Network Security
Refik MOLVA, Institut Eurécom
B.P. 193F-06904 Sophia Antipolis Cedex - France
Network Security - R. Molva - Institut Eurecom 2002 2
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Security Services
ISO standard 7498-2 defines :
security services and mechanisms in the context of OSI
function placement in OSI layers
does not cover the security of standalone systems.
authentication
access control
confidentiality
integrity
non-repudiation
Services vs. Layers
1. Application Layer Security
finest granularity (user and program verification)
end-to-end security
non-transparent to applications
2. Transport Layer
medium level granularity (end-users are not visible)
end-to-end security
transparent to applications
3. Network Layer
low granularity
no end-to-end security (hop-by-hop security relies on intermediate systems)
transparent to applications
4. Physical Layer
like network layer security, plus ease of integration
limited functionality (hardware only)
Cryptography
The art of writing in or deciphering secret code by transforming the message content.
Different from steganography which aims at hiding the message without transforming it.
Cryptology = Cryptography (encryption, decryption) + Cryptanalysis (code breaking)
Cryptography is the building block for most security mechanisms.
Symmetric Cryptography
[figure: P -> E -> C -> D -> P, the same secret key K used by E and D]
The same key is required both for encryption and decryption
Secrecy of K is essential
requirement for secret key management using an on-line trusted third party (TTP)
K must be shared by at least two parties
no signature
secret-key based
DES
[figure: 64-bit input, initial permutation IP, 16 rounds R1..R16 keyed with sub-keys k1..k16, final permutation IP-1, 64-bit output; E (encryption) applies the rounds with k1..k16, D (decryption) applies them with k16..k1]
IP : initial permutation, IP-1(IP(x)) = x
Ri : key-dependent functions
ki : 16 sub-keys (48 bits) (key schedule), result of shift and select operations on 56-bit K
Advanced Encryption Standard (AES)
• Rijndael - Winner of an extensive selection process
• New encryption standard (FIPS 197) - replacement to DES – May 26, 2002
• Triple DES is still a valid standard (FIPS 46-3)
• Key size: 128, 192, or 256 bits
• 10, 12 or 14 rounds, depending on the key size.
• byte-oriented cipher operations in each round
• Round function:
– 8x8 S-box applied to each byte
– rows of the array shifted
– columns of the array mixed
– subkey bytes XORed into each byte of the array
– column mixing is omitted in the last round.
AES-Rijndael Performance
• “…a machine that could recover a DES key in a second then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.”
• Key setup time
– 200 keys /msec in 32 bit C / Apple G4 PowerPC
• Encryption speed
– 52 Mbits/s in 32 bit C / Apple PowerPC
– 4.8 Mbits/s in Java / Intel Pentium Pro 200
Asymmetric Cryptography
[figure: P -> E -> C -> D -> P, E under the public key K’, D under the secret key K; public-key cryptography]
Different keys for encryption and decryption
Each user has a secret key (K) and a public key (K’)
No shared secret between the origin and the recipient
no need to manage secret keys but integrity of K’ must be assured with an off-line trusted third party (TTP)
digital signature is possible
Asymmetric Cryptography
each user U has a secret key KSU and a public key KPU
everybody can access KPU (public database)
only U knows KSU
[figure: public database with entries Name : A, Key : KPa / Name : B, Key : KPb / Name : C, Key : KPc; the sender looks up (A, KPa), sends EKPa(message) to A, and A decrypts it with KSa]
DKSu(EKPu(x)) = x and EKPu(DKSu(x)) = x
Asymmetric Cryptography
Public-key algorithms are based on one-way functions.
One-way functions (OWF)
f : X -> Y is one-way if f(x) is easy to compute for all x in X but for essentially all y in Im(f) it is computationally infeasible to find x in X such that f(x) = y.
[figure: x in X -> f -> y = f(x); the reverse direction f-1 is infeasible]
Example : discrete exponential (Diffie-Hellman)
f(x) = a^x mod n is easy to compute
f-1(y) = log_a y is infeasible
Trapdoor OWF
f is a trapdoor one-way function if
f is a OWF with the additional property that
given some extra information called trapdoor it becomes easy to compute the reverse of f (x such that f(x) = y).
Example : f(x) = x^5 mod n
n= pq , p and q are large primes
f is a OWF (it is infeasible to compute f-1)
but if p and q are known f-1 becomes easy to compute (cf. RSA).
No proof of existence for OWF.
Security of public-key schemes is based on OWF.
no proof of security for public-key schemes
The DIFFIE-HELLMAN Algorithm
Known by A : x        Public : a, p        Known by B : y
A -> B : a^x mod p
B -> A : a^y mod p
A computes : (a^y)^x mod p = a^yx mod p
B computes : (a^x)^y mod p = a^xy mod p
pioneer of public key algorithms
A and B set a shared secret (a^xy mod p) without exchanging secret information.
a^xy mod p can be used as a secret key with a symmetrical algorithm to encrypt data.
relies on the difficulty of computing discrete log.
RSA
message structured in n bit blocks
for each block P of cleartext :
encryption: C = P^e mod r
decryption: P = C^d mod r
main property (non-trivial):
(x^e)^d ≡ (x^d)^e ≡ x (mod r)
security relies on the choice of r, e and d
RSA - Principle
1. pick two very large (100 digits) prime numbers p,q
2. compute r = pq
3. compute φ(r) = (p-1) (q-1)
4. pick e, small number, coprime with φ(r), e < φ(r)
5. compute d : d.e ≡ 1 (mod φ(r))
Why (x^e)^d ≡ (x^d)^e ≡ x (mod r) ?
Euler's Theorem: a^φ(r) ≡ 1 (mod r), hence a^(m.φ(r)+1) ≡ a (mod r)
from 5. : d.e = e.d = m.φ(r)+1
so : (x^e)^d ≡ (x^d)^e ≡ x (mod r)
Note : the message x must be invertible mod r for Euler's theorem to apply; the property can be demonstrated for general x using Chinese Remaindering.
RSA - Example
1. p = 17, q = 13
2. r = 221
3. φ(r) = (p-1) (q-1) = 192
4. e = 11
5. d = 35 , d.e ≡ 1 (mod 192)
[figure: P = 123 -> E with e = 11 : C = 123^11 mod 221 = 115 -> D with d = 35 : P = 115^35 mod 221 = 123]
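The five key-generation steps and the worked numbers above (p = 17, q = 13, e = 11, P = 123) as an added example, not code from the original slides; it also checks the main property in both orders, the second of which is what a digital signature relies on.

```python
# Added example (not from the original slides): textbook RSA following
# steps 1-5 of the "RSA - Principle" slide, run on the slide's numbers
# p = 17, q = 13, e = 11 -> r = 221, phi(r) = 192, d = 35, P = 123 -> C = 115.
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 2-5: r = pq, phi = (p-1)(q-1), e coprime with phi, d = e^-1 mod phi."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    r = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(r) and gcd(e, phi(r)) = 1")
    d = pow(e, -1, phi)          # step 5: d.e = 1 (mod phi(r)); needs Python >= 3.8
    return (e, r), (d, r)        # public key (e, r), private key (d, r)


def rsa_encrypt(block, pub):
    e, r = pub
    if not 0 <= block < r:
        raise ValueError("a cleartext block must be smaller than r")
    return pow(block, e, r)      # C = P^e mod r


def rsa_decrypt(block, priv):
    d, r = priv
    return pow(block, d, r)      # P = C^d mod r


def main_property_holds(x, pub, priv):
    """(x^e)^d = (x^d)^e = x (mod r); the d-then-e order is the signature use."""
    e, r = pub
    d, _ = priv
    return pow(pow(x, e, r), d, r) == x and pow(pow(x, d, r), e, r) == x


def slide_example():
    """Returns the slide's public key, private key, ciphertext and recovered P."""
    pub, priv = rsa_keygen(17, 13, 11)
    c = rsa_encrypt(123, pub)
    return pub, priv, c, rsa_decrypt(c, priv)


if __name__ == "__main__":
    pub, priv, c, p = slide_example()
    print("public key (e, r) =", pub, " private key (d, r) =", priv)
    print("C = 123^11 mod 221 =", c, " P = C^35 mod 221 =", p)
    print("main property holds for every block in Z_221:",
          all(main_property_holds(x, pub, priv) for x in range(221)))
```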
RSA
512-bit chips
Origin        E/D Kb/s
CYLINK        7
CRYPTECH      17
CENT          5.3
BT            5
AT&T          19
Pijnenburg    50
security : factoring r (512 bits, 154 digits) into p and q
best known factoring algorithm : 1 M years
1000 times slower than DES in hardware
100 times slower than DES in software
El Gamal Public Key Encryption
DH key agreement in encryption
p is prime, x and y in Zp-1
a is a generator in Zp.
b = a^y mod p ; KPB = (p, a, b) is the public key. KSB = y is the secret key.
Known by B : y        Public Key : (p, a, a^y mod p)        Known by A : x (random)
Encryption : m1 = a^x mod p, m2 = m.a^xy mod p
m1 = DH key agreement + m2 = encrypted message
Decryption : m1^y = a^xy mod p, m = m2.(m1^y)^-1 mod p = m.a^xy.((a^x)^y)^-1 mod p
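The Diffie-Hellman exchange of the previous slide and the El Gamal encryption built on it, as an added example that is not part of the original slides. The toy parameters p = 23, a = 5 (a generator of Z23*) and the secrets x = 6, y = 15 are constructed for the demo.

```python
# Added example (not from the slides): Diffie-Hellman key agreement and
# El Gamal encryption on top of it. Toy parameters (p = 23, a = 5) are
# constructed for illustration; real deployments use large safe primes.
import secrets


def dh_public(a, p, x):
    """a^x mod p, the value a party publishes or sends."""
    return pow(a, x, p)


def dh_shared(received, own_secret, p):
    """(a^y)^x mod p on A's side, (a^x)^y mod p on B's side: the same a^xy mod p."""
    return pow(received, own_secret, p)


def elgamal_keygen(p, a, y=None):
    """KS_B = y in Z_{p-1}; KP_B = (p, a, b) with b = a^y mod p."""
    if y is None:
        y = 1 + secrets.randbelow(p - 2)     # random y in [1, p-2]
    return (p, a, pow(a, y, p)), y


def elgamal_encrypt(m, pub, x=None):
    """A picks a fresh random x: m1 = a^x mod p (DH half), m2 = m . a^xy mod p."""
    p, a, b = pub
    if not 0 < m < p:
        raise ValueError("message must be in [1, p-1]")
    if x is None:
        x = 1 + secrets.randbelow(p - 2)     # a new x for every message
    m1 = pow(a, x, p)
    m2 = (m * pow(b, x, p)) % p              # b^x = (a^y)^x = a^xy mod p
    return m1, m2


def elgamal_decrypt(ct, priv_y, p):
    """B recovers a^xy = m1^y and divides: m = m2 . (a^xy)^-1 mod p."""
    m1, m2 = ct
    k = pow(m1, priv_y, p)
    return (m2 * pow(k, -1, p)) % p


def run_demo():
    """Constructed run: shared secret on both sides, then one El Gamal round trip."""
    p, a = 23, 5
    x, y = 6, 15                             # A's and B's constructed secrets
    ka = dh_shared(dh_public(a, p, y), x, p)
    kb = dh_shared(dh_public(a, p, x), y, p)
    pub, sk = elgamal_keygen(p, a, y)
    ct = elgamal_encrypt(7, pub, x)
    return ka, kb, ct, elgamal_decrypt(ct, sk, p)


if __name__ == "__main__":
    ka, kb, ct, m = run_demo()
    print("A's key:", ka, " B's key:", kb, " ciphertext (m1, m2):", ct, " decrypted:", m)
```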
Symmetric vs. Asymmetric Cryptography
Symmetric Cryptography
secret key shared by (at least) two parties
Pros
key is short (64-128 bits)
fast encryption/decryption
extensive history
perfect secrecy exists
Cons
key distribution (by on-line TTP) is mandatory
no signature (possible only with additional means)
Asymmetric Cryptography
one private key, one public key per party
Pros
no requirement for secret key distribution
digital signature is possible
Cons
key is long (> 512 bits)
computationally intensive
security relies on the difficulty of number-theoretic problems, no perfect secrecy
Symmetric vs. Asymmetric Cryptography Summary
Use Asymmetric Cryptography for
key distribution (for symmetric keys)
digital signature
Use Symmetric Cryptography for
bulk data encryption
data integrity
[figure slides: a plaintext image, the same image under DES-ECB encryption, and the same image under DES-CBC encryption]
CBC Mode
Cipher Block Chaining, 64-bit blocks
Ci = EK(Pi ⊕ Ci-1)
C0 = EK(P0 ⊕ IV), IV (Initialization Vector) transmitted in cleartext
Pi = DK(Ci) ⊕ Ci-1
chaining effect : Ci depends on all the Pj with j ≤ i
last block of C : depends on all the plaintext blocks
converts DES into a stream cipher
1 E/D operation per 64 bits
[figure: encryption chain IV, P0 -> C0, ..., Pn ⊕ Cn-1 -> E under K -> Cn; decryption Cn -> D under K -> ⊕ Cn-1 -> Pn; 64-bit blocks throughout]
CBC - Error propagation
Decryption of Pi requires Ci and Ci-1
Error extension :
• error in block Ci or loss of complete block Ci
• only Pi and Pi+1 are affected
• subsequent blocks are not affected (self-synchronization)
• new vulnerability: controlled modification by the intruder - transmission error on bit i of block Cj results in loss of Pj and complementing of bit i in Pj+1.
no self-synchronization on bit slips :
• all subsequent blocks are lost
requirement for framing and error control on C
Relationship between Error Control and CBC Encryption :
[figure: two arrangements of error control around CBC, applied either outside (before E at the sender, after D at the receiver) or inside (after E at the sender, before D at the receiver)]
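The error-extension rule above, demonstrated as an added example (not code from the slides): CBC is run over a constructed 64-bit Feistel block cipher whose round function is SHA-256 (a stand-in for DES, not a real cipher), one bit of a ciphertext block is complemented, and the decryption shows that exactly Pj is lost, bit i of Pj+1 is complemented, and every later block self-synchronizes.

```python
# Added example (not from the slides): CBC over a constructed 64-bit Feistel
# cipher (8 rounds, SHA-256 round function) to show the slide's rule:
# flipping bit i of C_j garbles P_j and complements bit i of P_{j+1} only.
import hashlib

BLOCK = 8        # 64-bit blocks, as on the slide
ROUNDS = 8


def _round_function(key, i, half):
    digest = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def encrypt_block(key, block):
    """Toy Feistel cipher: keyed and invertible; for illustration only, not a real cipher."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(ROUNDS):
        left, right = right, left ^ _round_function(key, i, right)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def decrypt_block(key, block):
    right, left = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, i, left), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    """C_i = E_K(P_i xor C_{i-1}) with C_{-1} = IV; plaintext must be whole 64-bit blocks."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of 64-bit blocks")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor_bytes(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    """P_i = D_K(C_i) xor C_{i-1}: only C_i and C_{i-1} are needed for each block."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)


def flip_bit(data, bit_index):
    """Complement one bit (bit 0 = most significant bit of the first byte)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(buf)


def error_extension(key, iv, plaintext, block_j, bit_i):
    """Complement bit i of C_j in transit; return the affected block indices and
    whether P_{j+1} equals the original with exactly bit i complemented."""
    ct = cbc_encrypt(key, iv, plaintext)
    damaged = flip_bit(ct, block_j * 64 + bit_i)
    pt = cbc_decrypt(key, iv, damaged)
    blocks = [plaintext[k:k + BLOCK] for k in range(0, len(plaintext), BLOCK)]
    recovered = [pt[k:k + BLOCK] for k in range(0, len(pt), BLOCK)]
    affected = [k for k, (a, b) in enumerate(zip(blocks, recovered)) if a != b]
    next_ok = (block_j + 1 >= len(blocks)
               or recovered[block_j + 1] == flip_bit(blocks[block_j + 1], bit_i))
    return affected, next_ok


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(BLOCK)          # constructed demo values
    message = bytes(range(64))                             # 8 blocks of 64 bits
    print("affected blocks, next block = original with bit flipped:",
          error_extension(key, iv, message, block_j=2, bit_i=5))
```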
CFB Mode
Cipher Feedback
n = variable block size for C and P, n ≤ 64
1 E/D operation / n bits
s0 : initial value of the register, transmitted in cleartext
[figure: 64-bit shift register initialised with IV (s0), E under K, select n left bits, ⊕ with the n-bit P to give C; C is shifted back into the register; the decryption side uses the same E under K and shifts the received C into its own register]
OFB Mode
Output Feedback
variable quantum size (n ≤ 64)
1 E/D operation per n bits
s0 : initial value of the register, transmitted in cleartext
s0 must be different for each new message
stream cipher : one-time pad with pseudo-random number generation
[figure: 64-bit shift register initialised with IV (s0), E under K, select n left bits, ⊕ with the n-bit P to give C; the selected output bits (not C) are shifted back into the register; same structure on the decryption side]
Hash Functions
[figure: message (arbitrary length) -> h -> message digest (fixed length, n ≥ 128 bits)]
Main purpose :
Modification Detection Codes (MDC), Manipulation Detection Codes or Message Integrity Check (MIC)
Objective : data integrity with additional security means
h(m) serves as a representative of message m
if m changes, h(m) changes with high probability
Security properties :
• one-way: given y, finding x | h(x) = y is difficult.
• collision resistance : it is difficult to find x ≠ x' | h(x) = h(x').
General Model for Building Hash Functions
[figure: arbitrary length input x split into fixed length blocks x1, x2, ..., xn; H0 = fixed length constant; Hi = f(Hi-1, xi) with f the compression function; Hn = h(x) is the output (iterated hash function)]
Additional : input preprocessing by adding padding and length block
Message Authentication Codes
• Encryption of MAC
MAC = EK(h(M)) with DES or RSA
• Keyed hashing
MAC = h(K1 | M | K2)
Examples from Internet :
Keyed MD5 (RFC 1828, 08/1995)
HMAC (RFC 2104, 02/1997)
HMAC ( K , text ) = H ( K xor pad1 | H ( K xor pad2 | text ) )
[figure: Keyed MD5 over (Key + padding | IP packet | Key padding), processed in 512-bit blocks (n x 512), producing Authentication Data (128 bits)]
Data integrity
[figure: three ways to protect message integrity
1. MDC function on the message; the message is sent over an unsecured channel and the MDC over a secured channel
2. MAC function under key K; message and MAC are sent over an unsecured channel
3. MDC function followed by encryption E under key K; message and EK(MDC) are sent over an unsecured channel]
MDC = unkeyed hash
Authentication Protocols (1/2)
• Secret function of a predictable item
• Synchronization requirement
• synchronized clocks very difficult with distributed systems
how to secure a global time service ?
• counters losses
how to secure re-synchronization?
• Protocol requires only 1 message
[figure: A -> B : hK(time stamp or counter)]
Authentication Protocols (2/2)
• Secret function of an unpredictable item (nonce : random number used only once)
• No need for synchronization
• 2 messages
[figure: A -> B : N ; B -> A : hK(N)]
• Mutual authentication
[figure: A -> B : Na ; B -> A : hK(Na), Nb ; A -> B : hK(Nb)]
S/key
One-time password authentication technique based on a secure hash function
[figure: K -> h -> h(K) -> h -> h2(K) -> h -> ... -> h -> hn(K)]
K is secret
h is a public one-way hash function : it is computationally infeasible to derive hi-1(K) from hi(K)
User Authentication (the user knows K, the server stores SKu = hn(K)) :
1st Auth. Msg : U, M = hn-1(K) ; server accepts if h(M) = SKu, then SKu := M (= hn-1(K))
2nd Auth. Msg : U, M = hn-2(K) ; server accepts if h(M) = SKu, then SKu := M (= hn-2(K))
...
Only the user who knows K can generate the hi(K) values in the reverse order : hn(K), hn-1(K), hn-2(K),…, h(K)
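The S/key exchange above as an added example (not code from the slides): the server is initialised with hn(K) only, each login presents the next value of the chain in reverse order, and a value captured on the wire is rejected when replayed because h(M) no longer matches the stored SKu. SHA-256 stands in for h; the user name, K and n = 5 are constructed.

```python
# Added example (not from the slides): S/Key-style one-time passwords.
# h is SHA-256 here; secret K, user name and n are constructed demo values.
import hashlib


def h(data):
    """The public one-way hash function of the slide."""
    return hashlib.sha256(data).digest()


def h_iter(k, i):
    """h^i(K): h applied i times to K (h^0(K) = K)."""
    for _ in range(i):
        k = h(k)
    return k


class SKeyServer:
    """Holds only SK_u = h^n(K), registered by the user; it never learns K."""

    def __init__(self, user, sk_initial, n):
        self.user = user
        self.sk = sk_initial                   # SK_u = h^n(K)
        self.remaining = n - 1                 # passwords h^{n-1}(K) ... h(K)

    def authenticate(self, user, m):
        if user != self.user or self.remaining == 0:
            return False
        if h(m) != self.sk:                    # accept only if h(M) = SK_u
            return False
        self.sk = m                            # SK_u := M
        self.remaining -= 1
        return True


class SKeyUser:
    """Knows K; emits h^{n-1}(K), h^{n-2}(K), ..., h(K) in reverse order."""

    def __init__(self, user, n, k_secret):
        self.user, self.k, self.next_i = user, k_secret, n - 1

    def next_password(self):
        if self.next_i < 1:
            raise RuntimeError("chain exhausted: re-initialise with a new K")
        m = h_iter(self.k, self.next_i)
        self.next_i -= 1
        return self.user, m


def run_demo(n=5, k_secret=b"constructed secret K"):
    """Two logins, a replay of the first captured value, then the rest of the chain.
    Returns the list of login results and whether the replay was accepted."""
    server = SKeyServer("alice", h_iter(k_secret, n), n)   # registration of h^n(K)
    user = SKeyUser("alice", n, k_secret)
    results = []
    first_u, first_m = user.next_password()
    results.append(server.authenticate(first_u, first_m))
    results.append(server.authenticate(*user.next_password()))
    replay_accepted = server.authenticate(first_u, first_m)   # captured on the wire
    for _ in range(n - 3):
        results.append(server.authenticate(*user.next_password()))
    return results, replay_accepted


if __name__ == "__main__":
    print("logins:", run_demo()[0], " replay accepted:", run_demo()[1])
```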
Passive Devices
storage of non-secret verification value W in the device
W = OWF(S), S is a secret kept by the user
verification by a reader
authentication:
- user enters secret value S
- reader computes V = OWF(S)
- reader compares V with W stored in the device
magnetic stripe cards
cards with a memory chip
Active Devices
Able to run cryptographic algorithms and strong authentication protocols
Eliminate the risk of exhaustive attacks and replay on the PIN
1. Personal computers
2. Tokens
3. Smart cards
Principle :
PIN-based verification of the user by the personal device. PIN is not disclosed outside the protected area.
Personal device runs the authentication protocol on behalf of the user through untrusted environments. Strong authentication protocols resist attacks from a hostile public environment.
Tokens
User : relay between (untrusted) public terminal and the personal token
+ : cheap and easy to retrofit on existing systems
- : ergonomics
[figure: Authentication Server <-> public terminal <-> User <-> Token]
Smart Cards
Communication between smart card and authentication server is transparent for the user
After the user verification, the smart card runs the strong authentication protocol :
• symmetrical (DES) or asymmetrical (RSA) algorithm
• nonce-, time stamp-, or counter-based
The card can perform other services :
• data encryption
• digital signature
• message integrity
Advanced smart cards include :
• an operating system
• a file system with access control
• a Java virtual machine
+ : the most secure and user-friendly
- : cost of deployment, retrofitting : a reader is required on each terminal
Digital Signature
Generation of A’s signature on message M:
S= EKSa(h(M))
h is an unkeyed hash function (MD5, SHA-1, . . .)
KSa is A’s private RSA key
Verification of A’s signature by any other party:
compute h(M) and, using A’s public key KPa, check if
DKPa(S) = h(M)
Key Management
Most security mechanisms are based on cryptography.
Cryptography requires:
generation, distribution, storage, archival, deletion, . . .
of (secret and public) keys
Key Generation
random number generation problem
· a random bit generator can be used to generate random numbers
· a random bit generator outputs a sequence of statistically independent and unbiased bits.
Solutions :
· physical sources : biased, de-skewing is necessary, impractical
· pseudorandom bit generators : based on a truly random binary sequence of length k, generate a sequence of length l >> k using a deterministic algorithm.
The output sequence appears to be random.
Among all possible outputs (if it were truly random) only a fraction 2^k/2^l can be generated.
The goal is to expand the truly random "seed" to a longer pseudorandom sequence.
Pseudorandom Bit Generators (PRBG)
Security properties:
• resistance to statistical tests : the output of a pseudorandom bit generator should not be distinguishable from a truly random sequence of the same length by a polynomial-time algorithm.
• resistance to next-bit test : the next bit of the output sequence cannot be predicted from the bit sequence that is already generated using a polynomial-time algorithm.
• the two conditions are equivalent
• a PRBG that fulfills one of these properties is said to be cryptographically secure.
• in addition the k-bit seed must be large enough so that an exhaustive search over possible seeds is infeasible.
Ex : linear congruence xn = a.xn-1 + b mod p is not secure because given a partial output sequence, the remainder of the output bits can be predicted.
RSA-based Cryptographically Secure PRBG
n = pq, e are defined like in the basic RSA algorithm.
Generation of an l bit pseudorandom sequence :
1. pick a random integer x0 in [1, n-1] as the seed
2. For i from 1 to l do
2.1. xi := xi-1^e mod n
2.2. zi := the least significant bit of xi
output sequence = [z1, z2, …, zl]
The security property (resistance to next-bit test) is proven based on the difficulty of factorization.
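The RSA-based generator above next to the linear-congruence counter-example of the previous slide, as an added example that is not code from the slides: the RSA PRBG follows steps 1 to 2.2 literally, and for the linear congruence the multiplier and increment are recovered from three consecutive outputs (p known), after which every later output is predicted. Toy modulus n = 221, e = 11 and the LCG constants are constructed values.

```python
# Added example (not from the slides): the slide's RSA PRBG and, for
# contrast, why x_n = a.x_{n-1} + b mod p fails the next-bit test.
# All parameters are constructed toy values.
from math import gcd


def rsa_prbg(n, e, seed, l):
    """Output l bits: x_i = x_{i-1}^e mod n, z_i = least significant bit of x_i."""
    if not 1 <= seed <= n - 1:
        raise ValueError("seed x0 must be in [1, n-1]")
    x, bits = seed, []
    for _ in range(l):
        x = pow(x, e, n)          # step 2.1
        bits.append(x & 1)        # step 2.2
    return bits


def lcg(a, b, p, x0, count):
    """The slide's insecure generator: x_n = a.x_{n-1} + b mod p."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % p
        out.append(x)
    return out


def lcg_recover(outputs, p):
    """Recover (a, b) from three consecutive outputs when p is known:
    x2 - x1 = a.(x1 - x0) mod p, so a = (x2 - x1).(x1 - x0)^-1 and b = x1 - a.x0."""
    x0, x1, x2 = outputs[:3]
    diff = (x1 - x0) % p
    if gcd(diff, p) != 1:
        raise ValueError("x1 - x0 is not invertible mod p; take other outputs")
    a = ((x2 - x1) * pow(diff, -1, p)) % p
    b = (x1 - a * x0) % p
    return a, b


def predict_next(outputs, p, how_many):
    """Predict the next outputs of the LCG from a partial output sequence."""
    a, b = lcg_recover(outputs, p)
    return lcg(a, b, p, outputs[-1], how_many)


if __name__ == "__main__":
    print("RSA PRBG bits (n=221, e=11, x0=5):", rsa_prbg(221, 11, 5, 16))
    p = 2147483647                                  # constructed prime modulus
    stream = lcg(16807, 12345, p, 42, 10)
    print("recovered (a, b):", lcg_recover(stream[:3], p))
    print("prediction matches:", predict_next(stream[:3], p, 7) == stream[3:])
```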
Practical Secure PRBGs
Use one-way hash functions.
random_number_n = h(s + n), n = 0, 1, 2, … ; s is the secret seed.
predictable after re-initialization
the initialization must be randomized :
(Kerberos) K’ = DESK(universal time), Rn = DESK’(n), n = 0, 1, 2, … ; based on the secret key K
These PRBGs are not cryptographically secure because there is no proof of the PRBG security property but they are sufficiently secure for most applications.
Key Distribution
• Symmetrical cryptography
distribution of secret keys
key distribution must assure the confidentiality of secret keys
key distribution service must be on-line
• Asymmetrical cryptography
distribution of public keys
key distribution must assure the integrity of public keys
key distribution service can be off-line
Distribution of Secret Keys
Problem : how to distribute a secret session key Kab to parties A and B who do not share a secret channel ?
Complexity : a new session key is needed for each new session and per security function (authentication, data confidentiality, integrity)
Alternatives (n: number of parties) :
• Manual : complexity of initial key installation : O(n^2)
• Hybrid scheme (O(n))
• Algorithmic (O(n))
• Key server (O(n))
Hybrid scheme
Use public-key crypt
ography to distribute secret session keys.
Use secret key (symmetrical) cryptography for bulk data encryption.
[figure: A (holds KSa) -> B (holds KSb) : A, EKPb(Kab, t, A, ...), MAC under KSa ; then data exchange with Kab using any symmetrical cryptography mechanism]
Algorithmic Key Distribution
Perfect forward secrecy: breaking any long-term key (signature key) does not threaten the secrecy of past session keys (Kab).
No forward secrecy with the hybrid scheme.
[figure: signed Diffie-Hellman exchange, g and p public
A : pick random x, compute g^x mod p
B : pick random y, compute g^y mod p
A -> B : MA = g^x mod p, SignatureA(MA)
B -> A : MB = g^y mod p, SignatureB(MB)
B : verify SignatureA(MA), compute Kab = (g^x)^y mod p
A : verify SignatureB(MB), compute Kab = (g^y)^x mod p]
Key distribution with a key server
Trust in key server:
• security of session keys
• entity authentication
[figure: A (holds Ka), B (holds Kb), Key Server (holds Ka and Kb)
1. A -> Key Server : I am A, I want a key to communicate with B
2. Key Server -> A : Here are the envelopes for A and B
3. A -> B : Here is the shared key, prove that you are B
4. B -> A : Here is my proof, prove that you are A
5. A -> B : Here is my proof
A and B share the same key]
Key distribution with a key server
Kab: session key ; Ka, Kb: terminal keys
Trust in key server:
• Kab is fresh and kept secret
B (resp. A) believes: whoever proves knowledge of secret Kab is A (resp. B).
Key distribution must be strongly linked with authentication.
[figure: A (holds Ka), B (holds Kb), Key Server (holds Ka and Kb)
1. A -> Key Server : A, B
2. Key Server -> A : EKa(Kab, t, B, ...), EKb(Kab, t, A, ...)
3. A -> B : A, Na, EKb(Kab, t, A, ...)
4. B -> A : EKab(Na), Nb
5. A -> B : EKab(Nb)
then : data security mechanism using Kab]
Public-key Integrity Problem
The integrity of public keys must be assured.
Solutions :
• Authentication trees
• Public-key certification
Problem :
[figure: intruder X impersonates B towards A
X generates KSx and KPx
X -> A : I am B, here is my public key KPx
A -> X : EKPx(secret data destined to B)
X decrypts the secret data using KSx]
Identity Certificate
Public Key certificate of entity A (key=KPa) created by X:
• signed by trusted party X using secret key KSx
• can be checked by using public key KPX
Prerequisite for verifying a certificate: KPX must be known and trusted.
• identity certificates are required for all services implemented using public-key encryption (entity authentication, data origin authentication, data integrity, non-repudiation of origin, key distribution)
• the security of these services entirely relies on the validity (integrity) of the certificate that includes the public key.
• Contrary to a common belief, a certificate alone does not prove anything; it must be used together with a mechanism like an authentication protocol through which the owner of the public key demonstrates his knowledge of the corresponding private key.
CX(KPa) = (KPa, IDa, t, ..., RSAKSx(h(KPa, IDa, t, ...)))
TTP Functions
• Certification Authority (CA)
• Registration Authority (RA)
• Name Service
• Certificate Directory
• Key Generator
Certification Scenario
Key pair generated by user
[figure: User, KG (key generator), RA, CA, Certificate Directory
1. key pair (generated at the user side by KG)
2. User -> RA : identity validation, public-key (proof of knowledge of private key)
3. RA -> CA : name, public-key (integrity-protection, entity authentication)
4. CA -> Certificate Directory : Certificate]
Certificate Chains
Problem:
A and B belong to domains managed by CA X and CA Y.
No direct cross certificate exists between X and Y.
But cross certificates exist from Y to Z and from Z to X.
[figure: Domain 1 (CA = X, A trusts KPX), Domain 2 (CA = Y, B trusts KPY), Domain 3 (CA = Z); the certificates CX(Z), CZ(Y) and CY(B) are available from the directories, and B's chain towards A is CX(Z), CZ(Y), CY(B)]
A gets KPZ by verifying CX(Z) using KPX that is trusted a priori. He gets KPY by verifying
CZ(Y) using KPZ. He finally verifies B' s public-key in CY(B) using KPY.
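The chain walk above as an added example (not code from the slides): A holds only KPX a priori, the directories offer CX(Z), CZ(Y) and CY(B), and the resolver verifies each certificate with the key obtained from the previous step. Certificates are modelled as textbook RSA signatures over a SHA-256 digest of (subject, public key), with constructed toy primes; validity periods and revocation are left out.

```python
# Added example (not from the slides): resolving B's public key through
# C_X(Z), C_Z(Y), C_Y(B) starting from the a-priori trusted KP_X.
# Toy RSA keys (constructed 5-digit primes); e = 65537 is coprime with
# (p-1)(q-1) for all primes below 65537, so key generation cannot fail here.
import hashlib


def keygen(p, q, e=65537):
    """Toy RSA pair: KP = (e, n), KS = (d, n). Constructed primes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def digest(subject, public_key, n):
    """h(subject, KP) reduced mod the signer's n so it fits one RSA block."""
    data = f"{subject}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(issuer, issuer_ks, subject, subject_kp):
    """C_issuer(subject) = (subject, KP_subject, issuer, RSA_KSissuer(h(subject, KP_subject)))."""
    d, n = issuer_ks
    return {"subject": subject, "key": subject_kp, "issuer": issuer,
            "sig": pow(digest(subject, subject_kp, n), d, n)}


def verify(cert, issuer_kp):
    """Check the signature with the issuer's public key."""
    e, n = issuer_kp
    return pow(cert["sig"], e, n) == digest(cert["subject"], cert["key"], n)


def resolve_key(target, trusted, certs, _seen=None):
    """Return target's public key if a verified chain leads back to a trusted key,
    else None. trusted: {name: KP} known a priori; certs: available certificates."""
    if target in trusted:
        return trusted[target]
    seen = _seen if _seen is not None else set()
    if target in seen:
        return None                      # cycle of cross certificates, give up
    seen.add(target)
    for cert in certs:
        if cert["subject"] != target:
            continue
        issuer_kp = resolve_key(cert["issuer"], trusted, certs, seen)
        if issuer_kp is not None and verify(cert, issuer_kp):
            return cert["key"]           # verified: the key becomes usable
    return None


def run_demo():
    """Returns (chain verifies, forged cert rejected, chain without C_X(Z) rejected)."""
    kp_x, ks_x = keygen(10007, 10009)
    kp_z, ks_z = keygen(10037, 10039)
    kp_y, ks_y = keygen(10061, 10067)
    kp_b, _ = keygen(10069, 10079)
    kp_m, ks_m = keygen(10091, 10093)          # intruder's key pair
    certs = [issue("X", ks_x, "Z", kp_z),      # C_X(Z)
             issue("Z", ks_z, "Y", kp_y),      # C_Z(Y)
             issue("Y", ks_y, "B", kp_b)]      # C_Y(B)
    forged = issue("Y", ks_m, "B", kp_m)       # names Y as issuer, signed by the intruder
    a_trusts = {"X": kp_x}                     # A trusts KP_X a priori
    return (resolve_key("B", a_trusts, certs) == kp_b,
            resolve_key("B", a_trusts, certs[:2] + [forged]) is None,
            resolve_key("B", a_trusts, certs[1:]) is None)


if __name__ == "__main__":
    print("chain ok, forgery rejected, broken chain rejected:", run_demo())
```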
Hierarchical Model
Alternative domain partitionings:
• single domain: all chains start at Root; all users trust a priori only KPRoot.
• multiple domains: chain between two domains start from the closest common node; each user trusts a priori his closest authority and Root.
Drawbacks:
• certificate chains can be too long
• lack of centralization in real life situations
[figure: tree with Root at the top, intermediate authorities X, Y, Z, W, and users A, B, C, D at the leaves; an arrow U -> V means U issues CU(V)]
Internet Security Directions
Cryptographic security
protect only sensitive resources using logical means
Pros
• flexible (service type and security level)
• end-to-end (application and user security)
• no impact on global network
Cons
• deployment (retrofitting in end-systems)
• cost of migration (protocol impact)
[figure: Internet protocol stack (Data Link, IP, TCP/UDP, OSPF, DNS, SNMP, RIP, BGP, HTTP, SMTP, FTP, TELNET, e-commerce) with a secure virtual channel using cryptography across the Internet]
Internet Security Directions
Domain Control
Isolate trusted network from untrusted Internet by filtering traffic across the border
Pros
• no impact on the intranet components
• no impact on application software and users
• ease of deployment for company intranets
Cons
• impediment to the global network concept
• no end-to-end security
• insufficient for e-commerce applications
[figure: Internet (untrusted) - Filter - Intranet (trusted)]
Filtering Components
Traffic filtering based on (combination of) :
• packet filters
• application gateways
• circuit gateways
Packet Filters
• Function integrated with packet forwarding
• Principle:
– for each IP packet received from a local interface
– check the packet against the set of access rules
– forward, discard and/or log the packet according to the result of the rule-based verification
• Access rules are based on (a selection of):
– information of the TCP/IP header:
- source and destination IP addresses
- source and destination port numbers
- protocol type (TCP/UDP)
- flags (ACK, SYN)
– the identity of the incoming interface
– direction of the packet (in/out)
• implemented by
– router (CISCO)
– IP forwarding algorithm in a host (Linux)
– dedicated device (Firewall-1 Checkpoint, Screend, etc.)
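The rule-based verification described above as an added example (not code from the slides): a first-match rule set over the header fields the slide lists (addresses, ports, protocol, ACK/SYN flags, incoming interface, direction) with a logged default-deny. The intranet prefix, host addresses and the rule set are constructed for the demo.

```python
# Added example (not from the slides): a minimal packet filter that checks
# each packet against an ordered rule set and forwards, discards and/or logs
# it. Addresses, rules and packets are constructed demo values.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp" or "udp"
    sport: int
    dport: int
    flags: set = field(default_factory=set)      # TCP flags, e.g. {"SYN"}, {"ACK"}
    iface: str = "ext"                           # incoming interface
    direction: str = "in"                        # "in" or "out"


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    direction: Optional[str] = None
    require_ack: bool = False                    # only segments of established connections
    log: bool = False
    comment: str = ""

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction)
                and (not self.require_ack or "ACK" in p.flags))


class PacketFilter:
    """First matching rule decides; no match means deny, and that is always logged."""

    def __init__(self, rules):
        self.rules = rules
        self.log_lines = []

    def decide(self, p):
        summary = f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.iface}/{p.direction}"
        for n, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.log:
                    self.log_lines.append(f"rule {n} {rule.action}: {summary} ({rule.comment})")
                return rule.action
        self.log_lines.append(f"default deny: {summary}")
        return "deny"


INTERNAL = "10.1.0.0/16"                          # constructed intranet prefix

RULES = [
    Rule("deny", src=INTERNAL, iface="ext", direction="in", log=True,
         comment="anti-spoofing: internal source address arriving on the external interface"),
    Rule("allow", dst="10.1.0.25/32", proto="tcp", dport=25, iface="ext", direction="in",
         comment="inbound SMTP to the mail relay"),
    Rule("allow", src=INTERNAL, iface="int", direction="in", proto="tcp",
         comment="TCP initiated from the intranet"),
    Rule("allow", dst=INTERNAL, proto="tcp", iface="ext", direction="in", require_ack=True,
         comment="replies to intranet-initiated TCP connections (ACK set)"),
    Rule("deny", proto="tcp", dport=23, log=True, comment="telnet is never accepted"),
]


if __name__ == "__main__":
    pf = PacketFilter(RULES)
    for pkt in [Packet("198.51.100.7", "10.1.0.25", "tcp", 4444, 25, {"SYN"}),
                Packet("198.51.100.7", "10.1.0.50", "tcp", 4444, 23, {"SYN"}),
                Packet("203.0.113.9", "10.1.0.50", "tcp", 80, 40000, {"ACK"}),
                Packet("10.1.2.3", "10.1.0.50", "tcp", 4444, 80, {"SYN"})]:
        print(pf.decide(pkt), pkt)
    print("\n".join(pf.log_lines))
```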
Application Gateways
Opposite approach to packet filtering:
Instead of a general purpose mechanism for all kinds of traffic, a special purpose access control mechanism is used for each application.
• Idea:
Application gateway is a proxy server. Each proxy server acts as an intermediary between the client and the actual server. Proxy server performs various verifications on the application protocol between the client and server.
Generic operation of an application gateway:
• the client first connects to proxy server
• proxy server performs authentication and access control verification
• if the client is authorized, proxy server connects to the actual destination
• further communication between the client and the actual server is relayed through the proxy server and some optional filtering can be applied on the data exchange.
An application gateway is a process, not a host. There is an application gateway for each application protocol that is authorized.
Application gateways can be combined with a packet filter.
Application Gateways
Simpler Packet Filtering
Basic model for packet filtering with application gateways:
[figure: Packet Filter with Interface 1 to Network 1 (untrusted), Interface 2 to Network 2 (trusted), Interface 3 to the Application Gateway Host; only authorized connections, relayed by the gateway, cross between the two networks]
Circuit Gateways
generic proxy for all TCP based applications
Basic principle:
• client-server connections are forced to pass through the gateway by a change in the transport layer software of the client.
• relaying takes place at the transport layer (TCP).
• the layers above TCP (application) are not affected at all.
Encapsulation of client-server connection by client-gateway connection:
[figure: Client -> GW : Connection request (data = server name) ; GW : Verification ; GW -> Server : Connection request ; Server -> GW : Connection response ; GW : establish relay ; GW -> Client : Connection response ; Data relayed between Client and Server through GW]
Packet filtering Firewall
• Router blocks all or most access to internal network.
• Router can allow selective access to services.
• Usually inherently dangerous services such as NIS, NFS, X11 are blocked
[figure: Local Network - Packet Filter Router - Internet]
Dual-Homed Gateway
• Gateway host has a separate interface (network adapter) to each network.
• Packet (IP) forwarding on the gateway is disabled.
• Proxy server performs application layer access control.
Default condition: only traffic authorized by application gateways can cross the boundary
In a simple setup proxy servers for telnet, ftp, http and a mail server can be located on the firewall.
[figure: Local Network - Firewall (bastion host running the proxy servers) - Internet]
Screened Host Firewall
• packet filter "forces" all inbound packets to connect to the gateway or "bastion host".
• packet filter lets out only packets from the gateway.
• Proxy servers perform application layer access control.
Main difference from Dual-homed Gateway:
no true network isolation
[figure: Internet - Packet Filter Router - Local Network containing the Firewall (Bastion Host with Proxy Servers) and the Open Services]
Screened Subnet Firewall
Buffer Subnet = De-militarized Zone (DMZ)
• Internal packet filter "forces" all exit packets to connect to the gateway.
• External packet filter "forces" all entry packets to connect to the gateway or to open services.
• External packet filter lets out only packets from the gateway or from open services.
• Internal packet filter lets in only packets from the gateway.
• Proxy servers perform application layer access control.
[figure: Local Network - Internal Packet Filter Router - De-militarized Zone (Bastion Host with Proxy Servers, Open Services) - External Packet Filter Router - Internet]
Other Useful Tools
• TCP_WRAPPER
– host-based access control and logging for TCP-based services
– located at each host
– integrated with inetd
• Tripwire
– host-based integrity verification
– detects modification of essential files
– based on hashing
• SATAN, ISS
– vulnerability testing on UNIX networks
– based on well-known security flaws
• COPS
– vulnerability testing on UNIX systems
• ISS Real Secure, Netranger, etc.
– network intrusion detection
– based on traffic analysis and recognition of well-known attack sequences
Cryptographic Security
[figure: TCP/IP protocol stack with its security layers: Data Link Layer (ATM, xDSL, Ethernet; ARP, RARP) ; Internet Layer Security (Internet Protocol; ICMP, IGMP, OSPF) ; Routing Security (Routing Information Protocol, EGP, BGP) ; Transport Layer Security (Transmission Control Protocol, User Datagram Protocol; SNMP, Domain Name System)]
Internet Layer Security Architecture
IPsec
RFC 2401 - Architecture Document
• IP Authentication Header (IP AH)
• IP Encapsulating Security Payload (ESP)
• Keyed Hash Functions
• Key management and Security Associations
• No protection for ARP in IPv4
• Secure equivalent in IPv6 using ICMP
IP Authentication Header
Cryptographic Authentication for IPv4 and IPv6 Datagrams
RFC 2402
Services provided:
• support for variable functions and parameters (SPI)
• data origin authentication
• data integrity
• replay detection
Services not provided:
• confidentiality
• traffic secrecy
• denial of service detection
Network Security - R. Molva - Institut Eurecom 2002 78
IP AH
[Figure: AH format, 32 bits per row (bit positions 0, 8, 16, 24): Next Header / Payload Length / Reserved; Security Parameter Index (SPI); Sequence Number; Authentication Data (variable length). The Authentication Data is the output of a keyed secure hash function computed over the whole IP datagram with the mutable fields, and the Authentication Data field itself, set to zero.]
IP AH
• Transport mode AH placement in the IP datagram:
  IPv4: Original IP Header | AH | TCP | Data
  IPv6: Original IP Header | Hop-by-hop extensions | AH | End-to-end extensions | TCP | Data
  Coverage of authentication: the whole datagram except the mutable fields.
• Tunnel mode AH placement in the IP datagram:
  Encapsulating IP Header | AH | Original IP Header + Extension fields | TCP | Data
  Coverage of authentication: the whole encapsulated datagram, plus the encapsulating header except its mutable fields.
IP AH
Secure hash function alternatives:
• Keyed MD5 (RFC 1828): Authentication Data (128 bits) = MD5(Key + padding | IP packet | Key + padding), the input being processed in n x 512-bit blocks
• HMAC (RFC 2104):
  $\mathrm{HMAC}(K, \text{text}) = H\big((K \oplus \text{pad}_2)\,\|\,H((K \oplus \text{pad}_1)\,\|\,\text{text})\big)$
  with $\text{pad}_1$ the inner pad (ipad) and $\text{pad}_2$ the outer pad (opad)
• Asymmetric or symmetric encryption of the MD5 output
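The AH slides above (header format, mutable fields, keyed hash) as a worked example. This is added code, not the course's, and it assumes HMAC-SHA1-96 (RFC 2404) as the keyed hash, transport mode over a plain IPv4 header, and constructed addresses, key and payload. It shows why the mutable fields must be zeroed: a router decrementing the TTL leaves the ICV valid, while any change to the payload or to the addresses breaks it. The receiver-side replay window is the mechanism behind the "replay detection" service.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12            # HMAC-SHA1 output truncated to 96 bits (RFC 2404)

def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234, checksum=0):
    # 20-byte IPv4 header without options. The checksum is mutable and is
    # excluded from the ICV anyway, so it is left as given here.
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, 0,
                       ttl, proto, checksum, src, dst)

def zero_mutable_ipv4(hdr):
    # TOS, flags/fragment offset, TTL and header checksum change in transit
    # (or are recomputed), so RFC 2402 zeroes them before hashing.
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_header, spi, seq, icv):
    # Payload Len = AH length in 32-bit words minus 2 (RFC 2402):
    # 3 words of fixed fields + 3 words of ICV -> 4
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, next_header, spi, seq, payload):
    # ICV = keyed hash over: IP header with mutable fields zeroed ||
    # AH with the Authentication Data field zeroed || upper-layer payload
    covered = (zero_mutable_ipv4(ip_hdr)
               + ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
               + payload)
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_datagram(key, src, dst, spi, seq, next_header, payload, ttl=64):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len, ttl=ttl)
    icv = ah_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload

def verify_ah_datagram(key, dgram):
    ip_hdr = dgram[:20]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", dgram[20:32])
    ah_len = (payload_len + 2) * 4
    icv, payload = dgram[32:20 + ah_len], dgram[20 + ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, next_header, spi, seq, payload))

class AntiReplayWindow:
    """Receiver-side replay detection (RFC 2402, 3.4.3): a sliding bitmap of
    the last `size` sequence numbers, anchored at the highest one accepted."""
    def __init__(self, size=64):
        self.size, self.top, self.bits = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                     # 0 is never sent on an SA
        if seq > self.top:                   # new high: slide the window
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bits >> offset) & 1:
            return False                     # too old, or already received
        self.bits |= 1 << offset
        return True
```

The window is updated only after the ICV check succeeds, otherwise an attacker could spend the receiver's window with forged packets; the order "verify, then check_and_update" is the caller's responsibility here.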
IP Encapsulating Security Payload
RFC 2406
Services provided:
• data confidentiality
• data integrity with replay detection
• traffic confidentiality (optional)
[Figure: ESP format, 32 bits per row (bit positions 0, 8, 16, 24): Security Parameter Index (SPI); Sequence Number; Payload (variable); Padding; Authentication Data (variable). Coverage of confidentiality: Payload and Padding. Coverage of authentication: SPI, Sequence Number, Payload and Padding, i.e. everything except the Authentication Data.]
IP ESP
[Figure: ESP placement and coverage.
Transport mode, IPv4: Original IP Header | SPI, Seq.Nr. (ESP header) | TCP, Data, Padding (ESP payload) | Auth. Data (ESP trailer).
Transport mode, IPv6: Original IP Header | Hop-by-hop extensions | SPI, Seq.Nr. | end-to-end extensions, TCP, Data, Padding | Auth. Data.
Tunnel mode: New IP Header | new extensions | SPI, Seq.Nr. | Original IP datagram (original IP Header, TCP, Data), Padding | Auth. Data.
In every case the coverage of confidentiality is the ESP payload and padding, and the coverage of authentication is the ESP header, payload and padding; the outer IP header is never protected by ESP.]
End-to-end security with IPsec
[Figure: Host 1 and Host 2 communicating across the Internet or an intranet, with one or more SAs applied to the same traffic stream.
Transport mode: IP1 | AH | ULH, IP1 | ESP | ULH, or both combined as IP1 | AH | ESP | ULH.
Tunnel mode: IP2 | AH | IP1 | ULH or IP2 | ESP | IP1 | ULH.]
IP1: original IP header; IP2: encapsulating IP header; ULH: Upper Layer Header.
Simple virtual private network with IPsec
[Figure: Host 1 in one intranet and Host 2 in another; the security gateways SG1 and SG2 at the intranet borders set up a tunnel mode SA across the Internet. Inside the intranets the datagram is IP1 | ULH; between SG1 and SG2 it is IP2 | AH | IP1 | ULH or IP2 | ESP | IP1 | ULH.]
Remote access with IPsec
[Figure: Host 1 on the Internet reaches Host 2 inside the intranet through the security gateway SG. Two SAs are combined: SA1 between Host 1 and SG, and SA2 end-to-end between Host 1 and Host 2, carried inside SA1.]
Internet Security Architecture
[Figure: the same protocol stack as on the Cryptographic Security slide (Data Link Layer, ARP/RARP, Internet Protocol with ICMP, IGMP, OSPF, TCP and UDP, SNMP, DNS, RIP, EGP, BGP), now highlighting Transport Layer Security next to Internet Layer Security and Routing Security.]
Transport Layer Security (TLS) Protocol
RFC 2246
Based on Secure Sockets Layer (SSL) from Netscape Communications
Services provided:
• peer entity authentication
• data confidentiality
• data integrity (with replay detection)
• generation/distribution of session keys
• security parameter negotiation
Two sub-layers:
• TLS Record Protocol
• TLS Handshake Protocol
• the Record sub-layer encapsulates Application Data and the Handshake Protocol
TLS Handshake Protocol
Session negotiation between peer transport entities. A session consists of:
• session Id
• X.509 public-key certificate of the peer
• compression algorithm
• encryption algorithm
• MAC algorithm (MD5, SHA, etc.)
• cryptographic attributes
- Session data are used by the TLS Record Layer for encryption and integrity protection of higher layer protocols
- A session can be reused by several transport connections.
[Figure: handshake message flow. Client to Server: ClientHello. Server to Client: ServerHello, Certificate, ServerKeyExchange. Client to Server: Certificate, ClientKeyExchange. Application Data then flows in both directions.]
WWW Security
Vulnerabilities:
• HTTP: risks due to communication over the Internet
• CGI: a malicious script can expose server resources
• Java: a malicious applet can expose client resources
[Figure: browser and server, each with local resources; the browser runs the applet, the server runs the CGI gateway program invoked through an HTTP URL.]
HTTP and CGI Security
Client-server communication:
• Standard: authentication of the client by the server
  – base64-encoded cleartext passwords (HTTP Basic authentication)
  – domain-based access control
  – per subtree of the HTML document directory
• application layer: Secure HTTP
• transport layer: SSL from Netscape (see Transport Layer Security)
• proxy server to filter traffic at the domain boundary
CGI:
• restricted access to the cgi-bin directory
• verification of user-provided parameters in the CGI scripts
• limited use of the setuid bit with CGI scripts
• limited use of process creation in CGI scripts
• hide the source of CGI scripts from the net
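The two CGI rules "verify user-provided parameters" and "limit process creation" side by side, as an added example (not code from the course). The script is a hypothetical greeting gateway whose `name` value stands for a `?name=` query parameter; `echo` is used as the external command so the example runs anywhere.

```python
import re
import subprocess

def greet_vulnerable(name):
    # Vulnerable: the parameter is interpolated into a shell command line, so
    # shell metacharacters in `name` are interpreted by /bin/sh and a value such
    # as "alice; id" runs a second command with the web server's privileges.
    cmd = "echo Hello, " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Positive validation (assumed policy): a name is 1-32 characters drawn from an
# explicit alphabet. Everything else is rejected; there is no attempt to strip
# or escape metacharacters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,31}")

def validate_name(name):
    return NAME_RE.fullmatch(name) is not None

def greet_hardened(name):
    if not validate_name(name):
        raise ValueError("invalid name parameter")
    # No shell involved: the argument vector goes straight to execve, so even a
    # value that slipped past validation cannot become a second command.
    return subprocess.run(["echo", "Hello,", name],
                          capture_output=True, text=True).stdout
```

Validation and the argv form are independent defences: the regular expression limits what reaches the program, and the absence of a shell removes the interpreter that would have given the metacharacters meaning. The best application of the slide's "limited use of process creation" is of course to not spawn a process at all when the script can produce the answer itself.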
Mobile Code
A malicious applet (executable content) can cause:
- disclosure of client information
- modification of client information
- denial of service on client resources
Flexibility and power at the cost of higher risk
[Figure: an applet downloaded over the network runs inside the browser on the client and calls the local libraries.]
Java Security
Language features:
• object-oriented data encapsulation
• type-safety
• final attribute
• absence of pointers
• garbage collection
• namespace encapsulation
Protection against malicious Applets: Sandbox Approach
Bytecode Verifier converts bytecode from the network into a local class, checking:
• stack overflows
• pointers
• access restrictions
• object and method access
Class Loader
• protects the integrity of local classes
• forces class import from the origin node
• signature verification by a subtyped SignedClassLoader
Security Manager
• access control by the runtime environment (browser)
• consulted by the other objects before a sensitive operation
Multicast Security
• Key Management
• Data Origin Authentication
• Data Confidentiality
Key Management
• Security requirements
  – membership (JOIN/LEAVE) security
  – containment (the compromise of one part of the group does not expose the rest)
• Scalability
  – processing cost
  – membership dynamics
• No group-wide re-key message
  – treat the group as a single entity
• Existing algorithms:
  – one key for the whole group
  – the group is a set of subgroups: different keys in each subgroup
Multicast Key Management
• Keygraphs [Wong et al. 98]
[Figure: binary key tree over 8 users.
          K0
     K1234        K5678
   K12    K34    K56    K78
  K1 K2  K3 K4  K5 K6  K7 K8
  u1 u2  u3 u4  u5 u6  u7 u8 ]
K0 = Group Key
u4's keys = {K4, K34, K1234, K0}: its individual key and every key on the path to the root
u4 JOINS: trivial
u4 LEAVES: every key u4 knew, except its own K4, is replaced, and each new key is sent encrypted under a key u4 does not hold:
  {K34', K1234', K0'}K3 → u3
  {K1234', K0'}K12 → u1, u2
  {K0'}K5678 → u5, u6, u7, u8
advantage: the number of re-key messages is logarithmic in the group size
disadvantage: there is no containment.
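The LEAVE re-keying of the keygraph slide, as an added example rather than code from the paper. Keys are random byte strings; "encryption of a key under another key" is modelled by a message tagged with the wrapping node, which a receiver can open only if it holds that node's key. That modelling, and the node naming by root-to-leaf bit strings, are assumptions of the example; the message set it produces for a leaving u4 is exactly the one on the slide.

```python
import os

class KeyGraph:
    """Binary key tree over 2**depth users. Node ids are bit strings giving
    the path from the root: "" is K0, "0" is K1234, "01" is K34, "011" is K4."""
    def __init__(self, depth):
        self.depth = depth
        self.keys = {}
        for level in range(depth + 1):
            for i in range(1 << level):
                self.keys[self._node(i, level)] = os.urandom(16)

    @staticmethod
    def _node(i, level):
        return format(i, f"0{level}b") if level else ""

    def path(self, user):
        # nodes from the user's leaf up to the root
        leaf = self._node(user, self.depth)
        return [leaf[:k] for k in range(self.depth, -1, -1)]

    def user_keys(self, user):
        return {node: self.keys[node] for node in self.path(user)}

    def leave(self, user):
        """Replace every key on the leaving user's path except its own leaf key.
        Returns the re-key messages as (wrapping_node, {node: new_key})."""
        path = self.path(user)
        for node in path[1:]:                      # all ancestors of the leaf
            self.keys[node] = os.urandom(16)
        messages = []
        for k in range(1, len(path)):
            # The sibling of the node one level down still holds a key the
            # leaving user never had; it wraps the new keys from here upward.
            child = path[k - 1]
            sibling = child[:-1] + ("1" if child[-1] == "0" else "0")
            messages.append((sibling, {anc: self.keys[anc] for anc in path[k:]}))
        return messages

def process_rekey(held_keys, messages):
    """Receiver side: open every message whose wrapping key is held and
    replace the corresponding keys."""
    held = dict(held_keys)
    for wrapping, new_keys in messages:
        if wrapping in held:
            held.update(new_keys)
    return held
```

For 8 users the leave of u4 yields three messages wrapped under K3, K12 and K5678, i.e. depth many, which is the logarithmic cost claimed on the slide; every remaining user ends up with exactly the new keys on its path, and u4 cannot open any of the messages. The "no containment" remark also shows: any member who leaks K0 exposes the whole group's traffic regardless of where it sits in the tree.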
Multicast Key Management: Sub-group approach
• Iolus [Mittra, 97]
• intermediate nodes are involved in key distribution
[Figure: a GSC at the top of a tree of GSIs; each GSI manages a subgroup with its own key (K1 to K6).]
GSC (Group Security Controller) defines the subgroups and the GSIs
GSI (Group Security Intermediary): 1 - decrypts M with the key of the group it receives from; 2 - re-encrypts M with the key of the other group it belongs to.
advantage: containment + scalability
disadvantage: the GSIs have to be trusted (they see M in clear)
Multicast Key Management: Sub-group Approach
• [Molva et al. 99]
• Based on asymmetric algorithms
[Figure: tree of intermediate elements holding secret exponents a1 to a7, with the source at a1 and a subgroup of recipients below a7.]
Source sends:
$\{M\}_{S_0},\qquad T_1 = (S_0)^{a_1} \bmod p$
Recipients in subgroup 4 hold:
$S_4 = (S_0)^{a_1 a_2 a_3 a_7} \bmod p$
Multicast Key Management (4/4)
• MARKS [Briscoe 99]
[Figure: binary tree of seeds. Root t0; children t1 = L(t0) and t2 = R(t0); then t3 = L(t1), t4 = R(t1), t5 = L(t2), t6 = R(t2); leaves t7 to t14 below t3 to t6. The leaves are the segment keys k1 to k8 (k1 = t7, ..., k8 = t14).]
L and R are one-way functions (derivation of the left and of the right child).
Access to the segments s4 to s8 is granted by giving out t2 and t10: k4 = t10; k5 = L(L(t2)); etc.
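The MARKS construction above, as an added example (not Briscoe's code). L and R are realised as HMAC-SHA256 of the parent seed with the labels "L" and "R", an assumption of the example; any pair of independent one-way functions works. Segment indices are 0-based, so the slide's access to k4..k8 is the range 3..7, and the sender's job is to find the roots of the maximal aligned subtrees that cover exactly that range.

```python
import hashlib
import hmac

def one_way(seed, label):
    # the slide's L and R: one-way derivation of a child seed from its parent
    return hmac.new(seed, label, hashlib.sha256).digest()

_TO_LR = str.maketrans("01", "LR")
_TO_BITS = str.maketrans("LR", "01")

class MarksTree:
    def __init__(self, root_seed, depth):
        self.root, self.depth, self.n = root_seed, depth, 1 << depth

    def node(self, path):
        # seed of the node reached from the root by the given L/R path
        s = self.root
        for step in path:
            s = one_way(s, step.encode())
        return s

    def key(self, i):
        # leaf i: its index in binary, 0 -> L and 1 -> R
        return self.node(format(i, f"0{self.depth}b").translate(_TO_LR))

    def seeds_for_range(self, a, b):
        """Seeds handed to a receiver entitled to segments a..b (inclusive):
        the roots of the maximal aligned subtrees covering the range."""
        cover, i = [], a
        while i <= b:
            size = self.n
            while size > 1 and (i % size or i + size - 1 > b):
                size //= 2                   # shrink until aligned and inside the range
            levels = self.depth - (size.bit_length() - 1)
            path = "" if levels == 0 else format(i // size, f"0{levels}b")
            path = path.translate(_TO_LR)
            cover.append((path, self.node(path)))
            i += size
        return cover

def derive_keys(seeds, depth):
    """Receiver side: expand every seed down to the segment keys it covers.
    Nothing outside the covered subtrees can be derived, since L and R are
    one-way and the receiver never sees a parent seed."""
    keys, stack = {}, list(seeds)
    while stack:
        path, seed = stack.pop()
        if len(path) == depth:
            keys[int(path.translate(_TO_BITS), 2)] = seed
        else:
            stack.append((path + "L", one_way(seed, b"L")))
            stack.append((path + "R", one_way(seed, b"R")))
    return keys
```

Any contiguous range of 2**depth segments needs at most 2*depth seeds, which is what makes the scheme attractive for pay-per-view style subscriptions: the sender does no re-keying when a receiver's subscription ends, the keys simply run out.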
Broadcast Encryption (2/3)
• k-resilient scheme [Fiat et al. 1994]
[Figure: sender S broadcasting to users u1, u2, u3, ..., un.]
Every user ui is assigned a set of keys Ki
S sends {M}K and a key envelope to a user set T
Each user in T retrieves K from the key envelope using Ki
Mathematically proven k-resilient: no coalition of up to k users outside T can recover K.
Broadcast encryption (3/3)
• f-redundant key cover schemes [Abdalla et al. 2000]
[Figure: a universe U of users u2 to u13 covered by overlapping user sets K1 to K5, one key per set.]
U = universe of users ui
Kj = sets of users (one key per set)
$k(u_i) = \{K_j \mid u_i \in K_j\}$, the keys held by user ui
S → {u2, u6, u10, u12}: M
S computes Cmin(K), the minimal key cover of the destination set, and sends the same message encrypted under each key in Cmin(K).
=> f-redundancy: some users outside the intended destination group will be able to access M
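A worked key cover for the slide's destination set, added here as an example (not code from the paper). The user sets are constructed to resemble the figure, the greedy selection is an assumption of the example (the paper's Cmin(K) is the true minimum, which the exhaustive helper computes for small instances), and the point shown is the trade-off the slide names: fewer encryptions of M against more outsiders who can read it.

```python
from itertools import combinations

# Constructed user sets, one key per set (an assumption made for the example).
KEY_SETS = {
    "K1": {"u2", "u3", "u4", "u5"},
    "K2": {"u5", "u6", "u7", "u8"},
    "K3": {"u8", "u9", "u10", "u11"},
    "K4": {"u11", "u12", "u13", "u2"},
    "K5": {"u6", "u10", "u12", "u4"},
}

def keys_of(user, key_sets=KEY_SETS):
    # k(u_i): the keys of every set the user belongs to
    return {k for k, members in key_sets.items() if user in members}

def greedy_cover(dest, key_sets=KEY_SETS):
    """Pick, each round, the key covering most still-uncovered destinations,
    breaking ties in favour of the key that leaks M to fewest outsiders."""
    dest, uncovered, cover = set(dest), set(dest), []
    while uncovered:
        best = max(key_sets, key=lambda k: (len(key_sets[k] & uncovered),
                                           -len(key_sets[k] - dest)))
        if not key_sets[best] & uncovered:
            raise ValueError("destination set cannot be covered")
        cover.append(best)
        uncovered -= key_sets[best]
    return cover

def min_cover(dest, key_sets=KEY_SETS):
    """Cmin(K): the smallest cover, found by exhaustive search (exponential in
    the number of keys, fine for a handful of them)."""
    dest = set(dest)
    for size in range(1, len(key_sets) + 1):
        for combo in combinations(sorted(key_sets), size):
            if set().union(*(key_sets[k] for k in combo)) >= dest:
                return list(combo)
    raise ValueError("destination set cannot be covered")

def redundancy(cover, dest, key_sets=KEY_SETS):
    """Users who can decrypt M although they are not in the destination set."""
    reached = set().union(*(key_sets[k] for k in cover))
    return reached - set(dest)
```

Both covers cost two encryptions of M instead of four individual ones, and both leak the message to three outsiders; which outsiders is decided by the cover, which is why a sender may prefer a cover that is not minimal when some sets contain users it particularly wants to exclude.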
Data Encryption (1/3)
• [Pannetrat et al. 2002] Based on the same idea as the key distribution algorithm using intermediate nodes
• Symmetric encryption in XOR-Counter mode
  – several layers of encryption are applied at the source and removed at the recipients
  – only two operations in the intermediate elements: one decryption and one encryption
Data Encryption (2/3)
• Link Model
[Figure: a chain of intermediate elements P1 to P7 between the source and the recipients. The source encrypts m under the keys k1, k2, k3. Each intermediate element removes one layer with the key it shares with the previous hop and adds one layer with the key it shares with the next hop (k1 replaced by k4, k2 by k5, k3 by k6, k4 by k7), so that on every link m is still under three layers. The recipients remove the last three layers with k5, k6, k7.]
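The link model above as runnable code, added here as an illustration and not the paper's implementation. The keystream is derived as SHA-256 over key, counter and block index, standing in for a block cipher in counter mode (an assumption; the scheme only needs each layer to be an XOR with a key-dependent keystream). Because XOR layers commute, an intermediate element can strip the layer of the previous hop and add its own without ever seeing m, which is the property the slide's "one decryption, one encryption" relies on.

```python
import hashlib

def keystream(key, counter, length):
    # Counter-mode keystream stand-in (assumption): SHA-256(key || counter || block)
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor_layer(data, key, counter):
    # In XOR-counter mode encryption and decryption are the same operation.
    return bytes(a ^ b for a, b in zip(data, keystream(key, counter, len(data))))

def source_encrypt(m, keys, counter):
    c = m
    for k in keys:
        c = xor_layer(c, k, counter)
    return c

def intermediate(c, remove_key, add_key, counter):
    # exactly one decryption and one encryption, as on the slide
    return xor_layer(xor_layer(c, remove_key, counter), add_key, counter)

def recipient_decrypt(c, keys, counter):
    for k in keys:
        c = xor_layer(c, k, counter)
    return c

def relay_chain(m, counter=1):
    """Link model of the slide: the source holds k1, k2, k3; the four hops
    replace k1->k4, k2->k5, k3->k6, k4->k7; the recipients hold k5, k6, k7.
    Returns the recovered plaintext, the ciphertext seen on each link, and
    the (constructed) keys."""
    k = {i: hashlib.sha256(f"k{i}".encode()).digest() for i in range(1, 8)}
    links = [source_encrypt(m, [k[1], k[2], k[3]], counter)]
    for removed, added in [(1, 4), (2, 5), (3, 6), (4, 7)]:
        links.append(intermediate(links[-1], k[removed], k[added], counter))
    return recipient_decrypt(links[-1], [k[5], k[6], k[7]], counter), links, k
```

The counter must never be reused with the same key for two different messages, as with any XOR-based mode; a fresh counter per message is assumed by the caller. Note also that, unlike Iolus, no intermediate element holds enough keys to reach m: after the first hop it knows k1 and k4 only, and the message is still under k2 and k3.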
Data Encryption (3/3)
• Group Model
[Figure: a tree of intermediate elements instead of a chain; on each branch one key of the layered encryption is replaced independently (e.g. k2 by k10 on one branch, k2 by k5 on another), so the recipients of different subtrees end up with different key sets (k5, k6, k7 on one branch; k5, k6, k8 and k3, k4, k10 on others).]
Multicast Authentication (1/4)
• Requirements
  – A multiparty problem
    • one source and an unlimited number of recipients
    • the source does not trust the recipients => the authentication technique must be asymmetric (a shared MAC key would let any recipient forge packets)
  – A packet streaming problem
    • individual authentication of each packet
    • authentication of packet sequences
    • cost per packet
    • packet loss rate
    • real time
• A digital signature per packet is not a practical solution
  • 1 digital signature for a set of packets
  • packet chaining using hash functions
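"One signature for a set of packets, chained with hash functions", as an added example that is not code from the course. Each packet carries the hash of the packet that follows it (together with that packet's own link), so that only the first link needs a signature. A Lamport one-time signature is used as the asymmetric primitive because it needs nothing but a hash function; any signature scheme would do, and the packet contents are constructed.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def lamport_keygen():
    # 256 pairs of secrets; the public key is their hashes. One-time use only.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, digest):
    # reveal, for each bit of the digest, the pre-image matching that bit
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, digest, sig):
    bits = int.from_bytes(digest, "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

def sign_stream(sk, packets):
    """Chain the packets back to front: packet i carries the link
    h_{i+1} = H(packet_{i+1} || h_{i+2}); only h_1 is signed."""
    link = b""                              # nothing follows the last packet
    chained = []
    for p in reversed(packets):
        chained.append((p, link))
        link = H(p + link)
    chained.reverse()
    return lamport_sign(sk, link), chained  # link is now h_1

def verify_stream(pk, signature, chained):
    """Receiver side: returns the prefix of packets that authenticate.
    The chain stops at the first packet that was tampered with or lost."""
    if not chained:
        return []
    p0, l0 = chained[0]
    expected = H(p0 + l0)
    if not lamport_verify(pk, expected, signature):
        return []
    accepted = []
    for p, link in chained:
        if H(p + link) != expected:
            break
        accepted.append(p)
        expected = link
    return accepted
```

The weakness visible in the test is the one that motivates the [Pannetrat et al. 2002] slide later in this section: a single lost packet breaks the chain for everything after it, unless the links are protected by redundancy such as an erasure code.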
Multicast Authentication (2/4)
• TESLA [Perrig et al. 2000]
• Lamport's hash chaining, as in S/Key:
  $K_0, K_1, K_2, \ldots, K_n$ with $K_i = h(K_{i+1})$
• Authenticated multicast message sent during time interval i:
  $M_i,\ \mathrm{MAC}(K_i, M_i),\ K_{i-1}$
• $M_i$ is authenticated using a later message in the stream (the one that discloses $K_i$)
• Loose time synchronization is required to detect replays and late packets: $K_j$ is only valid in interval $I_j$
• The first message is asymmetrically authenticated using a digital signature (it commits the receivers to $K_0$).
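The TESLA exchange above with both sides' logic, added as an example and not the paper's code. Time is an integer interval number passed in explicitly (a stand-in for the loosely synchronised clocks the slide requires), the key disclosure delay is one interval, and the commitment $K_0$ is assumed to have reached the receiver authentically, i.e. the signed first message of the slide is not shown. Messages are constructed.

```python
import hashlib
import hmac
import os

def h(x):
    return hashlib.sha256(x).digest()

def make_chain(n):
    """K_n is random and K_i = h(K_{i+1}); K_0 is the commitment."""
    chain = [None] * (n + 1)
    chain[n] = os.urandom(32)
    for i in range(n - 1, -1, -1):
        chain[i] = h(chain[i + 1])
    return chain

class Sender:
    def __init__(self, chain):
        self.chain = chain

    def send(self, i, msg):
        # interval i: MAC under K_i, disclose K_{i-1} (delay d = 1)
        mac = hmac.new(self.chain[i], msg, hashlib.sha256).digest()
        return (i, msg, mac, self.chain[i - 1] if i > 0 else None)

class Receiver:
    def __init__(self, k0):
        self.known = {0: k0}          # authenticated keys, by interval
        self.pending = []             # (i, msg, mac) waiting for K_i
        self.accepted = []

    def receive(self, pkt, now):
        i, msg, mac, disclosed = pkt
        # Security condition: the packet must arrive before the sender can have
        # disclosed K_i, i.e. before interval i+1; otherwise anyone who saw the
        # disclosure could have forged the MAC, so the packet is dropped.
        if now > i:
            return "late"
        if disclosed is not None:
            self._learn(i - 1, disclosed)
        self.pending.append((i, msg, mac))
        self._check_pending()
        return "buffered"

    def _learn(self, j, key):
        # authenticate a disclosed K_j by hashing it forward to a known key;
        # a forged disclosure simply fails this check and is ignored
        anchor = max(self.known)
        if j <= anchor:
            return
        k = key
        for _ in range(j - anchor):
            k = h(k)
        if k == self.known[anchor]:
            self.known[j] = key

    def _check_pending(self):
        still = []
        for i, msg, mac in self.pending:
            if i not in self.known:
                still.append((i, msg, mac))
            elif hmac.compare_digest(hmac.new(self.known[i], msg, hashlib.sha256).digest(), mac):
                self.accepted.append((i, msg))
            # a packet whose MAC fails under the authenticated K_i is discarded
        self.pending = still
```

The "late" branch is the whole security argument: the MAC key is symmetric, so authenticity rests only on the receiver being sure that the key had not yet been published when the packet arrived. With a disclosure delay of one interval the clock error between sender and receiver must be smaller than an interval.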
Multicast Authentication (3/4)
• [Pannetrat et al. 2002]
[Figure: a stream of packets P is split into blocks; the hashes of the packets of a block are chained and protected by two erasure codes (E.C.1, E.C.2) and a single signature (Sign) for the block.]
Advantages:
• spread the cost of a signature over several packets
• erasure code to tolerate losses
• no need to send duplicate hash values
Multicast Authentication (4/4)
• Alternative feedback schemes
[Figure: three packet streams illustrating alternative ways of chaining the authentication information across packets.]
Thank You