Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download INS PPT - Home Kalim Puthawala
Document related concepts
Piggybacking (Internet access) wikipedia , lookup
Wake-on-LAN wikipedia , lookup
SIP extensions for the IP Multimedia Subsystem wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Extensible Authentication Protocol wikipedia , lookup
Computer security wikipedia , lookup
Wireless security wikipedia , lookup
Distributed firewall wikipedia , lookup
Transcript
Information and Network Security B.E. Semester VII (CE/IT) Text: CRYPTOGRAPHY AND NETWORK SECURITY – Principles and Practice by William Stallings Hiren B Patel CONVENTIONAL ENCRYPTION: CLASSICAL TECHNIQUES Home MODEL OF CONVENTIONAL ENVRYPTION Home MODEL OF CONVENTIONAL CRYPTOSYSTEM Home CRYPTOGRAPHY 1. Types of operations used for transforming plaintext to ciphertext. a. b. 2. Number of keys used. a. b. 3. Substitution Transposition Symmetric/Single key/Secret key/Conventional Asymmetric/Two key/public key The way in which the plaintext is processed. a. b. Block Cipher Stream Cipher Home CLASSICAL ENCRYPTION TECHNIQUES Home CRYPTANALYSIS It is the study of methods for obtaining the meaning of encrypted information, without access to the secret information. It includes methods and techniques of recovering information from encrypted material without knowledge of the key. Someone who performs cryptanalysis is called a cryptanalyst. Home TYPES OF ATTACKS ON ENCRYPTED MESSAGES Home Classical Encryption Techniques Caesar Cipher Playfair Cipher Hill Cipher Rotor Machines Home Caesar Cipher – Substitution Cipher Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC Home Caesar Cipher - Example Plaintext: the quick brown fox jumps over the lazy dog Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ Encryption: En(X) = (X + n) mod 26 Decryption: Dn(X) = (X – n) mod 26 Home Caesar Cipher – Breaking the Code The Caesar cipher can be easily broken even in a ciphertext-only scenario. Since there are only a limited number of possible shifts (26 in English), they can each be tested in turn in a brute force attack. A brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities. Have some fun on: http://www.secretcodebreaker.com/caesar.html Home Playfair Cipher The Playfair cipher uses a 5 X 5 (also 6 X 6) table containing a key word or phrase. For example, Using "playfair example" as the key, the table becomes PLAYF IREXM BCDGH JKNOS TUVWZ Encrypting the message "Hide the gold in the tree stump": HI DE TH EG OL DI NT HE TR EX ES TU MP Encrypted Message BM ND ZB XD KY BE JV DM UI XM MN UV IF Home Playfair Cipher Home Hill Cipher Each letter is first encoded as a number. Often the simplest scheme is used: A = 0, B =1, ..., Z=25. This algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. For m=3, the system can be described as below. C1 = (k11p1 + k12p2 + k13p3) mod 26 C2 = (k21p1 + k22p2 + k23p3) mod 26 C4 = (k31p1 + k32p2 + k33p3) mod 26 Home Hill Cipher - Encryption Home Hill Cipher - Decryption In order to decrypt, we turn the ciphertext back into a vector, then simply multiply by the inverse matrix of the key matrix (IFKVIVVMI in letters). Home Steganography Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing" from the Greek words steganos (στεγανός) meaning "covered or protected", and graphein (γράφειν) meaning "to write". Home Steganography Vs. Cryptography The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties. Home Steganography Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it. Home Steganography: Example Steganart example: Within this picture, the letter positions of a hidden message are represented by increasing numbers (1 to 20), and a letter value is given by its intersection position in the grid. For instance, the first letter of the hidden message is at the intersection of 1 and 4. So, after a few tries, the first letter of the message seems to be the 14th letter of the alphabet; the last one (number 20) is the 5th letter of the alphabet. Home CONVENTIONAL ENCRYPTION: MODERN TECHNIQUES Home SIMPLIFIED DES IP: Initial Permutation fk: A Complex Function (which involved both substitution and permutation) SW: Switch the data into two halves IP-1: The inverse of IP P: Permutation Ciphertext = IP-1(fk2(SW(fk1(IP(plaintext))))) k1=P8(Shift(P10(key))) k2=P8(Shift(Shift(P10(key)))) Plaintext = IP-1(fk1(SW(fk2(IP(ciphertext))))) Home BLOCK CIPHER PRINCIPLES • Stream Ciphers and Block Ciphers Stream cipher: one bit or byte at a time Block cipher: a large block, typically 64 or 128 bits, at a time – Block ciphers work on a block at a time, which is some number of bits. All of these bits have to be available before they can be processed – Broader range of applications than stream ciphers – Large block thwarts statistical attacks Home BLOCK CIPHER PRINCIPLES • Motivation for the Feistel Cipher Structure What is the most general form of block cipher? – For n-bit block, consider the transformation, F: 2n 2n – F must be reversible, i.e., 1-1 correspondence – (Ideal block cipher) 2n! mappings mapping itself is a key key size = O(n 2n) bits – 64-bit block 270 1021 bits key Not practical Need approximation (k-bit key, 2k possible mappings) Reversible Mapping Irreversible Mapping Plaintext Ciphertext Plaintext Ciphertext 00 11 00 11 01 10 01 10 10 00 10 01 11 01 11 01 Home Ideal Block Cipher Home Motivation for Feistel Cipher Structure In 1949, Claude Shannon introduced the idea of substitution-permutation (S-P) networks which form the basis of modern block ciphers Home Motivation for Feistel Cipher Structure S-P network: a special form of substitutiontransposition product cipher Product cipher – Two or more simple ciphers are performed in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers Feistel cipher – In 1970’s, Horst Feistel (IBM T.J. Watson Research Labs) invented a suitable (practical) structure which adapted Shannon’s S-P network – Encryption and decryption use the same structure Home Feistel Cipher Structure Input block is partitioned into two halves, Li-1 and Ri-1 In round i, Li = Ri-1 Ri = Li-1 F(Ki,Ri-1) Substitution followed by permutation Multiple rounds An Implementation of Shannon’s S-P network (SPN) concept Home Feistel Cipher Design Elements Block size – Increasing size improves security, but slows cipher Key size – Increasing size improves security, makes exhaustive key searching harder, but may slow cipher Number of rounds – Increasing number improves security, but slows cipher Subkey generation algorithm – Greater complexity can make analysis harder, but slows cipher Round function – Greater complexity can make analysis harder, but slows cipher Fast software encryption/decryption Home Ease of analysis Feistel Decryption Algorithm Essentially same as the encryption Same algorithm but use the subkeys Ki in reverse order F need not be a reversible function Satisfy DK(EK(P)) = P Home THE DATA ENCRYPTION STANDANRD Block cipher (64-bit block) Uses 56-bit key (out of 64 bits) 16 rounds 48-bit subkeys Feistel structure (except initial and final permutations) Home THE DATA ENCRYPTION STANDANRD Home Initial / Inverse Initial Permutation Home Single Round of DES Home DIFFERENTIAL AND LINEAR CRYPTANALYSIS Linear cryptanalysis is a general form of cryptanalysis based on finding affined approximations to the action of a cipher. There are two parts to linear cryptanalysis. The first is to construct linear equations relating plaintext, ciphertext and key bits that have a high bias; that is, whose probabilities of holding (over the space of all possible values of their variables) are as close as possible to 0 or 1. The second is to use these linear equations in conjunction with known plaintext-ciphertext pairs to derive key bits. Constructing linear equations Deriving key bits Home BLOCK CIPHER DESIGN PRINCIPLES •Permutation •Number of rounds •Design of Function F •S-Box Design •Key Schedule Algorithm Home BLOCK CIPHER MODES OF OPERATION Electronic Codebook (ECB) Cipher Block Chaining (CBC) Cipher Feedback (CFB) Output Feedback (OFB) Home BLOCK CIPHER MODES OF OPERATION Electronic Codebook (ECB) Home BLOCK CIPHER MODES OF OPERATION Cipher Block Chaining (CBC) Home BLOCK CIPHER MODES OF OPERATION Cipher Feedback Mode (CFB) Home BLOCK CIPHER MODES OF OPERATION Output Feedback Mode (OFB) Home CONVENTIONAL ENCRYPTION: ALGORITHS Home Triple DES Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher. It is so named because it applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Triple DES provides a relatively simple method of increasing the key size of DES to protect against brute force attacks, without requiring a completely new block cipher algorithm. Triple DES Triple DES Triple DES Triple DES Triple DES uses a "key bundle" which comprises three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits). The encryption algorithm is: ciphertext = EK3(DK2(EK1(plaintext))) i.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3. Decryption is the reverse: plaintext = DK1(EK2(DK3(ciphertext))) I.e., decrypt with K3, encrypt with K2, then decrypt with K1. Each triple encryption encrypts one block of 64 bits of data. In each case the middle operation is the reverse of the first and last. This improves the strength of the algorithm when using keying option 2, and provides backward compatibility with DES with keying option 3. International Data Encryption Algorithm (IDEA) In cryptography, the International Data Encryption Algorithm (IDEA) is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. As a block cipher, it is also symmetric. The algorithm was intended as a replacement for the Data Encryption Standard. IDEA is a minor revision of an earlier cipher, PES (Proposed Encryption Standard); IDEA was originally called IPES (Improved PES). International Data Encryption Algorithm (IDEA) IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round, see the illustration) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups — modular addition and multiplication, and bitwise eXclusive OR (XOR) — which are algebraically "incompatible" in some sense. In more detail, these operators, which all deal with 16-bit quantities, are: After the eight rounds comes a final "half round", the output transformation illustrated below: An Encryption Round of IDEA Bitwise eXclusive OR (denoted with a blue circled plus ⊕). Addition modulo 216 (denoted with a green boxed plus ⊞). Multiplication modulo 216+1, where the all-zero word (0x0000) is interpreted as 216 (denoted by a red circled dot ⊙). International Data Encryption Algorithm (IDEA) After the eight rounds comes a final "half round", the output transformation illustrated above: IDEA: Key Schedule Each round uses six 16-bit sub-keys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight sub-keys are extracted directly from the key, with K1 from the first round being the lower sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits between each group of eight. This means that it is rotated less than once per round, on average, for a total of six rotations. Blowfish Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard now receives more attention. Blowfish has a 64-bit block size and a variable key length from 32 up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. It is similar in structure to CAST-128, which uses fixed S-boxes. Blowfish Feistel Structure Round Function Blowfish The Feistel diagram shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used every round, and after the final round, each half of the data block is XORed with one of the two remaining unused P-entries. The F-function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input to the S-boxes. The outputs are added modulo 232 and XORed to produce the final 32-bit output. Decryption is exactly the same as encryption, except that P1, P2,..., P18 are used in the reverse order. This is not so obvious because xor is commutative and associative. A common mistake is to use inverse order of encryption as decryption algorithm (i.e. first XORing P17 and P18 to the ciphertext block, then using the P-entries in reverse order). RC-2 In cryptography, RC2 is a block cipher designed by Ron Rivest in 1987. "RC" stands for "Ron's Code" or "Rivest Cipher"; other ciphers designed by Rivest include RC4, RC5 and RC6. Block Cipher: 64 bit block Number of rounds: 18 (16 MIXING + 2 MASHING) Key Size: Variable. [8–128 bits, in steps of 8 bits; default 64 bits] RC2 is vulnerable to a related-key attack using 234 chosen plaintexts (Kelsey et al., 1997). RC-2 The MIX transformation of RC2; four of these comprise a MIXING round RC-5 In cryptography, RC5 is a block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5. Unlike many schemes, RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key and 12 rounds. RC-5 A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and eXclusive OR (XOR)s. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts. The RC5 is basically denoted as RC5-w/r/b where w=word size in bits, r=number of rounds, b=number of 8-bit byte in the key. One round (two half-rounds) of the RC5 block cipher Cast-128 CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 to 128 bits (but only in 8-bit increments). The full 16 rounds are used when the key size is longer than 80 bits. Components include large 8×32-bit S-boxes based on bent functions, key-dependent rotations, modular addition and subtraction, and XOR operations. There are three alternating types of round function, but they are similar in structure and differ only in the choice of the exact operation (addition, subtraction or XOR) at various points. Three rounds of the CAST-128 block cipher Characteristics of Advanced Symmetric Block Ciphers Variable Mixed Data key length, operators dependent rotation Key-dependent rotation Key-dependent S-boxes Lengthy key scheduling algorithms Variable F Variable plaintext/ciphertext block length Variable number of rounds Operation on both halves of data CONFIDENTIALITY USING CONVENTIONAL ENCRYPTION Home Traffic Confidentiality Knoweldge about the length and number of messages between nodes may enable an Outsider to determine who is talking to whom. Various types of information can be derived from a traffic analysis attack: -Identities of Sender, Receiver, and associated parties -How frequently Sender and Receiver are communicating -Message pattern, message length, or quantity of messages -Events that correlate with special conversations Traffic patterns could also reveal elements of the Covert Channel being used between Sender and Receivers. Traffic Confidentiality Traffic Confidentiality Link Encryption Approach: Packet Headers are encrypted Still possible for Outsiders to assess the amount of traffic entering and leaving each end system When input plaintext is not present, random data are encrypted, making it possible for an attacker to distinguish true data flow from padding, and thereby deduce the amount of traffic. End-to-End Encryption Approach: One technique is to pad out data units to a uniform length at either the transport of application level. Additionally, null values can be inserted randomly into the stream. These tactics are designed to deny an Outsider knowledge about the amount of data exchanged between users, and obsure underlying traffic patterns. Key Distribution For encryption to work over a network, the two parties (Sender and Receiver) must exchange and share the same keys, while protecting access to the keys from others. A key could be selected by A and physically delivered to B. A third party could select the key and physically deliver it to A and B. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. Symmetric Vs Asymmetric Automatic Key Distribution for Connection Oriented Protocol Automatic Key Distribution for Connection Oriented Protocol (1) Host sends packet requesting connection. (2) Front end buffers packet; asks KDC for sess key (3) KDC distributes keys to both front-ends. (4) Buffer packet transmitted. (5) Terminology: -FEP: Front-End Processor -KDC: Key Distribution Center -Session Key: Data encrypted with a one-time sess key. At the conclusion of the sess, key is destroyed -Permanent key: Used between entities for the purpose of distributing sess keys Random Number Generation •Use of random numbers (in cryptography) –As key stream for a one-time pad –For session keys –For public key –For nonces (random numbers) in protocols to prevent replays –Good cryptography requires good random numbers •Random number requirements –Statistically random (uniform distribution, etc) –Unpredictable (independent) Random Number Generation •Natural random noise (Natural real randomness) –Radiation counters, radio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc –Generally need special H/W for this –Starting to see this in new CPU’s (Pentium III) •Almost random sources –Keystroke timing –Mouse tracking –Disk latency, etc •Published lists –e.g., Rand Co. in 1955 published a book of 1 million numbers generated using an electronic roulette wheel –Predictable • In practice, pseudorandom numbers are algorithmically derived from a deterministic PRNG (Pseudorandom Number Generator) Pseudorandom Number Generation Cyclic encryption – Generate session keys from a master key – A counter with period N is input to the encryption logic – e.g. 56-bit counter for 56-bit DES – X0 X1 … Xn-1 – Xi’s can not be deduced since the master key is protected – Full-period PRNG can be used instead of a simple counter DES OFB mode – Can be used as a PRNG (IV is the seed) – Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties Email Security Enhancements confidentiality – protection from disclosure authentication – of sender of message message integrity – protection from modification non-repudiation of origin – protection from denial by sender Pretty Good Privacy (PGP) Pretty Good Privacy (PGP) Pretty Good Privacy (PGP) It is an open source for email security. It is developed by Phil Zimmermann It incorporates tools for developing a public-key trust model and public-key certificate management It provides – – – – – Authentication (using digital signature) Confidentiality (using symmetric block encryption) Compression (using ZIP algorithm) Compatibility (using radix-64 encoding scheme) Segmentation & reassembly (for long emails) Pretty Good Privacy (PGP): Features Platform independent PGP package includes – – – RSA, DSS, Diffie-Hellman (for public key encryption) CAST-128, IDEA, 3DES (for symmetric encryption) SHA-1 (for hash coding) Flexibility to select & enforce a standardized scheme for encryption Recognizes standard (RFC 3156) PGP Operation – Authentication 1. 2. 3. 4. 5. sender creates message use SHA-1 to generate 160-bit hash of message signed hash with RSA using sender's private key, and is attached to message receiver uses RSA with sender's public key to decrypt and recover hash code receiver verifies received message using hash of it and compares with decrypted hash code PGP Operation – Confidentiality & Authentication can use both services on same message – create signature & attach to message – encrypt both message & signature – attach RSA/ElGamal encrypted session key PGP Operation – Compression by default PGP compresses message after signing but before encrypting – so can store uncompressed message & signature for later verification – & because compression is non deterministic uses ZIP compression algorithm PGP Operation – Email Compatibility when using PGP will have binary data to send (encrypted message etc) however email was designed only for text hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm – maps 3 bytes to 4 printable chars – also appends a CRC PGP also segments messages if too big PGP Cryptographic Functions Transmission and Reception of PGP Messages General format of PGP Messages PGP Operation – Summary PGP Session Keys need a session key for each message – of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit TripleDES generated using ANSI X12.17 mode uses random inputs taken from previous uses and from keystroke timing of user PGP Public & Private Keys since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message – could send full public-key with every message – but this is inefficient rather use a key identifier based on key – is least significant 64-bits of the key – will very likely be unique also use key ID in signatures PGP Message Format PGP Key Rings each PGP user has a pair of keyrings: – public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID – private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase security of private keys thus depends on the pass-phrase security PGP Message Generation PGP Message Reception PGP Key Management rather than relying on certificate authorities in PGP every user is own CA – can sign keys for users they know directly forms a “web of trust” – trust keys have signed – can trust keys others have signed if have a chain of signatures to them key ring includes trust indicators users can also revoke their keys PGP Trust Model Example S/MIME Secure/Multipurpose Internet Mail Extensions S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME email – original Internet RFC822 email was text only – MIME provided support for varying content types and multi-part messages – with encoding of binary data to textual form – S/MIME added security enhancements have S/MIME support in many mail agents – eg MS Outlook, Mozilla, Mac Mail etc RFC 822 defines a format for text messages to be sent using e-mail Internet standard structure of RFC 822 compliant messages – header lines (e.g., from: …, to: …, cc: …) – blank line – body (the text to be sent) example Date: Tue, 16 Jan 1998 10:37:17 (EST) From: “Levente Buttyan” <[email protected]> Subject: Test To: [email protected] Blablabla Problems with RFC 822 and SMTP executable files must be converted into ASCII – various schemes exist (e.g., Unix UUencode) – a standard is needed text data that includes special characters (e.g., Hungarian text) some servers – reject messages over a certain size – delete, add, or reorder CR and LF characters – truncate or wrap lines longer than 76 characters – remove trailing white space (tabs and spaces) – pad lines in a message to the same length – convert tab characters into multiple spaces MIME defines new message header fields defines a number of content formats (standardizing representation of multimedia contents) defines transfer encodings that protects the content from alteration by the mail system MIME - New header fields MIME-Version Content-Type – describes the data contained in the body – receiving agent can pick an appropriate method to represent the content Content-Transfer-Encoding – indicates the type of the transformation that has been used to represent the body of the message Content-ID Content-Description – description of the object in the body of the message – useful when content is not readable (e.g., audio data) MIME – Content types and subtypes text/plain, text/enriched image/jpeg, image/gif video/mpeg audio/basic application/postscript, application/octet-stream multipart/mixed, multipart/parallel, multipart/alternative, multipart/digest (each part is message/rfc822) message/rfc822, message/partial, message/external-body MIME – Transfer encodings 7bit – 8bit short lines of non-ASCII characters binary – non-ASCII characters – lines are not necessarily short quoted-printable – non-ASCII characters are converted into hexa numbers (e.g., =EF) base64 (radix 64) – 3 8-bit blocks into 4 6-bit blocks x-token – non-standard encoding – short lines of ASCII characters Delivered-To: [email protected] Received: by 10.204.184.193 with SMTP id cl1csp161691bkb; Sat, 7 Apr 2012 06:09:25 -0700 (PDT) Received: by 10.220.79.134 with SMTP id p6mr622809vck.51.1333804164619; Sat, 07 Apr 2012 06:09:24 -0700 (PDT) Return-Path: <[email protected]> Received: from mail-iy0-f170.google.com (mail-iy0-f170.google.com [209.85.210.170]) by mx.google.com with ESMTPS id hj4si4051548vdb.98.2012.04.07.06.09.23 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 07 Apr 2012 06:09:24 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates 209.85.210.170 as permitted sender) client-ip=209.85.210.170; Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 209.85.210.170 as permitted sender) [email protected]; dkim=pass [email protected] Received: by iaeh11 with SMTP id h11so4319198iae.15 for <[email protected]>; Sat, 07 Apr 2012 06:09:22 -0700 (PDT) DomainKeys Identified Mail (DKIM) is a method for associating a DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; domain name to an email message. d=gmail.com; s=20120113; v: version h=mime-version:date:message-id:subject:from:to:content-type; a: signing algorithm bh=K8R2aD7HufER5dJx+djgPQf/7ntxTjP/y3q8gYq2htM=; b=WbNNuN4KLfNEFVEUWpBSkAofpqwe1/Op1IqFtDTmjK/c6hXBXFfPKG0O1LSQZGR++W c: canonicalization algorithm(s) for header and body Idf1bKHix4FLKSCr2VX0mHik8GdST3XMMvzPJh/EzDGHF9upkY1kPVufB4WTfBugWM3+ d: signing domain aQDZvM1ALrz5w+rYnI3T5uyhv6CAMv123oRgI3kHPHrgQbIzNS9Wnne/WlimhWOXIyLg s: selector SGTtVpdremGGr0SWcEAsoAj17wqgXXzTyCWgNRdxFaMrizyHIxSIVFsxRXNrGbkoEvlq b: actual digital signature of the contents (headers and body) of the gPgrSuRiP9z9QXr5DifoxTdMAq7s9pOE5zoBxnDIhOGLNpCsszJsJ9DLTM9rU715D5RU mail message 1euw== bh: body hash MIME-Version: 1.0 q: query method Received: by 10.50.88.168 with SMTP id bh8mr907641igb.29.1333804162707; Sat, 07 Apr 2012 06:09:22 -0700 (PDT) l: length of the canonicalized part of the body that has been signed Received: by 10.42.141.3 with HTTP; Sat, 7 Apr 2012 06:09:22 -0700 (PDT) t: signature timestamp Date: Sat, 7 Apr 2012 18:39:22 +0530 x: expire time Message-ID: <CAHMW_usQwMsRUZZP51N=x3hrdCt=2YBUT5ygvNKGnuNQiJQ+=w@mail.gmail.com> h: list of signed header fields Subject: Test From: Hiren Patel <[email protected]> To: [email protected] Content-Type: multipart/alternative; boundary=e89a8f3ba55151727604bd167b53 --e89a8f3ba55151727604bd167b53 Content-Type: text/plain; charset=ISO-8859-1s: selector b: actual digital signature of the contents (headers and body) of the mail message bh: body hash This is a test mail from [email protected] to [email protected] --e89a8f3ba55151727604bd167b53 Content-Type: text/html; charset=ISO-8859-1 This is a test mail from <a href="mailto:[email protected]">[email protected]</a> to <a href="mailto:[email protected]">[email protected]</a><br> MIME – Example MIME-Version: 1.0 From: Nathaniel Borenstein <[email protected]> To: Ned Freed <[email protected]> Date: Fri, 07 Oct 1994 16:15:05 -0700 (PDT) Subject: A multipart example Content-Type: multipart/mixed; boundary=unique-boundary-1 This is the preamble area of a multipart message. Mail readers that understand multipart format should ignore this preamble. If you are reading this text, you might want to consider changing to a mail reader that understands how to properly display multipart messages. --unique-boundary-1 Content-type: text/plain; charset=US-ASCII … Some text … --unique-boundary-1 Content-type: text/enriched --unique-boundary-1 Content-Type: multipart/parallel; boundary=unique-boundary-2 This is <bold><italic>enriched.</italic></bold><smaller>as defined in RFC 1896</smaller> Isn’t it <bigger><bigger>cool?</bigger></bigger> --unique-boundary-2 Content-Type: audio/basic Content-Transfer-Encoding: base64 --unique-boundary-1 Content-Type: message/rfc822 ... base64-encoded 8000 Hz single-channel mu-law-format audio data goes here ... --unique-boundary-2 Content-Type: image/jpeg Content-Transfer-Encoding: base64 From: (mailbox in US-ASCII) To: (address in US-ASCII) Subject: (subject in US-ASCII) Content-Type: Text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: Quoted-printable ... Additional text in ISO-8859-1 goes here ... ... base64-encoded image data goes here ... --unique-boundary-1---unique-boundary-2-- S/MIME Functions/Services enveloped data (application/pkcs7-mime; smime-type = enveloped-data) – standard digital envelop signed data (application/pkcs7-mime; smime-type = signed-data) – standard digital signature (“hash and sign”) – content + signature is encoded using base64 encoding clear-signed data (multipart/signed) – standard digital signature – only the signature is encoded using base64 – recipient without S/MIME capability can read the message but cannot verify the signature signed and enveloped data – signed and encrypted entities may be nested in any order S/MIME Cryptographic Algorithms message digest – must: SHA-1 – should (receiver): MD5 (backward compatibility) digital signature – must: DSS – should: RSA asymmetric-key encryption – must: ElGamal – should: RSA symmetric-key encryption – sender: should: 3DES, RC2/40 – receiver: must: 3DES should: RC2/40 S/MIME / message formats PKCS7 “signed data” Version (Set of) Digest Algorithms Content type Content Info Content Set of certificates Version Set of CRLs Signer ID (issuer and ser. no.) Digest Algorithm Signer Info Authenticated Attributes Digest Encryption Alg. Encrypted digest (signature) S/MIME / message formats PKCS7 “enveloped data” Version Originator Info Version Recipient ID (issuer and s.no.) Recipient Info Key Encryption Algorithm Encrypted Key Encrypted Content Info Content type Content Encryption Alg. Encrypted Content S/MIME / message formats Enveloped data – Example Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 0GhIGfHfQbnj756YT64V S/MIME / message formats Clear-signed data – Example Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42 --boundary42 Content-Type: text/plain This is a clear-signed message. --boundary42 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 7GhIGfHfYT64VQbnj756 --boundary42-- S/MIME / key management S/MIME certificates are X.509 conformant key management scheme is between strict certification hierarchy and PGP’s web of trust – – – certificates are signed by certification authorities (CA) key authentication is based on chain of certificates users/managers are responsible to configure their clients with a list of trusted root keys K S/MIME Certificate Processing S/MIME uses X.509 v3 certificates managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of trust each client has a list of trusted CA’s certs and own public/private key pairs & certs certificates must be signed by trusted CA’s Certificate Authorities have several well-known CA’s Verisign one of most widely used Verisign issues several types of Digital IDs increasing levels of checks & hence trust Class Identity Checks Usage 1 name/email check web browsing/email 2 + enroll/addr check email, subs, s/w validate 3 + ID documents e-banking/service access IP Security IP Security The Internet community has developed applicationspecific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. However users have some security concerns that cut across protocol layers. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications. IPSec general IP Security mechanisms provides – Authentication (assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit) – Confidentiality (enables communicating nodes to encrypt messages to prevent eavesdropping by third parties) – key management (is concerned with the secure exchange of keys) applicable to use over LANs, across public & private WANs, & for the Internet An IP Security Scenario Benefits of IPSec When IPSec is implemented in a firewall/router; it provides strong security to all traffic crossing the perimeter IPSec in a firewall/router is resistant to bypass IPSec is below transport layer (TCP/UDP), hence transparent to applications IPSec can be transparent to end users IPSec can provide security for individual users IPSec secures routing architecture IP Security Architecture specification is quite complex defined in numerous RFC’s – incl. RFC 2401/2402/2406/2408 – many others, grouped by category mandatory in IPv6, optional in IPv4 have two security header extensions: – Authentication Header (AH) – Encapsulating Security Payload (ESP) IPSec Document Overview Optional Architecture: Covers the general concepts, security requirements, definitions and mechanisms defining IPSec technology. Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of ESP for packet encryption & optionally authentication. Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication. Encryption Algorithm: A set of documents that describes how various encryption algorithms are used for ESP. Authentication Algorithm: A set of documents that describes how various authentication algorithms are used for AH and authentication option for ESP. Key Management: Documents that describes the key management schemes/ Domain of Interpretation (DOI): Contains values needed for the other documents to relate each other. These include identifiers for approved encryption and authentication algorithm; as well as operational parameters such as key lifetime. IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets – a form of partial sequence integrity Confidentiality (encryption) Limited traffic flow confidentiality Security Associations (SA) It is a one-way relationship between sender & receiver that affords security for traffic flow SA is defined by 3 parameters: • Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. • IP Destination Address: This is the address of the destination endpoint of the SA (E.g. firewall/router). • Security Protocol Identifier: This indicates whether the association is an AH or ESP security association. has a number of other parameters – Sequence number counter, Sequence counter overflow, Anti-replay window, AH information, ESP information, Lifetime of this SA, IPSec protocol mode, Path MTU have a database of Security Associations Tunnel Mode Vs Transport Mode Transport Mode SA AH Tunnel Mode SA Authenticates IP payload and Authenticates entire inner IP selected portions of IP header packet (inner header + payload) & IPv6 ext. headers. PLUS selected portion of outer IP header & outer IPv6 ext. headers. ESP Encrypts IP payload & any Encrypts entire inner IP packet. (Without IPv6 ext. headers following Authentication) the ESP headers. ESP Encrypts IP payload & any Encrypt entire IP packet. (with IPv6 ext. headers following Authenticates inner IP packet. Authentication) the ESP headers. Authenticates IP payload but not IP header. Authentication Header (AH) The Authentication Header provides support for data integrity and authentication of IP packets. – The data integrity feature ensures that undetected modification to a packet’s content in transit is not possible. – The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly; it also prevents address spoofing attacks and replay attacks. – Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key. AH supports MACs using HMAC-MD5-96 or HMAC-SHA-1-96. Both of these use the HMAC algorithm , the first with the MD5 hash code and the second with the SHA-1 hash code. Authentication Header • Next Header (8 bits): Identifies the type of header immediately following this header • Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2. (In above example, six-32 bit words, so payload length=6-2=4) • Reserved (16 bits): For future use • Security Parameters Index (32 bits): Identifies a security association • Sequence Number (32 bits): A monotonically increasing counter value • Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet. Transport & Tunnel Modes Scope of AH Authentication IP Payload is a TCP segment. AH for Transport Mode (IPv4): AH is inserted after the original IP header and before the IP payload (TCP segment). Authentication covers the entire packet, excluding the mutable fields in IPv4 header that are set to zero for MAC calculations. AH for Transport Mode (IPv6): AH is viewed as an end-to-end payload, that is, it is not examined or processed by intermediate routers. Therefore, the AH appears after the IPv6 base header and the hop-by-hop, routing and fragment extension headers. AH for Tunnel Mode (IPv4): The entire original IP packet is authenticated and the AH is inserted between the original IP header and the new outer IP header. The inner IP header carries the ultimate source and destination addresses while the outer IP header may contain different IP addresses (e.g. firewall/gateways). AH for Tunnel Mode (IPv6): The entire IP packet, including the inner IP header, is protected by AH. The outer IP header is protected except for mutable and unpredictable fields. Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality can optionally provide the same authentication services as AH supports range of ciphers, modes, padding – incl. DES, Triple-DES, RC5, IDEA, CAST etc – CBC & other modes – padding needed to fill blocksize, fields, for traffic flow Encapsulating Security Payload • Security Parameters Index (32 bits): Identifies a security association • Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function ,as discussed for AH • Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption • Padding (0–255 bytes): for various reasons • Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field • Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload • Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field Transport vs Tunnel Mode ESP transport mode is used to encrypt & optionally authenticate IP data – data protected but header left in clear – can do traffic analysis but is efficient – good for ESP host to host traffic tunnel mode encrypts entire IP packet – add new header for next hop – good for VPNs, gateway to gateway security (a) Transport-level security (b) A virtual private network via tunnel mode Scope of ESP Encryption & Authentication Transport mode ESP is used to encrypt and optionally authenticate the data carried by IP (E.g. TCP segment). Transport mode ESP for IPv4: The ESP header is inserted into the IP packet immediately before the transport layer header (TCP/UDP) and an ESP trailer (padding, pad length & next header fields) is placed after the IP packet. If authentication is selected, the ESP authentication data field is added after ESP trailer. The entire transport-level segment plus the ESP trailer are encrypted. Transport mode ESP for IPv6: ESP is viewed as an end-to-end payload.; that is, it is not examined or processed by immediate router. Therefore ESP header appears after the IPv6 base header and the hopby-hop, routing, and fragment extension headers. Tunnel mode ESP is used to encrypt the entire IP packet. Combining Security Associations SA’s can implement either AH or ESP to implement both need to combine SA’s – form a security association bundle – may terminate at different or same endpoints – combined by transport adjacency iterated tunneling issue of authentication & encryption order Combining Security Associations Key Management handles key generation & distribution typically need 2 pairs of keys – 2 per direction for AH & ESP manual key management – sysadmin manually configures every system automated key management – automated system for on demand creation of keys for SA’s in large systems – has Oakley & ISAKMP elements Oakley a key exchange protocol based on Diffie-Hellman key exchange adds features to address weaknesses – cookies, groups (global params), nonces, DH key exchange with authentication can use arithmetic in prime fields or elliptic curve fields ISAKMP Internet Security Association and Key Management Protocol provides framework for key management defines procedures and packet formats to establish, negotiate, modify, & delete SAs independent of key exchange protocol, encryption alg, & authentication method ISAKMP ISAKMP Payloads & Exchanges have a number of ISAKMP payload types: – Security, Proposal, Transform, Key, Identification, Certificate, Certificate, Hash, Signature, Nonce, Notification, Delete ISAKMP has framework for 5 types of message exchanges: – base, identity protection, authentication only, aggressive, informational Web Security Web Security Secure Socket Layer (SSL) provides security services between TCP and applications that uses TCP. The Internet standard version is called Transport Layer Service (TLS). SSL/TLS provides confidentiality (using symmetric encryption) and message integrity (using MAC). SSL/TLS includes protocol mechanism , to enable two TCP users to determine the security mechanisms and service they will use. Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. SSL (Secure Socket Layer) transport layer security service originally developed by Netscape version 3 designed with public input subsequently became Internet standard known as TLS (Transport Layer Security) uses TCP to provide a reliable end-to-end service SSL has two layers of protocols SSL Architecture SSL is not a single protocol but rather two layers of protocols. The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higherlayer protocols are also defined as part of SSL: the Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges. SSL Architecture Two important SSL concepts are the SSL connection and the SSL session: Connection: A connection is a network transport that provides a suitable type of service, such connections are transient, peer-to-peer relationships, associated with one session Session: An SSL session is an association between a client and a server, created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection. SSL Record Protocol Services SSL Record Protocol defines two services for SSL connections: Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC), which is similar to HMAC Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads. The message is compressed before being concatenated with the MAC and encrypted, with a range of ciphers being supported as shown. SSL Record Protocol Operation SSL Record Format Content Type: The higher layer protocol used to process the enclosed fragment. (change_cipher_spec, alert, handshake, application_data) Version Number: Major and Minor version for SSL. (E.g. SSLv3, Major=3, Minor=0) Compressed Length: The length in bytes of plaintext fragment. Maximum value is 214+2048 SSL Change Cipher Spec Protocol The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest, consisting of a single message. Its purpose is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. SSL Alert Protocol conveys SSL-related alerts to peer entity severity warning or fatal specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data SSL Handshake Protocol allows server & client to: – authenticate each other – to negotiate encryption & MAC algorithms – to negotiate cryptographic keys to be used comprises a series of messages in phases 1. Establish Security Capabilities 2. Server Authentication and Key Exchange 3. Client Authentication and Key Exchange 4. Finish SSL Handshake Protocol TLS (Transport Layer Security) IETF standard RFC 2246 similar to SSLv3 with minor differences – in record format version number – uses HMAC for MAC – a pseudo-random function expands secrets – has additional alert codes – some changes in supported ciphers – changes in certificate types & negotiations – changes in crypto computations & padding TLS (Transport Layer Security) Content Type: The higher layer protocol used to process the enclosed fragment. (change_cipher_spec, alert, handshake, application_data) Version Number: Major and Minor version for SSL. (E.g. SSLv3, Major=3, Minor=0) Compressed Length: The length in bytes of plaintext fragment. Maximum value is 214+2048 Secure Electronic Transactions (SET) open encryption & security specification to protect Internet credit card transactions developed in 1996 by Mastercard, Visa etc not a payment system rather a set of security protocols & formats – secure communications amongst parties – trust from use of X.509v3 certificates – privacy by restricted info to those who need it SET Components SET Transaction 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. customer opens account customer receives a certificate merchants have their own certificates customer places an order merchant is verified order and payment are sent merchant requests payment authorization merchant confirms order merchant provides goods or service merchant requests payment Dual Signature customer creates dual messages – order information (OI) for merchant – payment information (PI) for bank neither party needs details of other but must know they are linked use a dual signature for this – signed concatenated hashes of OI & PI DS=E(PRc, [H(H(PI)||H(OI))]) SET Purchase Request SET purchase request exchange consists of four messages 1. Initiate Request - get certificates 2. Initiate Response - signed response 3. Purchase Request - of OI & PI 4. Purchase Response - ack order Purchase Request – Customer Purchase Request – Merchant 1. 2. 3. 4. verifies cardholder certificates using CA sigs verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key processes order and forwards the payment information to the payment gateway for authorization (described later) sends a purchase response to cardholder Purchase Request – Merchant Payment Gateway Authorization 1. 2. 3. 4. 5. 6. 7. 8. verifies all certificates decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block verifies merchant's signature on authorization block decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block verifies dual signature on payment block verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer requests & receives an authorization from issuer sends authorization response back to merchant Payment Capture merchant sends payment gateway a payment capture request gateway checks request then causes funds to be transferred to merchants account notifies merchant using capture response Firewalls Firewalls - Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent security concerns – can’t easily secure every system in org typically use a Firewall to provide perimeter defence as part of comprehensive security strategy What is a Firewall? A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed. A firewall: 1. defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. 2. provides a location for monitoring security-related events 3. is a convenient platform for several Internet functions that are not security related, such as Network Address Translation - NAT and Internet usage audits or logs 4. A firewall can serve as the platform for IPSec to implement virtual private networks. The firewall itself must be immune to penetration, since it will be a target of attack. Firewall Limitations Firewalls have their limitations, including that they: 1. cannot protect against attacks that bypass the firewall, eg PCs with dialout capability to an ISP, or dial-in modem pool use 2. do not protect against internal threats, eg disgruntled employee or one who cooperates with an attacker 3. cannot protect against the transfer of virus-infected programs or files, given wide variety of O/S & applications supported Firewalls – Packet Filters Three common types of firewalls: packet filters, application-level gateways, & circuit-level gateways. A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet. Filtering rules are based on information contained in a network packet such as src & dest IP addresses, ports, transport protocol & interface. Some advantages are simplicity, transparency & speed. If there is no match to any rule, then one of two default policies are applied: • that which is not expressly permitted is prohibited (default action is discard packet), conservative policy • that which is not expressly prohibited is permitted (default action is forward packet), permissive policy Firewalls – Packet Filters Figure illustrates the packet filter firewall placement in the border router, on the security perimeter, between the external less-trusted Internet, and the internal more trusted private network. Firewalls – Packet Filters Attacks on Packet Filters Some of the attacks that can be made on packet-filtering routers & countermeasures are: IP address spoofing: where intruder transmits packets from the outside with internal host source IP addr, need to filter & discard such packets Source routing attacks: where source specifies the route that a packet should take to bypass security measures, should discard all source routed packets Tiny fragment attacks: intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate fragments to circumvent filtering rules needing full header info, can enforce minimum fragment size to include full header. Firewalls – Stateful Packet Filters A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context. Firewalls - Application Level Gateway (or Proxy) An application-level gateway (or proxy server), acts as a relay of application-level traffic. A user contacts the gateway to access some service, provides details of the service, remote host & authentication details, contacts the application on the remote host and relays all data between the two endpoints. If the gateway does not implement the proxy code for a specific application, then it is not supported and cannot be used. Note that some services naturally support proxying, whilst others are more problematic. Application-level gateways tend to be more secure than packet filters, &can log and audit traffic at application level. Firewalls - Application Level Gateway (or Proxy) Figure illustrates an application-level gateway (or proxy server), emphasizing that it only supports a specific list of application services. Firewalls - Circuit Level Gateway A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access. One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients. Firewalls - Circuit Level Gateway Figure illustrates a circuit-level gateway, showing how it relays between 2 TCP connections. Note that it can be implemented in a stand-alone system or can be a specialized function in an application-level gateway for certain applications. Note also that relaying UDP packets is more problematical, because of the lack of connection context, and require a parallel TCP connection to provide these details. Bastion Host A bastion host is a critical strong point in the network’s security, serving as a platform for an application-level or circuit-level gateway, or for external services. It is thus potentially exposed to "hostile" elements and must be secured to withstand this. Common characteristics of a bastion host include that it: – – – – – – – – – – executes a secure version of its O/S, making it a trusted system has only essential services installed on the bastion host may require additional authentication before a user is allowed access to the proxy services is configured to support only a subset of the standard application’s command set, with access only to specific hosts maintains detailed audit information by logging all traffic has each proxy module a very small software package specifically designed for network security has each proxy independent of other proxies on the bastion host have a proxy performs no disk access other than to read its initial configuration file have each proxy run as a nonprivileged user in a private and secured directory A bastion host may have two or more network interfaces (or ports), and must be trusted to enforce trusted separation between these network connections, relaying traffic only according to policy. Firewall Configurations Figure shows the “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems: •a packet-filtering router - allows Internet packets to/from bastion only •a bastion host - performs authentication and proxy functions This configuration has greater security, as it implements both packet-level & application-level filtering, forces an intruder to generally penetrate two separate systems to compromise internal security, & also affords flexibility in providing direct Internet access to specific internal servers (eg web) if desired. Firewall Configurations Figure illustrates the “screened host firewall, dual-homed bastion configuration” which physically separates the external and internal networks, ensuring two systems must be compromised to breach security. The advantages of dual layers of security are also present here. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but are now separated from the internal network. Firewall Configurations Figure shows the “screened subnet firewall configuration”, being the most secure shown. It has two packetfiltering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. This configuration offers several advantages: • There are now three levels of defense to thwart intruders • The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet • Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet Access Control given system has identified a user determine what resources they can access general model is that of access matrix with – subject - active entity (user, process) – object - passive entity (file or resource) – access right – way object can be accessed can decompose by – columns as access control lists – rows as capability tickets Access Control Matrix Trusted Computer Systems information security is increasingly important have varying degrees of sensitivity of information – cf military info classifications: confidential, secret etc subjects (people or programs) have varying rights of access to objects (information) known as multilevel security – subjects have maximum & current security level – objects have a fixed security level classification want to consider ways of increasing confidence in systems to enforce these rights Bell LaPadula (BLP) Model one of the most famous security models implemented as mandatory policies on system has two key policies: no read up (simple security property) – a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object no write down (*-property) – a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object Reference Monitor Figure illustrates the reference monitor as a controlling element in the h/w & O/S of a computer. It regulates access of subjects to objects on the basis of their security parameters. It has access to the security kernel database, which lists the access privileges (security clearance) of each subject & the protection attributes (classification level) of each object. The reference monitor enforces the security rules (no read up, no write down). It must have properties of: • Complete mediation: security rules are enforced on every access • Isolation: reference monitor & database are protected from unauthorized modification • Verifiability: reference monitor’s correctness must be provable These are stiff requirements, usually met only by a trusted system. Evaluated Computer Systems governments can evaluate IT systems against a range of standards: – TCSEC, IPSEC and now Common Criteria define a number of “levels” of evaluation with increasingly stringent checking have published lists of evaluated products – though aimed at government/defense use – can be useful in industry also Common Criteria international initiative specifying security requirements & defining evaluation criteria incorporates earlier standards – eg CSEC, ITSEC, CTCPEC (Canadian), Federal (US) specifies standards for – evaluation criteria – methodology for application of criteria – administrative procedures for evaluation, certification and accreditation schemes Common Criteria defines set of security requirements have a Target Of Evaluation (TOE) requirements fall in two categories – functional – assurance both organised in classes of families & components Common Criteria Requirements Functional Requirements – security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path Assurance Requirements – configuration management, delivery & operation, development, guidance documents, life cycle support, tests, vulnerability assessment, assurance maintenance Common Criteria The CC also defines two kinds of documents that can be generated using the CC-defined requirements • Protection profiles (PPs): define an implementation-independent reusable set of security requirements and objectives for a category of products or systems that meet similar consumer needs for IT security, reflecting user security requirements • Security targets (STs): contain the IT security objectives and requirements of a specific identified TOE and defines the functional and assurance measures offered by that TOE to meet stated requirements, and forms the basis for an evaluation Stallings Figure 20.6 illustrates the relationship between requirements and profiles and targets. Common Criteria Figure shows the security functional requirements paradigm. It is based on the reference monitor concept but makes use of the terminology and design philosophy of the CC.
