Internet Security Protocols February 2018 Goals Network Security Protocols • Understandinggy how security can be added to the basic Internet protocols Prof. Bart Preneel • Understandingg TLS and its limitations COSIC • Understanding IPsec and its limitations Bart.Preneel(at)esatDOTkuleuven.be http://homes.esat.kuleuven.be/~preneel February 2018 © Bart Preneel. All rights reserved 2 Outline ItInternet tE Evolution lti ((prediction di ti ffrom 2000) 1800 Subscriptions worldwide (millions) • Internet summaryy mobile 1600 Mobile subscribers • IETF pprocess Fixed 1400 Mobile Internet • Basic principles 1200 FiFixed d Internet I t t 1000 mobile • Transport layer security Internet – SSL / TLS 800 subscribers 600 • Network layer security 400 – IPSecIPSec, VPNVPN, SSH 200 0 1995 2000 2005 2010 3 4 Internet evolution (prediction from 2015) The Internet - A Network of Networks • “IP is the protocol that integrates all infrastructures” Internet Workstation, Workstation, PC, Laptop, PC, Laptop, PDA, ... IP RRouter IP RRouter PDAPDA, ... NtNetwork kA A NtNetwork kB B NtNetwork kC C Fixed broadband: 2-3 users per subscription Mobile: multiple subscriptions per user various Ethernet DECT PSTN 2015: 3.3 billion internet users (world stats) transmission Token Ringg GSM ISDN technologies WLAN UMTS ATM 2020: 50 billion IOT devices (machine to machine) Powerline Satellites Frame Relay 5 6 Source: Ericcson Mobility Report June 2015 1 Internet Security Protocols February 2018 Internet Protocols Data Encapsulationp Applicationpp Layer y Applicationpp Layer y SMTP HTTP . Application SMTP HTTP . Application (Web, FTP, ... ) (Web, FTP, ... ) Transportp Data Data TCP/UDPC/ TCP/UDP Network Transport Layer Transport Transport Layer IP IP (TCP, UDP) (TCP, UDP) Transport Transport Header Data Header Data Link Link Network Layer Network Layer Network (IP) (IP) Transport Transport IP Header Data IP Header Data • Network Layer Header Header – Internet Protocol (IP) Network Access Network Access • TtLTransport Layer Layer Layer – Transmission Control Protocol (TCP), (TCP) User Datagram Protocol ()(UDP) Internet 8 7 Internet Standardization IETF Standards: St d d RFC – PProposed d StStandard d d (PS) • stable spec Experimental • ISOC/IAB/IESG/IETF • lowest level of standards track • Internet Engineering Task Force (IETF) – Draft Standard (DS) Proposed • IETF Working Groups • at least two independentp and – Mailing List Information interoperable implementations Draft std – Scope of the Working Group – Goals and Milestones – Standard (STD) Standard – CICurrent Internet Df&RFCDrafts & RFCs • widely,id l successfully f ll used d – http://www.ietf.org/html.charters/wgpg g-dir.html • RFCs Historic – http://www.rfc-editor.org – fftp://FTP.ISI.EDU/in //FTP ISI EDU/i -notes// 9 10 IETF Securityy Area IETF Intermediate I t di t ddocuments t Area Directors: Kathleen Moriarty and Eric Rescorla ACE Authentication and Authorizati Authorizationon for Constrained Environments • Request for Comments (RFCs) with different ACME Automated Certificate Management Environment CURDLE CURves, Deprecating and a Little more Encryption maturity levels dane DNS-based Authentication of Named Entities dkim Domain Keys Identified Mail – Experimental (E) DOTS DDoS Open Threat Signaling I2NSF Interface to Network Securityy Functions – IInformational f ti l (I) IPSECME IP Security Maintenance and Extensions jose Javascript Object Signing and Encryption – Historic (H) KITTENGSS-API Next Generation krb-wg Kerberos – Best Current Practice (BCP( ) – does not influence bits on the wire LAMPS LiLimited i d AddiAdditional i l MMechanisms h i ffor PKIX and d SMIME MILE Managed Incident Lightweight Exchange • Internet-Drafts (I( -D))g are working documents of the OAUTH Open Authentication A thentication working groups and have no formal status pkix Public-Key Infrastructure (X.509) SACM Security Automation and Continuous Monitoring • Protocol Status (requirement level) SECEVENTS Security Events TLS Transport Layer Security – "required", "recommended", "elective", TOKBIND Token Binding TRANS Public Notaryypy Transparency "limited use", se" or "not recommended” QUIC – “must”must and “should”should securityy work in other areas: Secure Inter-Domain Routing TCP increased security 11 ( DNS Extensions) 12 2 Internet Security Protocols February 2018 CommCommunications nications insecinsecurity rit A historical perspective (1) wireless • architectural errors 1900 data 1960 1980 1990 2000 – wrong trust assumptions – default = no security Vernam: rotor LFSR WLAN OTP machines • protocolp errors PAN 3GSM – unilateral entity authentication – weak entity authentication mechanism wired – downgrade attack 1900 data 1960 1980 1990 2000 block • modes of operation errors rangeg of wireless X25 TLS SSH – no authenticated encryption communication digital ciphers IPsec – wrong use of crypto is often encryption wired • cryptographicthi errors underestimated!dtitd! 1900voice 1960 1980 1990 2000 – weak crypto STU VoIP • implementation errors analog scramblers 13 14 A historical perspective (2) mobile Securityy Goals (started( in ISO 7498-2)) 1980 phones 1990 2000 2010 • confidentiality:fid i li AMPS GSM/TDMA 3G LTE – entities (anonimity) analog cloning, TDMA attacks on A5, – data scanners cloning COMP128 – traffic flow 1997 2002 2004 • (unilateral or mutual) entity authentication WLAN WEP WPA WPA2/802.11i • data authentication (connection-less or WEP WPA WPA2 connection-oriented): data origin authentication broken weak flaw + data integritygy • access control 1999 2007 PAN • non-repudiation of origin versus deniability Bluetooth Zigbee Bluetooth15 2.1 BlBluetooth t th problems bl 16 Securityy Protocols & Services Internet Security Protocols Electronic Commerce Layer PayPal, Ecash, 3D Secure ... • Cryptographic techniques: S-HTTP PGP PEM S/MIME PKIX – symmetricti encipherment i h t – message authentication mechanisms Transport Layer Security (SSH(SSH, SSL, TLS) SPKI – entity authentication mechanisms Transmission Control Protocol User Datagram Protocol (UDP) – key establishment mechanisms (e.g., combined (TCP) with entity authentication) IP/ IPSec (Internet Protocol Security) Public-Key Infrastructure SP hdr hd dtdata SP tltlr MAC • security services depend on the layer of integration: confidentiality – the mechanisms can only protect the payload and/or header integrity information available at this layer – header information of lower layers is not protected !! 17 18 3 Internet Security Protocols February 2018 Security:yy at which layer? SP Architecture I: Encapsulationp • Applicationpp layer: y unprotected data – closer to user – more sophisticated/granular controls SP hdr encrypted data MAC – end-to-end confidentiality – btbut what ht about b tfi firewalls? ll? integrity • Lower layer: – application independent • Bulk data: symmetric cryptography – hide traffic data – but vulnerable in middle points • Authenticated encryption: best choice is to • Combine? authenticate the ciphertext 19 20 SP Architecture II: Algorithm Selection Session (Association) Establishment "a la carte“ “suite” • each algorithm (encryption, • all parameters are encoded Host A Host B SP hdr encrypted data MAC integrity protectionprotection, pseudo- into a single suite number; random function, Diffie- negotiationgg consists of offering Hellman group, etc.) is one or more suites and having negotiatedti t d iindependently d d tl ththe other th side id choose h Securityy Associations • less compact to encode • simpler and more compact to (Security Parameters incl. Shared Keys) • more flexible encode • potentially exponential numberbfit of suites • less flexible Key Management and Security Association Establishment Protocols • e.g.,g, IKEv1 • e.g., TLS and IKEv2 21 22 SSL/TLS Protocols Secure Browser WWW Server http:// https:// Transportpy layer security y SSL SSL Transport System Transport System HTTP over SSL SSL / TLS HTTP – connection-oriented data confidentialityy and integrity, and optional client and server authentication. 24 4 Internet Security Protocols February 2018 Transport Layer Security Protocols SSL / TLS Application • IETF Working W ki GGroup: Data Transportpy Layer Security y() (tls) Application • Mainlyyy in context of WWW security, i.e., to – RFC 2246 (PS), 01/99 Encapsulation Negotiation secure the HyperText Transfer Protocol TLS Authentication Decapsulation • transparent secure channelshl Key Establishment independentpp of the respective (HTTP) application. TCP • TLS: security at the transport layer Protected Handshake • availableil bl protocols: l Data – can be used (and is intended) for other applications too IP – Secure Shell (SSH), (IMAP(IMAP, telnet, telnet ftp, ftp …) ) SSH Ltd. – Secure Sockets Layer (SSL)(SSL), – end-to-end secure channel,,g but nothing more... Netscape – data is only protected during communication – Transport Layer Security – no non-repudiation! (TLS), IETF 25 26 SSL/TLS SSL/TLS DDeployment l t more dildetails: h//llb/lhttps://www.ssllabs.com/ssl-pulse/l/ • “Secure Sockets Layer”Layer (Netscape) TLSS11 1.1 and d12d 1.2 deployment l very slow l (about ( b 25% 2 % of f servers in i – SSL 2.0 (1995):() security y flaws! FebFeb. 14); boost in Nov. Nov 2013 (new attacks + Snowden revelations) – SSL 3.0 (1996): still widely used - not interoperable with TLS 1.0 • “T“Transport t LLayer SSecurity” it ” (IETF) – TLS 1.0 (01/99)()p adopted SSL 3.0 with minor changes g - RFC 2246 - default DSA/3DES Status is – TLS 11.1 1 (4/2006) - RFC 4346 – default: RSA/3DES; several fixes improving for padding oracle and