Posted: 13-May-2015
Category: Technology
Uploaded by: hatem-mahmoud
Network Security Applications
Agenda
▪ Introduction
▪ An Authentication Application
▪ A Web Security Standard
▪ Summary
▪ References
Introduction
Network security applications:
▪ Authentication Applications (Kerberos)
▪ Web Security Standards (SSL/TLS)
▪ Email Security
▪ IP Security
Kerberos: An Authentication Application
Overview
▪ Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks (developed at MIT)
▪ A Kerberos service on the network acts as a trusted arbitrator
▪ Kerberos lets clients authenticate to other principals (servers, or other clients) on the network and hands each pair a session key for protecting the traffic between them
The Kerberos Model
▪ Kerberos keeps a database of clients and their secret keys
▪ Services requiring authentication, as well as their clients, register their secret keys with Kerberos
▪ Kerberos creates a shared session key and gives it to the client and the server (or to two clients) to encrypt the messages between them
▪ Kerberos originally used DES for encryption; Version 5 is not tied to one cipher, and current implementations use AES-based encryption types
▪ Kerberos Version 4 used a nonstandard DES mode (PCBC, propagating CBC) that proved weak
▪ Kerberos Version 5 uses standard CBC mode
How Kerberos Works
1. The client asks Kerberos (the Authentication Server) for a ticket for the TGS (Ticket-Granting Service)
2. Kerberos replies with a ticket-granting ticket, sealed under the TGS's secret key, together with a client/TGS session key; the reply is encrypted in the client's secret key, which is derived from the user's password
3. To use a particular service, the client presents the ticket-granting ticket to the TGS and asks for a ticket for that service
4. The TGS issues a ticket for the service, encrypted with the server's secret key, and returns it with a client/server session key, protected by the client/TGS session key
- The server decrypts the ticket with its own key and uses it to check that the presenter is the client to whom the ticket was issued
- The client can use the ticket multiple times to access the server until the ticket expires
5. The client presents the ticket to the server together with an authenticator (the client's name and a timestamp, encrypted with the shared session key)
- Unlike a ticket, an authenticator is meant to be used only once
- The client can generate authenticators as needed, because it holds the shared session key
6. If the credentials (ticket + authenticator) are correct, the server grants access to the service
[Figure: Kerberos message flow between Client, Kerberos, TGS and Server, steps 1 to 5]
Security of Kerberos
▪ It may be possible to cache and replay old authenticators. Timestamps limit this, but a replay still succeeds within the permitted clock skew (or the ticket lifetime, in Version 4) unless the server keeps a replay cache of recently accepted authenticators, as Version 5 servers do
▪ Authenticators assume all clocks in the network are synchronized. If a host is fooled about the correct time, an old authenticator can be replayed
▪ Password-guessing attacks: an intruder can collect the initial Kerberos replies, which are encrypted under a key derived from the user's password, and try candidate passwords offline until one decrypts them. The average user does not usually choose good passwords
▪ Malicious software: Kerberos relies on its software being trustworthy. An attacker who can replace the client's Kerberos software with a version that records passwords defeats the protocol entirely
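The six-step exchange, the authenticator replay and the password-guessing attack described in this section, worked through in Python as an added example (not code from the slides, from MIT Kerberos or from any other implementation). The encryption and key derivation are constructed stand-ins for the Kerberos encryption types, the KDC holds the Authentication Server and the TGS in one object, and the principal names, lifetimes and wordlist are assumed values:

```python
import hashlib, hmac, json, os, time

# Toy Kerberos: Authentication Server and TGS in one KDC, plus a client and a service. Encryption is
# a constructed stand-in (HMAC-SHA256 keystream + HMAC tag), not a Kerberos encryption type;
# "alice", "imap/mail", the lifetimes and the wordlist are assumed values.

def string_to_key(password, principal):
    # Stand-in for Kerberos string-to-key: the client's long-term key comes from its password.
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()
def _stream(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, obj):
    # Encrypt-then-MAC a small JSON structure (ticket, authenticator or KDC reply).
    nonce = os.urandom(16)
    ct = _stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_stream(key, nonce, ct))

class KDC:
    def __init__(self):
        self.db = {"krbtgt": os.urandom(32)}        # principal -> secret key (the Kerberos database)

    def as_exchange(self, client, lifetime=300):
        # Steps 1-2: TGT sealed under the TGS key; the reply carrying the client/TGS session key
        # is sealed under the client's password-derived key (no preauthentication here).
        sk = os.urandom(32)
        tgt = seal(self.db["krbtgt"], {"client": client, "key": sk.hex(), "expires": time.time() + lifetime})
        return seal(self.db[client], {"session_key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, lifetime=300):
        # Steps 3-4: service ticket sealed under the service's key, returned under the TGS session key.
        t = unseal(self.db["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        if unseal(sk, authenticator)["client"] != t["client"] or time.time() > t["expires"]:
            raise PermissionError("TGT expired or authenticator does not match")
        svc_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_key.hex(), "expires": time.time() + lifetime})
        return seal(sk, {"service_key": svc_key.hex(), "ticket": ticket.hex()})

class Service:
    def __init__(self, name, key, max_skew=300):
        self.name, self.key, self.max_skew = name, key, max_skew
        self.replay_cache = set()                    # authenticators already accepted

    def accept(self, ticket, authenticator, now=None):
        # Steps 5-6: the ticket is reusable until it expires; the authenticator must be inside the
        # clock-skew window and is accepted once only, which is what defeats a cached replay.
        now = time.time() if now is None else now
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            return "denied: ticket expired"
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"]:
            return "denied: authenticator does not match ticket"
        if abs(now - a["ctime"]) > self.max_skew:
            return "denied: authenticator outside clock-skew window"
        seen = (a["client"], a["ctime"], a["cusec"])
        if seen in self.replay_cache:
            return "denied: replayed authenticator"
        self.replay_cache.add(seen)
        return "ok: " + t["client"]

def make_authenticator(session_key, client, ctime=None):
    # cusec stands in for the microsecond field that keeps two authenticators distinct.
    return seal(session_key, {"client": client, "ctime": time.time() if ctime is None else ctime,
                              "cusec": int.from_bytes(os.urandom(3), "big")})
def kerberos_login(kdc, service, user, password):
    """Client side of the whole exchange: (service verdict, ticket, authenticator, service session key)."""
    rep = unseal(string_to_key(password, user), kdc.as_exchange(user))   # wrong password -> ValueError
    tgs_key, tgt = bytes.fromhex(rep["session_key"]), bytes.fromhex(rep["tgt"])
    rep2 = unseal(tgs_key, kdc.tgs_exchange(tgt, make_authenticator(tgs_key, user), service.name))
    svc_key, ticket = bytes.fromhex(rep2["service_key"]), bytes.fromhex(rep2["ticket"])
    auth = make_authenticator(svc_key, user)
    return service.accept(ticket, auth), ticket, auth, svc_key
def guess_password(as_reply, user, wordlist):
    # Password guessing: a captured AS reply is an offline oracle for the user's key.
    for cand in wordlist:
        try:
            unseal(string_to_key(cand, user), as_reply)
            return cand
        except ValueError:
            pass
    return None

def demo():
    kdc, svc = KDC(), Service("imap/mail", os.urandom(32))
    kdc.db["alice"], kdc.db[svc.name] = string_to_key("correct horse", "alice"), svc.key
    verdict, ticket, auth, skey = kerberos_login(kdc, svc, "alice", "correct horse")
    return {
        "login": verdict,
        "replay": svc.accept(ticket, auth),                                 # same authenticator again
        "reuse_ticket": svc.accept(ticket, make_authenticator(skey, "alice")),
        "stale_clock": svc.accept(ticket, make_authenticator(skey, "alice", time.time() - 3600)),
        "guessed": guess_password(kdc.as_exchange("alice"), "alice", ["password", "letmein", "correct horse"]),
    }
```

Calling `demo()` shows the four behaviours the slides describe: the login succeeds, presenting the same authenticator a second time is refused by the replay cache, a fresh authenticator reuses the ticket, an authenticator whose timestamp is an hour off is refused for clock skew, and the captured AS reply lets an attacker test password guesses offline with no further contact with the KDC, which is why weak passwords are fatal in this design.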
▪ Later enhancements to Kerberos include public-key cryptography for the initial authentication (PKINIT in Version 5) and a smart-card interface for key management
SSL/TLS: A Web Security Standard
Overview
Web security threats:
▪ Location
  ● Server or client (system security)
  ● Network traffic (web security)
▪ Type
  ● Passive attacks
  ● Active attacks
▪ Passive attacks include eavesdropping on network traffic between browser and server, gaining access to restricted information on a website, etc.
▪ Active attacks include impersonating another user, altering messages in transit, altering information on a website, etc.
▪ Netscape originated SSL (Secure Sockets Layer) to provide a reliable, secure service on top of TCP
▪ TLS (Transport Layer Security) is the Internet standard (IETF) version of SSL
▪ TLS 1.0 is very similar to SSLv3 and identifies itself as version 3.1 on the wire
Connections and Sessions
▪ A connection is a transport (in the OSI sense) that provides a suitable type of service; connections are transient and each one is associated with a session
▪ A session is an association between a client and a server, created by the Handshake Protocol
▪ A session defines a set of cryptographic security parameters that can be shared among multiple connections, which avoids a full handshake for each connection
▪ A number of states are associated with each connection: current read and write states, and pending read and write states
▪ During the handshake, the pending read and write states are created
▪ Upon successful conclusion of the handshake (at the Change Cipher Spec message), the pending states become the current states
SSL Architecture
▪ Layer 1 (provides basic security services to higher-layer protocols such as HTTP):
  ● Record Protocol
▪ Layer 2 (manages SSL exchanges):
  ● Handshake Protocol
  ● Change Cipher Spec Protocol
  ● Alert Protocol
[Figure: SSL Architecture]
1. Record Protocol
Provides:
▪ Confidentiality: a shared secret key is used for encryption
▪ Message Integrity: a shared secret key is used to form a MAC (message authentication code)
1) Fragments application data into blocks of at most 2^14 bytes
2) Compresses the data (optional)
3) Applies a MAC over the sequence number, content type, length and the (compressed) fragment
4) Encrypts the fragment plus MAC with the negotiated symmetric cipher, such as AES (RC4 was also common, but is now prohibited for TLS by RFC 7465)
5) Adds a header (content type, SSL/TLS version, length)
6) Transmits in a TCP segment
Received data are:
1)Decrypted
2)Verified
3)Decompressed
4)Reassembled
5)Delivered to higher levels
[Figure: Record Protocol operation]
2. Handshake Protocol
▪ Used before any application data is transmitted
▪ Allows the server and client to authenticate each other and agree on keys through a series of messages
▪ Each message has:
  ● Type: one of 10 types
  ● Length: length in bytes
  ● Content: session id, version, hash, etc.
[Figures: Handshake Protocol message exchange]
3. Change Cipher Spec
▪ Consists of a single message, which consists of a single byte with the value 1
▪ Copies the pending state into the current state, which updates the cipher suite to be used on this connection
4. Alert Protocol
▪ Conveys SSL-related alert messages
▪ Each message consists of two bytes:
  ● Severity: Warning (1), e.g. certificate_expired; or Fatal (2), which terminates the connection, e.g. handshake_failure, bad_record_mac
  ● Code: the specific alert
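The record-layer pipeline (fragment, MAC, encrypt, add header on send; decrypt, verify, reassemble on receipt), the Change Cipher Spec switch from the pending to the current state, and a fatal bad_record_mac alert, as an added Python example that is not code from the slides or from any SSL/TLS implementation. The cipher is a constructed HMAC-SHA256 keystream standing in for the negotiated cipher suite, the keys are handed to both ends directly in place of the handshake's key derivation, compression is skipped, and the MAC input follows the TLS 1.0 layout:

```python
import hashlib, hmac, struct

# Toy TLS-style record layer with pending/current cipher states and alerts. The "cipher" is a
# constructed HMAC-SHA256 keystream standing in for a real cipher suite, and the keys are handed
# to both ends directly instead of being derived by the handshake's PRF. No compression.

MAX_FRAGMENT = 2 ** 14                         # fragmentation limit of the record layer
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_APPLICATION_DATA = 20, 21, 23
ALERT_WARNING, ALERT_FATAL, BAD_RECORD_MAC = 1, 2, 20
VERSION = (3, 1)                               # TLS 1.0 is "SSL 3.1" on the wire

class BadRecordMAC(Exception):
    pass

class CipherState:
    """Negotiated keys plus the per-direction sequence number that feeds the MAC."""
    def __init__(self, mac_key, enc_key):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0
    def _mac(self, ctype, fragment):
        # TLS 1.0 MAC input: seq_num || type || version || length || fragment
        hdr = struct.pack("!QBBBH", self.seq, ctype, *VERSION, len(fragment))
        return hmac.new(self.mac_key, hdr + fragment, hashlib.sha256).digest()
    def _crypt(self, data):
        # Stand-in keystream bound to the sequence number (a real suite would use AES-CBC etc.).
        ks = b"".join(hmac.new(self.enc_key, struct.pack("!QI", self.seq, i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, ks))
    def protect(self, ctype, fragment):
        # MAC-then-encrypt, as in SSL 3.0 and TLS 1.0 to 1.2.
        out = self._crypt(fragment + self._mac(ctype, fragment))
        self.seq += 1
        return out
    def unprotect(self, ctype, payload):
        plain = self._crypt(payload)
        fragment, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, self._mac(ctype, fragment)):
            raise BadRecordMAC()
        self.seq += 1
        return fragment

class Endpoint:
    def __init__(self):
        self.write = self.read = None                    # null cipher until ChangeCipherSpec
        self.pending_write = self.pending_read = None    # created during the handshake

    def negotiate(self, write_keys, read_keys):
        self.pending_write, self.pending_read = CipherState(*write_keys), CipherState(*read_keys)

    def change_cipher_spec(self):
        # The single-byte CCS message goes out under the old spec; then pending write becomes current.
        record = self.send(CT_CHANGE_CIPHER_SPEC, b"\x01")[0]
        self.write = self.pending_write
        return record

    def send(self, ctype, data):
        # Sender path: fragment, MAC, encrypt, add header (type, version, length).
        records = []
        for i in range(0, max(len(data), 1), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            payload = frag if self.write is None else self.write.protect(ctype, frag)
            records.append(struct.pack("!BBBH", ctype, *VERSION, len(payload)) + payload)
        return records

    def receive(self, record):
        # Receiver path for one record: parse header, decrypt, verify MAC.
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        payload = record[5:5 + length]
        fragment = payload if self.read is None else self.read.unprotect(ctype, payload)
        if ctype == CT_CHANGE_CIPHER_SPEC:
            self.read = self.pending_read                # peer's pending write is now our current read
        return ctype, fragment

def deliver(receiver, records):
    """Reassemble application data; on a MAC failure answer with a fatal bad_record_mac alert."""
    out = bytearray()
    for rec in records:
        try:
            ctype, fragment = receiver.receive(rec)
        except BadRecordMAC:
            return None, receiver.send(CT_ALERT, bytes([ALERT_FATAL, BAD_RECORD_MAC]))[0]
        if ctype == CT_APPLICATION_DATA:
            out += fragment
    return bytes(out), None

def demo(tamper=False):
    client, server = Endpoint(), Endpoint()
    c2s = (b"client-write-mac-key", b"client-write-enc-key")   # constructed keys (PRF output stand-in)
    s2c = (b"server-write-mac-key", b"server-write-enc-key")
    client.negotiate(write_keys=c2s, read_keys=s2c)
    server.negotiate(write_keys=s2c, read_keys=c2s)
    server.receive(client.change_cipher_spec())                 # both directions switch cipher spec
    client.receive(server.change_cipher_spec())
    msg = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n" + b"A" * 20000   # spans two records
    records = client.send(CT_APPLICATION_DATA, msg)
    if tamper:                                                  # active attacker flips one ciphertext bit
        records[0] = records[0][:100] + bytes([records[0][100] ^ 1]) + records[0][101:]
    data, alert = deliver(server, records)
    alert_body = client.receive(alert)[1] if alert else None    # (severity, code) = (2, 20)
    return len(records), data == msg, alert_body
```

`demo()` sends 20 KB of application data as two records that the server decrypts and reassembles; `demo(tamper=True)` flips one ciphertext bit and the server, instead of data, answers with an encrypted two-byte alert whose severity is Fatal (2) and whose code is bad_record_mac (20). The sequence number inside the MAC is what stops an attacker from reordering or replaying otherwise valid records.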
[Figure: SSL Protocols]
TLS vs SSLv3
Differences include:
▪ Version number: 3.1 for TLS 1.0 (later TLS versions continue the 3.x numbering) vs 3.0 for SSLv3
▪ MAC algorithm: TLS uses the standard HMAC; SSLv3 uses an earlier keyed-hash construction
▪ Pseudorandom function for key generation and validation: TLS defines an HMAC-based PRF
▪ Alert codes: TLS adds several and drops SSLv3's no_certificate
Summary
▪ Kerberos is a trusted third-party authentication protocol that enables clients and servers to establish authenticated communication
▪ SSL provides security services between TCP and applications that use TCP
▪ TLS is the Internet standard version
▪ SSL/TLS provides confidentiality using symmetric encryption and message integrity using a MAC
▪ SSL/TLS enables two TCP users to determine the security mechanisms and services they will use
References
▪ William Stallings, Cryptography and Network Security: Principles and Practice, 4th Edition
▪ Bruce Schneier, Applied Cryptography, 2nd Edition