Network security - EIT, Electrical and Information Technology

Ch 17 Network Security
Datasäkerhet/Data security
EITF55 – Lect 7
Overview security challenges specific to networks.
Design of network protocols.
IPSec, TLS, SSL.
Network boundaries and firewall technologies.
Network security
2018 B. Smeets
1
Datasäkerhet EITF55
Introduction
2018 B. Smeets
Datasäkerhet EITF55
2
Internet Threats
Computer network: infrastructure for
transmitting data between nodes in a distributed
system.
Data integrity
The contents of a packet can be accidentally or deliberately
modified.
Identity spoofing
Network protocols: “rules” followed by the
nodes to guarantee service.
The origin of an IP packet can be forged.
Anti-replay attacks
Unauthorized data can be retransmitted.
Management protocols: provide support
needed.
Loss of privacy
The contents of a packet can be examined in transit.
2018 B. Smeets
Datasäkerhet EITF55
3
2018 B. Smeets
Datasäkerhet EITF55
4
Understanding TCP/IP
OSI Reference Model
Sniffing and Spoofing
TCP/IP Model
Application Layer
Encryption is not enough!
Transport Layer
TCP, UDP
Network Layer
IP
Logical Link Layer
Device Driver
Physical Layer
Network Adapter
2018 B. Smeets
Network addresses
Protocols that nodes can run
Network diagnostics,
NFS
SNMP
FTP
DNS
FTP
SMTP
Session Layer
Application
HTTP
Presentation Layer
Wiretapping in computer networks is not difficult.
Opportunity for sniffer software.
A lot of information may be sensitive:
Datasäkerhet EITF55
Other threats:
Forged source addresses (spoofing),
Entities denying involvement in transactions,
Traffic flow analysis
5
2018 B. Smeets
(Perfect) Forward Secrecy (PFS)
TCP/IP Security
Perfect Forward Secrecy is a feature of a key agreement protocols that gives
assurances your session keys, even those in the past, will not be compromised
even if the private master key is compromised.
Note: But when the crypto scheme is broken they might be lost
In the Internet model ISO/OSI
collapses to four layers
Application
Application: telnet, ftp, http, SET
Transport/Session: TCP, UDP
Internet: IP
Interface: specific to network
technology
Weak Perfect Forward Secrecy is like PFS but secrecy of session keys is
only guaranteed for sessions in which the attacker did not participated.
master key
time
6
Datasäkerhet EITF55
Session/Transport
Internet
Interface
Session keys
Most modern protocols like TLS 1.2/1.3 have support for PFS
2017-09-13 B. Smeets
EITN50 - Dept of Electrical and Information technology
7
2018 B. Smeets
Datasäkerhet EITF55
8
Security at the different levels
Security at Application Layer
(PGP, Kerberos, SSH, etc.)
Application Layer
PGP, Kerberos, SSH, etc.
Transport Layer
Transport Layer Security (TLS)
Network Layer
IP Security
Data Link Layer
Implemented in end-hosts
Advantages
Extend application without involving operating system.
Application can understand the data and can provide the appropriate
security.
Hardware encryption
Disadvantages
Security mechanisms have to be designed independently by each
application.
2018 B. Smeets
Datasäkerhet EITF55
9
Security at Transport Layer
2018 B. Smeets
IP Security (IPSec)
Implemented in end-hosts
Advantages
Advantages
Provides seamless security to application and transport
layers (ULPs).
Allows per flow or per connection security and thus
allows for very fine-grained security control.
Application developer/user has control over the security
Disadvantages
Disadvantages
Existing applications must be adopted
Protocol specific
Datasäkerhet EITF55
10
Security at Network Layer
Transport Layer Security (SSL, TLS)
2018 B. Smeets
Datasäkerhet EITF55
More difficult to exercise on a per user basis on a multiuser machine.
11
2018 B. Smeets
Datasäkerhet EITF55
12
Security at Data Link Layer
IPSEC
(Hardware encryption)
Need a dedicated link between host/routers.
Two major security mechanisms:
Application
IP authentication header (AH).
IP encapsulating security payload (ESP). Session/Transport
IPSEC
Advantages
No cautions taken against traffic analysis
Speed.
Interface
Disadvantages
Not scalable.
Need dedicated links.
2018 B. Smeets
Datasäkerhet EITF55
13
IPSec Basic Features
2018 B. Smeets
14
Datasäkerhet EITF55
IPSec Transport Mode
IPSec provides security at network (Internet) layer.
So all IP datagrams covered.
No re-engineering of applications needed
Transparent to users.
IP datagram
Mandatory for next-generation IPv6,
Optional for current-generation (IPv4).
Header
IP datagram
Payload
Header
Payload
Defined in IETF RFC 4301-4303, 4305,4306
(these replace RFCs 2401–2412)
2018 B. Smeets
Network
Datasäkerhet EITF55
15
2018 B. Smeets
Datasäkerhet EITF55
16
IPSec Tunnel Mode
AH Protocol
Inner IP datagram
Header
AH = Authentication Header (RFC 2402).
Provides data origin authentication and data integrity.
AH authenticates whole payload and most of header.
Prevents IP address spoofing.
Inner IP datagram
Payload
Header
Payload
Source IP address is authenticated.
Security
Network
Gateway
Creates stateful channel.
Security
Use of sequence numbers.
Gateway
Prevents replay of old datagrams.
Inner IP datagram
Outer
Header
AH sequence number is authenticated.
Inner IP datagram
Header
Payload
2018 B. Smeets
Outer
Header
Uses MAC and secret key shared between endpoints.
Header
Payload
Datasäkerhet EITF55
17
AH Protocol
2018 B. Smeets
Datasäkerhet EITF55
18
AH Protocol – Transport and Tunnel
AH in transport mode:
AH specifies a header added to IP datagrams.
Fields in header include:
Payload length
SPI = Security Parameters Index
Original
AH
IP header
Len, SPI, seqno, MAC
Payload (eg TCP, UDP, ICMP)
MAC scope - all immutable fields
• Identifies which algorithms and keys are to be used for IPSec
processing (more later).
Sequence number
Authentication data (the MAC value)
AH in tunnel mode:
• Calculate over immutable IP header fields (so omit TTL) and
(payload or inner IP datagram).
Outer
AH
Inner
IP header
Len, SPI, seqno, MAC
IP header
Payload (eg TCP, UDP, ICMP)
MAC scope - all immutable fields
2018 B. Smeets
Datasäkerhet EITF55
19
2018 B. Smeets
Datasäkerhet EITF55
20
ESP Protocol
ESP Protocol
ESP = Encapsulating Security (RFC 2406).
Provides one or both of:
ESP specifies a header and trailing fields to be added
to IP datagrams.
Fields in header include:
confidentiality for payload/inner datagram.
• NB sequence number not protected by encryption.
SPI.
Sequence number.
authentication of payload/inner datagram
• but not of any header fields (original header or outer header).
Traffic-flow confidentiality in tunnel mode.
Uses symmetric encryption and MACs based on
secret keys shared between endpoints.
There are both engineering and political reasons for
the separate existence of authentication in AH and in
ESP.
2018 B. Smeets
Fields in trailer include:
Any padding needed for encryption algorithm (may also
help disguise payload length).
Padding length.
Authentication data (if any) – the MAC value.
21
Datasäkerhet EITF55
2018 B. Smeets
22
Datasäkerhet EITF55
IPsec - endpoints
ESP Protocol – Transport and Tunnel
ESP in transport mode:
Original
ESP hdr
Payload
IP header
SPI, seqno
(eg TCP, UDP, ICMP)
ESP ESP
trlr
sender
auth
An SA is a one-way (simplex)
relationship between sender and
receiver endpoint.
receiver
MAC scope
SA
Encryption scope
ESP in tunnel mode:
Outer
ESP hdr
IP header
SPI, seqno
Inner
IP header
Payload
(eg TCP, UDP, ICMP)
SA
IP stack in
Intermedia
nodes
ESP ESP
trlr
SA
SA
auth
MAC scope
Encryption scope
2018 B. Smeets
Datasäkerhet EITF55
23
2018 B. Smeets
Datasäkerhet EITF55
24
SAs (Security Associations)
VPN
The keys for encryption and integrity protection are
different for in- and outgoing data
Keys have limited life time and must be renewed (rekeying)
Organized (grouped) through security association; it is a
relationship between the sending and receiving entities that
tells what the keys are, the policies of use, which service (e.g.
encryption and/or integrity). In the IP header the specific SA
to be used is indicated by the SPI (security parameter index)
(so at least 2 SAs per connection at each endpoint)
2018 B. Smeets
25
Datasäkerhet EITF55
Thus not all VPNs will function with each other.
However there are some key exchange methods that
are standardised, e.g. IKE
2018 B. Smeets
Datasäkerhet EITF55
26
Summary IPsec
VPN with ”TLS”
IPSEC provides security for everyone using IP without
changing the interface to IP.
The cost is increased protocol processing and communication
overhead.
All VPNs use IPSEC but are not based on a standard key
exchange protocols which gives interoperability problems.
PC
Application 1
Virtual Private Networks (VPNs) are created by
adding IPSEC to the IP stack often together with a
proprietary key exchange method.
Application 2
TLS over UDP
User space
Kernel space
Virtual interface
2018 B. Smeets
real interface
Datasäkerhet EITF55
27
2018 B. Smeets
Datasäkerhet EITF55
28
SSL, TLS, DTLS
TLS/SSL: Server authentication
Two scenarios:
Only Server authentication
Mutual Server & Client authentication
Application
Hello
Client
SSL
Server
Authentication
Server Certificate
Session/Transport
Non-transparent secure connections
Server
Hello
Client Key Exchange
Interface
Change connection state
TLS established
Server Challenge
Client
Authentication
Client Response
TLS can also be used in a pre-shared key setting, we will not
discuss this.
2018 B. Smeets
MOST USED scenario!
29
Datasäkerhet EITF55
2018 B. Smeets
TLS/SSL: Server & Client authentication
TLS has many CipherSuites
NULL ciphers will be taken out in the future
One of
Hello
Server
Client
30
Datasäkerhet EITF55
KeyExchange
Hello
Cipher
Hash
Server Certificate
Request client Certificate
Client Certificate
Server & Client
Authentication
Client Key Exchange
TLS_ NULL_
WITH_
NULL_
NULL
TLS_ RSA_
WITH_
NULL_
MD5
TLS_ DH_RSA_
WITH_
AES_CBC
SHA1
etc
WITH_
GCM
SHA1
Certificate Verify
Change connection state
TLS established
DHE_RSA
Ex: TLS_DH_RSA_WITH_AES_128_CBC_SHA
2018 B. Smeets
Datasäkerhet EITF55
31
2018 B. Smeets
Datasäkerhet EITF55
32
TLS weaknesses
How to use TLS
There have been several problems with TLS and the
implementations (often in OpenSSL, e.g. Heartbleed
2014)
Implementation errors
Error codes leak state
Information leakage
Unclarities in spec:
http://en.wikipedia.org/wiki/Transport_Layer_Security
See very nice summary in
http://eprint.iacr.org/2013/049.pdf
SSL 3.0 should not be used anymore since 2014 (due to Poodle man-inthe-middle attack)
Until TLS 1.3 will come (now draft) use only TLS 1.2 and (amongst
others)
Remove bad ciphers
Do not use compression
Do not use CBC modes
Use only Authenticated Encryption with Associated Data (AEAD)
modes:
• AES Galois Counter Mode (GCM) and
• AES with Counter and CBC-MAC (CCM)
AEAD cipher mode of operation provides simultaneously confidentiality, integrity, and authenticity checking of the data. The
decryption is combined in single step with integrity validation.
2018 B. Smeets
33
Datasäkerhet EITF55
AEAD modes
mac
Encrypt
MAC
Older TLS: Have to pass data
in two algorithms
Datasäkerhet EITF55
34
TLS1.3
TLS 1.2 and TLS1.3 support better algorithms that
are more secure but also faster
encrypted
2018 B. Smeets
encrypted
TLS1.3 is still a draft. It is a major rework of TLS with
many security improvements and it is faster due to
reduction of messages that need to be sent.
One less round trip (i.e. reducing RTT) so ordinary
handshake may only be 1-RTT and session resume can
even be done in 0-RTT
mac
AEAD
Newer TLS: Have to pass data
only once in one algorithm
RTT = return trip time
2018 B. Smeets
Datasäkerhet EITF55
35
2018 B. Smeets
Datasäkerhet EITF55
36
TLS1.2 –case: 2-RTTs
TLS1.3 –case – 1-RTT
Client
Client Hello
Supported cipher suites
Key Share
Server
Client
Server
Client Hello
Supported cipher suites
Key share
Server Hello
Chosen cipher suites
Key share
Certificate & signature
Finished
Server Hello
Chosen cipher suites
Key share
Certificate & Signature
Finished
Finished
HTTP GET
Finished
HTTP GET
HTTP response
2018 B. Smeets
37
Datasäkerhet EITF55
TLS1.3 –case – 0-RTT resume
Client
Datasäkerhet EITF55
38
DTLS/TLS/SSL provides security for applications: typically
used by browser and Java applications
Most often used with server authentication and client
authentication is then solved with various methods:
passwords, token devices
Server Hello
Key share
HTTP GET
2018 B. Smeets
Summary DTLS/TLS/SSL
Server
Client Hello
Session Ticker (PSK)
Key share
HTTP response
In TLS 1.3 the client starts by sending
not only the ClientHello and the list of
supported ciphers, but it guesses as to
which key agreement algorithm the
server will choose, and sends a key
share for that.
Finished
HTTP response
Use the correct modes for TLS!
The client connects to the server and they agree on a resumption key (or Pre-Shared Key), and the server gives the
client a Session Ticket. This ticket can be an encrypted copy of the PSK.
On resume, the client sends the Session Ticket in the ClientHello and then immediately, without waiting for any
round trip, sends the HTTP request encrypted with the PSK. The server recovers the PSK using the Session Ticket
and uses that to decrypt the 0-RTT data.
2018 B. Smeets
Datasäkerhet EITF55
DTLS for datagram (UDP)
39
2018 B. Smeets
Datasäkerhet EITF55
40
Firewalls
Firewalls (cont’d)
By collecting our protection mechanisms in the place
where the internal network meets the outside world,
we create a firewall.
Def. Firewall is the generic name for any security
system protecting the boundary of an internal
network.
A bastion host is a computer with strong security
exposed to the outside world.
2018 B. Smeets
41
Datasäkerhet EITF55
Perimeter defence
NT
Unix
Unix
NT
Firewall
Network
E-Mail
Server
2018 B. Smeets
Datasäkerhet EITF55
42
Purpose
Web
Server
Router
Firewall: a network security device controlling traffic flow
between two parts of a network.
Often installed between an entire organisation’s network and
the Internet.
Can also be installed in an intranet to protect individual
departments.
All traffic has to go through the firewall for protection to be
effective.
Clients & Workstations
Firewalls control network traffic to and from the
protected network.
Can allow or block access to services (both internal
and external).
Can enforce authentication before allowing access to
services.
Can monitor traffic in/out of network.
Corporate Network
2018 B. Smeets
Datasäkerhet EITF55
43
2018 B. Smeets
Datasäkerhet EITF55
44
Types of Firewalls
Continuous monitoring
Packet filtering:
Check the header information of packets
Use machine learning and AI techniques to analyze
what is going one
Packet filter
Stateful packet filter
Automated response
Control ports and routing (e.g. black hole routing to
mitigate DDOS attacks)
Efficient use of Software Define Network technology for
security; e.g. create virtual networks/routing for special
traffic/payloads
But how to handle encrypted traffic?
Proxy servers:
The only entity seen by the outside world that performs a
certain service. (Used by internal nodes)
Circuit-level proxy
Application-level proxy
2018 B. Smeets
45
Datasäkerhet EITF55
DMZ – Demilitarized Zone
Mail
server
Internet
Screening router
Peripheral network
DMZ
Firewall
Internal network
2018 B. Smeets
Datasäkerhet EITF55
47
2018 B. Smeets
Datasäkerhet EITF55
46