Public Key Infrastructure Network Security Architectures G Mutual authentication of participants in a Part 1 Fundamentals transaction requires a system of identities G Principals are identified by public keys G These keys can be used for authentication, Summer School on Software Security but only if “spoofing” is prevented Theory to Practice G A Public Key Infrastructure (PKI) provides a basis for establishing trust Carl A. Gunter University of Pennsylvania Summer 2004 PKI Systems X.509 Certificates G Three Philosophies Hierarchy X.509 certificates bind a subject to a public key. <ITU X.509 (DAP, PKIX) This binding is signed by a Certificate Authority (CA). <DNS Web of Trust Subject Name <PGP Ad hoc Subject Public Key <SSH CA Name <Most research studies CA Signature Chaining Certificate Management G Distribution: How to G Revocation: Terminate find a certificate certificates before Subject Joe Smith Certificate accompanying their expiration time. signature or as part of a How does the relying Joe‘s Key Subject‘s Key protocol party know that the Directory service certificate has been Philly CA Issuer < DAP revoked? < LDAP Many CRL distribution Philly CA < DNS strategies proposed Email Mitre report for NIST Philly CA Key Cut and paste from web suggests certificate Pennsylvania CA pages revocation will be the Pennsylvania CA largest maintenance cost Pennsylvania CA Key for PKIs USA CA 1 Semantics of CRL’s Adoption of PKI G Three certificates. G Problems G Areas of Progress Revoke 1. Q says P is the public key of Alice. Revocation SSL 2. R says P is the public key of Alice. User ability to deal Authenticode with keys 3. Q says R is the public key of Bob. SSH Registration G Smart cards for Three kinds of revocation. (challenge for all government 1. P is not the public key of Alice. (3 not 2.) authentication employees techniques) 2. Q no longer vouches for whether P is the Web services public key of Alice. (2 and 3.) Weak business model 3. The key of Q has been compromised. (2 not 3.) 1998 Fox and LaMacchia Internet Layers Challenges for Network Security 1. Physical G Sharing 2. Link G Complexity 3. Network G Scale 4. Transport G Unknown perimeter 5. Application G Anonymity G Unknown paths Security at Layers Network Layer Security G Physical G Transport Locked doors SSL and TLS Spread spectrum G Application HTTP FTP SMTP Tempest S/MIME G Link XMLDSIG and WS security WEP TCP Access control GSM systems for web G Network pages, databases, and IP/IPSec file systems Firewalls IPSec Transport Layer Security Application Layer Security HTTP FTP SMTP S/MIME PGP SET SSL or TLS Kerberos SMTP HTTP TCP UDP TCP IP IP Division of Labor in the Internet TCP/IP Protocol Stack Hosts Host Router Router Host Routers Networks Application Application Transport Transport Network Network Network Network Link Link Link Link Physical Physical Physical Physical Communication Processing Flow Typical Patchwork App1 App2 App1 App2 App1 App2 App1 App2 Transport Transport Transport Transport Network Network Network Network Network Network Network Network Link Link Link Link Link Link Link Link Link Link Link Link Physical Phys Phys Phys Phys Physical Physical Phys Phys Phys Phys Physical 3 Physical Layer Protection Issues Encapsulation G Hide signal Link Layer Frame Spread spectrum G Emission security Radio emissions (Tempest) Link IP TCP Application Link Power emissions Network Layer Transport Layer Application Layer Header Header Payload One Hop Link Layer Encryption Link Layer Encryption Host Router Router Host Encrypted Application Application Link IP TCP Application Link Transport Transport Network Network Network Network Link Link Link Link Link Link End-to-End Network Security Network Layer Transport Mode Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link IP Hdr TCP Application Tlr Link 4 BPN Gateway Network Layer Tunnel Mode Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link New IP Hdr IP TCP Application Tlr Link Layer 3 Implementation Options Modular Implementation: Bump In The Stack (BITS) G Location Host App1 App2 App1 App2 Network G Style Transport Integrated Network Transport Modular (for tunnel mode) Security Network Net + Sec Network Link Link Link Link Modular Implementation: Implementation Options: Bump In The Wire (BITW) Integrated on Host App1 App2 App1 App2 App1 App2 App1 App2 Transport Security Security Transport Transport Transport Network Network Network Network Net + Sec Network Network Net + Sec Link Link Link Link Link Link Link Link 1 Implementation Options: Network Security Location Options Integrated on Router Application Application App1 App2 App1 App2 Transport Transport End-to-End Transport Network Network Network Network Link Link Link Link Application Application Transport Transport Transport Transport Voluntary Tunnel Network Network Network Network Network Net + Sec Net + Sec Network Link Link Link Link Link Link Link Link Application Application Transport Transport Network Network Network Network Involuntary Tunnel Link Link Link Link Transport Layer Security Transport Layer Encryption Host Router Router Host Link IP TCP Application Link Application Application Transport Transport Network Network Network Network Encrypted Link Link Link Link Link IP TCP RH Application Link Link IP TCP App Link Message Processing Sequence Application Layer Security Link IP TCP Application Link App1 App2 App1 App2 App2 Sec App2 Sec Transport Transport Encrypted Network Network Network Network Link IP Key ID TCP Application Link Link Link Link Link C Link Layer Security Network Layer Security G Advantages: G Advantages Transparent to applications Transparent to applications Hardware solution possible Amenable to hardware Can address especially vulnerable links (viz. Flexible wireless) G Disadvantages G Disadvantages: Makes routing more complex Hop-by-hop protection causes multiple Flexibility introduces policy management applications of crypto operations and compatibility challenges May not provide end to end security Transport Layer Security Application Layer Security G Advantages G Advantages Transparent to applications and may be Customized to application packaged with applications Requires no special protocol stack Exposing TCP enables compression and QoS (transparent to networking) classification G Disadvantages: G Disadvantages Hard to share between applications (viz. Probably implemented in software standardization challenge) Exposing TCP risks DoS Protocols to Software Secure Socket Layer (SSL) G There are important differences G Session protocol with: between theoretical descriptions, Server authentication Client authentication optional standards and software Integrity checksum Evolution (versions, extensibility) Confidentiality G Possibly the most important security-related Interoperability (options, negotiation) ecommerce protocol Error modes G Session sets up security parameters G Two brief case studies G Many connections possible within a given session G Transport Layer Security (TLS) Current version TLS 1.0 http://www.ietf.org/rfc/rfc2246.txt Network layer security (Ipsec) 7 0.509 Key Est. Messages Establish Security Capabilities G Let DA = EB(k), rA, LA, A. Client Server G Let DB = rB, LB, rA, A Client Hello G Two messages: Time 1. A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2. B -> A : certB, DB, SB(DB) Server Hello Check the rA and A. Check that rB has not been seen and is not expired according to LB. Server Auth & Key Exchange Client Auth & Key Exchange Client Server Client Server Certificate Time Time Certificate Optional Client Key Exchange Server Key Exchange Optional Certificate Verification Certificate Request Server Hello Done Optional Client Auth & Key Exchange IPsec ClientChange Cipher Spec Server G Modes G Configurations Tunnel End-to-end Time Finish Transport Concatenated G Protocols Nested Authenticated G Principal elements Header (AH) Security Encapsulated Associations (SAD) Change Cipher Spec Security Payload Internet Key Finish (ESP) Exchange (IKE) Policy (SPD) 8 Typical Case Encapsulated Security Header and Trailer S 0-7 8-15 16-23 23-31 Security Parameter Index (SPI) Client Internet Sequence Number Initialization Vector G ESP S ESP Gateway Corporate Network Protected Data S Pad Pad Length Next Header Server Authentication Data Security Association SA Parameters (ESP Only) G An SA describes the parameters for G Sequence number, Sequence number processing a secured packet from one overflow, Anti-replay window node to another G Lifetime G SAs are simplex: use one for each G Mode direction G Tunnel destination G If more than one SA is used for a G PMTU packet the applicable SAs are called an G “SA bundle” Encryption algorithm (IV, etc.) G Authentication algorithm Policy SPD Actions G Policy is not standardized in IPSec but G Discard certain basic functionality is expected G Bypass IPsec G A Security Policy Database (SPD) is G Apply IPsec: SPD must specify the consulted to determine what kind of security services to be provided. security to apply to each packet For inbound traffic it is inferred from: G The SPD is consulted during the destination address, protocol, SPI. processing of all traffic: For outbound traffic this