Week 10, Lecture 1: NWEN 304 Advanced Network Applications

Post on 16-Oct-2021

Jyoti Sahni, jyoti.sahni@ecs.vuw.ac.nz

Upcoming Evaluations - I

• Group Project Progress Presentation

• Thursday 30 September (11 a.m. to 1:00 p.m.) and Friday 01 October 2021 (11:00 a.m. to 01:00 p.m.)

• CO 246

• Schedule uploaded on the course wiki.

• Email by September 27 if your team wishes to present remotely over Zoom

• What are you supposed to present

• What are you building

• Identified modules to work on

• Division of work among the team members

• Progress made so far

Upcoming Evaluations - II

Term Test – II

• When : Wednesday, October 6 2021

• 4:10 p.m. to 5:10 p.m.

• Where : HULT220

• Syllabus: Everything covered after Mid-term break

• I do not have a sample test paper

• I will list the topics and what all you need to know in those topics in the course wiki by September 22, 2021

Security – Under the hood

Threats on the Web

Security – Key Components

• Confidentiality: protect information from unauthorized access and misuse.

• How is confidentiality maintained:

  • Authorized access: Verify identity of the user before granting access

• What if communication channel / server gets compromised? Data sent / stored in encrypted form

  • Data at rest: Cryptographic functions

  • Data in transit: Secure channel (TLS - HTTPS)

Security – Key Components

• Integrity is the characteristic that alterations to a system’s assets can be made only in an authorized way.

• We trust the data if we trust:

• its origin (how/from whom was it obtained?)

• how it was protected before it arrived at our machine

• how it was protected in transit to our machine

• how it is protected on our machine

Recap: One way Hash functions - Message Digests

• Are a primary way of establishing integrity

• Message digest (hash)

  • Given message P it is easy to compute MD(P)

  • Given a message digest x, it is infeasible to find a message P such that MD(P) = x

  • It is infeasible to find two messages, P1 and P2, such that MD(P1) = MD(P2)

• Often involves use of Salt

Recap: Message Authentication using One Way Hash functions

How is Integrity Maintained

• Message Hashes and Digital Signatures are used to establish Data and Origin Integrity

• Where are the public keys posted and how do we verify the owner of the key?

• We use Certification Authorities to validate the public key mapping to an entity/identity

Availability

The owner of the website can be attacked as well.

• Some websites have been defaced; the files that make up the website content have been remotely accessed and modified without authorization.

Websites have also been subject to Denial of Service (DoS) attacks, during which would-be customers are unable to access the website because it is being overwhelmed by bogus requests.

A loss of availability is the disruption of access to or use of information or an information system.

Recap: Foundations: Internet Protocol Suite

[Figure: OSI Layers, TCP/IP Layers and TCP/IP Protocols side by side]

• OSI Application, Presentation and Session Layers ↔ TCP/IP Application Layer (HTTP, FTP, TELNET, SMTP, DNS)

• OSI Transport Layer ↔ TCP/IP Transport Layer (TCP, UDP)

• OSI Network Layer ↔ TCP/IP Internet Layer (IP)

• OSI Data Link and Physical Layers ↔ TCP/IP Network Interface Layer (Ethernet, Token Ring, ATM)

Recap: Foundations: Internet Protocol Suite

[Figure: Host A and Host B each with Application, Transport, Internet and Network Interface Layers; the Router between them with Internet and Network Interface Layers only]

Communication goes down to physical network

Then from network peer to peer

Then up to relevant layer

How is availability Maintained

• DoS attacks are segregated by which layer of the Open Systems Interconnection (OSI) model they attack.

• They are most common at:

• Network (layer 3)

• Transport (Layer 4)

• Presentation (Layer 6) and

• Application (Layer 7) Layers.

• Protection: Firewalls, Replication (not always preventable)

• Recent DoS attack in NZ: https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/: Used HTTP pipelining

Integrity case study: Certificates

Example: Certifying a Public Key

• Certification authorities issue certificates and bind the key owner's identity to the key.

[Figure: information about Bob's identity (name, address etc.) and Bob's public key $K_B^{+}$ have a digital signature added with the CA private key $K_{CA}^{-}$, giving a certificate signed with the certification authority’s key]

Certificate Essentials

• At its minimum, a certificate assigned to a user consists of the user’s public key, the identifier of the key owner, a time stamp (in the form of a period of validity), etc.

• The whole block is encoded with the CA’s private key, and is referred to as the CA having signed the certificate.

• A certificate issued to party A is essentially:

$C_A = E(K_{CA}^{-}, [T, ID_A, K_A^{+}])$

Certificate verification

• When A presents his/her certificate to party B,

• B can verify the legitimacy of the certificate by decrypting it with the CA’s public key.

• Successful decryption authenticates both the certificate supplied by A and A’s public key.

• X.509 Standard defines the format of public key certificates

Single Point of Failure

• Subverting the certification authority breaks the scheme, and Malice can now claim to be Bob

[Figure: Malice’s public key $K_M^{+}$ is placed in a certificate with information about Bob's identity (name, address etc.); verifying the certificate with the CA public key $K_{CA}^{+}$ answers "Yes – valid", so Malice’s public key is used to communicate with Bob]
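The certificate check and the single point of failure described above, as an added example that is not part of the lecture. It assumes a constructed toy CA key (textbook RSA over two Mersenne primes, unpadded) and signs a SHA-256 hash of the block [T, ID_A, K+_A] rather than the block itself; the names `issue`, `verify` and `demo` are hypothetical.

```python
import hashlib

# Constructed toy CA key pair: textbook RSA over two known Mersenne primes.
# Far too small and unpadded for real use; it only makes the algebra visible.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # K-_CA, the CA's private exponent
CA_PUBLIC = (E, N)                   # K+_CA, known to every verifier


def digest(validity, owner_id, owner_key, n):
    """Hash the certificate body [T, ID_A, K+_A] to an integer below n."""
    body = f"{validity}|{owner_id}|{owner_key}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def issue(validity, owner_id, owner_key, d=D, n=N):
    """CA side: bind owner_id to owner_key by signing with the private key."""
    sig = pow(digest(validity, owner_id, owner_key, n), d, n)
    return {"T": validity, "ID": owner_id, "key": owner_key, "sig": sig}


def verify(cert, ca_public=CA_PUBLIC):
    """Verifier side: undo the signature with K+_CA and compare to the body."""
    e, n = ca_public
    expected = digest(cert["T"], cert["ID"], cert["key"], n)
    return pow(cert["sig"], e, n) == expected


def demo():
    bob = issue("2021-10-01/2022-10-01", "Bob", "BOB-PUBLIC-KEY")
    # Malice swaps in her key but cannot recompute the CA's signature.
    swapped = dict(bob, key="MALICE-PUBLIC-KEY")
    # With a subverted CA (private key D in Malice's hands) the same binding
    # verifies: this is the single point of failure the slide describes.
    forged = issue("2021-10-01/2022-10-01", "Bob", "MALICE-PUBLIC-KEY")
    return verify(bob), verify(swapped), verify(forged)


if __name__ == "__main__":
    print(demo())
```

The verifier cannot tell the third certificate from a legitimate one, which is why the following slides split the CA's private key into shares.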

Threshold Cryptography

• Instead of sharing the keys, we want to allow encryption or decryption by a group.

• (t, n)-threshold cryptography configuration

• n members

• no less than t members must cooperate, can tolerate up to n-t traitors

• Widely used in financial networks, Hardware security modules (e.g. Amazon Cloud HSM)

Solution: Distribute the Private Key

• Create key shares such that t shares required for successful encryption and decryption.

• Distribute to multiple certificate authorities controlled by different people.

[Figure: the CA's private key $K_{CA}^{-}$ goes through "Create RSA shares", giving Share 1, Share 2 and Share 3 of the CA's private key: $SK_{1,CA}^{-}$, $SK_{2,CA}^{-}$, $SK_{3,CA}^{-}$]

Solution: Normal Operation

• Each certification authority computes a partial digital signature using their key share.

• Bob combines the shares together to generate a complete digital signature. Need at least t shares to create a valid signature.

[Figure: partial digital signatures over Bob’s public key $K_B^{+}$ are created with the shares $SK_{1,CA}^{-}$ and $SK_{3,CA}^{-}$ and combined together into a certificate signed with the certification authority’s key]

Solution: Preventing Subversion

• Malice wants to substitute Bob’s public key for her own.

• Malice subverts one certification authority, however, fewer than t valid shares means the generated signature is invalid and will fail when verification takes place.

[Figure: a partial signature over Malice’s public key $K_M^{+}$ is created with the share $SK_{2,CA}^{-}$ only and passed to "Combine shares together"]

Sharing Secrets

• All the secrets we have looked at involve 2 parties:

  • Sam and Alice share a key (secret) and are able to communicate.

  • Alice can read everything written using the secret, and

  • Bob can read everything written using the secret.

• Consider instead a different scenario:

  • Imagine a vault that can only be opened using a secret code.

  • Our bank has n managers who need to be able to open the vault.

  • IDEA: give the secret code (S) to all n managers.

  • RESULT: this is dangerous, as the security of the vault may be vulnerable if any one of the managers is compromised.

  • This is a 1-out-of-n scheme (1:n).

• The general problem is called secret sharing.

Secret Sharing (n:n)

• All managers are required to open the vault.

• IDEA: give S1 to manager1, S2 to the manager2, etc.

$\text{secret}(S) = S_1 \oplus S_2 \oplus \cdots \oplus S_n$

• the vault cannot be opened when fewer than n managers are present.

• Principle of separation of duties.

• RESULT: this is overly restrictive, e.g., if one of the managers is not available, then the vault cannot be opened.

Secret Sharing (2:n)

• We want a scheme such that any two of the n managers can open the vault, but any one manager cannot open the vault by himself.

• IDEA: we can use a line:

f(x) = mx + s

• The principle is to use the y-intercept as our secret (S).

• We calculate a point (or key share) for each manager: $\text{manager}_i = f(i)$.

Solving for Y (S)

[Figure: plot of a line through the share of manager 1 only]

But if we know 2 points…

[Figure: plot of the line through the shares of manager 1 and manager 2, with the y-intercept S marked]

RESULT: if we only know one point, then we learn nothing as there are an infinite number of possible solutions for S.

RESULT: if we know 2 points, then we can completely solve for the y-intercept and therefore S.

Secret Sharing (m:n)

• We want a scheme such that any m of n bank managers can open the vault, but any collection of managers fewer than m cannot, e.g., 3 from 5 managers: 2 cannot open it, but 3 can.

• IDEA: (Shamir) we can use a polynomial of the form:

$f(x) = c_{m-1}x^{m-1} + \dots + c_2x^2 + c_1x + S$

• Shamir’s algorithm is based on the fact that a polynomial of degree m-1 can be uniquely identified by m points:

• A line f(x) = mx + s (degree 1) can be identified by 2 points.

• A parabola $f(x) = c_2x^2 + c_1x + s$ (degree 2) can be identified by 3 points.

• $f(x) = c_3x^3 + c_2x^2 + c_1x + s$ (degree 3) can be identified by 4 points.

Secret Sharing (m:n)

• Here you can see the degree 2 parabola has infinite solutions when only 2 points are defined.

• With 3 points the curve is uniquely identified, and we can now work backwards to reconstruct the polynomial equation.

Secret Sharing (m:n)

The details…

• We construct a polynomial f(x) of degree m-1 using m-1 random coefficients and the secret S as the constant.

• We then pick n random x values and solve the polynomial creating n points (or key shares) of the form $(x_i, y_i)$ for the managers.

Secret Sharing (m:n)

• To retrieve the value S, we need to know at least m of the n shares (in any combination, say 3 of 5) and,

• We reconstruct the coefficients for the equation using Lagrange interpolation (see http://en.wikipedia.org/wiki/Lagrange_polynomial).

Web Traffic Security

Web Traffic Security Approaches

• HTTP is an insecure protocol since data carried over HTTP is sent in plain text.

• Any man-in-the-middle can listen to TCP communication and read your personal data transmitted over the web.

Relative location of security facilities in the TCP/IP protocol stack

* TLS has 2 possible implementations.

1. For full generality, SSL can be provided as part of underlying protocol suite (transparent to the user).

2. Or SSL can be embedded in specific packages. Virtually all browsers come equipped with TLS, and most web servers implement the protocol.

Transport Layer Security (TLS)

• Probably the Internet’s most important security protocol.

• Originally designed by Netscape for Web transactions

• Back then, called Secure Sockets Layer

• But used for just about everything you can think of:

  • HTTP

  • VPNs

  • E-mail

  • Voice/video

  • IoT

• Now maintained by the IETF

• The role of the TLS layer is to establish a secure connection with the server using a TLS handshake (after the TCP handshake) and encrypt the HTTP data using some encryption algorithms negotiated with the server.

SSL and TLS

• Netscape’s original SSL protocols:

  • 1.0 (not published due to flaws)

  • 2.0 (first official release) introduced in 1995, deprecated in 2011

  • 3.0 introduced in 1996, deprecated in 2015

• TLS built on SSL version 3.0 w/limited downgrade compatibility.

  • 1.0 introduced in 1999, deprecated in March 2020

  • 1.1 introduced in 2006, deprecated in March 2020

  • 1.2 introduced in 2008

  • 1.3 introduced in 2018

Intent: Ensure a Secure channel

• SSL/TLS provides the following services over the TCP layer:

1. Crypto negotiation: Negotiate encryption and hash methods

2. Key Exchange: Secret key exchange using public key certificates

3. Confidentiality: Encryption using secret key

4. Integrity: Message authentication using a keyed hash

TLS Protocol Architecture

2 layers of protocol

Handshake protocol: mutually authenticate and negotiate crypto parameters for a “SSL session”

Change Cipher Spec Protocol: Implement negotiated crypto parameters

Alert protocol: To convey problems

Record Protocol: apply encryption and MAC for message exchange

Simplified view of TLS

FYI: What’s in a Cipher Suite?

• Key Exchange (RSA, DHE, ECDHE, PSK, ...)

• Authentication (RSA, DSS, ECDSA, ...)

• Encryption (AES, Camellia, ...)

• MAC (MD5, SHA1, SHA256, ...)

• Basically the choice of encryption technologies that will be used.

• Client offers, Server chooses.

TLS Handshake Protocol

• Allows peers to authenticate each other.

• Negotiate an encryption and MAC algorithm.

• Exchange cryptographic keys.

TLS Handshake Protocol

Example: Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA

Server will use the RSA algorithm to encrypt the shared secret key of bulk data encryption. The bulk encryption algorithm used by both the client and the server is AES 256 bit (in CBC mode).

TLS Record Protocol

HTTPS (HTTP over SSL)

• Refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server

• The HTTPS capability is built into all modern Web browsers

• A user of a Web browser will see URL addresses that begin with https:// rather than http://

• If HTTPS is specified, port 443 is used, which invokes SSL

• When HTTPS is used, the following elements of the communication are encrypted:

  • URL of the requested document

  • Contents of the document

  • Contents of browser forms

  • Cookies sent from browser to server and from server to browser

  • Contents of HTTP header