11. If PKI is the answer then… What is the question? On the Internet no one knows you're a dog!
18. Services, Mechanisms, Algorithms
A typical security protocol provides one or more services. Services are built from mechanisms; mechanisms are implemented using algorithms.
  Services:   SSL, IPSEC, TLS, SSH, etc.
  Mechanisms: signatures, encryption, hashing
  Algorithms: DSA, RSA (signatures); RSA, DES (encryption); SHA, MD5 (hashing)

19. Security Protocol Layers
The further down the stack you go, the more transparent the protection is to applications; the further up you go, the easier it is to deploy.
  Application / Presentation: S/MIME, PGP
  Session / Transport:        SSL, TLS, SSH
  Network:                    IPSEC
  Data link / Physical:       hardware link encryption
104. SSH: Why?
A telnet session to a Unix host travels in clear text. An attacker with a sniffer on the network reads the original TCP packets, including the credentials:
  Login: rome
  Password: abc123

105. SSH-1 Protocol (Hybrid Crypto)
An SSH session is a public-key handshake followed by symmetrically encrypted bulk data.
1. The client performs a TCP handshake with the server on port 22, the standard SSH port.
2. The server responds with two keys: a 1024-bit RSA host key and a 768-bit RSA server key (regenerated hourly).
3. The client verifies the host key, generates a secret key to be used for bulk encryption, encrypts that secret key twice (with the server key and the host key) and sends it to the server.
4. The server decrypts the session key with the two private keys.
5. The authentication process starts: the client sends an authentication request (already inside the encrypted channel).
6. Bulk encrypted data exchange begins: the client encrypts a request; the server decrypts it, encrypts the response and sends it back.
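The exchange on this slide, as an added example (not code from the slides): the client pins the host key by fingerprint before trusting anything, then transports a fresh session key under both RSA public keys, and the server peels the two layers off in reverse order. The keys are textbook RSA built from Mersenne primes so the block needs no prime generator; that, the absence of padding and the SHA-256 fingerprint format are all simplifications of this example, not of SSH-1, and such moduli are trivially factorable.

```python
"""SSH-1 style hybrid key exchange: double RSA transport of the session key,
preceded by the host-key check the client must do before trusting the server."""
import hashlib
import random

E = 65537


def _rsa_key(p, q):
    """Textbook RSA key (n, e, d) from two primes. Toy only: no padding, and a
    modulus made of Mersenne primes is trivially factorable."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


# Mersenne primes 2^k - 1 are certain primes without a generator. Sizes mirror the
# slide's shape: the long-lived host key is larger than the hourly server key.
SERVER_KEY = _rsa_key((1 << 127) - 1, (1 << 521) - 1)    # ~648-bit, "regenerated hourly"
HOST_KEY = _rsa_key((1 << 607) - 1, (1 << 1279) - 1)     # ~1886-bit, server identity
ATTACKER_KEY = _rsa_key((1 << 89) - 1, (1 << 107) - 1)   # a man-in-the-middle's own key


def public(key):
    return key[0], key[1]


def fingerprint(pub):
    """SHA-256 over modulus and exponent; what a known_hosts entry would pin.
    (Format is an assumption of this example, not SSH-1's fingerprint.)"""
    n, e = pub
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")
                          + e.to_bytes(4, "big")).hexdigest()


def encrypt_session_key(session_key, pub_a, pub_b):
    """Encrypt under the smaller modulus first, then the larger: the first
    ciphertext is below n_small, so it is a valid plaintext for the second key."""
    small, large = sorted((pub_a, pub_b), key=lambda k: k[0])
    if session_key >= small[0]:
        raise ValueError("session key must be smaller than the smaller modulus")
    c1 = pow(session_key, small[1], small[0])
    return pow(c1, large[1], large[0])


def decrypt_session_key(blob, key_a, key_b):
    """Server side: remove the layers in reverse order with both private keys."""
    small, large = sorted((key_a, key_b), key=lambda k: k[0])
    c1 = pow(blob, large[2], large[0])
    return pow(c1, small[2], small[0])


def client(host_pub, server_pub, known_hosts, rng):
    """Verify the host key against pinned fingerprints, then transport a fresh
    256-bit session key. Refuses to continue on a fingerprint mismatch."""
    if fingerprint(host_pub) not in known_hosts:
        raise ValueError("host key fingerprint mismatch: possible man-in-the-middle")
    session_key = rng.getrandbits(256)
    return session_key, encrypt_session_key(session_key, host_pub, server_pub)


def run_exchange(seed=7):
    """An honest exchange, then an attacker presenting its own host key."""
    rng = random.Random(seed)
    known_hosts = {fingerprint(public(HOST_KEY))}
    k_client, blob = client(public(HOST_KEY), public(SERVER_KEY), known_hosts, rng)
    k_server = decrypt_session_key(blob, HOST_KEY, SERVER_KEY)
    try:
        client(public(ATTACKER_KEY), public(SERVER_KEY), known_hosts, rng)
        mitm_detected = False
    except ValueError:
        mitm_detected = True
    return {"client_key": k_client, "server_key": k_server, "mitm_detected": mitm_detected}


if __name__ == "__main__":
    r = run_exchange()
    print("keys agree:", r["client_key"] == r["server_key"], "| MITM detected:", r["mitm_detected"])
```

The hourly server key is what limits the damage of a stolen host key: without its short-lived private half, a recorded session cannot be decrypted later. The fingerprint check is the step users most often skip in practice; an SSH client that silently accepts a new host key gives an on-path attacker exactly the position the slide warns about.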
109. SSH Tunneling Mode
The SSH client listens on 127.0.0.1:1999 and carries the HTTP traffic through an encrypted SSH tunnel to the SSH server in the DMZ; from the SSH server the traffic continues in clear text to the web server on the corporate net.

135. How to Build a Certificate
The CA takes the X.509 fields (public key, identity, etc.), runs them through the digital signature process with its private key, and appends the CA's signature. Fields plus signature make up the X.509 certificate.
137. Verifying a Certificate
Hash the X.509 fields (public key, identity, etc.) to get MD1. Recover MD2 from the CA's signature using the CA's public key. The certificate is authentic only if MD1 = MD2.
147. Pushing Revocation
The CA backend pushes revocation information to the OCSP responder (over LDAP, FTP, HTTP or other transports). PKI-enabled applications query the OCSP responder using OCSP over HTTP.
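Slides 135, 137 and 147 together describe one relying-party procedure, shown here as an added example that is not the slides' own code: the CA signs the fields, the verifier compares MD1 with the MD2 recovered from the signature, and then asks a responder whether the serial has been revoked. The CA key is textbook RSA over Mersenne primes (no padding, toy only), the fields are a JSON dictionary rather than DER, and the responder signs with the CA key itself; all three are simplifications of this example.

```python
"""Toy X.509 lifecycle: CA signs the fields, relying party checks MD1 == MD2,
then queries an OCSP-style responder fed by revocation pushes from the CA backend."""
import hashlib
import json
import time

E = 65537


def _rsa_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


# Mersenne primes 2^521-1 and 2^607-1: certain primes, no generator needed.
# Toy only: a modulus built this way is trivially factorable.
CA_KEY = _rsa_key((1 << 521) - 1, (1 << 607) - 1)
CA_PUB = CA_KEY[:2]


def digest(obj):
    """Message digest over a canonical encoding of the fields (real X.509 hashes DER)."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(md, key):
    """Textbook RSA signature of the digest (no PKCS#1 padding, toy only)."""
    n, _, d = key
    return pow(md, d, n)


def recover(sig, pub):
    """Recover the digest the signer committed to, using the signer's public key."""
    n, e = pub
    return pow(sig, e, n)


def build_certificate(fields, ca_key):
    """Slide 135: the CA's signature over the X.509 fields."""
    return {"fields": fields, "ca_signature": sign(digest(fields), ca_key)}


def verify_certificate(cert, ca_pub):
    """Slide 137: MD1 from the fields, MD2 from the signature; equal means authentic."""
    md1 = digest(cert["fields"])
    md2 = recover(cert["ca_signature"], ca_pub)
    return md1 == md2


class OcspResponder:
    """Receives revocation pushes from the CA backend and answers status queries."""

    def __init__(self, signing_key):
        self.revoked = set()
        self.key = signing_key

    def push_revocation(self, serial):
        self.revoked.add(serial)

    def respond(self, serial, nonce, now):
        body = {"serial": serial, "nonce": nonce,
                "status": "revoked" if serial in self.revoked else "good",
                "this_update": now, "next_update": now + 3600}
        return {"body": body, "signature": sign(digest(body), self.key)}


def check_status(resp, serial, nonce, responder_pub, now):
    """Relying party: signature first, then nonce (replay), freshness, then status."""
    body = resp["body"]
    if recover(resp["signature"], responder_pub) != digest(body):
        return "bad-signature"
    if body["serial"] != serial or body["nonce"] != nonce:
        return "replayed"
    if not body["this_update"] <= now < body["next_update"]:
        return "stale"
    return body["status"]


def demo():
    # Constructed certificate fields; the subject key is a placeholder string.
    fields = {"subject": "CN=rome", "public_key": "<subject public key>", "serial": 42}
    cert = build_certificate(fields, CA_KEY)
    tampered = {"fields": dict(fields, subject="CN=mallory"), "ca_signature": cert["ca_signature"]}
    responder = OcspResponder(CA_KEY)   # simplification: real responders use a delegated signer
    now = int(time.time())
    nonce = 0x5EED
    before = check_status(responder.respond(42, nonce, now), 42, nonce, CA_PUB, now)
    responder.push_revocation(42)       # CA backend pushes the revocation
    after = check_status(responder.respond(42, nonce, now), 42, nonce, CA_PUB, now)
    stale = check_status(responder.respond(42, nonce, now), 42, nonce, CA_PUB, now + 7200)
    return {"valid": verify_certificate(cert, CA_PUB),
            "tampered_valid": verify_certificate(tampered, CA_PUB),
            "status_before": before, "status_after": after, "stale": stale}
```

The order of checks in `check_status` matters: the signature is verified before anything in the body is believed, and a response that is old or answers a different query is rejected even though its signature is good. A signature check alone is what lets an attacker replay a "good" response recorded before the revocation was pushed.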
150. Let's Be Practical!
Certificate enrollment as seen by the User, the RA, the CA, the Security Officer and the LDAP directory:
1. The user enrolls for a certificate at http://www...
2. The admin is mailed a notification.
3. The admin approves the request at http://www...
4. The user is mailed a retrieval PIN.
5. The user retrieves the certificate at http://www...
6. The user is mailed an acknowledgement.
7. The certificate is installed and published to LDAP.

165. SSL Handshake
An SSL connection consists of an SSL handshake (asymmetric, 0.2 - 4 KB) followed by the bulk encrypted protocol (symmetric).
1. The client performs a TCP handshake with the server on port 443 for HTTPS, which is HTTP in SSL.
2. Cipher negotiation starts: the client sends an SSL HELLO containing the ciphers it supports and a random number.
3. The server responds with a HELLO containing the ciphers to use and a random number. Note that the server selects the ciphers. RSA, RC4 and MD5 were the most common choices when this was written (RC4 and MD5 are broken and no longer acceptable).
4. The server sends its CERTIFICATE.
5. Passing the secret: the client uses the certificate to encrypt the pre-master secret and sends it to the server. Both sides compute the bulk encryption keys from the secret and the two random numbers.
6. Client and server exchange CHANGE CIPHER SPEC and FINISH messages.
7. Bulk encrypted data exchange begins: the client encrypts and sends the HTTP GET; the server decrypts the request, encrypts the response and sends it.
8. The server sends FINISH and closes the connection with the TCP close handshake.
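Step 5 above, "both compute bulk encryption KEYS from secret and random numbers", as an added example (not from the slides): the SSL 3.0 derivation from RFC 6101, carried through to the per-direction MAC and write keys that an RC4/MD5 cipher suite would use. Transport of the pre-master secret under the server's RSA key is assumed to have happened and is not modelled here; the random values are constructed with a seeded generator. Later protocol versions replaced this construction (TLS 1.0-1.2 use a PRF, TLS 1.3 uses HKDF).

```python
"""How both SSL endpoints turn the pre-master secret and the two HELLO random
numbers into the same bulk keys (SSL 3.0 derivation, RFC 6101 sections 6.1 and 6.2.2)."""
import hashlib
import random


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()


def ssl3_expand(secret, seed_a, seed_b, n_blocks):
    """MD5(secret + SHA('A' + secret + seeds)) || MD5(secret + SHA('BB' + ...)) || ..."""
    out = b""
    for i in range(n_blocks):
        label = bytes([ord("A") + i]) * (i + 1)   # 'A', 'BB', 'CCC', ...
        out += _md5(secret, _sha1(label, secret, seed_a, seed_b))
    return out


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; seeds are ClientHello.random then ServerHello.random."""
    return ssl3_expand(pre_master, client_random, server_random, 3)


def key_block(master, client_random, server_random, length):
    """Key material; note the seeds are reversed relative to master_secret."""
    n_blocks = (length + 15) // 16
    return ssl3_expand(master, server_random, client_random, n_blocks)[:length]


def derive_keys(pre_master, client_random, server_random, mac_len=16, key_len=16):
    """Split the key block as the spec does: client MAC, server MAC, client write
    key, server write key. Defaults match MD5 MACs and RC4-128 (no IVs needed)."""
    master = master_secret(pre_master, client_random, server_random)
    kb = key_block(master, client_random, server_random, 2 * mac_len + 2 * key_len)
    return {"client_mac": kb[:mac_len],
            "server_mac": kb[mac_len:2 * mac_len],
            "client_key": kb[2 * mac_len:2 * mac_len + key_len],
            "server_key": kb[2 * mac_len + key_len:2 * mac_len + 2 * key_len]}


def handshake(seed=1):
    """Both sides derive from identical inputs. A fresh server random means that a
    replayed pre-master secret yields different keys, which is why it is there."""
    rng = random.Random(seed)                                  # constructed values
    client_random = rng.getrandbits(256).to_bytes(32, "big")   # 4-byte time + 28 random in SSL
    server_random = rng.getrandbits(256).to_bytes(32, "big")
    pre_master = b"\x03\x00" + rng.getrandbits(368).to_bytes(46, "big")   # version + 46 random bytes
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(pre_master, client_random, server_random)
    replayed = derive_keys(pre_master, client_random, rng.getrandbits(256).to_bytes(32, "big"))
    return {"agree": client_keys == server_keys, "replay_same": replayed == client_keys}
```

The server never learns anything the client did not send, so a server that reuses its random value (or a client with a weak random source for the pre-master secret) collapses the whole derivation: the keys become predictable even though the RSA transport is intact.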
181. IPSec Tunnel Mode
Hosts send ordinary packets (IP | TCP or UDP | Application). The IPSec gateway wraps each one in a new outer IP header plus AH/ESP: IP | AH/ESP | Protected Data, where the protected data is the original IP | TCP or UDP | Application packet. Only the protected traffic between the gateways is exposed to the network; the hosts see plain IP.

185. SPI and SA (Basics)
A Security Association (SA) is identified by its SPI and holds the algorithms and keys for one direction of traffic:
  SPI: 0x1234567
  Encryption (ESP): DES, key 0x1615613651365365326536
  Authentication (AH): SHA-1, key 0x32676362736347672672644
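Slides 181 and 185 as one added example (not from the slides): a gateway encapsulating an inner packet in tunnel-mode ESP, and the receiving gateway looking the SA up by SPI, verifying the integrity check value, enforcing the anti-replay window and stripping the headers. Encryption is ESP with the NULL cipher (RFC 2410) and the integrity check is HMAC-SHA1-96 (RFC 2404) carried in ESP rather than a separate AH header, so the framing is visible in pure standard-library code; the DES key on the slide is not used, as DES is obsolete and modern SAs use AES-GCM. Addresses, keys and the inner packet are constructed for this example.

```python
"""IPsec tunnel-mode ESP with a Security Association Database keyed by SPI.
ESP-NULL encryption keeps the payload readable; the SPI lookup, HMAC check and
anti-replay window are the same as for a real cipher."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 12        # HMAC-SHA1-96 truncates the 20-byte MAC to 12 bytes
WINDOW = 64         # anti-replay window size in sequence numbers


@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes
    outer_src: bytes
    outer_dst: bytes
    seq: int = 0            # next outbound sequence number
    replay_top: int = 0     # highest authenticated inbound sequence number
    replay_bits: int = 0    # bitmap of seen numbers in [replay_top-63, replay_top]

    def icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def outer_ip_header(sa, length):
    """Minimal outer IPv4 header: proto 50 = ESP, TTL 64, checksum left at 0 (toy)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 0, 0, 64, 50, 0,
                       sa.outer_src, sa.outer_dst)


def encapsulate(sa, inner_packet):
    """Gateway output: outer IP | SPI | seq | inner packet | pad | pad len | next hdr | ICV."""
    sa.seq += 1
    pad_len = (-(len(inner_packet) + 2)) % 4               # trailer aligned to 4 bytes
    body = (struct.pack("!II", sa.spi, sa.seq) + inner_packet
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4]))   # next header 4 = IP-in-IP
    esp = body + sa.icv(body)
    return outer_ip_header(sa, len(esp)) + esp


def decapsulate(sad, packet):
    """Gateway input: SA by SPI, ICV, anti-replay, then strip to the inner packet."""
    esp = packet[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)
    if sa is None:
        return "no-sa", None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(body), icv):
        return "bad-icv", None
    # Replay check only after authentication, so forged packets cannot move the window.
    if seq > sa.replay_top:
        shift = seq - sa.replay_top
        sa.replay_bits = (sa.replay_bits << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
        sa.replay_bits |= 1
        sa.replay_top = seq
    else:
        offset = sa.replay_top - seq
        if offset >= WINDOW or (sa.replay_bits >> offset) & 1:
            return "replay", None
        sa.replay_bits |= 1 << offset
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != 4:
        return "bad-next-header", None
    return "ok", body[8:-(2 + pad_len)]


def demo():
    key = bytes(range(20))                                   # constructed 160-bit auth key
    sa_out = SecurityAssociation(0x1234567, key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    sa_in = SecurityAssociation(0x1234567, key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    sad = {sa_in.spi: sa_in}
    # Constructed inner packet: IPv4 header 192.168.1.1 -> 192.168.2.2, proto TCP, then data.
    inner = bytes.fromhex("4500001c0001000040060000c0a80101c0a80202") + b"GET / HTTP/1.0\r\n"
    p1 = encapsulate(sa_out, inner)
    p2 = encapsulate(sa_out, inner)
    return {
        "first": decapsulate(sad, p1)[0],
        "payload_ok": decapsulate(sad, p2)[1] == inner,
        "replayed": decapsulate(sad, p1)[0],
        "tampered": decapsulate(sad, p2[:40] + bytes([p2[40] ^ 1]) + p2[41:])[0],
        "unknown_spi": decapsulate(sad, p2[:20] + struct.pack("!I", 0x99) + p2[24:])[0],
    }
```

The SPI is the only thing in the packet that selects keys, which is why SAs are per direction and why a receiver must never fall back to "any SA" when the lookup fails. Integrity-then-replay ordering is deliberate: an attacker who could advance the window with unauthenticated packets could make legitimate traffic look replayed.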