architecture includes the operations
required by the ISO / OSI standard for the session level. Public key
authentication is the most secure authentication method implemented in the
SSH protocol and must always be available on every server. This
authentication method is based on asymmetric cryptography. The asymmetric
cryptographic algorithm most used for key generation is RSA. To
authenticate, the client generates a public / private key pair using an
asymmetric encryption algorithm supported by the SSH protocol using the
ssh-keygen command. Generating the keys the user must transfer his public
key to the server where it is generally stored in a special file in the user's
home directory on the server; the private key is kept on the client and must
not be disclosed, to guarantee greater security it is possible to protect the
private key with a password (passphrase). The user can transfer his public
key to the server either through physical storage media or via the ssh-copy-id
command. The source server to verify the identity of the user exploits the
particular characteristics of the asymmetric cryptographic algorithms. During
the authentication phase the server generates a random string of 256 bits, the
digit using the user's public key and the encryption algorithm corresponding
to the key and sends it to the client. The client decrypts the message using its
private key and sends the hash of the received string to the server, if the client
string hash matches the hash of the server string the user is authenticated.
Only those who have the private key of the user are able to correctly decrypt
the encrypted server message, in this way the server is able to verify the
identity of the client. When authenticating with public keys, no password is
required for the user except when a passphrase has been applied to the private
key. Password authentication is the simplest authentication method supported
by the SSH protocol. The user provides a user name and password, the server
compares this data with the user database of the operating system. This
exchange takes place within an encrypted channel, so it is not at risk of
interception. Procedure:
A$ ⇒ B: SSH_MSG_USERAUTH_REQUEST, pappy, ssh-userauth,
keyboard-interactive
B$ ⇒ A: SSH_MSG_USERAUTH_INFO_REQUEST, pappy, password-
authentication, 1, "Enter Password"
A$ ⇒ B: SSH_MSG_USERAUTH_INFO_RESPONSE, 1, "love"
B$ ⇒ A: SSH_MSG_USERAUTH_SUCCESS.
To prevent brute force attacks, a DenyHosts or Fail2ban tool can be used.
The Connection Layer is the highest level of the SSH protocol, allows the
establishment of interactive terminals, execution of remote commands,
forwarding of connections and forwarding of X11 graphic applications. The
Connection Layer manages these functionalities by using multiple
communication channels passing through the same encrypted tunnel of the
Transport Layer. Each open interactive terminal and each connection
forwarded through the SSH connection can occupy a communication
channel. Since it is possible to establish multiple channels each channel has
an identification number, this number is used to distinguish packages
belonging to different channels allowing the SSH application to reconstruct
the different open communications through the encrypted tunnel. The
opening of a channel occurs when both parties agree on its creation, if one of
the two parties refuses the channel is not created. As long as one of the hosts
has not yet confirmed the opening of the channel, no package is authorized to
use this channel. Thanks to the extreme flexibility of the SSH protocol it is
possible to create encrypted tunnels able to carry arbitrary TCP sessions
inside the encrypted connection, to protect unsafe protocols from
interception, or to avoid routing limitations. This feature is called port
forwarding, and allows you to open a TCP socket on the client SSH (local
port forwarding) or on the server (remote port forwarding). Connections
received on this port are forwarded from the other end of the SSH connection
to a specified host and port. For example, with this command you connect to
host1, by forwarding port 10022 of the machine where we launch the ssh
client to port 22 of host2 through a secure channel between client and host1:
ssh host1 -L 10022:host2:22
While this connection is active, connecting to client port 10022 is redirected
to port 22 of host2.
X forwarding
The SSH File Transfer Protocol or SFTP is a network protocol that provides
data transfer and handling capabilities. It is typically used with the SSH-2
protocol that uses a secure file transfer, even if it is usable with any other
protocol. The SFTP protocol is different from SCP because the latter only
allows file transfer, while SFTP allows different operations on remote files.
Usually port 22 is used. It could therefore be considered as a remote file
system. The SFTP protocol itself does not provide either authentication or
security systems. The SSH version 2 protocol is therefore used as a SFTP
subsystem; the use of SSH version 1, together with SFTP, is not possible
because it does not support the concept of "subsystem". In fact, the client that
connects with SSH-1 must know the path of the SFTP server binaries. The
protocol has not yet become standard. However, the specifications for the
latest version of the protocol are documented, 6. The most used version,
however, is 3, which is implemented in the popular OpenSSH as SFTP
server.
Secure Copy Protocol