Presentation is loading. Please wait.

Presentation is loading. Please wait.

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.

Published byGwenda Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015."— Presentation transcript:

1 Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015

2 Let’s Sum Up Symmetric Key Model –Encryption ECB (bad), CBC, CTR –All these are modes of operation built on a blockcipher –Authentication (MACs) CBC MAC, XCBC, UMAC, HMAC Asymmetric Key Model –Encryption RSA-OAEP –Assumes factoring product of large primes is hard –Authentication RSA signatures –Usually hash-then-sign

3 Next Up: SSL Next we’ll look at how to put all this together to form a network security protocol We will use SSL/TLS as our model since it’s ubiquitous

4 What is SSL/TLS? SSL –Secure Socket Layer Designed by Paul Kocher, consulting for Netscape TLS –Transport Layer Security New version of SSL, and probably what we should call it (but I’m used to SSL) Used for web applications (https) –But also used many other places that aren’t as well-known

5 TLS – Sketch Let’s start by trying to design TLS ourselves and see what else we’ll need –This will end up being only a sketch of the very complex protocol TLS actually is We want: –Privacy, authentication –Protection against passive and active adversaries We have: –Symmetric/asymmetric encryption and authentication –Collision-resistant hash functions

6 A First Stab First we need a model –Client/Server is the usual one –Client and Server trust each other –No shared keys between client and server Assuming a shared key is not realistic in most settings –Adversary is active (but won’t try DoS) Server generates RSA key pair for encryption –pk S, sk S –S subscript stands for “Server”

7 A First Stab (cont) Now client C comes along and wants to communicate with server S –C sends SSL HELLO to initiate session –S responds by sending pk S –C sends credit card number encrypted with pk S –S decrypts credit card number with sk S and charges the purchase What’s wrong here?

8 Our First Protocol: Problems There are tons of problems here –We don’t know how to encrypt {0,1} *, only how to encrypt elements of Z n * Ok, say we solve that problem (there are ways) –It’s really SLOW to use RSA on big messages Ok, we mentioned this before… let’s use symmetric cryptography to help us –There is no authentication going on here! Adversary could alter pk S on the way to the client We’d better add some authentication too Let’s try again…

9 Second Stab C says Hello S sends pk S to C C generates two 128-bit session keys –K enc, K mac, used for encryption and MACing C encrypts (K enc, K mac ) with pk S and sends to S S recovers (K enc, K mac ) using sk S and both parties use these “session keys” to encrypt and MAC all further communication

10 Second Stab (cont) Problems? –Good news: we’re a lot more efficient now since most crypto is done with symmetric key –Good news: we’re doing some authentication now –Bad news: Man-in-the-Middle attack still possible –Frustratingly close If we could get pk S to the client, we’d be happy

11 Man in the Middle Let’s concretely state the problem –Suppose an adversary A generates pk A and sk A –Now S sends pk S to C, but A intercepts and sends pk A to C instead –C responds with (K enc, K mac ) encrypted under pk A and sends to S –A intercepts, decrypts (K enc, K mac ) using sk A and re- encrypts with pk S then sends on to S A doesn’t have to use (K enc, K mac ) here… any keys would do –Idea is that A proxies the connection between C and S and reads/alters any traffic he wishes

12 MitM Attack C AS hello pk S pk A (K enc, K mac ) under pk A (K enc, K mac ) under pk S “Welcome” under (K enc, K mac ) CC# under (K enc, K mac ) “Welcome” under (K enc, K mac ) CC# under (K enc, K mac )

13 How do we Stop This? Idea: –Embed pk S in the browser A cannot impersonate S if the public key of S is already held by C Problems: –Scalability (100,000 public keys in your browser?) –Key freshening (if a key got compromised and it were already embedding in your browser, how would S update?) –New keys (how do you get new keys? A new browser?) –Your crypto is only as reliable as the state of your browser (what if someone gets you to install a bogus browser?) (Partial) Solution: Certificates

14 Certificates: Basic Idea Enter the “Certification Authority” (CA) –Some trusted entity who signs S’s public key Well-known ones are Verisign, RSA Let’s assume the entity is called “CA” CA generates keys vk CA and sk CA CA signs pk S using sk CA CA’s vk S is embedded in all browsers –Same problem with corrupted browsers as before, but the scaling problem is gone

15 New Protocol C sends Hello S sends pk S and the signature of CA on pk S –These two objects together are called a “certificate” C verifies signature using vk CA which is built in to his browser C generates (K enc, K mac ), encrypts with pk S and sends to S S decrypts (K enc, K mac ) with sk S Session proceeds with symmetric cryptography

16 SSH (A Different Model) SSH (Secure SHell) –Replacement for telnet –Allows secure remote logins Different model –Too many hosts and too many clients –How to distribute pk of host? –Can be done physically –Can pay a CA to sign your keys (not likely) –Can run your own CA More reasonable, but still we have a bootstrapping problem

17 SSH: Typical Solution The most common “solution” is to accept initial exposure –When you connect to a host for the first time you get a warning: “Warning: host key xxxxxx with fingerprint xx:xx:xx is not in the.ssh_hosts file; do you wish to continue? Saying yes may allow a man-in-the-middle attack.” (Or something like that) You take a risk by saying “yes” If the host key changes on your host and you didn’t expect that to happen, you will get a similar warning –And you should be suspicious

18 Key Fingerprints The key fingerprint we just saw was a hash of the public key –Can use this when you’re on the road to verify that it’s the key you expect Write down the fingerprint on a small card and check it When you log in from a foreign computer, verify the fingerprint –Always a risk to log in from foreign computers!

19 X.509 Certificates X.509 is a format for a certificate –It contains a public key (for us, at least), email address, and other information –In order to be valid, it must be signed by the CA –In this class I will be the CA

Download ppt "Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015."

Similar presentations

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD.

Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Foundations of Network and Computer Security J J ohn Black Lecture #15 Oct 3 rd 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #15 Oct 3 rd 2007 CSCI 6268/TLEN 5831, Fall 2007.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Similar presentations

Ads by Google