CSCI 467 – IP and Web Security

Chapter 16, 17 from Cryptography and Network Security,

4th Edition, William Stallings

Jason Detchevery
With slides adapted from Lawrie Brown
April 1st 2009
IP Security
Chapter 16
IP Security
• Chapter Goals
• Understand why we use IP Security (IPSec)
• To learn how IP Security works
• Gain insight on the specific sections
• The pros and cons of IP Security
• Learn of specific implementations IP Security
• Learn of IP Security Architecture and Standers
IP Security
• Purpose of IP Security
• Application specific security measures insufficient
• Organizations have needs of security which cut layers
• IP-level security enhances both application security
already in place, and provides to security to applications
lacking security
• What an IP Security system should provide
• Three functional areas
• Authentication
• Confidentiality
• Key management
• Look at security architecture, then each of the functional areas
IP Security Overview
• IP Security: Known as “IPSec”
• IPv6 (successor to IPv4) has authentication and
encryption
• IPSec was designed to be work with both IPv4 and IPv6
• In v6, IPSec’s implementation is mandatory
• For IPv4, it’s still optional
• Benefit is v6 security can be rolled out immediately,
before v6 is mainstream
IPSec Applications
• Secure communications across a LAN
• Indented uses of IPSec:
• Companies can use Internet for secure intra-office
communication
• Secure remote access (VPN, dial systems) from
external computer to secured network
• Secure connectively of terminals between
companies
• Adding security to E – commerce (which as
application level security)
IPSec Applications
IPSec Benefits
• Applied on a router level to all traffic
• Hard to bypass when used for firewall implementation
• Below the transport layer: software is unaffected
• Transparent to users
• Can be customized to specific users
• IPSec used in routing:
• router advertisements are authentic
• neighbor advertisements are authentic
• verification of redirect messages
• prevents update forges
IP Security Architecture
• Complex specification (many documents/specs)
• Protocols specify:
• Architecture
• Encapsulating Security Payload (ESP)
• Authentication Header (AH)
• Encryption Algorithm
• Authentication Algorithm
• Key Management
• Domain of Interpretation
IPSec Services
• Services at the IP Layer
• Selecting protocols, algorithms, crypto-keys
• Important security protocols: ESP and AH
• ESP and AH services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (cipher text)
• Confidentiality with limited cipher text
IPSec Services
Security Associations
• Very important concept (used throughout)
• Association: one-way relationship between sender
and receiver
• Provides security on traffic between it
• Can use two Security Associations (SA’s) for two way
communication
• Services provided to AH, ESP, but not both
simultaneously (but can be combined, as seen later)
• SA uniquely identified by three parameters: Security
Parameters Index (SPI), IP Destination Address, Security
Protocol Identifier
SA Parameters
• An SA must carry with it a number of important values
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-replay window
• AH, ESP Information
• Lifetime of the SA
• Protocol mode (Tunnel/Transport, see in a moment)
• MTU: Maximum transmission unit
SA Selectors
• IPSec: Flexibility on application of services to traffic
• How to relate IP traffic to an SA?
• Security Policy Database:
• Simple idea: Table to relate subset of IP traffic to a
specific SA
• Becomes very complex (many to many relationship)
• An entry: IP and upper-layer protocol field values
• Known as selectors (filter outgoing traffic to SA)
• Outgoing traffic: 1) compares fields of packet against
SPD, finds match. 2) Determine the SA (if exists) 3) Do
IPSec (AH ESP)
SPD Entry
• What does an SPD entry look like?
• Destination IP Address – Single or Range (mask)
• Source IP Address
• UserID
• Data Sensitivity Level
• Transport Layer Protocol
• Source and Destination Ports
Transport and Tunnel Mode
• Another important concept reused:
• Transport mode: Protection of packet payload
• Tunnel mode: Protection of entire packet
• Transport mode used in end to end communication
between hosts.
• ESP: encrypts (+ authenticate) payload, not header
• AH: Authenticates payload, selected header bits
• Tunnel mode: new routing info added
• ESP: encrypts (+ authenticate) packet(not outer
header)
• AH: authenticates entire packet, selected outer bits
Authentication Header
• Adds data integrity and authentication to IP packets
• Integrity: avoid alteration of packets
• Authentication: filter traffic correctly
• Prevent spoof attacks and replay attacks
• Uses a message authentication code (MAC)
• Required shared secret key
• Uses the following fields:
• Next Header, Payload Length
• Reserved, SPI
• Sequence Number, Authentication Data
Authentication Header
Preventing Replays
• Attacker grabs authentic packet, transmits later
• Sequence Number tries to prevent this
• Sequence Number is generated by sender for a new SA
• Starts and 0 and increments to 232 – 1
• Incremented for each new packet, thus first value, 1
• Cannot be allowed to cycle. Passing limit must
negotiate NEW SA with a NEW secret key
• Since IP does not guarantee packet delivery order
(or at all for that matter), the receiver uses the
familiar sliding window concept for data
transmission.
Integrity Check Value
• ICV value in the Authentication Data
• Authentication code from a MAC algorithm
• Can use HMAC-MD5-96 or HMAC-SHA-1-96
• Calculation of the MAC code:
• Includes immutable fields and predictable fields
• Other fields set to 0
• Authentication Data field = 0
• Includes all additional protocol information
(TCP/IP), which should be immutable
• Recalculated and destination
Transport and Tunnel Modes
Encapsulating Security Payload
• Confidentiality services
• ESP can optionally provide authentication
• Parameters in an ESP Packet:
• Security Parameters Index
• Sequence Number
• Payload Data
• Padding
• Pad Length
• Next Header
• Authentication Data (e.g. ICV value)
Encapsulating Security Payload
Encryption and Decryption
• Uses any number symmetric encryption algorithms
• Three-key DES
• RC5
• Blowfish
• More
• Specified by the DOI
• Padding:
• Padding can indicate cipher text length, make plain
text long enough
• Used to align fields
• Conceal actual payload length
Transport and Tunnel Modes
• Transport Mode
• IP Header removed. Payload (including TCP header)
encrypted/replaced by cipher text
• Header attached/sent to destination
• Destination detaches and decrypts payload
• Tunnel Mode
• Entire packet is encrypted
• New IP Header added to cipher text and routed
• Decrypts the packet at destination
• Secondary header used for final routing
Combining Security Associates/Keys
• Can combine security associates (4 cases)
• IPSec requires management of secret keys
• Two types of key management: auto and manual
• Oakley Key Determination Protocol (like Diffie-Hellman,
but more secure)
• Cookies against clog attacks
• nonces to prevent replays
• authenticate against man in the middle
• Internet Security Association and Key Management
Protocol (allows various key exchange algorithms)
Web Security
Chapter 17
Web Security Introduction
• Need for security on the Transport Control Protocol
(TCP) Layer
• Uses Secure Socket Layer (SSL) and Internet standard
SSL called Transport Layer Service
• Allows TCP users to indentify security mechanisms
• Particularly concerted with E – commerce security:
Secure Electronic Transaction (SET)
Web Security Considerations
• Room for nearly all levels of security in the Web
• E.g. previous considerations
• Nevertheless: Web presents unique challenges
• All communication two way thus doubling the
opportunity for attack
• Web integrated into business: high losses if security
compromised
• Security flaws in complex software
• Web Servers may provide access to local intranet
• Users not aware of security risks
Threats Classifications
Web Security Approaches
• Different ways of implementing security
• Similar in services and (to an extent) mechanisms
• Differ with respect to scope and location with TCP/IP
stack
• Simple security: Use IP Security! IPSec runs over TCP
• Another solution: Run security just above TCP, below IP
• Basis of SSL and TLS
• Choice: Make SSL/TLS transparent or integrate into
applications? (advantage: tailored to needs,
disadvantage: complexity)
SSL and TLS
• Current version is SSL v3. TLS is essentially SSLv3.1
• Not a “successor” exactly, just a different standard
• SSL Architecture
• Make TCP reliable/secure
• Higher level protocols operate (HTTP for instance)
on SSL
• SSL uses three protocols: Handshake Protocol,
Change Cipher Spec Protocol, Alter Protocol
• Also a special “record” protocol
• Used in management of SSL exchanges
SSL Architecture
SSL Session and Connection
• Connection: A transport (recall OSI layers) providing
suitable service types. Here, these are peer-to-peer
connections and are transient (short lived). That is,
connections associated with one session.
• Session: An association between client and a server.
The Handshake protocol initiates sessions, which define
cryptographic parameters. The parameters may be
shared: in fact we use sessions to avoid negotiation of
new security parameters for each connection
(expensive)
Session and Connection States
• Session state has following parameters
•Session Identifier, Peer certificate (X509, etc)
• Compression Method
• Cipher spec (data encryption) and hash
• Master secret
• Is resumable?
• Connection state:
•Server and client randomness
• Keys: Server/Client MAC, Server/Client Write
• Initialization vectors
• Sequence numbers
SSL Record Protocol
• SSL Record protocol provides two services:
• Confidentiality
• Using symmetric encryption with a shared secret
key defined by Handshake Protocol
•AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
RC4-40, RC4-128
• Message is compressed before encryption
• Message integrity
• Using a MAC with shared secret key
• Similar to HMAC but with different padding
• Concerns itself with: fragmentation, compression,
authentication (MAC), encryption, header
SSL Record Appearance
Handshake Protocol
• Allows server & client to:
• Authenticate each other
• To negotiate encryption & MAC algorithms
• To negotiate cryptographic keys to be used
•Comprises a series of messages in phases
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish
Handshake Protocol
SSL Change Cipher Spec Protocol
• One of 3 SSL specific protocols which use the SSL
Record protocol
• A single message
• Causes pending state to become current
• Hence updating the cipher suite in use
SSL Alert Protocol
• Conveys SSL-related alerts to peer entity
• Severity
• Warning or fatal
• Specific Alert
• Fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
• Warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
• Compressed & encrypted like all SSL data
Transport Layer Security
• As stated, standard similar to SSL
• Some differences:
• Un record format version number
• Uses HMAC for MAC
• A pseudo-random function expands secrets
• Has additional alert codes
• Some changes in supported ciphers
• Changes in certificate types & negotiations
• Changes in crypto computations & padding
Secure Electronic Transactions
• Open encryption & security specification
• To protect Internet credit card transactions
• Developed in 1996 by Mastercard, Visa etc
• Not a payment system
• Rather a set of security protocols & formats
• Secure communications amongst parties
• Trust from use of X.509v3 certificates
• Privacy by restricted info to those who need it
SET Components
SET Transaction
• Customer opens account
• Customer receives a certificate
• Merchants have their own certificates
• Customer places an order
• Merchant is verified
• Order and payment are sent
• Merchant requests payment authorization
• Merchant confirms order
• Merchant provides goods or service
• Merchant requests payment
Purchase Request
• SET purchase request exchange consists of four
messages
• Initiate Request - get certificates
• Initiate Response - signed response
• Purchase Request - of OI & PI
• Purchase Response - ack order
Payment Gateway Authorization
• Verifies all certificates
• Decrypts digital envelope of authorization block to
obtain symmetric key & then decrypts authorization
block
• Verifies merchant's signature on authorization block
• Decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
• Verifies dual signature on payment block
• Verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
• Requests & receives an authorization from issuer
• Sends authorization response back to merchant
Payment Capture
• Merchant sends payment gateway a payment capture
request
• Gateway checks request
• Then causes funds to be transferred to merchants
account
• Notifies merchant using capture response