Certificates, SSL, and One time passwords. Fall 2010, David Brumley.


1 Certificates, SSL, and One time passwords. Fall 2010, David Brumley

2 Recap
Recap:
– Intro to network security
Today:
– X509 Certificates
– SSL/TLS
– IPSec
– Remote authentication
HW2 is out

3 [Figure: Alice's certificate, with fields Alice, Public key, Expiration Date] Certificates bind a public key to a user

4 [Figure: Alice's certificate, with fields Alice, Public key, Expiration Date] Certificate Authority (CA)

5 [Figure: Alice's certificate, with fields Alice, Public key, Expiration Date] CA Signature

6 [Figure: Alice's certificate, with fields Alice, Public key, Expiration Date] Cert Parameters

7 Alice sends to the Certificate Authority (CA): User ID || public key || …

8 Alice generates and gives to the Certificate Authority (CA): User ID || public key || …
CA computes:
D = H(User ID || public key || …)
Sig = Sign(D, CA private key)
CA gives Alice Sig

9 Alice generates and gives to the Certificate Authority (CA): User ID || public key || …
CA computes:
D = H(User ID || public key || …)
Sig = Sign(D, Serial, CA private key)
CA gives Alice Alice’s Certificate:
[User ID || public key || …] || CA Name || Serial || Sig ||

10 X.509 Authentication Service
universally accepted standard for formatting public-key certificates
– widely used in network security applications, including IPSec, SSL, SET, and S/MIME
part of CCITT X.500 directory service standards
uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended

11 X.509 Certificates

12 Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
transport layer security service
– originally developed by Netscape
– version 3 designed with public input
subsequently became Internet standard RFC2246: Transport Layer Security (TLS)
use TCP to provide a reliable end-to-end service
may be provided in underlying protocol suite or embedded in specific packages

13 SSL (between Alice and Bob.com)
1. ClientHello
2. ServerHello
3. ClientKeyExchange
Encryption with Symmetric Cipher (e.g., AES) with shared secret

14 Protocol Stack
[Figure: SSL/TLS protocol stack. Handshake, Change Cipher, Alert, HTTP, Telnet… over the SSL Record Protocol, over TCP, over IP]

15 SSL Record Protocol Services
message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
confidentiality
– using symmetric encryption with a shared secret key defined by Handshake Protocol
– AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
– message is compressed before encryption

16 SSL Record Protocol Operation

17 SSL Change Cipher Spec Protocol
Initiates a change of the keying material used for encryption between the client and server.
one of 3 SSL specific protocols which use the SSL Record protocol
a single message.
Initiates handshake protocol

18 SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
» warning or fatal
specific alert
» fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
» warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data

19 SSL Handshake Protocol
allows server & client to:
– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish

20 Detailed Handshake Protocol

21 SSL with RSA
1. ClientHello
2. ServerHello: Certificate with (N_s, e_s)
3. ClientKeyExchange: sends c
Client:
i. Picks random r
ii. f = Format(r)
iii. c = f^e mod N
Server:
i. f’ = c^d mod N
ii. r’ = unformat(f’)
BlockCipher(r’, messages)
Detect misformatted messages and abort if r’ != r
Problem: Attackers exposing private key expose all traffic

22 Remote Timing Attacks are Practical

23 SSL with Ephemeral DH
1. ClientHello
2. ServerHello: Certificate with (N_s, e_s) & DH p, g, c
3. ClientKeyExchange: sends c
Server:
i. Picks random r
ii. f = g^a mod p
iii. c = RSASign(f mod N_s)
Client:
i. Verify Sig
ii. Pick random x
iii. Compute: c = f^x mod p
Pre-master shared secret: g^(ab) mod p
RSA Signature defeats man-in-the-middle
Fixes RSA problem
Much, much slower so not used often

24 Certificate Revocation (between Alice and Bob.com)
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
Is Bob.com’s key still legit?

25 Certificate Revocation (between Alice and Bob.com)
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
Verification Protocol with a Verification Authority (VA)

26 Certificate Verification Protocols
Expiration Date
OCSP – Online Cert Status Protocol
Certificate Revocation Lists (CRL) and Certificate Revocation Trees (CRT)

27 Online Cert Status Protocol (between Alice and the Verification Authority (VA))
1. Request(Bob’s Cert)
2. Check DB
3. Response(Sign(Bob’s Cert {OK,BAD}, VA Signing Key))
Implemented in IE7 (Vista+), Firefox, Safari, Opera, Chrome (Vista+)
What do we do when VA key bad?

29 CRT’s: Efficient Variant of OCSP [kocher98]
1. Secure and Trustworthy Verification Authority (VA): Create CRT
2. Distribute CRT to Insecure VA 1 Replica, Insecure VA 2 Replica, Insecure VA 3 Replica
3. Alice: Query replica

30 Certificate Revocation Tree Generation
[Figure: hash tree built by the Verification Authority (VA). Leaves C_1, C_2, C_3, C_4, …, C_{i-1}, C_i are the revoked certs C_j sorted by serial; each internal node applies h to its children, giving H_1, H_2, H_3, H_4, H_5, H_6 and finally H_root]
VASig = Sign(H_root, VA signing key)

31 [Figure: Secure and Trustworthy Verification Authority (VA) with Insecure VA 1 Replica, Insecure VA 2 Replica, Insecure VA 3 Replica]

32 Alice and Insecure VA 2 Replica
[Figure: the certificate revocation tree from slide 30, with leaves C_1 … C_i, internal hashes H_1 … H_6, H_root and VASig]
1. Alice asks: Is Bob’s Cert C_2 revoked?
2. Replica answers: [C_1, H_2, H_6, VASig]
3. Alice validates C_2 on list:
a. H’_root = H(H(C_1, C_2), H_2, …, H_6)
b. H’_root =?= H_root
c. VA Sig valid?
Size of Proof: O(log i)
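
The check Alice performs on slide 32, as an added example that is not part of the original slides. It assumes SHA-256 for h, tagged and length-prefixed hashing, and constructed serial numbers; verifying VASig over the root is left out, so `ROOT` stands for an H_root whose VA signature has already been checked.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def leaf(serial: int) -> bytes:
    # Distinct tags for leaves and inner nodes stop a node passing as a leaf.
    return H(b"leaf", serial.to_bytes(8, "big"))

def build_levels(serials):
    """VA side: all tree levels, leaves (sorted by serial) first, root last."""
    level = [leaf(s) for s in sorted(serials)]
    levels = [level]
    while len(level) > 1:
        nxt = [H(b"node", level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:          # odd node out is promoted unchanged
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def prove(levels, index):
    """Replica side: sibling hashes from leaf to root, O(log i) entries."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return path

def verify(serial, path, trusted_root):
    """Alice's side: recompute H'_root and compare it with the signed H_root."""
    node = leaf(serial)
    for side, sib in path:
        node = H(b"node", sib, node) if side == "L" else H(b"node", node, sib)
    return node == trusted_root

# Constructed sample data: serial numbers of revoked certificates.
REVOKED = [1042, 17, 993, 2048, 512]
LEVELS = build_levels(REVOKED)
ROOT = LEVELS[-1][0]                 # the value the VA would sign as VASig
PROOF = prove(LEVELS, sorted(REVOKED).index(512))

if __name__ == "__main__":
    print("512 on revoked list:", verify(512, PROOF, ROOT))
    print("513 with the same proof:", verify(513, PROOF, ROOT))
```

An insecure replica can withhold an answer, but it cannot produce a path that hashes to the signed root for a serial the VA did not place in the tree.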

33 IPSec

34 IP Security
various application security mechanisms
– eg. S/MIME, PGP, Kerberos, SSL/HTTPS
security concerns cross protocol layers
hence would like security implemented by the network for all applications

35 IPSec
general IP Security mechanisms
provides
– authentication
– privacy
– key management
applicable to use over LANs, across public & private WANs, & for the Internet

36 IPSec Uses

37 Benefits of IPSec
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
The application can request the operating system to set up a security association before starting a TCP connection or a UDP exchange
can be transparent to end users
can provide security for individual users
secures routing architecture

38 IP Security Architecture
mandatory in IPv6, optional in IPv4
have two security header extensions:
– Authentication Header (AH) (authentication only)
– Encapsulating Security Payload (ESP) (auth/encryption)
VPNs want both authentication/encryption
– hence usually use ESP
specification is quite complex
– numerous RFC’s 2401/2402/2406/2408

39 Authentication Header (AH)
provides support for data integrity & authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence numbers
based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
parties must share a secret key

40 Authentication Header

41 Encapsulating Security Payload (ESP)

42 Key Management
handles key generation & distribution
typically need 2 pairs of keys
– 2 per direction for AH & ESP
manual key management
– sysadmin manually configures every system
automated key management
– automated system for on demand creation of keys for SA’s in large systems
– has Oakley & ISAKMP elements

43 Remote Authentication

44 Authentication Mechanisms in Practice: Passwords
– Used to authenticate people
– Low entropy
– Replay attacks possible
– Secrets stored on server
– Aside: “Extra questions” for password recovery insecure
Security Properties?

45 Authentication Mechanisms in Practice: Biometrics
– No remote login
– No revocation
– Best used for 2-factor authentication (to increase password entropy)
Security Properties?

46 Lamport Hashes (One-Time Passwords)
1. Setup: Alice picks p and computes: w = h(h(h(h….(h(p)))))) (n times)
– Denote n hashes by h^n(p)
– Puts w on server, stores p and n
2. Alice authenticates:
– n = n - 1
– x = h^n(p)
– Send x
– Server verifies h(x) = w
– Server stores x if correct
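
The setup and authentication steps of slide 46 as an added example, not part of the original slides. It assumes SHA-256 for h; the `Client` and `Server` classes, `demo`, and the sample secret are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def h_n(p: bytes, n: int) -> bytes:
    """h applied n times to p, the slide's h^n(p)."""
    for _ in range(n):
        p = h(p)
    return p

class Client:
    """Alice: stores p and n, as in the setup step."""
    def __init__(self, p: bytes, n: int):
        self.p, self.n = p, n

    def next_password(self) -> bytes:
        if self.n == 0:
            raise RuntimeError("hash chain used up; run setup again")
        self.n -= 1                      # n = n - 1
        return h_n(self.p, self.n)       # x = h^n(p)

class Server:
    """Stores only the last accepted value w, never p."""
    def __init__(self, w: bytes):
        self.w = w

    def verify(self, x: bytes) -> bool:
        if hmac.compare_digest(h(x), self.w):   # server verifies h(x) = w
            self.w = x                          # server stores x if correct
            return True
        return False

def demo():
    p, n = b"constructed-secret-p", 3    # constructed sample values
    alice, server = Client(p, n), Server(h_n(p, n))
    x1 = alice.next_password()
    results = [server.verify(x1)]        # first login is accepted
    results.append(server.verify(x1))    # a replay of x1 is rejected
    results.append(server.verify(alice.next_password()))
    results.append(server.verify(alice.next_password()))
    try:
        alice.next_password()            # only n authentications exist
        results.append("more")
    except RuntimeError:
        results.append("exhausted")
    return results

if __name__ == "__main__":
    print(demo())
```

The last of the n passwords is p itself, which is why the chain has to be set up again once it is used up.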

47 Security properties of One-Time Pads
1. Protects against replay/eavesdropping
2. No secrets on server
3. Limited # of authentications
4. Insecure against man-in-the-middle

48 Secure Tokens
k_0 = initial shared secret
k = H(k) every t seconds

49 Secure Tokens
k_0 = initial shared secret
k = H(k) every t seconds
Security Properties?

50 That is all for today

