Communication Security

Date post: 23-Feb-2016
Upload: jimbo

Introduction

•As long as data is within a machine, you can place a reference monitor as a guard and rely for protection on classic measures from computer security.

•However, when data leaves the machine, protection has to be extended along the connection link to the next safe place. This is the task of communication security.

•Cryptography plays an important role in implementing communication security services.

Introduction

•Computer networks are the communication infrastructure for transmitting data between nodes in a distributed system.

•Network protocols have to find a route from sender to receiver, deal with the loss or corruption of data, and also with the loss of connections.

•The ISO/OSI security architecture defines security services to combat communication security threats.

•Security services are implemented by security mechanisms. These mechanisms are mostly cryptographic (e.g. encryption, digital signatures, MACs, integrity check functions, etc.).

Threat Model

•We assume that the attacker has access to the communication link between the end points, and that messages can be seen and modified by anyone.

•The job of a communication security service is done once data has been delivered to an end point.

•The attacker can be passive or active.

Threat Model

•A passive attacker just listens to traffic.

•When the attacker is interested in the content of messages, we talk about eavesdropping, wiretapping, or sniffing.

•Traffic analysis: identifying communication patterns (even if the captured messages are not readable), linking messages, finding the communicating parties' identities and/or locations, etc.

Threat Model

•An active attacker may modify messages, insert new messages, or corrupt network management information such as the mapping between DNS names and IP addresses.

•In spoofing attacks, messages come with forged sender addresses.

•In flooding attacks, a large number of messages is directed at the victim.

•Active attacks are not necessarily more difficult to mount than passive attacks. For example, in practice it is much easier to send an email with a forged sender address than to intercept email meant for someone else.

Secure Tunnels

•A secure tunnel (channel) is a secure logical connection between two end points that crosses an insecure network.

•Secure tunnels typically provide confidentiality, data integrity, and data origin authentication.

•End points may be machines or services on the local computer

•Secure tunnels do not provide security services once data is received.

Secure Tunnels

•Secure tunnels are built using the following steps:

1. Secret establishment: an authenticated key establishment protocol establishes a fresh, shared secret between the end points. This happens after entity authentication (unilateral or mutual).

2. Key derivation: symmetric keys for encryption and MACs are derived from the shared secret.

3. Traffic protection: via encryption and MACs.

•Expensive asymmetric cryptography is only used for entity authentication and key establishment.

•Keyed pseudo-random functions (e.g. hash functions) are used for key derivation.

•Non-cryptographic mechanisms (e.g. nonces, time stamps, sequence numbers, etc.) are used to assure freshness in entity authentication and to prevent replay attacks.

•Fast re-keying is usually supported.
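
Steps 2 and 3 above, as an added example that is not part of the original slides: both ends derive keys from the established secret with HKDF (HMAC-SHA-256 as the keyed pseudo-random function), and every record carries a MAC and a sequence number so that modified or replayed records are rejected. The secret, nonces, labels and the `TunnelEnd` class are assumptions made for the illustration; the encryption step is left out because the Python standard library has no cipher.

```python
import hashlib
import hmac
import struct

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_key(shared_secret: bytes, nonce_a: bytes, nonce_b: bytes, label: bytes) -> bytes:
    """HKDF (RFC 5869), one output block: extract with the nonces as salt, then expand."""
    prk = prf(nonce_a + nonce_b, shared_secret)  # fresh nonces give fresh keys per session
    return prf(prk, label + b"\x01")             # one label per purpose keeps keys separate

class TunnelEnd:
    """One direction of traffic protection: MAC over (sequence number || payload)."""
    TAG_LEN = 32

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.send_seq = 0
        self.recv_seq = 0  # highest sequence number accepted so far

    def protect(self, payload: bytes) -> bytes:
        self.send_seq += 1
        header = struct.pack("!Q", self.send_seq)
        return header + payload + prf(self.mac_key, header + payload)

    def accept(self, record: bytes) -> bytes:
        header, payload, tag = record[:8], record[8:-self.TAG_LEN], record[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, prf(self.mac_key, header + payload)):
            raise ValueError("MAC check failed: record modified or wrong key")
        (seq,) = struct.unpack("!Q", header)
        if seq <= self.recv_seq:  # assumes in-order delivery, e.g. over TCP
            raise ValueError("replayed or out-of-date record")
        self.recv_seq = seq
        return payload

# Constructed sample values standing in for the output of step 1.
SECRET, NONCE_A, NONCE_B = b"\x11" * 32, b"nonce-from-A", b"nonce-from-B"
MAC_KEY = derive_key(SECRET, NONCE_A, NONCE_B, b"mac A->B")
ENC_KEY = derive_key(SECRET, NONCE_A, NONCE_B, b"enc A->B")  # would key the cipher
```

Re-keying in this sketch is a second call to `derive_key` with new nonces; no asymmetric operation is repeated.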

Protocol Design Principle

•The seven-layer model of the ISO/OSI architecture is a familiar framework for layering network protocols. It provides a useful abstraction for discussing network security.

•In a layered network architecture, the services are grouped in a hierarchy of layers:
o Layer N uses services of layer N-1.
o Layer N provides services to layer N+1.

Protocol Design Principle

•A communication layer is completely defined by:
o A peer protocol, which specifies how entities at layer N communicate using an (N)-protocol.
o The service interface, which specifies how adjacent layers on the same system communicate.

•Note: when talking about two adjacent layers,
o the higher layer is a service user, and
o the lower layer is a service provider.

Important:
– The communication between entities at the same layer is logical.
– The physical flow of data is vertical.

Example: Sending a Letter

Exchange of Data

•Assume a layer-N entity at A wants to send data to a layer-N peer entity at B.

•The unit of data sent between peer entities is called a Protocol Data Unit (PDU).

•What actually happens: layer N passes the PDU to layer N-1 (at A).

•The layer N-1 entity (at A) then constructs its own PDU, which it sends to the layer N-1 entity at B.

•Note: PDU at layer N-1 = Header + PDU at layer N

Layering and Encapsulation

•At the sending site, each layer adds a header to (encapsulates) the PDU from the higher layer.

•At the receiving site, the headers are removed by the corresponding layers.

The Internet Protocol Stack

•The Internet protocol stack (TCP/IP) has four layers.

•At the application layer there are protocols such as Telnet, FTP, HTTP, Simple Mail Transfer Protocol (SMTP) or Secure Electronic Transaction (SET).

•Protocols at the transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

•At the Internet layer there is the Internet Protocol (IP).

•The link (and the physical) layer are specific to the network technology.

•TCP and UDP use port numbers to indicate the application protocol a PDU belongs to. Common port numbers are 21 (FTP), 25 (SMTP), 443 (HTTP, secure web page).

[Figure: the Internet protocol stack, showing the Application, Transport, IP/Internet and Data Link layers]

IP Security

•The Internet Protocol (IP) is a connectionless and stateless protocol that transmits IP packets (or datagrams). These are the PDUs at the Internet layer (3rd layer of the ISO/OSI model).

•Each packet is treated as an independent entity. There is no guaranteed delivery of packets, no mechanism for maintaining the order of packets, and no security protection.

•IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers at the IP layer.

•IPSec is optional for IPv4 and mandatory for IPv6.

•In both cases, the security features are implemented as extension headers that follow the main IP header.

•IPSec includes two security mechanisms:
o Authentication Header (AH).
o Encapsulating Security Payload (ESP).

Authentication Header (AH)

•The IPSec Authentication Header (AH) mechanism provides integrity and authenticity services for IP packets.

•It achieves this by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, it will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value of the message digest.

•The one-way hash also involves the use of a secret shared between the two systems, which means that authenticity can be guaranteed.

•AH can also enforce anti-replay protection by requiring that a receiving host sets the replay bit in the header to indicate that the packet has been seen.

Authentication Header (AH)

•The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit: for example, Time to Live (TTL) fields that are modified by the routers along the transmission path.

•AH works as follows:
1. The IP header and data payload are hashed.
2. The hash is used to build a new AH header, which is appended to the original packet.
3. The new packet is transmitted to the IPSec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash from the AH header, and compares the two hashes.
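
The hashing and comparison steps above, as an added example that is not part of the original slides: the integrity value is computed with the mutable IPv4 fields zeroed, so a TTL decrement by a router still verifies while a changed payload or source address does not. It is simplified to a bare 20-byte IPv4 header plus payload (the AH header's own fields are not modelled); the key, payload, HMAC-SHA-256 truncated to 16 bytes, and all function names are assumptions, and the addresses are the ones used on the NAT slides.

```python
import hashlib
import hmac
import socket
import struct

def set_checksum(header: bytes) -> bytes:
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!10H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    h[10:12] = struct.pack("!H", ~total & 0xFFFF)
    return bytes(h)

def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; protocol number 51 is AH."""
    return set_checksum(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1C46, 0,
        ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst)))

def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Keyed hash over header and payload with the mutable fields zeroed."""
    h = bytearray(header)
    h[1] = 0                # type of service
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum (changes whenever TTL does)
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:16]

def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def router_hop(header: bytes) -> bytes:
    """What every router does: decrement TTL, recompute the checksum."""
    h = bytearray(header)
    h[8] -= 1
    return set_checksum(bytes(h))

def rewrite_source(header: bytes, new_src: str) -> bytes:
    """What an address-translating router does to outbound packets."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return set_checksum(bytes(h))

# Constructed sample datagram.
KEY, PAYLOAD = b"constructed-shared-secret", b"constructed payload"
HEADER = ipv4_header("10.0.1.2", "213.168.112.3", ttl=64, payload_len=len(PAYLOAD))
ICV = ah_icv(KEY, HEADER, PAYLOAD)
```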

Encapsulating Security Payload (ESP)

•The IPSec Encapsulating Security Payload (ESP) mechanism provides confidentiality (encryption), integrity, authenticity, some replay protection, and limited traffic flow confidentiality (by defeating traffic flow analysis) for IP packets.

•An IPSec ESP packet includes:
o Security parameter index (SPI).
o Sequence number.
o Transport layer PDU (i.e. header, payload, and trailer).
o Padding.
o Pad length.
o Next header (contains the type of the transport layer PDU).
o Authentication data (contains the integrity check value, ICV).

Encapsulating Security Payload (ESP)

ESP can be used in two modes:

•Transport mode (end-to-end protection):
◦ In transport mode, the IP payload is encrypted and the original headers are left intact.
◦ The ESP header is inserted after the IP header and before the upper-layer protocol header.
◦ The upper-layer protocols are encrypted and authenticated along with the ESP header.
◦ ESP does not authenticate the IP header itself.

Encapsulating Security Payload (ESP)

•Tunnel mode (gateway-to-gateway protection):
◦ The original IP header is well protected because the entire original IP datagram is encrypted.
◦ With an ESP authentication mechanism, the original IP datagram and the ESP header are included.
◦ The new IP header is not included in the authentication.

Security Associations (SAs)

•To generate, decrypt, or verify an ESP packet a system has to know which algorithm and which key to use. This information is stored in a Security Association (SA).

•An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely.

•When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity). After deciding on the algorithms, the two devices must share session keys.

•An SA is uniquely identified by:
o An SPI.
o Source address.
o Destination address.
o Security protocol or IPSec mechanism (AH or ESP).

Security Associations (SAs)

•An SA contains:
o Algorithm identifiers.
o Keys.
o Key lifetimes.
o IVs.
o Sequence number.
o IPSec mode (transport or tunnel).

•A pair of each SA is shared between the two communicating hosts.

•The list of all active SAs is held in the Security Association Database (SAD) at each host.

•SAs can be combined for multiple levels of nesting of IPSec tunnels.

IPSec policies

•IPSec policies determine the security processing that should be applied to an IP packet:
o Which types of packets should be dropped.
o What the accepted destinations are and which encryption algorithms are allowed …

•IPSec-aware hosts have a Security Policy Database (SPD).

•The SPD is consulted for each outbound and inbound packet.

•For example, for inbound IPSec-protected packets, the search finds the entry that matches the longest SA identifier:

1. Search the SAD for a match on {SPI, destination address, source address}. If a SAD entry matches, process the inbound packet with that entry.

2. Otherwise, search the SAD for a match on {SPI, destination address}. If a SAD entry matches, process the inbound packet with that entry.

3. Otherwise, search the SAD for a match on {SPI}. If a SAD entry matches, process the inbound packet with that entry.

4. Otherwise, discard the packet and log an auditable event.
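
The four-step inbound lookup above, as an added example that is not part of the original slides: SAs are stored under the identifier they were registered with, and the search tries the most specific identifier first before discarding and logging. The class and field names, SPI values and algorithm labels are constructed for the illustration; the addresses are the ones used on the NAT slides.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    mechanism: str             # "AH" or "ESP"
    algorithm: str             # constructed label, stands in for algorithm identifiers
    mode: str                  # "transport" or "tunnel"
    dst: Optional[str] = None  # None: address is not part of this SA's identifier
    src: Optional[str] = None

class SAD:
    def __init__(self):
        self._entries = {}
        self.audit_log = []

    def add(self, sa: SecurityAssociation) -> None:
        if sa.src is not None and sa.dst is None:
            raise ValueError("a source address is only matched together with a destination")
        self._entries[(sa.spi, sa.dst, sa.src)] = sa

    def lookup_inbound(self, spi: int, dst: str, src: str) -> Optional[SecurityAssociation]:
        # Steps 1-3: {SPI, dst, src}, then {SPI, dst}, then {SPI} alone.
        for key in ((spi, dst, src), (spi, dst, None), (spi, None, None)):
            sa = self._entries.get(key)
            if sa is not None:
                return sa
        # Step 4: no SA applies, so the packet is dropped and the event recorded.
        self.audit_log.append(f"discard: no SA for spi=0x{spi:08x} dst={dst} src={src}")
        return None

def build_sample_sad() -> SAD:
    """Constructed database: two SAs share an SPI and differ only in specificity."""
    sad = SAD()
    sad.add(SecurityAssociation(0x1001, "ESP", "alg-A", "tunnel",
                                dst="128.143.71.21", src="213.168.112.3"))
    sad.add(SecurityAssociation(0x1001, "ESP", "alg-B", "tunnel", dst="128.143.71.21"))
    sad.add(SecurityAssociation(0x2002, "AH", "alg-C", "transport"))
    return sad
```

A packet that carries a known SPI but the wrong destination still falls through to step 4, because the SPI-only key exists only for SAs registered without addresses.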

Network Address Translation (NAT)

•Network Address Translation (NAT) was invented in order to cope with the shortage of IPv4 (32-bit) addresses.

•NAT maps private IP addresses to routable addresses in the public network using IPSec ESP tunnel mode.

•NAT does not work with the AH IPSec mechanism because the IP header is included in the authenticated hash.

[Figure: hosts H1 to H4 in two private networks (both labelled "Private network 1", addresses 10.0.1.1, 10.0.1.2 and 10.0.1.3) behind routers R1 and R2, and host H5 on the Internet; public addresses shown: 213.168.112.3, 128.195.4.119, 128.143.71.21]

Network Address Translation (NAT)

•NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network.

•NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.

•NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.

Basic operation of NAT

The NAT device has an address translation table.

[Figure: host H1 (private address 10.0.1.2) in the private network, the NAT device (public address 128.143.71.21), and host H5 (public address 213.168.112.3) on the Internet]

Outbound packet, private network side: Source = 10.0.1.2, Destination = 213.168.112.3
Outbound packet, Internet side: Source = 128.143.71.21, Destination = 213.168.112.3
Inbound packet, Internet side: Source = 213.168.112.3, Destination = 128.143.71.21
Inbound packet, private network side: Source = 213.168.112.3, Destination = 10.0.1.2

Translation table:
Private Address | Public Address
10.0.1.2 | 128.143.71.21

Port Address Translation (PAT)

•A single public IP address is mapped to multiple hosts in a private network by applying different port addresses in the TCP or UDP header.

[Figure: hosts H1 (private address 10.0.1.2) and H2 (private address 10.0.1.3) in the private network, and the NAT device (128.143.71.21) facing the Internet]

Packet from H1, private network side: Source = 10.0.1.2, Source port = 2001
Packet from H1, Internet side: Source = 128.143.71.21, Source port = 2100
Packet from H2, private network side: Source = 10.0.1.3, Source port = 3020
Packet from H2, Internet side: Source = 128.143.71.21, Destination = 4444

Translation table:
Private Address | Public Address
10.0.1.2/2001 | 128.143.71.21/2100
10.0.1.3/3020 | 128.143.71.21/4444

Secure Socket Layer and Transport Layer Security protocol

•The Internet transport layer supports TCP, which is a stateful (connection-oriented) protocol that detects when packets are lost or arrive out of order, and discards repeated data.

•However, TCP lacks integrity and confidentiality.

•These services can be provided using the Secure Socket Layer (SSL) protocol, which was originally developed by Netscape.

•The Transport Layer Security (TLS) protocol is almost identical with SSLv3, so successor versions are now known as SSL/TLS.

•Today, SSL/TLS is the most widely used Internet security protocol, supported by all major web browsers.

•SSL sits between the application layer and TCP.

[Figure: protocol stack with SSL placed between the Application and Transport layers, above IP/Internet and Data Link]

SSL and TLS

•The SSL session state contains the information required for the execution of the cryptographic algorithms, such as the session identifier, shared secret key, certificate, random values used by the protocol, etc.

•Session: an association between a client and a server which defines a set of cryptographic security parameters that can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

•SSL/TLS has two components:

•Record Layer: takes blocks from an upper layer protocol (application layer), fragments them into SSL/TLS plaintext records, and then applies the cryptographic transformation defined by the ‘cipher spec’ in the current session state.

SSL and TLS

•Handshake Layer: sets up the cryptographic parameters of the session state, as follows (self-study):

1. Client → Server: ClientHello

2. Server → Client: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone

3. Client → Server: [Certificate], [ClientKeyExchange], [CertificateVerify], ChangeCipherSpec, Finished

4. Server → Client: ChangeCipherSpec, Finished

Reading

“Computer Security”, 3rd edition, by Dieter Gollmann. Wiley, March 2011.

Chapter 16
