Network security-primer-9544

Full-service Software Product Development Life Cycle Services

A Security Primer

2Full-service Software Product Development Life Cycle Services

Security Topics

PGP S/MIME

SSL TLS

IPSec

Cryptography

Symmetric Key

Public Key

Algorithms

Encryption

Digital Signatures

Certificates

Algorithms

Encryption

Key Mgmt


Need for message security

• Privacy– Am I sure no body else knows this?

• Authentication– Am I sure that the sender is genuine and not an

imposter?

• Integrity– Am I sure that the message has not been tampered on

its way?

• Non-repudiation– What will I do if the sender denies sending the message?


Cryptography


Cryptography

• Jargon– Cryptography means “Secret Writing”– Original message – plaintext– Encrypted message – ciphertext– Encryption and decryption algorithms – ciphers– The number value that the cipher operates on –key

• Types– Symmetric key cryptography – Public key cryptography


Symmetric Key Cryptography

110.ico

Encrypt

Network

110.ico

Decrypt

Shared secret key

• Features– Same key used by sender and receiver– Algorithm for decryption is inverse of the

algorithm used for encryption

Alice Bob

1 2


Symmetric Key (contd.)

• Algorithms– DES (Data Encryption Standard)– Triple DES

• Advantages– Efficient algorithms (takes less time to encrypt and

decrypt)– Simple

• Disadvantages– Each pair must have unique keys. i.e. N people will

require N(N-1)/2 keys– Distribution of keys between two parties can be difficult


Public Key Cryptography

110.ico

Encrypt

Network

110.ico

Decrypt

Bob’s public key

Alice Bob

Bob’s private key

To the public

1

2

• Features– There are two keys: a private key and a public key– The private key is kept by the receiver and the

public key is announced to the public


Public Key (contd.)

• Algorithms– RSA (Rivest, Shamir and Adleman)

• Advantages– Need to distribute only the public key. Private key can

be safely kept– Lesser number of keys i.e. 1 million users may need only

2 million keys (as compared to 500 billion, if they use symmetric key cryptography)

• Disadvantages– Complex algorithms– Association between the public key and the entity must

be verified (need for certificates)


Digital Signatures

• Features– Enables integrity, authentication and non-repudiation– Private keys are used to sign a message (or hash)– Public keys are used to verify the signatures

• Hash Functions– Signing the whole message is inefficient– Hash functions are used to create a unique digest of the

message– Popular hashing algorithms are SHA-1 (secure hash

algorithm) and MD5 (message digest)


Digital Signatures (contd.)

110.ico

Alice

Hash Function

Digest

Encrypt

Alice’s private key

+110.ico

Signed Digest

Message plus Signed Digest

To Bob

1

2

3

Sender site


Digital Signatures (contd.)

110.ico

Receiver site

Bob

From Alice

Decrypt Hash Function

Digest

Alice’s public key

DigestX

Compare

4 5

6


Key Management

• In symmetric key systems:– We need a mechanism to share the key between sender

and receiver, and also reduce the number of keys– In some cases, public key systems also use symmetric

key to encrypt a message and encrypt the key using public key

– Solution: session keys. Symmetric keys are created for a session and destroyed when the session is over

– Techniques for key management:» Deffie Hellman method» Key distribution center (Needham-Schroeder protocol and

Otway-Rees protocol)


Key Management (contd.)

• In public key systems:– Alice needs to know whether Bob’s public key is genuine– Solution: Certificates

– Bob goes to a Certification Authority (CA), e.g. VeriSign, which binds Bob’s public key to an entity called certificate.

– Certificate is signed by CA, which has a well known public key, and hence cannot be forged.

– Alice can verify the CA’s signature and hence be sure about Bob’s public key


Certificates

• Certificate is described by X.509 protocol• X.509 uses ASN.1 (Abstract Syntax Notation 1) to define the

fields• X.509 fields:

Field Explanation

Version Version number of X.509

Serial Number The unique identifier used by the CA

Signature The certificate signature

Issuer The name of the CA defined by X.509

Validity Period

Start and end period that certificate is valid

Subject Name The entity whose public key is being certified

Public Key The subject public key and the algorithms that use it


Chain of Trust

• Query propagation similar to DNS queries • At any level, the CA can certify performance of CAs in the

next level i.e. level-1 CA can certify level-2 CAs.• Thumb-rule: Everyone trusts Root CA

Root CA

Level-1CA 1

Level-2CA 3

Level-2CA 4

Level-2CA 5

Level-2CA 6

Level-2CA 2

Level-2CA 1

Level-1CA 2


Security at IP Level


IPSec – IP Security

• Secures the IP packet by adding additional header

• Selection of encryption, authentication and hashing methods left to the user

• It requires a logical connection between two hosts, achieved using Security Association (SA)

• An SA is defined by:– A 32-bit security parameter index (SPI)– Protocol type: Authentication Header (AH) Or Encapsulating

Security Payload (ESP)– The source IP address

IP HeaderIPSec Header Rest of the PacketNew IP Header

IP Header IPSec Header Rest of the Packet Transport Mode

Tunnel Mode

OR


Security at Transport Layer


Secure Sockets Layer (SSL)

• Developed by Netscape• Used to establish secure connection between two parties• Protocol similar to TLS (p.t.o)• OpenSSL (www.openssl.org) provides libraries which

implement SSL and TLS • Several application layer security protocols run on top of

SSL. E.g. Secure HTTP (https)


Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:

– Handshake Protocol

– Data exchange protocol

– Uses secret key to encrypt data.

– Secret key already shared during handshake

Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server







Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server

Browser sends a hello message that includes TLS version and other

preferences







Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server

Server sends a certificate that has its

public key







Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server

Browser verifies the certificate. It generates a

session key, encrypts with server’s public key

and sends it to the server







Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server

Browser sends handshake terminating message, encrypted by

the secret key







Hello

Certificate

Secret key

End Handshaking

Encrypted Ack

Client Server

Server decrypts secret key with its private key.

Uses secret key to decode message ad sends encrypted ack


Security at Application Layer


Pretty Good Privacy (PGP)

110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest


Encrypted (secret key & message + digest) to Bob

1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

Email message is hashed to create digest



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

Digest is encrypted using Alice’s private key



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

Signed digest added to the message



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

The message and digest are encrypted using one

time secret key created by Alice



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

The secret key is encrypted using Bob’s public key



110.ico

Alice

Hash Function

Digest

Encrypt


+110.ico

Signed Digest



1

2

3Encrypt

Bob’s public key

Encrypt

One-time secret key

+

4

5

6

Sender site

The encrypted message, digest and secret key is sent

to Bob


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11

Encrypted (secret key & message + digest)

Bob’s private key

Decrypt

Decrypt

Encrypted (message + digest)

One-time secret key

7

8


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11


Bob’s private key

Decrypt

Decrypt


One-time secret key

7

8

Bob decrypts the secret key with his private key


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11


Bob’s private key

Decrypt

Decrypt


One-time secret key

7

8

Bob decrypts the encrypted message and digest using the decrypted secret key


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11


Bob’s private key

Decrypt

Decrypt


One-time secret key

7

8

Bob decrypts the encrypted digest with Alice’s public key


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11


Bob’s private key

Decrypt

Decrypt


One-time secret key

7

8

Bob hashes the received message to create a digest

(for message integrity)


PGP (contd.)

110.ico

Receiver site

Bob


Digest


DigestX

Compare

9 10

11


Bob’s private key

Decrypt

Decrypt


One-time secret key

7

8

The two digests are compared, thus providing

authentication and integrity


Sample PGP Signature

From: [email protected]: Mon, 16 Nov 1998 19:03:30 -0600Subject: Message signed with PGPMIME-Version: 1.0Content-Type: text/plain; charset=US-ASCIIContent-Transfer-Encoding: 7bitContent-Description: "cc:Mail Note Part"

-----BEGIN PGP SIGNED MESSAGE-----

Bob,

This is a message signed with PGP, so you can see how much overhead PGPsignatues introduce. Compare this with a similar message signed with S/MIME.

Alice

-----BEGIN PGP SIGNATURE-----Version: PGP for Personal Privacy 5.0Charset: noconv

iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8MaIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HXrKvnc2aBPFI==mUaH-----END PGP SIGNATURE-----


S/MIME

• Working principle similar to PGP• S/MIME uses multipart MIME type to include the cryptographic

information with the message• S/MIME uses Cryptographic Message Syntax (CMS) to specify the

cryptographic information • Creating S/MIME message:

MIME Entity

CMS Object S/MIMECertificates

Algo identifiers

CMS Processing

MIME Wrapping


Sample SMIME SignatureFrom: [email protected]: Mon, 16 Nov 1998 19:03:08 -0600Subject: Message signed with S/MIMEMIME-Version: 1.0Content-Type: multipart/mixed; boundary="simple boundary"

--simple boundaryContent-Type: text/plain; charset=US-ASCIIContent-Transfer-Encoding: 7bitContent-Description: "cc:Mail Note Part"

Bob,

This is a message signed with S/MIME, so you can see how much overhead S/MIMEsignatures introduce. Compare this with a similar message signed with PGP.

Alice

--simple boundaryContent-Type: application/octet-stream; name="smime.p7s"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="smime.p7s"

MIIQQwYJKoZIhvcNAQcCoIIQNDCCEDACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDnwwggnGMIIJL6ADAgECAhBQQRR9a+DX0FHXfQOVHQhPMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzAxMjcwMDAwMDBaFw05ODAxMjcyMzU5NTlaMIIBFzERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMUYwRAYD


Sample SMIME SignatureUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwNjI3MDAwMDAwWhcNOTkwNjI3MjM1OTU5WjBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYUps9N0AUN2Moj0G+qtCmSY44s+G+W1y6ddksRsTaNV8nD/RzGuv4eCLozypXqvuNbzQaot3kdRCrtc/KxUoNoEHBkkdc+a/n3XZ0UQ5tul0WYgUfRLcvdu3LXTD9xquJA8lQ5vBbuz3zsuts/bCqzFrGGEp2ukzTVuNXQ9z6pAgMBAAGjMzAxMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQDB+vcC51fKEXXGnAz6K3dPh0UXO+PSwdoPWDmOrpWZA6GooTj+eZqTFwuXhjnHymg0ZrvHiEX2yAwF7r6XJe/g1G7kf512XM59uhSirguf+2dbSKVnJa8ZZIj2ctgpJ6o3EmqxKK8ngxhlbI3tQJ5NxHiohuzpLFC/pvkN27CmSjCCAjEwggGaAgUCpAAAATANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNOTkxMjMxMjM1OTU5WjBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiHmgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAUnO6mlXc3D+CfbCQmGIqgkx2AG4lPdXCCXBXAQwPdx8YofscYA6gdTtJIUH+p1wtTEJJ0/8o2Izqnf7JB+J3glMj3lXzzkST+vpMvco281tmsp7I8gxeXtShtCEJM8o7WfySwjj8rdmWJOAt+qMp9TNoeE60vJ9pNeKomJRzO8QxggGPMIIBiwIBATB2MGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcgIQUEEUfWvg19BR130DlR0ITzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwIwYJKoZIhvcNAQkEMRYEFE5W9YE9GtbjlD5A52LLaEi96zCKMBwGCSqGSIb3DQEJBTEPFw05NzA4MDcxODQwMTBaMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEDI3mvHr3SAJkdoMqxZnSjJ+5gfZABJGQVOfyEfcKncY/RYFvWuHBAEBySImIQZjMgMNrQLL7QXJ/eIxIwDet+c

--simple boundary--


References


References

• Overview of cryptography: – www.rsalabs.com/faq/– http://www.faqs.org/faqs/cryptography-faq/part06/

• Implementation of SSL and TSL: – www.openssl.org

• S/MIME Internet task force: – www.imc.org/ietf-smime/index.html

• Relationship between S/MIME and PGP/MIME: – www.imc.org/smime-pgpmime.html

Network security-primer-9544

Documents

key usingpublic key

certifiedpublic key

thepublic key

knownpublic key

public key systems

subject public key

symmetric key systems

private key canbe