Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Sunu 6

advertisement

Network Security

Essentials

Chapter 5

Fourth Edition by William Stallings

Lecture slides by Lawrie Brown

Chapter 5 –

Transport-Level Security

Use your mentality

Wake up to reality

—From the song, "I've Got You under My

Skin“ by Cole Porter

Web Güvenliği

Web Artık yaygın iş, devlet, bireyler tarafından kullanılanılır

Fakat internet ve Web saldırılara açıktır

Değişik tehtitler mevcuttur

 integrity confidentiality

 denial of service

 authentication

Güvenlik mekanizmaları eklenmesi gerekir

Web Trafiği Güvenlik önerileri

SSL (Secure Socket Layer)

 transport layer security hizmetleri

 Netscape tarafından ilk olarak geliştirildi

V3 halka açık girişler kabul ediyor.

Sonradan TLS olarak internet standardı haline geldi (Transport Layer Security)

TCP yi uçtan uca güvenli servis verebilmek için kullanır

SSL in iki protokol katmanı vardır.

SSL Architecture

SSL Architecture

 SSL Bağlantısı( connection)

 a transient, peer-to-peer, communications link

 associated with 1 SSL session

 SSL oturumu

 an association between client & server

 created by the Handshake Protocol

 define a set of cryptographic parameters

 may be shared by multiple SSL connections

SSL Kayıt Protokolü ve servis

 Gizlilik (confidentiality)

 using symmetric encryption with a shared secret key defined by Handshake Protocol

AES, IDEA, RC2-40, DES-40, DES, 3DES,

Fortezza, RC4-40, RC4-128

 message is compressed before encryption

Mesaj Bütünlüğü

 using a MAC with shared secret key similar to HMAC but with different padding

SSL Record Protocol

Operation

MAC

 The following encryption algorithms are permitted

SSL Cipher özelliklerini değiştirme protokolü

Change Chiper Spec Pro.

 SSL Record protocol ı kullanan ve SSL has kullanılan 3 protokolden birisi

 Tek bir mesaj içerir (1111 1111)

 Bekleyen durumun aktif hale gelmesini sağlar.

 Bu şekilde kullanılacak chiper listesini belirler

Chiper Spec Protocol (devam)

 The sole purpose of this message is to cause the pending state to be copied into the current state,

 which updates the cipher suite to be used on this connection

SSL Uyarı Protokolü

Alert Protocol

SSL ile alakalı uyarıları karşıdaki eşe bildirir

 Şiddeti, Önemi

• warning veya fatal

 Bazı uyarılar

• fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter

• warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

 Tüm SSL verileri gibi şıkıştırılıp&şifrelenir

Fatal Alerts

Diğer Alertler

SSL El sıkışma protokolü

Handshake Protocol

İstemci ve sunucu arasında :

Birbirlerini kimlik denetimi yapar to negotiate encryption & MAC algorithms

1.

 to negotiate cryptographic keys to be used

Fazlar halinde bir seri mesajlar içerir

Establish Security Capabilities

2.

3.

4.

Server Authentication and Key Exchange

Client Authentication and Key Exchange

Finish

SSL

Handshake

Protocol

Phase 1 ESTABLISH SECURITY

CAPABILITIES is used to initiate a logical connection and to establish the security capabilities that will be associated with it

Server Key Exchange

 RSA

 Fixed Diffie Hellman

 Ephemeral D-H

 Ananoymous D-H

 ForTezza

PHASE 2.

SERVERAUTHENTICATION AND

KEY EXCHANGE

The server begins this phase by sending its certificate if it needs to be authenticated; the message contains one or a chain of X.509 certificates

 Next, a server_key_exchange message may be sent if it is required. It is not required in two instances: (1) The server has sent a certificate with fixed Diffie-Hellman parameters or (2) a RSA key exchange is to be used. The server_key_exchange message is needed for the following

PHASE 3. CLIENT

AUTHENTICATION AND KEY

EXCHANGE

 If the server has requested a certificate, the client begins this phase by sending a certificate message . If no suitable

Certificate is available, the client sends a no_certificate alert instead.

SSL

Handshake

Protocol

Cryptographic Hesaplamalar

 master secret creation

Tek seferlik 48-byte value

 generated using secure key exchange (RSA /

Diffie-Hellman) and then hashing info

 Kriptografik parametrelerin üretimi

 client write MAC secret, a server write MAC secret, a client write key, a server write key, a client write IV, and a server write IV

 generated by hashing master secret

TLS (Transport Layer

Security)

 IETF standardı, RFC 2246, SSLv3 e çok benzer

 küçük farklar vardır

 in record format version number

 uses HMAC for MAC a pseudo-random function expands secrets

• based on HMAC using SHA-1 or MD5 has additional alert codes some changes in supported ciphers changes in certificate types & negotiations changes in crypto computations & padding

HTTPS

 HTTPS (HTTP over SSL)

HTTP & SSL/TLS birlikte kullanılması bu şekilde browser & server arası güvenli iletişim

• documented in RFC2818

• no fundamental change using either SSL or TLS

 https:// URL rather than http://

 and port 443 rather than 80

 encrypts

URL, document contents, form data, cookies,

HTTP headers

Secure Shell (SSH)

 Güvenli ağ iletişimi için bir protokol

 designed to be simple & inexpensive

 İlk versiyon SSH1 güvenli ve uzaktan erişim içerir

 replace TELNET & other insecure schemes

 also has more general client/server capability

 SSH2 bir çok güvenlik açıklarını giderir

 documented in RFCs 4250 through 4254

 SSH clients & servers çok erişilebilir.

 method of choice for remote login/ X tunnels

SSH Protocol Stack

SSH Transport Layer Protocol

 server authentication occurs at transport layer, based on server/host key pair(s)

 server authentication requires clients to know host keys in advance

 packet exchange establish TCP connection can then exchange data

1.

identification string exchange,

2.

algorithm negotiation,

3.

key exchange,

4.

end of key exchange,

5.

service request using specified packet format

SSH User Authentication

Protocol

 authenticates client to server

 three message types:

SSH_MSG_USERAUTH_REQUEST

SSH_MSG_USERAUTH_FAILURE

SSH_MSG_USERAUTH_SUCCESS

 authentication methods used

 public-key, password, host-based

SSH Connection Protocol

 runs on SSH Transport Layer Protocol

 assumes secure authentication connection

 used for multiple logical channels

SSH communications use separate channels

 either side can open with unique id number

 flow controlled

 have three stages:

• opening a channel, data transfer, closing a channel

 four types:

• session, x11, forwarded-tcpip, direct-tcpip.

SSH

Connection

Protocol

Exchange

Port Forwarding

 convert insecure TCP connection into a secure SSH connection

SSH Transport Layer Protocol establishes a

TCP connection between SSH client & server

 client traffic redirected to local SSH, travels via tunnel, then remote SSH delivers to server

 supports two types of port forwarding

 local forwarding – hijacks selected traffic remote forwarding – client acts for server

Summary

 have considered:

 need for web security

SSL/TLS transport layer security protocols

HTTPS

 secure shell (SSH)

Related documents
Lecture 30
Lecture 30
Slides to chapter 5
Slides to chapter 5
OnlineBankingSecurit..
OnlineBankingSecurit..
Sample PowerPoint Presentation - Volunteer Centers of Michigan
Sample PowerPoint Presentation - Volunteer Centers of Michigan
SSL
SSL
Chapter 17
Chapter 17
Document
Document
Slides for lecture 26
Slides for lecture 26
More Trick For Defeating SSL
More Trick For Defeating SSL
Ssl tls ssh
Ssl tls ssh
Secure Communication: Is it possible with SSL and or SSH?
Secure Communication: Is it possible with SSL and or SSH?
Download
advertisement