Public Key Infrastructure
Network Security Architectures G Mutual authentication of participants in a Part 1 Fundamentals transaction requires a system of identities G Principals are identified by public keys G These keys can be used for authentication, Summer School on Software Security but only if “spoofing” is prevented Theory to Practice G A Public Key Infrastructure (PKI) provides a basis for establishing trust Carl A. Gunter University of Pennsylvania Summer 2004
PKI Systems X.509 Certificates
G Three Philosophies
‹ Hierarchy X.509 certificates bind a subject to a public key. Chaining Certificate Management G Distribution: How to G Revocation: Terminate find a certificate certificates before Subject Joe Smith ‹ Certificate accompanying their expiration time. signature or as part of a ‹ How does the relying Joe‘s Key Subject‘s Key protocol party know that the ‹ Directory service certificate has been Philly CA Issuer < DAP revoked? < LDAP ‹ Many CRL distribution Philly CA < DNS strategies proposed ‹ Email ‹ Mitre report for NIST Philly CA Key ‹ Cut and paste from web suggests certificate Pennsylvania CA pages revocation will be the Pennsylvania CA largest maintenance cost Pennsylvania CA Key for PKIs USA CA 1 Semantics of CRL’s Adoption of PKI G Three certificates. G Problems G Areas of Progress Revoke 1. Q says P is the public key of Alice. ‹ Revocation ‹ SSL 2. R says P is the public key of Alice. ‹ User ability to deal ‹ Authenticode with keys 3. Q says R is the public key of Bob. ‹ SSH ‹ Registration G ‹ Smart cards for Three kinds of revocation. (challenge for all government 1. P is not the public key of Alice. (3 not 2.) authentication employees techniques) 2. Q no longer vouches for whether P is the ‹ Web services public key of Alice. (2 and 3.) ‹ Weak business model 3. The key of Q has been compromised. (2 not 3.) 1998 Fox and LaMacchia Internet Layers Challenges for Network Security 1. Physical G Sharing 2. Link G Complexity 3. Network G Scale 4. Transport G Unknown perimeter 5. Application G Anonymity G Unknown paths Security at Layers Network Layer Security G Physical G Transport ‹ Locked doors ‹ SSL and TLS ‹ Spread spectrum G Application HTTP FTP SMTP ‹ Tempest ‹ S/MIME G Link ‹ XMLDSIG and WS security ‹ WEP TCP ‹ Access control ‹ GSM systems for web G Network pages, databases, and IP/IPSec file systems ‹ Firewalls ‹ IPSec 2 Transport Layer Security Application Layer Security HTTP FTP SMTP S/MIME PGP SET SSL or TLS Kerberos SMTP HTTP TCP UDP TCP IP IP Division of Labor in the Internet TCP/IP Protocol Stack Hosts Host Router Router Host Routers Networks Application Application Transport Transport Network Network Network Network Link Link Link Link Physical Physical Physical Physical Communication Processing Flow Typical Patchwork App1 App2 App1 App2 App1 App2 App1 App2 Transport Transport Transport Transport Network Network Network Network Network Network Network Network Link Link Link Link Link Link Link Link Link Link Link Link Physical Phys Phys Phys Phys Physical Physical Phys Phys Phys Phys Physical 3 Physical Layer Protection Issues Encapsulation G Hide signal Link Layer Frame ‹ Spread spectrum G Emission security ‹ Radio emissions (Tempest) Link IP TCP Application Link ‹ Power emissions Network Layer Transport Layer Application Layer Header Header Payload One Hop Link Layer Encryption Link Layer Encryption Host Router Router Host Encrypted Application Application Link IP TCP Application Link Transport Transport Network Network Network Network Link Link Link Link Link Link End-to-End Network Security Network Layer Transport Mode Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link IP Hdr TCP Application Tlr Link 4 VPN Gateway Network Layer Tunnel Mode Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link New IP Hdr IP TCP Application Tlr Link Layer 3 Implementation Options Modular Implementation: Bump In The Stack (BITS) G Location ‹ Host App1 App2 App1 App2 ‹ Network G Style Transport ‹ Integrated Network Transport ‹ Modular (for tunnel mode) Security Network Net + Sec Network Link Link Link Link Modular Implementation: Implementation Options: Bump In The Wire (BITW) Integrated on Host App1 App2 App1 App2 App1 App2 App1 App2 Transport Security Security Transport Transport Transport Network Network Network Network Net + Sec Network Network Net + Sec Link Link Link Link Link Link Link Link 5 Implementation Options: Network Security Location Options Integrated on Router Application Application App1 App2 App1 App2 Transport Transport End-to-End Transport Network Network Network Network Link Link Link Link Application Application Transport Transport Transport Transport Voluntary Tunnel Network Network Network Network Network Net + Sec Net + Sec Network Link Link Link Link Link Link Link Link Application Application Transport Transport Network Network Network Network Involuntary Tunnel Link Link Link Link Transport Layer Security Transport Layer Encryption Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link IP TCP RH Application Link Link IP TCP App Link Message Processing Sequence Application Layer Security Link IP TCP Application Link App1 App2 App1 App2 App2 Sec App2 Sec Transport Transport Encrypted Network Network Network Network Link IP Key ID TCP Application Link Link Link Link Link 6 Link Layer Security Network Layer Security G Advantages: G Advantages ‹ Transparent to applications ‹ Transparent to applications ‹ Hardware solution possible ‹ Amenable to hardware ‹ Can address especially vulnerable links (viz. ‹ Flexible wireless) G Disadvantages G Disadvantages: ‹ Makes routing more complex ‹ Hop-by-hop protection causes multiple ‹ Flexibility introduces policy management applications of crypto operations and compatibility challenges ‹ May not provide end to end security Transport Layer Security Application Layer Security G Advantages G Advantages ‹ Transparent to applications and may be ‹ Customized to application packaged with applications ‹ Requires no special protocol stack ‹ Exposing TCP enables compression and QoS (transparent to networking) classification G Disadvantages: G Disadvantages ‹ Hard to share between applications (viz. ‹ Probably implemented in software standardization challenge) ‹ Exposing TCP risks DoS Protocols to Software Secure Socket Layer (SSL) G There are important differences G Session protocol with: between theoretical descriptions, ‹ Server authentication ‹ Client authentication optional standards and software ‹ Integrity checksum ‹ Evolution (versions, extensibility) ‹ Confidentiality G Possibly the most important security-related ‹ Interoperability (options, negotiation) ecommerce protocol ‹ Error modes G Session sets up security parameters G Two brief case studies G Many connections possible within a given session G ‹ Transport Layer Security (TLS) Current version TLS 1.0 http://www.ietf.org/rfc/rfc2246.txt ‹ Network layer security (Ipsec) 7 X.509 Key Est. Messages Establish Security Capabilities G Let DA = EB(k), rA, LA, A. Client Server G Let DB = rB, LB, rA, A Client Hello G Two messages: Time 1. A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2. B -> A : certB, DB, SB(DB) Server Hello Check the rA and A. Check that rB has not been seen and is not expired according to LB. Server Auth & Key Exchange Client Auth & Key Exchange Client Server Client Server Certificate Time Time Certificate Optional Client Key Exchange Server Key Exchange Optional Certificate Verification Certificate Request Server Hello Done Optional Client Auth & Key Exchange IPsec ClientChange Cipher Spec Server G Modes G Configurations ‹ Tunnel ‹ End-to-end Time Finish ‹ Transport ‹ Concatenated G Protocols ‹ Nested ‹ Authenticated G Principal elements Header (AH) ‹ Security ‹ Encapsulated Associations (SAD) Change Cipher Spec Security Payload ‹ Internet Key Finish (ESP) Exchange (IKE) ‹ Policy (SPD) 8 Typical Case Encapsulated Security Header and Trailer S 0-7 8-15 16-23 23-31 Security Parameter Index (SPI) Client Internet Sequence Number Initialization Vector G ESP S ESP Gateway Corporate Network Protected Data S Pad Pad Length Next Header Server Authentication Data Security Association SA Parameters (ESP Only) G An SA describes the parameters for G Sequence number, Sequence number processing a secured packet from one overflow, Anti-replay window node to another G Lifetime G SAs are simplex: use one for each G Mode direction G Tunnel destination G If more than one SA is used for a G PMTU packet the applicable SAs are called an G “SA bundle” Encryption algorithm (IV, etc.) G Authentication algorithm Policy SPD Actions G Policy is not standardized in IPSec but G Discard certain basic functionality is expected G Bypass IPsec G A Security Policy Database (SPD) is G Apply IPsec: SPD must specify the consulted to determine what kind of security services to be provided. security to apply to each packet ‹ For inbound traffic it is inferred from: G The SPD is consulted during the destination address, protocol, SPI. processing of all traffic: ‹ For outbound traffic this is done with a ‹ Inbound and outbound selector. ‹ IPSec and non-IPSec 9 Selectors IPsec Processing: Outbound G Selectors are predicates on packets G Use selectors in SPD to determine drop, that are used to map groups of packets bypass, or apply to SAs or impose policy G If apply, determine whether an SA or SA bundle for the packet exists G They are similar to firewall filters ‹ If yes, then apply all appropriate SAs before G Selector support dispatching ‹ Destination and source IP addresses ‹ If no, then create all necessary SAs. Apply these when done before dispatching ‹ Name (DNS, X.509) ‹ Source and destination ports (may not be available on inbound ESP packets; use inner header for inbound tunnel mode) IPsec Processing: Inbound Internet Key Exchange (IKE) G If there are no IPsec headers check G Motivating problem: Security settings SPD selectors to determine processing (SAs) must be highly configurable discard, bypass, or apply G Solutions: G If apply, then drop ‹ Let network administrator manually G If there are IPsec headers, apply SA configure SA (most common) ‹ Provide mechanism to allow automatic determined by SPI, destination, negotiation and configuration protocol G Can be found at: G Use selectors on result to retrieve http://ietf.org/internet- policy and confirm correct application drafts/draft-ietf-ipsec-ikev2-13.txt G IKEv2 Current as of March 22, 2004 Station to Station Protocol High-level view 1. A -> B : YA (Diffie-Hellman public key) G Requester: Responder: Calculate k. G IKE_SA_INIT --> 2. B –> A : YB, E(k, SB(YB, YA)) G <-- IKE_SA_INIT Calculate k, use it to decrypt the G IKE_AUTH --> signature, check the signature using the G <-- IKE_AUTH verification function of B and known values YB, YA. ‹ These are mandatory message exchange pairs, and must be executed in this order. 3. A -> B : E(k, SA(YA, YB)) Decrypt the signature and check it using the verification function of A. 10 High-level view Changes from IKEv1 G Initiator: Responder: G 4 initialization messages instead of 8 G CREATE_CHILD_SA --> G Decrease latency in common case of 1 G <-- CHILD_SA by piggybacking this onto initial CREATE_CHILD_SA message exchanges G Protocol is reliable (all messages are G INFORMATIONAL --> acknowledged and sequenced) G <-- G Cookie exchange option ensures that the INFORMATIONAL responder does not have to commit state ‹ These messages are optional and can be until initiator proves it can accept messages sent by either party at any time. Summary G PKI provides potential scalable identities for the Internet but adoption has been difficult G Network protocols are designed in layers; security can be provided at multiple layers with various tradeoffs G Theoretical protocols differ in significant ways from Internet standards and software 11