cs 356 lecture 27 internet security protocols
play

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review - PowerPoint PPT Presentation

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists


  1. CS 356 – Lecture 27 Internet Security Protocols Spring 2013

  2. Review • Chapter 1: Basic Concepts and Terminology • Chapter 2: Basic Cryptographic Tools • Chapter 3 – User Authentication • Chapter 4 – Access Control Lists • Chapter 5 – Database Security (skipped) • Chapter 6 – Malicious Software • Networking Basics (not in book) • Chapter 7 – Denial of Service • Chapter 8 – Intrusion Detection • Chapter 9 – Firewalls and Intrusion Prevention • Chapter 10 – Buffer Overflow • Chapter 11 – Software Security • Chapter 12 – OS Security • Chapter 22 – Internet Security Protocols

  3. Chapter 22 Internet Security Protocols and Standards

  4. MIME and S/MIME MIME S/MIME • extension to the old RFC • Secure/Multipurpose 822 specification of an Internet Mail Extension Internet mail format • security enhancement to – RFC 822 defines a simple the MIME Internet e-mail heading with To, From, format Subject – based on technology from – assumes ASCII text format RSA Data Security – provides a number of new – provides the ability to sign header fields that define and/or encrypt e-mail information about the body of messages the message

  5. MIME Content Types

  6. S/MIME Content Types

  7. Typical S/MIME Process Bob's private Alice's public One-time key key session key DhYz949avHVA t5UpjUXn8L79o ADnluV3vpuhE HMEcMBB1K9 This is an This is an Y8ZoJOYAmF2 S/MIME S/MIME BsIpLbjDkNJQR message from message from j98IklSSmju650 Bob to Alice. Bob to Alice. SoDlFkYYtTqw Bob will sign Bob will sign po9812KKlmHx and encrypt the and encrypt the cFGIU8700qQrR message before message before sdfgIUYTp0m8 sending it to sending it to H7G4FF32jkoN NNmj78uqwplH Plaintext message Digital signature Message with Encrypted copy Document converted (unisigned) added signature encrypted of session key to Radix-64 format (DSS/SHA) with one-time added session key (El Gamal) (Triple DES) Figure 22.1 Typical S/MIME Process

  8. S/MIME Cryptographic Algorithms • default algorithms used for signing messages are DSS and SHA-1 • RSA public-key encryption algorithm can be used with SHA-1 or the MD5 message digest algorithm for forming signatures • radix-64 or base64 mapping is used to map the signature and message into printable ASCII characters

  9. S/MIME Public Key Certificates • default algorithms used for encrypting S/ MIME messages are 3DES and EIGamal – EIGamal is based on the Diffie-Hellman public- key exchange algorithm • if encryption is used alone radix-64 is used to convert the ciphertext to ASCII format • basic tool that permits widespread use of S/MIME is the public-key certificate • S/MIME uses certificates that conform to the international standard X.509v3

  10. S/MIME Functions signed and enveloped clear- enveloped signed data data signed data data encrypted cleartext encoded nesting of content message + message + signed and and encoded signed encrypted associated signed digest entities keys digest

  11. DomainKeys Identified Mail (DKIM) • specification of cryptographically signing e-mail messages permitting a signing domain to claim responsibility for a message in the mail stream • proposed Internet Standard (RFC 4871: DomainKeys Identified Mail (DKIM) Signatures) • has been widely adopted by a range of e-mail providers

  12. Message transfer Message transfer Message transfer agent (MTA) agent (MTA) agent (MTA) SMTP SMTP (SMTP, SMTP local) Mail submission Mail delivery Message handling agent (MSA) agent (MDA) system (MHS) (SMTP, Internet SMTP local) Mail Message user Message store Message agent (MUA) (MS) Architecture author (IMAP, POP, local) Message Message user recipient agent (MUA) Figure 22.2 Function Modules and Standardized Protocols Used Between Them

  13. SMTP MTA MTA SMTP SMTP DNS Public key query/response MDA MSA DNS Example of Signer Verifier POP, IMAP SMTP DKIM Deployment MUA MUA Mail delivery Mail origination network network DNS = domain name system MDA = mail delivery agent MSA = mail submission agent MTA = message transfer agent MUA = message user agent Figure 22.3 Simple Example of DKIM Deployment

  14. Secure Sockets Layer (SSL) • one of the most widely used security services two implementation • general-purpose service choices: implemented as a set of protocols that rely on TCP provided as part • subsequently became of the underlying Internet standard protocol suite RFC2246: Transport Layer Security (TLS) embedded in specific packages

  15. SSL Protocol Stack SSL SSL Change SSL Alert HTTP Handshake Cipher Spec Protocol Protocol Protocol SSL Record Protocol TCP IP Figure 22.4 SSL Protocol Stack

  16. SSL Record Protocol Operation Application Data Fragment Compress Add MAC Encrypt Append SSL Record Header Figure 22.5 SSL Record Protocol Operation

  17. SSL Change Cipher Spec Protocol • one of three SSL specific protocols that use the SSL Record Protocol • is the simplest • consists of a single message which consists of a single byte with the value 1 • sole purpose of this message is to cause pending state to be copied into the current state • hence updating the cipher suite in use

  18. SSL Alert Protocol conveys SSL-related alerts alert messages are to peer entity compressed and encrypted if the level is fatal, SSL immediately terminates the connection first byte takes the value warning (1) or fatal (2) to convey the severity of the message other connections on the same session may continue, each message consists of but no new connections on two bytes: this session may be established second byte contains a code that indicates the specific alert

  19. SSL Handshake Protocol • most complex part of SSL • is used before any application data are transmitted • allows server and client to: negotiate negotiate authenticate encryption cryptographic each other and MAC keys to be algorithms used • comprises a series of messages exchanged by client and server • exchange has four phases

  20. Client Server c l i e n t _ h e l l o Phase 1 Establish security capabilities, including protocol version, session ID, cipher suite, SSL e ll o h _ e r compression method, and initial random v r s e numbers. c ate f i r t i c e Handshake e n g a h c e y_ex _ k e r e r v Phase 2 s Server may send certificate, key exchange, e st q u e e _ r a t c and request certificate. Server signals end i fi t r c e of hello message phase. Protocol se r v er _ h e llo_ d one Time c e r ti f i c a t e c li e nt_key_exc ha n g e Phase 3 Client sends certificate if requested. Client sends key exchange. Client may send c e r t i f i c a t e certificate verification. _ v e r i f y c h a n g e _ c i p h e r _ s p e c f in is hed Phase 4 Change cipher suite and finish c h a nge _c ip he r _s p e c handshake protocol. h ed i s n f i Note: Shaded transfers are optional or situation-dependent messages that are not always sent. Figure 22.6 Handshake Protocol Action

  21. HTTPS (HTTP over SSL) • combination of HTTP and SSL to implement secure communication between a Web browser and a Web server • built into all modern Web browsers – search engines do not support HTTPS – URL addresses begin with https:// – documented in RFC 2818, HTTP Over TLS – agent acting as the HTTP client also acts as the TLS client – closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection

  22. IP Security (IPsec) • various application security mechanisms – S/MIME, PGP, Kerberos, SSL/HTTPS • security concerns cross protocol layers • would like security implemented by the network for all applications • authentication and encryption security features included in next-generation IPv6 • also usable in existing IPv4

  23. IPsec • general IP • Provides: security mechanism s authentication confidentiality key management • assures that a • enables • provides the received packet communicating • concerned with was, in fact, nodes to encrypt capability to the secure transmitted by the messages to exchange of keys secure party identified as prevent • provided by the communications the source in the eavesdropping by Internet exchange packet header and third parties across a LAN, standard IKEv2 that the packet across private has not been and public altered in transit WANs, and across the Internet

  24. IPsec Uses

  25. Benefits of IPsec • when implemented in a firewall or router, it provides strong security to all traffic crossing the perimeter • in a firewall it is resistant to bypass • below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users • secures routing architecture

  26. The Scope of IPsec provides two main functions: • a combined authentication/ VPNs want encryption function both called Encapsulating Security Payload authentication (ESP) and • key exchange encryption function also an authentication- specificatio only function, n is quite implemented using an complex Authentication Header • numerous (AH) RFC’s 2401/4302/430 • because message 3/4306 authentication is provided by ESP, the use of AH is included in IPsecv3 for backward compatibility but should not be used in new applications

Recommend


More recommend