
CS 55: Security and Privacy
Secure comms

https://xkcd.com/1810/

Do not forget about physical security
https://www.youtube.com/watch?v=nJu_-Iuppc0&start=21

Discussion
What properties would you like in "secure" communications?

Agenda
1. The Onion Router (TOR)
2. Transport Layer Security (TLS)
3. Virtual Private Networks (VPNs)
4. Signal/WhatsApp

Discussion
What is the difference between security and anonymity? Who needs anonymity?

Sometimes you don't want anyone to know you've sent a message or to whom
Degrees of anonymity, from Anonymous to Known:
• Anonymous: an observer cannot tell when a message is sent or not sent
• An observer can see that a message is sent but cannot be sure where it came from
• The sender is probably innocent if the sender is no more likely than not to be the originator of a message
• There is a non-trivial probability that the sender is not the node in question
• A sender whose communications can be identified is exposed
• Known: if the observer can demonstrate this exposure to other entities, the sender is provably exposed
(Prof. Palmer lecture notes)

When you log on to a server, anyone sniffing along the way can see the traffic
User -> Internet -> Server

The Onion Router (TOR) obscures a message and the source and destination
(Adapted from https://www.youtube.com/watch?v=QRYzre4bf7I)
• User wants to access server, but doesn't want anyone to know they are accessing that server
• Traffic is sent through a network of TOR nodes
• User picks a TOR node at random and forwards the message to it; the first node is called the entry node
• Each node forwards to another node
• By default TOR forwards through three nodes
• The set of links is called a circuit
• The last node is called the exit node; the exit node forwards to the destination server

Keys
• Beforehand, the user does a key exchange separately with each node in the circuit (no one else knows the keys)
• Uses DH
• Result: three keys, k1 (entry node), k2 (second node), k3 (exit node)

Sending a message
• Message is encrypted three times: innermost layer with k3, then k2, then k1
• Only the first node can unlock the first (outer) layer; no one else can read it
• First node cannot read the message or the destination; it decrypts the outer layer and forwards the message to the second node
• Second node decrypts its layer, but cannot read the message or the destination; it forwards to the exit node
• Third (exit) node decrypts the last layer and learns the message for the destination server, but doesn't know where the message came from originally (it does know the previous node)
• Exit node forwards the message to the destination server

Response
• Response is encrypted in reverse, one layer per node
• User receives back a triple-encrypted message; the user is the only one who can decrypt it

What each node knows
• Entry node: knows the user but not the destination or message
• Middle node: does not know the user, the destination, or the message
• Exit node: knows the destination and message, but not the user
• If any single node is compromised, the attacker does not learn both sender and destination
• All messages are of the same size: 512 bytes (so size cannot be used to track a message through the circuit)

Downsides
• SLOW!
• If an adversary controls both the entry and exit nodes, it can do traffic analysis (timing and volume correlation) to see who is talking to whom

DEMO
• Start TOR browser
• Go to www.amazon.com (will be slow to load; Amazon doesn't know it's me, but shows me in Poland or elsewhere)
• See location by visiting https://ipapi.co/

Transport Layer Security (TLS) provides a secure channel between two parties
(Adapted from Computer & Internet Security by Du)
The secure channel has 3 properties:
1. Confidentiality: Nobody other than the two ends of the channel can see the actual content of the data transmitted
2. Integrity: The channel can detect any changes made to the data during transmission
3. Authentication: At least one end of the channel needs to be authenticated, so the other end knows with whom it is talking
TLS is normally done between a client and a server (e.g., web browser and web server)
TLS grew out of SSL
• You will often hear people say SSL when they mean TLS
• You'll sometimes see SSL/TLS

TLS sits between the Transport and Application layers
• Unprotected data is given to TLS by the Application layer
• TLS handles encryption, decryption and integrity checks
• TLS gives protected data to the Transport layer

You can see the details in your browser
In Firefox:
• Click on the lock in the URL bar
• Select More Information
Example connection details:
• Key exchange uses ECDHE
• RSA for public key authentication of certificates
• 128-bit AES encryption using GCM (128-bit keys)
• SHA256 for hashing
• TLS version 1.2

TLS involves a handshake between client and server to agree upon parameters
Before a client and server can communicate securely, several things need to be set up first:
• Encryption algorithm and key
• MAC algorithm
• Algorithm for key exchange
These cryptographic parameters need to be agreed upon by both the client and the server; otherwise the connection is refused

Handshake steps (adapted from https://www.youtube.com/watch?v=86cQJ0MMses)
1. Client sends a "Client Hello" message to the server with:
• List of ciphers that it can use (e.g., AES)
• Random nonce (to prevent replay attacks)
• Max TLS version it can support (e.g., TLS 1.2, 1.3)
2. Server responds with a "Server Hello" message to the client with:
• A decision on what cipher to use
• Random nonce (to prevent replay attacks)
• TLS version to use
3. Server sends its certificate (includes its public key)
• Client verifies the certificate (going up the chain to a trusted root if needed)
• Client now knows the server is the intended server
• "Server Hello Done" indicates the first portion of the handshake is complete
• In some use cases, the client also sends a certificate to the server (typically not done on the web)
4. Client creates the pre-master secret
• Produces a random number to serve as the pre-master secret
• Encrypts the random number with the server's public key and sends it to the server
• (This is RSA key exchange. With ECDHE, as in the Firefox example above, the pre-master secret is the Diffie-Hellman shared secret instead, and the server's RSA key is only used to sign its DH share; TLS 1.3 removed RSA key exchange entirely.)
5. Server and client each create the 48-byte master secret by combining the pre-master secret with the two nonces
6. Finished messages are exchanged
• Each side sends an encrypted summary (hash) of all the handshake messages it saw
• Each side checks that the received Finished message matches the summary it calculated itself; a mismatch means someone tampered with the handshake (e.g., stripped ciphers from the Client Hello)

After the handshake, client and server exchange encrypted data using records
Data is transferred using records; each record contains a header and a payload
Header:
• Indicates the type of data carried: Alert, Application, Heartbeat, Change Cipher Spec
• Which TLS version is in use: 1.2, 1.3
• How many bytes are in the payload
Payload carries the data plus a Message Authentication Code (MAC):
• Sender computes the MAC over the data and the record sequence number
• Receiver computes the MAC on the data and checks it against the received MAC
• Detects if data was modified; because the sequence number is included, a replayed or reordered record is detected too
• With an AEAD cipher such as AES-GCM (the Firefox example above), the MAC is the authentication tag produced by the cipher rather than a separate HMAC

Remember TLS sits between the Application and Transport Layers
Sender:
• Takes data from the Application Layer
• Adds header and encrypts payload
• Sends record to the Transport Layer and down the stack
Receiver:
• Takes data from the TCP layer
• Strips header and decrypts
• Sends data to the Application Layer
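Worked example of the onion layering described in the TOR slides above. This is an added example written for this page, not code from the lecture or from the Tor project. It assumes the three per-hop keys k1, k2, k3 have already been established (the DH exchange the slides mention is not shown), and it uses a toy HMAC-SHA256 counter-mode keystream as a stand-in for Tor's AES-CTR, with no integrity protection. The hop names ("node2", "node3", "server"), the 16-byte next-hop field and the 2-byte length prefix are a constructed cell format for illustration; only the 512-byte fixed cell size comes from the slides. Each relay peels one layer, learns only where to forward, and re-pads so every link carries a 512-byte cell.

```python
import hmac
import hashlib

CELL_SIZE = 512   # every cell on every link is this size (Tor's fixed-size cells)
HOP_FIELD = 16    # bytes under each layer that name the next hop (constructed format)
LEN_FIELD = 2     # innermost plaintext starts with the message length (constructed format)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for Tor's AES-CTR).
    Each key is used for exactly one cell here, so the counter can start at 0."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one encryption layer: XOR with that hop's keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(path, message: bytes) -> bytes:
    """path = [(k1, "node2"), (k2, "node3"), (k3, "server")]: the key shared with
    each hop and where that hop should forward to. The innermost layer (k3) is
    applied first, so the outermost layer is the one the entry node removes."""
    body_size = CELL_SIZE - HOP_FIELD * len(path)
    inner = len(message).to_bytes(LEN_FIELD, "big") + message
    if len(inner) > body_size:
        raise ValueError("message does not fit in one cell")
    cell = inner.ljust(body_size, b"\x00")
    for key, next_hop in reversed(path):
        cell = xor_layer(key, next_hop.encode().ljust(HOP_FIELD, b"\x00") + cell)
    return cell  # exactly CELL_SIZE bytes


def peel(key: bytes, cell: bytes):
    """What one relay does: strip its layer, read where to forward, and re-pad to
    CELL_SIZE so the cell it sends on is the same size as the one it received.
    The padding decrypts to junk under the inner layers, which is harmless because
    the innermost plaintext carries its own length."""
    plain = xor_layer(key, cell)
    next_hop = plain[:HOP_FIELD].rstrip(b"\x00").decode()
    forwarded = plain[HOP_FIELD:].ljust(CELL_SIZE, b"\x00")
    return next_hop, forwarded


def exit_extract(forwarded: bytes) -> bytes:
    """Exit node: after peeling the last layer, recover the request for the server."""
    n = int.from_bytes(forwarded[:LEN_FIELD], "big")
    return forwarded[LEN_FIELD:LEN_FIELD + n]


def run_circuit(path, message: bytes):
    """Drive one cell through the circuit and record what each hop learns:
    the next hop, the size of the cell it forwards, and whether the plaintext
    request is visible to it."""
    cell = build_onion(path, message)
    trace = []
    for key, _ in path:
        next_hop, cell = peel(key, cell)
        trace.append({"next_hop": next_hop,
                      "cell_size": len(cell),
                      "sees_plaintext": message in cell})
    return trace, exit_extract(cell)


if __name__ == "__main__":
    # Constructed keys and request; in Tor each key would come from DH with that hop.
    circuit = [(b"\x01" * 32, "node2"), (b"\x02" * 32, "node3"), (b"\x03" * 32, "server")]
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    hops, recovered = run_circuit(circuit, request)
    for name, info in zip(["entry", "middle", "exit"], hops):
        print(name, info)
    print(recovered == request)
```

Only the exit sees the request, only the entry sees the user, and every hop forwards a cell of the same size. The toy keystream gives confidentiality only; a real relay cipher also needs integrity, which is why compromising a single hop here reveals no more than the slides say, but tampering by a hop would go undetected.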
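Worked example for handshake steps 4 to 6 above: deriving the 48-byte master secret from the pre-master secret and the two nonces, and computing the Finished verify_data that each side compares. This is an added example, not code from the lecture; it implements the TLS 1.2 PRF (P_SHA256, RFC 5246 section 5), the master secret derivation (section 8.1) and verify_data (section 7.4.9) from the standard library. The pre-master secret, nonces and handshake transcripts in the demo are constructed values; the function `simulate_handshake_end` is a stand-in for the end of the handshake and is not a TLS API.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random || ServerHello.random)[0..47]. Both nonces go in, so a
    replayed pre-master secret with fresh nonces yields a different master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """RFC 5246 section 7.4.9: verify_data = PRF(master_secret, finished_label,
    Hash(handshake_messages))[0..11]; label is b"client finished" or b"server finished".
    handshake_messages is the concatenation of every handshake message this side saw."""
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


def simulate_handshake_end(pre_master, client_random, server_random,
                           client_transcript, server_transcript):
    """Both sides derive the master secret from the same pre-master secret and
    nonces, then each computes verify_data over the transcript *it* saw.
    Returns True if the server accepts the client's Finished message."""
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)
    client_finished = finished_verify_data(client_master, b"client finished", client_transcript)
    expected = finished_verify_data(server_master, b"client finished", server_transcript)
    return hmac.compare_digest(client_finished, expected)


if __name__ == "__main__":
    # Constructed values: a 48-byte pre-master secret and two 32-byte nonces.
    pms = bytes(range(48))
    c_rand, s_rand = b"\xaa" * 32, b"\xbb" * 32
    hello = b"ClientHello: ciphers=[AES128-GCM, AES256-GCM, 3DES]"
    print(master_secret(pms, c_rand, s_rand).hex())
    print(simulate_handshake_end(pms, c_rand, s_rand, hello, hello))
    # A downgrade attacker rewrote the ClientHello in transit: transcripts differ.
    stripped = b"ClientHello: ciphers=[3DES]"
    print(simulate_handshake_end(pms, c_rand, s_rand, hello, stripped))
```

The second simulation shows why the Finished check exists: the attacker never learns the master secret, so it cannot forge a verify_data that matches the transcript the server actually saw, and the server rejects the handshake.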
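Worked example for the record slide above: the header, the MAC over data plus sequence number, and what the receiver's check catches. This is an added example, not code from the lecture; the MAC input follows RFC 5246 section 6.2.3.1 (seq_num || type || version || length || fragment) with HMAC-SHA256, and the 5-byte record header (type, version, length) is the real wire layout. Encryption of the payload is deliberately left out so the MAC is the only thing happening, and the `RecordSender`, `RecordReceiver` and `try_receive` names plus the sample key are constructed for this example. The receiver keeps its own sequence counter, which is never sent on the wire; that is what turns a modification check into a replay and reorder check as well.

```python
import hashlib
import hmac
import struct

CONTENT_APPLICATION_DATA = 23   # record type "Application"
TLS_1_2 = (3, 3)                # wire encoding of TLS 1.2
MAC_LEN = 32                    # HMAC-SHA256 output


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version, fragment: bytes) -> bytes:
    """MAC(key, seq_num || type || version || length || fragment), RFC 5246 6.2.3.1.
    seq_num is a 64-bit counter that both sides track but never transmit."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def send(self, fragment: bytes) -> bytes:
        """Build one record: 5-byte header, then payload = fragment || MAC."""
        mac = record_mac(self.mac_key, self.seq, CONTENT_APPLICATION_DATA, TLS_1_2, fragment)
        self.seq += 1
        payload = fragment + mac
        header = struct.pack("!BBBH", CONTENT_APPLICATION_DATA, TLS_1_2[0], TLS_1_2[1], len(payload))
        return header + payload


class RecordReceiver:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def receive(self, record: bytes) -> bytes:
        """Strip the header, recompute the MAC with *our* sequence number, compare."""
        if len(record) < 5:
            raise ValueError("truncated record")
        content_type, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
        payload = record[5:5 + length]
        if len(payload) != length or length < MAC_LEN:
            raise ValueError("truncated record")
        fragment, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq, content_type, (vmaj, vmin), fragment)
        if not hmac.compare_digest(mac, expected):
            # TLS sends a fatal bad_record_mac alert and tears the connection down.
            raise ValueError("bad_record_mac")
        self.seq += 1
        return fragment


def try_receive(receiver: RecordReceiver, record: bytes) -> str:
    """Return 'ok' or the alert name, so outcomes can be compared in one place."""
    try:
        receiver.receive(record)
        return "ok"
    except ValueError as e:
        return str(e)


def scenarios(mac_key: bytes):
    """Run the receiver against an honest stream and three tampered deliveries."""
    sender = RecordSender(mac_key)
    r1 = sender.send(b"GET /account HTTP/1.1\r\n")
    r2 = sender.send(b"POST /transfer amount=100\r\n")
    honest = RecordReceiver(mac_key)
    results = {"in_order": [try_receive(honest, r1), try_receive(honest, r2)]}
    results["replay_r2"] = try_receive(honest, r2)              # same bytes, seq now 2
    reordered = RecordReceiver(mac_key)
    results["reorder"] = try_receive(reordered, r2)             # r2 arrives first
    flipped = RecordReceiver(mac_key)
    tampered = r1[:5] + bytes([r1[5] ^ 0x01]) + r1[6:]          # one bit of the data changed
    results["bitflip"] = try_receive(flipped, tampered)
    return results


if __name__ == "__main__":
    # Constructed 32-byte MAC key; in TLS it is derived from the master secret.
    print(scenarios(b"\x42" * 32))
```

The replayed record is byte-for-byte valid, yet it fails: the receiver MACs it under sequence number 2 while the sender produced it under 1. With AES-GCM the same role is played by the authentication tag, and the sequence number feeds the nonce instead of the MAC input.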