Protocols PK Encr./Auth. PK Key Establishment Secure Comm. in Open Networks SSL/TLS Nicolas T. Courtois - University College London Security Notions 3 Stages 2 Nicolas T. Courtois, 2006-2010 CompSec COMPGA01 Three Stages in Information Security [Courtois] 3 degrees of evolution: 1.Protections that are secret. 2.Based on a secret key. 3.Private-public key solutions. 3 Nicolas T. Courtois, January 2009 CompSec COMPGA01 PK Crypto Public-Key Cryptography == Asymmetric Cryptography 4 Nicolas T. Courtois, January 2009 CompSec COMPGA01 3d Stage – Public Key Cryptography No shared key, One private and one public key. Private key: generated and stored securely… 5 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Third Stage – Public Key Cryptography Public key: can be distributed to many parties. Does not have to be public (but the system remains secure when it is). 6 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Public Key Schemes Symmetric == Conventional Schemes = 1 algorithm. Asymmetric == Public-Key Cryptography = 3 algorithms: • • • 7 Key Generation Algorithm Encryption / Signature Verification Algorithm. Decryption / Signature Algorithm. Nicolas T. Courtois, January 2009 CompSec COMPGA01 *Traditional Secret-Key Encryption Bob Alice 8 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Public Key Encryption r m m or invalid Eve encryption algorithm c c decryption algorithm past: setup phase pk key generation algorithm (public key) 9 Nicolas T. Courtois, January 2009 sk (private key) CompSec COMPGA01 MACs = “Secret-Key Signatures” m MAC algorithm yes/no (m,) MAC algorithm forgery 10 sk sk (secret key) (secret key) Nicolas T. Courtois, January 2009 CompSec COMPGA01 Digital Signatures m signing algorithm yes/no (m,) verification algorithm forgery 11 sk pk (private key) (public key) Nicolas T. Courtois, January 2009 CompSec COMPGA01 Signatures - Requirements 1. Authenticity – 2. Non-repudiation – 3. Public verify-ability - 12 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Protocols: Security of Email 13 Nicolas T. Courtois, January 2009 CompSec COMPGA01 SMTP Protocol THE original email protocol. Plaintext commands in a telnet session. Access: No authentication or basic password-based authentication, Emails: no encryption (in cleartext) no authentication. In addition everybody can send email => epidemics of spam!!!! 14 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Standards for Secure Email Two main open standards: • PGP – – – • [Phil Zimmerman, US activist, 1991], much later became open standard GnuPG [RFC2440] some PGP products are certified by US gov NIST S/MIME [RSA Labs] – free implementation in Open SSL same general method called hybrid encryption: 15 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Hybrid Encryption random key K IV mi mi Data Encapsulation Module K block cipher + mode block cipher + mode Eve ci K ci Key Encapsulation Module r PK encryption algorithm + K “good” padding encapsulated key PK decryption algorithm + verif. padding past: setup phase pk key generation algorithm (public key) 16 Nicolas T. Courtois, January 2009 sk (private key) K CompSec COMPGA01 PKI Comparison • PGP – web of trust, totally decentralized system • • • • users can chose how much they trust each key is trust transitive? not really in particular, can also implement normal hierarchical PKI. S/MIME [RSA Labs] – uses the same standard PKI as SSL: X.509 certificates. In both cases organisations can implement their own closed PKI. 17 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Problems with PK crypto and email encryption 18 Nicolas T. Courtois, January 2009 CompSec COMPGA01 • • * Problems with the PKI Systems Cf. Ellison and Schneier: “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure” http://www.schneier.com/paper-pki.pdf Ben Laurie: Seven and a Half Non-risks of PKI. http://www.apache-ssl.org/7.5things.txt Problem 373: once done it can hardly be undone… 19 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Main Risks / Pitfalls 1. 2. Bugs? Backdoors? Source code? People/country trusted? Is it really the key of Bob? • 3. Was his real key lost or stolen (e.g. virus)? • 4. 5. size (1024 bit: expired 2010) strength (RSA-PSS 2048 bits) randomness (mouse keyboard…) Was the message changed at signing time? • 20 Revocation Lists: lists of blacklisted keys stored on an Internet server Was my key of good quality? • • • 6. 7. Certificates: trusting third parties in foreign countries Real-time substitution Did parties perform all the checks? Shall I save the message? Nicolas T. Courtois, January 2009 CompSec COMPGA01 21 Nicolas T. Courtois, January 2009 **Attack Tree for PGP © Bruce Schneier CompSec COMPGA01 Email Storage Questions: • should received and decrypted email be stored encrypted? • why when sending a message we sometimes need to add ourselves to the recipient list? 22 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Happy with Secure Email? Problems kind of solved: • confidentiality • authenticity Unsolved problems: • privacy of the recipient • privacy of the sender • hiding the existence of the message (=> Steganography). 23 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Key Establishment 24 Nicolas T. Courtois, January 2009 CompSec COMPGA01 The Need Need for a session key (a short term key): 25 Nicolas T. Courtois, January 2009 CompSec COMPGA01 What PK Encryption Can/Cannot Achieve and What Kind of Setup is Needed (PKI=Public Key Infrastructure) 26 Nicolas T. Courtois, January 2009 CompSec COMPGA01 What Is Achieved by PK Crypto ? Fact: There is no security possible to two parties that do not know each other and communicate via a public channel. [Man in the Middle] Bob Alice 27 Nicolas T. Courtois, January 2009 CompSec COMPGA01 But… Security is however possible if there is “some authenticity” available. 28 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Authentic Channel PK Crypto For example, if the channel is authentic: passive eavesdropping Bob Alice 29 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Can be done With Even Less (!) Security is however possible • [stronger] when the channel is authentic / authenticated (!!!). • [weaker] when a public key of Alice is securely hold by Bob. • [even weaker] when at least one authentic public key is hold by all parties. Can be used to certify other keys with digital signatures. ROOT OF TRUST Bob 30 Alice Nicolas T. Courtois, January 2009 CompSec COMPGA01 ROOT of TRUST PK Crypto is ALL ABOUT trading security for authenticity. (and there is no security without an authentic public key.) => Example: If Windows is hacked and there is no TPM/smart card, there is no security for e-Commerce or e-Banking. 31 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Asymmetric Techniques for Key Establishment 32 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Key Exchange by Public Discussion 33 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Diffie-Hellman Setup Diffie-Hellman Exponential Key Exchange. (brilliant idea unique in its kind…) Setup: (done once, can be the same for all users). g, a generator of Zp*. (DH works also in many other groups). also works mod n, composite n. 34 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Diffie-Hellman Exponential Key Exchange Alice a Bob b ga mod p gb mod p shared key: gab mod p 35 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Diffie-Hellman Exponential Key Exchange Alice a Bob b ga mod p gb mod p shared key: gab mod p Alice computation: (gb)a=gab mod p. Bob’s computation: (ga)b mod p. 36 Nicolas T. Courtois, January 2009 CompSec COMPGA01 MIM Attack Man In the Middle ga mod p gc mod p gc mod p Alice computes gac mod p PKCert gb mod p Bob computes gbc mod p Fix: Authenticated Diffie-Hellman PKCert CAlice, ga mod p, SignAlice(ga mod p) CBob, gb mod p, SignBob(gb mod p) 37 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Protocols: Electronic Commerce: SET vs. SSL or let the worse candidate win… 38 Nicolas T. Courtois, January 2009 CompSec COMPGA01 History See Ross Anderson, chapter 10. Secure Electronic Transaction (SET) protocol was designed by VISA and MasterCard [1996]. • Required installation of a software on each computer. • Very nice system – – • Failed to become widely adopted, – – 39 credit card numbers would never be known to merchants. the bank doesn’t need to know what people buy higher cost burden on merchants also because of much simpler SSL alternative available. Nicolas T. Courtois, January 2009 CompSec COMPGA01 TLS = Transport Layer Security Goals: • two parties not knowing each other want to communicate • more, they want to involve in business/commerce – confidentiality: protect your credit card number • – integrity => authenticity • • also protect your privacy (what I’m buying) Am I really talking to Amazon.com? Key problem: MIM Attacks. What is TLS? In a nutshell it is a standard and practical way of doing authenticated Diffie-Hellman + extra bits and pieces that were required to make it work in the real life… Originally developed by Netscape as SSL=Secure Socket Layer and patented(!) – 1994. Now open standard renamed TLS = Transport Layer Security. 40 Nicolas T. Courtois, January 2009 CompSec COMPGA01 MIM Attack Man In the Middle ga mod p gc mod p gc mod p Alice computes gac mod p PKCert gb mod p Bob computes gbc mod p Fix: Authenticated Diffie-Hellman PKCert CAlice, ga mod p, SignAlice(ga mod p) CBob, gb mod p, SignBob(gb mod p) 41 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Revision: How Kerberos solved the n2 problem… 42 Nicolas T. Courtois, January 2009 CompSec COMPGA01 TTP vs. CA, Kerberos vs. TLS As in Kerberos we need trusted parties (unless we adopt web of trust model, PGP, very hard to imagine in e-commerce). Differences: Kerberos is a symmetric system. • TTP must be online. • The TTP has all keys and must be trusted to keep them secret. • Future compromise of TTP can compromise all past sessions. TLS uses asymmetric cryptography. Much more powerful: less “exposure”. • CA is offline. Most of the time not needed at all. – • • 43 Even CRLs can be distributed in asynchronous offline way (e.g..updates). We only need CA to be trusted for authenticity and only in the past. No compromise of past sessions. Nicolas T. Courtois, January 2009 CompSec COMPGA01 TLS = Transport Layer Security Two Stages: 1. TLS Handshake: – Establish a shared key using PK crypto. • e.g. Authenticated DH • PKs are authenticated with certificates. 2. Encrypted and Authenticated Communication E+A 44 Nicolas T. Courtois, January 2009 CompSec COMPGA01 TLS = Transport Layer Security Contains lots of options for cryptographic implementation of these: negotiated crypto suite, compatibility and exportability. Example: 1. Establish shared key with authenticated D-H. 2. Encrypt + Authenticate with AES128 + SHA_1-based MAC. E+A 45 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Trouble: SSL Certificates 1) technical side 46 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Is TLS Secure? Should be… Oops, most current implementations are insecure, as it seems, due to issues with X509 certificates, as shown at Black Hat 2009 (July 2009). 47 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Trouble: SSL Certificates 2) human and practical side 48 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Main Certificate Errors • Expired certificate: – • OK if the key sizes are OK and the key was not revoked or compromised. Self-signed certificate: – The certificate's issuer is itself. • • • Incomplete certificate chain: – • can be OK, information missing to connect. Domain mismatch: – can be OK after inspection, example: • 49 common in test servers, and on intranets. Banks and online businesses should never use it. gmail.com redirected to mail.google.com Nicolas T. Courtois, January 2009 CompSec COMPGA01 Main Weakness of SSL People ignore warnings, say YES. A study by Carnegie Mellon university, 409 participants, The researchers found that the majority of respondents would ignore warnings about an expired SSL certificate. – – MOREVOER: The more tech-savvy the user, the more likely they would be to ignore it, the study found. Respondents were able to identify other risks indicated by browser certificate notifications. • 50 Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard (!!!!). Nicolas T. Courtois, January 2009 CompSec COMPGA01 Solutions? Block completely all invalid certificates! Yes, but not so easy: People will • switch to a different browser, • or hack the browser, • or downgrade it • etc… 51 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Server Side: Not a joke: frequent question on Internet forums. Q: Does anyone know where I can get a free legitimate SSL certificate for my website? Otherwise, rather than having a SSL certificate on the site, is there some sort of JAVA code which makes the site look secure? Any comments? 52 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Has Been Done Cut-&-paste attacks with JAVA, Serge LEFRANC and David NACCACHE in ICISC 2002 http://citeseer.ist.psu.edu/old/737003.html This paper describes malicious applets that use Java's sophisticated graphic features to rectify the browser's padlock area and cover the address bar with a false https domain name. The attack was successfully tested on Netscape's Navigator and Microsoft's Internet Explorer; we consequently recommend to neutralize Java whenever funds or private data transit via these browsers and patch the flaw in the coming releases. 53 Nicolas T. Courtois, January 2009 CompSec COMPGA01 Corrupting the CA Emerged around 2010. REAL certificates issued to… • maybe the government spooks (can implement man-in-the middle, can forge the web site, can eavesdrop?, etc… – • • 54 a bank can buy equipment to intercept the SSL traffic of employees… maybe criminals (not caught yet, no evidence yet) ‘somebody’ in Iran for sure… Nicolas T. Courtois, January 2009 CompSec COMPGA01 Quiz • What is a session key? • What is the minimum integrity/authenticity requirement so that two computers can securely establish a private channel, by using standard public key cryptography (e.g. SSL). • Why do we need an authenticated Diffie-Hellman? 55 Nicolas T. Courtois, January 2009