Applied IT Security
Applied Cryptography
Dr. Stephan Spitz
Stephan.Spitz@zv.fraunhofer.de




                                 8 Authentication/Security Protocols
• Overview & Basics
         • Network Protocols and the Internet
         • Operating Systems and Applications
• System Security
         • Operating System Security
         • Security Threats on Networks
         • Firewalls and Intrusion Detection Systems

• Applied Cryptography
         • Public Key Infrastructures
         • Authentication Protocols
         • Encryption and digital Signatures in topical Applications

• Software Development & IT Security
         • Building Secure IT Systems
         • Use of Cryptographic Libraries and Devices
• The Future of IT Security

• Overview & Basics
          • Network Protocols and the Internet
          • Operating Systems and Applications
• System Security
          • Operating System Security
          • Security Threats on Networks
          • Firewalls and Intrusion Detection Systems

• Applied Cryptography
          • Public Key Infrastructures
  Today   • Authentication Protocols
          • Encryption and digital Signatures in topical Applications

• Software Development & IT Security
          • Building Secure IT Systems
          • Use of Cryptographic Libraries and Devices
• The Future of IT Security

Overview Authentication and Security Protocols
    • Network and Transport Layer Security
       • Virtual Private Networks
       • IPSec
       • Internet Key Exchange

    • Application Layer Security
       • SSL / TLS / HTTPS / SSH / SMIME
       • SSL in Detail
       • Example: Apache and SSL

    • Wireless Protocol Security
        • Wireless Security Protocols
       • Bluetooth Security
       • UMTS Security


Protocol Layers

• Application Layer
    Protocols: SMTP, HTTP, SNMP, FTP, SOAP, etc.
    Services:  Services for applications (e-mail clients and servers, WWW server), name resolution (DNS)
    Security:  SSL/TLS
• SOCKET INTERFACE
• Transport Layer
    Protocols: Transmission Control Protocol (TCP), UDP, ICMP (Internet Control Message Protocol) for debugging
    Services:  Connection-oriented, connectionless transport service for applications
    Security:  IPSec Transport Layer
• Network Layer
    Protocols: Internet Protocol (IP)
    Services:  Routing, addressing of packets
    Security:  IPSec Network Layer (Tunnel)
• Data Link Layer
    Protocols: Ethernet, Token Ring, ATM, PPP, GPRS
    Services:  Packet transmission on physical media
    Tunneling / security: L2TP, PPTP; WEP, EAP




Network Layer Security (Tunnel)

[Figure: two protocol stacks, each with Application Layer, Transport Layer, security-enhanced Network Layer and Data Link Layer. Peer layers exchange Application Data, Transport Payload, Network Payload in a Secure Tunnel, and Data Link Payload.]

  • Protected communication in an open network between secure
    systems, e.g. firewalls, routers


Transport Layer Security

[Figure: two protocol stacks, each with Application Layer, security-enhanced Transport Layer, Network Layer and Data Link Layer. Peer layers exchange Application Data, Secured Packet Transport, Network Payload and Data Link Payload.]

  • Communication inside a secure network with protected
    transport payload (AH or ESP)


Virtual Private Networks (VPN)
• The basic VPN functionality is the provision of authentication,
  access control, confidentiality and data integrity

• A process called „Tunneling“ enables the virtual part of a VPN.
  There are two tunneling protocols:
    PPTP            Point to Point Tunneling Protocol
    L2TP            Layer 2 Tunneling Protocol

• IPSec security services keep the VPN (transport, network)
  payload private (optionally), integrity-protected and authenticated:
    IPSec AH         Authentication Header
    IPSec ESP        Encapsulating Security Payload


IPSec

• Tunnel Mode (Network Layer Security)
    | IP Header | IPSec Header | IP Header | TCP/UDP Header | Application Protocol |
    Original Packet (AH, optionally kept secret with ESP)

• Transport Mode (Transport Layer Security)
    | IP Header | IPSec Header | TCP/UDP Header | Application Protocol |
    Original Packet (AH, optionally kept secret with ESP)


Tunneling

• Tunneling with L2TP or PPTP
    | Layer 2 Media Header | L2TP/PPTP Header | IP Header | TCP/UDP Header | Application Data |
    Original Packet

• Combination of IPSec and L2TP
    | Layer 2 Media Header | L2TP/PPTP Header | IP Header | IPSec Header | IP Header | TCP/UDP Header | Application Data |
    Original Packet
IPSec Network View

[Figure labels: INTERNET, Company LAN]

IPSec Gateway
  • Physical NWI, IP known in INTERNET
  • Logical NWI inside VPN
  • Physical NWI with IP known in LAN

IPSec Host
  • Physical NWI (Network Interface)
  • Logical NWI with IPSec IP inside VPN




Internet Key Exchange (IKE)
• IKE is the alternative to manual key configuration to … :
        … agree between the communicating parties on
        protocols, algorithms and keys.
        … ensure talking to the right person (authentication).
        … secure key management and exchange
• IKE = Security Association (SA) + Key Management Protocol (KMP)

• KMP can be done in …
   … main mode, i.e. DH agreement with identity and nonces, key
  derivation (deriv., auth., enc.) and identity proving
   … aggressive mode, i.e. main mode without DH identity protection
   … quick mode inside an SA

Application Layer Security
[Figure: two protocol stacks, each with Application Layer, SSL/TLS/SSH, Transport Layer, Network Layer and Data Link Layer. Peer layers exchange authenticated and privacy protected Application Data, Transport Payload, Network Payload and Data Link Payload.]

  • Communication on application level is secured by cryptography



Overview

• SSL: Secure Socket Layer = Application level security built on
  the socket interface to support security in ftp, telnet, http, etc.

• TLS: Transport Layer Security eq. SSL (SSL 3.0 = TLS 1.0)

• HTTPS: HTTP over TLS/SSL

• SSH: Secure Shell supports authenticated and encrypted remote
  system logins also based on the socket interface (it's a program
  and a protocol)

• SMIME: Secure MIME (Multipurpose Internet Mail Extensions)
  format for secure email exchange based on PKCS#7


SSL History
 SSL V1.0 (1993)
  • Security on application level
  • Developed by Netscape

 SSL V2.0 (1994)
  • First implementation in Netscape Navigator
  • Limitation on 40 bit keys

 SSL V3.0 (1995)
  • Bugfixes and new crypto algorithms
  • Unlimited key length

 SSL V3.1 TLS V1.0 (1999)
  • Authentic mode only with message digest and without encryption

SSL Handshake
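  Client -> Server   Client Hello (ID, RND1, CipherSuite)
  Server -> Client   Server Hello (ID, RND2, CipherSuite)
  Server -> Client   Certificate
  Server -> Client   Certificate Request
  Server -> Client   Hello Done
  Client -> Server   Certificate
  Client -> Server   ClientKeyExchange (Enc PubKey Server)
  Client -> Server   Certificate Verify (Enc PrivKey Client)
  Client -> Server   ChangeCipherSpec/Finished (Enc SessionKey)
  Server -> Client   ChangeCipherSpec/Finished (Enc SessionKey)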



SSL Communication

SSL Record Layer

• Complete division of SSL Handshake and Record Layer Communication

• Record Layer provides encrypted communication (handshake keys!)

• Fragmentation support for encrypted SSL records

• Bandwidth reduction due to compression in SSL records

• Sequence counters ensure connection orientation on SSL level

• Integrity of data is ensured by adding message digest



Programming with SSL-Sockets
Client side:
1. Define socket parameters in SSL_struct
2. Open socket with socket() and connect to server with connect()
3. Connect Unix socket and SSL data with SSL_set_fd()
4. Start SSL handshake with SSL_connect()
5. Write and read data on SSL socket with SSL_write(), SSL_read()
Server side:
Steps 1-3 are like the client side, without connect()
4. Wait on client request with listen() and accept it with accept()
5. Read the private server key with SSL_use_RSAPrivateKey()
6. Select the server certificate again with SSL_use_RSAPrivateKey()
7. After SSL_connect() read and write data to client

Resistance of SSL against Attacks
Replay attack
 • Random numbers inside SSL handshake prevent replay of
   handshake
 • Encrypted sequence numbers in SSL record layer prevent replay
   of „old“ SSL-Records.
Man-in-the-Middle attack
 • Dynamic key agreement via challenge response technique in
   SSL handshake
IP Spoofing
 • IP packages with faked source IP can not be prevented, because
   SSL provides no security for the network and the transport layer
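
The replay protection described on the "SSL Record Layer" and "Resistance of SSL against Attacks" slides, as an added example that is not part of the original slides. It models the TLS 1.0 construction, in which the sequence number is never sent but is covered by the record MAC. HMAC-SHA-256, the omission of encryption, the simplified framing and all class and function names are assumptions of this sketch.

```python
"""Record-layer MAC over an implicit sequence number (added example)."""
import hashlib
import hmac
import struct

APPLICATION_DATA = 23     # TLS record content type
VERSION_TLS10 = 0x0301    # "SSL V3.1" on the wire


def record_mac(mac_key, seq, rtype, version, fragment):
    """MAC input as in TLS 1.0: seq_num || type || version || length || fragment."""
    header = struct.pack("!QBHH", seq, rtype, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq = 0          # never transmitted, only fed into the MAC

    def seal(self, data):
        mac = record_mac(self.mac_key, self.seq, APPLICATION_DATA, VERSION_TLS10, data)
        self.seq += 1
        # Simplified framing: the length field counts the payload only.
        header = struct.pack("!BHH", APPLICATION_DATA, VERSION_TLS10, len(data))
        return header + data + mac


class RecordReceiver:
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq = 0
        self.closed = False

    def open(self, record):
        if self.closed:
            raise ConnectionError("connection already torn down")
        rtype, version, length = struct.unpack("!BHH", record[:5])
        data, mac = record[5:5 + length], record[5 + length:]
        expected = record_mac(self.mac_key, self.seq, rtype, version, data)
        if not hmac.compare_digest(mac, expected):
            self.closed = True            # a bad record MAC is fatal
            raise ValueError("bad_record_mac at sequence %d" % self.seq)
        self.seq += 1
        return data


def try_open(receiver, record):
    """Return the payload, or the rejection reason as a string."""
    try:
        return receiver.open(record)
    except (ValueError, ConnectionError) as exc:
        return "rejected: %s" % exc


def demo():
    # Constructed key; stands in for the MAC secret derived in the handshake.
    key = b"constructed-mac-key-from-handshake"
    sender = RecordSender(key)
    first = sender.seal(b"transfer 10 EUR to account 42")
    second = sender.seal(b"logout")

    results = {}
    rx = RecordReceiver(key)
    results["in_order"] = [try_open(rx, first), try_open(rx, second)]

    rx = RecordReceiver(key)
    try_open(rx, first)
    results["replay"] = try_open(rx, first)      # same bytes, receiver is at seq 1

    rx = RecordReceiver(key)
    results["reordered"] = try_open(rx, second)  # sealed with seq 1, receiver at seq 0

    rx = RecordReceiver(key)
    tampered = first.replace(b"10 EUR", b"99 EUR")
    results["tampered"] = try_open(rx, tampered)
    results["after_failure"] = try_open(rx, first)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

A replayed record is byte-identical to one the receiver already accepted, yet it fails verification because the receiver's counter has moved on.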



Security in Wireless Protocols


• General Security Aspects in Wireless LANs according to IEEE 802.1x


• WEP (Wired Equivalent Privacy) and EAP (Extensible Authentication
  Protocol) security in Wireless LANs according to IEEE 802.1x

• Bluetooth security architecture (three secure modes),
  authentication/key negotiation and encryption




General WLAN Security Aspects

• Wireless LAN access point detection (war driving) via Netstumbler/
  Ministumbler or SSIDsniff; sniffing via CENiffer, Kismet, Ethereal

• Denial of service attacks based on jamming in the 2.4 GHz band or
  the 5 GHz band are possible

• Secure Configuration:
    • Don't use default SSID (Service Set Identifier, i.e. WLAN Name)
    • Enable Hidden SSID (connection only with clients knowing SSID)
    • Limit access only to certain MACs (be careful, MAC can be faked!)
    • Enable WEP and use EAP authentication



Wired Equivalent Privacy (WEP)
• Wired Equivalent Privacy (WEP) is defined in IEEE 802.11 Wireless
  LAN Medium Access Control (MAC) and Physical Layer (PHY) Spec.

• WEP defines a simple stream cipher based on an RC4 pseudo
  random generator seeded by an initialisation vector and the key.

 • WEP weaknesses have been announced by Fluhrer, Mantin and
   Shamir in 2001; meanwhile cracks are available (Airsnort,
   WEPCrack) based on:
        • The IV is first transmitted as plain text and is only 24 bit
          (after 2^24 packets the key is repeated; simple cryptanalysis
          based on autocorrelation)
        • The seed must not be used twice, which is often practiced,
          because of repetition of the IV or using 0 as IV for the first
          packet
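
Why the seed must not be used twice, as an added example that is not part of the original slides: WEP-style framing with the RC4 seed IV || key, a check for repeated IVs in a set of frames, and the birthday bound for the 24-bit IV space. The key, IVs, plaintexts and all function names are constructed for illustration.

```python
"""WEP-style framing with RC4: why a repeated IV is fatal (added example)."""
import math
import struct
import zlib
from collections import Counter

IV_BITS = 24  # WEP IV size stated on the slide


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + seed[i % len(seed)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame = cleartext IV || RC4(IV || key) XOR (data || CRC-32 ICV)."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV must be 24 bits")
    body = data + struct.pack("<I", zlib.crc32(data))
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("ICV mismatch")
    return data


def reused_ivs(frames):
    """Return the IVs that occur in more than one frame."""
    counts = Counter(frame[:3] for frame in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)


def xor_of_ciphertexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """For frames with the same IV the keystream cancels: C1 ^ C2 == P1 ^ P2."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


def iv_collision_probability(frames_sent: int) -> float:
    """Birthday bound: chance that random 24-bit IVs repeat within n frames."""
    space = 2 ** IV_BITS
    return 1.0 - math.exp(-frames_sent * (frames_sent - 1) / (2 * space))


# Constructed sample data (not from a real capture).
KEY = bytes.fromhex("0102030405")            # 40-bit WEP key
P1 = b"GET /index.html HTTP/1.0"
P2 = b"USER alice PASS s3cret!!"
FRAMES = [
    wep_encrypt(KEY, b"\x00\x00\x00", P1),   # IV 0 for the first packet
    wep_encrypt(KEY, b"\x00\x00\x01", b"unrelated frame"),
    wep_encrypt(KEY, b"\x00\x00\x00", P2),   # IV 0 again, e.g. after a reset
]

if __name__ == "__main__":
    print("reused IVs:", [iv.hex() for iv in reused_ivs(FRAMES)])
    leak = xor_of_ciphertexts(FRAMES[0], FRAMES[2])
    print("C1^C2 == P1^P2:", leak[:len(P1)] == xor(P1, P2))
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

With randomly chosen IVs a repeat is more likely than not after roughly 5000 frames, long before the 2^24 limit is reached.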
Extensible Authentication Protocol (EAP)
• RFC 2284 defines the PPP Extensible Authentication Protocol (EAP)
  for embedding authentication in other protocols like WEP.

 • There are different ways for authentication:
         • EAP-MD5 provides a username, password authentication,
           not advisable with the weaknesses of WEP encryption
         • EAP-TLS uses an asymmetric challenge-response
           authentication based on X.509 certificates
         • EAP-TLS SSL-Handshake without client certificate
           transmission
         • EAP-SIM authentication based on mobile phones SIM
           (Subscriber Identity Module)


Bluetooth Security
• Bluetooth defines three modes Non Secure, Service Level Enforced
  Security and Link Level Enforced Security and offers authentication
  and encryption services.

 • Bluetooth symmetric authentication steps:
   1. Link Key negotiation based on Unit Key (fixed) or Combination Key
   2. Challenge-response system authentication based on Link Key
   3. Encryption key derivation based on Link Key, random number
   and a Ciphering Offset

 • Bluetooth encryption is based on a non „state of the art“ stream
   cipher using linear feedback shift registers (LFSR) with max.
   128 bit key length.


Concerns on Bluetooth Security
• Usage of fixed Unit Key for authentication and key derivation
  causes security problems and narrows variety of authentication
  and encryption keys.

• The quality of the pseudo random number generators can be very
  weak concerning different implementations.

• Security depends on the knowledge of one PIN (personal
  identification number), because the random challenge and
  Bluetooth addresses are known.

• Cryptanalysis already reduced the complexity of the used stream
  cipher from 2^128 (Brute Force) to 2^66.


