Introduction to PKI Technology

Version 1.5
Elaborated by Sylvain Maret & Cédric Enzler October 1999 Rev. 1.5: August 2000

1

Course Map Day One
x x

Introduction Key Terms
Cryptosystems x Services, Mechanisms, Algorithms
x

x x x

Cryptography in History Cryptanalysis Secret-Key Cryptography
AES x Lab exercise 1
x

Course Map Day One
x

Public-Key Cryptography
RSA x Diffie-Hellman
x

x

Message Digests
x

Lab exercise 2

x x x

Random Numbers Key Length Lab exercise 3
x

File encryption

2

Course Map Day One
x x

Message Authentication Code (MAC, HMAC) Digital Signature
x

RSA, DSS / DSA, ElGamal

x

Hybrid Cryptosystems
RSA Key Wrapping x Diffie-Hellman
x

x

Lab exercise 4
x

PGP (encryption and signature)

Course Map Day One
x x x

PKCS Standard Smart Card Lab exercise 5
SSH x SSH Tunneling
x

x

End of day one

3

Course Map Day Two
x x x

Questions to day one ? Revision quiz ! PKI introduction
Digital certificates x X.509 certificates (Demo) x Certificate Revocation (Demo) x Certification Authorities x RA, LRA x Data Repositories (LDAP)
x

x

S/MIME: How it works ?

Course Map Day two
x

Lab exercise 6
x

S/MIME and LDAP

x x

SSL: How it works ? Lab exercise 7
x

Web server SSL Client SSL authentication

x

Lab exercise 8
x

x

End of day two

4

Course Map Day Three
x x

Questions to day two ? Lab exercise 9
x

Smart Card installation (PKCS #11) Playing the security officer with Keon Certificate Server Revocation with client SSL authentication

x

Lab exercise 10
x

x

Lab exercise 11
x

x

IPSEC: How it works ?

Course Map Day Three
x

Lab exercise 12
x

IPSEC (SecuRemote Checkpoint) IPSEC Cisco with CEP

x

Demo
x

x

Cases study
VPN RadGuard x Secure Gate
x

x x x

Encryption references sites Open discussion End of day three

5

Course Objectives
x

Understand cryptographic fundamentals and how cryptographic technology is applied in a Public Key Infrastructure Know the elements of Public Key Infrastructure and how they interact with each other Understand and be able to describe some of the practical applications of PKI Understand why PKI is an attractive technology to enable e-commerce and enhance security

x

x

x

Lab Topology

Ayrton: SSL Ayrton: SSL

Cerbere: CA Cerbere: CA LDAP, Mail LDAP, Mail

Router IPsec Router IPsec

Checkpoint fw1 Checkpoint fw1

Londron Londron

Rome Rome

Paris Paris

Madrid Madrid

Geneve Geneve

Berlin Berlin

Newton: DNS, SSH Newton: DNS, SSH

6

Lab Topology
x x x x

Domain name: pki.datelec.com Password: abc123 for all applications Be careful! You are an administrator Email: SiteName@pki.datelec.com Do not forget to change name site for labs!
For Labs, you will work together with a partner (London and Rome for instance)

x

Lab applications
x

E-mail
Netscape (example labs) x Outlook 98 x Lotus notes
x

x

Internet browsers
Netscape fortified (domestic) x Microsoft Internet Explorer 5.0 export
x

x x x

SSH Client Ldap Browser etc.

7

PKI, WHY?
x x

The rise of public data networks. Internet is a new platform for business relationships: E-business Business rules need to be “translated” into this new “language”. Hope behind PKI: to preserve classical business rules in this new virtual world.

x

x

Drawbacks for E- business
x

x

Let’s say you have an electronic contract which you need to distribute to another party over the Internet… With existing Internet tools like www and e-mail you lose a lot compared to paper
x x x

No assurance that the contract has been signed No guarantee that the contract is authentic No assurance of the contract’s source

x

Basically, it is worth than the paper where everything is printed on!

8

About needs...
x x x x

You need to know who you are dealing with (Authentication) You need to keep private things private (Confidentiality) You need to make sure that people do not cheat (Non-Repudiation) You need to be sure that information has not been altered (Integrity)

If PKI is the answer then…
What is the question?

On the Internet no one knows you're a dog!

9

Key Terms
x

A message will be defined as plaintext or cleartext The process of disguising a message to hide its substance is encryption The encrypted message is referred to as ciphertext Decryption is the process turning ciphertext back into plaintext

x

x

x

Key Terms
x

Cryptography is the science allowing messages to be kept secure Cryptoanalysis is the art and science of breaking ciphertext Cryptology is the mathematics field Cryptologist are theoretical mathematicians

x

x

x

10

Cryptosystems
x

A cryptosystem is a collection of cryptographic algorithms, cryptographic keys, and all possible plaintexts and theirs corresponding ciphertexts.

Security Services
x

Authentication: Provides the assurance of someone’s identity Confidentiality: Protects against disclosure to unauthorized identities Non-Repudiation: Protects against communications originator to later deny it Integrity: Protects from unauthorized data alteration

x

x

x

11

Security Mechanisms
x

Three basic building blocks are used:
Encryption is used to provide confidentiality and integrity protection x Digital Signatures are used to provide authentication, integrity protection and nonrepudiation x Checksums / hash algorithms are used to provide integrity protection and can provide authentication
x

One or more security mechanisms are combined to provide a security service

Cryptography Algorithms
x

All Cryptosystems are based on only three algorithms:
1 - Secret-Key algorithms x 2 - Public-Key algorithms x 3 - Message-Digest algorithms
x

12

Services, Mechanisms, Algorithms
A typical security protocol provides one or more services
SSL, IPSEC, TLS, SSH, etc...

Services
Hashing

Signatures

Encryption

Mechanisms

DSA

RSA

RSA

DES

SHA

MD5 Algorithms

Services are built from Mechanisms Mechanisms are implemented using Algorithms

Security Protocol Layers
S/MIME, PGP

Application Presentation Session Transport Network DataLink Physical

Application Presentation

SSL, TLS, SSH IPSEC Hardware link encryption

Session Transport Network DataLink Physical

The further down you go, the more transparent it is The further up you go, the easier it is to deploy

13

Cryptography in History
x

2000 B.C. Hieroglyphics
x

Cryptography as an Art

x

Ancient Chinese
x

First to transform messages in Ideographs for privacy First “Networks spies” using phonetics encryption (Javanese or reverse speaking) Numbers associate to letters (cuneiform table)

x

India
x

x

Mesopotamia
x

Cryptography in History
x

ATBASH cipher: In the Bible
x x

ABCDEFGH… (clear) ZYXWVU…(encrypted)

x

Skytale Cipher (Greek)
x x

key: stick papyrus enrolled

x

Polybius square (Greek)

14

Cryptography in History
x

Runiques Stones by Vikings (Arts)

Cryptography in History
x

World War II:
x x

Electromechanical cryptography Rotor based machine transforming plaintext into ciphertext, using electrical signals as encryption key
x Example:

Enigma machine used by Germans x Ciphers were not new, but their processing was…
x

1970-today:
x

New ciphers: based on numbers properties issued from Mathematical theories
x RSA:

Prime numbers factorization x Diffie-Hellman: discrete logarithm x ECDSA: Elliptic curve cryptography

15

Cryptanalysis
x

Two categories of security levels
x

Computationally secure:
x Question

of time and money (Brute force attack) x (Most of the cryptosystems: DES, 3DES, IDEA, RSA, DH etc.)
x

Unconditionally secure:
x Can

“never” be broken independently of the resources x One-time pads

Several Cryptanalytic Attacks
x

Ciphertext only
x

Brute force attack and dictionary attacks on keys Start from a known ciphertext and try to appear as someone else to get information from others behavior Derive the key from knowledge of both plain and ciphertext

x

Chosen ciphertext
x

x

Known Plain ciphertext
x

16

Secret-Key Cryptography
x x x

x

Use a secret key to encrypt a message into a ciphertext Use the same key to decrypt the ciphertext into the original message Secret-key cryptography is referred also as symmetric cryptography or conventional cryptography The secret key is also known as session key or bulk encryption key

Secret-Key Cryptography
x

Let us imagine Alice and Bob who use Secret-Key to protect their messages
Ciphertext Ciphertext Plaintext Plaintext

Plaintext Plaintext

Secret-Key Secret-Key

17

Secret-Key Cryptography
x

How to share the Secret-Key ?
x

Alice and Bob can use the phone, fax, a meeting point, etc.

x

But!?:
Could someone steal the key? x How to proceed without partner knowledge?
x

Secret-Key Cryptography
x

The Advantages
Implementation is efficient to encrypt large volume of data (100 to 1’000 faster than Public-Key Cryptography) x Simple to implement in either software or hardware x Most of the algorithms are well know and secure x Seem to be safe to brute force attack x Widely used
x

18

Secret-Key Cryptography
x

The Disadvantages
Hard to share Secret-Keys x Large number of keys x No non-repudiation (Signature) x Subject to interception (Secret-Key)
x

Secret-Key Cryptography
x

Number of needed keys
x

Suppose Alice, Bob and Chris want to use SecretKey Cryptography! x They need only 3 keys

19

Secret-Key Cryptography
x

Increase of keys number
x

Suppose they want to add Dawn and Eric x Now they need ten keys

Secret-Key Cryptography
x

If n persons want to communicates we have this formula:
x

Key’s number = ((n)*(n-1)) / 2

x

As example: A company of 60’000 people = 1’799’970’000 keys!

20

Secret-Key Cryptography
x

Block cipher: Encrypts data in predefined block size
x

Most well-known ciphers are block ciphers

x

Stream cipher: Encrypts data stream, one-bit at the time
x

Only few algorithms use it

Secret-Key Cryptography
x

Common Secret-Key Ciphers
DES x Triple DES (3DES) x RC2 x IDEA x Blowfish x CAST-128 x Skipjack x RC4 (Stream cipher) x etc.
x

21

Secret-Key Cryptography
x

DES
Data Encryption Standard (1973) by IBM x World Standard for 20 years x DES was broken in 22 hours (DES challenge III, January 18th, 1999) x Key size = 56 bits x Block cipher
x

x

Recommendation: should be replaced by 3DES for high confidentiality requirements !
http://www.rsa.com/rsalabs/challenges/

Secret-Key Cryptography
x

Triple DES (3DES)
Block cipher x Encrypt + decrypt + encrypt with 2 (112 bits) or 3 (168 bits) DES keys x DES’s replacement for Banking (1998)
x

x

Recommendation: Use it for high confidentiality!

22

Secret-Key Cryptography
x

RC2
Designed by Ron Rivest from RSA x Block cipher x Key size = up to 2048 x Encryption speed: independent from the key size x Trade secret from RSA, posted on the net in 1996 x Designed as a DES’ replacement x Faster than DES
x

x

Recommendation: like DES but faster!

Secret-Key Cryptography
x

CAST-128
Designed by C.Adams and S. Tavares (1993) x Block cipher x Key size = 128 bits x Used in PGP 5.x
x

x

Recommendation: unknown

23

Secret-Key Cryptography
x

IDEA
International Data Encryption Algorithm x Designed by X.Lai and J. Massey (ETH Zurich) in 1990 x Block cipher x Key size = 128 bits x More efficient than DES for software implementation x Used in PGP
x

x

Recommendation: Better than DES

Secret-Key Cryptography
x

Blowfish
Designed by B. Schneier in 1993 x Optimized for high-speed execution on 32-bit processors x Block cipher x Key size = up to 448 bits key
x

x

Recommendation: Use for fast performances and with a maximum key size

24

Secret-Key Cryptography
x

Skipjack
Designed by NSA (National Security Agency) x Block cipher x Key size = 80 bits
x

x

Recommendation: Inadequate for long term security (key size too short)

Secret-Key Cryptography
x

GOST
Acronym for “GOsudarstvennyi STandard” x Russian answer to DES x Key size = 256 bits
x

x

Recommendation: Incompletely specified to give an answer...

25

Secret-Key Cryptography
x

RC4
x x x x x x x

Designed by Ron Rivest from RSA Stream cipher Key size = up to 2048 bits Optimized for fast software implementation Trade secret from RSA, posted on the net in 1994 Very fast Used in SSL, Lotus Note, Windows password encryption, Oracle etc.

x

Recommendation: Highly recommended for long keys (>40 bits)

Secret-Key Cryptography
x

Many, many others
x

There is no good reason not to use one of above proven algorithms!

26

Secret-Key Relative Performance
FAST

RC4 Blowfish, CAST-128 Skipjack DES, IDEA, RC2 3DES, GOST

SLOW

AES
x x

x x x

National Institute of Standard and Technology expressed a formal call for algorithm on 09.1997 The aim is to define the “next century’s” symmetric encryption standard or Advanced Encryption Standard AES1 conf. (08.98): 15 potential candidates AES2 conf. (03.99): 5 retained candidates Final choice expected for summer 2001

27

AES candidates
x x x x x

MARS (IBM) RC6 (RSA Laboratories) Rijndael (J. Daemen, V. Rijmen) Serpent (R. Anderson, E. Biham, L. Knudsen) Twofish (B. Schneier - Counterpane)

AES requirements
x x

x

Block cipher of minimum 128 bits Must implement symmetric keys of 128, 192, 256 bits Must be efficient on software and hardware basis (high speed encryption)

Http://www.counterpane.com/aes-comparison.html

28

Secret-Key Cryptography
x

Use a symmetric encryption to encrypt a text file (DES and IDEA) Time: 15 minutes
x

x

P.27

Public-Key Cryptography
x x x x x

x

Use two distinct keys, one public and one private The private is kept secret The public can be freely shared Referred as asymmetric cryptography A public-key and its corresponding key are mathematically related A public-key and its associated private-key are called a key-pair

29

Public-Key Cryptography
x

x

A message encrypted with a public-key can be only decrypted by the private-key A message encrypted with a private-key can be only decrypted by the public-key (Signature)

Public-Key Cryptography
x

Suppose Alice wants to send a message to Bob using Public-Key Cryptography
Ciphertext Ciphertext Plaintext Plaintext

Plaintext Plaintext

Bob’s public key Bob’s public key

Bob’s private key Bob’s private key

30

Public-Key Cryptography
x

How to obtain the public-key ?
Any publishing way can be used to get the publickey (Directory servers, Phone, Web server, Newspapers etc.) x No more confidentiality issues in key distribution
x

Public-Key Cryptography
x

Advantages
No secret sharing x Fewer keys x No prior relationship needed x Easier to administrate x Offers useful mechanisms like digital signature (offering non repudiation)
x

31

Public-Key Cryptography
x

Disadvantages
Not efficient (slow) to encrypt large volume of data x Keys need to be much longer than with secret-key encryption x Impossible to encrypt a plaintext with size > key
x

Types of public-key algorithm
x

A public-key algorithm is reversible if encryption and decryption can be processed with either a private or a public-key A public-key algorithm is irreversible if a privatekey is mandatory for encryption Key exchange algorithm: neither used for encryption nor decryption (Diffie-Hellman)

x

x

32

RSA
x x x

x x x

Inventors: Rivest, Shamir, Adleman in 1977 Most popular Provide confidentiality, digital signature and key exchange Key length up to 4096 Plaintext length < Key length Ciphertext size = Key size

RSA
x

RSA is protected by a patent. Patent expires on 20th September 2000 Relies on irreversible mathematics functions (Prime numbers)

x

PDAs, WAPs: RSA Multi-Prime

33

Diffie-Hellman
x x x

Published in 1976 by W. Diffie and M. Hellman Oldest known public-key cryptosystem Key agreement algorithm
Enables secret-key exchange without prior knowledge x Agrees on shared secret used in conjunction with a secret-key Cryptosystem (DES, 3DES, IDEA, etc.)
x

Diffie-Hellman: How it works ?
Alice’s private key Bob’s public key Alice’s Bob’s public key private key

Share Secret Key Share Secret Key

=

Share Secret Key Share Secret Key

34

DSA
x x x

x x

Compliant to Digital Signature Standard (DSS) Published in 1994 Irreversible algorithm (encryption with private key only) Used in Digital signature only Performance tuned for smart cards

Comparative Public-Key table

Algorithm
DSA El-Gamal RSA

Type
Digital Signature Digital Signature Confidentiality Digital Signature Key exchange Key exchange

Diffie-Hellman

35

Message-Digest Algorithms
x

Take a variable-length message and produce a fixed-length digest as output The fixed-length output is called the message digest, a digest or a hash A message-digest algorithm is also called a one-way hash algorithm or a hash algorithm

x

x

Message-Digest Algorithms
Input Input Message Message

Hash Function

Fixed-length Digest Fixed-length Digest

36

Message-Digest Algorithms
x

Message-Digest Algorithms properties required to be cryptographically secure
It must not be feasible to determine the input message based on its digest x It must not be possible to find an arbitrary message that has a particular, desired digest x It should be impossible to find two messages that have the same digest (collision) x It should be very sensitive to input message changes
x

Message-Digest Algorithms
x

Some Common Message-Digest Algorithms
MD2: 128-bit-output, deprecated, by Ronald Rivest x MD4: 128-bit-output, broken, by Ronald Rivest x MD5: 128-bit-output, weaknesses, by Ronald Rivest x SHA-1: 160-bit-output, NSA-Designed x RIPEMD-160: 160-bit-output x Haval: 128 to 256 bit-output (3 to 5 Passes) x CRC-32: 32-bit-output
x

x

Recommendation: Use SHA-1

37

Message-Digest Algorithms
x

Message-Digest at work
Creation of digital signatures x Creation of MAC, HMAC x Creation of secret-key with a passphrase x File checksum (FTP server, Patches, etc.) x FIA (File Integrity Assessment like Tripwire)
x

Powerful tool to detect small changes

Message-Digest Algorithms
x

Use Message-Digest Algorithms to compute a file’s digest (MD5 and SHA-1) Time: 15 minutes
x

x

p.31

38

Random Numbers
x

x

Random numbers are usually required to generate cryptographic keys or challenge. Two main categories
(PRNG) Pseudo Random Number Generator uses a deterministic algorithm to generate a pseudo random number based on a seed (mouse, keyboard, etc..) x A random number generator generates truly unpredictable numbers. Based generally on special hardware (white noise, radioactive-decay, etc…)
x

Random Numbers
x

A very secure cryptosystem can be broken if it relies on random numbers that can be guessed
x

Netscape browser using SSL broken!

x

Some PRNG
Yarrow from B. Schneier x CryptPack x etc.
x

39

Keys Length
x

x

x

To break a secret-key cryptosystem with “no weakness”, an attacker must try each possible key. This is called a brute force attack To break a public-key cryptosystem an attacker should use “smarter” brute force attack based on mathematics Key space dimension = 2n (n:keylength)

What is the right key size ?

x

The goals of cryptography are to make the value of encrypted information less than the money spent to decrypt it ! the value of information usually decreases over time

x

40

RSA’s Challenge on DES (III)
x

x

x

x

Method: splitting the Key space for distributed Brute Force Attack (space dimension = 2n , where n is the key-length) Starting date: 18.01.99. Ending: 22h15 min. later… Brute Force Attack frequency: 245 Billions keys/sec. Platforms: Cray/Sun/SGI/Pentium etc..

RSA’s Challenge on RSA-155
x x x

x x

Key-length: 512 bits = 155 digits Method: Prime number factorization Starting Date: August 99. Ending: 5 months later Time: 35.7 CPU years Platforms: SGI/Sun/Pentium etc.
x

292 computers

41

Keys’ time of life
x

Most of the time, session keys are changing (IPSec, etc.)
x

to enforce security

x

Can be triggered by time or by encrypted data quantity

Public-Key vs Secret-key
Secret-key (bits)
40 56 64 80 96 112 120 128

Public-Key (bits)
274 384 512 768 1024 1792 2048 2304

42

Blowfish Advanced CS: How it works ?

Blowfish Advanced CS
x

x

x x x

File encryption software using symmetric encryption Used secret-key from a password or a “keydisk” Support key splitting Wipes sensitive information Used secret-key ciphers like:
Blowfish x 3DES x Twofish
x

43

Blowfish Advanced CS
x

Use SHA-1 to generate secret-key from a password Use random (PRNG) to create the key file and to overwrite (wiping) data

x

File Encryption
x

Setup a file’s encryption software to protect sensitive information Time: 20 min
x

x

p.38

44

Message Authentication Code
x

x

x x x

MAC is a fixed-length data item that is send together with a message to prove integrity and origin Provide authentication and integrity without confidentiality Also referred as message integrity code (MIC) Most common form is HMAC ( Hashed Mac) Example: HMAC-MD5

Message Authentication Code
Input Input Message Message

+
Secret-Key

Hash Function

HMAC HMAC

45

Digital Signature
x

x x

x x

Digital signature is a data item that guarantees the origin and integrity of a message The signer of the message uses a signing key The recipient uses a verification key to verify the origin and integrity Signing key = private-key Verification key = public-key

Digital Signature
x

By using his own private key, the signer can not repudiate the fact he has signed the message This mechanism provide non-repudiation Think about the difference with MAC …

x

x

46

Digital Signature: Basics

Simple signature using PRIVATE-key

Plaintext Plaintext

Ciphertext Ciphertext (Signature) (Signature)

Plaintext Plaintext

Alice’s private key Alice’s private key

Alice’s public key Alice’s public key

Digital Signature: How it works?
Plaintext Plaintext Plaintext Plaintext

Alice’s private key

Digest Digest

MD1 = MD2 ??? MD1 = MD2 ???

Alice’s Public key

Signature Signature

Signature Signature

47

Digital Signature
x

Why signing a message involves Hashing ?
Signature (data item) is too big x Performance (public-key is very slow) x Possible attack (known plaintext attack)
x

Common Signature Algorithms
x

RSA
Well known x Export limitation
x

x

DSA
Similar to RSA (algebraic properties of numbers) x Non-reversible algorithm, suitable for digital signature only
x

x

ElGamal
x

Another cipher for digital signature only

48

Hybrid Cryptosystems
x

A Hybrid Cryptosystem combines the best features of both Secret-Key and Public-Key cryptography Used to exchange session key to initiate a symmetric encryption Example: PGP, SSL, IPSEC using Diffie-Hellman or RSA

x

x

Example: Diffie-Hellman and Secret-Key cryptosystem

Asymmetric

Share Secret Key Share Secret Key

=

Share Secret Key Share Secret Key

Symmetric
Plaintext Plaintext Ciphertext Ciphertext Plaintext Plaintext

49

RSA Key wrapping encryption
x

Suppose Alice wants to send an encrypted text to Bob across the Internet , using RSA key wrapping

RSA Key wrapping encryption
x

How it works ?
Alice creates a session key, which is a one-timeonly secret-key x Alice encrypts the data with the session key x Alice encrypts the session key with Bob’s publickey x Alice sends the ciphertext + the encrypted session key to Bob
x

50

RSA Key wrapping encryption

RSA Key wrapping decryption
x

How it works ?
Bob receives the message from Alice x Bob uses his private-key to recover the temporary session key x Bob uses the session key to decrypt the ciphertext
x

51

RSA Key wrapping decryption

RSA Key wrapping question ?
How sure can Alice be about Bob’s presumed public-key ?

52

Man in the Middle Attack!

PGP: How it works ?

53

PGP: introduction
x x x x x x

Stands for Pretty Good Privacy By Phil Zimmerman (1991) Worldwide distributed in 1991 Provides mail and file encryption/signature Today: PGP 6.5.2 Available on many platforms like:
x x x x

Unix Windows Linux Atari, Macintosh, OS/2 etc.

PGP Introduction
x

Contains a set of algorithms for
x

Message digest:
x MD5,

SHA1 and RIPEMD DSA 3DES, CAST-128 and IDEA

x

Public-key:
x RSA,

x

Secret-key:
x DES,

x

Data compression: LZH

54

Original PGP signature
x

Using RSA and MD5 for example

Quiz!

55

Original PGP encryption
x

Encryption based on RSA key wrapping

Original PGP decryption
x

Decryption based on RSA key wrapping

56

Quiz!

PGP today

x

To enforce security, PGP offers today DSS and DH key exchange

x

Support for x.509 certificate as well

57

PGP Trust model
x

Originally, PGP trust models were:
x x

Direct trust (hosts mutually and directly trusted) “Web-of-Trust”
x If

Alice trusts Bob and Bob trusts Charlie, then Alice other words…friends of my friends are my friends

will trust Charlie
x In

x

Today, hierarchical trust is also possible

Other PGP products
x

PGP Phone
x

to transform a desktop into a secure phone via real-time encryption

x

PGP disk
x

offering privacy to file system

x

PGP SDK
x

development kit

58

PGP
x

Use PGP for sending a signed and encrypted e-mail Time: 40 min
x

x

P.49

SSH: How it works ?

59

SSH
x x

SSH = Secure Shell Originally developed in 1995 as a secure replacement for rsh, rlogin,rcp, ftp, telnet Originally implemented in Finland Available worldwide About 3’000’000 users around the world

x x x

Http://www.cs.hut.fi/ssh

SSH
x

x x x x

Also allows port forwarding (tunneling over SSH) X11 connection forwarding SSH v2 submitted to IETF Can be run and used in a short space of time Many SSH clients available
Secure CRT x F-Secure x Java Client x etc.
x

60

SSH: Why ?
Unix Host Unix Host

Login: rome Password: abc123

Network
Original TCP Packet

Attacker with sniffer

Telnet to Unix Host Telnet to Unix Host

SSH-1 Protocol (Hybrid Crypto)
Client TCP 22 Auth request S Session SSH DATA Symmetric Encrypted data
Server decrypt the session key with the two private keys. Begin bulk encrypted data exchange. Client encrypts Server decrypts request, encrypts and sends response

Server

Client performs TCP handshake with the server at port 22 for SSH standard port Start authentication process. Client send authentication request The server responds with two keys. Host key 1024 bit RSA and a Server key 768 bit RSA (Generated hourly)

S

SSH Handshake Public Key

Client verify host key and generate a secret key that is used for bulk encryption then encrypt this secret key twice with Host and Server public keys and send it to the server SSH

61

SSH Ciphers
x

SSH v1
RSA x DES, 3DES, Blowfish, IDEA
x

x

SSH v2
Diffie-Hellman for key exchange algorithm x DSA, RSA x 3DES, Blowfish, IDEA, Twofish, Arcfour, Cast-128
x

SSH Authentication
x

Multiple Authentication mechanisms
Static password (protected by SSH encryption) x RSA or DSA authentication (client decrypts challenge from server) x Plug-in authentication (Securid, Radius, ldap, PAM *) x “.rhosts or /etc/hosts.equiv” (Based on IP address)
x

*

http://www.bg.kernel.org/pub/linux/libs/pam/index.html

62

SSH Authentication (RSA/DSA)
x x

Client decrypts “challenge” from server Provides “strong” authentication (client uses his private-key plus a PIN code)
Server sends encrypted challenge with client’s public key

Client decrypts challenge and sends it to the server

The challenge is chosen randomly

SSH Tunneling mode
SSH SSH Client Client

Corporate Net
HTTP 127.0.0.1 1999 HTTP 127.0.0.1 1999

Web server Web server

Encrypted SSH tunnel
SSH SSH Server Server

Clear text

DMZ

63

SSH
x

x x

Setup a SSH client to replace Telnet. Use two authentication mechanisms. Setup a SSH tunnel Time: 60 min
x

p. 64

PKCS
x

Public Key Cryptographic Standard (PKCS)
x

x

Standardization of public-key algorithmic, in order to maintain interoperability Developed by RSA Laboratories, a consortium of information technology vendors and academic institutions.
x Apple x Microsoft x Compaq x Lotus x Sun x MIT

etc.

64

PKCS list
x x x x x x x x x x x x

#1: Encrypting and signing using RSA public key cryptosystem #3: Key agreement with Diffie-Hellman key exchange #5: Encrypting with a secret key derived from a password #7: Syntax for message with digital signature #8: Format for private key information #9: Attribute type for use in other PKCS standard #10: Syntax for certification request #11: Define a cryptoki programming interface (API for smart cards) #12: Portable format for storing and transporting private keys #13: Encrypting and signing data using elliptic curves cryptography #14: Standard for pseudo number generation #15: Standard to store credentials on tokens

Smart Card
x

x

Smart Cards consist of a chip (processor or/and memory), a contact plate and a piece of plastic (ISO 7810 - 54x85x0.8 mm) Smart Cards are used for multi-applications
x

GSM, Banking, Medical, E-Commerce, Pay TV, etc…

65

Smart Card and PKI
x

x

Storing the private-key and/or X.509 certificate on the Smart Card Provide Strong Authentication
Something you have, Something you know x Access protected by a PIN (like credit card)
x

x

Types of Smart Card
Memory Cards x PKI smart cards using Crypto-processor (RSA, etc.)
x

x

Some Smart Card are “brute force” protected

Smart Card Standard (interface)
x

PKCS #11 also call Cryptoki
Interface for the communication to Smart Card x Netscape, RSA
x

x

PC/SC and their Crypto API
http://www.pcscworkgroup.com/ x Bull, Gemplus, HP, Intel, Microsoft, Schlumberger Siemens, SUN, Toshiba
x

66

Smart Card Reader
x x x x x x

Keyboard USB Serial PCMCIA Diskette reader SCSI

Today’s Smart Card Drawbacks
x x

Hardware... Multi-Services rarely used
x

Users leave Smart Card on the reader

67

End Day One

Questions Day One ?

68

Quiz!
x

Describe Secret-Key ?
x

Advantages / Disadvantages Advantages / Disadvantages

x

Describe Public-Key ?
x

x x x x x

Describe Messages Digest ? Describe Digital Signature and verification ? Differences between MAC and signature? Describe two Hybrid Cryptosystems ? Describe a challenge response based authentication?

PKI introduction
x

x

The aim of PKI is to integrate all the previous mechanisms and algorithms into a coherent and efficient structure. It will answer the following fundamental security needs:
Authentication x Confidentiality x Non-Repudiation x Integrity
x

x

The basis of PKI relies on the concept of certificates

69

PKI basis function
x

PKI will include at least:
One Certificate Authority who delivers certificates x One Directory who stores active Certificates and/or Revoked Certificates x One Registration Authority who allows certificates’ enrollment x One centralized Management
x

Remember Alice, Bob and Charlie...
Bob has no proof of the “link” between Alice’s public-keys and her identities

So What ?

70

Third Trusted Party
Trusted Authority

Direct Trust

Direct Trust

No more Charly

Implicit Trust

Digital Certificates
x

x

A public-key certificate is a bond between an entity’s public-key and one entity The entity can be:
A person x A role (Manager Director) x An organization x A piece of hardware (Router, Server, IPSEC, SSL, etc.) x A software process (JAVA Applet) x A file (Image, Databases, etc.) x etc.
x

71

Digital Certificates
x

x

x

x

A Public-key certificate provides assurance that the public-key belongs to the identified entity A Public-key certificate is also called a digital certificate, digital ID or certificate The entity identified is referred to as the certificate subject If the certificate subject is a person, it is referred to as a subscriber

Digital Certificates
x

A certificate is like a passport ...

72

How to obtain a certificate
x

x x x x

As with passports, you give proof of your identity to an official (or trusted) authority. The authority checks this proof. The authority delivers a signed passport . This procedure is defined as an “enrollment” Instead of “enrolling” for a passport we’ll enroll for digital certificate.

Digital Certificates
x

Graphical representation of a certificate

73

Demo: certificate view

X.509 Certificate Standard
x

x x x

X.509 is a standard for digital certificate by International Telecommunications Union (ITU) First published in 1988 (V1.0) Version 2.0 (1993) adds two new fields Current version is v3.0 (1996) and allows additional extension fields

74

X.509 Basic Certificate Fields
x x

x x

x x

Version: X509 version 1,2 and 3 Certificate serial number: Integer assigned by the CA (unique) Signature algorithm identifier: RSA/MD5 etc. Issuer name: name of CA having signed and issued the certificate Validity period: time interval Subject name: the entity name (this name must be unique = distinguished name (DN) )

X.509 Basic Certificate Fields
x

x x x

Subject public-key information: contains the public-key plus the parameters Issuer unique identifier: optional field Subject unique identifier: optional field Extensions: may provide additional data for specific applications.
And the Certification Authority's Digital Signature

75

SSL X.509 example

Data and Signature section in human-readable format!

SSL X.509 example

Here is the same certificate in the 64-byte-encoded format interpreted by a software

76

How to build a Certificate
CA

X.509 Fields
Public key Identity etc.

X.509 Certificate

Digital Signature Process

CA’s
Signature

Think of it like a credit card…
Digital Credit Union

DCU
5867 9506 3461 1920
GOOD THRU LAST DAY OF

Validity Period Signature Issuer Name Subject Name

06/98

Andrew Nash

AUTHORIZED SIGNATURE

Andrew K Nash

Public Key

77

How to verify a certificate ?
x x

x

x x

Obtain the Signer’s (CA) public-key Pass the X.509 fields into the message digest algorithm and keep the digest (= your digest 1) Decrypt the Certificate signature with the Signer’s (CA) public-key. The decrypting plaintext will be the digest (= your digest 2) Compare the digest 1 with the digest 2 Does this match together?

Verifying a certificate?

X.509 Fields
Public key Identity etc.

CA’s
Signature

MD1 = MD2 ??? MD1 = MD2 ???

CA’s public key CA’s public key

78

A few words about CAs
x

Entities that issue and manage digital certificates including
maintaining x revoking x publishing status information
x

x

CAs’ security policy defined in CPS (Certification Practice Statement)
Security measures to guarantee CA’s integrity x Security measures to check enrollment’s identity
x

x

Trust level relies upon CPS and not technology

Few words about CAs
x

PKI security relies on CA’s private-key secrecy
Should never be acceded x Should be backed-up x Solution: store it inside dedicated tamperproof hardware
x

79

Type of CAs
x

Private CAs:
x

Hold by a private entity (Company, Administration, the Military) Verisign, Swisskey, GTE, Thawte, Global-sign, Certplus, etc.
A CA can be hybrid as for instance “On-site services” of Verisign

x

Public CAs:
x

Registration Authority (RA)
x

x

A Registration Authority is the entity receiving the certification requests and managing them before sending them to the CA. RA acts as a front end. As in hybrid CAs, the registration authority can be separate from the CA itself. In this case we talk about Local Registration Authority (LRA)
Multiple sites for big companies x Distributed environment
x

80

(L)RA Front End

LDAP
x

x

x

X.500 Directories required more effort and complexity than most companies were prepared to invest Lightweight Directory Access Protocol was proposed by the Internet community LDAP uses the X.500 naming conventions but simplifies the way you interact with a directory

81

LDAP
x

x

LDAP is a “front end” that is used to implement simple directory services An LDAP Server may be implemented over:
a full X.500 Directory x a database x a flat file x Most of structured data set
x

x

CA will use LDAP to publish certificates and CRLs

Demo: browsing ldap

http://www.iit.edu/~gawojar/ldap/

82

Certificate Revocation
x

Certificate Revocation:
x

Mechanism used by the CA to publish and disseminate revoked certificates

x

Revocation is triggered in the following cases:
Key compromise x CA compromise x Cessation of operation x Affiliation change x etc...
x

Certificate Revocation
x

Several data structures exist to publish revocation
CRL (Certificate Revocation List) x ARL (Authority Revocation List) x CRT (Certificate Revocation Trees) by Valicert
x

x

Also Online query mechanisms
x

OCSP (Online Certificate Status Protocol)

83

CRL’s publication and retrieval
x

Certificate-using applications must be aware of revoked certificates
Get CRL via ldap x Get CRL via FTP, Http, Https, etc. x Check certificate status via OCSP x Etc.
x

x x

Problem to solve: Revocation delay ! Not yet fully standardized (Delta CRLs, OCSP etc.)

CRL Version 2 structure

Version

Signature algorithm

Issuer DN

Update Date

Next Update Date

List of revoked certificates per-certificates extensions

Extensions

84

CRL Version 1 view (text)

CRL Version 1 view (PEM)

85

Demo: get a CRL

OSCP
Pushing Revocation

CA

LDAP OCSP over http OCSP FTP, http

PKI enable Applications

OCSP Responder

Backend

others

86

Distinguish Names
x

x

x

X.509 certificates bind a Distinguish Name (DN) to a public-key A DN is a set of name-value pairs, such as uid=cenzler, that uniquely identify an entity Example: a typical DN of a Datelec employee:
x

C=CH, O=Datelec, OU=Engineering, L=Geneva, CN=Cedric Enzler, E=cenzler@datelec.com

Distinguish Names
x

DNs may include a variety of other name-value pairs (see X.500 standard) Most CAs are LDAP compliant. Thus, DNs will be used as entries in Directories that support LDAP

x

87

Single CA
x

Until now, we assumed the presence of a unique CA certifying all users. Thus, there’s a direct relation between users and their CA

X509 X509 X509 X509 X509 X509

Multiple CAs top-down
x

Typical CA implementation for large companies

Root CA
X509

Trust relation
X509

Subordinate CAs
X509

Subordinate CAs
X509 X509

Certificates
X509 X509 X509 X509 X509

88

Trust
x

x

x

x

Because a CA has a certificate itself and represents the highest possible trust level, the CA has its self-signed certificate A self-signed certificate is a Root Certificate or Meta-Introducer A certificate-using application (any X.509 holders) must trust the Root certificate Importing a Root certificate into such an application is called Bootstrapping a CA
Bootstrapping must be considered as a very critical operation!

Trusted Root certificates
x

Many applications (as http browsers) have already embedded root certificates

89

Demo: Bootstrap Swisskey

Trust architecture
Assume Alice, Bob and Charly are exchanging e-mails
Root CA
X509

CA3
X509 X509

CA1

CA2
X509 X509

X509 X509

X509 X509

X509

A

B

C

90

Simple Case
x x

Alice receives Bob’s e-mail and the X.509 certificate How can Alice check Bob’s certificate?
x x

She looks at Bob’s signer Does she know the signer?
x Yes:

Is it a self-signed? x No: Is the upper level CA trusted?
X509

X509

Root

3
CA3
X509

2

Bob

1

More complicated...
x x x

x

Alice receives Charly e-mail and the X.509 certificate How can Alice check Charly certificate? Charly sent intermediary CAs certificates along with his own certificate. This is the “chain of certificates” Thus, the validation process will be...
X509

Root
X509

4 3

X509

CA1

CA2
X509

Charly

2 1

91

Cross certification
A typical case: merging of Certification Islands:
X509 X509

X509

X509

X509

X509

X509

X509

X509

X509

X509X509

X509X509

X509

X509X509

X509X509

X509

Let’s be practical!
User enrolls for certificate
http://www... http://www...

Admin mailed notification

User mailed acknowledgement

RA Security Officer
Admin Approves request

User mailed retrieval PIN

User
User retrieves certificate
http://www... http://www...

http://www... http://www...

CA

Certificate installed

LDAP

92

Some X.509 certificate types
x x x x x

CA certificate (Root) S/MIME SSL server/client IPSec gateway/client Object signing certificates
Java script x Image signature for copyright x File detection intrusion (binary certifications)
x

x

etc.

PKI Standards
x

Some standard organizations:
IETF PKI Working Group (PKIX) x ITU x SPKI x RSA with PKCS
x

93

PKI Vendors

Some Public CA

94

PKI Summary
x x x x x x

Based on Certificates (X.509) Trusted third party (CA) (L)RA CRL Data repositories Mechanisms and protocols between all these elements

S/MIME: How it works ?

95

S/MIME
x x x x x

Secure Multipurpose Internet Mail Exchange Developed by RSA, Microsoft, Lotus, Banyan, and Connectsoft in 1995 Implemented at application layer Build on top of PKCS #7 and PKCS #10 Very strong commercial vendor acceptance
x

Netscape, Microsoft, Lotus, etc.

x x

IETF developed S/MIME v3 (last version) Use X.509 certificates

S/MIME
x

S/MIME provides four services:
Security Mechanism
Digital Signature Digital Signature Digital Signature Encryption

Security Services
Message origin authentication Message integrity Non-repudiation of origin Message confidentiality

96

S/MIME Ciphers
x

Symmetric encryption
3DES 168 bit x DES 56 bit x RC2 128, 64 and 40 bit
x

x

Public-Key
x

RSA 512 to 1024 bit

S/MIME Signature
Suppose Alice sends a S/MIME signed e-mail to Bob
Alice’s Private Key

Mime format

Digest

MIME encoded format

97

S/MIME Encryption
Suppose Alice sends a S/MIME encrypted e-mail to Bob
Bob’s Public Key Random Session Key Ciphertext

Mime Format
Plaintext

Encoding

MIME encoded format

S/MIME dual Key ?
x

Dual Key Pair
One key pair for encryption x One key pair for signature and non repudiation
x

x x

x

CA must support key backup and recovery Key pair for encryption generated on the CA itself ! Draw back:
x

Not all Email client support Dual Key Pair

98

S/MIME
x

The student will setup an e-mail system using S/MIME. He will use digital signature and encryption. Certificates retrieval done by ldap. Time: 45 min
x

x

p.77

SSL: How it works ?

99

SSL
x x

x x x

x

Secure Sockets Layer TCP/IP socket encryption Provides end-to-end protection of communications sections Confidentiality protection via encryption Integrity protection with MAC’s Usually authenticates server using a digital signature (option) Can authenticate client (option)

SSL History
x

SSL v1 designed by Netscape in 1994
x

Netscape internal usage Microsoft proposed PCT (Private Communications Technology), which overcame some SSL v2 shortcomings The progresses of PCT were echoed in SSL v3

x

SSL v2 shipped with Navigator 1.0 and 2.0
x

x

SSL v3 latest version
x

x

TLS v1 developed by IETF

100

SSL Protocol
x x

The SSL protocol runs above TCP/IP The SSL protocol runs below higher-level protocols such as HTTP or IMAP

SSL Ports from IANA
x x x x x x x x x x x x x x

nsiiops 261/tcp # IIOP Name Service over TLS/SSL https 443/tcp # http protocol over TLS/SSL smtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp) nntps 563/tcp # nntp protocol over TLS/SSL (was snntp) imap4-ssl 585/tcp # IMAP4+SSL (use 993 instead) sshell 614/tcp # SSLshell ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap) ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL telnets 992/tcp # telnet protocol over TLS/SSL imaps 993/tcp # imap4 protocol over TLS/SSL ircs 994/tcp # irc protocol over TLS/SSL pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3) msft-gc-ssl 3269/tcp # Microsoft Global Catalog with LDAP

101

SSL Ciphers
x

The SSL protocol supports the use of a variety of different cryptographic algorithms or ciphers
x x x x x x x x x

DES (56) 3DES (168) RC4 (40 or 128) RC2 (40) Fortezza (96) IDEA (128) SHA-1, MD5 DSA RSA (Key exchange)

SSL Handshake
x

Negotiate the cipher suite Establish a shared session key Authenticate the server (Optional) Authenticate the client (Optional)

x

x

x

102

SSL Handshake
Client performs TCP handshake with the server at port 443 for HTTPS which is HTTP in SSL

Client TCP

Server 443 Hello Cert

Start Cipher negotiation. Client sends SSL HELLO containing ciphers supported by the client and a random number. The server responds with a HELLO containing the ciphers to use and a random number. Note the server selects the ciphers to be used. RSA, RC4 and MD5 are most common.

S

S GET URL DATA

SSL Handshake Asymmetric 0.2 - 4 KB

Start pass secret. Server sends it’s CERTIFICATE. Client uses certificate to encrypt the pre-master Secret and sends to Server. Both compute bulk encryption KEYS from secret and random numbers. Client and Server exchange CHANGE CIPHER SPEC and FINISH messages. Begin bulk encrypted data exchange. Client encrypts and sends HTTP GET. Server decrypts request, encrypts and sends response Server sends FINISH and closes with TCP handshake A SSL connection consists of an SSL handshake followed by bulk encrypted protocol

Bulk Encrypted HTTP Protocol Symmetric

Client authenticate server
x

x

x

x

Is today's date within the validity period? Is the issuing CA a trusted CA? Does the issuing CA's public-key validate the issuer's digital signature? Does the domain name in the server's certificate match the domain name of the server itself?

103

Demo: Wrong URL !

Server authenticate client
x

x

x

x

x

Does the client's publickey validate its digital signature ? (challenge) Is today's date within the validity period? Is the issuing CA a trusted CA? Does the issuing CA's public-key validate the issuer's digital signature? Is the user's certificate listed in a CRL?

104

SSL Tunneling
x x x

SSL can provide tunneling to transport TCP port over an encrypted channel Some tunneling software can use client and server authentication using Certificates X.509 Some tunneling programs
x x x x x

Webtop (Sun/Netscape) Stunnel bjorb, Jonama SSLProxy Celo Communicationss (SSR)
http://www.openssl.org/related/apps.html

SSL Tunneling mode
X X

Corporate Net
pop3 127.0.0.1 1234 pop3 127.0.0.1 1234 Z Z

POP3 server POP3 server

Encrypted SSL tunnel

Clear text
Y Y

DMZ

105

SSL Hardware accelerator
x

RSA key exchange is very CPU Intensive
x

200 Mhz NT box allows about a dozen concurrent SSL handshakes x Use Multiple server x Use Hardware encryption (Intel-IPIVOT, Ncipher, Rainbow, etc.)

SGC
x x x

x

Server Gated Cryptography Allows strong encryption on a server basis Originally available only to “qualified financial institutions” Requires a special SGC server certificate from:
Verisign Global-ID x Thawte SuperCert x GlobalSign HyperSign128 x Etc.
x
http://www.modssl.org/related/gid.html

106

SGC
x x

Enables strong encryption for export’s browser Procedure:
x x

x x

x

Browser is export version: 40 bit cipher only ! Browser connect to SGC-enabled server with 40 bits cipher Server send his SGC-tagged certificate to browser Browser verifies server certificate and detect that is issued by a CA root certificate which is tagged to enable SGC Browser enabled 128 bit ciphers and force a SSL/TLS renegotiation with the stronger cipher suite.

TLS
x x

Transport Layer Security IETF standardized evolution of SSL v3
Update Mac layer to HMAC x Updated for newer algorithms
x

x

Substantially similar to SSL v3
Cleanup of SSL v3 x Aka SSL v3.1
x

x

Standardized by RFC 2246 (Jan 1999)

107

Installing a SSL Web Server
x

Create the key-pair: Public and Private-Keys
x

Each server includes programs to generate these This adds Information about your server and yourself

x

Generate a CSR (Certificate Signing Request)
x

x

Send the CSR to a CA (Certificate Authority) and wait for your Certificate
x

For instance Verisign, or a internal CA

x

Install the Certificate
If you do not hold a Certificate signed by a well known CA, your client’s browser will display warning messages that the Certificate is from and Unknown CA

Demo: unknown certificate

108

Setup a SSL web server
x

The student will setup a SSL web server using Netscape Enterprise Server Time: 1 hour
x

x

p.100

Setup a SSL Client Authentication
x

The student will setup a SSL client authentication to protect the access to Intranet Server Time: 1 hour
x

x

p.121

109

PKCS#11 Smartcard installation
x

The student will connect and install a smartcard on his PC following PKCS#11 standard Time: 15 min.
x

x

p.136

Playing the security officer...
x

The student plays the security officer character Time: 30 min.
x

x

p.138

110

Revocation with client SSL authentication
x

The student will revoke himself and interpret the results Time: 30 min.
x

x

p.141

IPSec: How it works ?

111

IPSec
Remember!
Application Presentation Session Transport Network DataLink Physical

S/MIME, PGP

Application Presentation

SSL, TLS, SSH IPSEC Hardware link encryption

Session Transport Network DataLink Physical

IPSec will integrate PKI at layer 3

IPSec introduction
x

Stands for IP Security Provide site-to-site and/or host-to-site encryption and/or authentication Driven by the IETF Mandatory for IPv6, optional for IPv4

x

x

x

112

IPSec: two main ”Blocks”
x

IPSec deals with two main “blocks”
IPSec - Encryption and Authentication x ESP - Encapsulating Security Payload x AH - Authentication Header x Two modes: Tunnel and transport x IPSec - Key management x IKE, Skip, Manual IPSEC
x

IPSec: ESP and AH
x x x

The AH (Authentication Header) is a protocol providing authentication only The ESP (Encapsulation Protocol) is an IPSEC protocol for packet encryption and encapsulation. Both protocols offer integrity check with authentication
IP IP IP TCP/UDP TCP/UDP TCP/UDP Payload Payload Payload IP IP IP AH ESP ESP TCP/UDP TCP/UDP AH Payload Payload Payload

TCP/UDP

113

IPSec Tunnel mode
x

x

x

Each datagram is captured by the security gateway, encapsulated inside an IPSEC packet and sent to a remote security gateway, which “decapsulates” it, and sends the original datagram to its original destination The two security gateways create a ‘tunnel’ through which data is passed The two hosts (and their applications) are unaware of the encapsulation process

IPSec Tunnel mode

Hosts
Application TCP UDP IP

IPSec gateway
Protected Data
AH/ESP IP

Protected Data

Application TCP UDP IP

Protected Traffic

AH/ESP IP

114

IPSec Transport mode
x

x

x

In transport mode, the two hosts serve as a security gateway and encrypt their own data In this case, there is no need for a tunnel, nor for the double IP header The two hosts are aware of the encapsulation (since they perform it)

Transport mode

Application TCP UDP IP

Application TCP UDP

Protected Traffic

IP

115

Security Associations (SA)
x

x

x

The SA is shared by the two communicating parties - it provides indications on the algorithms, the keys, the lifetimes and other algorithm dependant information The SPI (Security Parameter Index) is a number and serves as an index to the SA Each SA has two SPIs: incoming & outgoing

SPI and SA (Basics)
SPI: 0x1234567

SA
SPI: 0x1234567 Encryption (ESP): DES Authentication (AH): SHA-1 DES Key: 0x1615613651365365326536 SHA-1: 0x32676362736347672672644

116

IPSec Key management
x

x

In order to create the SA, the two parties need to exchange all the security parameters, as well as the keys. Several methods of key management:
x

x

x

x

Manual keying or manual IPSec (statically defining SPI and SA). SKIP (Simple Key Interchange Protocol by SUN Microsystems) ISAKMP/OAKLEY or IKE: automatic key management using DH Photuris alternative to IKE using DH
Practically IKE and manual IPSec is prevalent

Manual IPSec
x

x

On each gateway a specific SA is defined (according S/WAN) for each remote gateway (SPI, Cipher, Keys, Hash etc.) Drawback:
Very heavy management x Static keys: less security
x

x

Often used between different IPSec vendors
x

Cisco to Check Point for instance

117

Manual IPSec

SPI

SPI

S A

S A

IKE Key management
x x x

IKE is widely used (OSPF, IPSec etc..) SA proposal and negotiation is done using IKE Peers may be authenticated using X.509 certificate
x x

Each IPSec gateway holds a X.509 certificate SA negotiation starts after cross authentication Authentication is provided by pre-shared secrets Drawback: heavy key management etc.

x

Alternate method for authentication:
x x

118

IKE Key management using PKI
Negotiation with Automatic Key Management

SPI
X509

SPI
X509

SA

SA

Hardware implementation...
x x

x x

Tamper proof design Full integration of IPSec for high/slow bandwidth encryption Centralized management Vendors x Radguard, Cisco, Checkpoint, etc.

119

Demo IPSEC with SecuRemote

Checkpoint architecture
te ora k orp twor C e N

Account Management GUI

VPN-1 SecuRemote client

Certificate Authority

VPN-1 / FireWall-1

ISP

ISP

LDAP-based Directory Server CRL X.509 Certificates

Internet

VPN-1 / FireWall-1

120

Creation of the CA Certificate
•Create CA server object in VPN-1 / Firewall-1 •Define where to retrieve CRL’s •Get the CA certificate Obtain CA certificate from a file View the CA’s certificate Save it, allow read by another Mgt station •Create a ldap server for CRL

Creation of Certificate for Firewall-1
•Define a nickname for the certificate •Generate a PKCS#10 certificate request. •VIEW to display certificate •Select the text in the window and copy it to the clipboard.

121

Creation of Certificate for Firewall-1

•GET the certificate from the CA

Creation of Certificate for Secure Remote

x

Importing PKCS#12 Certificates
Import from a browser x Save it as a P12 format
x

122

Using Certificates with SecureRemote

x x

x

IKE Authentication. Specify a profile file (.EPF file) or select a hardware token from the drop-down list. Enter password for accessing the profile.

Using Certificates with SecureRemote

x

View the certificate by clicking on View Certificate
User’s certificate x CA’s certificate
x

123

IPSEC
x

The student will setup an IPSec link between a client and a GW Checkpoint using X.509 certificates Time: 1h30
x

x

p. 155

CEP: How it works ?

124

CEP

x x

Certificate Enrollment Protocol (CEP) A certificate management protocol jointly developed by Cisco Systems and VeriSign, Inc. CEP is an early implementation of Certificate Request Syntax (CRS), a standard proposed to the Internet Engineering Task Force (IETF).

x

CEP
x

CEP specifies how a device communicates with a CA including:
x x x

how to retrieve the CA's public key how to enroll a device with the CA how to retrieve a Certificate revocation list (CRL)

x

CEP uses RSA's PKCS 7 and 10 as key component technologies

125

CEP, cont.

DEMO: CEP

126

Cases Studies !

Encryption references sites
x

SSL
x x

http://www.openssl.org/ http://developer.netscape.com/docs/manuals/security/sslin/ index.htm http://www.ultranet.com/~fhirsch/Papers/wwwj/article.html

x

x

SSH
x x x

http://www.ssh.org/ http://www.Datafellows.com/ http://wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/

127

Encryption references sites
x

IPSEC
x x

http://web.mit.edu/network/isakmp/ http://www.data.com/tutorials/bullet_online.html

x

PGP
x x

http://www.pgp.com http://web.mit.edu/network/pgp.html

x

S/MIME
x

http://www.rsasecurity.com/standards/smime

Encryption references sites
x

Miscellaneous
x

Crypto-Gram:
x http://www.counterpane.com/crypto-gram.html

x

CryptoBytes:
x http://www.rsasecurity.com/rsalabs/cryptobytes/

x

Crypto FAQ V.4.0:
x http://www.rsasecurity.com/rsalabs/faq/

x

http://www.datelec.com/~maret

128

Open discussion...

129

Sign up to vote on this title
UsefulNot useful