CS 55: Security and Privacy
Secure comms 2 https://xkcd.com/1810/ Do not forget about physical security
3 https://www.youtube.com/watch?v=nJu_-Iuppc0&start=21 Discussion
What properties would you like in “secure” communications?
4 Agenda
1. The Onion Router (TOR)
2. Transport Layer Security (TLS)
3. Virtual Private Networks (VPNs)
4. Signal/WhatsApp
5 Discussion
What is the difference between security and anonymity?
Who needs anonymity?
6 Sometimes you don’t want anyone to know you’ve sent a message or to whom
cannot tell non-trivial sender when a probability that whose message the sender is not communicati is sent or the node in ons can be not sent question identified is exposed. Anonymous Known
can see that sender is probably can demonstrate a message innocent if the this exposure to is sent but sender is no more other entities, the cannot be likely than not to be sender is provably sure where it the originator of a exposed. came from message
7 Prof. Palmer lecture notes When you logon to a server, anyone sniffing along the way can see the traffic
Internet
User Server
8 The Onion Router (TOR) obscures a message and the source and destination
TOR TOR TOR TOR Node Node Node Node
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR Node Node Node Node Server User wants to access server, but doesn’t want TOR TOR TOR TOR Node Node Node Node anyone to know they are accessing that server
9 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination User picks a TOR TOR Node forwards to another node node at random and forwards message TOR TOR TOR TOR First node called Node Node Node Node entry node TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR Node Node Node Node Server
Set of links is called TOR TOR TOR TOR a circuit Node Node Node Node
By default TOR forwards to Exit node forwards to three nodes destination server Last node called exit node 10 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination
k1
TOR TOR TOR TOR Node Node Node Node k1, k2, k3
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR k2 Beforehand, user does key Node Node Node Node Server exchange separately with each node in circuit (no TOR TOR TOR TOR one else knows keys) Node Node Node Node Use DH k3 Have three keys: k1, k2, k3
11 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination k1 k k2 1
k3 TOR TOR TOR TOR Node Node Node Node k1, k2, k3
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR k2 Message encrypted three Node Node Node Node Server times Only first node can unlock TOR TOR TOR TOR first layer Node Node Node Node No one else can read k3 First node cannot read message or destination 12 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination
k1
TOR TOR TOR TOR Node Node Node Node k1, k2, k3 k2
TOR TOR TOR TORk 3 Node Node Node Node
User TOR TOR TOR TOR k2 First node decrypts outer Node Node Node Node Server layer Forwards message to TOR TOR TOR TOR second node Node Node Node Node Second node decrypts, but k3 cannot read message or destination 13 Forwards to exit node The Onion Router (TOR) obscures a message and the source and destination
k1
TOR TOR TOR TOR Node Node Node Node k1, k2, k3
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR k2 Third node decrypts Node Node Node Node Server outer layer k3 Learns message for TOR TOR TOR TOR destination server, but Node Node Node Node doesn’t know where message came from k3 originally (does know previous node) 14 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination
k1
TOR TOR TOR TOR Node Node Node Node k1, k2, k3
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR k2 Exit node forwards Node Node Node Node Server message to destination Response encrypted in TOR TOR TOR TOR reverse Node Node Node Node User receives back triple k3 Message encrypted message, only sent to one who can decrypt server 15 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination Knows user but not destination or message k1
TOR TOR TOR TOR Does not know Node Node Node Node user or destination k , k , k 1 2 3 or message TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR k2 If any node compromised, Node Node Node Node Server do not learn sender or destination TOR TOR TOR TOR Node Node Node Node All messages are of same size: 512 bytes k3 Knows destination and message, but not user 16 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I The Onion Router (TOR) obscures a message and the source and destination
TOR TOR TOR TOR Node Node Node Node k1, k2, k3
TOR TOR TOR TOR Node Node Node Node
User TOR TOR TOR TOR Downside: Node Node Node Node Server SLOW! TOR TOR TOR TOR If control both entry Node Node Node Node and exit nodes, could do traffic analysis to see who is talking to whom
17 Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I DEMO
Start TOR browser
Go to www.amazon.com (will be slow to load, but Amazon doesn’t know its me, but show me in Poland or else where)
See location by visiting https://ipapi.co/
18 Agenda
1. The Onion Router (TOR)
2. Transport Layer Security (TLS)
3. Virtual Private Networks (VPNs)
4. Signal/WhatsApp
19 Transport Layer Security (TLS) provides a secure channel between two parties
The secure channel has 3 properties: 1. Confidentiality: Nobody other than the two ends of the channel can see the actual content of the data transmitted 2. Integrity: Channel can detect any changes made to the data during transmission 3. Authentication: At least one end of the channel needs to be authenticated, so the other end knows with whom it is talking
TLS normally done between a client and a server (e.g., web browser and web server) TLS grew out of SSL • You will often hear people say SSL when they mean TLS • You’ll sometimes see SSL/TLS 20 Adapted from Computer & Internet Security by Du TLS sits between the Transport and Application layers
• Unprotected data is given to TLS by Application layer • TLS handles encryption, decryption and integrity checks • TLS gives protected data to Transport layer
21 Adapted from Computer & Internet Security by Du You can see the details in your browser
In Firefox • Click on lock in URL bar • Select More Information
Key exchange uses ECDHE
RSA for public key authentication of certificates 128-bit AES encryption using GCM SHA256 for hashing
128-bit keys
TLS version 1.2 22 TLS involves a handshake between client and server to agree upon parameters
Before a client and server can communicate securely, several things need to be set up first: • Encryption algorithm and key • MAC algorithm • Algorithm for key exchange
These cryptographic parameters need to be agreed upon by both the client and the server, otherwise connection is refused
23 TLS involves a handshake between client and server to agree upon parameters Client Server
Client sends “Client Hello” message to server with: • List of ciphers that it can use (e.g., AES) • Random nonce (to prevent replay attacks) • Max TLS version it can support (e.g., TLS 1.2, 1.3)
24 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses TLS involves a handshake between client and server to agree upon parameters Client Server
Server responds with “Server Hello” message to client with: • A decision on what cipher to use • Random nonce (to prevent replay attacks) • TLS version to use
25 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses TLS involves a handshake between client and server to agree upon parameters Client Server
Server sends its certificate (includes public key) Client verifies certificate (going up to root if needed) Client now knows server is the intended server Hello Done indicates the first portion of handshake is complete In some use cases, the client also sends a certification to server (typically not done on the web)
26 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses TLS involves a handshake between client and server to agree upon parameters Client Server
Client creates pre-master secret • Produces a random number to serve as the pre-master secret • Encrypts random number with server’s public key and sends to server
27 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses TLS involves a handshake between client and server to agree upon parameters Client Server
Server and client create 48-byte master secret by combining pre- master secret with nonces 28 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses TLS involves a handshake between client and server to agree upon parameters Client Server
Finish messages Each side checks exchanged by Finish message encrypting received matches summary of Finish they each messages calculated 29 Adapted from https://www.youtube.com/watch?v=86cQJ0MMses After handshake, client and server exchange encrypted data using records Data is transferred using records, each record contains a header and a payload
Indicates the type of data Message Authentication Code (MAC) Which TLS carried • Sender computes based on data version to • Alert How many and sequence number use • Application bytes are • Receiver computes MAC on data • 1.2 • Heartbeat in the and checks with received MAC • 1.3 • Change Cipher Spec payload • Detects if data modified
30 Remember TLS sits between the Application and Transport Layers
Sender Receiver • Takes data • Takes data from from TCP Application Layer Layer • Strips header • Adds header and decrypts and encrypts • Sends to payload Application • Sends record Layer to Transport Layer and down stack
31 Agenda
1. The Onion Router (TOR)
2. Transport Layer Security (TLS)
3. Virtual Private Networks (VPNs)
4. Signal/WhatsApp
32 Local Area Networks (LANs) are networks set up for a physical location Often people outside want access to LAN Devices set up • Work from home with addresses in • Travelling non-routable • Customer/partners range(e.g., 10.0.0.2 Could give devices routable IP 10.0.0.0/8 or address (or do port forwarding) 192.168.0.0/16) and open them to the Internet Device in local Problem? 10.0.0.3 area able to talk to • Increases attack surface! each other (router • Netscout found devices not shown) attacked within 5 minutes • Hard and crunchy on the 10.0.0.4 outside, software and Private LAN
chewy on the inside! 33 https://www.netscout.com/sites/default/files/2019-07/SECR_010_EN-1901%20%E2%80%93%20NETSCOUT%20Threat%20Report%201H%202019%20%E2%80%93%20Web.pdf Outside traffic that comes over the public Internet cannot be trusted
10.0.0.2
Internet
Remote Outside traffic comes over user the public Internet 10.0.0.3
Traffic could be captured, spoofed, or modified
10.0.0.4 Private LAN
34 Adapted from Computer & Internet Security by Du All traffic from outside to inside devices must come through VPN server
10.0.0.2
Internet VPN server Firewall Remote user 10.0.0.3 • Firewall blocks connections directly to inside devices (devices have not routable addresses here anyway!) • Connection must come through VPN server 10.0.0.4 Private LAN
35 Adapted from Computer & Internet Security by Du VPNs allow secure access to private LAN from outside as if device is inside
10.0.0.2
Internet VPN server Firewall Remote user 10.0.0.3 • VPN server exposed to outside • Can send/receive receive traffic through firewall • VPN authenticates outsiders, creates encrypted tunnel 10.0.0.4 Private LAN All other hosts on inside with non-routable addresses 36 Adapted from Computer & Internet Security by Du All traffic from outside to inside devices must come through VPN server
10.0.0.2
Internet VPN server Firewall Remote user 10.0.0.3 • Goals? • Confidential • Integrity • Authenticated • Will set up an encrypted tunnel between the remote user and 10.0.0.4 the private LAN Private LAN
37 Adapted from Computer & Internet Security by Du Transport Layer tunneling securely sends packets to another network in three steps VPN Client VPN Server
VPN client application encrypts IP packet VPN client app adds new headers addressed to VPN server Send packet over TLS connection to server Someone sniffing on Internet sees packet, but Original source and destination as does not know ultimate destination or data well as payload are encrypted TLS without VPN would reveal destination (here just see the VPN server as destination) 38 Adapted from Computer & Internet Security by Du This technique is called TLS tunneling Step 1: Establish a TLS tunnel
Internet Tunnel Tunnel app VPN client app exchanges app credentials (e.g., user name and password) with VPN VPN Client App VPN Server App server Header Data VPN server app Header Data authenticates client, client All traffic for app authenticates server All traffic for 10.0.8.0/24 10.0.7.0/24 Use TLS to encrypt traffic routed through routed through VPN Each TLS record sent with VPN MAC to prevent tampering Private network: 10.0.7.0/24 Private network: 10.0.8.0/24 39 Adapted from Computer & Internet Security by Du Step 2: Forward IP packets
New IP Data header Internet Tunnel Tunnel app app VPN client encrypts IP packet and adds new VPN Client App VPN Server App TCP/UDP header with Header Data VPN server as destination Header Data
All traffic for Packet routed across All traffic for 10.0.8.0/24 Internet using TLS 10.0.7.0/24 routed through connection from Step 1 routed through VPN VPN Private network: 10.0.7.0/24 Plaintext Private network: 10.0.8.0/24 40 Adapted from Computer & Internet Security by Du Encrypted Step 3: Release IP packets on the other network
New IP Data header Internet Tunnel Tunnel app app When packet arrives at VPN server, strip off new header, VPN Client App VPN Server App returning payload Header Data Payload is the encrypted Header Data Decrypt payload and verify All traffic for All traffic for 10.0.8.0/24 not changed, then send to 10.0.7.0/24 routed through destination on the other routed through network (10.0.8.0/24) VPN VPN Private network: 10.0.7.0/24 Private network: 10.0.8.0/24 41 Adapted from Computer & Internet Security by Du Apart from tunneling, VPNs can be used to bypass firewalls
Image a country has implemented a firewall to prevent access to some international Internet sites • Firewall looks at destination IP address
• Drops packet if address is on Facebook blacklist Say a country blocks Facebook
Internet
Country User Firewall VPN Server 42 Apart from tunneling, VPNs can be used to bypass firewalls
To bypass firewall • Establish VPN to server not on blocked list • Say VPN server is in another country and VPN server IP address not block by country firewall • Firewall cannot see real destination (e.g., Facebook) because IP headers encrypted inside VPN tunnel Facebook • Firewall only knows packet bound for VPN server • Traffic allowed by firewall
Internet
Country User Firewall VPN Server 43 Apart from tunneling, VPNs can be used to bypass firewalls
Traffic to/from Facebook comes from the VPN Country’s firewall allows server’s return traffic Facebook network Traffic is coming from IP address not on blacklist
Internet
Country Responses sent User Firewall back encrypted VPN Server over VPN tunnel 44 Agenda
1. The Onion Router (TOR)
2. Transport Layer Security (TLS)
3. Virtual Private Networks (VPNs)
4. Signal/WhatsApp
45 When sending messages, often an intermediary server can read text
Encrypted Server Encrypted Alice/Server Bob/Server
Server can decrypt traffic from both parties
Do you trust the server and its admins? Alice Bob If you don’t trust the server, better if things were end-to-end encrypted Problem: Alice and Bob might not be online at the same time Also, would like forward and backward secrecy Could use PGP, but hard to use 46 Signal is an app that uses built-in end-to- end (E2EE) encryption to send messages Alice to send message to Bob Bob generates Server IPK Alice gets pre-key B Identity key pair, SPK Signed key pair bundle with 1 IPKB Works if Alice and Bob B (signed with IPK ) one-time key SPK not online at same time OPK B B B1 and n one-time OPKBi Server cannot read OPKB2 key pairs … Alice has previously IPKA OPKBn generated identity key What if someone EPKA pair and now generates suddenly starts using ephemeral key Signal? KDF (DH(IPK ,SPK ) || DH(EPK ,IPK )||DH(EPK ,SPK )||DH(EPK ,OPK ) Alice A B A B A B A B Bob Concatenate results of DH using four different keys Bob does the same to Pass through Key Derivation Function (like hash) decrypt Use this as master key to create “ratchet” function Signal can visually confirm master that creates a new key for each message keys as QR code (if in same place)
Use RSA with message key, include IPKA and EPKA 47 Adapted from Security Engineering, 3rd Edition, by Ross Anderson https://www.whatsapp.com/security/ 48