CHAPTER 10
REAL-WORLD PROTOCOLS
SSH
SECURE SOCKET LAYER
IPSEC
KERBEROS
CHAPTER 10 REAL WORLD SECURITY PROTOCOLS PREPARED BY: DR. MUHAMMAD IQBAL HOSSAIN 1
REAL TIME SECURITY COMM
◼ Real time protocol
◼ The parties negotiate interactively to authenticate each other and establish a session key
◼ Security Association (SA)
◼ The conversation is protected with that session key
REAL-WORLD PROTOCOLS
◼ Next, we’ll look at specific protocols
◼ SSH ⎯ a simple & useful security protocol
◼ SSL ⎯ practical security on the Web
◼ IPSec ⎯ security at the IP layer
◼ Kerberos ⎯ symmetric key, single sign-on
◼ WEP ⎯ “Swiss cheese” of security protocols
◼ GSM ⎯ mobile phone (in)security
SECURE SHELL (SSH)
SSH
◼ Creates a “secure tunnel”
◼ Insecure commands sent through the SSH tunnel are then secure
◼ SSH used with things like rlogin
◼ Why is rlogin insecure without SSH?
◼ Why is rlogin secure with SSH?
◼ SSH is a very simple protocol
SSH
◼ SSH authentication can be based on…
◼ Public keys, or
◼ Digital certificates, or
◼ Passwords
◼ Here, we consider certificate mode
◼ Other modes in homework problems
◼ We consider slightly simplified SSH…
SIMPLIFIED SSH
1. Alice → Bob: Alice, CP, RA
2. Bob → Alice: CS, RB
3. Alice → Bob: g^a mod p
4. Bob → Alice: g^b mod p, certificateB, SB
5. Alice → Bob: E(Alice, certificateA, SA, K)
◼ CP = “crypto proposed”, and CS = “crypto selected”
◼ H = h(Alice,Bob,CP,CS,RA,RB,g^a mod p,g^b mod p,g^(ab) mod p)
◼ SB = [H]Bob
◼ SA = [H, Alice, certificateA]Alice
◼ K = g^(ab) mod p
MIM ATTACK ON SSH?
1. Alice → Trudy: Alice, RA; Trudy → Bob: Alice, RA
2. Bob → Trudy: RB; Trudy → Alice: RB
3. Alice → Trudy: g^a mod p; Trudy → Bob: g^t mod p
4. Bob → Trudy: g^b mod p, certB, SB; Trudy → Alice: g^t mod p, certB, SB
5. Alice → Trudy: E(Alice,certA,SA,K); Trudy → Bob: E(Alice,certA,SA,K)
◼ Where does this attack fail?
◼ Alice computes:
◼ Ha = h(Alice,Bob,CP,CS,RA,RB,g^a mod p,g^t mod p,g^(at) mod p)
◼ But Bob signs:
◼ Hb = h(Alice,Bob,CP,CS,RA,RB,g^t mod p,g^b mod p,g^(bt) mod p)
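Added example (not part of the original slides): the hash comparison above, computed for an honest run and for a run in which both sides see g^t mod p in place of the peer's value. SHA-256 stands in for h, the group parameters P and G are toy values, and Bob's signature is abstracted away: SB verifies for Alice only if the H she computes equals the H Bob signed. All function and variable names are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only
# (far too small and unvetted for real use).
P = 2**127 - 1
G = 3

def transcript_hash(ra, rb, ga, gb, shared, cp=b"CP", cs=b"CS"):
    """H = h(Alice,Bob,CP,CS,RA,RB,g^a mod p,g^b mod p,g^(ab) mod p)."""
    h = hashlib.sha256()
    for field in (b"Alice", b"Bob", cp, cs, ra, rb,
                  str(ga).encode(), str(gb).encode(), str(shared).encode()):
        # Length-prefix each field so field boundaries are unambiguous.
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def run_handshake(relay_in_middle):
    """Return True if the H Alice computes matches the H Bob signed."""
    ra, rb = secrets.token_bytes(16), secrets.token_bytes(16)
    a, b, t = (secrets.randbelow(P - 3) + 2 for _ in range(3))
    ga, gb, gt = pow(G, a, P), pow(G, b, P), pow(G, t, P)
    # The Diffie-Hellman value each side receives from "the peer".
    seen_by_alice = gt if relay_in_middle else gb
    seen_by_bob = gt if relay_in_middle else ga
    # Bob hashes (and signs) his own view of the exchange.
    h_bob = transcript_hash(ra, rb, seen_by_bob, gb, pow(seen_by_bob, b, P))
    # Alice recomputes H from her view before checking SB.
    h_alice = transcript_hash(ra, rb, ga, seen_by_alice, pow(seen_by_alice, a, P))
    return h_alice == h_bob
```

run_handshake(False) corresponds to the simplified SSH exchange and run_handshake(True) to the Ha/Hb case on this slide.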
SECURE SOCKET LAYER
SOCKET LAYER
◼ “Socket layer” lives between application and transport layers
◼ SSL usually lies between HTTP (application) and TCP (transport)
[Figure: protocol stack, top to bottom: application, socket “layer”, transport, network, link, physical; side labels: User, OS, NIC]
WHAT IS SSL?
◼ SSL is the protocol used for the majority of secure transactions over the Internet
◼ For example, if you want to buy a book at
amazon.com…
◼ You want to be sure you are dealing with Amazon
(authentication)
◼ Your credit card information must be protected in
transit (confidentiality and/or integrity)
◼ As long as you have money, Amazon doesn’t care who
you are (authentication need not be mutual)
SIMPLE SSL-LIKE PROTOCOL
1. Alice → Bob: I’d like to talk to you securely
2. Bob → Alice: Here’s my certificate
3. Alice → Bob: {KAB}Bob
4. Alice ↔ Bob: protected HTTP
◼ Is Alice sure she’s talking to Bob?
◼ Is Bob sure he’s talking to Alice?
SIMPLIFIED SSL PROTOCOL
1. Alice → Bob: Can we talk?, cipher list, RA
2. Bob → Alice: Certificate, cipher, RB
3. Alice → Bob: {S}Bob, E(h(msgs,CLNT,K),K)
4. Bob → Alice: h(msgs,SRVR,K)
5. Alice ↔ Bob: Data protected with key K
◼ S is pre-master secret
◼ K = h(S,RA,RB)
◼ msgs = all previous messages
◼ CLNT and SRVR are constants
SSL KEYS
◼ 6 “keys” derived from K = hash(S,RA,RB)
◼ 2 encryption keys: send and receive
◼ 2 integrity keys: send and receive
◼ 2 IVs: send and receive
◼ Why different keys in each direction?
◼ Q: Why is h(msgs,CLNT,K) encrypted (and
integrity protected)?
◼ A: Apparently, it adds no security…
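Added example (not part of the original slides): deriving K = h(S,RA,RB) and six directional values from it, then checking a record against the integrity key of each direction. The slides do not say how the six keys are expanded from K, so the HMAC-with-label expansion, the label strings, the sample values and all function names here are assumptions; SHA-256 stands in for h.

```python
import hashlib
import hmac

LABELS = ("client enc", "server enc", "client mac", "server mac",
          "client iv", "server iv")

def master_key(s, ra, rb):
    """K = h(S, RA, RB); inputs are fixed-length in this sketch."""
    return hashlib.sha256(s + ra + rb).digest()

def derive_keys(k):
    """Expand K into six values, one per label (assumed expansion)."""
    return {label: hmac.new(k, label.encode(), hashlib.sha256).digest()
            for label in LABELS}

def protect(keys, sender, payload):
    """Tag a record with the sender's integrity key."""
    tag = hmac.new(keys[sender + " mac"], payload, hashlib.sha256).digest()
    return payload, tag

def accept(keys, expected_sender, record):
    """The receiver checks the tag with the key of the peer it expects."""
    payload, tag = record
    good = hmac.new(keys[expected_sender + " mac"], payload,
                    hashlib.sha256).digest()
    return hmac.compare_digest(tag, good)

# Constructed sample values for S, RA and RB.
S, RA, RB = b"\x01" * 48, b"\x02" * 32, b"\x03" * 32
KEYS = derive_keys(master_key(S, RA, RB))
```

A record produced with protect(KEYS, "client", ...) is accepted by the server side, accept(KEYS, "client", ...), but rejected if it is reflected back to the client, which checks accept(KEYS, "server", ...).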
SSL AUTHENTICATION
◼ Alice authenticates Bob, not vice-versa
◼ How does client authenticate server?
◼ Why does server not authenticate client?
◼ Mutual authentication is possible: Bob sends
certificate request in message 2
◼ This requires client to have certificate
◼ If server wants to authenticate client, server could
instead require (encrypted) password
SSL MIM ATTACK
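1. Alice → Trudy: RA; Trudy → Bob: RA
2. Trudy → Alice: certificateT, RB; Bob → Trudy: certificateB, RB
3. Alice → Trudy: {S1}Trudy, E(X1,K1); Trudy → Bob: {S2}Bob, E(X2,K2)
4. Trudy → Alice: h(Y1,K1); Bob → Trudy: h(Y2,K2)
5. Alice ↔ Trudy: E(data,K1); Trudy ↔ Bob: E(data,K2)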
◼ Q: What prevents this MiM attack?
◼ A: Bob’s certificate must be signed by a certificate
authority (such as Verisign)
◼ What does Web browser do if sig. not valid?
◼ What does user do if signature is not valid?
KERBEROS
KERBEROS
◼ In Greek mythology, Kerberos is a 3-headed dog that guards the entrance to Hades
◼ “Wouldn’t it make more sense to guard the exit?”
◼ In security, Kerberos is an authentication system
based on symmetric key crypto
◼ Originated at MIT
◼ Based on work by Needham and Schroeder
◼ Relies on a Trusted Third Party (TTP)
MOTIVATION FOR KERBEROS
◼ Authentication using public keys
◼ N users ⇒ N key pairs
◼ Authentication using symmetric keys
◼ N users requires about N^2 keys
◼ Symmetric key case does not scale!
◼ Kerberos based on symmetric keys but only
requires N keys for N users
◼ But must rely on TTP
◼ Advantage is that no PKI is required
KERBEROS KDC
◼ Kerberos Key Distribution Center or KDC
◼ Acts as a TTP
◼ TTP must not be compromised!
◼ KDC shares symmetric key KA with Alice, key KB
with Bob, key KC with Carol, etc.
◼ Master key KKDC known only to KDC
◼ KDC enables authentication and session keys
◼ Keys for confidentiality and integrity
◼ In practice, the crypto algorithm used is DES
KERBEROS TICKETS
◼ KDC issues a ticket containing info needed to
access a network resource
◼ KDC also issues ticket-granting tickets or TGTs
that are used to obtain tickets
◼ Each TGT contains
◼ Session key
◼ User’s ID
◼ Expiration time
◼ Every TGT is encrypted with KKDC
◼ TGT can only be read by the KDC
KERBERIZED LOGIN
◼ Alice enters her password
◼ Alice’s workstation
◼ Derives KA from Alice’s password
◼ Uses KA to get TGT for Alice from the KDC
◼ Alice can then use her TGT (credentials) to
securely access network resources
◼ Plus: Security is transparent to Alice
◼ Minus: KDC must be secure --- it’s trusted!
KERBERIZED LOGIN
1. Alice → Computer: Alice’s password
2. Computer → KDC: Alice wants a TGT
3. KDC → Computer: E(SA,TGT, KA)
◼ Kerberos used for authentication
◼ Key KA derived from Alice’s password
◼ KDC creates session key SA
◼ Workstation decrypts SA, TGT, forgets KA
◼ TGT = E(“Alice”, SA, KKDC)
ALICE REQUESTS TICKET TO BOB
1. Alice → Computer: I want to talk to Bob
2. Computer → KDC: REQUEST
3. KDC → Computer: REPLY
4. Computer → Alice: Talk to Bob
◼ REQUEST = (TGT, authenticator) where
authenticator = E(timestamp, SA)
◼ REPLY = E(“Bob”, KAB, ticket to Bob, SA)
◼ ticket to Bob = E(“Alice”, KAB, KB)
◼ KDC gets SA from TGT to verify timestamp
ALICE USES TICKET TO BOB
1. Alice’s Computer → Bob: ticket to Bob, authenticator
2. Bob → Alice’s Computer: E(timestamp + 1,KAB)
◼ ticket to Bob = E(“Alice”, KAB, KB)
◼ authenticator = E(timestamp, KAB)
◼ Bob decrypts “ticket to Bob” to get KAB which he then uses
to verify timestamp
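Added example (not part of the original slides): the three exchanges above (Kerberized login, ticket request, use of the ticket to Bob) run end to end. E and D are a toy authenticated cipher built from SHA-256 and HMAC as a stand-in for E(..., K); the keys, the password, the 300-second skew window and all function names are assumptions.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))

def E(obj, hexkey):
    """Toy authenticated encryption standing in for E(..., K); not for real use."""
    key, nonce = bytes.fromhex(hexkey), os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def D(blob, hexkey):
    key, raw = bytes.fromhex(hexkey), bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(_xor(key, nonce, ct))

K_KDC, K_B = os.urandom(32).hex(), os.urandom(32).hex()    # constructed keys
K_A = hashlib.sha256(b"constructed-password").hexdigest()  # KA = h(Alice's password)

def check(ts, now, skew=300):  # allowed clock skew in seconds (assumed value)
    if abs(now - ts) > skew:
        raise ValueError("stale timestamp")

def kdc_login():
    sa = os.urandom(32).hex()                     # KDC creates session key SA
    return E([sa, E(["Alice", sa], K_KDC)], K_A)  # E(SA, TGT, KA)

def kdc_ticket(tgt, authenticator, now):
    user, sa = D(tgt, K_KDC)                      # only the KDC can open the TGT
    check(D(authenticator, sa), now)              # authenticator = E(timestamp, SA)
    kab = os.urandom(32).hex()
    return E(["Bob", kab, E([user, kab], K_B)], sa)  # REPLY, with ticket to Bob

def bob_accept(ticket, authenticator, now):
    user, kab = D(ticket, K_B)                    # Bob recovers KAB from the ticket
    ts = D(authenticator, kab)
    check(ts, now)
    return user, E(ts + 1, kab)                   # E(timestamp + 1, KAB)

def alice_session(now, bob_clock_offset=0):
    sa, tgt = D(kdc_login(), K_A)                 # workstation decrypts SA, TGT
    _, kab, ticket = D(kdc_ticket(tgt, E(now, sa), now), sa)
    user, resp = bob_accept(ticket, E(now, kab), now + bob_clock_offset)
    return user, D(resp, kab) == now + 1
```

Calling alice_session with a bob_clock_offset larger than the skew window makes Bob reject a valid ticket, since the timestamp check depends on the two clocks agreeing.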
KERBEROS
◼ Session key SA used for
◼ authentication
◼ Can also be used for confidentiality/integrity
◼ Timestamps used for
◼ mutual authentication
◼ Recall that timestamps reduce number of
messages
◼ Acts like a nonce that is known to both sides
◼ Note: time is a security-critical parameter!
KERBEROS KEYS
◼ In Kerberos, KA = h(Alice’s password)
◼ Could instead generate random KA and
◼ Compute Kh = h(Alice’s password)
◼ And workstation stores E(KA, Kh)
◼ Then KA need not change (on workstation or
KDC) when Alice changes her password
◼ This alternative approach is often used in
applications (but not in Kerberos)