Hybrid scheme Kerberos Protocol � Public-key: nice solution for key distribution, but � Motivation : In a multi-national company, its computational expensive distributed information services are usually maintained by various business units (i.e., they are � Secret-key: efficient, but one requirement. in different network domains) in this company. � In applications (particularly, huge data), a hybrid � To secure use of these services, a user needs various scheme is used credentials for her/him to be authenticated to use these � Easy of key distribution different services. � Efficiency � However, it would be unrealistic and uneconomic to � Example require a user to maintain several different credentials. � � Solution: Kerberos Authentication Protocol � RSA+DES, or RSA+TDES is basic mode for secure sockets layer (SSL) protocol. � The basic idea � Used in Web server and popular Web browser such as � use a trusted third party (centralized authentication server) Netscape and IE. to authenticate users to services, and authenticate servers � In SSL protocol, the initiator (Web client) … … to users. And issue a shared session key between the user and the server. � Its limitation � Two-server structure: scalable. � the session key is generated by one side � No public-key encryption � the client is initiator and is weak in generation of real randomness. � Based on a timestamp version of the Needham- � Solution: Diffie-Hellman key exchange protocol Schroeder protocol. 1 2 1
Needham-Schroeder protocol Kerberos protocol � Two Key Distribution Centers (KDC): AS, TGS. � Client initiates a request to Authentication server � (AS) Two types of tickets: ticket-granting ticket (TGT), service-granting ticket (SGT). � AS provides a “ticket-granting” service by issuing � AS Exchange a session key, and delivers the session key in two � 1. Client C requests a TGT (on behalf of the user U ) by “ticket” messages. sending its user’s ID and TGS ID to AS. � With the tickets, client can ask the server for � 2. AS replies with a encrypted TGT, which is used by service. the client C later in a TGS Exchange. � 2.1 When message arrives, C asks U for the password, generates the key, and decrypt the incoming message. � Problem: � TGT has two parts: one part is for the client; the other � User C may access services many times after login. part is for TGS. � User C need a new ticket for every different service. � Each part contains the session key to be shared between � C and TGS. Also, timestamp + lifetime. Ticket-granting server (TGS) in Kerberos � Analysis � Three sub-protocols in Kerberos � Encrypted: prevent modification The Authentication Service Exchange (AS Exchange). � � Timestamp + lifetime: avoid replay • Once per user logon session � Within its lifetime, C can reuse this TGT to ask for The Ticket-Granting Service Exchange (TGS � service from particular TGS. Exchange). � TGS Exchange • Once per type of service � AP Exchange � The Client/Server Authentication Application Exchange (AP Exchange). 3 4 2
Kerberos protocol Web security � Threats � AS Exchange � � Integrity TGS Exchange • modification of user data, memory � loss of 3. C requests a SGT (on behalf of the user U ) by � sending its user’s ID, Server S ID, and TGT to AS. information. � 4. TGS decrypts the TGT and verifies it (ID, lifetime). • Encryption checksums Then issues a encrypted SGT to C. � Confidentiality � SGT has the same structure as TGT. • Steal info from client, server, Net � loss of privacy. � Each part contains another session key to be shared • Encryption between C and S. Also, timestamp + lifetime. � Denial of service � AP Exchange • Killing of user threads, flooding machine with huge � 5. C requests access to a service (on behalf of the user number of requests, filling up disk or memory � U ), with User ID, and the SGT. prevent user from getting work done � Why two Key Distribution Centers: AS and TGS? • Difficult to prevent User doesn’t need to reenter password for different � � Authentication services. (binding password to a TGT) • Pretend to be a different one � belief in false � Application servers belong to different network domains, organized by different TGS in different information domains. Similarly, a fixed user may use one fixed AS. • Authentication protocols, using encryption In this protocol, this user can be served by many TGSs techniques. and as a result, can be severed by a large number of � Another way to classify Web security threats: location of application servers. threat � Web server Computer system security � Web browser 5 6 � Network traffic between browser and server. 3
Web traffic security approaches Transport Layer Security (TLS) � Supported by most Web browsers, Web servers. It � IP Security (IPSec) is widely used to secure HTTP interactions such as � secure network from unauthorized monitoring network Internet commerce, and other security-sensitive traffic, and secure computer-to-computer traffic applications. � authentication and encryption mechanisms � FTP, Telnet, and so on. � contained in IPv6, and can be used in IPv4. � Two main features: � Benefits of IPSec • Transparent to applications, end users. � Negotiable encryption and authentication • Provides a filtering capability algorithms • A general-purpose solution � Bootstrapped secure communication � Another relative general-purpose solution: security � Two layers just above TCP � TLS Record Protocol � Transport Layer Security (TLS) (or Secure Sockets Layer � TLS Handshake Protocol SSL) � SSL Session vs. SSL Connection � Two implementation choices � A SSL session is an association between a client • Part of the underlying protocol suite � transparent to and a server. Sessions are created by Handshake applications Protocol. • Embedded in specific packages. • Ex: Web browser is equipped with SSL, Web server � A SSL connection is similar to TCP connection. implements the protocol. Every connection is associated with one session. � Application-specific security services � Usually, there is one session between two � For particular application, satisfy the specific needs of a parties, and there may be multiple secure given application. connections between them. 7 8 � S/MIME for e-mail application; SET for Web security. 4
Transport Layer Security (TLS) TLS Record Protocol � Parameters in a session state � Runs on top of a connection-oriented protocol: TCP; � Session ID: an arbitrary byte sequence chosen by the server. � provides two services for SSL connections � Certificates: may be null � confidentiality, integrity. � Compression method: i.e. Zip; compress data before � Keys for symmetric encryption and keys used to form encryption MAC are generated by the TLS Handshake Protocol. � CipherSpec: encryption algorithm (such as null, DES, � Input: a message to be transmitted. etc.), a hash algorithm (such as SHA-1, MD5) for MAC � Its operations: fragment data into blocks; compress calculation. data (optionally); apply a MAC for data-integrity; � Master secret: 48-byte secret shared between client and server. encrypt for confidentiality; append SSL record � Parameters in a connection state header; and transmit the result to the receiving process. � Server and client random: chosen for each connection � MAC secret at Server side: the secret key is used in MAC � Content Type (8 bits): indicates the higher-layer protocol operations on data � Major Version (8 bits): � MAC secret at Client side � Minor Version (8 bits): � Server write key: conventional encryption key � Compressed length (16 bits): length in bytes of � Client write key compressed message. � Initial vectors: when a block cipher in CBC mode is used � At the receiving side, it receives cipher data blocks, decrypts them, verifies the MAC, optionally decompressed, reassembles the blocks and delivers the result to higher level application processes. 9 1 0 5
Recommend
More recommend
