Network Security Protocols
<ul><li>Computers A & B communicate across the Internet </li></ul><ul><li>Exposure to eavesdropping, imposters, DoS </li><...
<ul><li>Computers A and B have gateways interposed between their internal network and Internet </li></ul><ul><li>Gateway c...
<ul><li>Mobile host needs access to internal network </li></ul><ul><li>Gateway must provide user with access while barring...
<ul><li>Firewalls can operate at different layers </li></ul><ul><ul><li>IP-layer filtering cannot operate on payload conte...
<ul><li>Security Services can be provided at different layers of the protocol stack </li></ul><ul><li>Data Link Layer secu...
. <ul><li>IPsec defined in RFCs 2401, 2402, 2406 </li></ul><ul><li>Provides authentication, integrity, confidentiality, an...
<ul><li>A  Security Association (SA)  is a logical simplex connection between two network-layer entities </li></ul><ul><li...
<ul><li>Integrity can be ascertained by sending a  cryptographic checksum  or  hash  of message </li></ul><ul><li>Authenti...
<ul><li>Inserted between regular header & payload </li></ul><ul><li>Packet header contains field indicating presence of au...
<ul><li>A tunnel can be created by encapsulating a packet within another packet </li></ul><ul><ul><li>Inner packet header ...
<ul><li>Privacy requires encryption of message </li></ul><ul><li>Encryption header identifies security association & seque...
<ul><li>In tunnel mode, entire original packet is encrypted and unreadable to eavesdroppers </li></ul><ul><ul><li>All orig...
<ul><li>To setup security association, computers must: </li></ul><ul><ul><li>Agree on security services that will be provi...
Initiator Host Contains C i Proposes Security Association options Contains C i  & C r Selects SA options Select random # C...
Initiator Host T=g x  mod p Nonce N i Initiate Diffie-Hellman exchange Check responder cookie, discard if not valid;  If v...
Initiator Host Prepare signature based on SKEYID, T, R, C i , C r , the SA field, initiator ID SKEYID, T, R, C i , C r , S...
<ul><li>SKEYID for authentication, based on: </li></ul><ul><ul><li>Shared key that results from Diffie-Hellman  </li></ul>...
<ul><li>Authentication header (AH) placed after headers that are examined at every hop </li></ul><ul><li>Presence of AH in...
<ul><li>Format used in IPv4 and IPv6 </li></ul><ul><li>Next Header  indicates next payload after AH </li></ul><ul><li>Leng...
<ul><li>ESP provides: </li></ul><ul><ul><li>Integrity & authentication service </li></ul></ul><ul><ul><li>Privacy service ...
<ul><li>Authenticated coverage from SPI until next header field </li></ul><ul><li>Encrypted coverage from payload data fie...
<ul><li>SSL developed by Netscape Communications </li></ul><ul><ul><li>Operates on top of TCP </li></ul></ul><ul><ul><li>P...
<ul><li>TLS protocols operate at two layers </li></ul><ul><li>TLS Record Protocol  operates on top of TCP </li></ul><ul><l...
<ul><li>TLS Record protocol provides </li></ul><ul><ul><li>Privacy service through secret key encryption </li></ul></ul><u...
<ul><li>TLS Handshake protocol used by client & server </li></ul><ul><ul><li>Negotiate protocol version, encryption algori...
Request connection Includes: Version #; Time & date; Session ID (if resuming); Ciphersuite (combinations of key exchange, ...
Client’s part of key agreement: Diffie-Hellman g y ; RSA, random #s Change Cipher protocol message notifies server that su...
Notify client that subsequent records protected under new CipherSpec & keys Client changes CipherSpec Hash using new Ciphe...
Server requests certificate if client needs to be authenticated Client sends suitable certificate  If server finds certifi...
Transcript of "Network Security"

  1. 1. Note 11: Network Security
  2. 2. <ul><li>The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. </li></ul><ul><li> — The Art of War, Sun Tzu </li></ul>
  3. 3. <ul><li>Network Security Threats </li></ul><ul><li>Security and Cryptography </li></ul><ul><li>Network Security Protocols </li></ul><ul><li>Cryptographic Algorithms </li></ul>
  4. 4. <ul><li>What is information security? </li></ul><ul><ul><li>Keeping information secure against theft, alteration, destruction and forgery </li></ul></ul><ul><ul><li>Traditionally provided by physical means (e.g., cabinets with locks) and administrative means (e.g., personnel screening procedures) </li></ul></ul><ul><li>Information security requirements have changed dramatically in the last several decades </li></ul><ul><ul><li>Growing computer use requires automated tools to protect files and other stored information </li></ul></ul><ul><ul><li>Growing use of networks and communications links requires measures to protect data during transmission </li></ul></ul>
  5. 5. <ul><li>Computer security </li></ul><ul><ul><li>the generic name for the collection of tools designed to protect data and to thwart hackers </li></ul></ul><ul><li>Network security </li></ul><ul><ul><li>measures to protect data during their transmission </li></ul></ul><ul><li>Internet security </li></ul><ul><ul><li>measures to protect data during their transmission over a collection of interconnected networks </li></ul></ul><ul><li>Note: boundaries among these definitions are blurred </li></ul>
  6. 6. <ul><li>Our focus is on Network Security (Internet & Wireless Network Security) </li></ul><ul><li>This consists of measures to deter, prevent, detect, and correct security violations that involve the transmission & storage of information </li></ul>
  7. 7. <ul><li>Network Security Threats </li></ul><ul><ul><li>Eavesdropping, man-in-the-middle, client and server imposters </li></ul></ul><ul><ul><li>Denial of Service attacks </li></ul></ul><ul><ul><li>Viruses, worms, and other malicious code </li></ul></ul><ul><li>Network Security Requirements </li></ul><ul><ul><li>Privacy, Integrity, Authentication, Non-Repudiation, Availability </li></ul></ul><ul><li>Countermeasures </li></ul><ul><ul><li>Communication channel security </li></ul></ul><ul><ul><li>Border security </li></ul></ul>
  8. 8. <ul><li>Information transmitted over a network can be observed and recorded by eavesdroppers (using a packet sniffer) </li></ul><ul><li>Information can be replayed in attempts to access the server </li></ul>[Diagram: client sends a request to the server and receives a response; the eavesdropper records the request and later replays it]
  9. 9. <ul><li>Imposters attempt to gain unauthorized access to a server </li></ul><ul><ul><li>e.g., a bank account or a database of personal records </li></ul></ul><ul><ul><li>For example, in IP spoofing the imposter sends packets with a false source IP address </li></ul></ul>[Diagram: imposter sends requests to the server in place of the client]
  10. 10. <ul><li>Attacker can flood a server with requests, overloading the server resources </li></ul><ul><ul><li>Results in denial of service to legitimate clients </li></ul></ul><ul><li>Distributed denial of service attack on a server involves a coordinated attack from multiple (usually hijacked) computers </li></ul>[Diagram: attacker floods the server with requests]
  11. 11. <ul><li>An imposter impersonates a legitimate server to gain sensitive information from a client </li></ul><ul><ul><li>E.g. bank account number and associated user password </li></ul></ul>[Diagram: imposter answers the client in place of the legitimate server]
  12. 12. <ul><li>An imposter manages to place itself as the man in the middle </li></ul><ul><ul><li>convincing the server that it is the legitimate client </li></ul></ul><ul><ul><li>convincing the legitimate client that it is the legitimate server </li></ul></ul><ul><ul><li>gathering sensitive information and possibly hijacking the session </li></ul></ul>[Diagram: man in the middle relays traffic between client and server]
  13. 13. <ul><li>A client becomes infected with malicious code </li></ul><ul><ul><li>Opening attachments in email messages </li></ul></ul><ul><ul><li>Executing code from bulletin boards or other sources </li></ul></ul><ul><li>Virus: code that, when executed, inserts itself in other programs </li></ul><ul><li>Worms: code that installs copies of itself in other machines attached to a network </li></ul><ul><li>Many variations of malicious code </li></ul>[Diagram: client, server, imposter]
  14. 14. <ul><li>Trojan horse </li></ul><ul><ul><li>A program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect </li></ul></ul><ul><li>Virus </li></ul><ul><ul><li>A set of instructions that inserts copies of itself into other programs </li></ul></ul><ul><li>Worm </li></ul><ul><ul><li>A program that replicates itself on other machines across a network </li></ul></ul><ul><li>Bacteria/rabbit </li></ul><ul><ul><li>A free-standing program that absorbs all of some class of resource </li></ul></ul><ul><li>Trapdoor </li></ul><ul><ul><li>An undocumented entry point in a program </li></ul></ul><ul><li>Logic bomb </li></ul><ul><ul><li>A program that performs an action when some external event occurs </li></ul></ul><ul><li>Zombie </li></ul><ul><ul><li>Malicious instructions on compromised machines used to launch attacks </li></ul></ul>
  15. 15. <ul><li>Written by bad guys (except the trapdoor) </li></ul><ul><li>A virus can be installed in just about any program </li></ul><ul><ul><li>Jump x </li></ul></ul><ul><li>Original infection </li></ul><ul><ul><li>Running a single infected program </li></ul></ul><ul><li>The halting problem </li></ul><ul><ul><li>It is impossible in general to tell what an arbitrary program will do by looking at it. -- Nobody looks. </li></ul></ul>
  16. 16. <ul><li>Floppy or CD-R, CD-RW </li></ul><ul><li>Email </li></ul><ul><li>Resource sharing </li></ul><ul><li>Log into the other machine </li></ul><ul><li>Mobile programs </li></ul><ul><li>Program bugs </li></ul><ul><li>Buffer overflow </li></ul>
  17. 17. <ul><li>Operating System: resource access control </li></ul><ul><li>Virus Checker: instruction patterns, file lengths or digests </li></ul><ul><li>Software Patch: bug fixes </li></ul><ul><li>Intrusion Detection: host intrusion detection, network intrusion detection </li></ul><ul><li>Firewall: filter unwanted/unauthorized traffic </li></ul>
  18. 18. <ul><li>Don’t run software from suspicious sources </li></ul><ul><li>Frequently run virus checkers </li></ul><ul><li>Try to run programs in the most limited possible environments </li></ul><ul><li>Do frequent backups, and save old backups for a long time </li></ul><ul><li>Don’t boot off floppies </li></ul>
  19. 19. <ul><li>Security threats motivate the following requirements: </li></ul><ul><li>Privacy : information should be readable only by intended recipient </li></ul><ul><li>Integrity : recipient can confirm that a message has not been altered during transmission </li></ul><ul><li>Authentication : it is possible to verify that sender or receiver is who he claims to be </li></ul><ul><li>Non-repudiation : sender cannot deny having sent a given message. </li></ul><ul><li>Availability : information and services should be available whenever needed </li></ul>
  20. 20. <ul><li>Secure communication channels </li></ul><ul><li>Encryption </li></ul><ul><li>Cryptographic checksums and hashes </li></ul><ul><li>Authentication </li></ul><ul><li>Digital Signatures </li></ul>
  21. 21. <ul><li>Secure borders </li></ul><ul><li>Firewalls </li></ul><ul><li>Virus checking </li></ul><ul><li>Intrusion detection </li></ul><ul><li>Authentication </li></ul><ul><li>Access Control </li></ul>
  22. 22. Security and Cryptography
  23. 23. <ul><li>Encryption : transformation of plaintext message into encrypted (and unreadable) message called ciphertext </li></ul><ul><li>Decryption : recovery of plaintext from ciphertext </li></ul><ul><li>Cipher : algorithm for encryption & decryption </li></ul><ul><li>A key is required to perform encryption & decryption </li></ul>
  24. 24. <ul><li>Substitution Cipher: Map each letter or numeral into another letter or numeral: </li></ul><ul><ul><li>a b c d e f g h i j k l m n o p q r s t u v w x y z </li></ul></ul><ul><ul><li>z y x w v u t s r q p o n m l k j i h g f e d c b a </li></ul></ul><ul><li>Example: </li></ul><ul><ul><li>security → hvxfirgb </li></ul></ul><ul><li>Substitution ciphers are easy to break </li></ul><ul><ul><li>Take a histogram of the frequency of occurrence of letters in a ciphertext message </li></ul></ul><ul><ul><li>Match to known frequencies of letters </li></ul></ul>
  25. 25. <ul><li>Transposition Cipher: Rearrange the order of letters/numerals in a message using a particular rearrangement: </li></ul><ul><ul><li>interchange character k with character k+1 </li></ul></ul><ul><li>Example: </li></ul><ul><ul><li>security → esuciryt </li></ul></ul><ul><li>Transposition ciphers are easy to break </li></ul><ul><ul><li>Suppose plaintext and ciphertext are known; matching of letters in plaintext and ciphertext will reveal the transposition mapping </li></ul></ul><ul><ul><li>Using anagram analysis: sliding pieces of ciphertext around, then looking for sections that look like anagrams of English words, and solving the anagrams </li></ul></ul>
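As an added example (not from the lecture), the two classical ciphers of slides 24 and 25 in Python, together with the letter histogram that the frequency-analysis attack on slide 24 starts from. The reversed-alphabet table and the "swap character k with k+1" rule are the ones on the slides; the pangram used as sample text and the `guess_substitution` helper are constructed for this example.

```python
import string
from collections import Counter

# Substitution table from slide 24: a..z is mapped onto z..a.
_ALPHABET = string.ascii_lowercase
_SUB_TABLE = str.maketrans(_ALPHABET, _ALPHABET[::-1])

# Constructed sample plaintext for the histogram demonstration.
SAMPLE_PLAINTEXT = "the quick brown fox jumps over the lazy dog"


def substitute(text: str) -> str:
    """Reversed-alphabet substitution cipher. The table is its own inverse,
    so the same call encrypts and decrypts. Non-letters pass through."""
    return text.lower().translate(_SUB_TABLE)


def transpose(text: str) -> str:
    """Transposition cipher from slide 25: interchange character k with
    character k+1 for k = 0, 2, 4, ... A trailing unpaired character stays
    put. Applying it twice restores the input, so it also decrypts."""
    chars = list(text)
    for k in range(0, len(chars) - 1, 2):
        chars[k], chars[k + 1] = chars[k + 1], chars[k]
    return "".join(chars)


def letter_histogram(ciphertext: str) -> list[tuple[str, int]]:
    """Letter frequencies of a ciphertext, most common first: the histogram
    the slide says an analyst takes before matching it against known
    English letter frequencies."""
    counts = Counter(ch for ch in ciphertext.lower() if ch in _ALPHABET)
    return counts.most_common()


def guess_substitution(ciphertext: str, english_order: str = "etaoinshrdlu") -> dict[str, str]:
    """First guess at the key: pair the most frequent ciphertext letters with
    the most frequent English letters. The guess improves with more
    ciphertext; the size of the key space (26!) never enters into it."""
    ranked = [letter for letter, _ in letter_histogram(ciphertext)]
    return dict(zip(ranked, english_order))


if __name__ == "__main__":
    print(substitute("security"), transpose("security"))
    ct = substitute(SAMPLE_PLAINTEXT)
    print(letter_histogram(ct)[:3], guess_substitution(ct))
```

The histogram is why a large key space alone says nothing about strength: the statistics of the plaintext survive the substitution unchanged, so the most frequent ciphertext letter is almost certainly the image of "e" once enough text is available.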
  26. 26. <ul><li>Sender encrypts P by applying mapping E<sub>K</sub> which depends on secret key K: C = E<sub>K</sub>(P) </li></ul><ul><li>Receiver decrypts C by applying the inverse mapping D<sub>K</sub> which also depends on K: D<sub>K</sub>(E<sub>K</sub>(P)) = P </li></ul>[Diagram: plaintext P → Encryption E<sub>K</sub>(·) with key K → ciphertext C = E<sub>K</sub>(P) → Decryption D<sub>K</sub>(·) with key K → P]
  27. 27. <ul><li>Algorithm should be easy to implement and deploy on a large scale </li></ul><ul><li>Algorithm should be difficult to break: </li></ul><ul><li>Number of keys should be very large </li></ul><ul><ul><li>Attacker cannot try all possible keys </li></ul></ul><ul><li>The secret key should be very hard to derive from intercepted messages </li></ul><ul><ul><li>Even if a large number of plaintexts & corresponding ciphertexts are known to the attacker </li></ul></ul><ul><li>Examples of secret key methods discussed later: </li></ul><ul><ul><li>Data Encryption Standard (DES) and Triple DES </li></ul></ul><ul><ul><li>Advanced Encryption Standard (AES) </li></ul></ul>
  28. 28. <ul><li>Privacy : secret key renders messages confidential </li></ul><ul><li>Integrity : alteration of the ciphertext will be detected, because the decrypted message will be gibberish </li></ul><ul><ul><li>When privacy is not required, encryption of the entire message is overkill because it involves much processing </li></ul></ul><ul><ul><li>We will see that cryptographic checksums provide integrity and require less processing </li></ul></ul>
  29. 29. <ul><li>Send message identifying self: John to Jane, “let’s talk” </li></ul><ul><li>Reply with a challenge that contains a random number r, a nonce (number used once) </li></ul><ul><li>Send response with encrypted r: E<sub>k</sub>(r) </li></ul><ul><li>Apply secret key to decrypt the message. If the decrypted number is r, then the transmitter is authenticated </li></ul><ul><li>Can now authenticate the receiver by issuing a challenge in the other direction: r´ and E<sub>k</sub>(r´) </li></ul>[Diagram: sender (John) and receiver (Jane) exchange “let’s talk”, r, E<sub>k</sub>(r), r´, E<sub>k</sub>(r´)]
  30. 30. <ul><li>Transmitter calculates a fixed number of bits (crypto checksum/hash) that depends on secret key K: H<sub>K</sub>(P) </li></ul><ul><li>Receiver recalculates the hash from the received message & compares it to the received hash </li></ul>[Diagram: message P passes through a crypto checksum calculator keyed with K; message P and H<sub>K</sub>(P) are transmitted together]
  31. 31. <ul><li>To be secure, it must be very difficult to find a message that generates a given hash </li></ul><ul><ul><li>If not difficult, an attacker could produce a message and corresponding hash that would be accepted as valid </li></ul></ul><ul><li>Suppose the message is M bits long and the hash is m bits long, and m << M </li></ul><ul><ul><li>For each given hash value there are 2<sup>M</sup>/2<sup>m</sup> = 2<sup>M−m</sup> messages that give that hash </li></ul></ul><ul><ul><li>How long does it take to find a match? </li></ul></ul><ul><ul><li>Probability that a random message generates a given hash is 2<sup>−m</sup> since there are 2<sup>m</sup> hashes </li></ul></ul><ul><ul><li>Mean # tries to find a given hash is: 2<sup>m</sup> </li></ul></ul>
  32. 32. <ul><li>M = 1000, m = 128 </li></ul><ul><li>Number of possible messages: 2<sup>1000</sup> </li></ul><ul><li>Number of possible hashes: 2<sup>128</sup> </li></ul><ul><li>For each hash value there are 2<sup>1000</sup>/2<sup>128</sup> = 2<sup>872</sup> messages that generate the hash </li></ul><ul><li>A randomly selected message produces a desired hash value with probability 2<sup>−128</sup> </li></ul><ul><li>If each attempt requires 1 microsecond, the time to find a matching message to a hash is: </li></ul><ul><ul><li>2<sup>128</sup> × 1 microsecond = 2<sup>25</sup> years </li></ul></ul>
  33. 33. <ul><li>Message Digest 5 (MD5) </li></ul><ul><ul><li>Pad message to be a multiple of 512 bits </li></ul></ul><ul><ul><li>Initialize a 128-bit buffer to a given value </li></ul></ul><ul><ul><li>Modify buffer content according to the next 512 bits </li></ul></ul><ul><ul><li>Repeat until all blocks are done </li></ul></ul><ul><ul><li>Buffer holds the 128-bit hash </li></ul></ul><ul><li>Keyed MD5 </li></ul><ul><ul><li>Pad message to be a multiple of 512 bits </li></ul></ul><ul><ul><li>Prepend and append the secret key to the padded message prior to performing the hash function </li></ul></ul><ul><ul><li>Could also append/prepend other information such as sender ID </li></ul></ul><ul><li>Secure Hash Algorithm 1 (SHA-1) </li></ul><ul><ul><li>Produces a 160-bit hash; more secure than MD5 </li></ul></ul><ul><ul><li>Keyed version available </li></ul></ul>
  34. 34. <ul><li>HMAC improves the strength of a hash code </li></ul><ul><ul><li>Pad secret key with zeros to a length of 512 bits and XOR with 64 repetitions of 00110110 </li></ul></ul><ul><ul><li>Pad message to a multiple of 512 bits </li></ul></ul><ul><ul><li>Calculate hash of padded key followed by padded message, 128 bits for MD5, 160 bits for SHA-1 </li></ul></ul><ul><ul><li>Pad hash to 512 bits </li></ul></ul><ul><ul><li>Pad secret key with zeros to 512 bits and XOR with 64 repetitions of 01011010 </li></ul></ul><ul><ul><li>Calculate hash of padded key and padded hash </li></ul></ul><ul><ul><li>Result is the final hash </li></ul></ul>
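As an added example (not from the lecture), HMAC built step by step from the description on slide 34, checked against the standard library's `hmac` module, and then used for the nonce challenge-response of slide 29 with a keyed hash standing in for the encryption of the nonce (the keyed-hash idea of slide 30). The pad constants are RFC 2104's: 0x36 (00110110) for the inner pad and 0x5C (01011100) for the outer pad, which is what every interoperable implementation, including Python's `hmac`, uses. The `Verifier` class, the nonce bookkeeping and the demo key are constructed for this example.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 64   # 512-bit block of MD5 and SHA-1, as on the slide
IPAD_BYTE = 0x36  # 00110110, repeated 64 times
OPAD_BYTE = 0x5C  # 01011100, the RFC 2104 outer pad used by hashlib/hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as on slide 34 / RFC 2104:
         inner = H((key padded to 512 bits XOR ipad) || message)
         outer = H((key padded to 512 bits XOR opad) || inner)
    The padding of the message and of the inner hash to a multiple of
    512 bits happens inside H, so it does not appear explicitly here."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    if len(key) > BLOCK_SIZE:                 # RFC 2104: over-long keys are hashed first
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")      # pad secret key with zeros to 512 bits
    inner_key = bytes(b ^ IPAD_BYTE for b in key)
    outer_key = bytes(b ^ OPAD_BYTE for b in key)
    inner_hash = h(inner_key + message)
    return h(outer_key + inner_hash)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Self-check: the from-scratch construction must agree with hmac.new."""
    reference = hmac.new(key, message, getattr(hashlib, hash_name)).digest()
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), reference)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Claimant's side of the challenge-response: prove possession of the
    shared key by returning a keyed hash of the nonce (in place of E_k(r))."""
    return hmac_from_scratch(key, nonce)


class Verifier:
    """Receiver's side. Issued nonces are remembered so that a recorded
    response cannot be replayed, and the comparison is constant-time."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)          # "number used once"
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:   # never issued, or already consumed: a replay
            return False
        self._outstanding.discard(nonce)     # exactly one response per challenge
        expected = hmac_from_scratch(self._key, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    v = Verifier(key)
    n = v.challenge()
    r = respond(key, n)
    print("first response accepted:", v.verify(n, r))
    print("replayed response accepted:", v.verify(n, r))
```

Two details matter in practice: the verifier must forget a nonce once it has been answered, otherwise the eavesdropper of slide 8 can replay a recorded response, and the comparison must be constant-time so that the response is not leaked byte by byte through timing.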
  35. 35. <ul><li>Public key cryptography provides privacy using two different keys: </li></ul><ul><ul><li>Public key K1 available to all for encrypting messages to a certain user: C = E<sub>K1</sub>(P) </li></ul></ul><ul><ul><li>Private key K2 for the user to decrypt messages: P = D<sub>K2</sub>(E<sub>K1</sub>(P)) </li></ul></ul>[Diagram: plaintext P → Encryption E<sub>K1</sub>(·) with public key K1 → ciphertext C = E<sub>K1</sub>(P) → Decryption D<sub>K2</sub>(·) with private key K2 → P]
  36. 36. <ul><li>E<sub>K1</sub> and D<sub>K2</sub> should be readily implementable </li></ul><ul><li>Inverse relationship should hold: </li></ul><ul><ul><li>P = D<sub>K2</sub>(E<sub>K1</sub>(P)) and sometimes P = E<sub>K1</sub>(D<sub>K2</sub>(P)) </li></ul></ul><ul><li>K1 is a relatively small number of bits and K2 is usually a large number of bits </li></ul><ul><li>It is extremely difficult to decrypt E<sub>K1</sub>(P) without K2 </li></ul><ul><li>It should not be possible to deduce K2 from K1 </li></ul><ul><li>Example: RSA public key cryptography </li></ul>
  37. 37. <ul><li>Named after Rivest, Shamir, and Adleman </li></ul><ul><li>Modular arithmetic & factorization of large numbers </li></ul><ul><ul><li>Let n = pq, where p & q are two large prime numbers </li></ul></ul><ul><ul><ul><li>n typically several hundred bits long, e.g. 512 bits </li></ul></ul></ul><ul><ul><ul><li>Plaintext must be shorter than n </li></ul></ul></ul><ul><ul><li>Find e relatively prime to (p – 1)(q – 1) </li></ul></ul><ul><ul><ul><li>i.e. e has no common factors with (p – 1)(q – 1) </li></ul></ul></ul><ul><ul><ul><li>Public key is {e, n} </li></ul></ul></ul><ul><ul><li>Let d be the multiplicative inverse of e </li></ul></ul><ul><ul><ul><li>de ≡ 1 (mod (p – 1)(q – 1)) </li></ul></ul></ul><ul><ul><ul><li>Private key is {d, n} </li></ul></ul></ul>
  38. 38. <ul><li>Fact: For P < n and n, p, q, d as above: </li></ul><ul><ul><li>P<sup>de</sup> mod n = P mod n </li></ul></ul><ul><li>Encryption: </li></ul><ul><ul><li>C = P<sup>e</sup> mod n </li></ul></ul><ul><ul><li>Result is a number less than n and is represented by the same number of bits as the key </li></ul></ul><ul><li>Decryption: </li></ul><ul><ul><li>C<sup>d</sup> mod n = P<sup>ed</sup> mod n = P mod n = P </li></ul></ul><ul><li>Security stems from the fact that it is very difficult to factor large numbers n, and hence to determine d from e </li></ul>
  39. 39. <ul><li>Let p = 5, q = 11 </li></ul><ul><ul><li>n = pq = 55 and (p – 1)(q – 1) = 40 </li></ul></ul><ul><li>Let e = 7, which is relatively prime to 40 </li></ul><ul><ul><li>7d mod 40 = 1 gives d = 23 </li></ul></ul><ul><li>Public key is {7, 55} </li></ul><ul><li>Private key is {23, 55} </li></ul>
  40. 40. <ul><li>Encrypt “RSA”: R=18, S=19, A=1 </li></ul><ul><ul><li>C<sub>1</sub> = 18<sup>7</sup> mod 55 = 18<sup>4+2+1</sup> mod 55 </li></ul></ul><ul><ul><li> = (18 mod 55)(18<sup>2</sup> mod 55)(18<sup>4</sup> mod 55) mod 55 </li></ul></ul><ul><ul><li> = (18)(324 mod 55)(18<sup>4</sup> mod 55) mod 55 </li></ul></ul><ul><ul><li> = (18)(49)(49<sup>2</sup> mod 55) mod 55 = (18)(49)(36) mod 55 </li></ul></ul><ul><ul><li> = 31752 mod 55 = 17 </li></ul></ul><ul><ul><li>C<sub>2</sub> = 19<sup>7</sup> mod 55 = 24 </li></ul></ul><ul><ul><li>C<sub>3</sub> = 1<sup>7</sup> mod 55 = 1 </li></ul></ul><ul><li>Decrypt </li></ul><ul><ul><li>17<sup>23</sup> mod 55 = 17<sup>16+4+2+1</sup> mod 55 = 18 </li></ul></ul><ul><ul><li>24<sup>23</sup> mod 55 = 19 </li></ul></ul><ul><ul><li>1<sup>23</sup> mod 55 = 1 </li></ul></ul>
  41. 41. <ul><li>Integrity: </li></ul><ul><ul><li>Anyone can send messages using the public key, so integrity is not assured directly </li></ul></ul><ul><ul><li>For integrity, transmitter: </li></ul></ul><ul><ul><ul><li>encodes P with its private key K2′ to obtain P′ = D<sub>K2′</sub>(P) </li></ul></ul></ul><ul><ul><ul><li>encodes P′ using the receiver’s public key: C = E<sub>K1</sub>(P′) </li></ul></ul></ul><ul><ul><li>Receiver: </li></ul></ul><ul><ul><ul><li>decrypts C: D<sub>K2</sub>(E<sub>K1</sub>(P′)) = P′ </li></ul></ul></ul><ul><ul><ul><li>decrypts P′ using the transmitter’s public key: E<sub>K1′</sub>(D<sub>K2′</sub>(P)) = P </li></ul></ul></ul><ul><ul><ul><li>Only the transmitter could have sent this message. </li></ul></ul></ul>
  42. 42. <ul><li>Transmitter identifies itself: John to Jane, “let’s talk” </li></ul><ul><li>Receiver sends a nonce r encoded using the sender’s public key in a challenge message: E<sub>K1</sub>(r) </li></ul><ul><li>Transmitter uses its private key to recover the nonce, and it returns the unencrypted nonce r </li></ul><ul><li>Only the holder of the private key can find the nonce </li></ul>[Diagram: sender and receiver exchanging “let’s talk”, E<sub>K1</sub>(r), r]
  43. 43. <ul><li>Digital signatures provide nonrepudiation </li></ul><ul><ul><li>User “signs” a message that cannot be repudiated </li></ul></ul><ul><li>Digital signature obtained as follows: </li></ul><ul><ul><li>Transmitter obtains a hash of the message </li></ul></ul><ul><ul><li>Transmitter encrypts the hash using its private key; result is the digital signature </li></ul></ul><ul><ul><li>Transmitter sends message and signature </li></ul></ul><ul><li>To check the signature: </li></ul><ul><ul><li>Receiver obtains hash of message </li></ul></ul><ul><ul><li>Receiver decrypts signature using sender’s public key </li></ul></ul><ul><ul><li>Receiver compares hash computed from message and hash obtained from signature </li></ul></ul><ul><ul><li>Procedure also ensures message integrity </li></ul></ul>
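As an added example (not from the lecture), the RSA key setup of slide 37, the numeric example of slides 39 and 40, and the hash-then-private-key signature of slide 43 in Python. The primes 5 and 11 with e = 7 and the letter numbering A=1 ... Z=26 are the slide's; the second key pair (p = 61, q = 53, e = 17) and the reduction of a SHA-256 digest modulo n in `rsa_sign` are constructed for this example. That reduction is a toy: a deployed signature scheme embeds the hash in a padded block (PKCS#1 v1.5 or PSS) under a modulus of 2048 bits or more, and textbook RSA without padding is malleable.

```python
import hashlib
from math import gcd


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m (extended Euclidean algorithm)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Public key {e, n} and private key {d, n} as set up on slide 37:
    n = pq and de ≡ 1 (mod (p-1)(q-1))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (modinv(e, phi), n)


def rsa_encrypt(public_key: tuple[int, int], plaintext: int) -> int:
    """C = P^e mod n; the plaintext block must be smaller than n."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext block must be smaller than n")
    return pow(plaintext, e, n)


def rsa_decrypt(private_key: tuple[int, int], ciphertext: int) -> int:
    """C^d mod n = P^ed mod n = P."""
    d, n = private_key
    return pow(ciphertext, d, n)


def encode_letters(word: str) -> list[int]:
    """Letter numbering used on slide 40: A=1, B=2, ..., Z=26."""
    return [ord(ch) - ord("A") + 1 for ch in word.upper()]


def decode_letters(numbers: list[int]) -> str:
    return "".join(chr(n - 1 + ord("A")) for n in numbers)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy reduction of the hash so it fits below n (constructed for this example).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key: tuple[int, int], message: bytes) -> int:
    """Slide 43: hash the message, then apply the private key to the hash."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Receiver: recompute the hash and compare it with the public-key
    transformation of the signature; a changed message or signature fails."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 11, 7)
    cipher = [rsa_encrypt(pub, b) for b in encode_letters("RSA")]
    print(pub, priv, cipher, decode_letters([rsa_decrypt(priv, c) for c in cipher]))
```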
  44. 44. <ul><li>Public key systems have more capabilities </li></ul><ul><ul><li>Secret key: privacy, integrity, authentication </li></ul></ul><ul><ul><li>Public key: all of above + digital signature </li></ul></ul><ul><li>Public key algorithms are more complex </li></ul><ul><ul><li>Require more processing and hence much slower than secret key </li></ul></ul><ul><li>Practice: </li></ul><ul><ul><li>Use public key method during session setup to establish a session key </li></ul></ul><ul><ul><li>Use secret key cryptography during session using the session key </li></ul></ul>
  45. 45. <ul><li>PGP developed by Philip Zimmermann to provide secure email </li></ul><ul><ul><li>http://www.philzimmermann.com/index.shtml </li></ul></ul><ul><ul><li>http://www.pgpi.org </li></ul></ul><ul><li>Notorious for becoming publicly available for download over the Internet in violation of US export restrictions </li></ul><ul><li>Uses public key cryptography to provide </li></ul><ul><ul><li>Privacy, integrity, authentication, digital signature </li></ul></ul><ul><li>De facto standard for email security </li></ul><ul><li>Also provides privacy and integrity for stored files </li></ul>
  46. 46. <ul><li>Every pair of users requires a separate shared secret key </li></ul><ul><ul><li>N(N – 1) keys for N users; grows quickly with N </li></ul></ul><ul><ul><li>Similar to full-mesh connections for N users </li></ul></ul><ul><li>Solution: Introduce Key Distribution Centers </li></ul><ul><ul><li>Each user has a shared key with the KDC </li></ul></ul><ul><ul><li>User A has shared key K<sub>KA</sub> with the KDC </li></ul></ul><ul><ul><li>User B has shared key K<sub>KB</sub> with the KDC </li></ul></ul><ul><ul><li>KDC provides a shared key when A & B need to communicate </li></ul></ul>
  47. 47. <ul><li>User A contacts the KDC to request a key for use with user B. </li></ul><ul><li>KDC: </li></ul><ul><ul><li>Authenticates user A </li></ul></ul><ul><ul><li>Selects a key K<sub>AB</sub> and encrypts it to produce E<sub>KA</sub>(K<sub>AB</sub>) and E<sub>KB</sub>(K<sub>AB</sub>). </li></ul></ul><ul><li>KDC sends both versions of the encrypted key to A. </li></ul><ul><li>User A contacts user B and provides a ticket in the form of E<sub>KB</sub>(K<sub>AB</sub>) </li></ul><ul><li>Users A & B both have K<sub>AB</sub> </li></ul>[Diagram: A sends a request to the KDC; the KDC returns E<sub>KA</sub>(K<sub>AB</sub>), E<sub>KB</sub>(K<sub>AB</sub>); A sends the ticket E<sub>KB</sub>(K<sub>AB</sub>) to B, followed by a challenge and response; other users C and D are also attached to the KDC]
  48. 48. <ul><li>Kerberos: authentication service for users to access servers over a network </li></ul><ul><li>KDC has a secret key with every user </li></ul><ul><li>At login, user supplies ID and password </li></ul><ul><ul><li>KDC authenticates user & generates session key </li></ul></ul><ul><ul><li>Session key & ticket-granting ticket (TGT) are sent to the user encrypted using the shared secret key </li></ul></ul><ul><li>To access a particular server, user sends a request to the KDC with the server name and the TGT </li></ul><ul><ul><li>KDC decrypts TGT to recover the session key & then returns a ticket to the client for the desired server </li></ul></ul>
49. 49. <ul><li>With public key cryptography, only one pair of keys per user </li></ul><ul><li>Key distribution problem: How to determine whether an advertised public key is from an imposter? </li></ul><ul><li>Certification Authority (CA) </li></ul><ul><ul><li>Issues a digitally signed certificate that provides </li></ul></ul><ul><ul><ul><li>User's name & public key </li></ul></ul></ul><ul><ul><ul><li>Certificate serial #, expiration date </li></ul></ul></ul><ul><ul><li>Certificates can be stored in publicly accessible directories </li></ul></ul><ul><ul><li>To communicate with B, a user contacts the CA to obtain the certificate for B </li></ul></ul><ul><ul><li>Users are configured with the CA's public key, which they use to verify the digital signature </li></ul></ul>
50. 50. <ul><li>Generate keys instead of distributing keys </li></ul><ul><li>Diffie-Hellman exchange to create a shared key </li></ul><ul><li>A & B pick p, a large prime #, and a generator g < p </li></ul><ul><ul><li>A picks x and sends T = g^x mod p to B; B picks y and sends R = g^y mod p to A </li></ul></ul><ul><ul><li>Secret key is K = (g^x)^y = (g^y)^x mod p, which A & B calculate independently </li></ul></ul><ul><li>An eavesdropper that obtains p, g, T, R cannot obtain x and y because the discrete logarithms x = log_g T and y = log_g R (mod p) are extremely difficult to compute </li></ul>[Figure: Transmitter A sends T = g^x mod p, Receiver B sends R = g^y mod p; A computes K = R^x mod p = g^xy mod p, B computes K = T^y mod p = g^xy mod p]
51. 51. <ul><li>An intruder C can interpose itself between A & B </li></ul><ul><li>C establishes a shared key K_1 with A and a shared key K_2 with B </li></ul><ul><li>C can then intercept, decipher, and re-encrypt all communications </li></ul><ul><li>Need mutual authentication between A & B </li></ul><ul><li>Alternative: community agrees on g & p; users publish their T, R, … </li></ul>[Figure: Transmitter A sends T, the man in the middle C passes on T' to Receiver B; B sends R, C passes on R' to A; A and C share K_1 = R'^x = T^y' = g^xy', C and B share K_2 = R^x' = T'^y = g^x'y]
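The exchange of slides 50 and 51, as an added example that is not part of the lecture notes: the honest run gives A and B the same K, the interposed C leaves them with K_1 ≠ K_2, and the mutual-authentication bullet is realised by tagging T and R with an HMAC under a pre-established shared secret (an assumption here, in the spirit of the SKEYID-based signatures of slides 69 and 70). The toy prime and generator are constructed, not from the notes.

```python
# Added example (not from the lecture notes): Diffie-Hellman with the notes'
# symbols (p, g, x, y, T, R, K), plus a check that fails when a man in the
# middle substitutes its own values. Standard library only.
import hashlib
import hmac
import secrets

# Constructed toy group: 2^127-1 is prime but far too small for real use;
# deployments use the MODP groups of RFC 3526. g = 5 is an assumption.
P = 2**127 - 1
G = 5


def dh_public(private: int) -> int:
    """T = g^x mod p (or R = g^y mod p)."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """K = R^x mod p = T^y mod p = g^xy mod p."""
    return pow(peer_public, private, P)


def unauthenticated_exchange(mitm: bool):
    """Return (K at A, K at B). With mitm=True the intruder C replaces T and R
    by its own T' and R', so A shares K_1 with C and B shares K_2 with C."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    T, R = dh_public(x), dh_public(y)
    if mitm:
        x_c, y_c = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        T, R = dh_public(x_c), dh_public(y_c)   # B receives T', A receives R'
    return dh_shared(R, x), dh_shared(T, y)


def tag(psk: bytes, sender: str, value: int) -> bytes:
    """Mutual authentication of the exchange (assumed construction): bind T or R
    to the sender's identity under a pre-established shared secret."""
    msg = sender.encode() + value.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def authenticated_exchange(psk: bytes, mitm: bool):
    """Return the shared key, or None when a party rejects a substituted value."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    T, R = dh_public(x), dh_public(y)
    tag_T, tag_R = tag(psk, "A", T), tag(psk, "B", R)
    if mitm:                      # C cannot produce tags without the PSK
        T, R = dh_public(7), dh_public(11)
    # B checks A's value and A checks B's value before deriving K
    if not hmac.compare_digest(tag(psk, "A", T), tag_T):
        return None
    if not hmac.compare_digest(tag(psk, "B", R), tag_R):
        return None
    return dh_shared(R, x)


if __name__ == "__main__":
    ka, kb = unauthenticated_exchange(mitm=False)
    print("honest exchange, keys equal:", ka == kb)
    ka, kb = unauthenticated_exchange(mitm=True)
    print("with intruder C, keys equal:", ka == kb)
    print("authenticated, intruder rejected:",
          authenticated_exchange(b"preshared", mitm=True) is None)
```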
  52. 52. <ul><li>Diffie-Hellman exchange involves computation of powers of large numbers </li></ul><ul><ul><li>Large number of multiplications implies heavy computational burden </li></ul></ul><ul><ul><li>Susceptible to denial-of-service attacks </li></ul></ul>
  53. 53. Network Security Protocols
54. 54. <ul><li>Computers A & B communicate across the Internet </li></ul><ul><li>Exposure to eavesdropping, imposters, DoS </li></ul><ul><li>Can encrypt some transmitted information </li></ul><ul><ul><li>But IP headers need to be visible to routers & hence to others </li></ul></ul><ul><ul><li>Eavesdropper can gather a variety of usage information & deduce the nature of the interaction </li></ul></ul><ul><ul><li>Choice of which layer to apply security at: IP, transport, or application layer </li></ul></ul>[Figure: computers A and B connected through the Internet]
55. 55. <ul><li>Computers A and B have gateways interposed between their internal network and the Internet </li></ul><ul><li>Gateway can be a firewall </li></ul><ul><ul><li>Controls external access to the internal network </li></ul></ul><ul><ul><li>Packet filtering according to various header fields </li></ul></ul><ul><ul><ul><li>IP addresses, port numbers, ICMP types, fields within payload </li></ul></ul></ul><ul><li>Secure tunnels can be established between gateways </li></ul><ul><ul><li>All internal information including headers can be encrypted </li></ul></ul>[Figure: A and B, each behind a gateway, connected through the Internet]
56. 56. <ul><li>Mobile host needs access to the internal network </li></ul><ul><li>Gateway must provide the user with access while barring intruders from accessing the internal network </li></ul><ul><li>May also need to protect the identity of the mobile user </li></ul><ul><li>IP address of the mobile user changes </li></ul>[Figure: mobile host accessing the internal network across the Internet]
  57. 57. <ul><li>Firewalls can operate at different layers </li></ul><ul><ul><li>IP-layer filtering cannot operate on payload contents </li></ul></ul><ul><li>Circuit-Level Gateways </li></ul><ul><ul><li>Direct client-to-server TCP connections not allowed </li></ul></ul><ul><ul><li>Relays TCP segments between actual client & actual server </li></ul></ul><ul><li>Application-Level Gateways or Proxies </li></ul><ul><ul><li>Interposed between actual client and actual server </li></ul></ul><ul><ul><li>Performs authentication and determines what features are available to client </li></ul></ul><ul><ul><li>Monitors, filters & relays messages </li></ul></ul>
  58. 58. <ul><li>Security Services can be provided at different layers of the protocol stack </li></ul><ul><li>Data Link Layer security </li></ul><ul><ul><li>Point-to-point security between directly-connected devices, e.g. wireless LAN security </li></ul></ul><ul><li>IP-Layer security </li></ul><ul><ul><li>Security service between IP layers </li></ul></ul><ul><ul><li>e.g. IPsec </li></ul></ul><ul><li>Transport Layer security </li></ul><ul><ul><li>Security service between Transport Layers </li></ul></ul><ul><ul><li>E.g. Secure Sockets Layer & Transport Layer Security </li></ul></ul>
59. 59. <ul><li>IPsec defined in RFCs 2401, 2402, 2406 </li></ul><ul><li>Provides authentication, integrity, confidentiality, and access control at the IP layer </li></ul><ul><li>Includes a key management protocol that provides automatic key distribution </li></ul><ul><li>Security service can be provided between a pair of communicating nodes, where a node can be a host or a gateway (router or firewall) </li></ul><ul><li>Two protocols & two modes to provide traffic security: </li></ul><ul><ul><li>Authentication Header (AH) and Encapsulating Security Payload (ESP) </li></ul></ul><ul><ul><li>Transport mode or tunnel mode </li></ul></ul>
60. 60. <ul><li>A Security Association (SA) is a logical simplex connection between two network-layer entities </li></ul><ul><li>Two SAs are required for bidirectional secure communication </li></ul><ul><li>SA is specified by </li></ul><ul><ul><li>A unique identifier </li></ul></ul><ul><ul><li>Security services to be used </li></ul></ul><ul><ul><li>Cryptographic algorithms to be used </li></ul></ul><ul><ul><li>How shared keys will be established </li></ul></ul><ul><ul><li>Other attributes such as lifetime </li></ul></ul><ul><li>SA is negotiated before the security service begins </li></ul>
  61. 61. <ul><li>Integrity can be ascertained by sending a cryptographic checksum or hash of message </li></ul><ul><li>Authentication also provided if hash covers: </li></ul><ul><ul><li>Shared secret key, sender’s identity & message </li></ul></ul><ul><ul><li>Fields that are changed while packet traverses Internet are set to zero in calculation of hash </li></ul></ul><ul><li>To protect against replay attacks, message should carry a sequence number that is covered by the hash </li></ul><ul><ul><li>Receiver accepts a packet only once </li></ul></ul><ul><ul><li>Receiver maintains a window of packets it accepts </li></ul></ul><ul><li>Receiver recalculates hash and compares to hash in received packet </li></ul>
62. 62. <ul><li>Inserted between the regular header & the payload </li></ul><ul><li>Packet header contains a field indicating the presence of an authentication header </li></ul><ul><li>Authentication header includes: </li></ul><ul><ul><li>Security association ID </li></ul></ul><ul><ul><li>Sequence number </li></ul></ul><ul><ul><li>Cryptographic hash </li></ul></ul>[Figure: packet header | authentication header | packet payload; authenticated except for the changeable fields of the packet header]
63. 63. <ul><li>A tunnel can be created by encapsulating a packet within another packet </li></ul><ul><ul><li>Inner packet header carries the original source address </li></ul></ul><ul><ul><li>Entire contents of the inner packet are covered by the hash </li></ul></ul><ul><ul><li>Outer packet header carries the gateway's address </li></ul></ul>[Figure: tunnel mode: new header | authentication header | original header | packet payload; authenticated except for changeable fields in the new header; the tunnel runs across the Internet]
64. 64. <ul><li>Privacy requires encryption of the message </li></ul><ul><li>Encryption header identifies the security association & sequence number </li></ul><ul><li>Encryption can cover payload + padding </li></ul><ul><li>Authentication header can be used to detect alteration of any non-changeable fields & protect against replay attacks </li></ul>[Figure: packet header | encryption header | encrypted (packet payload + pad); with a new header and AH: new header | authentication header | encryption header | encrypted (packet payload + pad)]
65. 65. <ul><li>In tunnel mode, the entire original packet is encrypted and unreadable to eavesdroppers </li></ul><ul><ul><li>All original packet header fields are unreadable </li></ul></ul><ul><ul><li>Only the gateway packet header is visible </li></ul></ul><ul><li>It is also possible to use tunnel mode between trusted routers while traversing untrusted segments of the Internet </li></ul><ul><ul><li>Trusted routers can decrypt the inner packet & perform routing </li></ul></ul>[Figure: tunnel mode: new header | encryption header | encrypted (original header + packet payload)]
66. 66. <ul><li>To set up a security association, computers must: </li></ul><ul><ul><li>Agree on the security services that will be provided </li></ul></ul><ul><ul><li>Agree on cryptographic algorithms </li></ul></ul><ul><ul><li>Authenticate each other </li></ul></ul><ul><ul><li>Establish a shared secret key </li></ul></ul><ul><li>The last two steps are difficult; possible approaches: </li></ul><ul><ul><li>Manual setup of a shared key between a pair of users </li></ul></ul><ul><ul><li>Use a Key Distribution Center </li></ul></ul><ul><ul><li>Contact a Certificate Authority </li></ul></ul><ul><li>Internet Key Exchange (RFC 2409) for IPsec </li></ul><ul><ul><li>Assumes parties have a name/identity for the other party as well as a pre-established shared secret (secret key or private key) </li></ul></ul>
67. 67. <ul><li>IKE cookie exchange between Initiator Host and Responder Host </li></ul><ul><ul><li>Initiator selects a random # C_i, the initiator's cookie, and sends HDR, SA (Cookie Request): contains C_i and proposes Security Association options </li></ul></ul><ul><ul><li>Responder checks to see if C_i is already in use; if not, generates C_r, the responder's cookie, and associates C_r with the initiator's address </li></ul></ul><ul><ul><li>Responder sends HDR, SA (Cookie Response): contains C_i & C_r and selects the SA options </li></ul></ul><ul><ul><li>Initiator checks C_i & address against its list; associates (C_i, C_r) with the SA; records the SA as "unauthenticated" </li></ul></ul>
68. 68. <ul><li>IKE key exchange </li></ul><ul><ul><li>Initiator picks x, computes T = g^x mod p and a nonce N_i, and initiates the Diffie-Hellman exchange by sending HDR, KE, N_i (Key Request) </li></ul></ul><ul><ul><li>Responder checks the responder cookie and discards the request if it is not valid; if valid, identifies the SA with (C_i, C_r) & records it as "unauthenticated" </li></ul></ul><ul><ul><li>Responder picks y, computes R = g^y mod p and a nonce N_r, and sends HDR, KE, N_r (Key Response) </li></ul></ul><ul><ul><li>Responder calculates K = (g^x)^y mod p; initiator calculates K = (g^y)^x mod p </li></ul></ul><ul><ul><li>Both calculate a secret string of bits SKEYID known only to initiator & responder </li></ul></ul>
69. 69. <ul><li>IKE signature exchange </li></ul><ul><ul><li>Initiator prepares a signature based on SKEYID, T, R, C_i, C_r, the SA field and the initiator ID_i (a hash of this information, encrypted) and sends HDR, {ID_i, Sig_i} (Signature Request) </li></ul></ul><ul><ul><li>Responder authenticates the initiator by comparing the decrypted hash to a recalculated hash; if they agree, the SA is declared authenticated </li></ul></ul><ul><ul><li>Responder prepares a signature based on SKEYID, T, R, C_i, C_r, the SA field and the responder ID_r and sends HDR, {ID_r, Sig_r} (Signature Response) </li></ul></ul><ul><ul><li>Initiator authenticates the responder's signature the same way; if successful, the SA is declared authenticated </li></ul></ul>
70. 70. <ul><li>SKEYID for authentication, based on: </li></ul><ul><ul><li>Shared key that results from Diffie-Hellman </li></ul></ul><ul><ul><li>Pre-shared key </li></ul></ul><ul><ul><ul><li>Pre-configured secret key </li></ul></ul></ul><ul><ul><ul><li>Private part of a public key pair </li></ul></ul></ul><ul><ul><li>Nonces and/or cookies </li></ul></ul><ul><li>Cookies </li></ul><ul><ul><li>To counteract denial-of-service attacks </li></ul></ul><ul><ul><li>A user that wants to make a connection request must first request a cookie </li></ul></ul><ul><ul><li>Connection requests are only accepted from users that have a valid cookie, and hence can receive packets at the IP address from which they sent the request </li></ul></ul>
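The cookie mechanism of slides 67 and 70 as an added example, not code from the notes or from any IKE implementation: C_r is computed as an HMAC over the initiator's address and C_i under a responder-only secret (a constructed way of "associating C_r with the initiator's address" without storing per-request state; RFC 2409 leaves the cookie formula to the implementation), so the Diffie-Hellman work of the key request is only spent on a peer that really receives packets at its claimed address.

```python
# Added example (not from the lecture notes): responder side of the IKE
# cookie exchange. Standard library only; the cookie construction is an
# assumption, not a formula the notes give.
import hashlib
import hmac
import secrets
from typing import Optional


class Responder:
    def __init__(self):
        self.secret = secrets.token_bytes(32)   # rotated periodically in practice
        self.in_use = {}                         # (C_i, address) -> SA state

    def cookie_for(self, addr: str, c_i: bytes) -> bytes:
        """Stateless C_r: bound to the initiator's address and C_i.
        Costs one HMAC and no memory, so flooding cookie requests is cheap
        for the responder. Anyone may ask, but only the real owner of addr
        receives the reply."""
        msg = addr.encode() + c_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def cookie_request(self, addr: str, c_i: bytes) -> Optional[bytes]:
        """Slide 67: check whether C_i is already in use; if not, issue C_r."""
        if (c_i, addr) in self.in_use:
            return None
        return self.cookie_for(addr, c_i)

    def key_request(self, addr: str, c_i: bytes, c_r: bytes) -> bool:
        """Slide 68: discard the key request unless the cookie is valid for the
        address it now arrives from; only then record the SA and do the
        expensive Diffie-Hellman computation."""
        if not hmac.compare_digest(c_r, self.cookie_for(addr, c_i)):
            return False                          # forged cookie or spoofed source
        self.in_use[(c_i, addr)] = "unauthenticated"
        return True


if __name__ == "__main__":
    r = Responder()
    c_i = secrets.token_bytes(8)                  # constructed initiator cookie
    c_r = r.cookie_request("192.0.2.1", c_i)
    print("valid cookie accepted:", r.key_request("192.0.2.1", c_i, c_r))
    print("same cookie from another address:", r.key_request("192.0.2.2", c_i, c_r))
```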
71. 71. <ul><li>Authentication header (AH) placed after headers that are examined at every hop </li></ul><ul><li>Presence of AH indicated by protocol value = 51 in the IPv4 header </li></ul><ul><li>Authentication performed over all fields including the IP header, except fields that change at every hop </li></ul>[Figure: IPv4 header | AH | upper layer (e.g., TCP or UDP)]
72. 72. <ul><li>Format used in IPv4 and IPv6 </li></ul><ul><li>Next Header indicates the next payload after AH </li></ul><ul><li>Length of Authentication data in multiples of 32 bits </li></ul><ul><li>SPI = unique ID for the security association </li></ul><ul><li>Sequence number for anti-replay protection </li></ul><ul><li>Authentication data contains the result of the authentication computation </li></ul>[Figure: AH format in 32-bit rows: Next Header (bits 0–7) | Length (bits 8–15) | Reserved (bits 16–31); Security Parameters Index; Sequence Number; Authentication Data (variable length)]
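Slides 61, 62, 71 and 72 together, as an added example that is not the notes' own code: a constructed IPv4 packet gets an AH with SPI, sequence number and authentication data, the hash covers the IP header with its hop-by-hop fields zeroed, and the receiver verifies the hash and then applies the anti-replay window. HMAC-SHA256 truncated to 128 bits is an assumption; the notes prescribe no particular hash.

```python
# Added example (not from the lecture notes): build and verify an IPsec-style
# Authentication Header over a constructed IPv4 packet. Standard library only.
import hashlib
import hmac
import struct

AH_PROTO = 51      # protocol value signalling that an AH follows the IPv4 header
ICV_LEN = 16       # truncated HMAC-SHA256 output (assumption)


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at 0."""
    return struct.pack("!BBHHHBBHII", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip_to_int(src), ip_to_int(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that change at every hop (TTL, header checksum) are set to zero
    for the hash, as the notes describe."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    ah_len = 12 + ICV_LEN
    hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload), ttl=64)
    # Next Header = TCP (6), Length in 32-bit words minus 2, Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", 6, ah_len // 4 - 2, 0, spi, seq)
    to_auth = zero_mutable(hdr) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, to_auth, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ah_fixed + icv + payload


class AhReceiver:
    """Recalculates the hash, compares it, then enforces the anti-replay window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window, self.highest, self.seen = key, window, 0, set()

    def accept(self, pkt: bytes) -> bool:
        hdr, ah_fixed = pkt[:20], pkt[20:32]
        icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
        if hdr[9] != AH_PROTO:
            return False
        to_auth = zero_mutable(hdr) + ah_fixed + bytes(ICV_LEN) + payload
        expected = hmac.new(self.key, to_auth, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False                      # altered in transit
        seq = struct.unpack("!I", ah_fixed[8:12])[0]
        if seq in self.seen or seq + self.window <= self.highest:
            return False                      # replay, or older than the window
        self.seen.add(seq)                    # each packet accepted only once
        self.highest = max(self.highest, seq)
        return True
```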
73. 73. <ul><li>ESP provides: </li></ul><ul><ul><li>Integrity & authentication service </li></ul></ul><ul><ul><li>Privacy service by encryption of the payload </li></ul></ul><ul><li>Authentication data at the end is optional </li></ul><ul><ul><li>Placement at the end makes implementation simpler </li></ul></ul>[Figure: IPv4 header | ESP | upper layer (e.g., TCP or UDP) | HMAC]
74. 74. <ul><li>Authenticated coverage from SPI until the next header field </li></ul><ul><li>Encrypted coverage from the payload data field until the next header </li></ul><ul><li>Protocol type = 50 </li></ul><ul><li>Next header field is encrypted, so the transport type is not visible </li></ul>[Figure: ESP format in 32-bit rows: Security Parameters Index; Sequence Number; Payload Data (variable); Padding | Pad Length (bits 16–23) | Next Header (bits 24–31); Authentication Data]
  75. 75. <ul><li>SSL developed by Netscape Communications </li></ul><ul><ul><li>Operates on top of TCP </li></ul></ul><ul><ul><li>Provides secure connections </li></ul></ul><ul><ul><ul><li>HTTP, FTP, telnet, … </li></ul></ul></ul><ul><ul><li>Electronic ordering & payment; e-mail </li></ul></ul><ul><ul><li>SSL 3.0 submitted to IETF for standardization </li></ul></ul><ul><li>TLS standardized by IETF (RFC 2246) </li></ul><ul><ul><li>Slight differences with SSL 3.0 </li></ul></ul>
76. 76. <ul><li>TLS protocols operate at two layers </li></ul><ul><li>TLS Record Protocol operates on top of TCP </li></ul><ul><li>Protocols on top of the TLS Record Protocol </li></ul><ul><ul><li>TLS Handshake Protocol </li></ul></ul><ul><ul><li>TLS Change Cipher Specification Protocol </li></ul></ul><ul><ul><li>TLS Alert Protocol </li></ul></ul>[Figure: protocol stack: IP; TCP; TLS Record Protocol; above it the Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol and HTTP]
  77. 77. <ul><li>TLS Record protocol provides </li></ul><ul><ul><li>Privacy service through secret key encryption </li></ul></ul><ul><ul><ul><li>Encryption algorithm is negotiated at session setup </li></ul></ul></ul><ul><ul><ul><li>Secret keys generated per connection using another protocol such as Handshake protocol </li></ul></ul></ul><ul><ul><li>Reliability service through keyed message authentication code </li></ul></ul><ul><ul><ul><li>Hash algorithm negotiated at session setup </li></ul></ul></ul><ul><ul><ul><li>Operates without hash only during session negotiation </li></ul></ul></ul>
  78. 78. <ul><li>TLS Handshake protocol used by client & server </li></ul><ul><ul><li>Negotiate protocol version, encryption algorithm, key generation method </li></ul></ul><ul><ul><li>Can authenticate each other using public key algorithm </li></ul></ul><ul><ul><li>Client & server establish a shared secret </li></ul></ul><ul><ul><li>Multiple secure connections can be set up after session setup </li></ul></ul><ul><li>Session specified by following parameters </li></ul><ul><ul><li>Session Identifier : byte sequence selected by server </li></ul></ul><ul><ul><li>Peer Certificate : certificate of peer </li></ul></ul><ul><ul><li>Compression method : used prior to encryption </li></ul></ul><ul><ul><li>Cipher spec : encryption & message authentication code </li></ul></ul><ul><ul><li>Master Secret : 48-byte secret shared by client & server </li></ul></ul><ul><ul><li>Is resumable?: flag indicating if new connections can be initiated </li></ul></ul>
79. 79. <ul><li>TLS handshake, server side (* = optional messages) </li></ul><ul><ul><li>ClientHello: request connection; includes version #, time & date, session ID (if resuming), and ciphersuites (combinations of key exchange, encryption, MAC, compression) </li></ul></ul><ul><ul><li>ServerHello: sent if there is an acceptable ciphersuite combination, else the server sends a failure alert & closes the connection; includes version #, random number, session ID, ciphersuite & compression selections </li></ul></ul><ul><ul><li>Certificate*: server certificate; may contain the public key </li></ul></ul><ul><ul><li>ServerKeyExchange*: server part of the key exchange: Diffie-Hellman g^x; RSA, public key </li></ul></ul><ul><ul><li>ServerHelloDone: server part of the handshake done </li></ul></ul><ul><ul><li>Client computes the shared key; new CipherSpec pending </li></ul></ul><ul><ul><li>TLS Record protocol initially specifies no compression or encryption </li></ul></ul>
80. 80. <ul><li>TLS handshake, client side </li></ul><ul><ul><li>ClientKeyExchange: client's part of the key agreement: Diffie-Hellman g^y; RSA, random #s; server computes the shared key </li></ul></ul><ul><ul><li>[ChangeCipherSpec]: Change Cipher protocol message notifies the server that subsequent records are protected under the new CipherSpec & keys; server changes CipherSpec </li></ul></ul><ul><ul><li>Finished: hash using the new CipherSpec; allows the server to verify the change in CipherSpec </li></ul></ul>
81. 81. <ul><li>TLS handshake, server completion </li></ul><ul><ul><li>[ChangeCipherSpec]: notifies the client that subsequent records are protected under the new CipherSpec & keys; client changes CipherSpec </li></ul></ul><ul><ul><li>Finished: hash using the new CipherSpec; client verifies the new CipherSpec </li></ul></ul><ul><ul><li>Application Data then flows between client and server </li></ul></ul><ul><li>TLS Record protocol encapsulates application-layer messages </li></ul><ul><li>Privacy through secret key cryptography </li></ul><ul><li>Reliability through MAC </li></ul><ul><li>Fragmentation of application messages into blocks for compression/encryption </li></ul><ul><li>Decompression/Decryption/Verification/Reassembly </li></ul>
82. 82. <ul><li>TLS handshake with client authentication </li></ul><ul><ul><li>Message flow: ClientHello; ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest, ServerHelloDone; Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished; [ChangeCipherSpec], Finished; Application Data </li></ul></ul><ul><ul><li>CertificateRequest: server requests a certificate if the client needs to be authenticated </li></ul></ul><ul><ul><li>Certificate: client sends a suitable certificate; if the server finds the certificate unacceptable, it can send a fatal failure alert message & close the connection </li></ul></ul><ul><ul><li>CertificateVerify: client prepares a digital signature over the messages sent, using its private key; server verifies that the client has the private key </li></ul></ul>