Security Case Studies: Needham-Schroeder, Kerberos, SSL, and Public Key Encryption, Study notes of Operating Systems

Download Security Case Studies: Needham-Schroeder, Kerberos, SSL, and Public Key Encryption and more Study notes Operating Systems in PDF only on Docsity! 1 CS 5523 Lecture 25: Security Case Studies ❚ Review scenarios ❚ Needham-Schroeder ❚ Brief summary of common algorithms ❚ Kerberos ❚ Secure Socket Layer Simplified overview of secret key encryption: Encrypted message: E(K, M) = {M}K Decrypted message: D(K, E(K, M)) = D(K, {M}K) = M It is hard to get M from {M}K without knowing K 2 Scenario 1. Secret communication with shared secret key Alice and Bob share a secret key KAB. Alice wants to send a secret message M to Bob. 1. Alice uses KAB and an agreed encryption function E(KAB, M) to encrypt and send message M to Bob 2. Bob reads the encrypted messages using the corresponding decryption function D(KAB, M) How can Bob and Alice safely get the shared key KAB? How can Bob know that M wasn’t a replay? Scenario 2. Authenticated communication with a server Alice wants to access Bob’s files on a local file server. Sara is a trusted authentication server that holds passwords and current secret keys. 1. Alice sends a message to Sara asking for a ticket to access Bob 2. Sara sends Alice a response encrypted with KA that is a ticket encrypted with KB and a new secret key KAB for communication: {{ticket}KB, KAB} KA 3. Alice decrypts response with KA 4. Alice sends ticket, her ID and request R to Bob: {ticket}KB, Alice, R 5. Bob decrypts ticket using KB (the ticket was {KAB, Alice} KB ) This is the simplified scenario for Kerberos. KAB is the session key. 5 Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.5 Public-key certificate for Bob’s Bank 1. Certificate type: Public key 2. Name: Bob’s Bank 3. Public key: KBpub 4. Certifying authority: Fred – The Bankers Federation 5. Signature: {Digest(field 2 + field 3)}KFpriv Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.13 X509 Certificate format Subject Distinguished Name, Public Key Issuer Distinguished Name, Signature Period of validity Not Before Date, Not After Date Administrative information Version, Serial Number Extended Information 6 Some popular encryption schemes: ❚ TEA = tiny encryption algorithm – Wheeler and Needham, 1994 uses 32 rounds with combinations of XOR, text shifts ❚ DES = Data Encryption Standard – National Bureau of Standards 1977 – obsolete because of short keys – successfully cracked by brute force attacks in 1997 and a machine was built in 1998 that could crack keys in 3 days. Replaced by AES (Advanced Encryption Standard, NIST 1999) ❚ RSA – Rivest Shamir and Adelman – public key encryption based on factoring products of large primes – widely used (RSA’s patent just expired) Some popular encryption schemes (continued): ❚ 3DES = triple-DES – ANSI 1985 – apply DES 3 times with two keys – very slow ❚ IDEA = International Data Encryption Algorithm – Lai and Massey, 1990 – based on group algebra with 8 rounds of XOR ❚ MD5 = used for data digests – Rivest 1992 – four rounds applying 4 nonlinear functions to each of 16 32-bit segments ❚ SHA - NIST 1995 – based on Rivest’s MD4 algorithm to produce a 160 bit digest 7 Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.14 Performance of encryption and secure digest algorithms Key size/hash size (bits) Extrapolated speed (kbytes/sec.) PRB optimized (kbytes/s) TEA 128 700 - DES 56 350 7746 Triple-DES 112 120 2842 IDEA 128 700 4469 RSA 512 7 - RSA 2048 1 - MD5 128 1740 62425 SHA 160 750 25162 Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.15 The Needham–Schroeder secret-key authentication protocol Header Message Notes 1. A->S: A, B, NA A requests S to supply a key for communicationwith B. 2. S->A: {NA , B, KAB, {KAB, A}KB}KA S returns a message encrypted in A’s secret key, containing a newly generated key KAB and a ‘ticket’ encrypted in B’s secret key. The nonce NA demonstrates that the message was sent in response to the preceding one. A believes that S sent the message because only S knows A’s secret key. 3. A->B: A sends the ‘ticket’ to B. 4. B->A: B decrypts the ticket and uses the new key KAB to encrypt another nonce NB. 5. A->B: A demonstrates to B that it was the sender of the previous message by returning an agreed transformation of NB. {KAB, A}KB {NB}KAB {NB - 1}KAB 10 Secure socket layer (SSL) - continued ❚ SSL Record Protocol layer implements a secure channel that encrypts and authenticates message through any connection- oriented protocol ❚ SSL Handshake Layer – has three modules: ❙ SSL handshake protocol ❙ SSL change cipher specification ❙ SSL alert protocol ❚ Implemented as application level libraries ❚ Widely uses as a session-layer protocol ❚ In web servers the https URLs initiate a SSL connection ❚ Provides a practical hybrid security scheme ❚ Requires public-key certificates issued by a recognized authority Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.17 SSL protocol stack SSL Handshake protocol SSL Change Cipher Spec SSL Alert Protocol Transport layer (usually TCP) Network layer (usually IP) SSL Record Protocol HTTP Telnet SSL protocols: Other protocols: 11 Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.18 SSL handshake protocol Client Server ClientHello ServerHello Certificate Certificate Request ServerHelloDone Certificate Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Establish protocol version, session ID, cipher suite, compression method, exchange random values Optionally send server certificate and request client certificate Send client certificate response if requested Change cipher suite and finish handshake Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.19 SSL handshake configuration options Component Description Example Key exchange method the method to be used for exchange of a session key RSA with public-key certificates Cipher for data transfer the block or stream cipher to be used for data IDEA Message digest function for creating message authentication codes (MACs) SHA 12 Instructor’s Guide for Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 © Addison-Wesley Publishers 2000 Figure 7.20 SSL record protocol Application data abcdefghi abc def ghiRecord protocol units Compressed units MAC Encrypted TCP packet Fragment/combine Compress Hash Encrypt Transmit For next time: ❚ Review