Network Security Architectures Part 1 Fundamentals Summer School on Software Security Theory to Practice

1
Network Security ArchitecturesPart 1
FundamentalsSummer School on Software Security
Theory to Practice

• Carl A. Gunter
• University of Pennsylvania
• Summer 2004

2
Public Key Infrastructure

• Mutual authentication of participants in a
  transaction requires a system of identities
• Principals are identified by public keys
• These keys can be used for authentication, but
  only if spoofing is prevented
• A Public Key Infrastructure (PKI) provides a
  basis for establishing trust

3
PKI Systems

• Three Philosophies
• Hierarchy
• ITU X.509 (DAP, PKIX)
• DNS
• Web of Trust
• PGP
• Ad hoc
• SSH
• Most research studies

4
X.509 Certificates
X.509 certificates bind a subject to a public
key. This binding is signed by a Certificate
Authority (CA).
Subject Name
Subject Public Key
CA Name
CA Signature
5
Chaining
6
Certificate Management

• Distribution How to find a certificate
• Certificate accompanying signature or as part of
  a protocol
• Directory service
• DAP
• LDAP
• DNS
• Email
• Cut and paste from web pages

• Revocation Terminate certificates before their
  expiration time.
• How does the relying party know that the
  certificate has been revoked?
• Many CRL distribution strategies proposed
• Mitre report for NIST suggests certificate
  revocation will be the largest maintenance cost
  for PKIs

7
Semantics of CRLs

• Three certificates.
• Q says P is the public key of Alice.
• R says P is the public key of Alice.
• Q says R is the public key of Bob.
• Three kinds of revocation.
• P is not the public key of Alice. (3 not 2.)
• Q no longer vouches for whether P is the public
  key of Alice. (2 and 3.)
• The key of Q has been compromised. (2 not 3.)

Revoke
1998 Fox and LaMacchia
8
Adoption of PKI

• Problems
• Revocation
• User ability to deal with keys
• Registration (challenge for all authentication
  techniques)
• Weak business model

• Areas of Progress
• SSL
• Authenticode
• SSH
• Smart cards for government employees
• Web services

9
Challenges for Network Security

• Sharing
• Complexity
• Scale
• Unknown perimeter
• Anonymity
• Unknown paths

10
Internet Layers

1. Physical
2. Link
3. Network
4. Transport
5. Application

11
Security at Layers

• Physical
• Locked doors
• Spread spectrum
• Tempest
• Link
• WEP
• GSM
• Network
• Firewalls
• IPSec

• Transport
• SSL and TLS
• Application
• S/MIME
• XMLDSIG and WS security
• Access control systems for web pages, databases,
  and file systems

12
Network Layer Security
HTTP
FTP
SMTP
TCP
IP/IPSec
13
Transport Layer Security
HTTP
FTP
SMTP
SSL or TLS
TCP
IP
14
Application Layer Security
PGP
SET
S/MIME
SMTP
HTTP
Kerberos
TCP
UDP
IP
15
Division of Labor in the Internet
Hosts
Routers
Networks
16
TCP/IP Protocol Stack
Host
Host
Router
Router
Application
Application
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
Physical
Physical
Physical
Physical
17
Communication Processing Flow
App2
App1
App2
App1
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
Link
Link
Physical
Physical
Phys
Phys
Phys
Phys
18
Typical Patchwork
App2
App1
App2
App1
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
Link
Link
Physical
Physical
Phys
Phys
Phys
Phys
19
Physical Layer Protection Issues

• Hide signal
• Spread spectrum
• Emission security
• Radio emissions (Tempest)
• Power emissions

20
Encapsulation
Link Layer Frame
Link
Link
IP
TCP
Application
Network Layer Header
Transport Layer Header
Application Layer Payload
21
One Hop Link Layer Encryption
Host
Host
Router
Router
Application
Application
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
Link
Link
22
Link Layer Encryption
Encrypted
Link
Link
IP
TCP
Application
23
End-to-End Network Security
Host
Host
Router
Router
Application
Application
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
24
Network Layer Transport Mode
Link
Link
IP
TCP
Application
Encrypted
Link
Link
IP
TCP
Application
Hdr
Tlr
25
VPN Gateway
Host
Host
Router
Router
Application
Application
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
26
Network Layer Tunnel Mode
Link
Link
IP
TCP
Application
Encrypted
Link
Link
New IP
TCP
Application
Hdr
IP
Tlr
27
Layer 3 Implementation Options

• Location
• Host
• Network
• Style
• Integrated
• Modular (for tunnel mode)

28
Modular ImplementationBump In The Stack (BITS)
App2
App1
App2
App1
Transport
Network
Transport
Security
Network
Network
Net Sec
Link
Link
Link
Link
29
Modular ImplementationBump In The Wire (BITW)
App2
App1
App2
App1
Security
Security
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
30
Implementation OptionsIntegrated on Host
App2
App1
App2
App1
Transport
Transport
Net Sec
Net Sec
Network
Network
Link
Link
Link
Link
31
Implementation OptionsIntegrated on Router
App2
App1
App2
App1
Transport
Transport
Network
Network
Net Sec
Net Sec
Link
Link
Link
Link
32
Network Security Location Options
Application
Application
End-to-End Transport
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
Application
Application
Transport
Transport
Voluntary Tunnel
Network
Network
Network
Network
Link
Link
Link
Link
Application
Application
Transport
Transport
Involuntary Tunnel
Network
Network
Network
Network
Link
Link
Link
Link
33
Transport Layer Security
Host
Host
Router
Router
Application
Application
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
34
Transport Layer Encryption
Link
Link
IP
TCP
Application
Encrypted
Link
Link
IP
TCP
Application
RH
Link
IP
TCP
App
Link
35
Message Processing Sequence
App2
App1
App2
App1
App2 Sec
App2 Sec
Transport
Transport
Network
Network
Network
Network
Link
Link
Link
Link
36
Application Layer Security
Encrypted
Link
Link
IP
TCP
Application
Key ID
37
Link Layer Security

• Advantages
• Transparent to applications
• Hardware solution possible
• Can address especially vulnerable links (viz.
  wireless)
• Disadvantages
• Hop-by-hop protection causes multiple
  applications of crypto operations
• May not provide end to end security

38
Network Layer Security

• Advantages
• Transparent to applications
• Amenable to hardware
• Flexible
• Disadvantages
• Makes routing more complex
• Flexibility introduces policy management and
  compatibility challenges

39
Transport Layer Security

• Advantages
• Transparent to applications and may be packaged
  with applications
• Exposing TCP enables compression and QoS
  classification
• Disadvantages
• Probably implemented in software
• Exposing TCP risks DoS

40
Application Layer Security

• Advantages
• Customized to application
• Requires no special protocol stack (transparent
  to networking)
• Disadvantages
• Hard to share between applications (viz.
  standardization challenge)

41
Protocols to Software

• There are important differences between
  theoretical descriptions, standards and software
• Evolution (versions, extensibility)
• Interoperability (options, negotiation)
• Error modes
• Two brief case studies
• Transport Layer Security (TLS)
• Network layer security (Ipsec)

42
Secure Socket Layer (SSL)

• Session protocol with
• Server authentication
• Client authentication optional
• Integrity checksum
• Confidentiality
• Possibly the most important security-related
  ecommerce protocol
• Session sets up security parameters
• Many connections possible within a given session
• Current version TLS 1.0 http//www.ietf.org/rfc/rf
  c2246.txt

43
X.509 Key Est. Messages

• Let DA EB(k), rA, LA, A.
• Let DB rB, LB, rA, A
• Two messages
• A -gt B certA, DA, SA(DA)
• Check that the nonce rA has not been seen, and
  is not expired according to LA. Remember it for
  its lifetime LA.
• B -gt A certB, DB, SB(DB)
• Check the rA and A. Check that rB has not been
  seen and is not expired according to LB.

44
Establish Security Capabilities
Client
Server
Client Hello
Time
Server Hello
45
Server Auth Key Exchange
Client
Server
Time
Optional
46
Client Auth Key Exchange
Client
Server
Time
Certificate
Client Key Exchange
Optional
Certificate Verification
Optional
47
Client Auth Key Exchange
Client
Server
Change Cipher Spec
Time
Finish
Change Cipher Spec
Finish
48
IPsec

• Modes
• Tunnel
• Transport
• Protocols
• Authenticated Header (AH)
• Encapsulated Security Payload (ESP)

• Configurations
• End-to-end
• Concatenated
• Nested
• Principal elements
• Security Associations (SAD)
• Internet Key Exchange (IKE)
• Policy (SPD)

49
Typical Case
S
Client
Internet
S
ESP
ESP
G
Gateway
Corporate Network
S
Server
50
Encapsulated Security Header and Trailer
16-23
23-31
0-7
8-15
Security Parameter Index (SPI)
Sequence Number
Initialization Vector
Protected Data
Pad
Pad Length
Next Header
Authentication Data
51
Security Association

• An SA describes the parameters for processing a
  secured packet from one node to another
• SAs are simplex use one for each direction
• If more than one SA is used for a packet the
  applicable SAs are called an SA bundle

52
SA Parameters (ESP Only)

• Sequence number, Sequence number overflow,
  Anti-replay window
• Lifetime
• Mode
• Tunnel destination
• PMTU
• Encryption algorithm (IV, etc.)
• Authentication algorithm

53
Policy

• Policy is not standardized in IPSec but certain
  basic functionality is expected
• A Security Policy Database (SPD) is consulted to
  determine what kind of security to apply to each
  packet
• The SPD is consulted during the processing of all
  traffic
• Inbound and outbound
• IPSec and non-IPSec

54
SPD Actions

• Discard
• Bypass IPsec
• Apply IPsec SPD must specify the security
  services to be provided.
• For inbound traffic it is inferred from
  destination address, protocol, SPI.
• For outbound traffic this is done with a selector.

55
Selectors

• Selectors are predicates on packets that are used
  to map groups of packets to SAs or impose policy
• They are similar to firewall filters
• Selector support
• Destination and source IP addresses
• Name (DNS, X.509)
• Source and destination ports (may not be
  available on inbound ESP packets use inner
  header for inbound tunnel mode)

56
IPsec Processing Outbound

• Use selectors in SPD to determine drop, bypass,
  or apply
• If apply, determine whether an SA or SA bundle
  for the packet exists
• If yes, then apply all appropriate SAs before
  dispatching
• If no, then create all necessary SAs. Apply
  these when done before dispatching

57
IPsec Processing Inbound

• If there are no IPsec headers check SPD selectors
  to determine processing discard, bypass, or apply
• If apply, then drop
• If there are IPsec headers, apply SA determined
  by SPI, destination, protocol
• Use selectors on result to retrieve policy and
  confirm correct application

58
Internet Key Exchange (IKE)

• Motivating problem Security settings (SAs) must
  be highly configurable
• Solutions
• Let network administrator manually configure SA
  (most common)
• Provide mechanism to allow automatic negotiation
  and configuration
• Can be found at http//ietf.org/internet-drafts/d
  raft-ietf-ipsec-ikev2-13.txt
• IKEv2 Current as of March 22, 2004

59
Station to Station Protocol

• A -gt B YA (Diffie-Hellman public key)
• Calculate k.
• B gt A YB, E(k, SB(YB, YA))
• Calculate k, use it to decrypt the signature,
  check the signature using the verification
  function of B and known values YB, YA.
• A -gt B E(k, SA(YA, YB))
• Decrypt the signature and check it using the
  verification function of A.

60
High-level view

• Requester
  Responder
• IKE_SA_INIT --gt
• lt-- IKE_SA_INIT
• IKE_AUTH --gt
• lt-- IKE_AUTH
• These are mandatory message exchange pairs, and
  must be executed in this order.

61
High-level view

• Initiator
  Responder
• CREATE_CHILD_SA --gt
• lt-- CREATE_CHILD_SA
• INFORMATIONAL --gt
• lt-- INFORMATIONAL
• These messages are optional and can be sent by
  either party at any time.

62
Changes from IKEv1

• 4 initialization messages instead of 8
• Decrease latency in common case of 1 CHILD_SA by
  piggybacking this onto initial message exchanges
• Protocol is reliable (all messages are
  acknowledged and sequenced)
• Cookie exchange option ensures that the responder
  does not have to commit state until initiator
  proves it can accept messages

63
Summary

• PKI provides potential scalable identities for
  the Internet but adoption has been difficult
• Network protocols are designed in layers
  security can be provided at multiple layers with
  various tradeoffs
• Theoretical protocols differ in significant ways
  from Internet standards and software