K. Salah1 Cryptography Module III. K. Salah2 Security Services Confidentiality/Privacy Confidentiality/Privacy Has to do with hiding information. Only.

K. Salah 1

CryptographyCryptography

Module IIIModule III

K. Salah 2

Security ServicesSecurity Services

Confidentiality/PrivacyConfidentiality/Privacy Has to do with hiding information. Only the intended receiver can make

sense out of the message. Message AuthenticationMessage Authentication

Data Origin Can it be achieved by symmetric cipher? Yes Can it be achieved by asymmetric cipher? No

Data Integrity Can it be achieved by symmetric cipher? (not really) Can it be achieved by asymmetric cipher? (not really) There is that possibility that bits (cipher bit-block) can be re-ordered in transit

Non-RepudiationNon-Repudiation The receiver must proof that the message came from a specific sender. The sender can not repudiate/deny sending the message

K. Salah 3

Digital Signature – Digital Signature – signing whole documentsigning whole document

K. Salah 4

Digital Signature – Digital Signature – signing the digestsigning the digest

K. Salah 5

Digital SignatureDigital Signature

ProvidesProvides Authentication

Data Origin Data Integrity (with free-collision hashing)

Nonrepudiation

Does not provide confidentiality/privacy Does not provide confidentiality/privacy Need to encrypt the message

K. Salah 6

What is the difference (in terms of non-What is the difference (in terms of non-repudiation, data origin, data integrity, repudiation, data origin, data integrity, confidentiality) when: confidentiality) when: Sign then Encrypt Encrypt then Sign Sign and encrypt only PT message

K. Salah 7

MIM Attack and ARP MIM Attack and ARP PoisoningPoisoning

with a demowith a demo

K. Salah 8

User AuthenticationUser Authentication

User Authentication = User Authentication = Verification of identityVerification of identity

Secret key approachSecret key approach Using Symmetric-Key only

MIM attack where data is intercepted, tampered with, or replayed again to receiver

Using a nonce/challenge A random number Replay is resolved

Bidirectional Must have a unique

challenge per sessions

Public key approachPublic key approach Subject to MIM attack

K. Salah 9

Key ManagementKey Management

Symmetric Key DistributionSymmetric Key Distribution Problems with distributing symmetric key Diffe-Hellman Method

Subject to MIM attack KDC Method

Public-Key CertificationPublic-Key Certification Certificate-based

K. Salah 10

Diffe-Hellman MethodDiffe-Hellman Method

K. Salah 11

MIM Attack MIM Attack

K. Salah 12

KDC (Key Distribution Center)KDC (Key Distribution Center)

Problem with Diffe-Hellman approach is Problem with Diffe-Hellman approach is that information is sent in plaintextthat information is sent in plaintext

R1 and R2 needs to encryptedR1 and R2 needs to encryptedA secret key is neededA secret key is neededSo we have a vicious circuitSo we have a vicious circuitThree solutionsThree solutions

Using KDC Needham-Schroeder Protocol Otway-Rees Protocol

K. Salah 13

Using KDCUsing KDC Sender and receiver registers with KDC and each given a private keySender and receiver registers with KDC and each given a private key KDC sends a KDC sends a ticketticket back to sender back to sender Vulnerable to replay attacks at step 3 and beyondVulnerable to replay attacks at step 3 and beyond

K. Salah 14

Needham-Schroeder ProtocolNeedham-Schroeder Protocol Solve replay attackSolve replay attack Uses 4 noncesUses 4 nonces (R(R11-1) and (R-1) and (R22-1) are used to ensure that ticket was received correctly (decrypted and -1) are used to ensure that ticket was received correctly (decrypted and

processed properly)processed properly)

K. Salah 15

Otway-Rees ProtocolOtway-Rees Protocol Solve replay attack with fewer stepsSolve replay attack with fewer steps R is a common nonce. R is different for each session. Used to make sure encryption and R is a common nonce. R is different for each session. Used to make sure encryption and

decryption got processed properlydecryption got processed properly

K. Salah 16

Public Key CertificationPublic Key Certification

MIM attack. Intruder can intercept the public key in MIM attack. Intruder can intercept the public key in transit and send his own.transit and send his own.

A need for a trusted entity, a certificate authority (CA) to A need for a trusted entity, a certificate authority (CA) to solve public key fraudsolve public key fraud

CA can be public. CA can be public. Their public key is trusted and embedded with the OS and

Applications. Also it can be added manually. Examples

Thawte veriSign Entrust

CA can be privateCA can be private Owned by an organization

K. Salah 17

X.509X.509

FieldField ExplanationExplanation

VersionVersion Version number of X.509Version number of X.509

Serial numberSerial number The unique identifier used by the CAThe unique identifier used by the CA

SignatureSignature The certificate signature, SHA-1, MD5 of CAThe certificate signature, SHA-1, MD5 of CA

IssuerIssuer The name of the CA defined by X.509The name of the CA defined by X.509

Validity periodValidity period Start and end period that certificate is validStart and end period that certificate is valid

Subject nameSubject name The entity whose public key is being certifiedThe entity whose public key is being certified

Public keyPublic key The subject public key and the algorithms that use itThe subject public key and the algorithms that use it

K. Salah 18

PKI (Public Key Infrastructure)PKI (Public Key Infrastructure) Like DNS, there is a need for hierarchical structure of CAs that are public and privateLike DNS, there is a need for hierarchical structure of CAs that are public and private The principle of cross certificationThe principle of cross certification The CA does not to be on-lineThe CA does not to be on-line CA certificate is typically issued by upper level certificate.CA certificate is typically issued by upper level certificate.

Root CA issues its own certificate Local CA can issue its own certificate

K. Salah 19

Use of CertificatesUse of Certificates EmailEmail

PGP-based: Faster than S/MIME PGP, OpenPGP, GnuPG (Gnu Privacy Guard) Email clients:

• Enigmail• PGP Mail• Hushmail (web based)

S/MIME or Certificate based (Digitally signed and then encrypted) Email Clients:

• Outlook • Mozilla Thunderbird

https and SSLhttps and SSL SSHSSH Software protection and signingSoftware protection and signing User authentication through certificate-basedUser authentication through certificate-based

FTP Dialup Directory .Net

K. Salah 20

PGPPGP

Invented by Phil Invented by Phil Zimmermann to provide Zimmermann to provide privacy, integrity, privacy, integrity, authentication, and authentication, and nonrepudiationnonrepudiation

Uses digital signature to Uses digital signature to provide integrity, provide integrity, authentication, and authentication, and nonrepudiationnonrepudiation

Uses one-time secret-key Uses one-time secret-key and public-key encryption and public-key encryption to provide privacyto provide privacy

Message only makes sense at the receiver

What is the job of one-time What is the job of one-time secret key? What if it gets secret key? What if it gets removed? removed?

Encryption is faster with one-time secret key, especially when email is long.

One-time key is very short

K. Salah 21

S/MIMES/MIME

Secure / Multipurpose Internet Mail Secure / Multipurpose Internet Mail ExtensionExtension

provides similar services to PGPprovides similar services to PGP based on technology from RSA Securitybased on technology from RSA Security Can use symmetric or asymmetric key Can use symmetric or asymmetric key

encryptionencryption As specified in the MIME headers

S/MIME certificates are X.509 conformantS/MIME certificates are X.509 conformant Contained in email clientsContained in email clients

MS outlook Netscape communicator Eudora Mozilla Thunderbird etc

K. Salah 22

Security facilities in the TCP/IP protocol Security facilities in the TCP/IP protocol stackstack

K. Salah 23

SSL and TLSSSL and TLS SSL – Secure Socket LayerSSL – Secure Socket Layer TLS – Transport Layer SecurityTLS – Transport Layer Security Both provide a secure transport connection between Both provide a secure transport connection between

applications (e.g., a web server and a browser)applications (e.g., a web server and a browser) SSL was originated by NetscapeSSL was originated by Netscape

SSLv1 and SSLv2 SSL version 3.0 has been implemented in many web SSL version 3.0 has been implemented in many web

browsers (e.g., Netscape Navigator and MS Internet browsers (e.g., Netscape Navigator and MS Internet Explorer) and web servers and widely used on the Explorer) and web servers and widely used on the InternetInternet

SSL v3.0 was specified in an Internet Draft (1996)SSL v3.0 was specified in an Internet Draft (1996) It evolved into TLS specified in RFC 2246It evolved into TLS specified in RFC 2246 TLS can be viewed as SSL v3.1TLS can be viewed as SSL v3.1

K. Salah 24

Transport Layer SecurityTransport Layer Security For any TCP protocol: HTTP (https:// port 443), NNTP, For any TCP protocol: HTTP (https:// port 443), NNTP,

telnet, POP, SFTP, etc.telnet, POP, SFTP, etc. For transactions on Internet, a browser needs:For transactions on Internet, a browser needs:

Make sure that server belongs to the actual vendor Contents of message are not modified during

transition Make sure that the impostor does not interpret

sensitive information. TLS has two protocols: Handshake and data exchange TLS has two protocols: Handshake and data exchange

protocol.protocol. Handshake: Responsible for negotiating security Handshake: Responsible for negotiating security

parameters (encryption method, etc), authenticating the parameters (encryption method, etc), authenticating the server to the browser, and (optionally) defining other server to the browser, and (optionally) defining other communication parameters.communication parameters.

Data exchange (record) protocol uses the secret key to Data exchange (record) protocol uses the secret key to encrypt the data for secrecy and to encrypt the message encrypt the data for secrecy and to encrypt the message digest for integrity.digest for integrity.

K. Salah 25

SSL Record Protocol ServicesSSL Record Protocol Services

ConfidentialityConfidentiality – the handshake protocol – the handshake protocol defines a shared key for encryptions of defines a shared key for encryptions of SSL payloadsSSL payloads

Message IntegrityMessage Integrity – the handshake – the handshake protocol defines a shared key used to form protocol defines a shared key used to form message authentication code (MAC)message authentication code (MAC)

K. Salah 26

SSL Record Protocol OperationSSL Record Protocol Operation

K. Salah 27

SSL ArchitectureSSL Architecture

K. Salah 28

Handshake ProtocolHandshake Protocol Browser sends a hello message that includes TLS version Browser sends a hello message that includes TLS version

and some preferencesand some preferences Server sends a certificate message that includes the public Server sends a certificate message that includes the public

key of the server. The public key is certified by some key of the server. The public key is certified by some certification authority, which means that the public key is certification authority, which means that the public key is encrypted by a CA private key. Browser has a list of CAs encrypted by a CA private key. Browser has a list of CAs and their public keys. It uses the corresponding key to and their public keys. It uses the corresponding key to decrypt the certification and finds the server public key. decrypt the certification and finds the server public key. This also authenticates the server because the public key is This also authenticates the server because the public key is certified by the CA.certified by the CA.

Browser sends a secret key, encrypts it with the server Browser sends a secret key, encrypts it with the server public key, and sends it to the server.public key, and sends it to the server.

Browser sends a message, encrypted by the secret key, to Browser sends a message, encrypted by the secret key, to inform the server that handshaking is terminating from the inform the server that handshaking is terminating from the browser key.browser key.

Server decrypts the secret key using its private key and Server decrypts the secret key using its private key and decrypts the message using the secret key. It then sends a decrypts the message using the secret key. It then sends a message, encrypted by the secret key, to inform the message, encrypted by the secret key, to inform the browser that handshaking is terminating from the server browser that handshaking is terminating from the server side.side.

K. Salah 29

SSL Hashing and EncryptionSSL Hashing and Encryption

supported hash functions:supported hash functions: MD5 SHA-1

supported encryption algorithmssupported encryption algorithms block ciphers (in CBC mode)

RC2_40 DES_40 DES_56 3DES_168 IDEA_128 Fortezza_80

stream ciphers RC4_40 RC4_128

K. Salah 30

client_hello

server_hello

certificate

server_key_exchange

certificate_request

server_hello_done

certificate

client_key_exchange

certificate_verify

change_cipher_spec

finished

change_cipher_spec

finished

Phase 1: Negotiation of the session ID, key exchangealgorithm, MAC algorithm, encryption algorithm, Compression, and exchange of initial random numbersor nonces to prevent replay attacks of key exchange.

Phase 2: Server may send its certificate and keyexchange message, and it may request the clientto send a certificate. Server signals end of hellophase.

Phase 3: Client sends certificate if requested and maysend an explicit certificate verification message. Client always sends its key exchange message.

Phase 4: Change cipher spec (to change the operating state to finished) and finish handshake

K. Salah 31

State changesState changes StateState

Handshake Alert Data Exchange

operating stateoperating state currently used state

pending statepending state state to be used built using the current state

operating state operating state pending state pending state at the transmission and reception of a Change Cipher Spec message

party A(client or server)

party B(server or client)

the sending part of thepending state is copied

into the sending partof the operating state the receiving part of the

pending state is copied into the receiving partof the operating state

Change Cipher Spec

K. Salah 32

Server certificate and key exchange Server certificate and key exchange messagesmessages certificatecertificate

required for every key exchange method except for anonymous DH (Diffe-Hellman) contains one or a chain of X.509 certificates (up to a known root CA) may contain

public RSA key suitable for encryption, or public RSA or DSS key suitable for signing only, or fix DH parameters

server_key_exchangeserver_key_exchange sent only if the certificate does not contain enough information to complete the key exchange (e.g., the

certificate contains an RSA signing key only) may contain

public RSA key (exponent and modulus), or DH parameters (p, g, public DH value), or Fortezza parameters

digitally signed if DSS (Digital Signature Standard by NIST): SHA-1 hash of (client_random | server_random | server_params) is signed if RSA: MD5 hash and SHA-1 hash of (client_random | server_random | server_params) are concatenated and encrypted

with the private RSA key certificate_requestcertificate_request

sent if the client needs to authenticate itself specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)

server_hello_doneserver_hello_done sent to indicate that the server is finished its part of the key exchange after sending this message the server waits for client response the client should verify that the server provided a valid certificate and the server parameters are acceptable

K. Salah 33

Client authentication and key exchangeClient authentication and key exchange certificatecertificate

sent only if requested by the server may contain

public RSA or DSS key suitable for signing only, or fix DH parameters

client_key_exchangeclient_key_exchange always sent (but it is empty if the key exchange method is fix DH) may contain

RSA encrypted pre-master secret, or client one-time public DH value, or Fortezza key exchange parameters

certificate_verifycertificate_verify sent only if the client sent a certificate provides client authentication contains signed hash of all the previous handshake messages

if DSS: SHA-1 hash is signed if RSA: MD5 and SHA-1 hash is concatenated and encrypted with the private key

MD5( master_secret | pad_2 | MD5( handshake_messages | master_secret | pad_1 ) ) SHA( master_secret | pad_2 | SHA( handshake_messages | master_secret | pad_1 ) )

finishedfinished sent immediately after the change_cipher_spec message first message that uses the newly negotiated algorithms, keys, IVs, etc. used to verify that the key exchange and authentication was successful contains the MD5 and SHA-1 hash of all the previous handshake messages:

MD5( master_secret | pad_2 | MD5( handshake_messages | sender | master_secret | pad_1 ) ) |SHA( master_secret | pad_2 | SHA( handshake_messages | sender | master_secret | pad_1 ) )

where “sender” is a code that identifies that the sender is the client or the server (client: 0x434C4E54; server: 0x53525652)

K. Salah 34

Countermeasures to hijacking SSL Countermeasures to hijacking SSL sessions using MIM attacksessions using MIM attack

EducationEducation Sysadmins

Register with CA Users

Beware of alerts Use L3 SwitchesUse L3 Switches

Track and maintain IP/MAC pairs S-ARP protocolS-ARP protocol

Certificate-based Modify kernel to not honor unsolicited ARP repliesModify kernel to not honor unsolicited ARP replies

Sun Solaris Linux 2.4 and 2.6

Use IDSUse IDS Track and maintain IP/MAC pairs

K. Salah 35

OpenSSL vs. PGPOpenSSL vs. PGP

http://www.openssl.orghttp://www.openssl.org OpenSSL is a cryptography toolkit implementing the Secure OpenSSL is a cryptography toolkit implementing the Secure

Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by network protocols and related cryptography standards required by them. them.

The The opensslopenssl program is a command line tool for using the various program is a command line tool for using the various cryptography functions of OpenSSL's cryptography functions of OpenSSL's cryptocrypto library from the shell. It library from the shell. It can be used for can be used for Creation of RSA, DH and DSA key parameters Creation of X.509 certificates, CSRs and CRLs

CSR (Certificate Signing Request) containing public key to submit to CA CRL (Certificate Revocation List) to submit to CA to revoke certificates

Calculation of Message Digests Encryption and Decryption with Ciphers SSL/TLS Client and Server Tests Handling of S/MIME signed or encrypted mail

K. Salah 36

Kerberos V5– Kerberos V5– not a certificate based authenticationnot a certificate based authentication

A network authentication protocol of users developed by MITA network authentication protocol of users developed by MIT Name after Greek Mythology – a dog with 3 heads that guards the gatesName after Greek Mythology – a dog with 3 heads that guards the gates Used in Windows to overcome shortcomings of NTLM Used in Windows to overcome shortcomings of NTLM

NTLM is less secure. Latest version uses a challenge/response authentication Client id itself to the Server Server sends the Client a challenge, R Client responds in one message with NT response and LM response

• NT response is based on LM Hash (of user password) and R• LM response is based on NT Hash (of user password) and R• Therefore, one can crack LM Hash or NT Hash separately!

This info is based on reverse engineering In Windows XP, either Kerberos or NTLM can be selected for user authentication

Kerberos claims of more scalability and is more backward compatible. Kerberos claims of more scalability and is more backward compatible. Has three serversHas three servers

Authentication Server (AS) Ticket-Granting Server (TGS) Real Server

FTP server Dial up server Directory server

K. Salah 37

Kerberos ServersKerberos Servers

K. Salah 38

Kerberos ExampleKerberos Example

KKAA is generated locally when AS replies the first time. Alice has to enter a password. The password is then destroyed. is generated locally when AS replies the first time. Alice has to enter a password. The password is then destroyed. T is a challenge or a Timestamp to prevent replay attackT is a challenge or a Timestamp to prevent replay attack KKSS is the session key is the session key If Alice wants to communicate to anther server, she does not to do the first two steps againIf Alice wants to communicate to anther server, she does not to do the first two steps again