Figure 8-1: Cryptographic System

Cryptographic Systems: Three Initial “Hand-Shaking” Phases

SSL/TLS, VPNs, and Kerberos Phase 1: Initial Negotiation of Security Parameters

Chapter 8 Client PC Phase 2: Server Mutual Authentication

Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Phase 3: Key Exchange or Key Agreement 1 2

Figure 8-2: Major Cryptographic Figure 8-1: Cryptographic System Systems

Layer Cryptographic System Phase 4: Ongoing Communication with Application Kerberos Message-by-Message Confidentiality, Authentication, Transport SSL/TLS and Message Integrity Client PC Internet IPsec Server Data Link PPTP, L2TP (really only a tunneling system) Not applicable. No messages are sent at this The Initial Hand-Shaking Stages are Very Brief Physical layer—only individual bits Almost All Messages are Sent During the Ongoing Exchange Phase

3 4

Figure 8-3: Virtual Private Network (VPN) Virtual Private Network (VPN) New Not in Book

Site-to-Site VPN

VPN Protected Protected VPN Internet Server Internet Server Server Server Server Corporate Corporate Host-to-Host VPN Site A Site B Hosts can communicate Remote Remote Directly with each other Remote Access Access Remote Client-Server Customer or VPN VPN Corporate PC Client-Client Supplier PC 5 6

1 Figure 8-4: SSL/TLS Operation Figure 8-4: SSL/TLS Operation

Applicant Verifier (Customer Client) (Merchant Server) Applicant Verifier (Customer Client) (Merchant Server) Protects All Application Traffic That is SSL/TLS-Aware 1. Negotiation of Security Options (Brief) SSL/TLS Works at Transport Layer

2. Merchant Authenticates Self to Customer Uses a Digital Certificate Customer Authentication is Optional and Uncommon

7 8

Figure 8-4: SSL/TLS Operation SSL/TLS VPNs New

Verifier Applicant „ Growing rapidly in popularity for remote access (Customer Client) (Merchant Server) { Easy to implement

„ Webservers already implement it 3. Client Generates Random Session Key Client Sends Key to Server Encrypted „ Clients already have browsers with Public Key Encryption „ If only using HTTP, very easy

„ Becoming popular

4. Ongoing Communication with Confidentiality and Merchant Digital Signatures

9 10

Figure 8-5: Point-to-Point Protocol (PPP) and

SSL/TLS VPNs New RADIUS for Dial-Up Remote Access

„ Growing rapidly in popularity for remote access Public Switched Remote Telephone Corporate PC { SSL/TLS gateways at sites allow more 2. OK? Network „ Single point of encryption for access to multiple webservers Dial-Up 1. Login Connection „ Output from some applications, such as Outlook RADIUS RAS 1 Remote and Outlook express, are “webified” so that they Username Server And Password Corporate PC can be delivered to browsers 2. OK? „ If browser will accept a downloaded add-in Corporate Dial-Up program, can get access to even more Site A applications RAS 2 Connection RAS = Remote Access Server 11 12

2 Figure 8-5: Point-to-Point Protocol (PPP) and RADIUS for Dial-Up Remote Access Figure 8-6: PPP Authentication

Remote Corporate PC No Authentication Is an Option

Dial-Up 3. OK 4. Welcome Connection RADIUS RAS 1 Remote Server Public Switched Corporate PC Server Client Telephone 3. No Network

Corporate Dial-Up Site A 4. Refuse RAS 2 Connection

13 14

Figure 8-6: PPP Authentication Figure 8-6: PPP Authentication

PAP Authentication CHAP Authentication

Authentication-Request Messages Challenge Message (Send Until Response) Response Message Authentication-Response Message Server Hash (Challenge Message + Secret) Client Server Client

Server computes hash of challenge message plus secret Poor Security: Usernames and Passwords If equals the response message, authentication is successful Are Sent in the Clear

15 16

Figure 8-6: PPP Authentication Figure 8-6: PPP Authentication

MS-CHAP Authentication EAP Authentication

Challenge Message Authenticate

Response Message Server Hash (Challenge Message + Password) Client Defer authentication; Server Will provide more information Client

CHAP, but with password as the secret. Widely used because allows password authentication Standard on Microsoft Windows client EAP defers authentication to a later process Only as secure as password strength Such as RADIUS authentication

17 18

3 Figure 8-7: PPP Encryption Figure 8-7: PPP Encryption

„ IETF Specifies DES and 3DES for PPP encryption

New PPP Trailer. Original PPP Frame. New PPP Header. „ Microsoft uses Microsoft Point-to-Point Plaintext. Encrypted. Plaintext. Encryption (MPPE) for its remote access servers

„ Increasingly, AES is being incorporated into PPP products New

19 20

Figure 8-8: PPP on Direct Links and Figure 8-8: PPP on Direct Links and Internets Internets

Verifier PPP Frame PPP Frame in IP Packet (Server) Connection over Internet Connection over Direct Link PPP Provides End-to-End Link

Applicant Verifier Applicant PPP Router Router (Client) (Server) (Client) Limited to First The PPP frame is encapsulated in an IP packet. Data Link This is the opposite of the normal practice (Network) The packet is carried in a separate Frame in each network along the route

21 22

Figure 8-8: PPP on Direct Links and Figure 8-9: Point-to-Point Tunneling Internets Protocol (PPP)

Note: IP Protocol 47 (GRE) Data Connection Local „ Tunneling Places the PPP Frame in an IP ISP Access Packet, Which Delivers the Frame. (Not Secure)

„ To the Receiver, Appears to be a Direct Link. Internet Remote RADIUS PPTP ISP Corporate „ Allows organization to continue using existing Server RAS PPTP TCP Port 1723 PC PPP-based security such as encryption and Corporate Supervisory Access authentication Site A Connection Concentrator (Vulnerable)

23 24

4 Figure 8-9: Point-to-Point Tunneling Figure 8-10: PPTP Encapsulation for Protocol (PPP) Data Frames New: Not in Book

Direct connection between PC and RAS

Enhanced General IP Protocol 47 (GRE) Data Connection New IP Header; Routing Protocol=47; Encapsulation Encapsulated IP Destination (GRE) Header; Original Frame Address Is That of Information About Remote Access Encapsulated Server Internet Packet RADIUS PPTP Remote Server RAS Corporate TCP Port 1723 PC Corporate Supervisory Site A Connection (Vulnerable) 25 26

Figure 8-11: Layer 2 Tunneling Protocol Figure 8-12: IPsec Operation: Tunnel (L2TP) and Transport Modes

DSL Access Multiplexer Client Transport Mode Internal L2TP (DSLAM) Running Site Server RAS with L2TP Site PPP Network Network Secure Connection L2TP Tunnel DSL

Local Extra Security Security Extra Network Carrier Network Software in Site in Site Software Secure on Required Network Network Required the Internet Note: L2TP does not provide security. It provides only tunneling. L2TP recommends the use of IPsec for security.

27 28

Figure 8-12: IPsec Operation: Tunnel Figure 8-12: IPsec Operation: Tunnel and Transport Modes and Transport Modes

Tunnel Mode Transport Mode IPsec IPsec Destination IP Address Orig. IP IPsec Protected Packet Site Server Server Site Tunneled Is Actual Address; Hdr Hdr Data Field Network Network Connection Vulnerable to Scanning

Tunnel Mode No No No No Security Destination IP Address is New IP IPsec Protected Security Secure on Extra Extra in Site IPsec Gateway Address Hdr Hdr Original Packet in Site the Internet Software Software Network Network Host IP Address Is not Revealed

29 30

5 Figure 8-13: IPsec ESP and AH Protection Modes and Protections

Confidentiality Encapsulating ESP AH IP ESP ESP Security Protected Confidentiality Authentication Payload Header Header Trailer Authentication Integrity Integrity Protocol = 50 Authentication and Message Integrity Transport Mode Possible Possible Protocol = 51 (End-to-End)

Authentication IP Authentication Protected Header Header Header Tunnel Mode Possible Possible Authentication and Message Integrity (IPsec Gateway to No Confidentiality Gateway) 31 32

Figure 8-14: IPsec Security Figure 8-15: Establishing IPsec Associations Security Associations Using IKE

2. Security Association (SA) for Transmissions from A to B Internet Key Exchange Security Association 3. Security Association (SA) UDP Port 500 For Transmission from B to A Party A (Can Be Different Than Party B Party A Party B A to B SA) 1. List of 1. List of Allowable Allowable First establish IKE association and IPsec SAs Security Security protected session Associations Associations Then create IPsec SAs within the Protection of the IKE session. IPsec Policy Server 33 34

Figure 8-16: Key-Hashed Message Figure 8-16: Key-Hashed Message Authentication Codes (HMACs) Authentication Codes (HMACs)

Shared Key Original Plaintext Receiver Redoes the HMAC Computation On the Received Plaintext Hashing with MD5, SHA1, etc. Shared Key Received Original Plaintext HMAC Key-Hashed Message Authentication Code (HMAC) Hashing with same algorithm.

Appended to Plaintext Before Transmission Computed HMAC Received HMAC HMAC Original Plaintext Note: There is no If computed and received HMACs are the same, encryption; only The sender must know the key and so is authenticated hashing 35 36

6 Figure 8-17: Kerberos Authentication Figure 8-17: Kerberos Authentication System System

Kerberos Server *TGT (Ticket-Granting Kerberos Server Key Distribution Center Ticket) is encrypted in a Key Distribution Center (K) way that only K can (K) decrypt. Contains information that K 1. Request for will read later. Ticket-Granting Ticket **Key nA (Network Login Key for A) is 2. Response: Abbreviations: encrypted with A’s TGT* A = Applicant Master Key (Key mA). Key nA** V = Verifier In future interactions K = Kerberos Server with K, A will use nA Verifier (V) to limit the master Verifier (V) Applicant (A) Applicant (A) key’s exposure. 37 38

Figure 8-18: Kerberos Ticket-Granting Figure 8-19: Kerberos Ticket-Granting Service: Part 1 Service: Part 2 *Authenticator (Auth) Kerberos Server *Authenticator is A’s encrypted with Key AV. IP address, user name, Key Distribution Center Kerberos Server and time stamp. This (K) Key Distribution Center **Service Ticket contains authenticator is encrypted Key AV encrypted with the 1. Request Service (K) with Key nA to prove that Verifier’s master key, Key mV. Ticket for V; TGT; A sent it. Authenticator* encrypted with **Key AV is a Key nA 3. Request for Connection: symmetric session Auth*; Service Ticket** 2. Response: key that A will use Key AV** encrypted with V. with Key nA; 5. Ongoing Communication with Key AV Service Ticket Applicant (A) Verifier (V) Verifier (V) 4. V decrypts Service Ticket; Applicant (A) Uses Key AV to test Auth 39 40

Figure 8-20: Placement of Firewalls and Figure 8-20: Placement of Firewalls Cryptographic Servers and Cryptographic Servers

„ Dilemma Not Internet Filtered { Firewalls must examine packet contents by Firewall { But a growing percentage of packets are being Some firewalls Cryptographic encrypted to prevent eavesdroppers from reading pass through encrypted Firewall packets in VPNs. Server them Filtered by Cryptographic server Firewall { Firewalls cannot filter encrypted packets without Comes after the firewall. decrypting them Firewall Creates No filtering can be done Holes for by the firewall. Cryptographic Internal Systems Host 41 42

7 Figure 8-20: Placement of Firewalls and Cryptographic Servers The Market Situation New

Alternatively, „ SSL/TLS is becoming very popular for remote Filtered Internet the cryptographic server access VPN service by can be placed Firewall before the firewall. { Built into browsers and servers already Cryptographic Firewall Server The firewall can filter { Users can access the network from any client the decrypted packets „ Home PCs, internet cafés, kiosks, etc. This leaves the cryptographic server Internal Can Open to open to attack Host Read Attack Decrypted If the firewall is taken Packets over, the hacker can read everything43 44

The Market Situation New The Market Situation New

„ SSL/TLS is becoming very popular for remote „ IPsec is Popular for Site-to-Site Networking access VPN service { In tunnel mode, no need to install software on { Works automatically for HTTP individual clients and servers

{ Other applications are harder „ For remote access, however, need software and configuration on client PC „ Some applications can be “webified”—each

output output can be incorporated as a webpage { Transparent to applications—no need to provide „ For other applications, a small program can be different applications differently downloaded to the client to add features

„ Non-HTTP applications are very time consuming to manage 45 46

Topics Covered Topics Covered

„ Cryptographic Systems „ Virtual Private Networks

{ Initial Hand-Shaking Phases { Secure communication over the Internet

„ Negotiation of parameters { Site-to-Site VPNs

„ Mutual authentication „ Between security gateways at each site

„ Key exchange of symmetric session key „ Must handle a large amount of intersite traffic

{ Ongoing Communication { Remote Access VPNs

„ Message-by-message confidentiality, „ To connect an individual user to a site authentication, and message integrity { Host-to-Host (not mentioned in the text) { Occur at several layers 47 48

8 Topics Covered Topics Covered

„ SSL/TLS „ SSL/TLS

{ Works at the transport layer { Negotiation of security parameters

{ Protects SSL/TLS-aware applications { Server authenticates self to client using digital „ Mostly HTTP certificate (usually not mutual authentication)

{ Widely used in e-commerce { Client generates random session key, sends to { Firms are beginning to use it for remote access server with public key exchange

„ HTTP access

„ Webified applications (e-mail)

„ With downloaded client program, even more 49 50

Topics Covered Topics Covered

„ Point-to-Point Tunneling Protocol (PPTP) „ Point-to-Point Tunneling Protocol (PPTP)

{ Traditional PPP remote access { PPTP Tunneling „ Dial-in using PPP at the data link layer „ Encapsulates PPP frame within a packet „ Remote access servers at site „ Packet travels to the RAS over the Internet „ Single RADIUS server holds authentication data „ This allows end-to-end PPP frame transfer { Usually client password „ Placing a message in another message is called „ PPP can only work over a single data link tunneling „ Will not work over the Internet, which has multiple data links along a route

51 52

Topics Covered Topics Covered

„ Point-to-Point Tunneling Protocol (PPTP) „ Point-to-Point Tunneling Protocol (PPTP)

{ PPTP Security { PPTP uses two connections

„ Based on PPP security „ GRE connection for carrying PPP frames (secure) „ Several forms of PPP authentication „ TCP Port 1723 supervisory connection (not { Some very weak secure!) { EAP allows advanced options

„ PPP confidentiality { PPTP gateways often get authentication data from { DES or MPPE (more recently, AES) a RADIUS server New

53 54

9 Topics Covered Topics Covered

„ Layer 2 Tunneling Protocol „ IP Security (IPsec)

{ Protocol for tunneling messages over the Internet { Internet layer security „ Transparently protects all upper layers { Has not security of its own „ Dominates site-to-site security today „ Assumes you will be using IPsec security at the internet layer „ The highest-security VPN

{ Tunnel versus Transport Mode

„ Gateway-to-gateway vs host-to-host

„ Ease of installation vs higher security

„ Tunnel mode dominates today 55 56

Topics Covered Topics Covered

„ IPsec „ IPsec

{ ESP versus AH { Key-Hashed Message Authentication Codes

„ ESP dominates (HMACs)

„ Both work with both tunnel and transport mode „ Used for message-by-message authentication

{ Security Associations „ Created using hashing, which is much faster than the public key encryption used with digital „ Policy-based restrictions on security parameters signatures in a connection

„ Two end points first set up IKE session { Within IKE protection, negotiate the SA

57 58

Topics Covered Topics Covered

„ Kerberos Cryptographic System „ Kerberos Cryptographic System

{ Complete cryptographic system { Complete cryptographic system

„ Known best for authentication { Authentication System (Initial Stage) „ Also does key exchange for subsequent „ Applicant gets a ticket-granting ticket confidential communication „ Applicant gets a key to use during a session for { Elements use with the Kerberos server „ Kerberos server

„ Applicant

„ Verifier 59 60

10 Topics Covered Topics Covered

„ Kerberos Cryptographic System „ Firewall Placement

{ Ticket-Granting Service { If place the firewall before the gateway server, „ Applicant sends ticket-granting ticket and name „ Will not be able to filter the encrypted of a verifier to which it would like to connect communication

„ Kerberos server sends back a symmetric „ Merely pass through the VPN traffic to the session key to use with the verifier gateway server „ Kerberos server also sends the applicant a { If after the gateway server, which decrypts traffic service ticket, which the applicant sends to the verifier „ Can filter the VPN traffic „ The service ticket gives the verifier the „ But the gateway server is not protected by the symmetric session key to use with the applicant firewall 61 62

Topics Covered

„ Market Situation

{ IPsec now dominates for site-to-site networking VPNs

{ SSL/TLS is beginning to dominate for remote access VPNs

63

11