Trivial Internet weaknesses with solutions proposal (“A global initiative”, Part 1: Focusing on e-mail), by Ram Narula

Presentation transcript:

Trivial Internet weaknesses with solutions proposal (“A global initiative”, Part 1: Focusing on e-mail). Ram Narula, for presentation at APNIC 20 in Hanoi.

Simple Mail Transfer Protocol (SMTP)
- “THE PROTOCOL” for e-mail communication
- Generally does everything in plain text (no data encryption) for server-to-server communication
- Open to sniffing and man-in-the-middle attacks
- Generally performs no authentication of the sending or the receiving server

What does this mean?
- When you send e-mail to your SMTP server and your server relays it to the recipient's SMTP server, the message is not encrypted. Anyone (or any router) on the path between them can read your message and alter it in transit (man-in-the-middle / session hijack).
- Want to see how many routers your message passes through? Run a traceroute from your SMTP server to the recipient's SMTP server (hidden routers and firewalls will not even show up!)

Sample traceroute result from Bangkok to APNIC's SMTP server: 17 hops!

    $ traceroute kombu.apnic.net -q 1
    traceroute to kombu.apnic.net (…) from 203.xxx.xxx.xxx, 30 hops max, 38 byte packets
     1  …xxx.xxx.xxx (203.xxx.xxx.xxx)  … ms
     2  …xxx.xxx.xxx (203.xxx.xxx.xxx)  … ms
     3  …xxx.xxx (…xxx.xxx)  … ms
     4  (…)  … ms
     5  global.hgc.com.hk (…)  … ms
     6  global.hgc.com.hk (…)  … ms
     7  (…)  … ms
     8  (…)  … ms
     9  peer.hgc.com.hk (…)  … ms
    10  i-3-4.wwh-dist02.net.reach.com (…)  … ms
    11  i-5-1.wwh-core01.net.reach.com (…)  … ms
    12  i-7-1.syd-core01.net.reach.com (…)  … ms
    13  10GigabitEthernet5-0.pad-core4.Sydney.telstra.net (…)  … ms
    14  10GigabitEthernet9-0.chw-core2.Sydney.telstra.net (…)  … ms
    15  Pos2-0.cha-core4.Brisbane.telstra.net (…)  … ms
    16  GigabitEthernet5-1.cha23.Brisbane.telstra.net (…)  … ms
    17  apnic1-new.lnk.telstra.net (…)  … ms !X

(Addresses and round-trip times are elided in the transcript; the first hops are masked. The trailing !X is traceroute's marker for an ICMP "communication administratively prohibited" reply from the last hop.)

Example of an attack

Another example of an attack

Not a new problem
- This is not a new problem, it is just being overlooked
- It needs more attention
- Solutions exist
- People will not understand, or want to understand, the problem until something bad happens
- S/MIME, PGP and TLS (Transport Layer Security) implementations are not new

Solution for end-to-end encryption
- Use S/MIME or PGP to encrypt the e-mail
- Problems
  - Both sender and receiver must be ready to use S/MIME or PGP (a problem for general use)
  - Man-in-the-middle issues: “Jack the hacker” on the path can still gather the headers, including subject, time of the e-mail, internal corporate network information, mail software names and versions, etc. (S/MIME and PGP protect the message body, not the SMTP envelope or headers)

Another approach: TLS is not new
- Implement TLS (Transport Layer Security) in all SMTP servers, on both the sending and the receiving side
- With TLS, all SMTP communication between SMTP servers is encrypted
- With proper digital certificates, SMTP servers can also authenticate each other's identity. This would also help reduce spam, as unregistered/unsigned SMTP servers would not be able to operate.
- S/MIME and PGP users are not affected
- Problem: new SMTP servers would have to wait for certificate signing before they can operate

Implementation
- An entity responsible for registering and signing SMTP server certificates would have to be established (could be similar to the RIR/NIR/LIR structure)
- A (small) payment would be collected from SMTP server owners for registration and signing (to ensure seriousness in operating the server)
- A cut-off date would have to be set: no fall-back to non-TLS after a given date (e.g. 1 December 2006)

Technical implementation for UNIX/Linux platforms
- Sendmail: “STARTTLS” by Claus Assmann
- Postfix: “Postfix TLS Support” by Lutz Janicke and Wietse Venema
- Exim: “Including TLS/SSL encryption support” by the Exim team (…/doc/html/spec_4.html#SECT4.6)

Technical implementation for Windows platforms
- Microsoft Exchange: “How to Help Protect SMTP Communication by Using the Transport Layer Security Protocol in Exchange Server”, Microsoft Corporation (Knowledge Base article 829721)

…:-)…

    $ telnet maila.microsoft.com smtp
    Trying …
    Connected to maila.microsoft.com.
    Escape character is '^]'.
    220 IGR-IMC-01.redmond.corp.microsoft.com … Thu, 11 Aug … :xx:xx …
    EHLO x
    250-IGR-IMC-01.redmond.corp.microsoft.com Hello [203.xxx.xxx.xxx]
    250-TURN
    250-SIZE
    250-ETRN
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-8bitmime
    250-BINARYMIME
    250-CHUNKING
    250-VRFY
    250-X-LINK2STATE
    250-XEXCH…
    250 OK
    STARTTLS
    … Unable to initialize security subsystem

When this was captured, Microsoft's own inbound mail server did not list STARTTLS among its EHLO capabilities, and issuing STARTTLS anyway failed.

Issues with TLS?
- The entity that signs the certificates must be trusted by all SMTP servers
- It does not provide end-to-end encryption (unlike S/MIME or PGP); it only secures the SMTP hop between servers
- A certificate revocation mechanism must exist, and short-lived certificates should be considered
- Additional cost for set-up and maintenance
- Requires additional processing power and bandwidth
- Could be illegal where encryption is prohibited

Cost vs. benefit
- Similar cost/benefit view as for web-based SSL(?)
- Security and privacy taken to the next level
- SMTP servers would have legal owners
- How much spam would the admin of a registered server be willing to tolerate?
- Comments? What do you think?

SMTP-TLS summary
- Advantages / plus side of implementation
  - Authenticity of SMTP servers could be confirmed
  - Increased privacy and security for users
  - Spam reduction, as all SMTP servers would have to be registered and hold a signed certificate
- Disadvantages / hurdles
  - An entity to handle registration would have to be formed for every region (creating more jobs :-)
  - More admin work to maintain SMTP servers and certificates
  - All SMTP servers would have to trust the signer
  - Higher processing and bandwidth requirements
  - SMTP server registration and certificate costs

Why should TLS be implemented on a global scale?
- Makes e-mailing safer and more private without end-user involvement
- Makes e-mail communication traceable and more reliable
- Helps reduce spam

…:-)…

    $ telnet kombu.apnic.net smtp
    Trying …
    Connected to kombu.apnic.net.
    Escape character is '^]'.
    220 kombu.apnic.net ESMTP Postfix
    EHLO x
    250-kombu.apnic.net
    250-PIPELINING
    250-SIZE …
    250-VRFY
    250-ETRN
    250 8BITMIME
    STARTTLS
    502 Error: command not implemented

APNIC's own Postfix server: no STARTTLS in the capability list, and the command is rejected outright.
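Both telnet sessions above do by hand what a mail administrator should automate: EHLO, look for STARTTLS in the capability list, and see whether the upgrade actually succeeds. The script below is an added example written for this page, not code from the original slides. It performs the same exchange over a raw socket and, unlike a default mail client, fails closed: if STARTTLS is missing from EHLO (whether the server lacks it or someone on the path stripped it) or is rejected, it refuses to continue in plaintext, which is what the "no fall-back" cut-off proposed in the slides means in practice. After the upgrade it verifies the server certificate against the system trust store and re-issues EHLO, as RFC 3207 requires. The two sample EHLO replies are constructed (modelled on the sessions shown; the SIZE value, the host mx.example.net and the client name probe.example.invalid are made up), so the parsing functions run offline; probe_starttls needs network access to a real server.

```python
"""Probe an SMTP server for STARTTLS the way the telnet sessions do, but fail
closed: never continue in plaintext when TLS is missing or rejected.
Added example for this page; not code from the original presentation."""
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed EHLO replies modelled on the telnet sessions in the slides.
# The SIZE value and the host mx.example.net are made up for illustration.
SAMPLE_EHLO_NO_TLS = (
    "250-kombu.apnic.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-VRFY\r\n250-ETRN\r\n250 8BITMIME\r\n"
)
SAMPLE_EHLO_TLS = (
    "250-mx.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n"
)


def parse_reply(raw: str) -> Tuple[int, List[str]]:
    """Split an SMTP reply into (code, [line bodies]).
    Continuation lines look like 'NNN-text', the final line like 'NNN text'."""
    code, bodies = None, []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            continue                      # ignore anything that is not a reply line
        code = int(line[:3])
        bodies.append(line[4:])
    if code is None:
        raise ValueError(f"not an SMTP reply: {raw!r}")
    return code, bodies


def ehlo_capabilities(raw_ehlo_reply: str) -> Dict[str, str]:
    """EHLO reply -> {KEYWORD: parameters}; the first body line is the greeting."""
    code, bodies = parse_reply(raw_ehlo_reply)
    if code != 250:
        raise ValueError(f"EHLO rejected with {code}: {bodies}")
    caps: Dict[str, str] = {}
    for body in bodies[1:]:
        keyword, _, params = body.strip().partition(" ")
        if keyword:
            caps[keyword.upper()] = params
    return caps


def read_reply(sock) -> str:
    """Read one complete SMTP reply: keep reading until the last line has a
    space (not '-') after the three-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) == 3 or (len(last) > 3 and last[3:4] == b" "):
                return buf.decode("ascii", "replace")


def probe_starttls(host: str, port: int = 25, client_name: str = "probe.example.invalid",
                   timeout: float = 10.0) -> Dict[str, object]:
    """Connect, EHLO, require STARTTLS, verify the certificate, EHLO again.
    client_name is a hypothetical name for the probing host."""
    ctx = ssl.create_default_context()    # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, bodies = parse_reply(read_reply(sock))
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {bodies}")
        sock.sendall(f"EHLO {client_name}\r\n".encode("ascii"))
        caps = ehlo_capabilities(read_reply(sock))
        if "STARTTLS" not in caps:
            # No fall-back: a missing (or stripped) STARTTLS is a hard failure.
            raise RuntimeError(f"{host} offers no STARTTLS; refusing plaintext")
        sock.sendall(b"STARTTLS\r\n")
        code, bodies = parse_reply(read_reply(sock))
        if code != 220:
            raise RuntimeError(f"STARTTLS refused: {code} {bodies}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # RFC 3207: forget everything learned in plaintext and EHLO again.
            tls.sendall(f"EHLO {client_name}\r\n".encode("ascii"))
            tls_caps = ehlo_capabilities(read_reply(tls))
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_subject": cert.get("subject"),
                "capabilities_after_tls": sorted(tls_caps),
            }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))   # e.g. python3 probe.py mx.example.net
    else:
        for sample in (SAMPLE_EHLO_NO_TLS, SAMPLE_EHLO_TLS):
            print(sorted(ehlo_capabilities(sample)))
```

Run against a host name to get the negotiated protocol version, cipher and certificate subject, or an exception naming the exact step that failed; the capability list is re-read after the upgrade because anything advertised before STARTTLS could have been altered on the wire.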

Sample of TLS implementation

End of SMTP part

File Transfer Protocol (FTP)
- Widely used, implemented in web browsers
- Communicates in plain text (no encryption) for everything, including username, password and files
- Vulnerable to sniffing and man-in-the-middle attacks (session hijack)
- (Not as popular as e-mail and the web)

FTP solutions
- Two major approaches:
  - FTP over TLS/SSL: secure, but not popular yet
  - SFTP (file transfer over the SSH protocol): secure, but not widely used except by SSH users (seems to be more popular than FTP over TLS/SSL)
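The two halves of the FTP problem, as an added example written for this page (not code from the original slides): first, what a sniffer between an FTP client and server sees during a plaintext login, a constructed control-channel capture (host, account, password and file name are all made up) fed to a small parser; second, the hardened client using Python's ftplib FTP_TLS, i.e. the FTP-over-TLS approach from this slide with explicit AUTH TLS, certificate verification and PROT P so that the data channel is encrypted too. The plain ftplib.FTP client is shown beside it for contrast. The two connection functions need a reachable server and are not exercised offline.

```python
"""Plaintext FTP versus FTP over TLS (RFC 4217).
Added example for this page; not code from the original presentation."""
import ftplib
import re
import ssl
from typing import Dict, List

# Constructed capture of an FTP control channel as seen by anyone on the path
# (C: = client, S: = server). Host, account, password and file name are made up.
SAMPLE_PLAINTEXT_SESSION = """\
S: 220 ftp.example.net FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: TYPE I
S: 200 Type set to I
C: RETR payroll.xls
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""


def extract_ftp_credentials(capture: str) -> List[Dict[str, object]]:
    """Recover USER/PASS pairs and the files requested from a plaintext FTP
    control stream in the 'C: <command>' layout above. There is nothing clever
    here, which is exactly the point: the protocol hands the secrets over."""
    sessions: List[Dict[str, object]] = []
    current: Dict[str, object] = {"user": None, "password": None, "files": []}
    for line in capture.splitlines():
        m = re.match(r"^C:\s*(\S+)(?:\s+(.*))?$", line)
        if not m:
            continue                      # server lines carry no credentials
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if cmd == "USER":
            if current["user"] is not None:   # a second login in the same stream
                sessions.append(current)
                current = {"user": None, "password": None, "files": []}
            current["user"] = arg
        elif cmd == "PASS":
            current["password"] = arg
        elif cmd in ("RETR", "STOR"):
            current["files"].append(arg)  # type: ignore[attr-defined]
    if current["user"] is not None:
        sessions.append(current)
    return sessions


def open_plain_ftp(host: str, user: str, password: str) -> ftplib.FTP:
    """The weak form: USER, PASS and every file cross the wire in the clear."""
    ftp = ftplib.FTP(host, timeout=10.0)
    ftp.login(user, password)
    return ftp


def open_ftps(host: str, user: str, password: str, port: int = 21) -> ftplib.FTP_TLS:
    """The hardened form (explicit FTP over TLS):
    - AUTH TLS upgrades the control channel before any credential is sent;
    - ssl.create_default_context() verifies the chain and host name (ftplib's
      default context does not verify);
    - PROT P encrypts the data channel too; without it, listings and file
      contents still travel in plaintext even though the login was protected."""
    ctx = ssl.create_default_context()
    ftps = ftplib.FTP_TLS(context=ctx, timeout=10.0)
    ftps.connect(host, port)
    ftps.auth()
    ftps.login(user, password)
    ftps.prot_p()
    return ftps


if __name__ == "__main__":
    for s in extract_ftp_credentials(SAMPLE_PLAINTEXT_SESSION):
        print(f"user={s['user']} password={s['password']} files={s['files']}")
```

The same parser applied to a real "follow TCP stream" dump from tcpdump or Wireshark gives the same result, which is why the slide's "sniffing" bullet is not theoretical; and the order of calls in open_ftps matters: auth() before login(), and prot_p() before any transfer.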

Internet Explorer support for FTP
- Internet Explorer 6 (the world's most popular browser) accepts ftps:// and sftp:// URLs but simply reverts to ftp:// and shows: “FTP does not encrypt or encode passwords or data before sending them to the server. To protect the security of your passwords and data, use Web Folders (WebDAV) instead”

Technical implementation
- General implementation, with a list of SSL/TLS-capable FTP servers and clients
- SFTP (SSH-based): …nguide/32/SFTP_Server.html
- Microsoft IIS: there seems to be no direct support for this. Instead of SSL/TLS for FTP, WebDAV (World Wide Web Distributed Authoring and Versioning) seems to be preferred.

References
- “RFC … SMTP Service Extension for Secure SMTP over TLS”
- “S/MIME and OpenPGP”, Internet Mail Consortium
- “Filling SMTP gaps -- The secrets to using standards” by Joel Snyder (…499,00.html)
- “SSL versus TLS versus STARTTLS” by Jeremy Mates
- “Browsers Statistics” by Refsnes Data

Supporters/sponsorship
- This presentation has been created independently
- Any supporters?
- Please e-mail me at …