Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csc 8222 Network Security Web and Transport-level Security

Published byMiranda Norman Modified over 9 years ago

Similar presentations

Presentation on theme: "Csc 8222 Network Security Web and Transport-level Security"— Presentation transcript:

1 Csc 8222 Network Security Web and Transport-level Security
WenZhan Song Cryptography and Network Security

2 Web security See the top 10 security issues in web applications: Cryptography and Network Security

3 Introduction Introduction Presentation of SSL
The inner workings of SSL Attacks on SSL HTTPS vs S-HTTP Comparison with SSL/TLS Attacks on S-HTTP Other aspects of Web security TLS IPSec, Kerberos, SET Conclusion Cryptography and Network Security

4 Web Security Web now widely used by business, government, individuals
but Internet & Web are vulnerable have a variety of threats integrity confidentiality denial of service authentication need added security mechanisms Cryptography and Network Security

5 SSL (Secure Socket Layer)
transport layer security service originally developed by Netscape version 3 designed with public input subsequently became Internet standard known as TLS (Transport Layer Security) uses TCP to provide a reliable end-to-end service SSL probably most widely used Web security mechanism. Its implemented at the Transport layer; cf IPSec at Network layer; or various Application layer mechanisms eg. S/MIME & SET (later). Cryptography and Network Security

6 SSL: Secure Sockets Layer
widely deployed security protocol supported by almost all browsers, web servers https billions $/year over SSL original design: Netscape, 1993 variation -TLS: transport layer security, RFC 2246 provides confidentiality integrity authentication original goals: Web e-commerce transactions encryption (especially credit-card numbers) Web-server authentication optional client authentication minimum hassle in doing business with new merchant available to all TCP applications secure socket interface Network Security

7 SSL and TCP/IP Application Application SSL TCP TCP IP IP
Normal Application Application SSL TCP IP with SSL SSL provides application programming interface (API) to applications C and Java SSL libraries/classes readily available SSL has two layers of protocols Network Security

8 SSL Architecture Stallings Fig 17-2. Cryptography and Network Security

9 SSL Architecture SSL session SSL connection
an association between client & server created by the Handshake Protocol define a set of cryptographic parameters may be shared by multiple SSL connections SSL connection a transient, peer-to-peer, communications link associated with 1 SSL session Cryptography and Network Security

10 SSL Architecture Everything henceforth is encrypted TCP Fin follow
handshake: ClientHello handshake: ServerHello handshake: Certificate handshake: ServerHelloDone handshake: ClientKeyExchange ChangeCipherSpec handshake: Finished application_data Alert: warning, close_notify Everything henceforth is encrypted TCP Fin follow Network Security

11 SSL Record Protocol confidentiality message integrity
using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption message integrity using a MAC with shared secret key similar to HMAC but with different padding SSL Record Protocol defines these two services for SSL connections. Cryptography and Network Security

12 SSL Record Protocol data fragment and compress MAC fragment encrypted
data and MAC record header fragment and compress record header: content type; version; length MAC: includes sequence number, MAC key Mx fragment: each SSL fragment 214 bytes (~16 Kbytes) Network Security

13 Figure 6. 3 indicates the overall operation of the SSL Record Protocol
Figure 6.3 indicates the overall operation of the SSL Record Protocol. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled before being delivered to higher-level users. The first step is fragmentation. Each upper-layer message is fragmented into blocks of 214 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default compression algorithm is null. The next step in processing is to compute a message authentication code over the compressed data. For this purpose, a shared secret key is used. Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed For stream encryption, the compressed message plus the MAC are encrypted. Note that the MAC is computed before encryption takes place and that the MAC is then encrypted along with the plaintext or compressed plaintext. For block encryption, padding may be added after the MAC prior to encryption. The padding is in the form of a number of padding bytes followed by a onebyte indication of the length of the padding. The total amount of padding is the smallest amount such that the total size of the data to be encrypted (plaintext plus MAC plus padding) is a multiple of the cipher’s block length. An example is a plaintext (or compressed text if compression is used) of 58 bytes, with a MAC of 20 bytes (using SHA-1), that is encrypted using a block length of 8 bytes (e.g., DES). With the padding-length byte, this yields a total of 79 bytes. To make the total an integer multiple of 8, one byte of padding is added.

14 The final step of SSL Record Protocol processing is to prepare a header consisting
of the following fields: • Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment. • Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3. • Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0. • Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is The content types that have been defined are change_cipher_spec , alert , handshake , and application_data . The first three are the SSL-specific protocols, discussed next. Note that no distinction is made among the various applications (e.g., HTTP) that might use SSL; the content of the data created by such applications is opaque to SSL. Figure 6.4 illustrates the SSL record format.

15 The Change Cipher Spec Protocol is one of the three SSL-specific protocols that
use the SSL Record Protocol, and it is the simplest. This protocol consists of a single message (Figure 6.5a), which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes (Figure 6.5b). The first byte takes the value warning (1) or fatal (2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. Other connections on the same session may continue, but no new connections on this session may be established. The second byte contains a code that indicates the specific alert. The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server. All of these have the format shown in Figure 6.5c.

16 Toy SSL: a simple secure channel
handshake: Alice and Bob use their certificates, private keys to authenticate each other and exchange shared secret key derivation: Alice and Bob use shared secret to derive set of keys data transfer: data to be transferred is broken up into series of records connection closure: special messages to securely close connection Network Security

17 Toy: A simple handshake
hello certificate KB+(MS) = EMS MS = master secret EMS = encrypted master secret Network Security

18 Toy: Key derivation Considered bad to use same key for more than one cryptographic operation use different keys for message authentication code (MAC) and encryption four keys: Kc = encryption key for data sent from client to server Mc = MAC key for data sent from client to server Ks = encryption key for data sent from server to client Ms = MAC key for data sent from server to client keys derived from key derivation function (KDF) takes master secret and (possibly) some additional random data and creates the keys Network Security

19 Toy: Data Records why not encrypt data in constant stream as we write it to TCP? where would we put the MAC? If at end, no message integrity until all data processed. E.g., with instant messaging, how can we do integrity check over all bytes sent before displaying? instead, break stream in series of records Each record carries a MAC Receiver can act on each record as it arrives issue: in record, receiver needs to distinguish MAC from data want to use variable-length records length data MAC Network Security

20 Toy: Sequence Numbers attacker can capture and replay record or re-order records solution: put sequence number into MAC: MAC = MAC(Mx, sequence||data) Note: no sequence number field attacker could still replay all of the records use random nonce Network Security

21 Toy: Control information
truncation attack: attacker forges TCP connection close segment One or both sides thinks there is less data than there actually is. solution: record types, with one type for closure type 0 for data; type 1 for closure MAC = MAC(Mx, sequence||type||data) length type data MAC Network Security

22 Toy SSL: summary hello certificate, nonce KB+(MS) = EMS
type 0, seq 1, data type 0, seq 2, data type 0, seq 3, data type 1, seq 4, close type 1, seq 2, close bob.com encrypted Network Security

23 Toy SSL isn’t complete how long are fields?
which encryption protocols? want negotiation? allow client and server to support different encryption algorithms allow client and server to choose together specific algorithm before data transfer Network Security

24 SSL Cipher Suite cipher suite SSL supports several cipher suites
public-key algorithm symmetric encryption algorithm MAC algorithm SSL supports several cipher suites negotiation: client, server agree on cipher suite client offers choice server picks one Common SSL symmetric ciphers DES – Data Encryption Standard: block 3DES – Triple strength: block RC2 – Rivest Cipher 2: block RC4 – Rivest Cipher 4: stream SSL Public key encryption RSA Network Security

25 SSL Handshake Protocol
allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish Cryptography and Network Security

26 General purpose Two step process:
Handshake : exchange private keys using a public key encryption algorithm Data transmission: exchange the required data using a private key encryption Cryptography and Network Security

27 SSL Handshake Protocol
Stallings Fig 17-6. Cryptography and Network Security

28 Table 6.2 SSL Handshake Protocol Message Types
Each message has three fields: • Type (1 byte): Indicates one of ten messages. Table 6.2 lists the defined message types. • Length (3 bytes): The length of the message in bytes. • Content (# 0 bytes): The parameters associated with this message; these are listed in Table 6.2. Table 6.2 SSL Handshake Protocol Message Types

29 SSL Handshake client sends list of algorithms it supports, along with client nonce server chooses algorithms from list; sends back: choice + certificate + server nonce client verifies certificate, extracts server’s public key, generates pre_master_secret, encrypts with server’s public key, sends to server client and server independently compute encryption and MAC keys from pre_master_secret and nonces client sends a MAC of all the handshake messages server sends a MAC of all the handshake messages Network Security

30 Key derivation client nonce, server nonce, and pre-master secret input into pseudo random-number generator. produces master secret master secret and new nonces input into another random-number generator: “key block” Because of resumption: TBD key block sliced and diced: client MAC key server MAC key client encryption key server encryption key client initialization vector (IV) server initialization vector (IV) Network Security

31 SSL Handshake (cont.) last 2 steps protect handshake from tampering
client typically offers range of algorithms, some strong, some weak man-in-the middle could delete stronger algorithms from list last 2 steps prevent this Last two messages are encrypted Network Security

32 SSL Handshake (cont.) why two random nonces?
suppose Trudy sniffs all messages between Alice & Bob next day, Trudy sets up TCP connection with Bob, sends exact same sequence of records Bob (Amazon) thinks Alice made two separate orders for the same thing solution: Bob sends different random nonce for each connection. This causes encryption keys to be different on the two days Trudy’s messages will fail Bob’s integrity check Network Security

33 SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol a single message causes pending state to become current hence updating the cipher suite in use Cryptography and Network Security

34 SSL Alert Protocol conveys SSL-related alerts to peer entity severity
warning or fatal specific alert unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data Cryptography and Network Security

35 Attacks on SSL Certificate Injection Attack Man in the Middle
The list of trusted Certificate Authorities is altered Can be avoided by upgrading the OS or switching to a safer one. Man in the Middle Cipher Spec Rollback : regresses the public key encryption algorithms Version Rollback : regression from SSL 3.0 to weaker SSL 2.0 Algorithm rollback : modify public encryption method Truncation attack : TCP FIN|RST used to terminate connection Timing attack Can be avoided by randomly delaying the computations Brute force Can be used on servers that accept small key sizes: 40 bits for symmetric encryptions and 512 for the asymmetric one. Cryptography and Network Security

36 TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3 with minor differences in record format version number uses HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding Cryptography and Network Security

37 TLS TLS was developed by IETF to replace SSL version 3.
Based on SSL version 3, with some changes: Replaced FORTEZZA key exchange option with DSS. Include the hash method HMAC used by IPSec for authentication in IP headers. More differentiation between sub-protocols. TLS has mechanisms for backwards compatibility with SSL. Cryptography and Network Security

38 TLS TLS has about 30 possible cipher ‘suites’, combinations of key exchange, encryption method, and hashing method. Key exchange includes: RSA, DSS, Kerberos Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES, and AES Hashing: SHA and MD5 (Note: Some of the suites are intentionally weak export versions.) Cryptography and Network Security

39 HTTPS (HTTP over SSL) Refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server The HTTPS capability is built into all modern Web browsers A user of a Web browser will see URL addresses that begin with rather than If HTTPS is specified, port 443 is used, which invokes SSL Documented in RFC 2818, HTTP Over TLS There is no fundamental change in using HTTP over either SSL or TLS and both implementations are referred to as HTTPS When HTTPS is used, the following elements of the communication are encrypted: URL of the requested document Contents of the document Contents of browser forms Cookies sent from browser to server and from server to browser Contents of HTTP header HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server. The HTTPS capability is built into all modern Web browsers. Its use depends on the Web server supporting HTTPS communication. For example, some search engines do not support HTTPS. Google provides HTTPS as an option: The principal difference seen by a user of a Web browser is that URL (uniform resource locator) addresses begin with rather than A normal HTTP connection uses port 80. If HTTPS is specified, port 443 is used, which invokes SSL. When HTTPS is used, the following elements of the communication are encrypted: • URL of the requested document • Contents of the document • Contents of browser forms (filled in by browser user) • Cookies sent from browser to server and from server to browser • Contents of HTTP header HTTPS is documented in RFC 2818, HTTP Over TLS . There is no fundamental change in using HTTP over either SSL or TLS, and both implementations are referred to as HTTPS.

40 Connection Initiation
For HTTPS, the agent acting as the HTTP client also acts as the TLS client The client initiates a connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake When the TLS handshake has finished, the client may then initiate the first HTTP request All HTTP data is to be sent as TLS application data There are three levels of awareness of a connection in HTTPS: At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer Typically the next lowest layer is TCP, but it may also be TLS/SSL At the level of TLS, a session is established between a TLS client and a TLS server This session can support one or more connections at any time A TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side For HTTPS, the agent acting as the HTTP client also acts as the TLS client. The client initiates a connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake. When the TLS handshake has finished, the client may then initiate the first HTTP request. All HTTP data is to be sent as TLS application data. Normal HTTP behavior, including retained connections, should be followed. There are three levels of awareness of a connection in HTTPS. At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer. Typically, the next lowest layer is TCP, but it also may be TLS/SSL. At the level of TLS, a session is established between a TLS client and a TLS server. This session can support one or more connections at any time. As we have seen, a TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side.

41 Connection Closure An HTTP client or server can indicate the closing of a connection by including the line Connection: close in an HTTP record The closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection TLS implementations must initiate an exchange of closure alerts before closing a connection A TLS implementation may, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an “incomplete close” An unannounced TCP closure could be evidence of some sort of attack so the HTTPS client should issue some sort of security warning when this occurs An HTTP client or server can indicate the closing of a connection by including the following line in an HTTP record: Connection: close . This indicates that the connection will be closed after this record is delivered. The closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection. At the TLS level, the proper way to close a connection is for each side to use the TLS alert protocol to send a close_notify alert. TLS implementations must initiate an exchange of closure alerts before closing a connection. A TLS implementation may, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an “incomplete close”. Note that an implementation that does this may choose to reuse the session. This should only be done when the application knows (typically through detecting HTTP message boundaries) that it has received all the message data that it cares about. HTTP clients also must be able to cope with a situation in which the underlying TCP connection is terminated without a prior close_notify alert and without a Connection: close indicator. Such a situation could be due to a programming error on the server or a communication error that causes the TCP connection to drop. However, the unannounced TCP closure could be evidence of some sort of attack. So the HTTPS client should issue some sort of security warning when this occurs.

42 Presentation of S-HTTP
C- Secure-HTTP Presentation of S-HTTP A B C D Designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections Proposed in 1994 but never used commercially Not to be confused with HTTPS: encrypts HTTP messages at the application level Security on the WWW Cryptography and Network Security

43 Location of S-HTTP HTTP-specific message encryption
C- Secure-HTTP Location of S-HTTP A B C D HTTP-specific message encryption Can possibly be used over a secure channel Designed to be compatible with HTTP for handling at lower layers Security on the WWW Cryptography and Network Security

44 HTTP-specific vs. general purpose SSL (IMAPS, POPS, LDAPS…)
C- Secure-HTTP S-HTTP vs. SSL/TLS A B C D HTTP-specific vs. general purpose SSL (IMAPS, POPS, LDAPS…) Burden of encryption not on transmission/reception but rather on message production/unpacking Similar set of available ciphers, plus added capabilities for signing (DSS, RSA) Very general specifications, leaving a lot to implement and a potential for incompatible implementations Only one reference implementation in NCSA Mosaic Security on the WWW Cryptography and Network Security

45 S-HTTP vs. HTTPS: functionalities
C- Secure-HTTP S-HTTP vs. HTTPS: functionalities A B C D Security Service S-HTTP HTTPS Privacy Public or private cryptosystem Encryption of the complete HTTP transaction Symmetric key cryptosystem Complete communication encryption Integrity Simple MAC or signing MAC only Authentication Key management on the keys used, or digital signature During the initial public key exchange (server auth. mandatory, client auth. optional) Non-repudiation Digital signature Not provided S-HTTP can make use of key management Non-repudiation is not provided by SSL (e.g., HTTPS) Signing is optional, but a major attraction to S-HTTP Security on the WWW Cryptography and Network Security

46 S-HTTP vs. HTTPS: proxy traversal
C- Secure-HTTP S-HTTP vs. HTTPS: proxy traversal A B C D Security on the WWW Cryptography and Network Security

47 S-HTTP inner working Message-based encryption
C- Secure-HTTP S-HTTP inner working A B C D Message-based encryption Superset of HTTP: “outer” envelope Specific headers added Request: Secure*Secure-HTTP/1.2 Response: Secure-HTTP/ OK Security on the WWW Cryptography and Network Security

48 C- Secure-HTTP S-HTTP attacks A B C D Basically the same as on SSL, since the ciphers are the same Default values more secure in S-HTTP than SSL at the time of proposal (e.g. DES vs. RC4) S-HTTP generally stronger by design (more resilient to proxy compromising) More complex and wider specifications create a potential for faulty implementations No real-world use to field test the actual security of S-HTTP Security on the WWW Cryptography and Network Security

49 HTTP Basic Authentication
D- Other protocols A B C D HTTP Basic Authentication HTTP has an authentication scheme as part of its original protocol. Supported by almost all browsers and web servers. Password and username are sent in clear text (base64 encoded) in the HTTP request message. Obviously not secure enough for sensitive information. This scheme is being replaced by the slightly more secure HTTP Digest Authentication, which sends a MD5 hash of the password and other information. Security on the WWW Cryptography and Network Security

50 Secure Shell (SSH) A protocol for secure network communications designed to be relatively simple and inexpensive to implement The initial version, SSH1 was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security SSH also provides a more general client/server capability and can be used for such network functions as file transfer and SSH2 fixes a number of security flaws in the original scheme Is documented as a proposed standard in IETF RFCs 4250 through 4256 SSH client and server applications are widely available for most operating systems Has become the method of choice for remote login and X tunneling Is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems Secure Shell (SSH) is a protocol for secure network communications designed to be relatively simple and inexpensive to implement. The initial version, SSH1 was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security. SSH also provides a more general client/server capability and can be used for such network functions as file transfer and . A new version, SSH2, fixes a number of security flaws in the original scheme. SSH2 is documented as a proposed standard in IETF RFCs 4250 through 4256. SSH client and server applications are widely available for most operating systems. It has become the method of choice for remote login and X tunneling and is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems.

51 SSH is organized as three protocols that typically run on top of TCP
(Figure 6.8): • Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity with forward secrecy (i.e., if a key is compromised during one session, the knowledge does not affect the security of earlier sessions). The transport layer may optionally provide compression. • User Authentication Protocol: Authenticates the user to the server. • Connection Protocol: Multiplexes multiple logical communications channels over a single, underlying SSH connection.

52 Transport Layer Protocol
Server authentication occurs at the transport layer, based on the server possessing a public/private key pair A server may have multiple host keys using multiple different asymmetric encryption algorithms Multiple hosts may share the same host key The server host key is used during key exchange to authenticate the identity of the host RFC 4251 dictates two alternative trust models: The client has a local database that associates each host name with the corresponding public host key The host name-to-key association is certified by a trusted certification authority (CA); the client only knows the CA root key and can verify the validity of all host keys certified by accepted CAs Key management[edit] On Unix-like systems, the list of authorized public keys is stored in the home directory of the user that is allowed to log in remotely, in the file ~/.ssh/authorized_keys.[3] This file is only respected by ssh if it is not writable by anything apart from the owner and root. When the public key is present on the remote end and the matching private key is present on the local end, typing in the password is no longer required (some software like Message Passing Interface(MPI) stack may need this password-less access to run properly). However, for additional security the private key itself can be locked with a passphrase. The private key can also be looked for in standard places, and its full path can be specified as a command line setting (the option -i for ssh). The ssh-keygenutility produces the public and private keys, always in pairs. SSH also supports password-based authentication that is encrypted by automatically generated keys. In this case the attacker could imitate the legitimate side, ask for the password and obtain it (man-in-the-middle attack). However this is only possible if the two sides have never authenticated before, as SSH remembers the key that the remote side once used. Password authentication can be disabled. Server authentication occurs at the transport layer, based on the server possessing a public/private key pair. A server may have multiple host keys using multiple different asymmetric encryption algorithms. Multiple hosts may share the same host key. In any case, the server host key is used during key exchange to authenticate the identity of the host. For this to be possible, the client must have a prior knowledge of the server’s public host key. RFC 4251 dictates two alternative trust models that can be used: 1. The client has a local database that associates each host name (as typed by the user) with the corresponding public host key. This method requires no centrally administered infrastructure and no third-party coordination. The downside is that the database of name-to-key associations may become burdensome to maintain. The host name-to-key association is certified by a trusted certification authority (CA). The client only knows the CA root key and can verify the validity of all host keys certified by accepted CAs. This alternative eases the maintenance problem, since ideally, only a single CA key needs to be securely stored on the client. On the other hand, each host key must be appropriately certified by a central authority before authorization is possible.

53 Figure 6.9 illustrates the sequence of events in the SSH
Transport Layer Protocol. First, the client establishes a TCP connection to the server. This is done via the TCP protocol and is not part of the Transport Layer Protocol. Once the connection is established, the client and server exchange data, referred to as packets, in the data field of a TCP segment.

54 Each packet is in the following
format (Figure 6.10). • Packet length: Length of the packet in bytes, not including the packet length and MAC fields. • Padding length: Length of the random padding field. • Payload: Useful contents of the packet. Prior to algorithm negotiation, this field is uncompressed. If compression is negotiated, then in subsequent packets, this field is compressed. • Random padding: Once an encryption algorithm has been negotiated, this field is added. It contains random bytes of padding so that that total length of the packet (excluding the MAC field) is a multiple of the cipher block size, or 8 bytes for a stream cipher. • Message authentication code (MAC): If message authentication has been negotiated, this field contains the MAC value. The MAC value is computed over the entire packet plus a sequence number, excluding the MAC field. The sequence number is an implicit 32-bit packet sequence that is initialized to zero for the first packet and incremented for every packet. The sequence number is not included in the packet sent over the TCP connection. Once an encryption algorithm has been negotiated, the entire packet (excluding the MAC field) is encrypted after the MAC value is calculated. The SSH Transport Layer packet exchange consists of a sequence of steps (Figure 6.9).

55 Table 6.3 SSH Transport Layer Cryptographic Algorithms Table 6.3
* = Required ** = Recommended Table 6.3 shows the allowable options for encryption, MAC, and compression. For each category, the algorithm chosen is the first algorithm on the client’s list that is also supported by the server.

56 Authentication Methods
The client sends a message to the server that contains the client’s public key, with the message signed by the client’s private key When the server receives this message, it checks whether the supplied key is acceptable for authentication and, if so, it checks whether the signature is correct Publickey The client sends a message containing a plaintext password, which is protected by encryption by the Transport Layer Protocol Password Authentication is performed on the client’s host rather than the client itself This method works by having the client send a signature created with the private key of the client host Rather than directly verifying the user’s identity, the SSH server verifies the identity of the client host Hostbased The server may require one or more of the following authentication methods. • publickey: The details of this method depend on the public-key algorithm chosen. In essence, the client sends a message to the server that contains the client’s public key, with the message signed by the client’s private key. When the server receives this message, it checks whether the supplied key is acceptable for authentication and, if so, it checks whether the signature is correct. • password: The client sends a message containing a plaintext password, which is protected by encryption by the Transport Layer Protocol. • hostbased: Authentication is performed on the client’s host rather than the client itself. Thus, a host that supports multiple clients would provide authentication for all its clients. This method works by having the client send a signature created with the private key of the client host. Thus, rather than directly verifying the user’s identity, the SSH server verifies the identity of the client host—and then believes the host when it says the user has already authenticated on the client side.

57 Connection Protocol The SSH Connection Protocol runs on top of the SSH Transport Layer Protocol and assumes that a secure authentication connection is in use The secure authentication connection, referred to as a tunnel, is used by the Connection Protocol to multiplex a number of logical channels Channel mechanism All types of communication using SSH are supported using separate channels Either side may open a channel For each channel, each side associates a unique channel number Channels are flow controlled using a window mechanism No data may be sent to a channel until a message is received to indicate that window space is available The life of a channel progresses through three stages: opening a channel, data transfer, and closing a channel The SSH Connection Protocol runs on top of the SSH Transport Layer Protocol and assumes that a secure authentication connection is in use. That secure authentication connection, referred to as a tunnel, is used by the Connection Protocol to multiplex a number of logical channels. All types of communication using SSH, such as a terminal session, are supported using separate channels. Either side may open a channel. For each channel, each side associates a unique channel number, which need not be the same on both ends. Channels are flow controlled using a window mechanism. No data may be sent to a channel until a message is received to indicate that window space is available. The life of a channel progresses through three stages: opening a channel, data transfer, and closing a channel.

58 Figure 6.11 provides an example of Connection Protocol Message
Exchange.

59 Channel Types Session X11 Forwarded-tcpip Direct-tcpip
Four channel types are recognized in the SSH Connection Protocol specification The remote execution of a program The program may be a shell, an application such as file transfer or , a system command, or some built-in subsystem Once a session channel is opened, subsequent requests are used to start the remote program Session Refers to the X Window System, a computer software system and network protocol that provides a graphical user interface (GUI) for networked computers X allows applications to run on a network server but to be displayed on a desktop machine X11 Remote port forwarding Forwarded-tcpip Local port forwarding Direct-tcpip Four channel types are recognized in the SSH Connection Protocol specification. • session: The remote execution of a program. The program may be a shell, an application such as file transfer or , a system command, or some built-in subsystem. Once a session channel is opened, subsequent requests are used to start the remote program. • x11: This refers to the X Window System, a computer software system and network protocol that provides a graphical user interface (GUI) for networked computers. X allows applications to run on a network server but to be displayed on a desktop machine. • forwarded-tcpip: This is remote port forwarding, as explained in the next subsection. • direct-tcpip: This is local port forwarding, as explained in the next subsection.

60 Port Forwarding One of the most useful features of SSH
Provides the ability to convert any insecure TCP connection into a secure SSH connection (also referred to as SSH tunneling) Incoming TCP traffic is delivered to the appropriate application on the basis of the port number (a port is an identifier of a user of TCP) An application may employ multiple port numbers One of the most useful features of SSH is port forwarding. In essence, port forwarding provides the ability to convert any insecure TCP connection into a secure SSH connection. This is also referred to as SSH tunneling. We need to know what a port is in this context. A port is an identifier of a user of TCP. So, any application that runs on top of TCP has a port number. Incoming TCP traffic is delivered to the appropriate application on the basis of the port number. An application may employ multiple port numbers. For example, for the Simple Mail Transfer Protocol (smtp), the server side generally listens on port 25, so an incoming SMTP request uses TCP and addresses the data to destination port 25. TCP recognizes that this is the SMTP server address and routes the data to the SMTP server application.

61 Figure 6. 12 illustrates the basic concept behind port forwarding
Figure 6.12 illustrates the basic concept behind port forwarding. We have a client application that is identified by port number x and a server application identified by port number y . At some point, the client application invokes the local TCP entity and requests a connection to the remote server on port y . The local TCP entity negotiates a TCP connection with the remote TCP entity, such that the connection links local port x to remote port y . To secure this connection, SSH is configured so that the SSH Transport Layer Protocol establishes a TCP connection between the SSH client and server entities, with TCP port numbers a and b , respectively. A secure SSH tunnel is established over this TCP connection. Traffic from the client at port x is redirected to the local SSH entity and travels through the tunnel where the remote SSH entity delivers the data to the server application on port y . Traffic in the other direction is similarly redirected. SSH supports two types of port forwarding: local forwarding and remote forwarding. Local forwarding allows the client to set up a “hijacker” process. This will intercept selected application-level traffic and redirect it from an unsecured TCP connection to a secure SSH tunnel. SSH is configured to listen on selected ports. SSH grabs all traffic using a selected port and sends it through an SSH tunnel. On the other end, the SSH server sends the incoming traffic to the destination port dictated by the client application. With remote forwarding, the user’s SSH client acts on the server’s behalf. The client receives traffic with a given destination port number, places the traffic on the correct port and sends it to the destination the user chooses. A typical example of remote forwarding is the following. You wish to access a server at work from your home computer. Because the work server is behind a firewall, it will not accept an SSH request from your home computer. However, from work you can set up an SSH tunnel using remote forwarding.

62 Secure Electronic Transactions (SET)
open encryption & security specification to protect Internet credit card transactions developed in 1996 by Mastercard, Visa etc not a payment system rather a set of security protocols & formats secure communications amongst parties trust from use of X.509v3 certificates privacy by restricted info to those who need it Cryptography and Network Security

63 SET Components Stallings Fig 17-8. Cryptography and Network Security

64 SET Transaction customer opens account customer receives a certificate
merchants have their own certificates customer places an order merchant is verified order and payment are sent merchant requests payment authorization merchant confirms order merchant provides goods or service merchant requests payment Cryptography and Network Security

65 Dual Signature customer creates dual messages
order information (OI) for merchant payment information (PI) for bank neither party needs details of other but must know they are linked use a dual signature for this signed concatenated hashes of OI & PI Cryptography and Network Security

66 Purchase Request – Customer
Stallings Fig Cryptography and Network Security

67 Purchase Request – Merchant
Stallings Fig Cryptography and Network Security

68 Purchase Request – Merchant
verifies cardholder certificates using CA sigs verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key processes order and forwards the payment information to the payment gateway for authorization (described later) sends a purchase response to cardholder Cryptography and Network Security

69 Payment Gateway Authorization
verifies all certificates decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block verifies merchant's signature on authorization block decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block verifies dual signature on payment block verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer requests & receives an authorization from issuer sends authorization response back to merchant Cryptography and Network Security

70 Payment Capture merchant sends payment gateway a payment capture request gateway checks request then causes funds to be transferred to merchants account notifies merchant using capture response Cryptography and Network Security

71 Summary Web security considerations Secure sockets layer HTTPS
Transport layer security Version number Message authentication code Pseudorandom function Alert codes Cipher suites Client certificate types Certificate_verify and finished messages Cryptographic computations Padding Secure shell (SSH) Transport layer protocol User authentication protocol Communication protocol SET secure credit card payment protocols Web security considerations Web security threats Web traffic security approaches Secure sockets layer SSL architecture SSL record protocol Change cipher spec protocol Alert protocol Handshake protocol Cryptographic computations HTTPS Connection initiation Connection closure Chapter 6 summary.

Download ppt "Csc 8222 Network Security Web and Transport-level Security"

Similar presentations

Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
SSL: Secure Sockets Layer

SSL: Secure Sockets Layer
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.

Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.

Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.
Cryptography and Network Security

Cryptography and Network Security

Similar presentations

Ads by Google