(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
Pki Training V1.5
1. Introduction to PKI Technology
Version 1.5
Elaborated by Sylvain Maret & Cédric Enzler
October 1999
Rev. 1.5: August 2000
1
2. Course Map Day One
x Introduction
x Key Terms
x Cryptosystems
x Services, Mechanisms, Algorithms
x Cryptography in History
x Cryptanalysis
x Secret-Key Cryptography
x AES
x Lab exercise 1
Course Map Day One
x Public-Key Cryptography
x RSA
x Diffie-Hellman
x Message Digests
x Lab exercise 2
x Random Numbers
x Key Length
x Lab exercise 3
x File encryption
2
3. Course Map Day One
x Message Authentication Code (MAC, HMAC)
x Digital Signature
x RSA, DSS / DSA, ElGamal
x Hybrid Cryptosystems
x RSA Key Wrapping
x Diffie-Hellman
x Lab exercise 4
x PGP (encryption and signature)
Course Map Day One
x PKCS Standard
x Smart Card
x Lab exercise 5
x SSH
x SSH Tunneling
x End of day one
3
4. Course Map Day Two
x Questions to day one ?
x Revision quiz !
x PKI introduction
x Digital certificates
x X.509 certificates (Demo)
x Certificate Revocation (Demo)
x Certification Authorities
x RA, LRA
x Data Repositories (LDAP)
x S/MIME: How it works ?
Course Map Day two
x Lab exercise 6
x S/MIME and LDAP
x SSL: How it works ?
x Lab exercise 7
x Web server SSL
x Lab exercise 8
x Client SSL authentication
x End of day two
4
5. Course Map Day Three
x Questions to day two ?
x Lab exercise 9
x Smart Card installation (PKCS #11)
x Lab exercise 10
x Playing the security officer with Keon Certificate
Server
x Lab exercise 11
x Revocation with client SSL authentication
x IPSEC: How it works ?
Course Map Day Three
x Lab exercise 12
x IPSEC (SecuRemote Checkpoint)
x Demo
x IPSEC Cisco with CEP
x Cases study
x VPN RadGuard
x Secure Gate
x Encryption references sites
x Open discussion
x End of day three
5
6. Course Objectives
x Understand cryptographic fundamentals and how
cryptographic technology is applied in a Public
Key Infrastructure
x Know the elements of Public Key Infrastructure
and how they interact with each other
x Understand and be able to describe some of the
practical applications of PKI
x Understand why PKI is an attractive technology to
enable e-commerce and enhance security
Lab Topology Ayrton: SSL
Ayrton: SSL
Cerbere: CA
Cerbere: CA
LDAP, Mail
LDAP, Mail
Router IPsec
Router IPsec Checkpoint fw1
Checkpoint fw1
Londron
Londron Rome
Rome Paris
Paris Madrid
Madrid Geneve
Geneve Berlin
Berlin Newton: DNS, SSH
Newton: DNS, SSH
6
7. Lab Topology
x Domain name: pki.datelec.com
x Password: abc123 for all applications
x Be careful! You are an administrator
x Email: SiteName@pki.datelec.com
x Do not forget to change name site for labs!
For Labs, you will work together with a partner
(London and Rome for instance)
Lab applications
x E-mail
x Netscape (example labs)
x Outlook 98
x Lotus notes
x Internet browsers
x Netscape fortified (domestic)
x Microsoft Internet Explorer 5.0 export
x SSH Client
x Ldap Browser
x etc.
7
8. PKI, WHY?
x The rise of public data networks.
x Internet is a new platform for business
relationships: E-business
x Business rules need to be “translated” into this
new “language”.
x Hope behind PKI: to preserve classical business
rules in this new virtual world.
Drawbacks for E- business
x Let’s say you have an electronic contract which
you need to distribute to another party over the
Internet…
x With existing Internet tools like www and e-mail
you lose a lot compared to paper
x No assurance that the contract has been signed
x No guarantee that the contract is authentic
x No assurance of the contract’s source
x Basically, it is worth than the paper where
everything is printed on!
8
9. About needs...
x You need to know who you are dealing with
(Authentication)
x You need to keep private things private
(Confidentiality)
x You need to make sure that people do not cheat
(Non-Repudiation)
x You need to be sure that information has not been
altered (Integrity)
If PKI is the answer then…
What is the question?
On the Internet no one knows you're a dog!
9
10. Key Terms
x A message will be defined as plaintext or cleartext
x The process of disguising a message to hide its
substance is encryption
x The encrypted message is referred to as ciphertext
x Decryption is the process turning ciphertext back
into plaintext
Key Terms
x Cryptography is the science allowing messages to
be kept secure
x Cryptoanalysis is the art and science of breaking
ciphertext
x Cryptology is the mathematics field
x Cryptologist are theoretical mathematicians
10
11. Cryptosystems
x A cryptosystem is a collection of cryptographic
algorithms, cryptographic keys, and all possible
plaintexts and theirs corresponding ciphertexts.
Security Services
x Authentication: Provides the assurance of
someone’s identity
x Confidentiality: Protects against disclosure to
unauthorized identities
x Non-Repudiation: Protects against communications
originator to later deny it
x Integrity: Protects from unauthorized data alteration
11
12. Security Mechanisms
x Three basic building blocks are used:
x Encryption is used to provide confidentiality and
integrity protection
x Digital Signatures are used to provide
authentication, integrity protection and non-
repudiation
x Checksums / hash algorithms are used to provide
integrity protection and can provide authentication
One or more security mechanisms are
combined to provide a security service
Cryptography Algorithms
x All Cryptosystems are based on only three
algorithms:
x 1 - Secret-Key algorithms
x 2 - Public-Key algorithms
x 3 - Message-Digest algorithms
12
13. Services, Mechanisms, Algorithms
A typical security protocol provides one or more services
SSL, IPSEC, TLS, SSH, etc... Services
Signatures Encryption Hashing Mechanisms
DSA RSA RSA DES SHA MD5 Algorithms
Services are built from Mechanisms
Mechanisms are implemented using Algorithms
Security Protocol Layers
Application
S/MIME, PGP Application
Presentation Presentation
Session Session
SSL, TLS, SSH
Transport Transport
IPSEC
Network Network
DataLink
Hardware link encryption
DataLink
Physical Physical
The further down you go, the more transparent it is
The further up you go, the easier it is to deploy
13
14. Cryptography in History
x 2000 B.C. Hieroglyphics
x Cryptography as an Art
x Ancient Chinese
x First to transform messages in Ideographs for privacy
x India
x First “Networks spies” using phonetics encryption
(Javanese or reverse speaking)
x Mesopotamia
x Numbers associate to letters (cuneiform table)
Cryptography in History
x ATBASH cipher: In the Bible
x ABCDEFGH… (clear)
x ZYXWVU…(encrypted)
x Skytale Cipher (Greek)
x key: stick
x papyrus enrolled
x Polybius square (Greek)
14
15. Cryptography in History
x Runiques Stones by Vikings (Arts)
Cryptography in History
x World War II:
x Electromechanical cryptography
x Rotor based machine transforming plaintext into
ciphertext, using electrical signals as encryption key
x Example: Enigma machine used by Germans
x Ciphers were not new, but their processing was…
x 1970-today:
x New ciphers: based on numbers properties issued from
Mathematical theories
x RSA: Prime numbers factorization
x Diffie-Hellman: discrete logarithm
x ECDSA: Elliptic curve cryptography
15
16. Cryptanalysis
x Two categories of security levels
x Computationally secure:
x Question of time and money (Brute force attack)
x (Most of the cryptosystems: DES, 3DES, IDEA,
RSA, DH etc.)
x Unconditionally secure:
x Can “never” be broken independently of the
resources
x One-time pads
Several Cryptanalytic Attacks
x Ciphertext only
x Brute force attack and dictionary attacks on keys
x Chosen ciphertext
x Start from a known ciphertext and try to appear as
someone else to get information from others
behavior
x Known Plain ciphertext
x Derive the key from knowledge of both plain and
ciphertext
16
17. Secret-Key Cryptography
x Use a secret key to encrypt a message into a
ciphertext
x Use the same key to decrypt the ciphertext into
the original message
x Secret-key cryptography is referred also as
symmetric cryptography or conventional
cryptography
x The secret key is also known as session key or
bulk encryption key
Secret-Key Cryptography
x Let us imagine Alice and Bob who use Secret-Key
to protect their messages
Plaintext
Plaintext Ciphertext
Ciphertext Plaintext
Plaintext
Secret-Key
Secret-Key
17
18. Secret-Key Cryptography
x How to share the Secret-Key ?
x Alice and Bob can use the phone, fax, a meeting
point, etc.
x But!?:
x Could someone steal the key?
x How to proceed without partner knowledge?
Secret-Key Cryptography
x The Advantages
x Implementation is efficient to encrypt large volume
of data (100 to 1’000 faster than Public-Key
Cryptography)
x Simple to implement in either software or hardware
x Most of the algorithms are well know and secure
x Seem to be safe to brute force attack
x Widely used
18
19. Secret-Key Cryptography
x The Disadvantages
x Hard to share Secret-Keys
x Large number of keys
x No non-repudiation (Signature)
x Subject to interception (Secret-Key)
Secret-Key Cryptography
x Number of needed keys
x Suppose Alice, Bob and Chris want to use Secret-
Key Cryptography!
x They need only 3 keys
19
20. Secret-Key Cryptography
x Increase of keys number
x Suppose they want to add Dawn and Eric
x Now they need ten keys
Secret-Key Cryptography
x If n persons want to communicates we have
this formula:
x Key’s number = ((n)*(n-1)) / 2
x As example: A company of 60’000 people =
1’799’970’000 keys!
20
21. Secret-Key Cryptography
x Block cipher: Encrypts data in predefined
block size
x Most well-known ciphers are block ciphers
x Stream cipher: Encrypts data stream, one-bit
at the time
x Only few algorithms use it
Secret-Key Cryptography
x Common Secret-Key Ciphers
x DES
x Triple DES (3DES)
x RC2
x IDEA
x Blowfish
x CAST-128
x Skipjack
x RC4 (Stream cipher)
x etc.
21
22. Secret-Key Cryptography
x DES
x Data Encryption Standard (1973) by IBM
x World Standard for 20 years
x DES was broken in 22 hours (DES challenge III,
January 18th, 1999)
x Key size = 56 bits
x Block cipher
x Recommendation: should be replaced by
3DES for high confidentiality requirements !
http://www.rsa.com/rsalabs/challenges/
Secret-Key Cryptography
x Triple DES (3DES)
x Block cipher
x Encrypt + decrypt + encrypt with 2 (112 bits) or 3
(168 bits) DES keys
x DES’s replacement for Banking (1998)
x Recommendation: Use it for high
confidentiality!
22
23. Secret-Key Cryptography
x RC2
x Designed by Ron Rivest from RSA
x Block cipher
x Key size = up to 2048
x Encryption speed: independent from the key size
x Trade secret from RSA, posted on the net in 1996
x Designed as a DES’ replacement
x Faster than DES
x Recommendation: like DES but faster!
Secret-Key Cryptography
x CAST-128
x Designed by C.Adams and S. Tavares (1993)
x Block cipher
x Key size = 128 bits
x Used in PGP 5.x
x Recommendation: unknown
23
24. Secret-Key Cryptography
x IDEA
x International Data Encryption Algorithm
x Designed by X.Lai and J. Massey (ETH Zurich) in
1990
x Block cipher
x Key size = 128 bits
x More efficient than DES for software
implementation
x Used in PGP
x Recommendation: Better than DES
Secret-Key Cryptography
x Blowfish
x Designed by B. Schneier in 1993
x Optimized for high-speed execution on 32-bit
processors
x Block cipher
x Key size = up to 448 bits key
x Recommendation: Use for fast performances
and with a maximum key size
24
25. Secret-Key Cryptography
x Skipjack
x Designed by NSA (National Security Agency)
x Block cipher
x Key size = 80 bits
x Recommendation: Inadequate for long term
security (key size too short)
Secret-Key Cryptography
x GOST
x Acronym for “GOsudarstvennyi STandard”
x Russian answer to DES
x Key size = 256 bits
x Recommendation: Incompletely specified to
give an answer...
25
26. Secret-Key Cryptography
x RC4
x Designed by Ron Rivest from RSA
x Stream cipher
x Key size = up to 2048 bits
x Optimized for fast software implementation
x Trade secret from RSA, posted on the net in 1994
x Very fast
x Used in SSL, Lotus Note, Windows password
encryption, Oracle etc.
x Recommendation: Highly recommended for long
keys (>40 bits)
Secret-Key Cryptography
x Many, many others
x There is no good reason not to use one of above
proven algorithms!
26
27. Secret-Key Relative Performance
FAST
RC4
Blowfish, CAST-128
Skipjack
DES, IDEA, RC2
3DES, GOST
SLOW
AES
x National Institute of Standard and Technology
expressed a formal call for algorithm on 09.1997
x The aim is to define the “next century’s”
symmetric encryption standard or Advanced
Encryption Standard
x AES1 conf. (08.98): 15 potential candidates
x AES2 conf. (03.99): 5 retained candidates
x Final choice expected for summer 2001
27
28. AES candidates
x MARS (IBM)
x RC6 (RSA Laboratories)
x Rijndael (J. Daemen, V. Rijmen)
x Serpent (R. Anderson, E. Biham, L. Knudsen)
x Twofish (B. Schneier - Counterpane)
AES requirements
x Block cipher of minimum 128 bits
x Must implement symmetric keys of 128, 192,
256 bits
x Must be efficient on software and hardware
basis (high speed encryption)
Http://www.counterpane.com/aes-comparison.html
28
29. Secret-Key Cryptography
x Use a symmetric encryption to encrypt a text
file (DES and IDEA)
x Time: 15 minutes
x P.27
Public-Key Cryptography
x Use two distinct keys, one public and one private
x The private is kept secret
x The public can be freely shared
x Referred as asymmetric cryptography
x A public-key and its corresponding key are
mathematically related
x A public-key and its associated private-key are
called a key-pair
29
30. Public-Key Cryptography
x A message encrypted with a public-key can be
only decrypted by the private-key
x A message encrypted with a private-key can
be only decrypted by the public-key
(Signature)
Public-Key Cryptography
x Suppose Alice wants to send a message to Bob
using Public-Key Cryptography
Plaintext
Plaintext Ciphertext
Ciphertext Plaintext
Plaintext
Bob’s public key Bob’s private key
Bob’s private key
Bob’s public key
30
31. Public-Key Cryptography
x How to obtain the public-key ?
x Any publishing way can be used to get the public-
key (Directory servers, Phone, Web server,
Newspapers etc.)
x No more confidentiality issues in key distribution
Public-Key Cryptography
x Advantages
x No secret sharing
x Fewer keys
x No prior relationship needed
x Easier to administrate
x Offers useful mechanisms like digital signature
(offering non repudiation)
31
32. Public-Key Cryptography
x Disadvantages
x Not efficient (slow) to encrypt large volume of data
x Keys need to be much longer than with secret-key
encryption
x Impossible to encrypt a plaintext with size > key
Types of public-key algorithm
x A public-key algorithm is reversible if encryption
and decryption can be processed with either a
private or a public-key
x A public-key algorithm is irreversible if a private-
key is mandatory for encryption
x Key exchange algorithm: neither used for
encryption nor decryption (Diffie-Hellman)
32
33. RSA
x Inventors: Rivest, Shamir, Adleman in 1977
x Most popular
x Provide confidentiality, digital signature and
key exchange
x Key length up to 4096
x Plaintext length < Key length
x Ciphertext size = Key size
RSA
x RSA is protected by a patent. Patent expires
on 20th September 2000
x Relies on irreversible mathematics functions
(Prime numbers)
PDAs, WAPs: RSA Multi-Prime
33
34. Diffie-Hellman
x Published in 1976 by W. Diffie and M. Hellman
x Oldest known public-key cryptosystem
x Key agreement algorithm
x Enables secret-key exchange without prior
knowledge
x Agrees on shared secret used in conjunction with a
secret-key Cryptosystem (DES, 3DES, IDEA, etc.)
Diffie-Hellman: How it works ?
Alice’s Bob’s Alice’s Bob’s
private key public key public key private key
Share Secret Key
Share Secret Key
= Share Secret Key
Share Secret Key
34
35. DSA
x Compliant to Digital Signature Standard (DSS)
x Published in 1994
x Irreversible algorithm (encryption with private
key only)
x Used in Digital signature only
x Performance tuned for smart cards
Comparative Public-Key table
Algorithm Type
DSA Digital Signature
El-Gamal Digital Signature
RSA Confidentiality
Digital Signature
Key exchange
Diffie-Hellman Key exchange
35
36. Message-Digest Algorithms
x Take a variable-length message and produce
a fixed-length digest as output
x The fixed-length output is called the message
digest, a digest or a hash
x A message-digest algorithm is also called a
one-way hash algorithm or a hash algorithm
Message-Digest Algorithms
Input
Input
Message
Message
Hash Function
Fixed-length Digest
Fixed-length Digest
36
37. Message-Digest Algorithms
x Message-Digest Algorithms properties
required to be cryptographically secure
x It must not be feasible to determine the input
message based on its digest
x It must not be possible to find an arbitrary
message that has a particular, desired digest
x It should be impossible to find two messages that
have the same digest (collision)
x It should be very sensitive to input message
changes
Message-Digest Algorithms
x Some Common Message-Digest Algorithms
x MD2: 128-bit-output, deprecated, by Ronald Rivest
x MD4: 128-bit-output, broken, by Ronald Rivest
x MD5: 128-bit-output, weaknesses, by Ronald
Rivest
x SHA-1: 160-bit-output, NSA-Designed
x RIPEMD-160: 160-bit-output
x Haval: 128 to 256 bit-output (3 to 5 Passes)
x CRC-32: 32-bit-output
x Recommendation: Use SHA-1
37
38. Message-Digest Algorithms
x Message-Digest at work
x Creation of digital signatures
x Creation of MAC, HMAC
x Creation of secret-key with a passphrase
x File checksum (FTP server, Patches, etc.)
x FIA (File Integrity Assessment like Tripwire)
Powerful tool to detect small changes
Message-Digest Algorithms
x Use Message-Digest Algorithms to compute
a file’s digest (MD5 and SHA-1)
x Time: 15 minutes
x p.31
38
39. Random Numbers
x Random numbers are usually required to
generate cryptographic keys or challenge.
x Two main categories
x (PRNG) Pseudo Random Number Generator uses
a deterministic algorithm to generate a pseudo
random number based on a seed (mouse,
keyboard, etc..)
x A random number generator generates truly
unpredictable numbers. Based generally on
special hardware (white noise, radioactive-decay,
etc…)
Random Numbers
x A very secure cryptosystem can be broken if
it relies on random numbers that can be
guessed
x Netscape browser using SSL broken!
x Some PRNG
x Yarrow from B. Schneier
x CryptPack
x etc.
39
40. Keys Length
x To break a secret-key cryptosystem with “no
weakness”, an attacker must try each
possible key. This is called a brute force
attack
x To break a public-key cryptosystem an
attacker should use “smarter” brute force
attack based on mathematics
x Key space dimension = 2n (n:keylength)
What is the right key size ?
x The goals of cryptography are to make the
value of encrypted information less than the
money spent to decrypt it !
x the value of information usually decreases
over time
40
41. RSA’s Challenge on DES (III)
x Method: splitting the Key space for distributed
Brute Force Attack (space dimension = 2n ,
where n is the key-length)
x Starting date: 18.01.99. Ending: 22h15 min.
later…
x Brute Force Attack frequency: 245 Billions
keys/sec.
x Platforms: Cray/Sun/SGI/Pentium etc..
RSA’s Challenge on RSA-155
x Key-length: 512 bits = 155 digits
x Method: Prime number factorization
x Starting Date: August 99. Ending: 5 months
later
x Time: 35.7 CPU years
x Platforms: SGI/Sun/Pentium etc.
x 292 computers
41
42. Keys’ time of life
x Most of the time, session keys are changing
(IPSec, etc.)
x to enforce security
x Can be triggered by time or by encrypted data
quantity
Public-Key vs Secret-key
Secret-key (bits) Public-Key (bits)
40 274
56 384
64 512
80 768
96 1024
112 1792
120 2048
128 2304
42
43. Blowfish Advanced CS: How it works ?
Blowfish Advanced CS
x File encryption software using symmetric
encryption
x Used secret-key from a password or a “key-
disk”
x Support key splitting
x Wipes sensitive information
x Used secret-key ciphers like:
x Blowfish
x 3DES
x Twofish
43
44. Blowfish Advanced CS
x Use SHA-1 to generate secret-key from a
password
x Use random (PRNG) to create the key file and
to overwrite (wiping) data
File Encryption
x Setup a file’s encryption software to protect
sensitive information
x Time: 20 min
x p.38
44
45. Message Authentication Code
x MAC is a fixed-length data item that is send
together with a message to prove integrity and
origin
x Provide authentication and integrity without
confidentiality
x Also referred as message integrity code (MIC)
x Most common form is HMAC ( Hashed Mac)
x Example: HMAC-MD5
Message Authentication Code
Input
Input
Message
Message +
Secret-Key
Hash Function
HMAC
HMAC
45
46. Digital Signature
x Digital signature is a data item that guarantees
the origin and integrity of a message
x The signer of the message uses a signing key
x The recipient uses a verification key to verify
the origin and integrity
x Signing key = private-key
x Verification key = public-key
Digital Signature
x By using his own private key, the signer can not
repudiate the fact he has signed the message
x This mechanism provide non-repudiation
x Think about the difference with MAC …
46
47. Digital Signature: Basics
Simple signature using PRIVATE-key
Ciphertext
Ciphertext
Plaintext
Plaintext Plaintext
Plaintext
(Signature)
(Signature)
Alice’s private key Alice’s public key
Alice’s public key
Alice’s private key
Digital Signature: How it works?
Plaintext
Plaintext Plaintext
Plaintext
Alice’s
private key Digest MD1 = MD2 ???
MD1 = MD2 ???
Digest
Alice’s
Public key
Signature
Signature Signature
Signature
47
48. Digital Signature
x Why signing a message involves Hashing ?
x Signature (data item) is too big
x Performance (public-key is very slow)
x Possible attack (known plaintext attack)
Common Signature Algorithms
x RSA
x Well known
x Export limitation
x DSA
x Similar to RSA (algebraic properties of numbers)
x Non-reversible algorithm, suitable for digital
signature only
x ElGamal
x Another cipher for digital signature only
48
49. Hybrid Cryptosystems
x A Hybrid Cryptosystem combines the best
features of both Secret-Key and Public-Key
cryptography
x Used to exchange session key to initiate a
symmetric encryption
x Example: PGP, SSL, IPSEC using Diffie-Hellman
or RSA
Example: Diffie-Hellman and Secret-Key
cryptosystem
Asymmetric
Share Secret Key
Share Secret Key
= Share Secret Key
Share Secret Key
Symmetric
Plaintext
Plaintext Ciphertext
Ciphertext Plaintext
Plaintext
49
50. RSA Key wrapping encryption
x Suppose Alice wants to send an encrypted
text to Bob across the Internet , using RSA
key wrapping
RSA Key wrapping encryption
x How it works ?
x Alice creates a session key, which is a one-time-
only secret-key
x Alice encrypts the data with the session key
x Alice encrypts the session key with Bob’s public-
key
x Alice sends the ciphertext + the encrypted session
key to Bob
50
51. RSA Key wrapping encryption
RSA Key wrapping decryption
x How it works ?
x Bob receives the message from Alice
x Bob uses his private-key to recover the temporary
session key
x Bob uses the session key to decrypt the ciphertext
51
52. RSA Key wrapping decryption
RSA Key wrapping question ?
How sure can Alice be about Bob’s
presumed public-key ?
52
53. Man in the Middle Attack!
PGP: How it works ?
53
54. PGP: introduction
x Stands for Pretty Good Privacy
x By Phil Zimmerman (1991)
x Worldwide distributed in 1991
x Provides mail and file encryption/signature
x Today: PGP 6.5.2
x Available on many platforms like:
x Unix
x Windows
x Linux
x Atari, Macintosh, OS/2 etc.
PGP Introduction
x Contains a set of algorithms for
x Message digest:
x MD5, SHA1 and RIPEMD
x Public-key:
x RSA, DSA
x Secret-key:
x DES, 3DES, CAST-128 and IDEA
x Data compression: LZH
54
56. Original PGP encryption
x Encryption based on RSA key wrapping
Original PGP decryption
x Decryption based on RSA key wrapping
56
57. Quiz!
PGP today
x To enforce security, PGP offers today DSS
and DH key exchange
x Support for x.509 certificate as well
57
58. PGP Trust model
x Originally, PGP trust models were:
x Direct trust (hosts mutually and directly trusted)
x “Web-of-Trust”
x If Alice trusts Bob and Bob trusts Charlie, then Alice
will trust Charlie
x In other words…friends of my friends are my friends
x Today, hierarchical trust is also possible
Other PGP products
x PGP Phone
x to transform a desktop into a secure phone via
real-time encryption
x PGP disk
x offering privacy to file system
x PGP SDK
x development kit
58
59. PGP
x Use PGP for sending a signed and encrypted
e-mail
x Time: 40 min
x P.49
SSH: How it works ?
59
60. SSH
x SSH = Secure Shell
x Originally developed in 1995 as a secure
replacement for rsh, rlogin,rcp, ftp, telnet
x Originally implemented in Finland
x Available worldwide
x About 3’000’000 users around the world
Http://www.cs.hut.fi/ssh
SSH
x Also allows port forwarding (tunneling over
SSH)
x X11 connection forwarding
x SSH v2 submitted to IETF
x Can be run and used in a short space of time
x Many SSH clients available
x Secure CRT
x F-Secure
x Java Client
x etc.
60
61. SSH: Why ?
Unix Host
Unix Host
Login: rome
Password: abc123
Network
Attacker with sniffer
Original TCP Packet
Telnet to Unix Host
Telnet to Unix Host
SSH-1 Protocol (Hybrid Crypto)
Client performs TCP handshake with the server at
port 22 for SSH standard port
Client Server
TCP Start authentication process. Client send
authentication request
22
The server responds with two keys. Host key 1024
Auth request bit RSA and a Server key 768 bit RSA (Generated
hourly)
SSH
S Client verify host key and generate a secret key
S Handshake that is used for bulk encryption then encrypt this
Session Public Key secret key twice with Host and Server public keys
and send it to the server SSH
SSH
Server decrypt the session key with the two
DATA private keys. Begin bulk encrypted data exchange.
Client encrypts
Symmetric Encrypted
Server decrypts request, encrypts and sends
data response
61
62. SSH Ciphers
x SSH v1
x RSA
x DES, 3DES, Blowfish, IDEA
x SSH v2
x Diffie-Hellman for key exchange algorithm
x DSA, RSA
x 3DES, Blowfish, IDEA, Twofish, Arcfour, Cast-128
SSH Authentication
x Multiple Authentication mechanisms
x Static password (protected by SSH encryption)
x RSA or DSA authentication (client decrypts challenge
from server)
x Plug-in authentication (Securid, Radius, ldap, PAM *)
x “.rhosts or /etc/hosts.equiv” (Based on IP address)
* http://www.bg.kernel.org/pub/linux/libs/pam/index.html
62
63. SSH Authentication (RSA/DSA)
x Client decrypts “challenge” from server
x Provides “strong” authentication (client uses
his private-key plus a PIN code)
Server sends encrypted challenge with client’s public key
Client decrypts challenge and sends it to the server
The challenge is chosen randomly
SSH Tunneling mode
SSH
SSH
Client
Client
Corporate Net
HTTP 127.0.0.1 1999
HTTP 127.0.0.1 1999
Web server
Web server
Encrypted SSH tunnel Clear text
SSH
SSH
Server
Server
DMZ
63
64. SSH
x Setup a SSH client to replace Telnet. Use two
authentication mechanisms.
x Setup a SSH tunnel
x Time: 60 min
x p. 64
PKCS
x Public Key Cryptographic Standard (PKCS)
x Standardization of public-key algorithmic, in order to
maintain interoperability
x Developed by RSA Laboratories, a consortium of
information technology vendors and academic
institutions.
x Apple
x Microsoft
x Compaq
x Lotus
x Sun
x MIT etc.
64
65. PKCS list
x #1: Encrypting and signing using RSA public key cryptosystem
x #3: Key agreement with Diffie-Hellman key exchange
x #5: Encrypting with a secret key derived from a password
x #7: Syntax for message with digital signature
x #8: Format for private key information
x #9: Attribute type for use in other PKCS standard
x #10: Syntax for certification request
x #11: Define a cryptoki programming interface (API for smart cards)
x #12: Portable format for storing and transporting private keys
x #13: Encrypting and signing data using elliptic curves cryptography
x #14: Standard for pseudo number generation
x #15: Standard to store credentials on tokens
Smart Card
x Smart Cards consist of a chip (processor or/and
memory), a contact plate and a piece of plastic
(ISO 7810 - 54x85x0.8 mm)
x Smart Cards are used for multi-applications
x GSM, Banking, Medical, E-Commerce, Pay TV, etc…
65
66. Smart Card and PKI
x Storing the private-key and/or X.509 certificate
on the Smart Card
x Provide Strong Authentication
x Something you have, Something you know
x Access protected by a PIN (like credit card)
x Types of Smart Card
x Memory Cards
x PKI smart cards using Crypto-processor (RSA, etc.)
x Some Smart Card are “brute force” protected
Smart Card Standard (interface)
x PKCS #11 also call Cryptoki
x Interface for the communication to Smart Card
x Netscape, RSA
x PC/SC and their Crypto API
x http://www.pcscworkgroup.com/
x Bull, Gemplus, HP, Intel, Microsoft, Schlumberger
Siemens, SUN, Toshiba
66
67. Smart Card Reader
x Keyboard
x USB
x Serial
x PCMCIA
x Diskette reader
x SCSI
Today’s Smart Card Drawbacks
x Hardware...
x Multi-Services rarely used
x Users leave Smart Card on the reader
67
69. Quiz!
x Describe Secret-Key ?
x Advantages / Disadvantages
x Describe Public-Key ?
x Advantages / Disadvantages
x Describe Messages Digest ?
x Describe Digital Signature and verification ?
x Differences between MAC and signature?
x Describe two Hybrid Cryptosystems ?
x Describe a challenge response based
authentication?
PKI introduction
x The aim of PKI is to integrate all the previous
mechanisms and algorithms into a coherent and
efficient structure.
x It will answer the following fundamental security
needs:
x Authentication
x Confidentiality
x Non-Repudiation
x Integrity
x The basis of PKI relies on the concept of
certificates
69
70. PKI basis function
x PKI will include at least:
x One Certificate Authority who delivers certificates
x One Directory who stores active Certificates and/or
Revoked Certificates
x One Registration Authority who allows certificates’
enrollment
x One centralized Management
Remember Alice, Bob and Charlie...
Bob has no proof of the “link” between
Alice’s public-keys and her identities
So What ?
70
71. Third Trusted Party
Trusted Authority
Direct Trust Direct Trust
No more
Charly
Implicit Trust
Digital Certificates
x A public-key certificate is a bond between an
entity’s public-key and one entity
x The entity can be:
x A person
x A role (Manager Director)
x An organization
x A piece of hardware (Router, Server, IPSEC, SSL,
etc.)
x A software process (JAVA Applet)
x A file (Image, Databases, etc.)
x etc.
71
72. Digital Certificates
x A Public-key certificate provides assurance that
the public-key belongs to the identified entity
x A Public-key certificate is also called a digital
certificate, digital ID or certificate
x The entity identified is referred to as the
certificate subject
x If the certificate subject is a person, it is referred
to as a subscriber
Digital Certificates
x A certificate is like a passport ...
72
73. How to obtain a certificate
x As with passports, you give proof of your
identity to an official (or trusted) authority.
x The authority checks this proof.
x The authority delivers a signed passport .
x This procedure is defined as an “enrollment”
x Instead of “enrolling” for a passport we’ll
enroll for digital certificate.
Digital Certificates
x Graphical representation of a certificate
73
74. Demo: certificate view
X.509 Certificate Standard
x X.509 is a standard for digital certificate by
International Telecommunications Union (ITU)
x First published in 1988 (V1.0)
x Version 2.0 (1993) adds two new fields
x Current version is v3.0 (1996) and allows
additional extension fields
74
75. X.509 Basic Certificate Fields
x Version: X509 version 1,2 and 3
x Certificate serial number: Integer assigned by
the CA (unique)
x Signature algorithm identifier: RSA/MD5 etc.
x Issuer name: name of CA having signed and
issued the certificate
x Validity period: time interval
x Subject name: the entity name (this name must
be unique = distinguished name (DN) )
X.509 Basic Certificate Fields
x Subject public-key information: contains the
public-key plus the parameters
x Issuer unique identifier: optional field
x Subject unique identifier: optional field
x Extensions: may provide additional data for
specific applications.
And the Certification
Authority's Digital Signature
75
76. SSL X.509 example
Data and Signature section in human-readable format!
SSL X.509 example
Here is the same certificate in the 64-byte-encoded
format interpreted by a software
76
77. How to build a Certificate
CA
X.509
Fields
Public key Digital
Identity Signature
X.509 etc.
Process
Certificate
CA’s
Signature
Think of it like a credit card…
Digital Credit Union
Validity
DCU Period
Signature
5867 9506 3461 1920
GOOD THRU
LAST DAY OF 06/98
Andrew Nash Issuer Name
Subject Name
AUTHORIZED
Andrew K Nash Public Key
SIGNATURE
77
78. How to verify a certificate ?
x Obtain the Signer’s (CA) public-key
x Pass the X.509 fields into the message digest
algorithm and keep the digest (= your digest 1)
x Decrypt the Certificate signature with the
Signer’s (CA) public-key. The decrypting
plaintext will be the digest (= your digest 2)
x Compare the digest 1 with the digest 2
x Does this match together?
Verifying a certificate?
X.509
Fields
Public key
Identity
etc.
CA’s MD1 = MD2 ???
MD1 = MD2 ???
Signature
CA’s public key
CA’s public key
78
79. A few words about CAs
x Entities that issue and manage digital
certificates including
x maintaining
x revoking
x publishing status information
x CAs’ security policy defined in CPS
(Certification Practice Statement)
x Security measures to guarantee CA’s integrity
x Security measures to check enrollment’s identity
x Trust level relies upon CPS and not
technology
Few words about CAs
x PKI security relies on CA’s private-key
secrecy
x Should never be acceded
x Should be backed-up
x Solution: store it inside dedicated tamperproof
hardware
79
80. Type of CAs
x Private CAs:
x Hold by a private entity (Company, Administration,
the Military)
x Public CAs:
x Verisign, Swisskey, GTE, Thawte, Global-sign,
Certplus, etc.
A CA can be hybrid as for instance
“On-site services” of Verisign
Registration Authority (RA)
x A Registration Authority is the entity receiving
the certification requests and managing them
before sending them to the CA. RA acts as a
front end.
x As in hybrid CAs, the registration authority
can be separate from the CA itself. In this case
we talk about Local Registration Authority
(LRA)
x Multiple sites for big companies
x Distributed environment
80
81. (L)RA Front End
LDAP
x X.500 Directories required more effort and
complexity than most companies were
prepared to invest
x Lightweight Directory Access Protocol was
proposed by the Internet community
x LDAP uses the X.500 naming conventions but
simplifies the way you interact with a directory
81
82. LDAP
x LDAP is a “front end” that is used to
implement simple directory services
x An LDAP Server may be implemented over:
x a full X.500 Directory
x a database
x a flat file
x Most of structured data set
x CA will use LDAP to publish
certificates and CRLs
Demo: browsing ldap
http://www.iit.edu/~gawojar/ldap/
82
83. Certificate Revocation
x Certificate Revocation:
x Mechanism used by the CA to publish and
disseminate revoked certificates
x Revocation is triggered in the following cases:
x Key compromise
x CA compromise
x Cessation of operation
x Affiliation change
x etc...
Certificate Revocation
x Several data structures exist to publish
revocation
x CRL (Certificate Revocation List)
x ARL (Authority Revocation List)
x CRT (Certificate Revocation Trees) by Valicert
x Also Online query mechanisms
x OCSP (Online Certificate Status Protocol)
83
84. CRL’s publication and retrieval
x Certificate-using applications must be aware
of revoked certificates
x Get CRL via ldap
x Get CRL via FTP, Http, Https, etc.
x Check certificate status via OCSP
x Etc.
x Problem to solve: Revocation delay !
x Not yet fully standardized (Delta CRLs, OCSP
etc.)
CRL Version 2 structure
Signature Next List of revoked certificates
Version Issuer Update Extensions
algorithm Update per-certificates extensions
DN Date
Date
84
85. CRL Version 1 view (text)
CRL Version 1 view (PEM)
85
86. Demo: get a CRL
OSCP
Pushing Revocation
CA
LDAP
OCSP
OCSP over
http FTP, http
PKI enable Backend
Applications OCSP
others
Responder
86
87. Distinguish Names
x X.509 certificates bind a Distinguish Name
(DN) to a public-key
x A DN is a set of name-value pairs, such as
uid=cenzler, that uniquely identify an entity
x Example: a typical DN of a Datelec employee:
x C=CH, O=Datelec, OU=Engineering,
L=Geneva, CN=Cedric Enzler,
E=cenzler@datelec.com
Distinguish Names
x DNs may include a variety of other name-value
pairs (see X.500 standard)
x Most CAs are LDAP compliant. Thus, DNs will
be used as entries in Directories that support
LDAP
87
88. Single CA
x Until now, we assumed the presence of a
unique CA certifying all users. Thus, there’s a
direct relation between users and their CA
X509
X509
X509
X509
X509
X509
Multiple CAs top-down
x Typical CA implementation for large companies
Root CA
X509
Trust relation
Subordinate CAs X509
X509
Subordinate CAs
X509 X509
Certificates
X509 X509 X509
X509 X509
88
89. Trust
x Because a CA has a certificate itself and
represents the highest possible trust level, the
CA has its self-signed certificate
x A self-signed certificate is a Root Certificate
or Meta-Introducer
x A certificate-using application (any X.509
holders) must trust the Root certificate
x Importing a Root certificate into such an
application is called Bootstrapping a CA
Bootstrapping must be considered
as a very critical operation!
Trusted Root certificates
x Many applications (as http browsers) have
already embedded root certificates
89
90. Demo: Bootstrap Swisskey
Trust architecture
Assume Alice, Bob and Charly are exchanging e-mails
Root CA
X509
CA3 CA1
X509
X509
CA2
X509 X509
X509 X509 X509 X509 X509
A B C
90
91. Simple Case
x Alice receives Bob’s e-mail and the X.509
certificate
x How can Alice check Bob’s certificate?
x She looks at Bob’s signer
x Does she know the signer?
x Yes: Is it a self-signed? X509
x No: Is the upper level CA trusted?
Root
3
X509
CA3 2
X509
Bob
1
More complicated...
x Alice receives Charly e-mail and the X.509 certificate
x How can Alice check Charly certificate?
x Charly sent intermediary CAs certificates along with
his own certificate. This is the “chain of certificates”
x Thus, the validation process will be...
X509
Root
X509 4
X509
CA1
CA2
X509 3
Charly
2
1
91
92. Cross certification
A typical case: merging of Certification Islands:
X509 X509
X509 X509 X509 X509
X509 X509 X509 X509
X509X509 X509X509 X509 X509X509 X509X509 X509
Let’s be practical!
User enrolls for
certificate
Admin mailed
http://www...
http://www... notification
User mailed
acknowledgement
RA
Security
User mailed Officer
retrieval PIN
User
Admin Approves request
User retrieves
http://www...
http://www...
certificate
http://www...
http://www...
CA
Certificate installed
LDAP
92
93. Some X.509 certificate types
x CA certificate (Root)
x S/MIME
x SSL server/client
x IPSec gateway/client
x Object signing certificates
x Java script
x Image signature for copyright
x File detection intrusion (binary certifications)
x etc.
PKI Standards
x Some standard organizations:
x IETF PKI Working Group (PKIX)
x ITU
x SPKI
x RSA with PKCS
93
95. PKI Summary
x Based on Certificates (X.509)
x Trusted third party (CA)
x (L)RA
x CRL
x Data repositories
x Mechanisms and protocols between all these
elements
S/MIME: How it works ?
95
96. S/MIME
x Secure Multipurpose Internet Mail Exchange
x Developed by RSA, Microsoft, Lotus, Banyan, and
Connectsoft in 1995
x Implemented at application layer
x Build on top of PKCS #7 and PKCS #10
x Very strong commercial vendor acceptance
x Netscape, Microsoft, Lotus, etc.
x IETF developed S/MIME v3 (last version)
x Use X.509 certificates
S/MIME
x S/MIME provides four services:
Security Services Security Mechanism
Message origin authentication Digital Signature
Message integrity Digital Signature
Non-repudiation of origin Digital Signature
Message confidentiality Encryption
96
97. S/MIME Ciphers
x Symmetric encryption
x 3DES 168 bit
x DES 56 bit
x RC2 128, 64 and 40 bit
x Public-Key
x RSA 512 to 1024 bit
S/MIME Signature
Suppose Alice sends a S/MIME signed e-mail to Bob
Alice’s Private
Mime Key
format
MIME
Digest encoded
format
97
98. S/MIME Encryption
Suppose Alice sends a S/MIME encrypted e-mail to Bob
Bob’s Public
Key
Random
Session Key
Ciphertext
MIME
Mime encoded
Format Encoding
format
Plaintext
S/MIME dual Key ?
x Dual Key Pair
x One key pair for encryption
x One key pair for signature and non repudiation
x CA must support key backup and recovery
x Key pair for encryption generated on the CA
itself !
x Draw back:
x Not all Email client support Dual Key Pair
98
99. S/MIME
x The student will setup an e-mail system using
S/MIME. He will use digital signature and
encryption. Certificates retrieval done by ldap.
x Time: 45 min
x p.77
SSL: How it works ?
99
100. SSL
x Secure Sockets Layer TCP/IP socket encryption
x Provides end-to-end protection of
communications sections
x Confidentiality protection via encryption
x Integrity protection with MAC’s
x Usually authenticates server using a digital
signature (option)
x Can authenticate client (option)
SSL History
x SSL v1 designed by Netscape in 1994
x Netscape internal usage
x SSL v2 shipped with Navigator 1.0 and 2.0
x Microsoft proposed PCT (Private Communications
Technology), which overcame some SSL v2
shortcomings
x SSL v3 latest version
x The progresses of PCT were echoed in SSL v3
x TLS v1 developed by IETF
100
101. SSL Protocol
x The SSL protocol runs above TCP/IP
x The SSL protocol runs below higher-level
protocols such as HTTP or IMAP
SSL Ports from IANA
x nsiiops 261/tcp # IIOP Name Service over TLS/SSL
x https 443/tcp # http protocol over TLS/SSL
x smtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp)
x nntps 563/tcp # nntp protocol over TLS/SSL (was snntp)
x imap4-ssl 585/tcp # IMAP4+SSL (use 993 instead)
x sshell 614/tcp # SSLshell
x ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
x ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
x ftps 990/tcp # ftp protocol, control, over TLS/SSL
x telnets 992/tcp # telnet protocol over TLS/SSL
x imaps 993/tcp # imap4 protocol over TLS/SSL
x ircs 994/tcp # irc protocol over TLS/SSL
x pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3)
x msft-gc-ssl 3269/tcp # Microsoft Global Catalog with LDAP
101
102. SSL Ciphers
x The SSL protocol supports the use of a variety of
different cryptographic algorithms or ciphers
x DES (56)
x 3DES (168)
x RC4 (40 or 128)
x RC2 (40)
x Fortezza (96)
x IDEA (128)
x SHA-1, MD5
x DSA
x RSA (Key exchange)
SSL Handshake
x Negotiate the cipher suite
x Establish a shared session key
x Authenticate the server (Optional)
x Authenticate the client (Optional)
102
103. SSL Handshake
Client performs TCP handshake with the server at
port 443 for HTTPS which is HTTP in SSL
Start Cipher negotiation. Client sends SSL HELLO
Client Server containing ciphers supported by the client and a
TCP random number.
443 The server responds with a HELLO containing the
ciphers to use and a random number. Note the
Hello server selects the ciphers to be used. RSA, RC4
and MD5 are most common.
Cert SSL Start pass secret. Server sends it’s CERTIFICATE.
S Handshake
S Asymmetric
Client uses certificate to encrypt the pre-master
Secret and sends to Server. Both compute bulk
0.2 - 4 KB encryption KEYS from secret and random
numbers.
GET URL
Client and Server exchange CHANGE CIPHER
SPEC and FINISH messages.
DATA
Begin bulk encrypted data exchange. Client
encrypts and sends HTTP GET.
Bulk Encrypted
Server decrypts request, encrypts and sends
HTTP Protocol response
Symmetric Server sends FINISH and closes with TCP
handshake
A SSL connection consists of an SSL handshake
followed by bulk encrypted protocol
Client authenticate server
x Is today's date within
the validity period?
x Is the issuing CA a
trusted CA?
x Does the issuing CA's
public-key validate the
issuer's digital
signature?
x Does the domain name
in the server's certificate
match the domain name
of the server itself?
103
104. Demo: Wrong URL !
Server authenticate client
x Does the client's public-
key validate its digital
signature ? (challenge)
x Is today's date within the
validity period?
x Is the issuing CA a
trusted CA?
x Does the issuing CA's
public-key validate the
issuer's digital signature?
x Is the user's certificate
listed in a CRL?
104
105. SSL Tunneling
x SSL can provide tunneling to transport TCP port
over an encrypted channel
x Some tunneling software can use client and
server authentication using Certificates X.509
x Some tunneling programs
x Webtop (Sun/Netscape)
x Stunnel
x bjorb, Jonama
x SSLProxy
x Celo Communicationss (SSR)
http://www.openssl.org/related/apps.html
SSL Tunneling mode
XX
Corporate Net
pop3 127.0.0.1 1234
pop3 127.0.0.1 1234
ZZ
POP3 server
POP3 server
Encrypted SSL tunnel Clear text
YY
DMZ
105
106. SSL Hardware accelerator
x RSA key exchange is very CPU Intensive
x 200 Mhz NT box allows about a dozen concurrent SSL
handshakes
x Use Multiple server
x Use Hardware encryption (Intel-IPIVOT, Ncipher,
Rainbow, etc.)
SGC
x Server Gated Cryptography
x Allows strong encryption on a server basis
x Originally available only to “qualified financial
institutions”
x Requires a special SGC server certificate
from:
x Verisign Global-ID
x Thawte SuperCert
x GlobalSign HyperSign128
x Etc.
http://www.modssl.org/related/gid.html
106
107. SGC
x Enables strong encryption for export’s browser
x Procedure:
x Browser is export version: 40 bit cipher only !
x Browser connect to SGC-enabled server with 40 bits
cipher
x Server send his SGC-tagged certificate to browser
x Browser verifies server certificate and detect that is
issued by a CA root certificate which is tagged to
enable SGC
x Browser enabled 128 bit ciphers and force a SSL/TLS
renegotiation with the stronger cipher suite.
TLS
x Transport Layer Security
x IETF standardized evolution of SSL v3
x Update Mac layer to HMAC
x Updated for newer algorithms
x Substantially similar to SSL v3
x Cleanup of SSL v3
x Aka SSL v3.1
x Standardized by RFC 2246 (Jan 1999)
107
108. Installing a SSL Web Server
x Create the key-pair: Public and Private-Keys
x Each server includes programs to generate these
x Generate a CSR (Certificate Signing Request)
x This adds Information about your server and yourself
x Send the CSR to a CA (Certificate Authority) and
wait for your Certificate
x For instance Verisign, or a internal CA
x Install the Certificate
If you do not hold a Certificate signed by a well known CA,
your client’s browser will display warning messages that
the Certificate is from and Unknown CA
Demo: unknown certificate
108
109. Setup a SSL web server
x The student will setup a SSL web server using
Netscape Enterprise Server
x Time: 1 hour
x p.100
Setup a SSL Client Authentication
x The student will setup a SSL client
authentication to protect the access to
Intranet Server
x Time: 1 hour
x p.121
109
110. PKCS#11 Smartcard installation
x The student will connect and install a
smartcard on his PC following PKCS#11
standard
x Time: 15 min.
x p.136
Playing the security officer...
x The student plays the security officer
character
x Time: 30 min.
x p.138
110
111. Revocation with client SSL authentication
x The student will revoke himself and interpret
the results
x Time: 30 min.
x p.141
IPSec: How it works ?
111
112. IPSec
Remember!
Application
S/MIME, PGP Application
Presentation Presentation
Session SSL, TLS, SSH Session
Transport Transport
IPSEC
Network Network
DataLink
Hardware link encryption
DataLink
Physical Physical
IPSec will integrate PKI at layer 3
IPSec introduction
x Stands for IP Security
x Provide site-to-site and/or host-to-site
encryption and/or authentication
x Driven by the IETF
x Mandatory for IPv6, optional for IPv4
112
113. IPSec: two main ”Blocks”
x IPSec deals with two main “blocks”
x IPSec - Encryption and Authentication
x ESP - Encapsulating Security Payload
x AH - Authentication Header
x Two modes: Tunnel and transport
x IPSec - Key management
x IKE, Skip, Manual IPSEC
IPSec: ESP and AH
x The AH (Authentication Header) is a protocol
providing authentication only
x The ESP (Encapsulation Protocol) is an IPSEC
protocol for packet encryption and encapsulation.
x Both protocols offer integrity check with
authentication
IP TCP/UDP Payload IP AH TCP/UDP Payload
IP TCP/UDP Payload IP ESP TCP/UDP Payload
IP TCP/UDP Payload IP ESP AH TCP/UDP Payload
113
114. IPSec Tunnel mode
x Each datagram is captured by the security
gateway, encapsulated inside an IPSEC
packet and sent to a remote security gateway,
which “decapsulates” it, and sends the
original datagram to its original destination
x The two security gateways create a ‘tunnel’
through which data is passed
x The two hosts (and their applications) are
unaware of the encapsulation process
IPSec Tunnel mode
IPSec
Hosts
gateway
Application Application
Protected Protected
TCP UDP TCP UDP
Data Data
IP IP
Protected Traffic
AH/ESP AH/ESP
IP IP
114
115. IPSec Transport mode
x In transport mode, the two hosts serve as a
security gateway and encrypt their own data
x In this case, there is no need for a tunnel, nor
for the double IP header
x The two hosts are aware of the encapsulation
(since they perform it)
Transport mode
Application Application
TCP UDP TCP UDP
IP
IP Protected Traffic
115
116. Security Associations (SA)
x The SA is shared by the two communicating
parties - it provides indications on the
algorithms, the keys, the lifetimes and other
algorithm dependant information
x The SPI (Security Parameter Index) is a
number and serves as an index to the SA
x Each SA has two SPIs: incoming & outgoing
SPI and SA (Basics)
SPI:
0x1234567
SA
SPI: 0x1234567
Encryption (ESP): DES
Authentication (AH): SHA-1
DES Key: 0x1615613651365365326536
SHA-1: 0x32676362736347672672644
116
117. IPSec Key management
x In order to create the SA, the two parties need to
exchange all the security parameters, as well as
the keys.
x Several methods of key management:
x Manual keying or manual IPSec (statically defining SPI
and SA).
x SKIP (Simple Key Interchange Protocol by SUN
Microsystems)
x ISAKMP/OAKLEY or IKE: automatic key management
using DH
x Photuris alternative to IKE using DH
Practically IKE and manual
IPSec is prevalent
Manual IPSec
x On each gateway a specific SA is defined
(according S/WAN) for each remote gateway
(SPI, Cipher, Keys, Hash etc.)
x Drawback:
x Very heavy management
x Static keys: less security
x Often used between different IPSec vendors
x Cisco to Check Point for instance
117
118. Manual IPSec
SPI SPI
S S
A A
IKE Key management
x IKE is widely used (OSPF, IPSec etc..)
x SA proposal and negotiation is done using IKE
x Peers may be authenticated using X.509
certificate
x Each IPSec gateway holds a X.509 certificate
x SA negotiation starts after cross authentication
x Alternate method for authentication:
x Authentication is provided by pre-shared secrets
x Drawback: heavy key management etc.
118
119. IKE Key management using PKI
Negotiation with
Automatic
Key Management
SPI SPI
X509
X509
SA SA
Hardware implementation...
x Tamper proof design
x Full integration of IPSec for high/slow
bandwidth encryption
x Centralized management
x Vendors
x Radguard, Cisco, Checkpoint, etc.
119
120. Demo IPSEC with SecuRemote
Checkpoint architecture
Account Management
GUI
te VPN-1
ora k
orp twor
C e SecuRemote
N
client
Certificate VPN-1 /
Authority FireWall-1
ISP ISP
LDAP-based
Internet
Directory
Server
CRL X.509
Certificates
VPN-1 /
FireWall-1
120
121. Creation of the CA Certificate
•Create CA server object in VPN-1 /
Firewall-1
•Define where to retrieve CRL’s
•Get the CA certificate
Obtain CA certificate from a file
View the CA’s certificate
Save it, allow read by another
Mgt station
•Create a ldap server for CRL
Creation of Certificate for Firewall-1
•Define a nickname for the certificate
•Generate a PKCS#10 certificate
request.
•VIEW to display certificate
•Select the text in the window and
copy it to the clipboard.
121
122. Creation of Certificate for Firewall-1
•GET the certificate from the CA
Creation of Certificate for Secure Remote
x Importing PKCS#12 Certificates
x Import from a browser
x Save it as a P12 format
122
123. Using Certificates with SecureRemote
x IKE Authentication.
x Specify a profile file (.EPF file)
or select a hardware token from
the drop-down list.
x Enter password for accessing
the profile.
Using Certificates with SecureRemote
x View the certificate
by clicking on View
Certificate
x User’s certificate
x CA’s certificate
123
124. IPSEC
x The student will setup an IPSec link between a
client and a GW Checkpoint using X.509
certificates
x Time: 1h30
x p. 155
CEP: How it works ?
124
125. CEP
x Certificate Enrollment Protocol (CEP)
x A certificate management protocol jointly
developed by Cisco Systems and VeriSign, Inc.
x CEP is an early implementation of Certificate
Request Syntax (CRS), a standard proposed to
the Internet Engineering Task Force (IETF).
CEP
x CEP specifies how a device communicates
with a CA including:
x how to retrieve the CA's public key
x how to enroll a device with the CA
x how to retrieve a Certificate revocation list (CRL)
x CEP uses RSA's PKCS 7 and 10 as key
component technologies
125
127. Cases Studies !
Encryption references sites
x SSL
x http://www.openssl.org/
x http://developer.netscape.com/docs/manuals/security/sslin/
index.htm
x http://www.ultranet.com/~fhirsch/Papers/wwwj/article.html
x SSH
x http://www.ssh.org/
x http://www.Datafellows.com/
x http://wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/
127
128. Encryption references sites
x IPSEC
x http://web.mit.edu/network/isakmp/
x http://www.data.com/tutorials/bullet_online.html
x PGP
x http://www.pgp.com
x http://web.mit.edu/network/pgp.html
x S/MIME
x http://www.rsasecurity.com/standards/smime
Encryption references sites
x Miscellaneous
x Crypto-Gram:
x http://www.counterpane.com/crypto-gram.html
x CryptoBytes:
x http://www.rsasecurity.com/rsalabs/cryptobytes/
x Crypto FAQ V.4.0:
x http://www.rsasecurity.com/rsalabs/faq/
x http://www.datelec.com/~maret
128