Post on 26-Sep-2020

Network Security
Part II: Standards

Raj Jain
Washington University
Saint Louis, MO 63131
Jain@cse.wustl.edu

These slides are available on-line at:
http://www.cse.wustl.edu/~jain/cse473-05/

©2005 Raj Jain, CSE473s, Washington University in St. Louis

Overview

- Secret Key Encryption:
  - Data Encryption Standard (DES)
  - Triple DES (3DES)
  - Advanced Encryption Standard (AES)
- Hashing:
  - Secure Hash Algorithm 1 (SHA1)
- Secure Socket Layer (SSL)
- Secure IP (IPSec)

DES and 3DES

- Data Encryption Standard (DES)
  - 64 bit plain text blocks, 56 bit key
  - Broken in 1998 by Electronic Frontier Foundation
- Triple DES (3DES)
  - Uses 2 or 3 keys and 3 executions of DES
  - Effective key length 112 or 168 bit
  - Block size (64 bit) too small ⇒ Slow

Advanced Encryption Standard (AES)

- Designed in 1997-2001 by National Institute of Standards and Technology (NIST)
- Federal information processing standard (FIPS 197)
- Symmetric block cipher, Block length 128 bits
- Key lengths 128, 192, and 256 bits

AES (cont)

[Figure: Plain Text → Add round key 1 → (Substitute Bytes → Shift Rows → Mix columns → Add round key i), repeat 10 times → Cipher Text]

- Substitute Bytes: Table lookup
- Shift Rows: Shift left/right by 0, 1, or 2
- Mix columns: Byte_ij = fn(Byte_1j, Byte_2j, Byte_3j, Byte_4j)
- 128b = 16B, 4×4 array:
    11 12 13 14
    21 22 23 24
    31 32 33 34
    41 42 43 44

AES Encryption Round

[Figure: State → Sub Bytes → State → Shift Rows → State → Mix Columns → State → Add Round Key → State]

Secure Hash Algorithm 1 (SHA-1)

- Data processed in 512 bit blocks ⇒ 160 bit hash
- 1-512 bit Padding + 64 bit length (Data < 2^64 b)

[Figure: message followed by Padding (1 to 512b) and Msg Len, split into 512b blocks, producing a 160b hash]

SSL and TLS

- Secure Socket Layer (SSL): Reliable end-to-end secure service over TCP
- Embedded in specific packages, e.g., Netscape and Microsoft Explorer and most Web servers
- Transport Layer Security (TLS) defined in RFC 2246
- Minor differences between SSLv3 and TLS
- Session = Multiple end-to-end TCP connections
- Four Protocols:
  - Handshake protocol: Exchange shared secret key
  - Record protocol: Provide end-to-end encryption
  - Change cipher spec protocol: Updates cipher suite
  - Alert protocol: Warnings and fatal errors to peer

SSL Protocol Stack

SSL Record Protocol Operation

- Each upper-layer message is fragmented into 2^14 bytes (16384 bytes) or less
- Compression optionally applied
- Compressed message plus MAC encrypted using symmetric encryption
- Prepend header

Record Protocol Header

- Content Type: change_cipher_spec, alert, handshake, and application_data
- Major Version: SSL v3 is 3
- Minor Version: SSLv3 value is 0
- Compressed Length: Maximum 2^14 + 2048

Field:  Content Type | Major Version | Minor Version | Compressed Length | Data
Size:   8b           | 8b            | 8b            | 16b               |

Change Cipher Spec Protocol

- Cause pending state to be copied into current state
- Updates cipher suite to be used on this connection
- Single message: Single byte value 1
- Uses Record Protocol

Alert Protocol

- Convey SSL-related alerts to peer entity
- Two bytes
- First byte: warning(1) or fatal(2)
  - If fatal, SSL immediately terminates connection
  - Other connections on session may continue
  - No new connections on session
- Second byte indicates specific alert
- Example: Incorrect MAC ⇒ fatal alert
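
A record-layer parser for the header, change cipher spec and alert formats described on the last three slides, as an added example that is not part of the original deck. The numeric content types (20 to 23) and alert code 20 (bad_record_mac) come from the SSLv3/TLS specifications rather than from the slides, and the sample bytes are constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_LENGTH = 2**14 + 2048        # largest value the 16-bit length field may carry

def describe(ctype: int, body: bytes) -> str:
    """Decode the two message kinds whose layout the slides give (cleartext only)."""
    if ctype == 20:
        return "pending state -> current state" if body == b"\x01" else "malformed"
    if ctype == 21:
        if len(body) != 2 or body[0] not in ALERT_LEVELS:
            return "malformed or encrypted alert"
        note = ", connection terminated" if body[0] == 2 else ""
        return f"{ALERT_LEVELS[body[0]]} alert {body[1]}{note}"
    return ""

def parse_records(stream: bytes) -> list:
    """Split a byte stream into records; raise ValueError on a bad header."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from(">BBBH", stream, off)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_LENGTH:
            raise ValueError(f"length {length} exceeds 2^14 + 2048")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), describe(ctype, body)))
        off += 5 + length
    return records

# Constructed SSLv3 samples (version 3.0), not captured traffic.
SAMPLE_CCS = bytes([20, 3, 0, 0, 1, 1])           # single byte, value 1
SAMPLE_ALERT = bytes([21, 3, 0, 0, 2, 2, 20])     # fatal(2), code 20 = bad_record_mac
SAMPLE_OVERSIZE = bytes([23, 3, 0, 0xFF, 0xFF])   # length 65535 > 2^14 + 2048

if __name__ == "__main__":
    for sample in (SAMPLE_CCS, SAMPLE_ALERT):
        print(parse_records(sample))
```

Alerts sent after the cipher spec has changed are encrypted, so a body that does not decode as two cleartext bytes is reported rather than guessed at.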

Handshake Protocol

- Negotiate security parameters
- Version: Highest SSL version understood by client
- Random: 28 bytes from secure random number generator
- 32-bit timestamp: Used during key exchange to prevent replay attacks
- Session ID: Variable-length
  - Nonzero ⇒ update existing connection or create new connection on session
  - Zero ⇒ establish new connection on new session
- Cipher Suite: Cryptographic algorithms supported
- Compression Methods supported

Handshake Protocol

- Phase 1: Exchange protocol version, session ID, cipher suite, compression method and initial random numbers
- Phase 2: Certificate
- Phase 3: Certificate
- Phase 4: Change to new parameters

[Figure: message sequence between Client and Server, in order: Client Hello, Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done, Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished, Change Cipher Spec, Finished]

IPSec

- Secure IP: A series of proposals from IETF
- Separate Authentication and privacy
- Authentication Header (AH) ensures data integrity and data origin authentication
- Encapsulating Security Protocol (ESP) ensures confidentiality, data origin authentication, connectionless integrity, and anti-replay service

[Figure: packet layout IP Header | AH | ESP | Original IP Header* | Original Data, with the Authenticated and Encrypted spans marked. * Optional]

IPSec (Cont)

- Two Modes: Tunnel mode, Transport mode
- Tunnel Mode ⇒ Original IP header encrypted
- Transport mode ⇒ Original IP header removed. Only transport data encrypted.
- Supports a variety of encryption algorithms
- Better suited for WAN VPNs (vs Access VPNs)
- A reference implementation (Cerberus) IPSec and interoperability tester are available from NIST

Cerberus = three headed dog guarding the underworld

Security Association

- One way relationship between sender and receiver
- For two way, two associations are required
- Three SA identification parameters
  - Security parameter index
  - IP destination address
  - Security protocol identifier

Authentication Header

- Next Header = TCP, UDP, ...
- Payload Length = Length of AH in 32-bit words − 2 (for IPv4) = Length of AH in 64-bit words − 1 (for IPv6)
- SPI = Identifies Security association (0 = Local use, 1-255 reserved)
- Authentication data = Integrity Check Value

AH ICV Computation

The AH ICV is computed over:
- IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the AH SA, e.g., source address (immutable), destination address with source routing (mutable but predictable)
- The AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number, and the Authentication Data (which is set to zero for this computation), and explicit padding bytes (if any))
- The upper level protocol data, which is assumed to be immutable in transit

[Figure: IP Header | AH Header | [Old IP Header] | IP payload, with the ICV coverage marked]
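
The ICV rule and the IPv4 Payload Length rule from the previous slide, worked through as an added example that is not from the original slides. It assumes an IPv4 packet without options, HMAC-SHA-1 truncated to 96 bits as the ICV algorithm, and the mutable IPv4 field list of RFC 2402 (TOS, flags, fragment offset, TTL, header checksum); the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # assumption: HMAC-SHA-1 truncated to 96 bits as the ICV algorithm

def ipv4_header(src: bytes, dst: bytes, ttl: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, protocol 51 (AH), checksum left at 0."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, ttl, 51, 0, src, dst)

def ah_header(spi: int, seq: int, icv: bytes = bytes(ICV_LEN)) -> bytes:
    """Next Header (6 = TCP), Payload Len, Reserved, SPI, Sequence Number, ICV."""
    words = (12 + len(icv)) // 4                 # AH length in 32-bit words
    return struct.pack(">BBHII", 6, words - 2, 0, spi, seq) + icv

def compute_icv(key: bytes, ip_hdr: bytes, ah: bytes, data: bytes) -> bytes:
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                                   # TOS: mutable in transit
    hdr[6:8] = b"\x00\x00"                       # flags, fragment offset: mutable
    hdr[8] = 0                                   # TTL: mutable
    hdr[10:12] = b"\x00\x00"                     # header checksum: mutable
    ah_zeroed = ah[:12] + bytes(len(ah) - 12)    # Authentication Data set to zero
    mac = hmac.new(key, bytes(hdr) + ah_zeroed + data, hashlib.sha1)
    return mac.digest()[:ICV_LEN]

def build_packet(key, src, dst, ttl, spi, seq, data) -> bytes:
    ah = ah_header(spi, seq)
    ip = ipv4_header(src, dst, ttl, len(ah) + len(data))
    return ip + ah_header(spi, seq, compute_icv(key, ip, ah, data)) + data

def verify_packet(key: bytes, pkt: bytes) -> bool:
    ip, rest = pkt[:20], pkt[20:]
    ah_len = (rest[1] + 2) * 4 if len(rest) > 1 else 0   # invert Payload Length
    if ah_len != 12 + ICV_LEN or len(rest) < ah_len:
        return False
    ah, data = rest[:ah_len], rest[ah_len:]
    return hmac.compare_digest(ah[12:], compute_icv(key, ip, ah, data))

# Constructed sample values (documentation addresses, demo key).
KEY, SRC, DST = b"constructed-demo-key", bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
PACKET = build_packet(KEY, SRC, DST, ttl=64, spi=0x1000, seq=1, data=b"constructed payload")

if __name__ == "__main__":
    hop = bytearray(PACKET)
    hop[8] -= 1                                  # a router decrements TTL
    bad = PACKET[:-1] + bytes([PACKET[-1] ^ 1])  # payload altered in transit
    print(verify_packet(KEY, bytes(hop)), verify_packet(KEY, bad))
```

A TTL or checksum change in transit still verifies, while a change to the source address, the AH fields or the payload does not.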

ESP Packet

- Payload data: IP, TCP, UDP packet
- Pad Length in bytes
- Next Header: Type of payload (TCP, UDP, ...)
- Authentication Data: Integrity Check Value over ESP packet

Summary

- DES and 3DES are out. AES is current standard for encryption
- SHA-1 is older secure hash function
- SSL provides security at the session layer
- IPSec provides authentication and/or encryption

Reading Assignment

- Read Chapter 21 of Stallings 7th edition
- Read RFC 2402 (AH), RFC 2406 (ESP)

Homework

- Submit answer to Exercise 21.13a in Stallings' 7th edition