BINF 711 Amr El Mougy Sherif Ismail ** Slides attributed to W. Stallings
Lecture (8) Internet Security
Internet Security Protocols and Standards Secure Sockets Layer (SSL) / Transport Layer Security (TLS) IPv4 and IPv6 Security
Secure Sockets Layer (SSL) Transport layer security service originally developed by Netscape version 3 designed with public input Subsequently became Internet standard RFC2246: Transport Layer Security (TLS) Use TCP to provide a reliable end-to-end service May be provided in underlying protocol suite Or embedded in specific packages
Secure Sockets Layer (SSL) SSL identifies two main concepts: Session: an association between client and server that defines security parameters. Created by the Handshake Protocol Connection: A transport within a session supporting particular services. Every connection is associated with one session A client and a server may have more than one connection within a session They may also have several sessions but this is not common
SSL Record Protocol Services Message integrity using a MAC with shared secret key Confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption
Record Protocol Operation
SSL Handshake Protocol Allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used Comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish
SSL Handshake Protocol
Change Cipher Spec Protocol One of 3 SSL specific protocols which use the SSL Record protocol A single message Causes pending state to become current Hence updating the cipher suite in use
SSL Alert Protocol Conveys SSL-related alerts to peer entity Severity warning or fatal Specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown Compressed & encrypted like all SSL data
HTTPS HTTP over SSL or TLS Uses port 443 instead of port 80 When HTTPS is used, the following are encrypted: URL of requested object Contents of object Contents of browser forms (filled in by user) Cookies HTTP header The client initiates the SSL/TLS session and connection Once the handshake is complete, the HTTP request can be sent Multiple TCP connections can be established in one session
IPSec Scheduled to be integral component of IPv6, optional in IPv4 Supports strong authentication and encryption at layer 3 Bi-directional tunnel Packet filtering is primary access control method Requires Public Key Infrastructure (PKI)
IPSec Uses
IPSec Functionality Functionality AH (Authentication Header): integrity and authenticity ESP (Encrypted Security Payload): confidentiality, optional authentication & integrity Security Association (for each pair of hosts): determined by destination IP address and the SPI (Security Parameters Index) Specification of the crypto methods to be used by SPI Keys to be used by the crypto methods for that SPI The hosts and other entities associated with this traffic Key Management Manual Keying (required) Key Management Protocols (in flux)
IPSec Modes Transport Mode: Tunnel mode: Provides protection to the payload of the packet (everything that comes after the IP header). Thus, headers are not encrypted Typically used for end-to-end communications between hosts Tunnel mode: Provides protection to the whole packet After AH or ESP headers are added, the entire packet plus the new headers are encrypted New outer IP header is then added Routers in the middle do not read the internal headers Used when one or both ends of the security association is a gateway, not a host
Combining Security Associations
Security Policy (SP) and Security Association (SA) SA is a one-way relationship between sender & receiver that affords security for traffic flow Defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier Has a number of other parameters seq no, AH & EH info, lifetime etc. SP determines how traffic in an SA is handled
IP Traffic Processing IPSec Architecture Inbound Packets Outbound Packets Inbound Packets
Authentication Header Provides data integrity and authentication Prevents source address spoofing Based on MAC Scope covers payload and parts of the IP header
Encapsulating Security Payload Header Provides confidentiality and optional integrity Based on symmetric encryption techniques (AES) Scope depends on transport or tunnel modes
Whatsapp End-to-End Encryption Link encryption: data is visible to the server End-to-end encryption: data is encrypted in the server
Whatsapp End-to-End Encryption New encryption system supports regular and group chats, images, videos, voice messages, files, and voice calls At the center of this system is the new “Signal Protocol” developed by Open Whisper Systems Even if a user’s key is physically compromised from a device, an attacker cannot decrypt previously encrypted messages
The Signal Protocol: Keys Each user has three types of public keys: Long-term identity key generated at installation Medium-term key generated at installation and rotated periodically. The medium-term key is signed by the identity key One-time key: generated as needed In addition, there are three types of session keys: Root key: 32-byte value used to create chain keys Chain key: 32-byte value used to create message keys Message key: 80-byte value used to encrypt messages. Out of these 80 bytes, 32 are used for AES 256, another 32 are used for HMAC-SHA256, and 16 bytes IV
The Signal Protocol: Operation At registration time, the client sends the public identity key, public medium-term key (signed by the private identity key) , and a set of one-time keys The private keys are never sent To chat with someone you need to establish a session (any open whatsapp chat is a session) A session does not need to be re-established unless the app is re-installed
The Signal Protocol: Operation To establish a session, the initiator requests the public keys of the recipient from the server (identity key, signed medium term key, and one of the stored one-time keys) Once the server returns those keys, the initiator generates a new key and uses its own identity key in addition to the recipient’s public keys to calculate a master secret (using an algorithm similar to Diffie Hellman). The master secret is then used to create a root key and a chain key using a key derivation function
The Signal Protocol: Operation Now, the initiator can start sending messages to the recipient, even if he/she is offline To establish the session at the receiving end, the initiator inserts all values necessary for the receiver to calculate the root and chain keys in the header of all messages The receiver uses this information together with its own private keys to calculate the master secret The master secret is used as input to the key-derivation function to calculate the root and chain keys
The Signal Protocol: Operation Each message is encrypted with a message key that includes AES256 encryption and HMAC-SHA256 for integrity and authentication Each time a new message needs to be sent, a new message key is derived from the chain key The message key cannot be derived from the message The chain key is also rotated every time a message is sent
The Signal Protocol: Special Functions To transmit media, the sender first saves it in an encrypted cloud store The sender then sends an encrypted pointer to the receiver to download the media Group messages in whatsapp are disseminated using server-side fan out (message is copied N times) Pairwise sessions are created between all members of the group Each of these sessions has a different chain key used to create message keys Thus, the sender encrypts the message N times (one for each member) and the server sends them Calls are established using encrypted RTP