Академический Документы
Профессиональный Документы
Культура Документы
Lecture 3:
Real-World Protocols
Professor Wayne Patterson
Howard University
Spring 2009
Real-World Protocols
Next, well look at specific protocols
SSL security on the Web
IPSec security at the IP layer
Kerberos symmetric key system
GSM mobile phone (in)security
Socket layer
Socket layer
lives between
application and
transport
layers
SSL usually
lies between
HTTP and TCP
Socket
layer
application
User
transport
OS
network
link
NIC
physical
4
What is SSL?
SSL is the protocol used for most secure
transactions over the Internet
For example, if you want to buy a book at
amazon.com
You want to be sure you are dealing with Amazon
(authentication)
Your credit card information must be protected in
transit (confidentiality and/or integrity)
As long as you have money, Amazon doesnt care
who you are (authentication need not be mutual)
5
protected HTTP
Bob
h(msgs,SRVR,K)
Data protected with key K
Bob
S is pre-master secret
K = h(S,RA,RB)
msgs = all previous messages
CLNT and SRVR are constants
7
SSL Keys
6 keys derived from K = hash(S,RA,RB)
2 encryption keys: send and receive
2 integrity keys: send and receive
2 IVs: send and receive
Why different keys in each direction?
SSL Authentication
Alice authenticates Bob, not vice-versa
How does client authenticate server?
Why does server not authenticate client?
Alice
RA
certificateT, RB
{S1}Trudy,E(X1,K1)
h(Y1,K1)
E(data,K1)
Trudy
RA
certificateB, RB
{S2}Bob,E(X2,K2)
h(Y2,K2)
E(data,K2)
Bob
SSL Connection
session-ID, cipher list, RA
session-ID, cipher, RB,
h(msgs,SRVR,K)
h(msgs,CLNT,K)
Alice
Protected data
Bob
12
SSL vs IPSec
IPSec
13
SSL vs IPSec
IPSec implementation
Requires changes to OS, but no changes to applications
SSL implementation
Requires changes to applications, but no changes to OS
IPSec
15
SSL
IPSec
application
User
transport
OS
network
link
NIC
physical
16
Flawed
Some serious security flaws
Complex
Did I mention, its complex?
17
ESP/AH
ESP: Encapsulating Security Payload for
encryption and/or integrity of IP packets
AH: Authentication Header
integrity only
18
IKE
19
IKE
IKE has 2 phases
Phase 1
Phase 2
IKE Phase 1
Four different key options
Public key encryption (original version)
Public key encryption (improved version)
Public key signature
Symmetric key
IKE Phase 1
Well discuss 6 of 8 phase 1 variants
Public key signatures (main and aggressive
modes)
Symmetric key (main and aggressive modes)
Public key encryption (main and aggressive)
IKE Phase 1
Uses ephemeral Diffie-Hellman to establish
session key
Achieves perfect forward secrecy (PFS)
23
Alice
IC,RC, gb mod p, RB
IC,RC, E(Alice, proofA, K)
IC,RC, E(Bob, proofB, K)
Bob
24
IC,RC, proofA
Bob
Alice
IC,RC, gb mod p, RB
IC,RC, E(Alice, proofA, K)
IC,RC, E(Bob, proofB, K)
Bob
27
IC,RC, proofA
Bob
Alice
IC,RC, E(proofA, K)
IC,RC, E(proofB, K)
Bob
30
IC,RC, proofA
Bob
31
Trudy
as Bob
IC,RC, proofA
Plausible Deniability
Trudy can create conversation that appears
to be between Alice and Bob
Appears valid, even to Alice and Bob!
A security failure?
In this mode of IPSec, it is a feature
Plausible deniability: Alice and Bob can deny
that any conversation took place!
IKE Phase 2
Phase 1 establishes IKE SA
Phase 2 establishes IPSec SA
Comparison to SSL
SSL session is comparable to IKE Phase 1
SSL connections are like IKE Phase 2
37
IKE Phase 2
IC,RC,CP,E(hash1,SA,RA,K)
IC,RC,CS,E(hash2,SA,RB,K)
Alice
IC,RC,E(hash3,K)
Bob
38
IPSec
After IKE Phase 1, we have an IKE SA
After IKE Phase 2, we have an IPSec SA
Both sides have a shared symmetric key
Now what?
We want to protect IP datagrams
39
IP Review
IP datagram is of the form
IP header
data
Where IP header is
40
IP and TCP
Consider HTTP traffic (over TCP)
IP encapsulates TCP
TCP encapsulates HTTP
IP header
data
IP header
IP header ESP/AH
data
ESP/AH
IP header data
Host-to-host
IP header data
Tunnel Mode
IP header ESP/AH
data
Tunnel Mode
IP header data
new IP hdr
ESP/AH
Transport Mode
Firewall-to-firewall
Transport mode
not necessary
Transport mode is
more efficient
IP header data
44
IPSec Security
What kind of protection?
Confidentiality?
Integrity?
Both?
What to protect?
Data?
Header?
Both?
AH vs ESP
AH
Authentication Header
Integrity only (no confidentiality)
Integrity-protect everything beyond IP header and
some fields of header (why not all fields?)
ESP
Encapsulating Security Payload
Integrity and confidentiality
Protects everything beyond IP header
Integrity only by using NULL encryption
46
Kerberos
51
Kerberos
In Greek mythology, Kerberos is 3-headed dog
that guards entrance to Hades
Wouldnt it make more sense to guard the exit?
Kerberos KDC
Kerberos Key Distribution Center or KDC
Acts as a TTP
TTP must not be compromised!
KDC shares symmetric key KA with Alice, key KB
with Bob, key KC with Carol, etc.
Master key KKDC known only to KDC
KDC enables authentication and session keys
Keys for confidentiality and integrity
In practice, the crypto algorithm used is DES
54
Kerberos Tickets
KDC issues a ticket containing info needed to
access a network resource
KDC also issues ticket-granting tickets or
TGTs that are used to obtain tickets
Each TGT contains
Session key
Users ID
Expiration time
55
Kerberized Login
Alice enters her password
Alices workstation
Derives KA from Alices password
Uses KA to get TGT for Alice from the KDC
Kerberized Login
Alice wants
a TGT
Alices
password
Alice
E(SA,TGT,KA)
Computer
KDC
Talk to Bob
REPLY
Alice
Computer
KDC
Bob
Kerberos
Session key SA used for authentication
Can also be used for confidentiality/integrity
Timestamps used for mutual authentication
Recall that timestamps reduce number of
messages
Acts like a nonce that is known to both sides
Note: time is a security-critical parameter!
60
Kerberos Questions
When Alice logs in, KDC sends E(SA,TGT,KA)
where TGT = E(Alice,SA,KKDC)
Q: Why is TGT encrypted with KA?
A: Extra work and no added security!
Kerberos Alternatives
Could have Alices workstation remember
password and use that for authentication
Then no KDC required
But hard to protect password on workstation
Scaling problem
Kerberos Keys
In Kerberos, KA = h(Alices password)
Could instead generate random KA and
Compute Kh = h(Alices password)
And workstation stores E(KA, Kh)
GSM Security
64
Cell Phones
First generation cell phones
Analog, few standards
Little or no security
Susceptible to cloning
Third generation?
3rd Generation Partnership Project (3GPP)
65
Visited
Network
Base
Station
AuC
VLR
land line
Base
Station
Controller
PSTN
Internet
Etc.
HLR
Home
Network
66
SIM
67
Home network
69
Authentication
Necessary for proper billing
Very important to phone company!
Confidentiality
Confidentiality of calls over the air interface
Not important to phone company
May be very important for marketing!
70
GSM: Anonymity
IMSI used to initially identify caller
Then TMSI (Temporary Mobile Subscriber
ID) used
TMSI changed frequently
TMSIs encrypted when sent
Not a strong form of anonymity
But probably sufficient for most uses
71
GSM: Authentication
Caller is authenticated to base station
Authentication is not mutual
Authentication via challenge-response
Home network generates RAND and computes
XRES = A3(RAND, Ki) where A3 is a hash
Then (RAND,XRES) sent to base station
Base station sends challenge RAND to mobile
Mobiles response is SRES = A3(RAND, Ki)
Base station verifies SRES = XRES
GSM: Confidentiality
Data encrypted with stream cipher
Error rate estimated at about 1/1000
Error rate too high for a block cipher
Encryption key Kc
Home network computes Kc = A8(RAND, Ki),
where A8 is a hash
Then Kc sent to base station with (RAND,XRES)
Mobile computes Kc = A8(RAND, Ki)
Keystream generated from A5(Kc)
GSM Security
1. IMSI
2. IMSI
4. RAND
Mobile
3. (RAND,XRES,Kc)
5. SRES
6. Encrypt with Kc
Home
Network
Base
Station
74
Base
Station
VLR
Base
Station
Controller
76
No
encryption
Call to
destination
Fake
Base Station
Base Station
GSM Conclusion
Did GSM achieve its goals?
Eliminate cloning? Yes
Make air interface as secure as PSTN? Perhaps
But design goals were clearly too limited
Protocols Summary
Generic authentication protocols
Protocols can be very subtle!
SSL
IPSec
Kerberos
GSM
81
Coming Attractions
Software and security
Software flaws buffer overflow, etc.
Malware viruses, worms, etc.
Software reverse engineering
Digital rights management
OS and security
Microsofts NGSCB
82