Network Security Issues, Part 2 EE 122 - Networking Prof. Vern Paxson November 25, 2013
Game Plan • Address any pending questions regarding last Monday's lecture on network security threats • Introduce basic tools of cryptography – A lot of abstraction! • Will go light on a few details
– Ask questions if properties not clear
• Discuss building secure end-to-end channels – TLS/SSL ⇒ HTTPS – Reduces most threats discussed last week to DoS
Revisiting Types of Security Goals • Attacks can subvert each type of goal – Confidentiality: eavesdropping / theft of information – Integrity: altering data, manipulating execution (e.g., code injection) – Availability: denial-of-service
• Attackers can also combine different types of attacks towards an overarching goal – E.g. use eavesdropping (confidentiality) to construct a spoofing attack (integrity) that tells a server to drop an important connection (availability)
Building Secure End-to-End Channels • End-to-end = communication protections achieved all the way from originating client to intended server – With no need to trust network intermediaries
• Dealing with threats: – Eavesdropping? • Encryption (symmetric key; public key)
– Manipulation (injection, MITM)? • Integrity (use of a MAC = Message Authentication Code)
– Impersonation? • Signatures
(
What's missing? Availability …
)
Cryptographic Toolkit: Encryption • Encryption: algorithms that encode information in a form undecipherable unless one possesses the corresponding key • Suppose Alice wants to send a message M to Bob, such that an eavesdropper, Eve, can't read it • Alice sends Bob a value E(M) computed from M • Bob then applies an inverse function D(E(M)) = M – Eve knows D, E but not key ⇒ can't recover M from E(M)
• Two basic types of such functions: – Symmetric key: same key K used to encrypt & decrypt. – Asymmetric or public-key: one key, KE, used to encrypt. A different (but related) key, KD, used to decrypt.
Symmetric-Key Encryption • Symmetric key: the same key K used to encrypt and decrypt. – Alice sends E(M, K) to Bob. – Bob applies D(E(M, K), K) = M. – Eavesdropper Eve observes E(M, K), knows E & D, but can't figure out how to get M from it unless she knows K
• Requirements: – Alice and Bob have to agree on K in advance – K must be kept secret
• Example algorithms: AES, DES, 3DES – Typical key lengths today: 128 or 256 bits – Encryption & decryption can be computed very efficiently
Cryptographic Toolkit: Integrity • Suppose Alice wants to make sure her message M sent to Bob isn't altered by a Man-in-the-Middle (MITM) along the way • Alice computes and also sends a Message Authentication Code (MAC) using a separate key shared between Alice & Bob – I.e., Alice sends both E(M, K1) and MAC(M, K2)
• Upon receipt, Bob verifies that MAC(D(E(M, K1), K1), K2) = MAC(M, K2) • MITM doesn't know K2, so can't construct valid MAC to match their altered message – If MITM alters message, Bob detects this & discards
Asymmetric / Public-Key Encryption • Asymmetric: one key KE used to encrypt; different, related key KD used to decrypt. – Alice sends E(M, KE) to Bob. – Bob applies D(E(M, KE), KD) = M. – Eavesdropper Eve can't recover M unless knows KD.
• Knowing KE doesn't help! Infeasible to figure out KD from KE.
• Requirements: – Alice needs KE, but it doesn't have to be secret Bob can tweet it or stick it on Bob's web page! – KD must be kept secret; only Bob knows it. (Alice doesn’t!)
• Example algorithms: RSA, El Gamal – Typical key lengths today: 1024 or 2048 bits – Computations not nearly as efficient as for symmetric-key
Cryptographic Toolkit: Signatures • Suppose Alice wants people to trust that some message she wrote, M, was indeed generated by her – In the physical world, she would add her signature to a paper document with the statement
• Suppose Alice uses public-key cryptography and has a public/private key pair, APub and APrivate – APub is well known as being Alice's – Alice keeps APrivate secret
• Recall that E(•, APub) and D(•, APrivate) are inverses • Alice now includes* with M the value S = D(M, APrivate) • Anyone who wants to verify the signature for M computes E(S, APub) = E(D(M, APrivate), APub) = M – If result of computation indeed yields M, whomever constructed S must know APrivate, so presumably it must have been Alice
Cryptographic Toolkit: Signatures • Suppose Alice wants people to trust that some message she wrote, M, was indeed generated by her – In the physical world, she would add her signature to a paper document with the statement
• Suppose Alice uses public-key cryptography and has a public/private key pair, APub and APrivate – APub is well known as being Alice's – Alice keeps APrivate secret
• Recall that E(•, APub) and D(•, APrivate) are inverses • Alice actually includes with M the value S = D(H(M), APrivate) – H is a cryptographically strong (non-invertible) hash function • Well-known, no key
– Thus, verifying E(S, APub) = E(D(H(M), APrivate), APub) = H(M) doesn’t leak information about M – (we’ll now leave this out for simplicity)
Signatures, con't • Important: note that digital signatures are bound to a given document – Unlike physical signatures, which might be “lifted” and applied elsewhere
• If Eve possesses a particular digital signature generated by Alice for message M, that doesn't give Eve any ability to forge other messages seemingly from Alice – And in general, possession of APub doesn't let one do anything other than:
• Verify signatures purportedly generated by Alice • Encrypt messages that only Alice can read
• However: if Eve gets copy of APrivate,then all bets are off – Eve can forge Alice's signature for any document Eve wishes – Eve can read any messages meant to be just for Alice
(Digital) Certificates • One prominent use of digital signatures: attesting to someone else's public key • Suppose Bob wants to communicate securely w/ Alice, but doesn't have Alice's public key APub – Alice can't just transmit APub to Bob (why not?)
• Suppose Bob knows & trusts Charlie, and has CPub • Previously, Alice got Charlie to sign a message: “Alice's public key is APub” (a “certificate”)
• Alice can now send Bob her public key APub along w/ M = “Alice's public key is APub”, S = D(M, CPrivate)
• If Bob trusts Charlie, he can verify that Charlie believes Alice's key is Apub ⇒ Bob confidently obtains Apub
(Digital) Certificates • Suppose Bob knows & trusts Charlie, and has CPub • Previously, Alice got Charlie to sign a message: “Alice's public key is APub” (a “certificate”)
• Suppose instead Alice got Daphne to sign the “cert” – Using Daphne’s public/private key pair DPrivate / DPub – But: Bob doesn’t know Daphne. What to do?
• If Charlie knows Daphne, then Alice could give Bob M1 = “Daphne’s public key is DPub” M2 = “Alice’s public key is APub” S1 = D(M1, CPrivate), S2 = D(M2, DPrivate)
• Bob first verifies S1 (since knows CPub and trusts Charlie) … then S2 (since now has/trusts DPub) ⇒ Bob confidently obtains Apub
Building A Secure End-to-End Channel: SSL/TLS • SSL = Secure Sockets Layer (predecessor) • TLS = Transport Layer Security (standard) – Both terms used interchangeably
• Notion: provide means to secure any application that uses TCP
SSL/TLS In Network Layering 7
Application
7
Application
7
SSL / TLS
4
Transport
4
Transport (TCP)
3
(Inter)Network
3
(Inter)Network
2
Link
2
Link
1
Physical
1
Physical
Building A Secure End-to-End Channel: SSL/TLS • SSL = Secure Sockets Layer (predecessor) • TLS = Transport Layer Security (standard) – Both terms used interchangeably
• Notion: provide means to secure any application that uses TCP – Secure = encryption/confidentiality + integrity + authentication (of server, but not of client) – E.g., puts the 's' in “https”
Regular web surfing - http: URL
But if we click here …
Web surfing with TLS/SSL - https: URL
Note: Amazon makes sure that all of these images, etc., are now also fetched via https: URLs. Doing so gives the web page full integrity, in keeping with end-to-end security. (Browsers do not provide this “promotion” automatically.)
Building A Secure End-to-End Channel: SSL / TLS • SSL = Secure Sockets Layer (predecessor) • TLS = Transport Layer Security (standard) – Both terms used interchangeably
• Notion: provide means to secure any application that uses TCP – Secure = encryption/confidentiality + integrity + authentication (of server, but not of client) – E.g., puts the 's' in “https”
• API similar to socket interface used for regular network programming – Fairly easy to convert an app to be secured
HTTPS Connection (SSL / TLS)! • Browser (client) connects via Browser TCP to Amazon's HTTPS server • Client picks 256-bit random number RB, sends over list of crypto protocols it supports • Server picks 256-bit random number RS, selects protocols to use for this session • Server sends over its certificate • (all of this is in the clear) • Client now validates cert
SYN C SYN A
Amazon Server
K
A CK Hell o (TLS . My rn d (SSL +RSA+A # = R . For MACs B I +RS E A+3 S128+S suppor DES t +MD HA1) or 5) or … t's use e L . d # = R S S128+SHA1 n r y M A+AE S R + S TL y cert m s ' e r He
data f o KB 3 2 ~
HTTPS Connection (SSL / TLS), con't! • For RSA, browser constructs long (368 bits) “Premaster Secret” PS
Browser
• Browser sends PS encrypted using Amazon's public RSA key KAmazon PS • Using PS, RB, and RS, browser & server derive symm. cipher keys (CB, CS) & MAC integrity keys (IB, IS) – One pair to use in each direction
cert y m s ' e Her
Amazon Server
ta a d f B o K 3 ~2 {PS} KAma zon
PS
HTTPS Connection (SSL / TLS), con't! • For RSA, browser constructs long (368 bits) “Premaster Secret” PS
Browser
• Browser sends PS encrypted using Amazon's public RSA key KAmazon PS • Using PS, RB, and RS, browser & server derive symm. cipher keys (CB, CS) & MAC integrity keys (IB, IS)
cert y m s ' e Her
Amazon Server
ta a d f B o K 3 ~2 {PS} KAma
– One pair to use in each direction
These seed a cryptographically strong pseudo-random number generator (PRNG). Then browser & server produce CB, CS, etc., by making repeated calls to the PRNG.
zon
PS
HTTPS Connection (SSL / TLS), con't! • For RSA, browser constructs long (368 bits) “Premaster Secret” PS
Browser
• Browser sends PS encrypted using Amazon's public RSA key KAmazon PS • Using PS, RB, and RS, browser & server derive symm. cipher keys (CB, CS) & MAC integrity keys (IB, IS) – One pair to use in each direction
• Browser & server exchange MACs computed over entire dialog so far • If good MAC, Browser displays • All subsequent communication encrypted w/ symmetric cipher (e.g., AES128) cipher keys, MACs – Messages also numbered to thwart replay attacks
cert y m s ' e Her
Amazon Server
ta a d f B o K 3 ~2 {PS} KAma zon
MAC( dialog ,IB )
PS
,I S) g o l a i MAC(d
{M , M 1 AC(M 1 ,IB )} C
B
,I S)} C S M ( 2 C , MA
{M 2
HTTPS Connection (SSL / TLS)! • Browser (client) connects via Browser TCP to Amazon's HTTPS server • Client picks 256-bit random number RB, sends over list of crypto protocols it supports • Server picks 256-bit random number RS, selects protocols to use for this session • Server sends over its certificate • (all of this is in the clear) • Client now validates cert
SYN C SYN A
Amazon Server
K
A CK Hell o (TLS . My rn d (SSL +RSA+A # = R . B I +RS E A+3 S128+S suppor DES t +MD HA1) or 5) or … t's use e L . d # = R S S128+SHA1 n r y M A+AE S R + S TL y cert m s ' e r He
data f o KB 3 2 ~
Certificates • Cert = signed statement about someone's public key – Note that a cert does not say anything about the identity of who gives you the cert – It simply states a given public key KAlice belongs to Alice…
• … and backs up this statement with a digital signature made using a different public/private key pair, say from Alice
• Alice then can prove her identity to you by you sending her something encrypted with KAlice … – … which she then demonstrates she can read
• … or by signing something she demonstrably uses • Works provided you trust that you have a valid copy of cert signer Charlie’s (or Daphne’s) public key … – … and you trust Charlie to use prudence when he signs other people's keys, such as Alice’s
Inside the Server's Certificate! • Domain name associated w/ cert – e.g., amazon.com
• Amazon's public key (e.g., 2048 bits for RSA) • A bunch of auxiliary info (physical address, type of cert, expiration time) • Name of certificate's issuer (e.g., Verisign) • Optional URL to revocation center to check for revoked certificates • A public-key signature of all of this – Constructed using the issuer's private RSA key – Call this signature S
Validating Amazon's Identity! • Browser compares domain name in cert w/ URL – Note: this provides an end-to-end property (as opposed to say a cert associated with an IP address)
• Browser accesses separate cert belonging to issuer – These are hardwired into the browser - trusted! – There could be a chain of these …
• Browser applies issuer's public key to verify signature S indeed valid for Amazon’s cert • Assuming a match, now have high confidence it's indeed Amazon … – assuming signatory is trustworthy
= assuming private key not stolen; assuming didn't sign thoughtlessly
End-to-End ⇒ Powerful Protections • Attacker runs a sniffer to capture our WiFi session? – (maybe by breaking crummy WEP security) – But: encrypted communication is still unreadable • No problem!
• DNS “cache poisoning”? – Client goes to wrong server – But: detects impersonation • No problem!
• Attacker hijacks our connection, injects new traffic – But: data receiver rejects it due to failed integrity check • No problem!
Powerful Protections, con't • DHCP spoofing? – Client goes to wrong server – But: detects impersonation • No problem!
• Attacker manipulates routing to run us by an eavesdropper or take us to the wrong server? – But: they can't read; we detect impersonation • No problem!
• Attacker slips in as a Man In The Middle? – But: they can't read, they can't inject – They can't even replay previous encrypted traffic – No problem!
Validating Amazon's Identity, con't! • Browser retrieves cert belonging to the issuer – These are hardwired into the browser - trusted!
• What if browser can't find a cert for the issuer?
Validating Amazon's Identity, con't! • Browser retrieves cert belonging to the issuer – These are hardwired into the browser - trusted!
• What if browser can't find a cert for the issuer? • If it can't find the cert, then warns the user that site has not been verified – Note, can still proceed, just without authentication
• Q: Which end-to-end security properties do we lose if we incorrectly trust that the site is whom we think?
• A: All of them! – Goodbye confidentiality, integrity, authentication – Attacker can read everything, modify, impersonate
SSL / TLS Limitations! • Properly used, SSL / TLS provides powerful endto-end protections • So why not use it for everything?? • Issues: – Cost of public-key crypto o Takes non-trivial CPU processing (but today a minor issue) o Note: symmetric key crypto on modern hardware is non-issue
– Hassle of buying/maintaining certs (fairly minor)
SSL / TLS Limitations! • Properly used, SSL / TLS provides powerful endto-end protections • So why not use it for everything?? • Issues: – Cost of public-key crypto o Takes non-trivial CPU processing (but today a minor issue) o Note: symmetric key crypto on modern hardware is non-issue
– Hassle of buying/maintaining certs (fairly minor) – Denial-of-service vulnerability o Client can force server to undertake public key operations o But: requires established TCP connection, and given that, there are other juicy targets like back-end databases
– Integrating with other sites that don't use HTTPS – Latency: extra round trips ⇒ pages take longer to load
SSL / TLS Limitations, con't! • Problems that SSL / TLS does not take care of ? • TCP-level denial of service – SYN flooding – RST injection o (but does protect against data injection!)
• SQL injection / XSS / server-side coding/logic flaws • Vulnerabilities introduced by server inconsistencies
Regular web surfing - http: URL So no integrity - a MITM attacker can alter pages returned by server …
And when we click here … … attacker has changed the corresponding link so that it's ordinary http rather than https! We never get a chance to use TLS's protections! :-(
“sslstrip” attack
SSL / TLS Limitations, con't! • Problems that SSL / TLS does not take care of ? • TCP-level denial of service – SYN flooding – RST injection o (but does protect against data injection!)
• SQL injection / XSS / server-side coding/logic flaws • Vulnerabilities introduced by server inconsistencies
• Browser coding/logic flaws • User flaws – Weak passwords – Phishing
• Issues of trust …
TLS/SSL Trust Issues, con't • “Commercial certificate authorities protect you from anyone from whom they are unwilling to take money” – Matt Blaze, circa 2001
• So how many CAs do we have to worry about, anyway?
TLS/SSL Trust Issues • “Commercial certificate authorities protect you from anyone from whom they are unwilling to take money” – Matt Blaze, circa 2001
• So how many CAs do we have to worry about, anyway? • Of course, it's not just their greed that matters …
TLS/SSL Trust Issues • “Commercial certificate authorities protect you from anyone from whom they are unwilling to take money” – Matt Blaze, circa 2001
• So how many CAs do we have to worry about, anyway? • Of course, it's not just their greed that matters … • … and it's not just their diligence & security that matters … – “A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.” - Matt Blaze, circa 2010
Note: the cert is “forged” in the sense that it doesn't really belong to Gmail, PayPal, or whomever. But it does not appear forged because it includes a legitimate signature from a trusted CA.
TLS/SSL Trust Issues • “Commercial certificate authorities protect you from anyone from whom they are unwilling to take money” – Matt Blaze, circa 2001
• So how many CAs do we have to worry about, anyway? • Of course, it's not just their greed that matters … • … and it's not just their diligence & security that matters … – “A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.” Matt Blaze, circa 2010
• You also have to trust the developers of libraries … – Both for clients when validating certs …
TLS/SSL Trust Issues • “Commercial certificate authorities protect you from anyone from whom they are unwilling to take money” – Matt Blaze, circa 2001
• So how many CAs do we have to worry about, anyway? • Of course, it's not just their greed that matters … • … and it's not just their diligence & security that matters … – “A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.” - Matt Blaze, circa 2010
• You also have to trust the developers of libraries … – Both for clients when validating certs … – and servers when generating certs
Survey found bug affected ~1.5% of HTTPS web server certs