8 Authentication/Security Protocols Dr. Stephan Spitz [email protected] Applied IT Security Applied Cryptography
May 17, 2015
8 Authentication/Security Protocols
Dr. Stephan [email protected]
Applied IT Security
Applied Cryptography
8 Authentication/Security Protocols
• Applied Cryptography
• System Security
• Firewalls and Intrusion Detection Systems
• Authentication Protocols
• Encryption and digital Signatures in topical Applications
• Public Key Infrastructures
• Security Threats on Networks
• Overview & Basics• Network Protocols and the Internet
• Operating Systems and Applications
• Software Development & IT Security
• Use of Cryptographic Libraries and Devices
• Building Secure IT Systems
• The Future of IT Security
• Operating System Security
8 Authentication/Security Protocols
Today
• Applied Cryptography
• System Security
• Firewalls and Intrusion Detection Systems
• Authentication Protocols
• Encryption and digital Signatures in topical Applications
• Public Key Infrastructures
• Security Threats on Networks
• Overview & Basics• Network Protocols and the Internet
• Operating Systems and Applications
• Software Development & IT Security
• Use of Cryptographic Libraries and Devices
• Building Secure IT Systems
• The Future of IT Security
• Operating System Security
8 Authentication/Security Protocols
Overview Authentication and Security Protocols
• Application Layer Security
• SSL / TLS / HTTPS / SSH / SMIME
• SSL in Detail
• Network and Transport Layer Security• Virtual Private Networks
• IPSec
• Internet Key Exchange
• Wireless Protocol Security• Wireless Security Protocols
• Bluetooth Security
• UMTS Security
• Example: Apache and SSL
8 Authentication/Security Protocols
Protocol Layers
Data Link Layer
Transport Layer
Network Layer
Application Layer
Ethernet, Token Ring, ATM, PPP, GPRS
Package Transmission onphysical media
Routing, Adressing of packages
Connetion-oriented, connectionlesstransport service for applications
Internet Protocol (IP)
Transmission Control Protocol (TCP), UDP, ICMP (Internet Control Message Protocol) for debugging
Services for applications (E-Mailclients and server, WWW-Server),name resolution (DNS)
SMTP, HTTP, SNMP, FTP, SOAP, etc.
SOCKET INTERFACESSL/TLS
IPSec Transport Layer
IPSec Network Layer (Tunnel)
L2TP, PPTP
WEP, EAP
8 Authentication/Security Protocols
Network Layer Security (Tunnel)
Data Link Layer
Transport Layer
SecurityenhancedNetwork
Layer
Application Layer
Data Link Layer
Transport Layer
Application LayerApplication Data
Transport Payload
Network Payload in a Secure Tunnel
Data Link Payload
SecurityenhancedNetwork
Layer
Protected communication in an open network between securesystems e.g. firewalls, router
•
8 Authentication/Security Protocols
Transport Layer Security
Data Link Layer
Securityenhanced
Transport Layer
NetworkLayer
Application Layer
Data Link Layer
Securityenhanced
Transport Layer
Application LayerApplication Data
Secured Packet Transport
Network Payload
Data Link Payload
Communication inside a secure network with protectedtransport payload (AH or ESP)
•
NetworkLayer
8 Authentication/Security Protocols
Virtual Private Networks (VPN)
A process called „Tunneling“ enables the virtual part of a VPN. There are two tunneling protocols:
PPTP Point to Point Tunneling Protocol
L2TP Layer 2 Tunneling Protocol
•
The basic VPN functionality is the provision of authentication, access control, confidentiality and data integrity
•
IPSec security services keep the VPN (transport, network)payload private (optionally), integer and authenticated:
IPSec AH Authentification Header
IPSec ESP Encapsulating Security Payload
•
8 Authentication/Security Protocols
IPSec
IPSecHeader
Original Packet (AH, optionally kept secret with ESP)
IP Header
TCP/UDP Header
ApplicationProtocol
IP Header
• Tunnel Mode (Network Layer Security)
IPSecHeader
Original Packet (AH, optionally kept secret with ESP)
TCP/UDP Header
ApplicationProtocol
IP Header
• Transport Mode (Transport Layer Security)
8 Authentication/Security Protocols
Tunneling
L2TP/PPTP Header
IP Header
ApplicationData
Layer 2 Media
Header
• Tunneling with L2TP or PPTP
Original Packet
• Combination of IPSec and L2TP
TCP/UDP Header
L2TP/PPTP Header
IP Header
ApplicationData
Layer 2 Media
Header
IPSecHeader
IP Header
TCP/UDP Header
Original Packet
8 Authentication/Security Protocols
IPSec Network View
IPSec Host
•Physical NWI (Network Interface)
•Logical NWI with IPSec IP inside VPN
IPSec Gateway
•Physical NWI, IP known in INTERNET•Logical NWI inside VPN•Physical NWI with IP known in LAN
Company LAN
INTERNET
8 Authentication/Security Protocols
Internet Key Exchange (IKE)
IKE is the alternative to manual key configuartion to … :
… agree between the communicating parties on protocols, algorithms and keys.
… ensure talking to the right person (authentication).
… secure key management and exchange
•
IKE = Security Association (SA)+Key Management Protocol (KMP)•
KMP can be done in …
… main mode i.e. DH-agreement with identity and nonces, keyderivation (deriv., auth., enc.) and identity prooving
… aggressive mode i.e. main mode without DH identity protection
… quick mode inside a SA
•
8 Authentication/Security Protocols
Application Layer Security
Data Link Layer
Transport Layer
NetworkLayer
Application Layer
Data Link Layer
Transport Layer
Application Layer
Authenticated and privacy protected Application Data
Transport Payload
Network Payload
Data Link Payload
Communication on application level is secured by cryptography•
NetworkLayer
SSL/TLS/SSH SSL/TLS/SSH
8 Authentication/Security Protocols
Overview
HTTPS: HTTP over TLS/SSL•
TLS: Transport Layer Security eq. SSL (SSL 3.0 = TLS 1.0)•
SSL: Secure Socket Layer = Application level security built on the socket interface to support security in ftp, telnet, http, etc.
•
SSH: Secure Shell supports authenticated and encrypted remotesystem logins also based on the socket interface (it´s a programand a protocol)
•
SMIME: Secure MIME (Multipurpose Internet Mail Extensions ) format for secure email exchange based on PKCS#7
•
8 Authentication/Security Protocols
SSL History
SSL V3.0 (1995)
• Bugfixes and new crypto algorithms
• Unlimited key length
SSL V1.0 (1993)
• Security on application level
• Developed by Netscape
SSL V3.1 TLS V1.0 (1999)
• Authentic mode only with message digest and without encryption
SSL V2.0 (1994)
• First implementation in Netscape Navigator
• Limitation on 40 bit keys
8 Authentication/Security Protocols
SSL HandshakeServerClient
Client Hello (ID, RND1, CipherSuite)
Server Hello (ID, RND2, CipherSuite)
Certificate
Certificate Request
Hello Done
ClientKeyExchange ( )Enc PubKey Server
Certificate
Certificate Verify ( )Enc PrivKey Client
ChangeCiperSpec/Finished ( )Enc SessionKey
ChangeCiperSpec/Finished (Enc SessionKey)
8 Authentication/Security Protocols
SSL Communication
SSL Record Layer
• Complete division of SSL Handshake and Record Layer Communication
• Record Layer provides encrypted communication (handshake keys!)
• Integrity of data is ensured by adding message digest
• Sequence counters ensure connection orientation on SSL level
• Fragmentation support for encrypted SSL records
• Bandwith reduction due to compression in SSL records
8 Authentication/Security Protocols
Programming with SSL-Sockets
Server side :
Step 1-3 is like the client side without connect()
Client side :
2. Open socket socket() and connect to server connect()
3. Connect Unix socket and SSL data SSL_ste_fd()
5. Write and read data on SSL socket SSL_write(), SSL_read()
4. Start SSL handshake with SSL_connect()
1. Define socket parameters in SSL_struct
4. Wait on client request listen() and accept it accept()
5. Read the private server key SSL_use_RSAPrivateKey()
6. Select the server certificate again with SSL_use_RSAPrivateKey()
7. After SSL_connect() read and write data to client
8 Authentication/Security Protocols
Resistance of SSL against Attacks
IP Spoofing
Replay attack
Man-in-the-Middle attack
Encrypted sequence numbers in SSL record layer prevent replayof „old“ SSL-Records.
•
Random numbers inside SSL handshake prevent replay of handshake
•
Dynamic key agreement via challenge response technique in SSL handshake
•
IP packages with faked source IP can not be prevented, becauseSSL provides no security for the network and the transport layer
•
8 Authentication/Security Protocols
Security in Wireless Protocols
WEP (Wired Equivalent Privacy) and EAP (Extensible AuthenticationProtocol) security in Wireless LANs according to IEEE 802.1x
Bluetooth security architecture (three secure modes), authentification/key negotiation and encryption
•
•
General Security Aspects in Wireless LANs according to IEEE 802.1x•
8 Authentication/Security Protocols
General WLAN Security Aspects
Denial of service attacks based on jamming in the 2.4 GHz band orthe 5 GHz band are possible
•
Wireless LAN access point detection (war driving) via Netstumbler/ Ministumbler or SSIDsniff; sniffing via CENiffer, Kismet, Ethereal
•
Secure Configuration:
Don´t use default SSID (Service Set Identifier i.e. WLAN Name)
Enable Hidden SSID (connection only with clients knowing SSID)
Limit access only to certain MACs (be careful MAC can be faked!)
Enable WEP and use EAP authentication
•
8 Authentication/Security Protocols
Wired Equivalent Privacy (WEP)
WEP defines a simple stream cipher based on an RC4 pseudorandom generator seeded by an initialisation vector and the key.
•
Wired Equivalent Privacy (WEP) is defined in IEEE 802.11Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Spec.
•
WEP weaknesses have been announced by Fluhrer, Mantin and Shamir in 2001; meanwhile cracks are available (Airsnort, WEPCrack) based on:
IV is first transmitted as plain text and only 24 bit (after224 packets the key is repeated simple crypto analysisbased on autocorrelation)
Seed must not be used twice, which is often practiced, because of repetition of IV or using 0 as IV for the firstpacket
•
8 Authentication/Security Protocols
Extensible Authentication Protocol (EAP)
RFC 2284 defines the PPP Extensible Authentication Protocol (EAP) for embedding authentication in other protocols like WEP.
•
There are different ways for authentication:
EAP-MD5 provides a username, password authentication, not advisable with the weaknesses of WEP encryption
EAP-TLS uses an asymmetric challenge-responseauthentication based on X.509 certificates
EAP-TLS SSL-Handshake without client certificatetransmission
EAP-SIM authentication based on mobile phones SIM (Subscriber Identity Module)
•
8 Authentication/Security Protocols
Bluetooth Security
Bluetooth defines three modes Non Secure, Service Level EnforcedSecurity and Link Level Enforced Security and offers authenticationand encryption services.
•
Bluetooth symmetric authentication steps:
1. Link Key negotiation based on Unit Key (fixed) or Combination Key
2. Challenge-response system authentication based on Link Key
3. Encryption key derivation based on Link Key, random numberand a Ciphering Offset
•
Bluetooth encryption is based on a non „state of the art“ streamchipher using linear feedback shift registers (LFSR) with max. 128bit key length.
•
8 Authentication/Security Protocols
Concerns on Bluetooth Security
Usage of fixed Unit Key for authentication and key derivationcauses security problems and narrows variety of authenticationand encryption keys.
•
The quality of the pseudo random number generators can be veryweak concerning different implementations.
•
Cryptanalysis already reduced the complexity of the used streamcipher from 2128 (Brute Force) to 266.
•
Security depends on the knowledge of one PIN (personal identification number), because the random challenge and bluetooth adresses are known.
•