Page 1: Fundamentals of Network Security
3. Network Security Protocols

CryptoWorks21 • July 25 & 27, 2017

Dr Douglas Stebila

https://www.douglas.stebila.ca/teaching/cryptoworks21

Page 2: Fundamentals of Network Security

1. Basics of Information Security
   – Security architecture and infrastructure; security goals (confidentiality, integrity, availability, and authenticity); threats/vulnerabilities/attacks; risk management

2. Cryptographic Building Blocks
   – Symmetric crypto: ciphers (stream, block), hash functions, message authentication codes, pseudorandom functions
   – Public key crypto: public key encryption, digital signatures, key agreement

3. Network Security Protocols & Standards
   – In detail: public key infrastructure, TLS
   – Overview: Networking, SSH, IPsec, Kerberos, WEP

4. Network Scanning and Defence
   – Traffic sniffing and network reconnaissance (nmap)
   – Network protection: firewalls and intrusion detection

5. Access Control & Authentication; Web Application Security
   – Access control: discretionary/mandatory/role-based; phases
   – Authentication: something you know/have/are/somewhere you are
   – Web security: cookies, SQL injection
   – Supplemental material: Passwords

Page 3: Network Security Protocols

• Public Key Infrastructure
• Networking
• Transport Layer Security (TLS)
• Other protocols
  – Secure Shell (SSH)
  – IPsec
  – Kerberos
  – Wired Equivalent Privacy (WEP)

Page 4: PUBLIC KEY INFRASTRUCTURES (PKI)

Problem: How does Bob get Alice’s public key to begin with?

Page 5: Using digital signatures for entity authentication

1. Bob sends a random challenge to Alice.
2. Alice signs the challenge using her private key.
3. Alice sends the signature to Bob.
4. Bob verifies the signature using Alice’s public key.

Page 6: Certificates and certificate authorities

• A certificate is an assertion by a trusted third party that a particular public key belongs to a particular entity.

• The certificate authority generates a certificate by
  1. Obtaining the user’s public key by some trust mechanism.
  2. Verifying that the user really is who she says she is.
  3. Signing (using the certificate authority’s private key) the user’s public key and name.

• This allows two parties who have never met to establish trust between them:
  – Exchange certificates.
  – Do authentication using digital signatures.
  – If they each trust the certificate authority that signed the other party’s certificate, they can now be certain who the other party is.

Page 7: (figure only)

Page 8: X.509 certificates

A standardized format for certificates. Uses a strange (old) format called ASN.1 and a strange binary encoding.

Fields labelled in the figure:
• Public key
• Certificate authority
• Validity period
• Revocation information
• Domain name
• CA’s signature on everything
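The challenge-response of page 5, the CA issuance and trust steps of page 6 and the X.509 fields of page 8, worked through as an added example in Go (it is not code from the slides): a constructed "Example CA" issues Alice a certificate, Bob verifies the chain and the name, runs the challenge-response against her certificate, rejects an impostor who holds only her certificate, and rejects a certificate for her name issued by a CA outside his trust store (the point made on page 13). All names and the CRL URL are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Names and the CRL URL are constructed for this example; certificates are valid for one day.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)

// mint has signer sign a certificate for pub; parent == tmpl yields a self-signed root.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed root for a trusted third party (page 6) with the given name.
func newCA(cn string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return mint(t, t, &key.PublicKey, key)
}

// userTemplate is what the CA signs in step 3 of page 6 (the name; the public key is passed
// to mint), together with the serial number, validity period and CRL location of page 8.
func userTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}}
}

// verifyChain is the relying party's check: signed by a CA it trusts, valid now, right name.
func verifyChain(cert, ca *x509.Certificate, name string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}

// challengeResponse is page 5: Bob sends a fresh random challenge, the prover signs it, and
// Bob verifies the signature with the public key inside Alice's certificate.
func challengeResponse(proverKey *ecdsa.PrivateKey, aliceCert *x509.Certificate) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, proverKey, h[:])
	if err != nil {
		return false
	}
	// CheckSignature re-hashes the challenge and verifies with the certificate's public key.
	return aliceCert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig) == nil
}

type Outcome struct{ ChainOK, NameMismatch, ChallengeOK, ImpostorOK, UntrustedCAOK bool }

// Scenario: issuance, chain and name checks, challenge-response, an impostor, and a certificate
// for Alice's name from a CA outside Bob's trust store (page 13: any CA can issue for any name).
func Scenario() (out Outcome, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	malloryKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, err := newCA("Example CA", caKey)
	if err != nil {
		return out, err
	}
	aliceCert, err := mint(userTemplate("alice.example.test", 1001), ca, &aliceKey.PublicKey, caKey)
	if err != nil {
		return out, err
	}
	out.ChainOK = verifyChain(aliceCert, ca, "alice.example.test")
	out.NameMismatch = !verifyChain(aliceCert, ca, "bob.example.test") // right CA, wrong name
	out.ChallengeOK = challengeResponse(aliceKey, aliceCert)
	// Mallory can replay Alice's certificate but cannot sign the challenge with her key.
	out.ImpostorOK = challengeResponse(malloryKey, aliceCert)
	// A CA Bob does not trust issues "alice.example.test" to Mallory; Bob's trust store rejects it.
	otherCA, err := newCA("Other CA", otherKey)
	if err != nil {
		return out, err
	}
	misissued, err := mint(userTemplate("alice.example.test", 7), otherCA, &malloryKey.PublicKey, otherKey)
	if err != nil {
		return out, err
	}
	out.UntrustedCAOK = verifyChain(misissued, ca, "alice.example.test")
	return out, nil
}
```

Scenario returns the relying party's verdict at each step; only ChainOK, NameMismatch and ChallengeOK should come back true.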

Page 9: Certificate revocation

• Once a certificate’s been issued, what happens if the user’s private key has been compromised?
• We would like to be able to revoke the certificate, or indicate that it should no longer be trusted.
• When revoking certificates that were used for message authentication, what does that mean for documents signed using that certificate? May need a trusted timestamp server as well.

Certificate Revocation Lists (CRLs)
• Each CA can publish a file containing a list of certificates that have been revoked.
• Have to download whole list.
• CRL address often included in certificate.

Online Certificate Status Protocol (OCSP)
• An online service run by a CA for checking in real-time if a certificate has been revoked.
• Don’t have to download whole list.
• Not widely implemented.

Page 10: Public key infrastructure

A public key infrastructure (PKI) is
• a set of systems (hardware, software, policies, procedures)
• for managing (creating, distributing, storing, revoking)
• digital certificates.

Includes:
• one or more certificate authorities
• users
• relying parties
• possibly a timestamp server
• possibly a directory server storing certificates (e.g., LDAP server, Active Directory server)

Page 11: Certificate types

Domain validation
• Identity confirmed by validating control over DNS record
• Let's Encrypt $0 • Comodo $77 • Thawte $149

Organization validation
• Identity confirmed by some checks of legal status of organization
• Symantec $995 • Thawte $199

Extended validation
• More rigorous check of organization's existence
• Symantec $995 • Thawte $299

Eye-tracking studies show that users do not notice these additional security indicators.

Page 12: Certificate Transparency

• A certificate logging mechanism to allow anyone to check which certificates a CA has issued
• Auditors monitor CAs to watch for malicious behaviour
• Domain name owners monitor the logs to check for certificates issued for their domains

Page 13:

Browsers trust hundreds of CAs (directly or indirectly) by default.

Any CA can issue a certificate for any domain. (Some new protocols help restrict that.)

Page 14: Secure email

• X.509 certificates can also be used to send secure email:
  – digitally signed
  – encrypted

• S/MIME (Secure/Multipurpose Internet Mail Extensions):
  – Supported in most desktop mail programs.
  – Relies on a public key infrastructure.

• PGP (Pretty Good Privacy):
  – Available as an add-on to most desktop mail programs.
  – Uses public keys, but doesn’t require CAs: users manually distribute their keys in a “web of trust”

• Not widely used:
  – Users must know how to set up public keys and obtain an S/MIME X.509 certificate or distribute PGP public keys.
  – Little to no support in webmail.

Page 15: Applications of PKIs

• Website authentication (TLS)
• Email authentication (S/MIME, PGP)
• Domain names (DNSSEC)
• Digital identities
  – e.g., national identity cards (Belgium, Spain, Germany)
• Business-to-business e-commerce
  – e.g., digitally signing transactions, XML signatures

Page 16: NETWORKING

Page 17: IETF Internet Protocol suite

Layer        Examples
Application  web (HTTP, HTTPS); email (SMTP, POP3, IMAP); login (SSH, Telnet)
Transport    connection-oriented (TCP); connectionless (UDP)
Internet     addressing and routing: IPv4, IPv6; control (ICMP); security (IPsec)
Link         packet framing (Ethernet); physical connection: WLAN (WEP, WPA), ADSL, GSM/3G

Most defined by the Internet Engineering Task Force (IETF).

There’s also the 7-layer OSI model.

Page 18: Link (a.k.a. network access) layer

The link or network access layer is the physical layer and is associated with computer hardware.

Computer networks can use a large number of connections and transmission media:
• Telephone wires
• Ethernet (twisted pair) cables
• Optic fibre cables
• Satellite communications
• Mobile phone networks
• Wireless networks
• Bluetooth

At this layer physical addresses identify network nodes:
• Ethernet MAC address

Page 19: Internet (a.k.a. network) layer

The Internet layer runs a low level protocol called the Internet Protocol (IP) (plus a few extra helpers, e.g. ICMP).
• IPv4 (1981), IPv6 (1996)

Host addressing and identification:
• Each host has a unique IP address:
  – IPv4, 32 bit, e.g., 131.181.118.220
  – IPv6, 128 bit, e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Packet routing:
• Organizations are assigned a range of IP addresses that they manage and assign to their computers.

Page 20: Transport layer

The transport layer establishes basic data channels for applications. It uses ports to distinguish between different applications on the same host.

TCP (Transmission Control Protocol)
• connection-oriented protocol
  – back-and-forth, ongoing connections
• reliability
  – large messages split into packets
  – in-order delivery of packets, recombined to large message
  – error checking
  – retransmission of lost packets
  – congestion control

UDP (User Datagram Protocol)
• connectionless protocol
• send a packet, that’s it
• unreliable
• simple error checking
• no retransmission of lost packets
• used for streaming
  – audio, video, VoIP

Page 21: Application layer

Application layer protocols are used by applications to provide user services over a network.

Each application protocol has unique message formats that are sent and received to achieve their tasks.
• HTTP (web)
• FTP (file transfer)
• SSH, Telnet (login)
• SMTP, POP3, IMAP (email)
• XMPP (chat)
• BitTorrent (I’m sure you know what this is used for)

Each application protocol requires the lower network layers (TCP, IP, Network Access) to communicate on the network.

Many use an intermediate protocol called SSL/TLS for encryption and authentication.

Page 22: Client-server on the Internet

• Each application server listens for messages on a particular port number. Common ports:
  – web servers: port 80 (HTTP), 443 (HTTPS)
  – login: port 22 (SSH), 23 (Telnet)
  – file transfer: port 20/21 (FTP), 22 (SFTP/SCP)
  – email servers: port 25 (SMTP), 220/993 (IMAP), 110 (POP)

• Clients identify the machine they want to connect to using an IP address.

• Clients identify the program they want to use using a port number.

Page 23: Example: requesting a web page

Application layer – web browser
• Constructs the request in a specific format – HTTP request.
• Includes address information of the server (IP address and port number)

Transport layer
• Breaks HTTP request into TCP packets (each with address info – IP address and port)

Internet layer
• Routes TCP packets to destination IP address (packet switching)

Link layer
• Packets are transmitted across wire, wireless, satellite etc. depending on how computer is connected

Page 24: Example: receiving a web page request

Link layer
• Receives packets across “wire”

Internet layer
• Collects packets for this IP address

Transport layer
• Assembles packets of request.
• Determines if there are any errors, and if so requests retransmission.
• Sends complete HTTP request to specified port

Application layer – web server
• Processes the HTTP request, maybe prepares a response

Page 25: Network security protocols

Network-related security protocols in common use include:
– Secure Shell (SSH): Used for remote login, file transfer, and limited VPN service.
– Transport Layer Security (TLS): Used extensively on the web and is often referred to in privacy policies as a means of providing confidential web connections.
– IP Security (IPsec): Provides security services at the IP level and is used to provide Virtual Private Network (VPN) services.
– WiFi security (WEP, WPA): Provides security services at the link layer for wireless communication.

Page 26: IETF Internet Protocol suite

Layer        Examples
Application  web (HTTP, HTTPS); email (SMTP, POP3, IMAP); login (SSH, Telnet)
TLS          (shown between the Application and Transport rows)
Transport    connection-oriented (TCP); connectionless (UDP)
Internet     addressing and routing: IPv4, IPv6; control (ICMP); security (IPsec)
Link         packet framing (Ethernet); physical connection: WLAN (WEP, WPA), ADSL, GSM/3G

Page 27: TRANSPORT LAYER SECURITY (TLS) A.K.A. SECURE SOCKETS LAYER (SSL)

Page 28: Terminology

• SSL: Secure Sockets Layer
• Proposed by Netscape
  – SSLv2: 1995
  – SSLv3: 1996
• TLS: Transport Layer Security
• IETF standardization of SSL
  – TLSv1.0 = SSLv3: 1999
  – TLSv1.1: 2006
  – TLSv1.2: 2008
  – TLSv1.3: 2017?
• HTTPS: HTTP (Hypertext Transport Protocol) over SSL

Page 29: Security goals of TLS

• Provides authentication based on public key certificates
  – server-to-client (always)
  – client-to-server (optional)

• Provides confidentiality and integrity of message transmission

• But only protects confidentiality if authentication is correct.

Page 30: IETF Internet Protocol suite

Layer        Examples
Application  web (HTTP, HTTPS); email (SMTP, POP3, IMAP); login (SSH, Telnet)
TLS          adds encryption to many application level protocols
Transport    connection-oriented (TCP); connectionless (UDP)
Internet     addressing and routing: IPv4, IPv6; control (ICMP); security (IPsec)
Link         packet framing (Ethernet); physical connection: WLAN, ADSL, GSM/3G

Page 31: TLS and HTTP

• TLS can be used to provide protection for HTTP communications:
  – Port 443 is reserved for HTTP over TLS
• HTTPS is the name of the URL scheme used with this port.
• http://www.develop.com implies the use of standard HTTP using port 80.
• https://www.develop.com implies the use of HTTP over TLS using port 443.

Page 32: SSL/TLS Protocol (figure)

Handshake, between client and server:
1. Negotiate cryptographic algorithms
2. Authenticate using certificates
3. Establish encryption keys

Record layer (SSL session; each side holds the agreed encryption key and MAC key):
Message → Encryption → Encrypted message → Internet → Decryption → Message

Page 33: What is TLS?

• 5 protocol versions
• vast array of standards
• many implementations!
• 300+ combinations of cryptographic primitives
• different levels of security
• different modes of authentication
• additional functionality:
  – alerts & errors
  – session resumption
  – renegotiation
  – compression

Timeline of versions: 1995, 1996, 1999, 2006, 2008

https://www.trustworthyinternet.org/ssl-pulse/ July 2, 2017

Page 34: What is TLS?

The current approved version of TLS is version 1.2, which is specified in:
• RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2”.

The current standard replaces these former versions, which are now considered obsolete:
• RFC 2246: “The TLS Protocol Version 1.0”.
• RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.
as well as the never standardized SSL 3.0:
• RFC 6101: “The Secure Sockets Layer (SSL) Protocol Version 3.0”.

Other RFCs subsequently extended TLS. Extensions to TLS 1.0 include:
• RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
• RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
• RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
• RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers.
• RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
• RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression methods and the DEFLATE compression method.
• RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
• RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
• RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
• RFC 4217: “Securing FTP with TLS”.
• RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.

Extensions to TLS 1.1 include:
• RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols (such as UDP).
• RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions and a generic extension mechanism.
• RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
• RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
• RFC 4680: “TLS Handshake Message for Supplemental Data”.
• RFC 4681: “TLS User Mapping Extension”.
• RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.
• RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”. Defines the TLS-SRP ciphersuites.
• RFC 5081: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication”, obsoleted by RFC 6091.

Extensions to TLS 1.2 include:
• RFC 5746: “Transport Layer Security (TLS) Renegotiation Indication Extension”.
• RFC 5878: “Transport Layer Security (TLS) Authorization Extensions”.
• RFC 6091: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication”.
• RFC 6176: “Prohibiting Secure Sockets Layer (SSL) Version 2.0”.
• RFC 6209: “Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)”.

Source: http://en.wikipedia.org/wiki/Transport_Layer_Security

Page 35: Structure of TLS

Handshake protocol:
• Negotiation of cryptographic parameters
• Authentication (one-way or mutual) using public key certificates
• Establishment of a master secret key
• Derivation of encryption and authentication keys
• Key confirmation

Record layer:
• Bi-directional authenticated encryption
• Optional compression

Alert protocol

Page 36: Structure of TLS

Handshake protocol (* = optional or situation-dependent message):

  Client                                     Server
  ClientHello              -------->
                                         ServerHello
                                        Certificate*
                                  ServerKeyExchange*
                                 CertificateRequest*
                           <--------   ServerHelloDone
  Certificate*
  ClientKeyExchange
  CertificateVerify*
  (derive session keys)
  [ChangeCipherSpec]
  Finished                 -------->
                                 (derive session keys)
                                  [ChangeCipherSpec]
                           <--------          Finished

Signature algorithms for Certificate / CertificateVerify: RSA, DSA, ECDSA

Record layer:
• Bi-directional authenticated encryption: DES/3DES CBC; AES CBC/GCM/CCM; RC4
• Optional compression

Page 37: 324 TLS cipher suites

(The slide lists all 324 IANA cipher suite names, from TLS_NULL_WITH_NULL_NULL to TLS_PSK_DHE_WITH_AES_256_CCM_8.)

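Page 33's "300+ combinations of cryptographic primitives" and "different levels of security" become concrete when the names on this slide are taken apart. The following is an added example in Go, not code from the slides: it splits an IANA suite name into key exchange, authentication, cipher and hash, and applies a simple grading policy that I constructed for the example (the names used to exercise it are taken from the slide's list).

```go
package main

import (
	"fmt"
	"strings"
)

// Suite is an IANA cipher suite name split into the primitives it combines.
type Suite struct {
	KeyExchange    string   // how the premaster secret is agreed: RSA, DH, DHE, ECDH, ECDHE, PSK, SRP, KRB5
	Authentication string   // how the peer is authenticated: RSA, DSS, ECDSA, PSK, anon, ...
	Cipher         string   // bulk cipher and mode, e.g. AES_128_GCM, 3DES_EDE_CBC, RC4_128, NULL
	Hash           string   // MAC/PRF hash: MD5, SHA, SHA256, SHA384, NULL ("" for the CCM suites)
	Export         bool     // 40-bit "export-grade" key material
	ForwardSecrecy bool     // ephemeral (EC)DH: a later long-term key compromise does not expose old sessions
	Grade          string   // "modern", "legacy" or "insecure" under the policy in grade
	Problems       []string // reasons the grade is not "modern"
}

var hashes = map[string]bool{"MD5": true, "SHA": true, "SHA256": true, "SHA384": true, "NULL": true}

// Parse splits TLS_<kx>[_<auth>][_EXPORT]_WITH_<cipher>[_<hash>] and grades the result.
// Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV are not suites and are rejected.
func Parse(name string) (Suite, error) {
	var s Suite
	left, right, ok := strings.Cut(strings.TrimPrefix(name, "TLS_"), "_WITH_")
	if !strings.HasPrefix(name, "TLS_") || !ok {
		return s, fmt.Errorf("%q is not a cipher suite name", name)
	}
	kx := strings.Split(left, "_")
	if kx[len(kx)-1] == "EXPORT" {
		s.Export, kx = true, kx[:len(kx)-1]
	}
	if kx[0] == "SRP" && len(kx) > 1 && kx[1] == "SHA" { // SRP_SHA[_RSA|_DSS]: drop the hash token
		kx = append(kx[:1], kx[2:]...)
	}
	s.KeyExchange, s.Authentication = kx[0], kx[len(kx)-1] // a lone "RSA" is RSA key transport + RSA auth
	if s.Authentication == "DHE" { // the TLS_PSK_DHE_* names list the two tokens the other way round
		s.KeyExchange, s.Authentication = "DHE", kx[0]
	}
	for _, t := range kx {
		s.ForwardSecrecy = s.ForwardSecrecy || t == "DHE" || t == "ECDHE"
	}
	parts := strings.Split(right, "_")
	if last := parts[len(parts)-1]; hashes[last] && len(parts) > 1 {
		s.Hash, parts = last, parts[:len(parts)-1]
	}
	s.Cipher = strings.Join(parts, "_")
	grade(&s)
	return s, nil
}

// grade applies a constructed policy: no authentication, no or broken encryption, export key sizes
// or MD5 are insecure; CBC, 64-bit blocks and static key exchange are legacy; the rest is modern.
func grade(s *Suite) {
	s.Grade = "modern"
	flag := func(level, why string) {
		s.Problems = append(s.Problems, why)
		if level == "insecure" || s.Grade == "modern" {
			s.Grade = level
		}
	}
	if s.Export {
		flag("insecure", "export-grade (40-bit) key material")
	}
	if s.Authentication == "anon" || s.Authentication == "NULL" {
		flag("insecure", "anonymous key exchange: no peer authentication")
	}
	switch strings.SplitN(s.Cipher, "_", 2)[0] {
	case "NULL":
		flag("insecure", "NULL cipher: no confidentiality")
	case "RC4":
		flag("insecure", "RC4 keystream biases")
	case "DES", "DES40", "RC2":
		flag("insecure", "single DES / RC2: 56-bit or smaller key")
	case "3DES", "IDEA":
		flag("legacy", "64-bit block cipher")
	}
	if s.Hash == "MD5" {
		flag("insecure", "MD5-based MAC")
	}
	if strings.Contains(s.Cipher, "_CBC") {
		flag("legacy", "CBC with MAC-then-encrypt (padding-oracle class, e.g. Lucky 13)")
	}
	if !s.ForwardSecrecy {
		flag("legacy", "static key exchange: no forward secrecy")
	}
}

// Audit counts a configured suite list by grade; entries that are not suite names are skipped.
func Audit(names []string) map[string]int {
	counts := map[string]int{}
	for _, n := range names {
		if s, err := Parse(n); err == nil {
			counts[s.Grade]++
		}
	}
	return counts
}
```

Feeding a server's configured list through Audit gives a quick count of suites to disable ("insecure") and to phase out ("legacy"); the Problems field explains each verdict.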

Page 38: Is TLS secure?

What should TLS do?
• Server-to-client authentication
• Client-to-server authentication (optional)
• Confidential communication with integrity protection

What doesn't TLS do?
• (Trusted creation of certificates)
• Password-based authentication
• Stop denial-of-service attacks
• Prevent web application vulnerabilities

Page 39: Components of TLS

Crypto primitives
• RSA, DSA, ECDSA
• Diffie–Hellman, ECDH
• HMAC
• MD5, SHA-1, SHA-2
• DES, 3DES, RC4, AES

Ciphersuite details
• Data structures
• Key derivation
• Encryption modes, IVs
• Padding

Advanced functionality
• Alerts & errors
• Certification/revocation
• Negotiation
• Renegotiation
• Session resumption
• Key reuse
• Compression

Libraries
• OpenSSL
• GnuTLS
• SChannel
• Java JSSE

Applications
• Web browsers: Chrome, Firefox, IE, Safari
• Web servers: Apache, IIS, …
• Application SDKs
• Certificates

Page 40: Real-world attacks on TLS

(The slide repeats the component map from page 39 and overlays it with real-world attacks; each one hit a different part of the stack.)
• Heartbleed: a missing bounds check in OpenSSL's heartbeat-extension handling let a peer read server memory, including private keys (library bug, 2014)
• Debian OpenSSL entropy bug: a Debian patch broke the random-number seeding in OpenSSL, so keys generated on Debian-derived systems in 2006–2008 came from a tiny, enumerable set (library bug)
• Bleichenbacher's attack on RSA PKCS #1 v1.5: a padding-oracle attack on RSA key transport, first published in 1998 and rediscovered in new forms many times since (crypto primitives / ciphersuite details)
• Lucky 13: a timing side channel in the CBC-mode MAC-then-encrypt padding check (ciphersuite details, 2013)
• Rizzo & Duong's "CRIME" attack: TLS compression leaks plaintext through the ciphertext length (advanced functionality, 2012)
• goto fail: a duplicated "goto fail;" statement in Apple's SecureTransport skipped the signature check on the server's key exchange (library bug, 2014)

Page 41: Esoteric features – compression

• TLS supports optional compression
• Message broken up into chunks, each chunk compressed then encrypted
• Size of ciphertext => amount of compression => leaks plaintext info
• "CRIME" attack, Sept. 2012
• Fix: disable compression

Source: https://www.trustworthyinternet.org/ssl-pulse/ (June 1, 2016)
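The mechanism behind CRIME, reduced to a few dozen lines of Python with the standard zlib module. This is an added example and not part of the slides: the attacker controls part of a request (the URL path), the browser appends a secret cookie, the whole record is DEFLATE-compressed before encryption (as TLS compression per RFC 3749 does), and the compressed length tells the attacker whether a guessed cookie byte matched. The request layout, the cookie value 7Kx2mQ9zLp4W, the 8-byte probe window and the Z_FIXED compression setting are choices made for this demonstration.

```python
"""Length-oracle recovery of a secret cookie from a compressed request (CRIME-style demo)."""
import zlib

COOKIE_PREFIX = "Cookie: session="    # header text the attacker already knows
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
SECRET = "7Kx2mQ9zLp4W"                # constructed sample cookie value; unknown to the attacker


def build_request(path: str, secret: str) -> bytes:
    """What the victim's browser sends: the attacker chose `path`, the browser added the cookie.
    With TLS compression the whole record is compressed before it is encrypted."""
    return (f"GET /?{path} HTTP/1.1\r\n"
            f"Host: example.com\r\n"
            f"{COOKIE_PREFIX}{secret}\r\n\r\n").encode()


def deflate_size(data: bytes) -> int:
    """The eavesdropper's view: the compressed length (encryption only adds a constant).
    Z_FIXED forces fixed Huffman codes so that saving one literal saves exactly one byte;
    against dynamic codes the oracle is noisier, but the same leak is there."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def recover_cookie(oracle, length: int, window: int = 8) -> str:
    """Recover `length` cookie bytes one at a time. oracle(path) returns the compressed size of
    the victim's request when the attacker-controlled path is `path`.
    Each probe is the last `window` known bytes (header prefix plus what has been recovered)
    followed by one guess: a correct guess lets LZ77 match one byte more of the real cookie line,
    so the output shrinks. Keeping the match between 3 and 10 bytes keeps the DEFLATE length code
    free of extra bits, so the shrink is exactly one byte and never hidden by bit-to-byte rounding."""
    known = ""
    for _ in range(length):
        probe = (COOKIE_PREFIX + known)[-window:]
        sizes = {g: oracle(probe + g) for g in ALPHABET}
        smallest = min(sizes.values())
        candidates = [g for g, n in sizes.items() if n == smallest]
        if len(candidates) != 1:        # ambiguous oracle reading: stop rather than guess
            break
        known += candidates[0]
    return known


def victim_oracle(path: str) -> int:
    """Stand-in for the network: the attacker injects `path`, observes the record length."""
    return deflate_size(build_request(path, SECRET))


def demo() -> str:
    return recover_cookie(victim_oracle, len(SECRET))


if __name__ == "__main__":
    print("recovered cookie:", demo())
```

The defence on the slide (disable compression) works because it removes the only thing in this script that depends on the secret and the attacker's input at the same time: the compressed size becomes a function of the plaintext length alone.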

Page 42: (Perfect) Forward secrecy

• An adversary who later learns the server's long-term private key shouldn't be able to read previous transmissions
• RSA key transport: no PFS (the client encrypts the premaster secret under the server's certificate key, so a recorded handshake can be decrypted as soon as that key leaks)
• Signed Diffie–Hellman: PFS (the certificate key only signs an ephemeral DH share; the session key is derived from shares that both sides discard after the handshake)

Source: https://www.trustworthyinternet.org/ssl-pulse/ (September 4, 2014)

Page 43: (Perfect) Forward secrecy

Same slide with a later SSL Pulse snapshot of forward-secrecy support: https://www.trustworthyinternet.org/ssl-pulse/ (July 2, 2017)

Page 44: Certificate authority breaches and errors

• DigiNotar, Jul. 2011
  – security breach; malicious certificates for many domains issued
  – went out of business
• TURKTRUST, Aug. 2011
  – issued intermediate CA certificates with wildcard signing capabilities
  – one was later used for man-in-the-middle proxy filtering/scanning
  – no evidence of use in an attack; detected only in Jan. 2013
• Digicert Malaysia (Digicert Sdn. Bhd., unrelated to DigiCert Inc.), Nov. 2011
  – 22 certificates issued with weak private keys or missing revocation details
• KPN/Getronics, Nov. 2011
  – suspended CA business after detecting an infection on its web server; no evidence of certificate malfeasance

• Web browsers trust 650+ certificate authorities, any of which can issue certificates for any domain on the Internet; a mis-issued certificate from one of them lets an attacker impersonate a site no matter how careful that site's own CA was
• Extended validation certificates don't solve the problem

Page 45: Cryptographic attacks

• Many weaknesses found in record-layer symmetric encryption algorithms.
• Usually require a large amount of data to succeed.
• Not urgent to fix, but cryptographic attacks only get better, never worse.
• Can be confusing as knowledge evolves:
  – BEAST attack 2011 => AES-CBC mode insecure, use RC4
  – Paterson et al. attack 2013 => RC4 insecure, use fixed AES-CBC
  – (or, better, an AEAD ciphersuite such as AES-GCM, which has neither problem)

Page 46: TLS v1.3: The Next Generation

• Under development at the IETF at the time of these slides (July 2017); published as RFC 8446 in August 2018
• Primary goals:
  – remove ciphersuites without forward secrecy
  – remove obsolete/deprecated algorithms
  – provide low-latency mode with fewer round trips
  – encrypt more of the handshake to improve privacy
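The following Python script is an added example, not part of the original slides. It parses cipher suite names of the form shown in the long list earlier in this section (TLS_<key exchange>_<authentication>_WITH_<cipher>_<mode>_<hash>, the IANA naming convention; TLS 1.3 names drop everything before the cipher because the key exchange is always ephemeral) and classifies each one along the axes discussed on pages 42 to 46: forward secrecy (DHE/ECDHE versus RSA key transport and static (EC)DH), authentication (including DH_anon), AEAD versus CBC MAC-then-encrypt (BEAST, Lucky 13), and legacy ciphers such as RC4. The sample list, the warning texts and the "recommended" policy are constructed for this example.

```python
"""Parse TLS cipher suite names and flag what each implies for security."""
from __future__ import annotations
from dataclasses import dataclass

# Ephemeral (EC)DH gives forward secrecy; RSA key transport, static (EC)DH and plain PSK do not.
# TLS 1.3 names omit the key exchange because it is always ephemeral (EC)DHE (possibly with a PSK).
EPHEMERAL_KX = {"DHE", "ECDHE", "(EC)DHE"}
MODES = {"CBC", "GCM", "CCM", "POLY1305"}
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}
LEGACY_CIPHERS = ("RC4", "3DES", "DES", "NULL", "IDEA", "RC2")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str    # RSA, DH, DHE, ECDH, ECDHE, PSK, ... or "(EC)DHE" for TLS 1.3 names
    authentication: str  # RSA, DSS, ECDSA, PSK, anon, ...
    cipher: str          # AES_128, ARIA_256, CAMELLIA_128, RC4_128, 3DES_EDE, NULL, ...
    mode: str            # CBC, GCM, CCM, CCM_8, POLY1305, or "" for stream/NULL ciphers
    hash_alg: str        # HMAC hash (CBC/stream) or PRF hash (AEAD); "" when the name omits it

    @property
    def forward_secret(self) -> bool:
        return self.key_exchange in EPHEMERAL_KX

    @property
    def aead(self) -> bool:
        return self.mode in AEAD_MODES

    def warnings(self) -> list[str]:
        w = []
        if not self.forward_secret:
            w.append("no forward secrecy: long-term key compromise decrypts recorded sessions")
        if self.authentication == "anon":
            w.append("anonymous key exchange: no server authentication, trivial MITM")
        if self.cipher.startswith(LEGACY_CIPHERS) or "EXPORT" in self.name:
            w.append(f"legacy cipher {self.cipher}")
        if self.mode == "CBC":
            w.append("CBC MAC-then-encrypt: padding/timing oracles (BEAST, Lucky 13)")
        if self.mode == "CCM_8":
            w.append("CCM_8: 64-bit authentication tag, meant for constrained devices")
        if self.hash_alg == "MD5":
            w.append("MD5-based MAC")
        return w


def parse_suite(name: str) -> CipherSuite:
    if not name.startswith("TLS_") or name.endswith("_SCSV"):
        raise ValueError(f"not a cipher suite name: {name}")
    if "_WITH_" in name:
        left, right = name[4:].split("_WITH_", 1)
        tokens = [t for t in left.split("_") if not t.startswith("EXPORT")]
        # RFC 6655 names one family TLS_PSK_DHE_..., so look for the ephemeral token anywhere.
        kx = next((t for t in tokens if t in EPHEMERAL_KX), tokens[0])
        rest = [t for t in tokens if t != kx]
        auth = rest[-1] if rest else kx      # TLS_RSA_WITH_...: RSA both transports and authenticates
    else:                                     # TLS 1.3: TLS_AES_128_GCM_SHA256 and friends
        kx, auth, right = "(EC)DHE", "negotiated separately", name[4:]
    parts = right.split("_")
    idx = next((i for i, t in enumerate(parts) if t in MODES), None)
    if idx is None:                           # stream or NULL cipher: TLS_RSA_WITH_RC4_128_SHA
        cipher, mode, tail = "_".join(parts[:-1]), "", parts[-1:]
    else:
        cipher, mode, tail = "_".join(parts[:idx]), parts[idx], parts[idx + 1:]
        if mode == "CCM" and tail[:1] == ["8"]:
            mode, tail = "CCM_8", tail[1:]
    return CipherSuite(name, kx, auth, cipher, mode, tail[0] if tail else "")


def audit(names: list[str]) -> dict[str, list[str]]:
    """Suites that should not be offered, with the reasons."""
    report = {}
    for n in names:
        w = parse_suite(n).warnings()
        if w:
            report[n] = w
    return report


def recommended(names: list[str]) -> list[str]:
    """Forward-secret AEAD suites with no warnings, in the order given (server preference order)."""
    return [n for n in names if (s := parse_suite(n)).forward_secret and s.aead and not s.warnings()]


# Constructed sample: names from the list above, plus RC4 and a TLS 1.3 name for contrast.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
    "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
    "TLS_PSK_DHE_WITH_AES_128_CCM_8",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_SUITES).items():
        print(suite, "->", "; ".join(reasons))
    print("keep:", recommended(SAMPLE_SUITES))
```

Run against a server's configured list (for example the output of a scanner) this reproduces the TLS 1.3 design decision on this slide mechanically: everything without DHE or ECDHE in the name fails the forward-secrecy test, and everything with CBC, RC4 or 3DES fails the record-layer test.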

Page 47: OTHER PROTOCOLS: SSH, IPsec, Kerberos

Page 48: SSH (Secure Shell) protocol

• SSH used for secure remote access (like telnet, but secure)
• Provides public key authentication of servers and clients and encrypted communication
• Specified in RFCs by the IETF (RFC 4251–4254: architecture, authentication, transport and connection protocols)

Page 49: Use of SSH

• Primarily used as an application itself (remote login)
• Occasionally used as a "poor man's VPN"

Layer        Examples
Application  web (HTTP, HTTPS); email (SMTP, POP3, IMAP); login (SSH, Telnet)
Transport    connection-oriented (TCP); connectionless (UDP)
Internet     addressing and routing: IPv4, IPv6; control (ICMP); security (IPsec)
Link         packet framing (Ethernet); physical connection: WLAN (WEP, WPA), ADSL, GSM/3G

Page 50: SSH security services

• Message confidentiality
  – Protects against unauthorised data disclosure.
  – Accomplished by the use of encryption mechanisms.
• Message integrity
  – SSH can determine if data has been changed (intentionally or unintentionally) during transit.
  – Integrity of data can be assured by using a message authentication code (MAC).
• Message replay protection
  – The same data is not delivered multiple times (each packet's sequence number is covered by its MAC).
• Peer authentication
  – Server-to-client authentication based on public keys
  – Client-to-server authentication based on passwords or public keys
  – Ensures that network traffic is being sent from the expected party.

Page 51: Client authentication in SSH

• SSH (Secure Shell) is often used for remote command-line access in Unix and Mac OS X.
• It supports public key authentication.
  – A security-conscious SSH installation would support only public key authentication and disable password-based authentication.
• Each account can have multiple associated public keys.
  – Multiple users can log in to a single account without having to be told the password for that account. Easy to revoke one user's access to that account.
  – One user could have a different key on each local computer (laptop, desktop, ...); if one of the local computers is lost or compromised, it is easy to revoke just that key's access.
• Users can associate the same key with multiple accounts.
  – Yields a form of single sign-on.
  – Users can protect their private key using a passphrase (the key file is encrypted under it, so a copied file alone is not enough to log in).
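An added example (not from the slides) of the per-key management this slide describes, for the OpenSSH authorized_keys format: one shared account, one key per person and device, an audit for weak keys, and revocation of a single key by its SHA256 fingerprint without touching anyone else's access. The parsing follows the authorized_keys line layout (optional options field, key type, base64 blob, comment) and the RFC 4253 public-key wire format inside the blob; the three sample keys, their comments and the 2048-bit RSA minimum are constructed for this example, and the RSA moduli are placeholder numbers of the right size rather than real keys.

```python
"""Audit an OpenSSH authorized_keys file and revoke one key by fingerprint."""
from __future__ import annotations
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048     # policy choice for this example

@dataclass
class AuthorizedKey:
    options: str        # e.g. from="10.0.0.0/8",no-port-forwarding ("" if none)
    key_type: str
    blob: bytes         # public key in RFC 4253 wire format (what the base64 field encodes)
    comment: str
    bits: int

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_bits(key_type: str, blob: bytes) -> int:
    """Security-relevant size: RSA/DSA modulus bits or the curve size."""
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match declared type")
    if key_type in ("ssh-rsa", "ssh-dss"):           # ssh-rsa: e, n   ssh-dss: p, q, g, y
        first, off = _read_string(blob, off)
        if key_type == "ssh-rsa":
            first, _ = _read_string(blob, off)      # skip e, read the modulus n
        return int.from_bytes(first, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    return int(key_type.rsplit("nistp", 1)[1])      # ecdsa-sha2-nistpNNN

def fingerprint(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line: str) -> AuthorizedKey | None:
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # leading options field; quoted values such as command="..." may contain spaces
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == "\\" and quoted:
                i += 1
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    blob = base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(options, parts[0], blob, comment, key_bits(parts[0], blob))

def load(text: str) -> list[AuthorizedKey]:
    return [k for k in map(parse_line, text.splitlines()) if k is not None]

def audit(keys: list[AuthorizedKey]) -> list[tuple[str, str]]:
    """(comment, reason) for keys that should be rotated."""
    out = []
    for k in keys:
        if k.key_type == "ssh-dss":
            out.append((k.comment, "DSA: 1024-bit only, disabled by default in current OpenSSH"))
        elif k.key_type == "ssh-rsa" and k.bits < MIN_RSA_BITS:
            out.append((k.comment, f"RSA modulus {k.bits} bits < {MIN_RSA_BITS}"))
    return out

def revoke(text: str, fp: str) -> str:
    """Remove only the key with fingerprint fp; every other key keeps access to the account."""
    kept = [l for l in text.splitlines()
            if (k := parse_line(l)) is None or fingerprint(k.blob) != fp]
    return "\n".join(kept) + "\n"

# Constructed sample file. The blobs are well-formed but the key material is placeholder data.
def _mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)

def _fake_rsa_blob(bits: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# one shared account, one key per person and per device",
    f"ssh-ed25519 {_b64(_ssh_string(b'ssh-ed25519') + _ssh_string(bytes(32)))} alice@laptop",
    f'from="10.0.0.0/8",no-port-forwarding ssh-rsa {_b64(_fake_rsa_blob(1024))} bob@desktop-2009',
    f'command="/usr/local/bin/backup --only" ssh-rsa {_b64(_fake_rsa_blob(3072))} backup@nas',
])
```

The options field is where the per-key restrictions live (source address, forced command, no port forwarding), which is the other reason to prefer one key per person and device over a shared password: the restriction can be as narrow as the device that holds the key.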

Page 52: IPsec (Internet Protocol Security)

• Provides confidentiality and authentication for Internet communications
• Works at the IP layer of the protocol stack
  – TLS works at higher levels, so applications have to be designed to use TLS
  – IPsec can be used transparently with any application
• Often used for Virtual Private Networks (VPNs)

(Layer diagram as on page 49.)

Page 53: IPsec: Common Architectures – Gateway-to-gateway

(Figure: an IPsec tunnel between two security gateways protects all traffic between the networks behind them; the hosts themselves run no IPsec. Source: NIST Special Publication 800-77)

Page 54: IPsec: Common Architectures – Host-to-gateway

(Figure: a remote host, for example a laptop, builds an IPsec tunnel to the organisation's gateway; this is the usual remote-access VPN. Source: NIST Special Publication 800-77)

Page 55: Single sign-on

• Single sign-on protocols allow a user to use a credential from one identity provider with many relying parties.
• The user's authentication to the identity provider can be based on any form(s) of authentication: password, public key, biometric.
• The identity provider gives an assertion to the relying party stating who the user is.

Page 56: Kerberos

• Protocol for cryptographic authentication of users and services on distributed systems
• Authentication based on knowledge of shared secrets
• Uses symmetric authentication
• Relies on a trusted third party (the Key Distribution Center) to mediate authentication between parties
• Developed by MIT in the 1980s and 1990s
• Kerberos version 5 published in 1993
• Kerberos used as default authentication method in Windows 2000 and later as part of Active Directory services
• Most UNIX-based operating systems (Linux, Solaris, Mac OS X, FreeBSD) support Kerberos authentication of users and services
• Kerberos also supports public key (asymmetric) authentication of users to the KDC (PKINIT)

Page 57: WIRED EQUIVALENT PRIVACY (WEP)

Page 58: Wired Equivalent Privacy (WEP)

• Goal: provide login authentication, message authentication/integrity, and message confidentiality for 802.11 wireless networks
  – standardized in 1999
  – uses RC4 for encryption
  – uses CRC-32 checksum for integrity
  – uses pre-established shared keys

Page 59: IETF Internet Protocol suite

(Layer diagram as on page 49.)

Page 60: WiFi Security

(Figure: wireless client, access point and the Internet; the hops are labelled "Encrypted :(", "Unencrypted :)" and "Unencrypted :)".)

Page 61: WEP Encryption

• 64-bit WEP uses a 24-bit IV and a 40-bit key
• 128-bit WEP uses a 24-bit IV and a 104-bit key
• Append CRC-32(m) to message before encrypting
• The IV is sent in the clear; the frame body is the RC4 keystream generated from IV || K, XORed with m || CRC-32(m)

Page 62: WEP Login Authentication

To authenticate to an 802.11 network using WEP shared key authentication:
• Access point sends 128-bit challenge in plaintext
• Client picks an IV, uses IV, K to encrypt challenge (with RC4)
• Access point decrypts challenge and compares

Is this secure?
• Attacker sees challenge plaintext, ciphertext
• Ciphertext = XOR of keystream and (message, checksum)
• Attacker can derive keystream from ciphertext and plaintext challenge
• Attacker can reuse that keystream (with the same IV, which WEP does not forbid) to encrypt another challenge and gain access

Page 63: Wireless Security

WEP
• Login authentication: completely insecure; attacker can impersonate after seeing a single authentication exchange
• Message authentication/integrity: completely insecure; attacker can undetectably modify any packet with 100% success rate
• Message confidentiality: completely insecure; attacker can recover secret key with high probability in just a minute using readily available tools
• In 2007, US retailer TJ Maxx had 45 million customer credit cards stolen because their wireless network was secured using WEP
• WEP prohibited for use in credit card processing (PCI DSS) after June 2010.

Wi-Fi Protected Access
• Wi-Fi Protected Access standardized in 2003 (WPA) and 2004 (WPA2)
• WPA mostly still secure, as long as strong passwords are used
• Wi-Fi Protected Setup 8-digit PINs brute-forced in a few hours
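The two WEP failures from pages 61 to 63 (shared-key authentication gives away a keystream; CRC-32 is linear, so ciphertext bit flips can be made to pass the integrity check) carried out against a toy access point, as an added example that is not part of the slides. The encryption is WEP as specified (RC4 keyed with IV || K over m || CRC-32(m), IV sent in the clear); the 40-bit key, the IVs, the challenges and the "PAY ..." message are constructed for the demonstration.

```python
"""WEP's shared-key authentication and CRC-32 integrity, attacked exactly as the slides describe."""
import struct
import zlib

KEY = bytes.fromhex("0102030405")       # constructed 40-bit WEP key ("64-bit WEP")
IV_LEN = 3                               # 24-bit IV, transmitted in the clear


def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA); WEP keys it with IV || K."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(m: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(m))


def wep_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """frame = IV || (RC4(IV || K) XOR (m || CRC32(m)))"""
    body = m + icv(m)
    return iv + xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Plaintext if the ICV checks out, else None (what the access point does)."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(rc4(iv + key, len(ct)), ct)
    m, tag = body[:-4], body[-4:]
    return m if tag == icv(m) else None


# --- Attack 1: shared-key authentication hands out a keystream -----------------------------
def keystream_from_auth(frame: bytes, challenge: bytes) -> bytes:
    """Eavesdropper sees the plaintext challenge and the client's encrypted reply:
    keystream = ciphertext XOR (challenge || CRC32(challenge)). The IV is in the frame."""
    return xor(frame[IV_LEN:], challenge + icv(challenge))


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with the captured IV and keystream; K is never needed."""
    return iv + xor(keystream, new_challenge + icv(new_challenge))


def access_point_accepts(key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_decrypt(key, response) == challenge


def demo_auth_bypass() -> bool:
    challenge1 = bytes(range(16))                    # constructed 128-bit challenge to a real client
    iv = b"\x11\x22\x33"
    observed = wep_encrypt(KEY, iv, challenge1)      # the legitimate client's reply, sniffed
    ks = keystream_from_auth(observed, challenge1)   # attacker now holds 20 keystream bytes for this IV
    challenge2 = bytes(range(100, 116))              # the AP's challenge to the attacker
    return access_point_accepts(KEY, challenge2, forge_auth_response(iv, ks, challenge2))


# --- Attack 2: CRC-32 is affine, so bit flips can be made to pass the ICV ------------------
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and patch the encrypted ICV using
    crc(m XOR delta) = crc(m) XOR crc(delta) XOR crc(0...0). No key, no decryption."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


def demo_integrity_bypass() -> bytes:
    original = b"PAY 0010 TO ALICE"                  # constructed; attacker knows the bits to flip
    target = b"PAY 9999 TO ALICE"
    frame = wep_encrypt(KEY, b"\x44\x55\x66", original)
    tampered = flip_bits(frame, xor(original, target))
    return wep_decrypt(KEY, tampered)                # the AP accepts: the ICV still matches


if __name__ == "__main__":
    print("forged authentication accepted:", demo_auth_bypass())
    print("tampered frame decrypts to:", demo_integrity_bypass())
```

Both attacks work because WEP lacks the two things that a MAC (as in SSH or TLS) provides: a keyed, non-linear tag, and a guarantee that keystream is never reused. WPA2's AES-CCMP fixes both, which is why the comparison on this slide comes out the way it does.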

Page 64: IETF Internet Protocol suite

(Layer diagram as on page 49, with TLS added.)

Page 65: Case study: Injecting ads in Wi-Fi hotspot

AT&T provides free Wi-Fi hotspots in airports. In addition to making users view ads when they first connected to the hotspot, AT&T was also modifying HTTP responses from web servers to include their own ads on pages.

http://arstechnica.com/business/2015/08/atts-free-wi-fi-hotspot-injects-extra-ads-on-non-att-websites/

Page 66: Case study: Injecting ads in Wi-Fi hotspot

(Figure: the client's request GET http://www.stanford.edu/ travels from the hotspot to the Internet; the hotspot operator sits on the path and rewrites the unprotected HTTP response.)

Page 67: Case study: Injecting ads in Wi-Fi hotspot

• Link-layer security would not protect against this attack
  – WEP/WPA only encrypt the wireless hop; the hotspot operator is the other endpoint of that hop and does the rewriting after decryption
• Internet-layer, transport-layer, and application-layer security would protect against this attack
  – IPsec: use a VPN to a trusted gateway.
  – TLS: encryption/integrity protection for web page connections (HTTPS).
  – SSH: encryption/integrity protection for remote login.

(Layer diagram as on page 49, with TLS added.)

Page 68: Practicals

X.509 Certificates and Secure Email
• Using the XCA certificate authority software:
  – Set up a certificate authority
  – Generate a private key and certificate request for a user
  – Issue a certificate to the user
• Import the certificate into an email client and send a signed email

TLS
• Using your web browser, inspect the certificate used in a secure connection with a website
• Using the Wireshark packet sniffing software, inspect a TLS connection to see the protocol messages sent

Practicals available at https://www.douglas.stebila.ca/teaching/cryptoworks21