Protocols PK Encr./Auth. PK Key Establishment Secure Comm. in Open Networks SSL/TLS Nicolas T. Courtois - University College London


Protocols PK Encr./Auth.

PK Key Establishment

Secure Comm. in Open Networks

SSL/TLS

Nicolas T. Courtois - University College London


Security Notions

Nicolas T. Courtois, 2006-2010

3 Stages


CompSec COMPGA01

Nicolas T. Courtois, January 2009

Three Stages in Information Security [Courtois]

3 degrees of evolution:

1. Protections that are secret.

2. Based on a secret key.

3. Private-public key solutions.


PK Crypto

Public-Key Cryptography == Asymmetric Cryptography


3rd Stage – Public Key Cryptography

No shared key: one private and one public key.

Private key: generated and stored securely…


Third Stage – Public Key Cryptography

Public key: can be distributed to many parties. Does not have to be public (but the system remains secure when it is).


Public Key Schemes

Symmetric == Conventional Schemes = 1 algorithm.

Asymmetric == Public-Key Cryptography = 3 algorithms:

• Key Generation Algorithm.
• Encryption / Signature Verification Algorithm.
• Decryption / Signature Algorithm.


*Traditional Secret-Key Encryption

[Diagram: Alice and Bob]


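Public Key Encryption

[Diagram: key generation algorithm (past: setup phase) producing pk (public key) and sk (private key); encryption algorithm with inputs m and pk and output c; decryption algorithm with inputs c and sk and output m or invalid; Eve observing c; random input r.]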


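MACs = “Secret-Key Signatures”

[Diagram: MAC algorithm with inputs m and sk (secret key); the pair (m,) goes to a second MAC algorithm holding the same sk (secret key), which answers yes/no; the adversary attempts a forgery.]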


Digital Signatures

[Diagram: signing algorithm with inputs m and sk (private key); the pair (m,) goes to the verification algorithm holding pk (public key), which answers yes/no; the adversary attempts a forgery.]


Signatures - Requirements

1. Authenticity –
2. Non-repudiation –
3. Public verifiability –


Protocols:

Security of Email


SMTP Protocol

THE original email protocol.
Plaintext commands in a telnet session.
Access: no authentication, or basic password-based authentication.
Emails: no encryption (in cleartext), no authentication.

In addition, everybody can send email => epidemics of spam!!!!


Standards for Secure Email

Two main open standards:
• PGP
  – [Phil Zimmermann, US activist, 1991],
  – much later became open standard GnuPG [RFC2440]
  – some PGP products are certified by US gov NIST
• S/MIME [RSA Labs]
  – free implementation in OpenSSL

Same general method, called hybrid encryption:


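Hybrid Encryption

[Diagram: hybrid encryption. Key Encapsulation Module: a random key K is encrypted under pk (public key) with the PK encryption algorithm + “good” padding, giving the encapsulated key; the receiver recovers K with sk (private key) using the PK decryption algorithm + verif. padding. Data Encapsulation Module: a block cipher + mode, keyed with K and using an IV, turns $m_i$ into $c_i$ on the sender's side and $c_i$ back into $m_i$ on the receiver's side. The key generation algorithm (input r) ran in a past setup phase; Eve sees $c_i$.]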


PKI Comparison

• PGP
  – web of trust, totally decentralized system
    • users can choose how much they trust each key
    • is trust transitive? not really
    • in particular, can also implement normal hierarchical PKI.
• S/MIME [RSA Labs]
  – uses the same standard PKI as SSL: X.509 certificates.

In both cases organisations can implement their own closed PKI.


Problems with PK crypto and email encryption


* Problems with the PKI Systems

• Cf. Ellison and Schneier: “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure” http://www.schneier.com/paper-pki.pdf
• Ben Laurie: Seven and a Half Non-risks of PKI. http://www.apache-ssl.org/7.5things.txt

Problem 373: once done it can hardly be undone…


Main Risks / Pitfalls

1. Bugs? Backdoors? Source code? People/country trusted?
2. Is it really the key of Bob?
   • Certificates: trusting third parties in foreign countries
3. Was his real key lost or stolen (e.g. virus)?
   • Revocation Lists: lists of blacklisted keys stored on an Internet server
4. Was my key of good quality?
   • size (1024 bit: expired 2010)
   • strength (RSA-PSS 2048 bits)
   • randomness (mouse keyboard…)
5. Was the message changed at signing time?
   • Real-time substitution
6. Did parties perform all the checks?
7. Shall I save the message?


**Attack Tree for PGP

© Bruce Schneier


Email Storage

Questions:
• should received and decrypted email be stored encrypted?
• why do we sometimes need to add ourselves to the recipient list when sending a message?


Happy with Secure Email?

Problems kind of solved:
• confidentiality
• authenticity

Unsolved problems:
• privacy of the recipient
• privacy of the sender
• hiding the existence of the message (=> Steganography).


Key Establishment


The Need

Need for a session key (a short term key):


What PK Encryption Can/Cannot Achieve and

What Kind of Setup is Needed (PKI=Public Key Infrastructure)


What Is Achieved by PK Crypto ?

Fact: There is no security possible for two parties that do not know each other and communicate via a public channel.

[Diagram: Man in the Middle between Alice and Bob]


But…

Security is however possible if there is “some authenticity” available.


Authentic Channel PK Crypto

For example, if the channel is authentic:

[Diagram: Alice and Bob; passive eavesdropping]


Can be done With Even Less (!)

Security is however possible
• [stronger] when the channel is authentic / authenticated (!!!).
• [weaker] when a public key of Alice is securely held by Bob.
• [even weaker] when at least one authentic public key is held by all parties. Can be used to certify other keys with digital signatures. ROOT OF TRUST

[Diagram: Bob and Alice]


ROOT of TRUST

PK Crypto is ALL ABOUT trading security for authenticity.

(and there is no security without an authentic public key.)

=> Example: If Windows is hacked and there is no TPM/smart card, there is no security for e-Commerce or e-Banking.


Asymmetric Techniques for Key Establishment


Key Exchange by Public Discussion


Diffie-Hellman Setup

Diffie-Hellman Exponential Key Exchange.

(brilliant idea unique in its kind…)

Setup: (done once, can be the same for all users).

$g$, a generator of $\mathbb{Z}_p^*$.

(DH also works in many other groups.) Also works mod $n$, composite $n$.


Diffie-Hellman Exponential Key Exchange

Alice picks $a$; Bob picks $b$.
Alice sends Bob: $g^a \bmod p$
Bob sends Alice: $g^b \bmod p$
Shared key: $g^{ab} \bmod p$


Alice's computation: $(g^b)^a = g^{ab} \bmod p$. Bob's computation: $(g^a)^b \bmod p$.


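MIM Attack

[Diagram: Man In the Middle between Alice and Bob]
Alice sends $g^a \bmod p$; Bob sends $g^b \bmod p$.
The man in the middle passes on $g^c \bmod p$ to each of them instead.
Alice computes $g^{ac} \bmod p$; Bob computes $g^{bc} \bmod p$.

Fix: Authenticated Diffie-Hellman (each party has a PK and a Cert):
Alice sends $C_{Alice}$, $g^a \bmod p$, $\mathrm{Sign}_{Alice}(g^a \bmod p)$
Bob sends $C_{Bob}$, $g^b \bmod p$, $\mathrm{Sign}_{Bob}(g^b \bmod p)$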
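
The exchange, the MIM attack and the signed fix from the slides above, as an added example that is not part of the original slides. Assumptions: toy DH parameters, a textbook RSA hash-then-sign standing in for Sign, pinned public keys standing in for the certificates, and the attacker name Mallory.

```python
import hashlib
import secrets

# Toy parameters: assumptions for this demo, far too small for real use.
P = 2**127 - 1      # DH modulus (a Mersenne prime)
G = 3               # public base g
E = 65537           # RSA public exponent

def rsa_keypair(p, q):
    """Textbook RSA key pair from two given primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(value, n):
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(value, private):
    n, d = private
    return pow(digest(value, n), d, n)

def verify(value, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(value, n)

# Long-term signing keys built from publicly known Mersenne primes (demo only).
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**521 - 1, 2**607 - 1)
_, MALLORY_PRIV = rsa_keypair(2**61 - 1, 2**127 - 1)

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # secret exponent in 2..P-2
    return x, pow(G, x, P)

def plain_dh(attacker_present):
    """Unauthenticated DH. Returns (Alice's key, Bob's key, Mallory's keys)."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    if not attacker_present:
        return pow(gb, a, P), pow(ga, b, P), None
    c, gc = dh_keypair()                      # Mallory swaps both values for g^c
    return pow(gc, a, P), pow(gc, b, P), (pow(ga, c, P), pow(gb, c, P))

def authenticated_dh(attacker_present):
    """Signed DH. Returns the shared key, or None if a signature is rejected."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    to_bob = (ga, sign(ga, ALICE_PRIV))
    to_alice = (gb, sign(gb, BOB_PRIV))
    if attacker_present:
        c, gc = dh_keypair()
        to_bob = to_alice = (gc, sign(gc, MALLORY_PRIV))
    # Each side verifies against the peer's authentic (pinned) public key.
    if not (verify(*to_bob, ALICE_PUB) and verify(*to_alice, BOB_PUB)):
        return None
    key_alice, key_bob = pow(to_alice[0], a, P), pow(to_bob[0], b, P)
    return key_alice if key_alice == key_bob else None

if __name__ == "__main__":
    ka, kb, mallory = plain_dh(attacker_present=True)
    print("MIM on plain DH: Mallory holds both keys:", mallory == (ka, kb))
    print("MIM on signed DH detected:", authenticated_dh(True) is None)
```

As on the slide, each party signs only its own value; the unpadded RSA and the 127-bit modulus are for illustration only.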


Protocols:

Electronic Commerce: SET vs. SSL

or let the worse candidate win…


History

See Ross Anderson, chapter 10.

Secure Electronic Transaction (SET) protocol was designed by VISA and MasterCard [1996].

• Required installation of software on each computer.
• Very nice system
  – credit card numbers would never be known to merchants.
  – the bank doesn’t need to know what people buy
• Failed to become widely adopted,
  – higher cost burden on merchants
  – also because of much simpler SSL alternative available.


TLS = Transport Layer Security

Goals:
• two parties not knowing each other want to communicate
• more, they want to engage in business/commerce
  – confidentiality: protect your credit card number
    • also protect your privacy (what I’m buying)
  – integrity => authenticity
    • Am I really talking to Amazon.com?
• Key problem: MIM Attacks.

What is TLS? In a nutshell it is a standard and practical way of doing authenticated Diffie-Hellman + extra bits and pieces that were required to make it work in real life…

Originally developed by Netscape as SSL = Secure Socket Layer and patented(!) – 1994.
Now open standard renamed TLS = Transport Layer Security.


Revision: How Kerberos solved the $n^2$ problem…


TTP vs. CA, Kerberos vs. TLS

As in Kerberos we need trusted parties (unless we adopt web of trust model, PGP, very hard to imagine in e-commerce).

Differences:

Kerberos is a symmetric system.
• TTP must be online.
• The TTP has all keys and must be trusted to keep them secret.
• Future compromise of TTP can compromise all past sessions.

TLS uses asymmetric cryptography. Much more powerful: less “exposure”.
• CA is offline. Most of the time not needed at all.
  – Even CRLs can be distributed in asynchronous offline way (e.g. updates).
• We only need CA to be trusted for authenticity
• and only in the past. No compromise of past sessions.


TLS = Transport Layer Security

Two Stages:
1. TLS Handshake:
   – Establish a shared key using PK crypto.
     • e.g. Authenticated DH
     • PKs are authenticated with certificates.
2. Encrypted and Authenticated Communication

E + A


TLS = Transport Layer Security

Contains lots of options for cryptographic implementation of these: negotiated crypto suite, compatibility and exportability. Example:

1. Establish shared key with authenticated D-H.

2. Encrypt + Authenticate with AES128 + SHA_1-based MAC.

E + A


Trouble:

SSL Certificates

1) technical side


Is TLS Secure?

Should be…

Oops, most current implementations are insecure, as it seems, due to issues with X.509 certificates, as shown at Black Hat 2009 (July 2009).


Trouble:

SSL Certificates

2) human and practical side


Main Certificate Errors

• Expired certificate:
  – OK if the key sizes are OK and the key was not revoked or compromised.
• Self-signed certificate:
  – The certificate's issuer is itself.
    • common in test servers, and on intranets.
    • Banks and online businesses should never use it.
• Incomplete certificate chain:
  – can be OK, information missing to connect.
• Domain mismatch:
  – can be OK after inspection, example:
    • gmail.com redirected to mail.google.com


Main Weakness of SSL

People ignore warnings, say YES.

A study by Carnegie Mellon University, 409 participants. The researchers found that the majority of respondents would ignore warnings about an expired SSL certificate.

– MOREOVER: The more tech-savvy the user, the more likely they would be to ignore it, the study found.

– Respondents were able to identify other risks indicated by browser certificate notifications.
  • Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard (!!!!).


Solutions?

Block completely all invalid certificates!

Yes, but not so easy: People will
• switch to a different browser,
• or hack the browser,
• or downgrade it
• etc…


Server Side:

Not a joke: frequent question on Internet forums.

Q: Does anyone know where I can get a free legitimate SSL certificate for my website? Otherwise, rather than having a SSL certificate on the site, is there some sort of JAVA code which makes the site look secure?

Any comments?


Has Been Done

Cut-&-paste attacks with JAVA, Serge LEFRANC and David NACCACHE, in ICISC 2002
http://citeseer.ist.psu.edu/old/737003.html

This paper describes malicious applets that use Java's sophisticated graphic features to rectify the browser's padlock area and cover the address bar with a false https domain name. The attack was successfully tested on Netscape's Navigator and Microsoft's Internet Explorer; we consequently recommend to neutralize Java whenever funds or private data transit via these browsers and patch the flaw in the coming releases.


Corrupting the CA

Emerged around 2010.
REAL certificates issued to…
• maybe the government spooks (can implement man-in-the-middle, can forge the web site, can eavesdrop?, etc…)
  – a bank can buy equipment to intercept the SSL traffic of employees…
• maybe criminals (not caught yet, no evidence yet)
• ‘somebody’ in Iran for sure…


Quiz

• What is a session key?
• What is the minimum integrity/authenticity requirement so that two computers can securely establish a private channel, by using standard public key cryptography (e.g. SSL)?
• Why do we need an authenticated Diffie-Hellman?