COMP3123 Internet Security
Richard Henson
University of Worcester
October 2010
Dec 19, 2015

Week 3: Cryptography, Securing the Internet, & the PKI
Objectives:
- Explain the intended purpose of the various components that make up the PKI and allow secure internetwork communications
- Explain what Kerberos Authentication is, and how Kerberos can be used to securely authenticate users on remote networks
- Apply principles of public-private key encryption and digital signatures to obtain a digital certificate via Internet and then use the PKI to send/receive encrypted messages

The Need for a Secure Architecture
- As discussed last week: the Internet was designed to be an “open” system
  - anyone with a little knowhow can read email/http communications…
  - no-one should therefore even think of asking people to send credit card details without using encryption
  - just as no-one (hopefully…) would leave their credit card details on someone's voicemail!
- For secure data transfer, PKE (public key encryption) of email sent through the Internet became an attractive option

The PKI (Public Key Infrastructure)
- Developed in late 1990s through IETF; shared as RFCs
- Essential to provide support for Internet encryption techniques as demand for services increased:
  - e.g. the distribution & identification of public keys
- PKI is made up of:
  - Digital Signatures
  - Digital Certificates (DC)
  - Certificate Authorities (CA)
  - Repository for digital certificates
  - Authentication across networks
- RFCs included contributions from the first CA – Verisign
  - #2459 in February 1999: v1 digital certificates; v1 revocation lists

Digital Certificates (or Digital IDs)
- To support secure email, the PKI needed a way to ensure that the public key belongs to the entity to which the certificate was issued
- Verisign provided this through the digital certificate:
  - the public key
  - information about the algorithms used
  - owner or subject data
  - the digital signature of a Certificate Authority that has verified the subject data
  - a date range during which the certificate can be considered valid

Providing Digital Certificates
- IETF/Verisign agreed DCs should be made available via the www
- IETF decided to use Directory Services compliant with the OSI X500 standard
  - result: LDAP (Lightweight Directory Access Protocol)
  - problem: the LDAP fields were not right for the Internet…
- Developments (starting 1995) carefully controlled as RFCs:
  - RFC1777 – defined LDAP
  - RFC2585 – http accessible repository for certificates
  - RFC2587 – perfected X509 schema for LDAP v2
  - RFC2251 – defined LDAP v3
  - RFC2256 – X509 schema for LDAP v3…
    - still not complete: issues with authentication
- Final Agreement (year 2006)
  - RFC 4510 – technical spec and roadmap for LDAP v3

Crucial Role of the Digital Certificate
- Without certificates, it would not be possible to
  1. create a new key pair
  2. distribute the public key, claiming that it is the public key for almost anyone
- Data could be sent encrypted with the private key and the public key would be used to decrypt the data…
  - but there would be no assurance that the data was originated by anyone in particular
  - all the receiver would know is that a valid key pair was used…

PKI & Certificate Authorities
- Certificate Authority (CA)
  - guarantees that the individual granted the unique certificate is, in fact, who he or she claims to be
  - guarantees that the two parties exchanging information are really who they claim to be
- CAs are “trusted” (e.g. banks) third-party organizations that issue digital certificates used to create digital signatures and public-private key pairs
  - contrast with PGP “web of trust”
- This means that the CA must have an arrangement with a financial institution that provides it with information to confirm an individual's claimed identity
- CAs are, and were intended to be, a critical component in the secure transfer of information & electronic commerce

The Four Types of Digital Certificate…
- Personal Certificates
- Server Certificates
- Software publisher Certificates
- Certificate Authority certificates

Personal Certificates
- Identify individuals
- Authenticate users with a server, or to enable secure e-mail using S/MIME
- If a Windows password list file (.pwl) becomes damaged or missing:
  - the personal certificate is not available for use
  - you may therefore receive an error message when you try to send e-mail!
- It is the responsibility of the user to back up this file so passwords can be recovered
- Microsoft offered encryption for this file as far back as Windows 95 & 98 systems!

Server Certificates
- Identify servers that participate in secure communications with other computers…
  - using secure communication protocols such as SSL (secure sockets layer)
- Allow a server to verify its identity to clients
- Follow the X.509 certificate format
  - As defined by the Public-Key Cryptography Standards (PKCS)

Software Publisher Certificates
- Used to sign software that will be distributed over the Internet
- Internet browsers are capable of trusting software that is signed with a publisher's certificate
- Example:
  - Microsoft use a system called Authenticode
  - requires a software publisher certificate to sign Microsoft ActiveX and other compiled code
  - Authenticode does not guarantee that signed code is safe to run, but rather informs the user whether or not the publisher is participating in the infrastructure of trusted publishers and CAs
- Trusted software publishers appear in a list provided in Internet Explorer

Root (class 1) Certificate Authorities
- Trusted organisations set up specifically for the purpose of awarding digital certificates
  - e.g. Verisign
- Usually associated with banks, or credit card companies, who can reliably authenticate the name of anyone requesting a digital certificate

Root and Intermediate Certification Authorities & their certificates
- Root certificates are self-signed…
  - subject of the certificate is also the signer of the certificate
- Root CAs can also assign certificates for “Intermediate Certification Authorities”
- The hierarchy can continue downwards:
  - Intermediate Certification Authorities can issue:
    - server certificates
    - personal certificates
    - publisher certificates
    - certificates for other Intermediate Certification Authorities…

Verisign Digital Certificates
- Included “by default” with Internet Explorer
- Issued and signed by the Class 1 Public Primary Certificate Authority, and therefore root certificates
- Intermediate Certification Authorities option also available:
  - listed as "VeriSign Class 1 CA"
    - means that Verisign (as Root certificate authority) issued these certificates
    - created for the purpose of issuing and validating personal digital certificates
  - if a person has obtained a Class 1 personal digital certificate from VeriSign, it will be issued by one of these Intermediate CAs

Verification Chains
- The system of root and intermediate certificate authorities creates what is known as a verification chain
  - root authority is always at the top
  - could be a number of intermediate authorities
  - verification chains can contain a large number of certificates depending upon the number of intermediates in the chain

How a Certificate Is Issued - 1
- Key Generation
  - The person requesting certification sets the process in motion that will automatically generate key pairs of public and private keys
- Matching of Policy Information
  - anyone requesting a CA is required to send additional information requested by the CA to issue the certificate, before the certificate is generated
    - tax ID number
    - e-mail address
    - etc…

How a Certificate Is Issued - 2
- Verification of Information
  - The CA applies whatever policy rules it requires in order to verify the information gathered
  - If verification is successful…
- Public Keys and Information is sent (often encrypted using the CA's public key) to the CA
  - the CA may wish to make it available on the Internet through a repository
  - a process then begins whereby the applicant should receive their certificate

How a Certificate Is Issued - 3
- Certificate Creation
  - The CA creates a digital document with the appropriate information (public keys, expiration date, and other data) and signs it using the CA's private key
- Sending/Posting of Certificate
  - The CA may email the certificate to the applicant, or post it publicly as appropriate
  - The certificate is installed on the individual's computer

Certificate Revocation
- Typical reasons:
  - The certificate holder's private key may have been compromised
  - false information may have been used to apply for the certificate
- CAs publish certificate revocation lists (CRLs) containing certificates that have been revoked by the CA
  - provide a way of withdrawing a certificate after it has been issued
  - available for downloading or online viewing by client programs

Verifying a Certificate
- Verification of a certificate requires the public key of the CA and a check against the CRL published by that CA
  - certificates and CAs reduce the public-key distribution problem of verifying and trusting one (or more) public keys per individual
  - instead, only the CA's public key must be trusted and verified, and then that can be relied on to allow verification of other certificates

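The issuing step (the CA signs the certificate with its private key) and the verification step (walk the chain up to a trusted root, checking each signature, validity period and CRL) can be sketched as below. This is an added example, not part of the original slides: certificates are plain dictionaries rather than X.509, signatures are textbook RSA over small well-known primes, and every name, serial and date is constructed.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA from two known primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash every field except the signature, reduced into the signer's modulus."""
    body = repr(sorted((k, str(v)) for k, v in cert.items() if k != "sig"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, subject_n, issuer, issuer_key, serial, not_before, not_after):
    """CA step: build the certificate and sign it with the CA's private key."""
    n, d = issuer_key
    cert = {"subject": subject, "public_n": subject_n, "issuer": issuer,
            "serial": serial, "not_before": not_before, "not_after": not_after}
    cert["sig"] = pow(digest(cert, n), d, n)
    return cert

def verify_chain(chain, trusted_roots, crls, today):
    """chain[0] is the end-entity certificate, chain[-1] the self-signed root.
    trusted_roots maps root name -> modulus; crls maps issuer -> revoked serials."""
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["public_n"]:
        return False, "root not trusted"
    for i, cert in enumerate(chain):
        signer = chain[i + 1] if i + 1 < len(chain) else cert  # root signs itself
        if cert["issuer"] != signer["subject"]:
            return False, cert["subject"] + ": issuer mismatch"
        n = signer["public_n"]
        if pow(cert["sig"], E, n) != digest(cert, n):
            return False, cert["subject"] + ": bad signature"
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False, cert["subject"] + ": outside validity period"
        if cert["serial"] in crls.get(cert["issuer"], set()):
            return False, cert["subject"] + ": revoked"
    return True, "ok"

# Constructed sample hierarchy. The primes are Mersenne primes, far too small
# and too well known for real use; they only make the arithmetic runnable.
ROOT_KEY = make_key(2**107 - 1, 2**127 - 1)
INT_KEY = make_key(2**61 - 1, 2**89 - 1)
USER_N = (2**19 - 1) * (2**31 - 1)           # subject's public modulus
START, END = date(2010, 1, 1), date(2011, 1, 1)

ROOT = issue("Example Root CA", ROOT_KEY[0], "Example Root CA", ROOT_KEY, 1, START, END)
INTER = issue("Example Class 1 CA", INT_KEY[0], "Example Root CA", ROOT_KEY, 2, START, END)
USER = issue("alice@example.org", USER_N, "Example Class 1 CA", INT_KEY, 1001, START, END)

CHAIN = [USER, INTER, ROOT]
TRUSTED = {"Example Root CA": ROOT_KEY[0]}   # the only key the verifier trusts up front

if __name__ == "__main__":
    today = date(2010, 10, 1)
    print(verify_chain(CHAIN, TRUSTED, {}, today))
    print(verify_chain(CHAIN, TRUSTED, {"Example Class 1 CA": {1001}}, today))
    forged = dict(USER, subject="mallory@example.org")
    print(verify_chain([forged, INTER, ROOT], TRUSTED, {}, today))
```

The verifier starts with nothing but the root's public key; every other key it uses is taken from a certificate it has just checked.
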
Certificate Repository
- A system or collection of distributed systems that store digital certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities
- Covers the use of FTP and HTTP to obtain and download:
  - X509 Digital Certificates (recommend saved as .cer, but could also be .p7c)
  - CRLs (recommend saved as .crl) from PKI repositories

What is x509?
- PKI standard for managing digital certificate information, defined by RFC 2459
  - also integrated with the OpenSSL infrastructure
- OpenSSL consists of an “open source” implementation of:
  - SSL (secure sockets layer)
  - TLS (transport layer security)
- OpenSSL architecture can:
  - display certificate information
  - convert certificates to various forms
  - sign certificate requests like a "mini CA"
  - edit certificate trust settings

Logging On Remotely using Kerberos Authentication
- Kerberos was (is) a very clever system developed at MIT to support secure remote network logon
  - it became part of the PKI thanks to IETF support and RFC 1510
- It was subsequently adopted by Microsoft to provide authentication for remote Windows 2000 logons to support logon across domain trees and forests (RFC 3244)

The Kerberos System
- A number of components are needed:
  - Central coordination/distribution centre (KDC) as a “trusted centre”
  - Link between each participating network user (client) and the distribution centre for the sharing of secret keys
  - Shared secret key generation when a computer joins a domain
- Client-server trust can then be established
  - theory is that both parties (client and server) trust the KDC, so they trust each other!

Mechanism of Kerberos Authentication
- All based on the KDC
- Client requests valid logon credentials from KDC
  - NOT the server it is logging on to!
- Logon info provides the KDC with username/password client-ID info and the domain that it is requesting to log on to

Role of the KDC
- Looks up secret keys of both client and server that client is trying to log on to
- Then creates a “ticket” containing
  1. expiration time, determined by the security policy
  2. random session key
  3. current KDC time
  4. the SID – secure identifier
- The ticket is then encrypted using the client's secret key

Role of the KDC
- The KDC then creates a second “session ticket” containing:
  - the session key
  - optional further authentication data that is encrypted with the server's key
- Both tickets are transmitted to the client (server doesn't even need to be involved – only a valid client can encrypt the ticket anyway!)

Client-Server Communication
- Once the client has a valid ticket and session key for a server, it can communicate directly with that server
- To do this, the client constructs an authenticator:
  - Client's name
  - Optional checksum
  - Randomly generated number/session subkey
  - Encrypted using the session key, and transmitted with the session ticket
- Authenticators can only be used once

Server actions
- When the ticket is received:
  - Decrypts session ticket using the server's shared secret key
  - Retrieves the session key
  - Uses this to decrypt the authenticator – and prove that it was received from the KDC using the shared secret key
- Authenticator proves that the key is recent and not a replay attack

Diagram of a KDC system: client-side
[Diagram labels: client; KDC; SERVER; Request for ticket; Retrieve secret key for client & server; Create ticket; Encrypt ticket with client's secret key; Create session ticket & encrypt with server key; ticket; Generate authenticator & encrypt using session key]

Diagram of a KDC system: server-side
[Diagram labels: CLIENT; KDC; server; ticket & authenticator; Decrypt session ticket using server secret key; Decrypt authenticator using session key; Validate authentication; Grant access, service requests]

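The ticket exchange described on the preceding slides, as an added example that is not part of the original slides. The cipher is a standard-library stand-in (SHA-256 keystream with an HMAC tag), and the principal names, the SID value, and the client name and expiry placed inside the session ticket are assumptions.

```python
# Added illustration; keys, names and the cipher are constructed stand-ins.
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Stand-in for the real cipher: SHA-256 keystream plus an HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, lifetime=600):
        self.keys, self.lifetime = {}, lifetime      # principal name -> secret key

    def register(self, name):
        """Shared secret created when a machine or user joins the domain."""
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def request_ticket(self, client, server, now):
        session_key = os.urandom(32).hex()
        ticket = {"expires": now + self.lifetime, "session_key": session_key,
                  "kdc_time": now, "sid": "S-constructed-" + client}
        # Assumption: client name and expiry are the "further authentication data".
        session_ticket = {"session_key": session_key, "client": client,
                          "expires": now + self.lifetime}
        return seal(self.keys[client], ticket), seal(self.keys[server], session_ticket)

def make_authenticator(client, session_key, now):
    body = {"client": client, "time": now, "subkey": os.urandom(16).hex()}
    return seal(bytes.fromhex(session_key), body)

class Server:
    def __init__(self, key):
        self.key, self.seen = key, set()             # seen = replay cache

    def accept(self, session_ticket, authenticator, now):
        try:
            st = unseal(self.key, session_ticket)
            auth = unseal(bytes.fromhex(st["session_key"]), authenticator)
        except ValueError:
            return "rejected: cannot decrypt"
        if now > st["expires"]:
            return "rejected: ticket expired"
        if auth["client"] != st["client"]:
            return "rejected: client mismatch"
        if authenticator in self.seen:
            return "rejected: replayed authenticator"
        self.seen.add(authenticator)
        return "access granted to " + auth["client"]

def demo(now=1_000_000):
    kdc = KDC()
    alice_key, server_key = kdc.register("alice"), kdc.register("fileserver")
    server = Server(server_key)
    ticket, session_ticket = kdc.request_ticket("alice", "fileserver", now)
    session_key = unseal(alice_key, ticket)["session_key"]   # only alice's key opens it
    auth = make_authenticator("alice", session_key, now)
    late = make_authenticator("alice", session_key, now + 9999)
    return [server.accept(session_ticket, auth, now),
            server.accept(session_ticket, auth, now + 1),     # captured and resent
            server.accept(session_ticket, late, now + 9999),  # ticket lifetime over
            Server(os.urandom(32)).accept(session_ticket, auth, now)]  # wrong server

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The server never contacts the KDC: possession of its own secret key is enough to open the session ticket, and the replay cache is what enforces single use of an authenticator.
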
Revision of Domain Relationships (NT)
- Covered in COMP2122
- Windows NT domains (pre-W2K):
  - Each domain can be set up to “trust” other domains:
    - users and groups then get access to trusted domain
    - potentially a security threat, through the trusted domain
[Diagram labels: Domain A; Domain B; trusts]

Revision of Domain Relationships (Active Dir)
- Windows 2000 etc allow “domain tree” structures:
  - a whole 2D structure of domains with a trust relationship can be set up
  - potentially a HUGE security threat, if authentication is compromised…

Kerberos and Trust Relationships between Domains
- Any domain name that is connected to the Internet is actually part of the Domain Name system
  - e.g. there was once an NT domain called bandit (Business and IT) here at Worcester
  - Thanks to active directory, it became bandit.worc.ac.uk in the Internet naming system
- Domains that are linked within an Active directory domain tree work within a system that automatically creates interdomain keys for Kerberos through a system involving local and “foreign” KDCs

So now you know!
- That's all folks…
- Plenty more PKI-related RFCs on the IETF website…