École Internationale de Printemps Systèmes Répartis : METIS'2008
Architecture, Sécurité & Fiabilité
Rabat, 20-23 May 2008

Prof. Gildas Avoine, UCL Belgium

Solutions pour la Sécurité des réseaux (Solutions for Network Security)


Introduction

Confidentiality, Integrity, Authentication, Availability.

Is security important, or just a toy for academia?

Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

Security Incident: A Real Issue

Issues are real and have significant consequences.

  Cost (direct, indirect).
  Image of the company.
  Competitive intelligence.


How to Manage Security

Locksmiths don’t secure a building, architects do.

According to Thucydides: it is not the walls that protect the citadel, but the spirit of its inhabitants.

Attack the weakest link.


Our Focus

We focus on the communication security.

  Symmetric-key Authentication
  Public-key Authentication
  SSL/TLS (public key, many-to-one)
  WEP (symmetric key, many-to-one)
  Kerberos (symmetric key, many-to-many)
  PGP (public key, many-to-many)


Symmetric-Key Auth.

  Passwords
  One-Time Passwords
  Challenge-Response


Identification, Authentication

Identification: we identify a person or entity, that is, we receive the name he agrees to provide.

Authentication: we get a proof that the person we speak with is the right one.

Example: at log-on, the username is used for identification and the password for authentication.

Authentication can be done with the help of:
  Something he possesses (token).
  Something he is (biometrics).
  Something he knows (password, key).


Passwords vs Keys

Password: human-memorizable.
Issue: weak entropy.

Keys: used by computers, not by humans.
Issue: where to store them.


Pwd: Naïve Idea

[Figure: the user sends the password 123456; the password file stores the passwords in the clear: 123456, abc123, qwerty.]

All passwords are revealed if the password file is stolen!


Password Storage

Passwords are never stored as such. The risk of theft would be too high.

Instead of passwords, we store a hash. Required properties of the hash function:
  Resistant to first preimage.
  Resistant to second preimage.
  Resistant to collision.
  Random oracle.

When logging in, the hashed password is compared with the stored hash.

[Figure: hash, h: message (pwd) → hash; encryption, E: (plaintext, key) → ciphertext.]


Implemented Idea

[Figure: the user sends the password 123456; it is hashed, and the password file stores only hashes such as *%-=(++S%dc-z5'0lé ...]


Win NT/2000/XP (NT LM Hash)

Win NT/2000/XP uses the NT Lan Manager Hash (aka NT hash).
Passwords can be longer than 14 characters (but compatibility issues arise beyond 14 characters).
Lowercase letters are not converted to uppercase.
The hash function is MD4.


Win 9x Passwords (LM Hash)

Win98/ME uses the Lan Manager Hash (LM hash).
The password is padded to 14 characters with null characters and cut into two blocks of 7 characters.
Lowercase letters are converted to uppercase.
A separate hash is generated for each 7-character block.
Each 7-byte block is used as a DES key to encrypt the 8-byte constant string:
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25.


LM Hash & NT Hash

By default, LM Hash and NT Hash are both stored on the computer for compatibility reasons.

We can deactivate the creation of the LM hash:
  Requires modifying the registry.
  Deactivated by default in Windows Vista.
  Choosing a password longer than 14 characters disables the LM hash.


Cracking a (the) Password(s)

Online attack:
  The system is used as an oracle (black box).
  Slow.
  How to avoid such an attack?

Offline attack:
  We recover the passwords offline.
  Need to steal the hash file.
  How to avoid such an attack?


Storage

The hash file is encrypted, but by default the key can be extracted from the machine.

If the machine is running, we need administrator privileges plus a special exploit (pwdump) to extract the hashes (Windows).

If we can boot another OS, we can steal and decrypt the hashes.


Weak Passwords

Password length distribution:

  Length   Percent
  1-4      0.82%
  5        1.1%
  6        15%
  7        23%
  8        25%
  9        17%
  10       13%
  11       2.7%
  12       0.93%
  13-32    0.93%

Character classes:

  Composition        Percent
  letters only       9.6%
  alphanumeric       81%
  non-alphanumeric   8.3%
  numbers only       1.3%

Source: www.schneier.com


Dictionary Attacks

Based on common dictionary words.

Including dictionary words that have been altered:
  Reversed (e.g., “terces”).
  Mixed case (e.g., SeCreT).
  Character/symbol replacement (e.g., “$ecret”).
  Words with vowels removed (e.g., “scrt”).
  Numbers concatenated to word (e.g., “house123”).

Based on common names.
Based on user/account identifier.
Short (under 6 characters).
Based on keyboard patterns (e.g., “qwerty”).
Composed of a single symbol type (e.g., all characters).
Resemble license plate values.


Weak Passwords

Top-used passwords are (in order):

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey.

“We used to quip that ‘password’ is the most common password. Now it's ‘password1.’ Who said users haven't learned anything about security?” (Schneier, 2006).

Source: www.schneier.com


Cracking Times

Windows LM Hash (time to crack, by password length):

  Character set (example)   length 8   length 7   length 6
  alpha (MAISONT)           33 m       33 m       77 s
  alphanum (MAI2SON)        5 h        5 h        9 m
  Spec (mAI-2On)            100 days   100 days   1.2 days

Unix (56-bit DES):

  Character set (example)   length 8   length 7   length 6
  alpha (MAISONT)           14 days    33 m       77 s
  alphanum (MAI2SON)        630 days   10 days    3.9 h
  Spec (mAI-2On)            196 years  1.7 years  5.7 days


Some Vulnerabilities

Written-down passwords.
Shoulder surfing.
Social engineering.
Key logger, rootkit.
Eavesdropping the network.
Multi-website passwords.
Audit trails.
Guessing the password (low entropy).


Alternative: One-Time Passwords

A chain of hashes is generated (each element is the hash of the previous one).
The last element (hn) is provided to the verifier.
The first element (h1) is provided to the prover.
To authenticate himself, the prover sends hn-1 to the verifier.
Nobody is able to compute hn-1 except the prover.
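The hash-chain scheme above, as an added example that is not part of the slides (the hash function, SHA-256, the chain length and the seed value are constructed choices). The verifier keeps only the last element it has accepted; after a successful log-in it replaces that element with the value just received, so the same one-time password cannot be replayed.

```python
import hashlib
import hmac


def make_chain(h1: bytes, n: int) -> list:
    """Return [h1, h2, ..., hn] with h(i+1) = H(h(i)); chain[i-1] holds h(i)."""
    chain = [h1]
    for _ in range(n - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class Prover:
    """Holds h1 (and therefore the whole chain) and reveals hn-1, hn-2, ... in turn."""

    def __init__(self, h1: bytes, n: int):
        self.chain = make_chain(h1, n)
        self.next_index = n - 1          # next element to reveal is h(n-1)

    def next_password(self) -> bytes:
        if self.next_index < 1:
            raise RuntimeError("chain exhausted: re-enrol with a fresh h1")
        pw = self.chain[self.next_index - 1]
        self.next_index -= 1
        return pw


class Verifier:
    """Stores only the last element hn; it is not secret, so its theft reveals no password."""

    def __init__(self, hn: bytes):
        self.last = hn

    def authenticate(self, candidate: bytes) -> bool:
        # Accept iff H(candidate) equals the stored element, then move the reference down.
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last):
            self.last = candidate
            return True
        return False


def enrol(h1: bytes, n: int):
    """Set up one prover/verifier pair: prover gets h1, verifier gets hn."""
    return Prover(h1, n), Verifier(make_chain(h1, n)[-1])


if __name__ == "__main__":
    prover, verifier = enrol(b"constructed seed value", 5)   # constructed h1 and n
    otp = prover.next_password()
    print(verifier.authenticate(otp), verifier.authenticate(otp))   # True False
```

Each accepted value becomes the new reference, so a verifier compromised at any point learns only elements that have already been used, and an eavesdropper who captures hn-1 cannot invert the hash to obtain the next password hn-2.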


Challenge-Response

A challenge sent by the verifier is encrypted by the prover with a secret k.
The secret never transits on the channel.
The password is hashed to generate a key.

[Figure: Verifier sends a challenge c to the Prover; the Prover replies with Ek(c).]


Public-Key Authentication


Certificate Primer

[Figure: a document (“bla bla bla ...”) carrying a signature by Gildas; the certificate of Gildas Avoine, containing his public key and a signature by a trusted party; the root certificate of the trusted party, containing its public key and a signature by the trusted party itself.]


X.509: Certificates in Practice

X.509: standard from the International Telecommunication Union (ITU), released in 1988, then IETF RFC 2459 (and updates).

Three required fields:
  TBS Certificate (TBS = “To Be Signed”): the useful payload of the certificate (see next slide).
  Signature algorithm: identifier for the cryptographic algorithm used by the CA to sign this certificate.
  Signature value: signature of the certificate by the CA.


X.509: TBS Certificate

Serial number: unique number assigned by the CA to the certificate.
Issuer field: identifies the entity who has signed and issued the certificate.
Subject: identifies the entity associated with the public key (O: organization, C: country, OU: organizational unit, CN: common name, e.g. DNS name, ST: state, L: city, etc.; no IP address).
Validity: not before, not after.
Subject Public Key Info: the public key, and an identifier of the algorithm with which the key is used (e.g., RSA, DSA, or DH).
Etc.
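The three required fields of the previous slide and the first entries of the TBS certificate, as an added example that is not from the slides: a minimal DER encoder builds a constructed certificate skeleton (version 3, serial number 10 and the sha1WithRSAEncryption algorithm identifier, matching the Belgian passport certificate shown later; the signature bytes are a placeholder, not a real signature), and a tag-length-value walker reads it back. The issuer, validity, subject and public key of a real TBS certificate are omitted to keep the structure visible.

```python
SEQUENCE, INTEGER, BIT_STRING, OID, CONTEXT0 = 0x30, 0x02, 0x03, 0x06, 0xA0


def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(v: int) -> bytes:
    # One extra byte when the top bit is set keeps the value positive.
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit marks continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(OID, bytes(body))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element); single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def build_demo_certificate() -> bytes:
    """Constructed Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    sig_alg = tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.5") + b"\x05\x00")  # NULL params
    tbs = tlv(SEQUENCE,
              tlv(CONTEXT0, der_integer(2))   # [0] EXPLICIT version: value 2 means v3
              + der_integer(10)               # serialNumber
              + sig_alg)                      # signature (must equal the outer algorithm)
    fake_signature = b"\x5d\xed\x53\xda"      # placeholder bytes, not a real signature
    sig_val = tlv(BIT_STRING, b"\x00" + fake_signature)   # first byte = unused bits
    return tlv(SEQUENCE, tbs + sig_alg + sig_val)


def parse_certificate(der: bytes) -> dict:
    tag, cert, _ = parse_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("not a SEQUENCE")
    _, tbs, p = parse_tlv(cert)               # field 1: TBS certificate
    _, alg, p = parse_tlv(cert, p)            # field 2: signature algorithm
    _, sig, p = parse_tlv(cert, p)            # field 3: signature value
    _, ver_wrap, q = parse_tlv(tbs)
    _, ver_body, _ = parse_tlv(ver_wrap)
    _, serial_body, q = parse_tlv(tbs, q)
    _, tbs_alg, q = parse_tlv(tbs, q)
    oid = decode_oid(parse_tlv(alg)[1])
    return {
        "version": int.from_bytes(ver_body, "big") + 1,
        "serial": int.from_bytes(serial_body, "big"),
        "signature_algorithm": OID_NAMES.get(oid, oid),
        # RFC 5280 requires the TBS 'signature' field to equal the outer algorithm.
        "algorithm_consistent": oid == decode_oid(parse_tlv(tbs_alg)[1]),
        "signature_bits": (len(sig) - 1) * 8 - sig[0],
    }


if __name__ == "__main__":
    print(parse_certificate(build_demo_certificate()))
```

The consistency check between the inner and outer algorithm identifiers is the kind of detail a verifier must enforce: the outer field is outside the signed payload, so only the copy inside the TBS certificate is protected by the CA's signature.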

[Screenshot: UCL Webmail certificate.]

[Screenshot: root certificate example.]

Belgian Passport Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
        Validity
            Not Before: Apr 10 00:00:00 2006 GMT
            Not After : Jul 15 23:59:59 2011 GMT
        Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:8f:9c:2c:f8:05:b5:bd:ed:51:1a:9f:b0:57:6e:86:53:07:46:ac:ab:b6:05:e7:d6:e8:a6:6a:7b:ba:9b:27:aa:8a:9f:80:ec:87:b3:9d:68:b7:29:cb:b1:df:de:5e:48:9e:34:21:9f:97:ea:98:7a:f7:f6:88:1c:ca:a3:b1:3f:b2:d8:36:9a:06:0b:b3:f0:02:20:ce:ff:a9:e2:12:00:b2:1d:71:df:3e:cc:64:83:e2:f9:e8:30:15:a5:62:95:ab:8e:8c:ee:dc:73:9a:9f:58:78:c9:38:fd:ae:7c:71:17:73:c8:64:23:d2:34:99:58:ef:bc:ca:dc:e3:38:39:d4:30:16:c1:8e:52:a9:b0:eb:7f:5f:06:65:02:bc:72:1e:eb:14:40:af:39:20:25:48:cf:2f:8e:1b:4f:2e:d6:fb:49:b7:ab:a3:e5:56:2e:31:a1:30:56:69:dc:4f:b4:d8:49:a4:af:e6:0c:e8:65:df:58:d5:ee:7f:80:02:d5:35:63:2a:14:81:0a:eb:7d:5e:17:f8:63:9a:67:28:b0:b8:f4:39:0b:cb:91:63:4b:e3:14:e0:69:dd:dd:92:26:b2:8b:a4:0c:4d:de:10:b8:96:2b:e7:f1:ac:2e:2f:11:15:bd:13:1d:61:c4:bf:69:24:28:9f:67:dd:b6:49:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
        5d:ed:53:da:14:3d:e2:ab:2d:41:3c:ea:bc:55:3b:78:2a:2c:8e:0b:54:74:af:bd:a9:e1:c5:92:a4:f0:db:a9:0b:7d:0c:96:…


Certification Authorities

Issuers of certificates found on web servers (source: www.securityspace.com):

  Share (%)   Issuer
  29.25       Verisign
  19.56       GeoTrust (Equifax)
  15.21       Thawte
  7.64        Comodo Limited
  2.76        Starfield Technologies
  1.85        Unknown
  1.61        Entrust.Net
  1.51        AddTrust AB
  1.22        SomeOrganization
  0.86        Chained SSL
  0.85        SWsoft Inc
  0.79        Snake Oil Ltd

Verisign, GeoTrust, and Thawte: same group.


Obtaining a Certificate

1. Each new participant must present himself.
2. The CA (physically) authenticates the participant.
3. It asks the participant to generate a pair of public/private keys.
4. It creates a certificate with the participant's identity, his public key, an expiry date, etc. and the CA's signature.
5. It provides a copy of its own public key to the participant.
6. The new participant can communicate with all other participants who share a common “trusted ancestor”.


Public-Key vs Sym-Key

Advantages ?

Drawbacks ?


SSL/TLS


SSL Primer

Client-server communications: random client, corporate server.

Authentication of the server based on public key.
Trusted third party: certificate authority (CA).

[Figure: client ↔ server link, with the threats eavesdropping, modifying, fake server, fake client.]


Secure Sockets Layer (SSL)

The most widely deployed security protocol in the world.
SSL was developed by Netscape to offer secure access to web servers (https).

History:
  SSL v1.0 never publicly released.
  SSL v2.0 released in 1994 (flawed).
  SSL v3.0 released in 1996, leads to TLS 1.0 (1999).


Transport Layer Security

TLS is an IETF standard based on SSL v3.0:
  Slight modifications compared to SSL v3.0.
  TLS v1.0 and SSL v3.0 do not interoperate.
  TLS v1.0 is sometimes called SSL v3.1.
  TLS v1.0 is defined in RFC 2246.

Current approved version: TLS v1.1
  Released in 2006, RFC 4346.
  Fixes a vulnerability discovered by Vaudenay.

Next proposed version: TLS v1.2
  Draft expires Sept 2008, may lead to RFC 4492.


SSL in the Layers

[Figure: protocol stack, top to bottom: Application, SSL, Transport, Network, Data Link, Physical Layer.]


Applications

Either create a new protocol from an existing protocol:
  Examples: HTTP (80) / HTTPS (443), FTP (21) / FTPS (990), SMTP (25) / SMTPS (995), POP3 (110) / POP3S (995), IMAP (143) / IMAPS (993).
  Disadvantage: only clients supporting TLS can connect.
  Advantage: we are sure that the communications are secure.

Or extend a protocol to negotiate SSL/TLS:
  Examples: (E)SMTP, POP3, IMAP: with the help of the STARTTLS command the client can ask to use TLS.
  Advantage: the client is not required to support TLS to use the service.
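The second approach in an SMTP dialogue, as an added example (not code from the slides): a small server model advertises STARTTLS in its EHLO reply and a client either upgrades or not. The host names, addresses and reply texts are constructed, except the "530 Must issue a STARTTLS command first" reply, which is the refusal RFC 3207 defines for a server that requires TLS before accepting mail. The real TLS handshake that would follow "220 Ready to start TLS" on the same connection is represented by a flag.

```python
class SmtpServer:
    """Model of an ESMTP server: advertises STARTTLS; may require it before MAIL FROM."""

    def __init__(self, require_tls: bool):
        self.require_tls = require_tls
        self.tls = False

    def handle(self, line: str) -> str:
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb == "EHLO":
            # Multi-line reply; the STARTTLS capability is advertised in the clear.
            return "250-mail.example.test\r\n250 STARTTLS"
        if verb == "STARTTLS":
            self.tls = True          # real server: run the TLS handshake here, then reset state
            return "220 2.0.0 Ready to start TLS"
        if verb == "MAIL":
            if self.require_tls and not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"   # RFC 3207
            return "250 2.1.0 Ok"
        return "500 5.5.1 Command not recognized"


def smtp_session(server: SmtpServer, client_supports_tls: bool):
    """Run one client session. Returns (mail accepted?, TLS active?, transcript)."""
    transcript = []

    def send(line: str) -> str:
        reply = server.handle(line)
        transcript.append(("C", line))
        transcript.append(("S", reply))
        return reply

    ehlo = send("EHLO client.example.test")
    if client_supports_tls and "STARTTLS" in ehlo:
        send("STARTTLS")              # client opts in; a legacy client simply skips this
    reply = send("MAIL FROM:<alice@example.test>")
    return reply.startswith("250"), server.tls, transcript


if __name__ == "__main__":
    accepted, tls, log = smtp_session(SmtpServer(require_tls=True), client_supports_tls=True)
    for side, text in log:
        print(side, text.replace("\r\n", " | "))
    print("accepted:", accepted, "tls:", tls)
```

With require_tls=False a client that never sends STARTTLS is served in the clear, which is exactly the compatibility advantage the slide names and its cost: the upgrade is the client's choice, and the advertisement it relies on travels unencrypted. A server that enforces the 530 reply, or the dedicated-port variant of the first approach, removes that choice.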


Example: Web

HTTPS
  The use of TLS or not is not negotiable.
  Guarantees confidentiality of transmitted data and authenticity (server, possibly client).
  The server must have a certificate.
  The client can have one (e.g., eBanking).


TLS Layers

[Figure: the TLS sub-protocols above the record layer. Handshake: for initializing a session. Change cipher spec: for setting up cryptographic algorithms. Alert: for managing warnings and fatal errors. Application data: for passing data from an application to the record layer in a transparent manner. Record layer: processing data.]


TLS Record Layer

Processing of data:
  Fragmentation
  Compression (optional)
  Authentication
  Encryption

It delivers such processed fragments to the transport layer (TCP).
At the receiving end, the inverse operations are carried out.


Record Layer Summary

[Figure: data is split into fragments; a MAC is appended to each fragment; data and MAC are encrypted; a header is prepended to each encrypted record.]


Encryption

Encryption is performed on compressed and authenticated records.

Block ciphers:
  DES (40 bits or 56 bits), 3DES, IDEA, RC2 (40 bits). Why a 40-bit key alternative?
  AES (128 bits or 256 bits) in TLS v1.1.

Stream ciphers:
  NULL, RC4 (40 bits or 128 bits).

The client should refuse 40-bit keys if such a cipher is suggested by the server (warning enforced in TLS 1.1).


Handshake in Brief

Negotiation of:
  The protocol version (SSL 3.0, TLS 1.0, TLS 1.1).
  The algorithms:
    Key exchange (RSA, Diffie-Hellman).
    Encryption (DES, 3DES, IDEA, RC4, RC2, AES).
    MAC (HMAC-MD5, HMAC-SHA).
  The client proposes the desired algorithms in order of preference, the server chooses.

Optional authentication of the partner using a certificate.
Messages are not encrypted.
The last messages authenticate the exchange.


WEP

  Introduction to WLAN
  WEP Description
  Attacks on WEP (Theory)
  Attacks on WEP (Practice)


Infrastructure Mode

Access points connect to the wired network.
Multiple mobile stations per access point.

Full internet connection for mobile users:
  University campus.
  Coffee shops.
  Airport lounges.

[Figure: wired network, Access Point (AP), mobile devices.]


Ad Hoc Mode

Wireless stations communicate directly, without a wired network.

On-the-fly networking:
  Impromptu meeting.
  Rescue operations.

LAN set-up is difficult:
  Natural areas.

LAN set-up is dangerous:
  Battlefield.

People are not aware that they launch an ad hoc network, e.g. when searching for networks in a train…


Eavesdropping Range

Typical use inside: ~30 m.
Typical outdoor range with a suited antenna: ~5 km.
Record: 382 km by EsLaRed of Venezuela (2007).


War Driving

Just discovering WiFi networks, no unauthorized access.

To war-drive:
  Laptop
  802.11 card
  Software
  GPS
  Car

While you drive: listens and builds a map of all WiFi networks found.

Examples: www.wigle.net, www.wardriving.com


[Figure: map of WiFi APs. Source: www.wigle.net]


Authentication, Encryption

Authentication:
  Open systems
  Do not broadcast the AP's SSID
  MAC address filter
  WEP
  WPA / WPA2

Encryption:
  WEP
  WPA / WPA2


Authentication: Open Systems

No authentication at all.

Less and less used?
  Usually, providers impose authentication by default.
  Not the case with Belgacom (observed in 2007).
  Public free hot spots without authentication.
  Non-free hot spots in hotels, train stations, etc.: high-level authentication (e.g. RADIUS server).
  Communities sharing their access, e.g. Communauté Neuf Wifi.

What kind of problem do we face?


Authentication: AP's SSID

The AP broadcasts its SSID:
  Allows clients to dynamically discover the AP.

Can be used to authenticate a client: the client must know the SSID.
  Not secure, because the SSID can be eavesdropped when a legitimate client connects to the AP.

Do not broadcast the SSID:
  Can be used to restrict features, e.g. Club Internet by default (observed in 2007): people pay to activate the wireless feature of their router.
  Lack of broadcast can be due to the channel number.


Authentication: AP's SSID

In practice, sniff the environment with e.g. Kismet, Airodump, Network Stumbler (Windows), etc.

[Screenshot: Kismet in a Linux shell.]


Authentication: MAC Address

The router has a list of authorized MAC addresses.
The router checks the MAC address of the station trying to connect to the network.
An attacker can read the MAC address of a legitimate wireless station and replace his own MAC address with the stolen one.

[Screenshot: MAC addresses of the devices connected to the AP.]


WEP Features

Authentication ("shared key" user authentication).
Confidentiality (RC4 stream cipher encryption).
Integrity checking (CRC-32 integrity mechanism).
No key management.
No protection against replay attacks.


Authentication + Enc: WEP

WEP = Wired Equivalent Privacy.
Part of the 802.11 standard (1999).
The stated goal of WEP is to make a wireless LAN as secure as a wired LAN.

According to Tanenbaum: “The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.”


No Key Management

No key management in WEP: every wireless station and AP has the same "preshared" key, which is used both for authentication and for encryption.

This key is distributed manually.

[Figure: the AP and every station hold the same Key A]

Page 67

No Key Management

In practice:
- The key is loaded into the device by hand when it is set up.
- The manufacturer’s default is often kept (printed under the router, in the user guide, etc.).
- It is never updated again.

Same key for everybody: in a large network, users may wish to have independent secure connections. A single dishonest WLAN user can break the security.

Static key: since it is relatively easy to crack WEP encryption in a reasonably short time (see next slides), the keys should be changed often, but the preshared key concept does not support this.

[Figure: Belgacom’s default WEP keys… (64 bits)]

Page 68

Replay Attacks

The adversary can “replay” a packet she has already seen.

Solutions?

Page 69

Integrity

Integrity is ensured using a CRC.

A CRC does not provide a cryptographic integrity check: it is designed to detect random errors, not intelligent changes.

In WEP, the message is concatenated with its CRC, then the whole is encrypted.

The encrypted message can be modified such that it is still valid after decryption.

Page 70

WEP Authentication

[Figure: shared-key authentication exchange between the station and the AP]
1. Station → AP: MAC address.
2. AP → Station: challenge (128 bytes).
3. Station → AP: response (the challenge encrypted with WEP).
4. AP → Station: status code. Authentication is successful if WEP decryption of the response gives the original challenge text.

Page 71

Stream Cipher

[Figure: the stream cipher expands the secret key into a keystream, which is XORed with the plaintext to produce the ciphertext]

Page 72

RC4 for WEP Encryption

[Figure: the IV (24 bits) is prepended to the secret key (40 bits) to form the RC4 packet key; RC4 produces the keystream, which is XORed with plaintext | checksum to give the ciphertext; the IV is transmitted in the clear with the ciphertext]

Page 73

RC4: A Well-known Stream Cipher

Designed by Ron Rivest (MIT) in 1987 for RSA Labs.
- Kept as a trade secret until 1994.
- Publicly disclosed in Sept. 1994 on the Cypherpunks mailing list.

Byte-oriented: generates one keystream byte per step.

Efficient in software (compared to LFSRs and block ciphers).
- Encryption in software is about 10 times faster than DES.
- Simple and elegant.

Widely used:
- Commercial software such as MS Office, Oracle Secure SQL.
- Network protocols such as SSL, IPsec, WEP.
- Copy protection: inside the MS XBOX.

Page 74

Attacks on RC4

Not under the spotlight, like all other stream ciphers.
- Theoretical attacks.
- Weak keys.
- To be used carefully:
  - Remove the first bytes (e.g. the first 768 bytes) to avoid some attacks…
  - Do not encrypt too long a stream to avoid other attacks…

If the plaintext and the ciphertext are known, then the keystream is known.
- No problem if the keystream is not reused.
- If the keystream is reused, this is at least as bad as reusing a one-time pad.

Page 75

#1 Known-Plaintext Attack

WEP uses a 24-bit (3-byte) IV.
- Each packet gets a new IV.
- RC4 packet key: the IV is prepended to the long-term key K.

If the long-term key and the IV are the same, then the same keystream is used.

There is a 50% chance of key reuse after 2^12 packets (birthday paradox).

Page 76

#1 Known-Plaintext Attack

The keystream leaks under a known-plaintext attack.

Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P. Let Z = RC4(K, IV) be the RC4 keystream. Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z.

This is not a problem ... unless the keystream is reused!

Page 77

#2 CRC Property

CRC is a linear function with respect to XOR:
CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)

The attacker observes (M | CRC(M)) ⊕ K, where K is the keystream output.

For any ∆M, the attacker can compute CRC(∆M). Hence, the attacker can compute:
([M | CRC(M)] ⊕ K) ⊕ [∆M | CRC(∆M)]
= [(M ⊕ ∆M) | (CRC(M) ⊕ CRC(∆M))] ⊕ K
= [(M ⊕ ∆M) | CRC(M ⊕ ∆M)] ⊕ K

Example: modify an IP address.
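The computation above, as an added example that is not part of the original slides, with a keyed-MAC variant beside it to show what a CRC lacks. The keystream, the frame contents and the HMAC key are constructed stand-ins (no RC4 here); crc_delta() also accounts for the constant that the standard, affine CRC-32 adds to the slides’ linear identity.

```python
"""Why WEP's CRC-32 ICV is not an integrity check, and what a keyed MAC changes.

Added example, not code from the original slides. A constructed frame body is
protected WEP-style as (M | CRC(M)) XOR keystream, with a fixed constructed byte
string standing in for the RC4 keystream. The slides' identity
CRC(X xor Y) = CRC(X) xor CRC(Y) is exact for the bare polynomial CRC; the
standard CRC-32 that WEP uses (zlib.crc32: init 0xFFFFFFFF, final XOR) is
affine, so the same computation picks up the constant CRC(0...0), which
crc_delta() includes. The hardened variant is a generic encrypt-then-MAC with
HMAC-SHA256, not the construction of any particular 802.11 successor.
"""
import hashlib
import hmac
import struct
import zlib

# Constructed stand-ins: an RC4-like keystream, a MAC key and a frame body with an address.
KEYSTREAM = hashlib.sha256(b"constructed keystream seed").digest() * 4
MAC_KEY = hashlib.sha256(b"constructed MAC key").digest()
MESSAGE = b"SRC=10.0.0.5;DST=10.0.0.9;DATA=hello"
DST_OFFSET = MESSAGE.index(b"DST=10.0.0.") + len(b"DST=10.0.0.")   # the last digit of DST


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(delta: bytes) -> int:
    """CRC-32 change caused by XORing `delta` into any message of the same length:
    CRC(M xor delta) = CRC(M) xor CRC(delta) xor CRC(0^n)   (affine CRC-32)."""
    return zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def wep_protect(message: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """WEP body: (M | ICV) XOR keystream, with ICV = CRC-32(M), little-endian."""
    return xor(message + struct.pack("<I", zlib.crc32(message)), keystream)


def wep_open(frame: bytes, keystream: bytes = KEYSTREAM):
    """Decrypt and check the ICV; returns M, or None when the ICV does not match."""
    body = xor(frame, keystream)
    message, (icv,) = body[:-4], struct.unpack("<I", body[-4:])
    return message if zlib.crc32(message) == icv else None


def xor_patch(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """dM: zero everywhere except old xor new at `offset` (old is guessed, not read)."""
    d = bytearray(length)
    d[offset:offset + len(old)] = xor(old, new)
    return bytes(d)


def flip_without_key(frame: bytes, delta_m: bytes) -> bytes:
    """The slides' computation: XOR [dM | CRC-delta(dM)] into the ciphertext.
    Needs neither the key nor M, and the receiver's CRC check still passes."""
    return xor(frame, delta_m + struct.pack("<I", crc_delta(delta_m)))


def mac_protect(message: bytes, keystream: bytes = KEYSTREAM, mac_key: bytes = MAC_KEY) -> bytes:
    """Hardened form: encrypt, then append an HMAC tag computed over the ciphertext."""
    ct = xor(message, keystream)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]


def mac_open(frame: bytes, keystream: bytes = KEYSTREAM, mac_key: bytes = MAC_KEY):
    """Verify the tag first; returns M, or None when the ciphertext was altered."""
    ct, tag = frame[:-8], frame[-8:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]):
        return None
    return xor(ct, keystream)


if __name__ == "__main__":
    delta_m = xor_patch(len(MESSAGE), DST_OFFSET, b"9", b"7")   # rewrite the destination
    print("CRC check accepts:", wep_open(flip_without_key(wep_protect(MESSAGE), delta_m)))
    print("HMAC check accepts:", mac_open(flip_without_key(mac_protect(MESSAGE), delta_m)))
```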

Page 78

#3 Statistical Cryptanalysis

Fluhrer, Mantin, and Shamir (FMS) – 2001
- Only two years after WEP was published.
- Some IVs are weak, i.e., they allow guessing some internal states, leading to the key.
- The IV and the first byte of plaintext/ciphertext must be known:
  - The IV is sent in the clear.
  - The ciphertext is eavesdropped.
  - The first bytes of ARP or TCP are fixed or can be easily guessed.
- 4 million IVs to recover a 128-bit key.
  - The number of IVs is linear in the key length (vs. exponential).
  - The key is revealed byte after byte (sequentially).

Page 79

#3 Statistical Cryptanalysis

Korek - 2004
- Proposed 17 attacks based on FMS.
- New classes of weak IVs.
- 1 million IVs.
- 2 bytes must be observable.

Tews, Weinmann, Pyshkin (PTW) - 2007
- Still new classes.
- 80’000 IVs.
- More bytes must be observable.
- Variant by Vaudenay/Vuagnoux (32’000 IVs).
- Key bytes are no longer necessarily guessed sequentially.

Page 80

WEP Cryptanalytic Attack

WEP data is encrypted using RC4.
- The packet key is made of the IV and the long-term key K.
- The 3-byte IV is prepended to K.
- Packet key = (IV, K).

- The IV is sent in the clear (not secret).
- A new IV is sent with every packet.
- The long-term key K is never changed.

Assume Trudy (= the attacker) knows the IVs and the ciphertext, and can guess the first bytes of the plaintext. Trudy wants to find the key K.

Page 81

WEP Cryptanalytic Attack

The 3-byte IV is prepended to the key.

We denote the RC4 key bytes K0, K1, K2, K3, K4, K5, …, where IV = (K0, K1, K2), which Trudy knows. Trudy wants to find K3, K4, K5, …

Attack due to Fluhrer, Mantin, and Shamir:
- Trudy watches IVs until she sees a 3-byte IV of the form IV = (K0, K1, K2) = (3, 255, X), where X can be anything.
- Then the RC4 key for this packet is key = (3, 255, X, K3, K4, K5, …).

Page 82

RC4 Steps

- KSA (Key-Scheduling Algorithm)
  - Initialization
  - Scrambling
- PRGA (Pseudo-Random Generation Algorithm)

Page 83

WEP Cryptanalysis

Initialization // N = 256
For i = 0 To N-1
    Si = i

Scrambling
j = 0
For i = 0 To N-1
    j = (j + Si + Ki) mod N      // Ki = key byte i, taken cyclically (K[i mod key length])
    Swap(Si, Sj)

Key bytes for a packet whose IV is (3, 255, X):
i  : 0   1    2   3   4   …
Ki : 3   255  X   K3  K4  …

Value of j at the first scrambling steps:
i = 0: j = 0 + S0 + K0 = 0 + 0 + 3 = 3
i = 1: j = 3 + S1 + K1 = 3 + 1 + 255 = 3 [mod N]
i = 2: j = 3 + S2 + K2 = 3 + 2 + X = 5+X
i = 3: j = (5+X) + S3 + K3 = (5+X) + 1 + K3 = 6+X+K3

State table S after each step (columns are the indices into S; only the cells that move are shown):
i\S  | 0 | 1 | 2   | 3      | 4 | … | 5+X | … | 6+X+K3
init | 0 | 1 | 2   | 3      | 4 | … | 5+X | … | 6+X+K3
i=0  | 3 | 1 | 2   | 0      | 4 | … | 5+X | … | 6+X+K3
i=1  | 3 | 0 | 2   | 1      | 4 | … | 5+X | … | 6+X+K3
i=2  | 3 | 0 | 5+X | 1      | 4 | … | 2   | … | 6+X+K3
i=3  | 3 | 0 | 5+X | 6+X+K3 | 4 | … | 2   | … | 1

Page 84

WEP Cryptanalytic Attack

Assumption: 6+X+K3 > 5+X (mod N). Otherwise 6+X+K3 would be to the left of 5+X in the table.

Up to now, we have only considered the first 4 steps of the initialization, i = 0, 1, 2, 3. In reality, there are 256 steps. For now, assume that the initialization stops after i = 3. The first keystream byte output is then:

PRGA // init i = j = 0
i = (i + 1) mod N             → i = 1
j = (j + Si) mod N            → j = S1 = 0
Swap(Si, Sj)                  → Swap(S1, S0), so S0 = 0 and S1 = 3
Output S[(Si + Sj) mod N]     → Output S[3 + 0] = S3 = 6+X+K3

Page 85

WEP Cryptanalytic Attack

Note: keystreamByte = 6+X+K3.

If keystreamByte is known, we can solve for K3 since K3 = (keystreamByte − 6 − X) mod N.

But the initialization does not stop at i = 3.

So can this “attack” really work? If the elements at positions 0, 1 and 3 are not swapped again in the remaining initialization steps, the attack works.

Page 86

WEP Cryptanalytic Attack

Can Trudy really recover the key? If she sees enough IVs, she gets K3.

Suppose Trudy has found K3. Then how to find K4?

Consider IVs of the form IV = (4, 255, X). Then after initialization step i = 4, one can show that:
keystreamByte = S4 = 10+X+K3+K4. And so on…
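The derivation of the last slides checked in code, as an added example that is not part of the original slides: RC4’s KSA and PRGA are implemented as written above, the truncated-KSA values 6+X+K3 for IV (3,255,X) and 10+X+K3+K4 for IV (4,255,X) are reproduced, and the fraction of IVs for which the relation survives the full 256-step scrambling is measured. The keys are constructed sample values; N, Ki and Si follow the slides’ notation.

```python
"""RC4 KSA/PRGA and the weak-IV relation derived on the slides.

Added example, not code from the original slides: a plain RC4 key schedule is
used to (a) reproduce the truncated-KSA derivation, first keystream byte =
6+X+K3 for IV (3,255,X) and 10+X+K3+K4 for IV (4,255,X), and (b) measure how
often that relation survives the full 256-step scrambling. Keys and IVs are
constructed sample values; K3, K4 denote the first bytes of the long-term key.
"""
N = 256


def rc4_ksa(key: bytes, steps: int = N) -> list:
    """Key-Scheduling Algorithm. `steps` < N models the slides' simplification
    "assume initialization stops after i = 3" (steps = 4); the key byte Ki is
    taken cyclically (K[i mod len]) as RC4 specifies."""
    S = list(range(N))                        # initialization: Si = i
    j = 0
    for i in range(steps):                    # scrambling
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(S: list) -> int:
    """One PRGA step starting from i = j = 0; returns the first keystream byte."""
    i = 1
    j = S[i] % N
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def first_keystream_byte(iv: bytes, key: bytes, steps: int = N) -> int:
    """WEP builds the RC4 packet key as IV | K and sends the IV in the clear."""
    return rc4_first_byte(rc4_ksa(iv + key, steps))


def predicted_byte(iv: bytes, key: bytes) -> int:
    """First keystream byte the slides derive, assuming the positions written
    during the first len(iv)+1 scrambling steps are never swapped again.
    Only the two IV shapes analysed on the slides are covered."""
    a, x = iv[0], iv[2]
    if iv[1] != 255 or a not in (3, 4):
        raise ValueError("derivation covers IV = (3,255,X) and (4,255,X) only")
    k3 = key[0]
    return (6 + x + k3) % N if a == 3 else (10 + x + k3 + key[1]) % N


def resolved_fraction(keys: list, a: int = 3) -> float:
    """Fraction of IVs (a,255,X), X = 0..255, over all `keys`, for which the
    full KSA really yields the predicted byte. The derivation is exact only for
    the truncated KSA, yet it holds for roughly one IV in twenty with the full
    one: enough for the first output byte to leak information about K3, and
    the reason RC4's initial keystream bytes should be discarded."""
    trials = hits = 0
    for key in keys:
        for x in range(N):
            iv = bytes([a, 255, x])
            hits += first_keystream_byte(iv, key) == predicted_byte(iv, key)
            trials += 1
    return hits / trials


# Constructed 40-bit long-term keys K = (K3, K4, K5, K6, K7); not real WEP keys.
SAMPLE_KEYS = [bytes([(7 * n + 3 * m + 0x42) % N for m in range(5)]) for n in range(8)]

if __name__ == "__main__":
    iv = bytes([3, 255, 7])
    print("truncated KSA:", first_keystream_byte(iv, SAMPLE_KEYS[0], steps=4),
          "predicted:", predicted_byte(iv, SAMPLE_KEYS[0]))
    print("full KSA, fraction of IVs where the prediction holds: %.3f"
          % resolved_fraction(SAMPLE_KEYS))
```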

Page 87

Attack Summary in Practice

- Client IP discovery phase.
- (Flooding.)
- Sniffing IVs and keystreams.
- Key cracking.

Page 88

Downloadable Tools

AirCrack-ng
- http://www.aircrack-ng.org
- Implements Korek and PTW (needs ARP flooding).
- Available e.g. in BackTrack.

WepCrack
- http://sourceforge.net/projects/wepcrack/
- “WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.”
- Last version: Oct 2004.

AirSnort
- http://airsnort.shmoo.com/
- Last update: 2005.
- Implements Korek’s attacks.

Page 89

Kerberos

Page 90

Many-to-Many Authentication

How do users prove their identities when requesting services from servers on the network? Solution: every server knows every user’s password.
- Insecure: breaking into one server may compromise all users.
- Inefficient: passwords must be changed on every server.
- Not convenient: passwords must be typed for each request.

[Figure: many users, many servers]

Page 91

Server-Aided Authentication

[Figure: users, a trusted third party, and servers]
1. The user proves his identity and requests a credential.
2. The trusted third party provides a credential to the user.
3. The credential is supplied to get the expected service.

The credential, a.k.a. ticket, is an identity proof but does not necessarily give the ability to use a given service.

Page 92

Server-Aided Authentication

Hypotheses:
- There is an online (trusted) authentication server (AS).
- AS shares KC with the client C.
- AS shares KS with the server S.

Goal: to help C and S share a session key K.

Page 93

Very Weak Example

[Figure: protocol diagram showing the identity of the client and the identity of the server. Source of the picture: Vaudenay’s lecture notes, EPFL, 2005]

The client can give the server’s key to other clients.

Page 94

Weak Example

[Figure: protocol diagram. Source of the picture: Vaudenay’s lecture notes, EPFL, 2005]

An attacker can replace Ic by IA.

A solution consists in not revealing the server’s key: the AS itself encrypts the session key K with the server’s key (a “sealed envelope”).

Page 95

Still Weak Example

[Figure: protocol diagram. Source of the picture: Vaudenay’s lecture notes, EPFL, 2005]

Replay attack by impersonating the AS if K is compromised, due to careless users: no means to be sure that K is fresh.

Page 96

Needham-Schroeder (1978)

[Figure: protocol diagram. Source of the picture: Vaudenay’s lecture notes, EPFL, 2005]

Replay attack by impersonating C if K is compromised, due to careless users: no means to be sure that K is fresh.

Page 97

Kerberos V

The name Kerberos comes from Greek mythology: it is the three-headed dog that guarded the entrance of Hades.

Created at MIT, free of charge.
- Kerberos 4 (1988), obsolete.
- Kerberos 5 (1993), RFC 1510, then RFC 4120 (2005).

Deployed:
- Initially on Unix systems.
- Used in many commercial products, e.g. Windows from 2000 on.

Based on symmetric-key cryptography.

Page 98

Kerberos V

Once you have logged into a workstation and been authenticated, you can access remote resources without entering your username and password again.

The Kerberos software on the workstation completes the authentication automatically on your behalf.

Page 99

Kerberos Elements

- Client C.
- Authentication server AS, a.k.a. KDC (key distribution center).
- Ticket granting server TGS.
- Server S which the client wants to access.

[Figure: C exchanges messages 1-2 with the AS, 3-4 with the TGS and 5-6 with S]
1- Request a Ticket Granting Ticket
2- Provide a Ticket Granting Ticket
3- Request a Ticket for a given service
4- Provide a Ticket for a given service
5- Forward the Ticket
6- Provide a service

Page 100

Tickets

To access a service, the client must have a ticket for that service.

The user can get this ticket from the Ticket Granting Server (TGS).

The service ticket confirms that the user can access the service.

The Ticket Granting Ticket (TGT) only confirms the identity of the user.

The client shows a ticket + an authenticator.

Page 101

Tickets, Authenticators

The ticket contains:
- Ic: the client’s identity.
- v: validity period.
- Kc,s: symmetric session key to be used between the client and the server.
- Others: flags, IP address, etc.

It is encrypted with the key of the server, Ks.

The authenticator is just the client’s identity and a timestamp, encrypted with the session key.

Page 102

Between C and AS

[Figure: messages 1 and 2, between C and the AS]

To start, the user must authenticate at the AS to get access to the TGS. C sends his name and the name of the TGS he wants to access to the AS. The AS replies with a Ticket Granting Ticket encrypted with the TGS’s key and a session key encrypted with C’s key.

(1) Ic, Itgs, N
(2) {Itgs, N, Kc,tgs}Kc, {Ic, v, Kc,tgs}Ktgs

Page 103

User & Service Authentication

The user types his username and password on his machine.

The client applies a one-way function (in practice a hash function) to the password in order to get the cryptographic key Kc.

Servers’ keys are random bit-strings.

Page 104

Between C and TGS

[Figure: messages 3 and 4, between C and the TGS]

The client sends the ticket as well as an authenticator to the TGS.
- The ticket contains the session key Kc,tgs.
- The TGS uses the session key to verify the authenticator.
- The TGS knows whether C is authorized to access the server S.
- The TGS delivers a ticket to access the service.

(3) Is, N’, {Ic, v, Kc,tgs}Ktgs, {Ic, t}Kc,tgs
(4) {Is, N’, Kc,s}Kc,tgs, {Ic, v, Kc,s}Ks

Page 105

Between C and S

[Figure: messages 5 and 6, between C and S]

The service ticket again contains the client’s identity, his IP address, a validity period and the session key to be used between the client and the server. The client has also received a copy of the session key, encrypted with the previous session key. He sends an authenticator and the ticket to the server.

(5) {Ic, v, Kc,s}Ks, {Ic, t}Kc,s
(6) {t+1}Kc,s
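The six messages of the three preceding slides as a runnable exchange, an added example that is neither part of the original slides nor any Kerberos implementation: each check a verifier performs (ticket validity, authenticator identity, timestamp freshness) is made explicit, since freshness is what the weak examples before Kerberos lacked. seal()/unseal(), the names, keys, nonces and the accepted clock skew are constructed assumptions.

```python
"""Kerberos V, messages (1) to (6) of the slides, as a runnable simulation.

Added example; not code from the slides or from any Kerberos implementation.
Notation as on the slides (Ic, Itgs, Is; Kc, Ktgs, Ks; Kc,tgs, Kc,s; v; t; N, N').
Names, keys, clocks and SKEW are constructed; seal()/unseal() are a toy stand-in
for the Kerberos encryption types, not real cryptography.
"""
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket validity, "typically 8 hours" on the slides
SKEW = 300            # max |t - now| for an authenticator to count as fresh

def _ks(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """{obj}key on the slides: toy encrypt-then-MAC, nonce | ciphertext | tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    """Kc derived from the password by a one-way function (slides); toy, unsalted."""
    return hashlib.sha256(password.encode()).digest()

PASSWORD = "correct horse battery staple"                          # constructed
KEYS = {"alice": string_to_key(PASSWORD),                         # Kc: known to AS
        "tgs": hashlib.sha256(b"constructed Ktgs").digest(),      # Ktgs: AS and TGS
        "fileserver": hashlib.sha256(b"constructed Ks").digest()}  # Ks: TGS and S

def ticket(Ic: str, v: int, session_key: str, service: str) -> bytes:
    """{Ic, v, K}K_service: carried by the client, who cannot open it (sealed envelope)."""
    return seal(KEYS[service], {"Ic": Ic, "v": v, "K": session_key})

def verify(tkt: bytes, auth: bytes, service: str, now: int):
    """Check done by the TGS (3) and by S (5): the ticket opens with our own key and
    is valid; the authenticator opens with the session key inside, matches, is fresh."""
    tk = unseal(KEYS[service], tkt)
    if now > tk["v"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(tk["K"]), auth)
    if a["Ic"] != tk["Ic"]:
        raise ValueError("authenticator does not match ticket")
    if abs(a["t"] - now) > SKEW:
        raise ValueError("authenticator not fresh (replay?)")
    return tk, a

def as_exchange(Ic: str, Itgs: str, N: str, now: int):
    """(1) Ic, Itgs, N  ->  (2) {Itgs, N, Kc,tgs}Kc, {Ic, v, Kc,tgs}Ktgs"""
    Kc_tgs = os.urandom(16).hex()
    return (seal(KEYS[Ic], {"Itgs": Itgs, "N": N, "K": Kc_tgs}),
            ticket(Ic, now + LIFETIME, Kc_tgs, Itgs))

def tgs_exchange(Is: str, N2: str, tgt: bytes, auth: bytes, now: int):
    """(3) Is, N', TGT, {Ic, t}Kc,tgs  ->  (4) {Is, N', Kc,s}Kc,tgs, {Ic, v, Kc,s}Ks"""
    tk, _ = verify(tgt, auth, "tgs", now)
    Kc_s = os.urandom(16).hex()
    return (seal(bytes.fromhex(tk["K"]), {"Is": Is, "N": N2, "K": Kc_s}),
            ticket(tk["Ic"], tk["v"], Kc_s, Is))

def server_exchange(st: bytes, auth: bytes, Is: str, now: int) -> bytes:
    """(5) {Ic, v, Kc,s}Ks, {Ic, t}Kc,s  ->  (6) {t+1}Kc,s"""
    tk, a = verify(st, auth, Is, now)
    return seal(bytes.fromhex(tk["K"]), {"t": a["t"] + 1})

def client_session(password: str, Ic: str, Is: str, now: int, t=None) -> str:
    """Client side of all six messages; `t` is the authenticator timestamp (an
    old value models a replayed authenticator). Returns "ok" when S proves
    knowledge of Kc,s with t+1, otherwise the message of the failing check."""
    Kc, t = string_to_key(password), now if t is None else t
    N, N2 = os.urandom(8).hex(), os.urandom(8).hex()
    try:
        m2, tgt = as_exchange(Ic, "tgs", N, now)                                # (1),(2)
        r = unseal(Kc, m2)                                                      # needs the right Kc
        if (r["Itgs"], r["N"]) != ("tgs", N):
            raise ValueError("AS reply does not answer our request")
        Kc_tgs = bytes.fromhex(r["K"])
        m4, st = tgs_exchange(Is, N2, tgt, seal(Kc_tgs, {"Ic": Ic, "t": t}), now)  # (3),(4)
        r = unseal(Kc_tgs, m4)
        if (r["Is"], r["N"]) != (Is, N2):
            raise ValueError("TGS reply does not answer our request")
        Kc_s = bytes.fromhex(r["K"])
        m6 = server_exchange(st, seal(Kc_s, {"Ic": Ic, "t": t}), Is, now)       # (5),(6)
        return "ok" if unseal(Kc_s, m6)["t"] == t + 1 else "server failed to prove Kc,s"
    except ValueError as e:
        return str(e)
```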

Page 106

Discussion

It is the client's responsibility to store his authentication data (the tickets); the servers are stateless.

The authentication server is accessed only once during the ticket validity (typically 8 hours).

Clients can access services with their tickets even if the authentication server is down.

Once a client is authenticated, his ticket cannot be revoked.

Page 107

Ski Pass Analogy

The developers of Kerberos propose an analogy between Kerberos and a ski package.
- You get a three-day ski pass (TGT) from your travel agency against a proof of identity (and money…).
- Then, the three-day ski pass (TGT) can be used at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket (ST) for that resort.
- Once you have the lift ticket (ST), you can ski all you want at that resort (until it expires).
- If you go to another resort later, you once again show the three-day ski pass (TGT), and you get another lift ticket (ST) for the new resort.

Page 108

S/MIME

Page 109

Certificates

- S/MIME.
  - Hierarchical.
  - Users trust a certification authority.
- PGP.
  - Peer-to-peer.
  - Users trust some other users.
  - One or several identities (names, e-mail addresses).
  - One or several signatures per identity.

Page 110

Mime

MIME (Multipurpose Internet Mail Extensions) is a standard used to represent any object in e-mails or other electronic documents (e.g. HTTP replies). A MIME document contains at least the following two headers:
- Mime-version.
- Content-type: text/plain, text/html, image/gif, video/mpeg, multipart/mixed, etc.

Page 111

S/Mime Basics

S/MIME was proposed by RSA Security in 1997; S/MIME is now maintained by the IETF.

S/MIME adds digital signatures and encryption to MIME messages.

S/MIME exclusively uses X.509 certificates, signed by a certification authority (chain of trust).

Thus, before using S/MIME we have to obtain a certificate from a CA.

Page 112

S/MIME: Principles

Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be for [email protected]; Wed, 30 Apr 2008 01:04:21 +0200 (CEST)
Received: from [192.168.1.2] (45.66-136-217.adsl-dyn.isp.belgacom.be [217.136.66.45]) by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for <[email protected]>; Wed, 30 Apr 2008 01:04:29 +0200 (CEST)
Date: Wed, 30 Apr 2008 01:04:14 +0200
From: avoine <[email protected]>
Subject: test
To: [email protected]
Message-ID: <[email protected]>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms070301020000070200060202
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)

This is a cryptographically signed message in MIME format.

--------------ms070301020000070200060202
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello World!

Page 113

S/MIME: Principles

Hello World!

--------------ms070301020000070200060202
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIICezCAncwggHgoAMCAQICBQCJgWDNMA0GCSqGSIb3DQEBBQUAMCkxFDASBgNVBAoTC1NlbGYtU2ln

(…)

hvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBqlFmpWmAD1er41TC6xECUG508seotHJZphg4ueJqfegikYos7gkBLm93hHFOr70gkuvLbqNtMX4ro0I2Jd2iIdfrY03jDIZFKVt5vg1+LGKv/3ZfX1T6kv9+nJU7M8epOcYdP+IJjr6JgyqVGMW95WDyA0sKMOuA2/2unjqrgHgAAAAAAAA==
--------------ms070301020000070200060202--
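Parsing the multipart/signed layout shown above, as an added example that is not part of the original slides: it extracts the exact bytes the signature covers (the first body part with its MIME headers, in CRLF form) and computes the micalg digest over them, which makes visible that the outer headers (Subject, From, …) are outside the signature. The message below is constructed, with placeholder addresses and boundary and a placeholder in place of the base64 PKCS#7 blob.

```python
"""What the signature of an S/MIME multipart/signed message actually covers.

Added example, not code from the original slides. SAMPLE is a message shaped
like the one on the slides, with constructed addresses and boundary and a
placeholder instead of the base64 PKCS#7 blob. The code isolates the signed
entity and the detached signature as RFC 1847 / RFC 5751 define them and
computes the micalg digest over exactly the signed bytes; parsing the PKCS#7
structure itself is out of scope.
"""
import hashlib
import re

SAMPLE = (
    b"Date: Wed, 30 Apr 2008 01:04:14 +0200\r\n"
    b"From: Alice <alice@example.org>\r\n"
    b"Subject: test\r\n"
    b"To: bob@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\r\n'
    b'\tmicalg=sha1; boundary="----example-boundary-0001"\r\n'
    b"\r\n"
    b"This is a cryptographically signed message in MIME format.\r\n"
    b"\r\n"
    b"------example-boundary-0001\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-1; format=flowed\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Hello World!\r\n"
    b"------example-boundary-0001\r\n"
    b'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="smime.p7s"\r\n'
    b"Content-Description: S/MIME Cryptographic Signature\r\n"
    b"\r\n"
    b"MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUA...PLACEHOLDER-NOT-A-REAL-SIGNATURE...\r\n"
    b"------example-boundary-0001--\r\n"
)


def parse_multipart_signed(raw: bytes) -> dict:
    """Split a multipart/signed message into the signed entity and the signature.

    RFC 1847: the signed data is the first body part *including its MIME
    headers*, in canonical CRLF form, up to but excluding the CRLF that precedes
    the next boundary delimiter (that CRLF belongs to the delimiter)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)          # undo header folding
    headers = [line.partition(b":") for line in unfolded.split(b"\r\n")]
    ctype = next((v for n, _, v in headers if n.strip().lower() == b"content-type"), None)
    if ctype is None or not ctype.strip().lower().startswith(b"multipart/signed"):
        raise ValueError("not a multipart/signed message")
    params = {k.lower(): v.strip(b'"') for k, v in re.findall(rb'(\w+)=("[^"]*"|[^;\s]+)', ctype)}
    pieces = (b"\r\n" + body).split(b"\r\n--" + params[b"boundary"])
    if len(pieces) != 4 or not pieces[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts and a closing delimiter")
    signed, signature = (p.split(b"\r\n", 1)[1] for p in pieces[1:3])  # drop end of delimiter line
    return {"protocol": params[b"protocol"].decode(),
            "micalg": params[b"micalg"].decode(),
            "signed_entity": signed,
            "signature_entity": signature,
            "unsigned_headers": [n.decode() for n, _, _ in headers]}   # outer headers: not covered


def micalg_digest(signed_entity: bytes, micalg: str) -> str:
    """Digest the verifier computes over the signed entity with the algorithm
    announced by micalg (sha1, sha-256, ...) before comparing it with the
    messageDigest attribute carried inside the PKCS#7 signature."""
    return hashlib.new(micalg.replace("-", ""), signed_entity).hexdigest()


def digest_of(raw: bytes) -> str:
    """micalg digest of a whole multipart/signed message."""
    m = parse_multipart_signed(raw)
    return micalg_digest(m["signed_entity"], m["micalg"])


if __name__ == "__main__":
    m = parse_multipart_signed(SAMPLE)
    print("signed bytes:", m["signed_entity"])
    print("headers outside the signature:", m["unsigned_headers"])
    print(m["micalg"], "digest:", digest_of(SAMPLE))
```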

Page 114

S/MIME: Principles

Hybrid encryption. What does this mean?
- One recipient.
- Several recipients.

Page 115

PGP

- Basics
- Public-Key Validity
- Key Distribution
- Key Revocation

Page 116

PGP History 1/

PGP = Pretty Good Privacy. Several flavors: PGP, PGPi, GPG.

PGP:
- Published by Philip Zimmermann in 1991.
- Portable software initially containing the classical algorithms MD5, IDEA, RSA.
- First software allowing anybody to completely protect their documents and messages.
- 3 years of enquiry and harassment by the American government:
  - Patented algorithms (RSA patented in the US until 2000).
  - Suspicion of violating export regulations.

Page 117

PGP History 2/

1997:
- PGP Inc. sold to McAfee (Network Associates). Code no longer public.
- During the 39th IETF meeting in Munich, Zimmermann and Callas requested the IETF to set up a working group on the standardization of PGP (OpenPGP: [RFC1991, Aug 96], [RFC2440, Nov 98], [RFC4880, Nov 07]).
- Richard Stallman, at the Individual-Network Betriebstagung in Aachen, requested the European hackers to implement public-key software (US citizens were not allowed to do so outside the US).

2001:
- Zimmermann leaves Network Associates.
- Network Associates abandons PGP.

Page 118

PGP History 3/

2002:
- PGP Corporation is created and buys back the PGP rights.
- Code is again public.
- Free vs. trial download:
  - Basic functionalities remain available after 30 days.
  - But not the additional functionalities, e.g. disk encryption.
- Complete system compliant with OpenPGP.
- www.pgp.com
- Current version: 9.8

Page 119

PGP History 4/

PGPi
- Developed by Ståle S. Ytteborg (Norway) to counter the US export regulations.
- Maintained from 1997 to 2000.
- Obtained from the printed source code of PGP: MIT Press had published a book containing the PGP source code.
- www.pgpi.org

Page 120

PGP History 5/

GPG
- GPG = GnuPG = GNU Privacy Guard.
- GnuPG is the GNU GPL version of PGP. Initially, it used Elgamal and Blowfish instead of RSA and IDEA.
- Follows the OpenPGP standard.
- Version 0.0.0 released in December 1997. Initially called G10.
- www.gnupg.org
- Current version: 2.0
- GUI frontends: http://www.gnupg.org/related_software/frontends.en.html

“Das Briefgeheimnis sowie das Post- und Fernmeldegeheimnis sind unverletzlich.” Grundgesetz, Artikel 10, Abs. 1.

“Secrecy of letters as well as sanctity of mail, telephone and telegraph are inviolable.” Basic Law, Article 10, Paragraph 1.

Page 121

PGP Specialties

- Encryption / Signature.
- Key management.
  - What is called a PGP key is actually a PGP certificate.
  - Web of trust.

Page 122

Signed Message Example

Page 123

Symmetric Encryption [RFC4880]

- TDES [Mandatory]: slow; considered to be secure.
- IDEA: still patented till 2010; seems to be secure, has resisted all cryptanalysis for 17 years…
- CAST5 (128-bit key) [should impl. CAST5]: less studied than the other algorithms.
- Blowfish (128-bit key): less studied than the other algorithms.
- Twofish (256-bit key) (AES contest top-5 finalist): rather new.
- AES (128/192/256-bit key) [should impl. AES128]: THE standard since 2000.

All of them seem to be secure.

Public-Key [RFC4880]

Encryption: RSA; Elgamal [Mandatory] (randomized encryption).
Signature: RSA; DSA [Mandatory].
Elgamal is no longer recommended for signature.
Attack by Phong Nguyen (2003) when Elgamal keys are used for both encryption and signature.
The flaw was exploitable for 4 years…

Hash Functions [RFC4880]

MD5: Deprecated.
SHA-1 [Mandatory]: Its use should be avoided.
SHA-224/256/384/512: Seem OK.
RIPEMD-160: Seems OK.
Tiger: Seems OK.

Protection of the Private Key

The private key cannot be memorized by the user. How can we protect our private key?
It is stored on the hard disk, encrypted with a key derived from a password (no means to access it without the user's collaboration). The password is hashed to generate a symmetric key.
Once decrypted, it is in the computer's memory (dangerous).
It may be stored on a smart card. Access to the card is protected by a password. The key never leaves the card; it is the data that transits through the card to get encrypted, decrypted or signed.
The passphrase must be as strong as the key (i.e., same entropy at least).

Key Size [Lenstra, Verheul, 01]

public key (bits)    symmetric key (bits)
3072                 99
2048                 87
1536                 80
1024                 71

What should be the minimum passphrase length (in chars) to protect a 1024-bit RSA private key?
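
Added example, not from the slides, covering the two previous slides together: the RFC 4880 iterated-and-salted string-to-key derivation that turns a passphrase into the symmetric key protecting the stored private key, plus the passphrase-length rule that follows from "same entropy as the key". The hash (SHA-256), the coded iteration count 0x60, the 16-octet AES-128 key and the 95-character printable-ASCII alphabet are assumptions of this example, not values from the slides.

```python
import hashlib
import math
import os

# Added example, not from the slides: RFC 4880 section 3.7.1.3 "Iterated and
# Salted S2K", the string-to-key construction OpenPGP uses to turn a passphrase
# into the symmetric key that encrypts the private key stored on disk.

def s2k_count(coded_count: int) -> int:
    """Decode the one-octet coded count into the number of octets to hash."""
    return (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int = 0x60,
                        hash_name: str = "sha256", key_len: int = 16) -> bytes:
    """Derive key_len octets of key material from the passphrase and an 8-octet salt."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    # Hash `count` octets of the repeated (salt || passphrase) string; a string
    # longer than the count is hashed once in full.
    total = max(s2k_count(coded_count), len(data))
    key, context = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)   # further contexts are preloaded with zero octets
        remaining = total
        while remaining > 0:
            chunk = data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]

def min_passphrase_chars(target_bits: int, alphabet_size: int) -> int:
    """Shortest uniformly random passphrase over `alphabet_size` symbols carrying
    at least `target_bits` of entropy (the slide's "same entropy" rule)."""
    return math.ceil(target_bits / math.log2(alphabet_size))

if __name__ == "__main__":
    salt = os.urandom(8)  # a fresh random salt is stored alongside the encrypted key
    key = s2k_iterated_salted(b"correct horse battery staple", salt)
    print("AES-128 key from passphrase:", key.hex())
    # The slide's Lenstra-Verheul table rates 1024-bit RSA at about 71 symmetric
    # bits; over the 95 printable ASCII characters (assumed alphabet) that needs:
    print("random printable-ASCII chars for 71 bits:", min_passphrase_chars(71, 95))
```

Iterating the hash slows down a guessing attack by a constant factor but adds no entropy, which is why the length computed by the last function must come from the passphrase itself.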

Public Key Validity

How can we be sure that the key we use to encrypt a message is the correct one?
Directory: who put the key into the directory? Is a fake identity associated with the key? Is the directory a legitimate one?
Face to face: check the ID, check the hash of the key, sign the key (why?).
Certificates.

Validity and Trust in PGP

Two important notions in PGP.
Validity: I know that this key belongs to Bob.
Trust: I know that Bob does not sign keys arbitrarily.
When we sign a key, we declare its validity.

Validity and Trust in PGP

We can also declare a full or partial trust.
A key is valid if the sum of the partial trusts of its valid signatures is at least 1.

Key Publication

Several PGP key servers exist across the world, e.g. http://pgp.mit.edu/
They contain the keys of all PGP users who want to publish their key.
If Alice is sure that the key associated with Clara belongs to Clara, she can sign Clara's key and re-submit it to the servers.
If Eddy trusts Alice, he can accept Clara's key.
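
Added example, not from the slides, for the validity rule of the two previous slides ("valid if the partial trusts of its valid signatures sum to at least 1") and the Alice/Clara/Eddy case: a fixpoint computation over a small constructed web of trust as seen from Eddy's keyring. The weights are assumptions of this example (full trust counts 1, marginal trust 1/3); the slides fix only the threshold.

```python
# Added example, not from the slides: the PGP validity rule applied repeatedly
# over a constructed web of trust. Weights are an assumption: full trust
# counts 1, marginal trust 1/3, so three marginal signers reach the threshold.
FULL, MARGINAL, NONE = 1.0, 1.0 / 3, 0.0

def key_validity(owner, trust, signatures, max_rounds=16):
    """Return {key_id: bool}: whether `owner` may treat each key as valid.

    trust:      key_id -> weight `owner` assigns to that holder *as a signer*
    signatures: key_id -> set of key_ids whose holders signed that key
    Only signatures made by keys that are themselves already valid count, so
    the rule is applied until nothing changes any more (a fixpoint).
    """
    valid = {k: (k == owner) for k in signatures}   # own key: valid by definition
    for _ in range(max_rounds):
        changed = False
        for key, signers in signatures.items():
            if valid[key]:
                continue
            score = sum(trust.get(s, NONE) for s in signers if valid.get(s, False))
            if score >= 1.0 - 1e-9:                 # tolerate 1/3 + 1/3 + 1/3 rounding
                valid[key] = changed = True
        if not changed:
            break
    return valid

def example_web():
    """Constructed keyring of Eddy: who he trusts, and who signed which key."""
    owner = "eddy"
    trust = {"eddy": FULL, "alice": FULL,            # Eddy trusts Alice fully
             "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}
    signatures = {
        "eddy":  set(),
        "alice": {"eddy"}, "bob": {"eddy"}, "carol": {"eddy"}, "dave": {"eddy"},
        "clara": {"alice"},                          # Alice signed Clara's key
        "frank": {"bob", "carol"},                   # two marginals: 2/3 < 1
        "gina":  {"bob", "carol", "dave"},           # three marginals: 1, valid
        "hugo":  {"clara"},                          # Clara is valid but not trusted
    }
    return owner, trust, signatures

if __name__ == "__main__":
    owner, trust, sigs = example_web()
    for k, ok in sorted(key_validity(owner, trust, sigs).items()):
        print(f"{k:6} valid={ok}")
```

Hugo's key shows the distinction the slides draw: Clara's key is valid for Eddy, but Eddy has not declared any trust in Clara as a signer, so her signature alone makes nothing valid.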

Key Revocation

How can we revoke a key published on a server?
Servers are replicated: withdrawing a key is useless because another server will duplicate it again.
How can we prove that we are allowed to revoke a key if we have lost it?
We generate a key revocation certificate when we generate the key. The confidentiality of this certificate is not a major issue.
We set a validity deadline on the key when we generate it.

Cryptographic Key Summary

Which keys are involved when Alice sends an encrypted/signed message to Bob?

Conclusion

Symmetric-key crypto or public-key crypto.
One key / one service.
Avoid using the key directly.
Session key (forward secrecy).
Key generation (who, how; e.g., issues in PRNGs).
Key distribution.
Identify the trusted parties.
Revocation of the public keys.
More generally, think about how to react to an attack.
Check the weak link (cf. PGP).