Today Today 1. Review/Summary of security technologies • Crypto and certificates 2. Combination of techniques in SSL Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust • The basis for secure HTTP, ssh , secure IMAP, scp , secure ftp , … • Server authentication vs. peer/client authentication 3. Hierarchies in DNS and certificate distribution • Hierarchies as a basic technique for scale • Hierarchy of trust and autonomy 4. Older slides on servlets at the end for tinyserver lab. Crypto Summary The Underpinnings of Security: Encryption Crypto Summary The Underpinnings of Security: Encryption Two functions Encrypt and Decrypt with two keys K -1 and K Cryptography functions • Decrypt(K, Encrypt(K -1 , x)) = x • Secret key (e.g., DES) • Know x and Encrypt(K -1 , x), cannot comput K or K -1 • Public key (e.g., RSA) • Message digest (e.g., MD5) Secrecy: • Know Encrypt(K -1 , x) but not K, cannot compute x Security services Integrity: • Privacy: preventing unauthorized release of information • Choose x, do not know K -1 : cannot compute y such that • Authentication: verifying identity of the remote participant Decrypt(K, y) = x • Integrity: making sure message has not been altered Digests are one-way (lossy) functions Security • Cannot compute message from digest Cryptography Security • Sufficient for integrity algorithms services Secret Public Message Privacy Authentication Message key key digest integrity (e.g., DES) (e.g., RSA) (e.g., MD5) [Vahdat] [Vahdat] Figure 7.2 Figure 7.2 Familiar names for the protagonists in security Familiar names for the protagonists in security Shared Key versus Public Key Cryptography Shared Key versus Public Key Cryptography protocols protocols With shared key K = K -1 • Mostly for pairwise communication or groups of principals that all trust one another (Data Encryption Standard or DES) With public key cannot compute K from K -1 , or K -1 from K Alice First participant Bob Second participant • K is made public, K -1 kept secret Carol Participant in three- and four-party protocols • Can generate messages without knowing who will read it Dave Participant in four-party protocols (certificate) Eve Eavesdropper • Holder of K -1 can broadcast messages with integrity Mallory Malicious attacker • (K -1 ) -1 = K, send secret messages to holder of K -1 Sara A server • RSA (Rivest-Shamir-Adelman) most popular scheme Secret Key much faster than Public Key [Vahdat] 1
Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both Authenticity and Secrecy Cryptography notations Cryptography notations How does A send a message x to B with: • Authenticity (B knows that only A could have sent it) K A Alice’s secret key • Secrecy (A knows that only B can read the message) K B Bob’s secret key K AB Secret key shared between Alice and Bob K Apriv Alice’s private key (known only to Alice) K Apub Alice’s public key (published by Alice for all to read) { M } Message M encrypted with key K K [ M ] K Message M signed with key K [Vahdat] Messages with both Authenticity and Secrecy Messages with both Authenticity and Secrecy Certification Authorities: Motivation Certification Authorities: Motivation How does A send a message x to B with: What is the problem with the previous approach? • Authenticity (B knows that only A could have sent it) • Secrecy (A knows that only B can read the message) A Transmits the following message x -1 }K B • {{ x }K A What if x is large (performance concerns)? • A transmits K A to B, B transmits K B to A • A picks J A , transmits {J A }K B to B • B picks J B , transmits {J B }K A to A • Each computes secret key, K sk = Hash(J A , J B ) • A transmits {x}K sk to B [Vahdat] [Vahdat] Certification Authorities: Motivation Certification Authorities: Motivation Message Digest Message Digest Cryptographic checksum What is the problem with the previous approach? • Regular checksum protects receiver from accidental changes • Evil router intercepts first public key exchange, imposes its • Cryptographic checksum protects receiver from malicious changes own public key (with corresponding private key) One-way function • Intercepts subsequent messages and inserts its own version • Given cryptographic checksum for a message, virtually impossible to determine what message produced that checksum; it is not • Man in the middle attack computationally feasible to find two messages that hash to the same cryptographic checksum. Solutions? Relevance • Exchange keys over secure channel (in person) • Given checksum for a message and you are able to compute exactly the • Trust certification authority with well-known public key same checksum for that message, then highly likely this message produced given checksum [Vahdat] [Vahdat] 2
Figure 7.11 Figure 7.11 Message Integrity Protocols Message Integrity Protocols Digital signatures with public keys Digital signatures with public keys Digital signature using RSA M signed doc • Compute signature with private key and verify with public key {h} Kpri H(M) h • A transmits M, {D(M)}KA private E(K pri , h) Signing • Receiver decrypts digest using KA public M 128 bits Digital signature with secret key (server as escrow agent) • A ! server, A, {D(M)} KA • Server ! A, {A, D(M), t} KS • A ! B, M, {A, D(M), t} KS {h} Kpri • B ! S, B, {A, D(M), t} KS h' D(K pub ,{h}) S ! B, {A, D(M), t} KB • Verifying M h = h'? h H(doc) [Vahdat] Figure 7.12 Figure 7.12 What happens… What happens… Low- -cost signatures with a shared secret key cost signatures with a shared secret key Low M signed doc H(M+K) h https://www.consumefest.com/checkout.html Signing M K M h Verifying h = h'? h' H(M+K) K Figure 7.17 Figure 7.17 Figure 7.18 Figure 7.18 SSL protocol stack SSL protocol stack SSL handshake protocol SSL handshake protocol Establish protocol version, session ID, ClientHello cipher suite, compression method, SSL ServerHello exchange random values SSL Change SSL Alert Handshake HTTP Telnet Cipher Spec Protocol protocol Certificate O ptionally send server certificate and Certificate Request request client certificate SSL Record Protocol ServerHelloDone Client Certificate Server S end client certificate response if Transport layer (usually TCP) Certificate Verify requested Network layer (usually IP) Change Cipher Spec Change cipher suite and finish Finished handshake SSL protocols: Other protocols: Change Cipher Spec Finished 3
Figure 7.13 Figure 7.13 SSL Questions SSL Questions X509 Certificate format X509 Certificate format Why doesn’t SSL need/use an authentication service like Kerberos? How do SSL endpoints verify the integrity of certificates Subject Distinguished Name, Public Key (IDs)? Issuer Distinguished Name, Signature Does s-http guarantee non-repudiation for electronic Period of validity Not Before Date, No t After Date transactions? Why/how or why not? Administrativeinforma tion Version, Serial Number Extended Information Does SSL guarantee security of (say) credit numbers in electronic commerce? Why does SSL allow endpoints to use fake IDs? Figure 7.14 Figure 7.14 Hybrid Crypto in SSL Hybrid Crypto in SSL Performance of encryption and secure digest Performance of encryption and secure digest algorithms algorithms Why does SSL “change ciphers” during the handshake? Key size/hash size Extrapolated PRB optimized (bits) speed (kbytes/s) How does SSL solve the key distribution problem for (kbytes/sec.) symmetric crypto? TEA 128 700 - Is key exchange vulnerable to man-in-the-middle attacks? DES 56 350 7746 Triple-DES 112 120 2842 IDEA 128 700 4469 512 7 - RSA RSA 2048 1 - MD5 128 1740 62425 SHA 160 750 25162 Figure 7.19 Figure 7.19 Figure 7.20 Figure 7.20 SSL handshake configuration options SSL handshake configuration options SSL record protocol SSL record protocol Application data abcdefghi Fragment/combine Component Description Example abc def ghi Record protocol units Key exchange the method to be used for RSA with public-key Compress method exchange of a session key certificates Compressed units Cipher for data the block or stream cipher to be IDEA transfer used for data Hash MAC Message digest for creating message SHA function authentication codes (MACs) Encrypt Encrypted Transmit TCP packet 4
Recommend
More recommend