
CS549: Cryptography and Network Security
by Xiang-Yang Li
Department of Computer Science, IIT

Notice
This lecture note (Cryptography and Network Security) is prepared by
Xiang-Yang Li. This lecture note has benefited from numerous
textbooks and online materials, especially Cryptography and
Network Security, 2nd edition, by William Stallings and
Cryptography: Theory and Practice by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative
works from, distribute, perform, display, or in any way exploit any
of the content, in whole or in part, except as otherwise expressly
permitted by the author.
The author has used his best efforts in preparing this lecture note.
The author makes no warranty of any kind, expressed or implied,
with regard to the programs, protocols contained in this lecture
note. The author shall not be liable in any event for incidental or
consequential damages in connection with, or arising out of, the
furnishing, performance, or use of these.

Network Security

Topics to be covered
Applications
  Email security
  WWW security
  Malicious software
Networks
  Wireless LAN security 802.11
  IPsec
  Firewall
  Intrusions

Email Security
Xiang-Yang Li

Electronic Mail Security


Despite the refusal of VADM Poindexter and LtCol North to
appear, the Board's access to other sources of information
filled much of this gap. The FBI provided documents taken from
the files of the National Security Advisor and relevant NSC
staff members, including messages from the PROF system
between VADM Poindexter and LtCol North. The PROF messages
were conversations by computer, written at the time events
occurred and presumed by the writers to be protected from
disclosure. In this sense, they provide a first-hand,
contemporaneous account of events.
The Tower Commission Report to President Reagan on the
Iran-Contra Affair, 1987

Email Security
email is one of the most widely used and regarded network services
currently message contents are not secure
  may be inspected either in transit
  or by suitably privileged users on destination system

Email Security Enhancements
confidentiality
  protection from disclosure
authentication
  of sender of message
message integrity
  protection from modification
non-repudiation of origin
  protection from denial by sender

Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algorithms to use
integrated into a single program
available on Unix, PC, Macintosh and Amiga systems
originally free, now have commercial versions available also

PGP
Five services
  Authentication, confidentiality, compression, email compatibility, segmentation
Functions
  Digital signature
  Message encryption
  Compression
  Email compatibility
  Segmentation

PGP Operation: Authentication
1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of message
3. hash code is encrypted with RSA using the sender's private key, and result is attached to message
4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code
5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic

PGP Operation: Confidentiality
1. sender generates message and random 128-bit number to be used as session key for this message only
2. message is encrypted, using CAST-128 / IDEA / 3DES with session key
3. session key is encrypted using RSA with recipient's public key, then attached to message
4. receiver uses RSA with its private key to decrypt and recover session key
5. session key is used to decrypt message

PGP Operation: Confidentiality & Authentication
uses both services on same message
  create signature & attach to message
  encrypt both message & signature
  attach RSA encrypted session key

PGP Operation: Compression
by default PGP compresses message after signing but before encrypting
  so can store uncompressed message & signature for later verification
  & because compression is non deterministic
uses ZIP compression algorithm

PGP Operation: Email Compatibility
when using PGP will have binary data to send (encrypted message etc)
however email was designed only for text
hence PGP must encode raw binary data into printable ASCII characters
uses radix-64 algorithm
  maps 3 bytes to 4 printable chars
  also appends a CRC
PGP also segments messages if too big

PGP Operation Summary


Segmentation & Reassembly
Email systems impose maximum length
  50 Kb, for example
PGP provides automatic segmentation
  Done after all other operations
  Thus only one session key needed

Key management
Generating unpredictable session keys
Identifying keys
  Multiple public, private key pairs for a user
Maintain keys
  Its own public, private keys of a PGP entity
  Public keys of correspondents

Session Key Generation
Algorithm used: CAST-128
Input to CAST-128
  A 128-bit key
  Two 64-bit plaintexts to be encrypted
Output using cipher feedback mode
  Generates two 64-bit ciphertexts that form the session key
Plaintexts are from a 128-bit randomized number
  Based on key strokes of user (timing and actual keys)
  Then combined with previous session key

Key Identifiers
Receiver has multiple public keys
  How to know which private key is proper?
Approach
  Sending the least significant 64 bits as key ID
  Need to send the receiver's public key ID used for encrypting the session key
  Need to send the sender's public key ID, whose corresponding private key is used for signature

Key Rings
Private key rings
  Timestamp, Key ID, public key, encrypted private key, user ID
Public key rings
  Timestamp, Key ID, public key, owner trust, user ID, key legitimacy, signature, signature trust

Public Key Management
A public key attributed to B may belong to C
  C can send messages to A and forge B's sig
  C can read any encrypted message to B
Approach to true public key
  Physically get key from B
  Obtain B's key from mutual trusted authority
  Using key legitimacy field
    computed from the signature trust field and number of certificates for the key

Revoking Public Key
Reason
  It is compromised: private key is open
  Simply to avoid use of same key for a period
Approach
  Owner issues key revocation certificate, signed by owner
  Using corresponding private key to sign the certificate
  Disseminate the certificate as widely and as quickly as possible

S/MIME (Secure/Multipurpose Internet Mail Extensions)
security enhancement to MIME email
  original Internet RFC822 email was text only
  MIME provided support for varying content types and multi-part messages
  with encoding of binary data to textual form
  S/MIME added security enhancements
have S/MIME support in various modern mail agents: MS Outlook, Netscape etc

S/MIME Functions
enveloped data
  encrypted content and associated keys
signed data
  encoded message + signed digest
clear-signed data
  cleartext message + encoded signed digest
signed & enveloped data
  nesting of signed & encrypted entities

S/MIME Cryptographic Algorithms
hash functions: SHA-1 & MD5
digital signatures: DSS & RSA
session key encryption: ElGamal & RSA
message encryption: Triple-DES, RC2/40 and others
have a procedure to decide which algorithms to use

S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates
managed using a hybrid of a strict X.509 CA hierarchy & PGP's web of trust
each client has a list of trusted CAs' certs
and own public/private key pairs & certs
certificates must be signed by trusted CAs

Certificate Authorities
have several well-known CAs
Verisign one of most widely used
Verisign issues several types of Digital IDs
with increasing levels of checks & hence trust

Class   Identity Checks      Usage
1       name/email check     web browsing/email
2+      enroll/addr check    email, subs, s/w validate
3+      ID documents         e-banking/service access

Email SPAM
Spam is flooding the Internet with many copies of the same message, in
an attempt to force the message on people who would not otherwise
choose to receive it. Most spam is commercial advertising, often for
dubious products, get-rich-quick schemes, or quasi-legal services. Spam
costs the sender very little to send -- most of the costs are paid for
by the recipient or the carriers rather than by the sender

Email Spam
E-mail spam has existed since the beginning of the Internet, and has
grown to about 90 billion messages a day, although about 80% is sent by
fewer than 200 spammers.
Botnets, virus infected computers, account for about 80% of spam.
E-mail addresses are collected from chatrooms, websites, newsgroups,
and viruses which harvest users' address books, and are sold to other
spammers

Anti-Spam Techs
Some popular methods for filtering and refusing spam include
  e-mail filtering based on the content of the e-mail,
  DNS-based blackhole lists (DNSBL), greylisting,
  spamtraps, enforcing technical requirements,
  checksumming systems to detect bulk email, and by
  putting some sort of cost on the sender via a Proof-of-work system or a micropayment.
Each method has strengths and weaknesses and each is
controversial due to its weaknesses.

Filtering Methods
Bayesian spam filtering
CRM114
dSPAM
Markovian discrimination
POPFile
Policyd-weight Postfix policy-daemon before SMTP DATA
Procmail is an MDA (Mail Delivery Agent) for Unix systems.
Maildrop is an MDA (Mail Delivery Agent) for Unix systems.
Sendmail supports libmilter for mail filtering
Sieve (mail filtering language) is an RFC standard for describing mail filters
SpamAssassin
Anti-Spam SMTP Proxy
Information filtering
E-mail whitelists

Summary
have considered:
  secure email
  PGP
  S/MIME

Security on WWW
Xiang-Yang Li

Introduction
Introduction
Presentation of SSL
  The inner workings of SSL
  Attacks on SSL
Presentation of S-HTTP
  Comparison with SSL/TLS
  Attacks on S-HTTP
Other aspects of Web security
  TLS
  IPSec, Kerberos, SET
Conclusion

Web Security
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
  integrity
  confidentiality
  denial of service
  authentication
need added security mechanisms

SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols

Location of SSL
Protocol stack (top to bottom):
  Application Layer
  Secure Socket Layer (SSL)
  Transmission Control Protocol (TCP)
  Internet Protocol (IP)
SSL is built on top of TCP
Provides a TCP-like interface
In theory can be used by all types of applications in a transparent manner

SSL Architecture
SSL session
  an association between client & server
  created by the Handshake Protocol
  define a set of cryptographic parameters
  may be shared by multiple SSL connections
SSL connection
  a transient, peer-to-peer, communications link
  associated with 1 SSL session

SSL Record Protocol
confidentiality
  using symmetric encryption with a shared secret key defined by Handshake Protocol
  IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  message is compressed before encryption
message integrity
  using a MAC with shared secret key
  similar to HMAC but with different padding

SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol
a single message
causes pending state to become current
hence updating the cipher suite in use

SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
  warning or fatal
specific alert
  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data

SSL Handshake Protocol
allows server & client to:
  authenticate each other
  to negotiate encryption & MAC algorithms
  to negotiate cryptographic keys to be used
comprises a series of messages in phases
  Establish Security Capabilities
  Server Authentication and Key Exchange
  Client Authentication and Key Exchange
  Finish

General purpose
1. Handshake
2. Data transmission
Two step process:
  Handshake: exchange private keys using a public key encryption algorithm
  Data transmission: exchange the required data using a private key encryption

SSL Handshake Protocol

handshake
Client                                   Server
Client Hello                    -->
                                <--      Server Hello
                                <--      Server Certificate
                                <--      Server Hello Done
Client Key Exchange             -->
Change Cipher Specification     -->
Handshake Finished              -->
                                <--      Change Cipher Specifications
                                <--      Handshake Finished

hello
Client Hello:
  List of supported private key encryptions + Client random number
Server Hello:
  Selected encryption algorithm
  Server Random number
  Session ID
Server Certificate:
  Verify server's identity

Key exchange
Client Key Exchange:
Client
  Generate second random: Pre Master Key
  Send Pre Master Key
  Calculate Master Key
  Calculate Secret Key
  Calculate MAC Key
Server
  Calculate Master Key
  Calculate Secret Key
  Calculate MAC Key

Resumed based on Session Id
Client                                   Server
Client Hello                    -->
                                <--      Server Hello
                                <--      Change Cipher Specification
                                <--      Handshake Finished
Change Cipher Specifications    -->
Handshake Finished              -->

Certificate authority
Certificate Authority (CA) is a trusted third party that helps identify the server.
How does everything work?
  Server sends ID, public key to CA
  CA creates and signs the server's Certificate
  Client receives the Certificate from Server
  Client verifies the Certificate using the signature and the CA's public key

MAC
MAC = Message Authentication Code
The initial message is split into fragments
For each fragment a fingerprint is calculated using the MAC key
The fragment, fingerprint and record header are encrypted and sent
Receiver checks the fingerprint using MAC key to detect inconsistent messages
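
Added example (not part of the original lecture notes): per-fragment MAC computation and checking, using the TLS 1.0 layout (HMAC over sequence number, record header and fragment) rather than SSLv3's own padding scheme. The encryption step is left out, and the key, message and function names are constructed for this sketch.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # largest record payload in SSL/TLS
APPLICATION_DATA = 23       # record content type for application data
VERSION = (3, 1)            # record-layer version number of TLS 1.0


def record_mac(mac_key, seq, header, fragment):
    """HMAC over the implicit 64-bit sequence number, the header and the fragment."""
    return hmac.new(mac_key, struct.pack("!Q", seq) + header + fragment,
                    hashlib.sha1).digest()


def protect(mac_key, message):
    """Sender: split the message into records of (header, fragment, mac)."""
    records = []
    for seq, off in enumerate(range(0, len(message), MAX_FRAGMENT)):
        fragment = message[off:off + MAX_FRAGMENT]
        header = struct.pack("!BBBH", APPLICATION_DATA, *VERSION, len(fragment))
        records.append((header, fragment, record_mac(mac_key, seq, header, fragment)))
    return records


def receive(mac_key, records):
    """Receiver: recompute every MAC with its own record counter."""
    out = []
    for seq, (header, fragment, mac) in enumerate(records):
        _ctype, _major, _minor, length = struct.unpack("!BBBH", header)
        if length != len(fragment):
            raise ValueError(f"record {seq}: length field does not match")
        # Constant-time comparison; a mismatch maps to the fatal bad_record_mac alert.
        if not hmac.compare_digest(mac, record_mac(mac_key, seq, header, fragment)):
            raise ValueError(f"record {seq}: bad_record_mac")
        out.append(fragment)
    return b"".join(out)


def accepted(mac_key, records):
    """True if the receiver would accept this sequence of records."""
    try:
        receive(mac_key, records)
        return True
    except ValueError:
        return False


# Constructed sample: a made-up MAC key and a 40,000-byte message (three records).
MAC_KEY = bytes(range(20))
MESSAGE = bytes(i % 251 for i in range(40000))

if __name__ == "__main__":
    recs = protect(MAC_KEY, MESSAGE)
    print("records:", [len(f) for _, f, _ in recs])
    print("in order:", accepted(MAC_KEY, recs))
    print("reordered:", accepted(MAC_KEY, [recs[1], recs[0], recs[2]]))
```

Because the sequence number is covered by the MAC but never transmitted, swapping or dropping records fails the check just as modifying a fragment does.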

Attacks on SSL
Certificate Injection Attack
  The list of trusted Certificate Authorities is altered
  Can be avoided by upgrading the OS or switching to a safer one.
Man in the Middle
  Cipher Spec Rollback: regresses the public key encryption algorithms
  Version Rollback: regression from SSL 3.0 to weaker SSL 2.0
  Algorithm rollback: modify public encryption method
  Truncation attack: TCP FIN|RST used to terminate connection
Timing attack
  Can be avoided by randomly delaying the computations
Brute force
  Can be used on servers that accept small key sizes: 40 bits for symmetric encryptions and 512 for the asymmetric one.

TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3
with minor differences
  in record format version number
  uses HMAC for MAC
  a pseudo-random function expands secrets
  has additional alert codes
  some changes in supported ciphers
  changes in certificate negotiations
  changes in use of padding

TLS
TLS was developed by IETF to replace SSL version 3.
Based on SSL version 3, with some changes:
  Replaced FORTEZZA key exchange option with DSS.
  Include the hash method HMAC used by IPSec for authentication in IP headers.
  More differentiation between sub-protocols.
TLS has mechanisms for backwards compatibility with SSL.

TLS
TLS has about 30 possible cipher suites, combinations of
key exchange, encryption method, and hashing method.
Key exchange includes: RSA, DSS, Kerberos
Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES,
and AES
Hashing: SHA and MD5
(Note: Some of the suites are intentionally weak export
versions.)


Secure Electronic Transactions (SET)
open encryption & security specification
to protect Internet credit card transactions
developed in 1996 by Mastercard, Visa etc
not a payment system
rather a set of security protocols & formats
  secure communications amongst parties
  trust from use of X.509v3 certificates
  privacy by restricted info to those who need it

SET Components


SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment

Dual Signature
customer creates dual messages
  order information (OI) for merchant
  payment information (PI) for bank
neither party needs details of other
but must know they are linked
use a dual signature for this
  signed concatenated hashes of OI & PI

Purchase Request Customer

Purchase Request Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder

Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
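
Added example (not part of the original lecture notes): the dual signature from the Dual Signature slide, checked once as the merchant does and once as the payment gateway does, each seeing only its own message plus a digest of the other. SHA-1 is the hash; the textbook-RSA key built from two Mersenne primes, the function names and the OI/PI strings are constructed for illustration only.

```python
import hashlib

# Toy textbook-RSA key pair (no padding), standard library only.
# Constructed for illustration; not a usable signature key.
P, Q = 2 ** 127 - 1, 2 ** 89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # cardholder's private exponent


def h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sign(digest: bytes) -> int:
    """Cardholder signs a 160-bit digest with the private key."""
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(signature: int, digest: bytes) -> bool:
    """Anyone holding the public key (N, E) can check the signature."""
    return pow(signature, E, N) == int.from_bytes(digest, "big")


def dual_sign(oi: bytes, pi: bytes):
    """Customer: sign H(H(PI) || H(OI)); return (DS, OIMD, PIMD)."""
    oimd, pimd = h(oi), h(pi)
    return sign(h(pimd + oimd)), oimd, pimd


def merchant_check(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant sees OI in full but only the digest of PI."""
    return verify(ds, h(pimd + h(oi)))


def gateway_check(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway sees PI in full but only the digest of OI."""
    return verify(ds, h(h(pi) + oimd))


# Constructed sample messages; the card number is a placeholder.
OI = b"txn=1001;item=book;qty=1"
PI = b"txn=1001;card=PLACEHOLDER;amount=25.00"

if __name__ == "__main__":
    ds, oimd, pimd = dual_sign(OI, PI)
    print("merchant accepts:", merchant_check(OI, pimd, ds))
    print("gateway accepts:", gateway_check(PI, oimd, ds))
    # A payment paired with a different order no longer verifies.
    print("substituted order:", gateway_check(PI, h(b"txn=1001;item=tv;qty=1"), ds))
```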

Payment Capture
merchant sends payment gateway a payment capture request
gateway checks request
then causes funds to be transferred to merchant's account
notifies merchant using capture response

C- Secure-HTTP

Presentation of S-HTTP
Designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections
Proposed in 1994 but never used commercially
Not to be confused with HTTPS: encrypts HTTP messages at the application level

Location of S-HTTP
Protocol stack (top to bottom):
  Secure-HTTP: message encryption and signature
  Application Layer: HTTP message
  Transmission Control Protocol (TCP)
  Internet Protocol (IP)
HTTP-specific message encryption
Can possibly be used over a secure channel
Designed to be compatible with HTTP for handling at lower layers

S-HTTP vs. SSL/TLS
HTTP-specific vs. general purpose SSL (IMAPS, POPS, LDAPS)
Burden of encryption not on transmission/reception but rather on message production/unpacking
Similar set of available ciphers, plus added capabilities for signing (DSS, RSA)
Very general specifications, leaving a lot to implement and a potential for incompatible implementations
Only one reference implementation in NCSA Mosaic

S-HTTP vs. SSL/TLS: functionalities

Security Service   S-HTTP                                                                       SSL
Privacy            Public or private cryptosystem; encryption of the complete HTTP transaction   Symmetric key cryptosystem; complete communication encryption
Integrity          Simple MAC or signing                                                        MAC only
Authentication     Key management on the keys used, or digital signature                        During the initial public key exchange (server auth. mandatory, client auth. optional)
Non-repudiation    Digital signature                                                            Not provided

S-HTTP can make use of key management
Non-repudiation is not provided by SSL
Signing is optional, but a major attraction to S-HTTP

S-HTTP vs. SSL/TLS: proxy traversal
Proxy traversal: SSL connection
  [figure: external secure server, SSL tunnel, SSL-aware proxy, SSL tunnel OR cleartext, enterprise environment]
Proxy traversal: S-HTTP messaging
  [figure: external secure server, encrypted data, authentication, S-HTTP-aware proxy, enterprise environment]

S-HTTP inner working
Message-based encryption
Superset of HTTP: outer envelope
Specific headers added
S-HTTP message
  S-HTTP headers
  HTTP payload headers: Security-Scheme, Encryption-Identity, Certificate-Info + regular HTTP headers
  HTTP message body
Request: Secure * Secure-HTTP/1.2
Response: Secure-HTTP/1.2 200 OK

S-HTTP attacks
Basically the same as on SSL, since the ciphers are the same
Default values more secure in S-HTTP than SSL at the time of proposal (e.g. DES vs. RC4)
S-HTTP generally stronger by design (more resilient to proxy compromising)
More complex and wider specifications create a potential for faulty implementations
No real-world use to field test the actual security of S-HTTP

D- Other protocols

HTTP Basic Authentication
HTTP has an authentication scheme as part of its original protocol.
Supported by almost all browsers and web servers.
Password and username are sent in clear text (base64 encoded) in the HTTP request message.
Obviously not secure enough for sensitive information.
This scheme is being replaced by the slightly more secure HTTP Digest Authentication, which sends an MD5 hash of the password and other information.

IPsec
IPSec is a security layer added to a computer's protocol
stack in the kernel (below TCP). It is invisible to the
application. It is implemented by adding additional
protocol numbers in the IP protocol field.
Good for implementing a VPN.
Packets can be either tunneled inside IPSec packets, or
transported with only the data portion of the original
packet encrypted.
Every IPSec end machine (which could be a LAN's router)
must implement IPSec for it to work.

Summary
have considered:
  need for web security
  SSL/TLS transport layer security protocols
    de facto standard, versatile and low-level enough to accommodate many types of payloads
  SET
    secure credit card payment protocols
  IPSec: true network-layer security for any applications (not just the Web)
  Kerberos: robust 2-way authentication framework with emphasis on security manageability

D- Conclusion

Web Security
SSL/TLS: de facto standard, versatile and low-level enough to accommodate many types of payloads
S-HTTP: never took off, restricted to HTTP messages
IPSec: true network-layer security for any applications (not just the Web)
Kerberos: robust 2-way authentication framework with emphasis on security manageability