CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz Administrivia Final exam reminder + study guide – DSS students contact me Network security protocols in practice Network layers Application Transport Network Data link Physical Roughly… Application layer: the communicating processes themselves and the actual ‘content’ transmitted Transport layer (TCP/UDP): “end-to-end” communication; reliability; flow control Network layer (IP): “host-to-host” communication; routing Data link layer (Ethernet/WiFi): transmission of frames over a single hop Example security protocols Application layer: PGP, SSH Transport layer: SSL/TLS Network layer: IPsec Data link layer: IEEE 802.11 (WEP, WPA) Security in what layer? Depends on the purpose… – How are keys provisioned/shared? – Should the (human) user be involved? – Semantics: authenticate user-to-user, or host-to-host? Security in what layer? Depends on what’s available – E.g., consider a user connecting to a website from a café (over a wireless network) – End-to-end encryption might be unavailable (e.g., if website does not support encryption) – Eavesdropping on Internet backbone less likely than eavesdropping on wireless link in café – Encrypt link from user to wireless router – Link-layer encryption more appropriate • Link-layer authentication also possible Security in what layer? Depends on the threat model/what threats are being addressed – What information needs to be protected? (Ports, IP addresses?) – E.g., network-layer authentication will not prevent DoS attacks at link level (e.g., ARP spoofing, replay disconnect messages, overloading access point) – E.g., an application-layer protocol cannot protect IP header information – End-to-end, or hop-by-hop? Security in what layer? Security interactions with various layers – E.g., if TCP accepts a packet which is rejected by the application above it, then TCP will reject the “correct” packet (detecting a replay) when it arrives! – E.g., if higher-layer header data is used by a firewall to make decisions, this is incompatible with network-layer encryption (if it encrypts headers) Generally… When security is placed at lower levels, it can provide automatic, “blanket” coverage… – …but it can take a long time before it is widely adopted – Can be inefficient to encrypt everything When security is placed at higher levels, individual users can choose when to use it… – …but users who are not security-conscious may not take advantage of it – Can encrypt only what is necessary Example: PGP vs. SSL vs. IPsec PGP is an application-level protocol for “secure email” – Can provide security over insecure networks – Users choose when to use PGP; user must be involved – Alice’s signature on an email proves that Alice actually generated the message, and it was received unaltered; also non-repudiation • In contrast, SSL secures “the connection” from Alice’s computer; would need additional mechanisms to authenticate the user – Communication with off-line party (i.e., email) Example: PGP vs. SSL vs. IPsec SSL sits at the transport layer, “above” TCP – Packet stream authenticated/encrypted – End-to-end security, best for connection-oriented sessions (e.g., http traffic) – User does not need to be involved – The OS does not have to change, but applications do if they want to communicate securely Example: PGP vs. SSL vs. IPsec IPsec sits at the network layer – Individual packets authenticated/encrypted – End-to-end or hop-by-hop security – Need to modify OS – All applications “protected” by default, without requiring any change to applications or actions on behalf of users – Only authenticates hosts, not users – User can be completely unaware that IPsec is running SSL/TLS Brief history… SSLv2 deployed in Netscape 1.1 (1995) Modified version of SSLv3 standardized as TLS This overview will not focus on the differences; I just say “SSL” for convenience SSL is a major success story! – Used extensively and (almost) exclusively to secure web traffic Broad overview SSL runs on top of TCP – Advantage: does not require changes to TCP From the programmer’s point of view, it sits at the transport layer – Same API as for TCP – Runs only with TCP, not UDP Primarily used for HTTP traffic SSL overview Three phases – Handshake – Key derivation – Data transfer Handshake + key derivation Client sends list of supported crypto algorithms and nonce RC Server sends a certificate, selects a crypto algorithm, and sends nonce RS – Nonce protects against client impersonation Client encrypts random K with server’s public key Client/server derive session keys from RC, RS, K – Prevents replay attacks Client sends a MAC of the handshake; server responds with the same Sessions and connections One session may have multiple simultaneous connections Can derive per-connections keys by exchanging fresh RC, RS, and using session (master) key K Data transfer Client and server use K to establish four keys: encryption and authentication, for each direction SSL breaks data stream into records; appends a MAC to each record; and then encrypts the result – Mac-then-encrypt… – What would have been a better choice? The MAC is computed over the record plus a sequence number – Prevents replay, re-ordering, or dropping packets SSL security Provides confidentiality, integrity, and unidirectional authentication – Client wants to make sure they are talking to the right merchant; merchant does not care who client is Mutual authentication supported – If server requests it, and client has a certificate – Note that mutual authentication may be done at application level (e.g., password-based login)