Protocols: PK Encr./Auth.
PK Key Establishment
Secure Comm. in Open Networks
SSL/TLS
Nicolas T. Courtois - University College London
Security Notions
Nicolas T. Courtois, 2006-2010
3 Stages
CompSec COMPGA01
Nicolas T. Courtois, January 2009
Three Stages in Information Security [Courtois]
3 degrees of evolution:
1. Protections that are secret.
2. Based on a secret key.
3. Private-public key solutions.
PK Crypto
Public-Key Cryptography == Asymmetric Cryptography
3rd Stage – Public Key Cryptography
No shared key: one private and one public key.
Private key: generated and stored securely…
Third Stage – Public Key Cryptography
Public key: can be distributed to many parties. Does not have to be public (but the system remains secure when it is).
Public Key Schemes
Symmetric == Conventional Schemes = 1 algorithm.
Asymmetric == Public-Key Cryptography = 3 algorithms:
• Key Generation Algorithm
• Encryption / Signature Verification Algorithm
• Decryption / Signature Algorithm
*Traditional Secret-Key Encryption
[Diagram: Alice and Bob, sharing one secret key]
Public Key Encryption
[Diagram: in the past (setup phase) the key generation algorithm, fed with randomness r, outputs pk (public key) and sk (private key). Encryption algorithm: input m and pk, output c. Decryption algorithm: input c and sk, output m or "invalid". Eve sees c on the channel.]
MACs = “Secret-Key Signatures”
[Diagram: MAC algorithm: input m and sk (secret key), output a MAC. Verification: the receiver, holding the same sk, runs the MAC algorithm over the received message and its MAC and answers yes/no. The attacker's goal is a forgery.]
Digital Signatures
[Diagram: signing algorithm: input m and sk (private key), output a signature. Verification algorithm: input the message with its signature and pk (public key), output yes/no. The attacker's goal is a forgery.]
Signatures - Requirements
1. Authenticity –
2. Non-repudiation –
3. Public verifiability -
Protocols:
Security of Email
SMTP Protocol
THE original email protocol. Plaintext commands in a telnet session.
Access: no authentication, or basic password-based authentication.
Emails: no encryption (in cleartext), no authentication.
In addition everybody can send email => epidemics of spam!!!!
Standards for Secure Email
Two main open standards:
• PGP
 – [Phil Zimmermann, US activist, 1991],
 – much later became open standard GnuPG [RFC2440]
 – some PGP products are certified by US gov NIST
• S/MIME [RSA Labs]
 – free implementation in OpenSSL
Both use the same general method, called hybrid encryption:
Hybrid Encryption
[Diagram. Key Encapsulation Module: in the past (setup phase) the key generation algorithm, fed with randomness r, outputs pk (public key) and sk (private key). The sender picks a random key K and encrypts it with the PK encryption algorithm + “good” padding, giving the encapsulated key; the receiver recovers K with the PK decryption algorithm + verification of the padding. Data Encapsulation Module: each message block mi is encrypted under K with a block cipher + mode (with an IV), giving ci, and decrypted back to mi with the same block cipher + mode under K. Eve sees the encapsulated key and the ci.]
PKI Comparison
• PGP
 – web of trust, totally decentralized system
  • users can choose how much they trust each key
  • is trust transitive? not really
  • in particular, can also implement normal hierarchical PKI.
• S/MIME [RSA Labs]
 – uses the same standard PKI as SSL: X.509 certificates.
In both cases organisations can implement their own closed PKI.
Problems with PK crypto and email encryption
* Problems with the PKI Systems
• Cf. Ellison and Schneier: “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure”, http://www.schneier.com/paper-pki.pdf
• Ben Laurie: Seven and a Half Non-risks of PKI, http://www.apache-ssl.org/7.5things.txt
Problem 373: once done it can hardly be undone…
Main Risks / Pitfalls
1. Bugs? Backdoors? Source code? People/country trusted?
2. Is it really the key of Bob?
 • Certificates: trusting third parties in foreign countries
3. Was his real key lost or stolen (e.g. virus)?
 • Revocation Lists: lists of blacklisted keys stored on an Internet server
4. Was my key of good quality?
 • size (1024 bit: expired 2010)
 • strength (RSA-PSS 2048 bits)
 • randomness (mouse, keyboard…)
5. Was the message changed at signing time?
 • Real-time substitution
6. Did parties perform all the checks?
7. Shall I save the message?
**Attack Tree for PGP
[Figure: attack tree for PGP, © Bruce Schneier]
Email Storage
Questions:
• should received and decrypted email be stored encrypted?
• why, when sending a message, do we sometimes need to add ourselves to the recipient list?
Happy with Secure Email?
Problems kind of solved:
• confidentiality
• authenticity
Unsolved problems:
• privacy of the recipient
• privacy of the sender
• hiding the existence of the message (=> Steganography).
Key Establishment
The Need
Need for a session key (a short term key):
What PK Encryption Can/Cannot Achieve and What Kind of Setup is Needed (PKI = Public Key Infrastructure)
What Is Achieved by PK Crypto?
Fact: There is no security possible for two parties that do not know each other and communicate via a public channel.
[Diagram: Man in the Middle sitting between Alice and Bob]
But…
Security is however possible if there is “some authenticity” available.
Authentic Channel PK Crypto
For example, if the channel is authentic:
[Diagram: Alice and Bob over an authentic channel; the adversary is limited to passive eavesdropping]
Can be done With Even Less (!)
Security is however possible
• [stronger] when the channel is authentic / authenticated (!!!).
• [weaker] when a public key of Alice is securely held by Bob.
• [even weaker] when at least one authentic public key is held by all parties. It can be used to certify other keys with digital signatures. ROOT OF TRUST
[Diagram: Bob and Alice]
ROOT of TRUST
PK Crypto is ALL ABOUT trading security for authenticity.
(and there is no security without an authentic public key.)
=> Example: If Windows is hacked and there is no TPM/smart card, there is no security for e-Commerce or e-Banking.
Asymmetric Techniques for Key Establishment
Key Exchange by Public Discussion
Diffie-Hellman Setup
Diffie-Hellman Exponential Key Exchange.
(brilliant idea unique in its kind…)
Setup: (done once, can be the same for all users).
g, a generator of Z_p^*.
(DH works also in many other groups.)
Also works mod n, composite n.
Diffie-Hellman Exponential Key Exchange
Alice (secret a) -> Bob: g^a mod p
Bob (secret b) -> Alice: g^b mod p
Shared key: g^(ab) mod p.
Alice's computation: (g^b)^a = g^(ab) mod p. Bob's computation: (g^a)^b = g^(ab) mod p.
MIM Attack
Alice -> Bob: g^a mod p, intercepted; the Man In the Middle forwards g^c mod p to Bob instead.
Bob -> Alice: g^b mod p, intercepted; the Man In the Middle forwards g^c mod p to Alice instead.
Alice computes g^(ac) mod p. Bob computes g^(bc) mod p. The Man In the Middle shares a key with each side.
Fix: Authenticated Diffie-Hellman. Each party's public key is certified (PK Cert), and the exchanged values are signed:
Alice -> Bob: Cert_Alice, g^a mod p, Sign_Alice(g^a mod p)
Bob -> Alice: Cert_Bob, g^b mod p, Sign_Bob(g^b mod p)
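As an added example (not from the slides), the exchange above in Python: plain DH in Z_p^*, the man-in-the-middle (called Mallory here) substituting g^c, and the authenticated fix where Bob checks Sign_Alice(g^a) against an authentic copy of Alice's verification key. The group parameters are a constructed toy (a Mersenne prime, g not checked to be a generator) and textbook RSA over SHA-256 stands in for the signature scheme, so none of this is usable as-is.

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime); g is not checked to generate Z_p^*
G = 3

def dh_public(priv):
    return pow(G, priv, P)          # g^priv mod p

def dh_shared(peer_pub, priv):
    return pow(peer_pub, priv, P)   # (g^peer)^priv mod p

def rsa_keygen():
    # Textbook RSA with two fixed Mersenne primes; e = 65537 is coprime to (p-1)(q-1).
    p, q, e = 2**61 - 1, 2**89 - 1, 65537
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(value, n):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n

def sign(sk, value):
    n, d = sk
    return pow(_digest(value, n), d, n)

def verify(pk, value, sig):
    n, e = pk
    return pow(sig, e, n) == _digest(value, n)

def unauthenticated_mim():
    """Mallory replaces both ephemerals with g^c: Alice gets g^(ac), Bob gets g^(bc).
    They no longer agree, and Mallory shares a key with each of them."""
    a, b, c = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    gc = dh_public(c)
    k_alice, k_bob = dh_shared(gc, a), dh_shared(gc, b)
    return k_alice != k_bob and k_alice == dh_shared(dh_public(a), c)

def authenticated_dh(alice_pk, alice_sk, substitute=None):
    """Alice sends (g^a, Sign_Alice(g^a)). Bob holds an authentic copy of Alice's
    verification key (the root of trust) and accepts the ephemeral only if the
    signature verifies; a substituted g^c from Mallory is rejected."""
    a = secrets.randbelow(P - 2) + 1
    ga = dh_public(a)
    sig = sign(alice_sk, ga)
    received = ga if substitute is None else substitute
    return verify(alice_pk, received, sig)
```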
Protocols:
Electronic Commerce: SET vs. SSL
or let the worse candidate win…
History
See Ross Anderson, chapter 10.
Secure Electronic Transaction (SET) protocol was designed by VISA and MasterCard [1996].
• Required installation of software on each computer.
• Very nice system – credit card numbers would never be known to merchants.
 – the bank doesn't need to know what people buy
• Failed to become widely adopted,
 – higher cost burden on merchants
 – also because of the much simpler SSL alternative available.
TLS = Transport Layer Security
Goals:
• two parties not knowing each other want to communicate
• more, they want to engage in business/commerce
 – confidentiality: protect your credit card number
  • also protect your privacy (what I'm buying)
 – integrity => authenticity
  • Am I really talking to Amazon.com?
• Key problem: MIM Attacks.
What is TLS? In a nutshell it is a standard and practical way of doing authenticated Diffie-Hellman + extra bits and pieces that were required to make it work in real life…
Originally developed by Netscape as SSL = Secure Socket Layer and patented(!) – 1994. Now an open standard renamed TLS = Transport Layer Security.
Revision: How Kerberos solved the n^2 problem…
TTP vs. CA, Kerberos vs. TLS
As in Kerberos we need trusted parties (unless we adopt the web of trust model, PGP, very hard to imagine in e-commerce).
Differences:
Kerberos is a symmetric system.
• TTP must be online.
• The TTP has all keys and must be trusted to keep them secret.
• Future compromise of the TTP can compromise all past sessions.
TLS uses asymmetric cryptography. Much more powerful: less “exposure”.
• CA is offline. Most of the time not needed at all.
 – Even CRLs can be distributed in an asynchronous, offline way (e.g. updates).
• We only need the CA to be trusted for authenticity
• and only in the past. No compromise of past sessions.
TLS = Transport Layer Security
Two Stages:
1. TLS Handshake:
 – Establish a shared key using PK crypto.
  • e.g. Authenticated DH
  • PKs are authenticated with certificates.
2. Encrypted and Authenticated Communication (E + A)
TLS = Transport Layer Security
Contains lots of options for the cryptographic implementation of these: negotiated crypto suite, compatibility and exportability. Example:
1. Establish shared key with authenticated D-H.
2. Encrypt + Authenticate (E + A) with AES128 + SHA-1-based MAC.
Trouble: SSL Certificates
1) technical side
Is TLS Secure?
Should be…
Oops, most current implementations are insecure, as it seems, due to issues with X.509 certificates, as shown at Black Hat 2009 (July 2009).
Trouble: SSL Certificates
2) human and practical side
Main Certificate Errors
• Expired certificate:
 – OK if the key sizes are OK and the key was not revoked or compromised.
• Self-signed certificate:
 – The certificate's issuer is itself.
  • common in test servers, and on intranets.
  • Banks and online businesses should never use it.
• Incomplete certificate chain:
 – can be OK, information missing to connect.
• Domain mismatch:
 – can be OK after inspection, example:
  • gmail.com redirected to mail.google.com
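As an added example (not from the slides), a checker that sorts a server certificate into the four error classes above. Certificate records are constructed here in the nested-tuple layout Python's ssl.getpeercert() returns, the trust store TRUSTED_ISSUERS is a constructed stand-in for a browser's root store, and chain building is simplified to one level (the issuer itself must be a trusted root).

```python
import ssl
import time

TRUSTED_ISSUERS = {"Example Root CA"}   # constructed stand-in for the browser's root store

def _common_name(rdns):
    # rdns uses the nested tuple layout ssl.getpeercert() gives for subject/issuer
    return next(v for rdn in rdns for k, v in rdn if k == "commonName")

def _hostname_matches(host, cert):
    names = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    names = names or [_common_name(cert["subject"])]
    for pattern in names:
        if pattern == host:
            return True
        # leftmost-label wildcard only: *.google.com matches mail.google.com
        if pattern.startswith("*.") and host.split(".", 1)[1:] == [pattern[2:]]:
            return True
    return False

def certificate_errors(cert, host, now=None):
    """Return the slide's error classes that apply, in this order:
    expired, self-signed, incomplete-chain, domain-mismatch (empty list = clean)."""
    now = time.time() if now is None else now
    errors = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        errors.append("expired")
    issuer, subject = _common_name(cert["issuer"]), _common_name(cert["subject"])
    if issuer == subject:
        errors.append("self-signed")       # the certificate's issuer is itself
    elif issuer not in TRUSTED_ISSUERS:
        errors.append("incomplete-chain")  # nothing links this issuer to a root
    if not _hostname_matches(host, cert):
        errors.append("domain-mismatch")
    return errors

# Constructed sample certificate for mail.google.com issued by the toy root CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "*.google.com")),
}
```

Run against the slide's own case, certificate_errors(SAMPLE_CERT, "gmail.com") reports only a domain mismatch, which is the warning a user would have to inspect before deciding the redirect to mail.google.com is legitimate.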
Main Weakness of SSL
People ignore warnings, say YES.
A study by Carnegie Mellon University, 409 participants: the researchers found that the majority of respondents would ignore warnings about an expired SSL certificate.
 – MOREOVER: The more tech-savvy the user, the more likely they would be to ignore it, the study found.
 – Respondents were able to identify other risks indicated by browser certificate notifications.
• Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard (!!!!).
Solutions?
Block completely all invalid certificates!
Yes, but not so easy: People will
• switch to a different browser,
• or hack the browser,
• or downgrade it
• etc…
Server Side:
Not a joke: frequent question on Internet forums.
Q: Does anyone know where I can get a free legitimate SSL certificate for my website? Otherwise, rather than having a SSL certificate on the site, is there some sort of JAVA code which makes the site look secure?
Any comments?
Has Been Done
Cut-&-paste attacks with JAVA, Serge Lefranc and David Naccache, ICISC 2002, http://citeseer.ist.psu.edu/old/737003.html
This paper describes malicious applets that use Java's sophisticated graphic features to rectify the browser's padlock area and cover the address bar with a false https domain name. The attack was successfully tested on Netscape's Navigator and Microsoft's Internet Explorer; we consequently recommend to neutralize Java whenever funds or private data transit via these browsers and patch the flaw in the coming releases.
Corrupting the CA
Emerged around 2010. REAL certificates issued to…
• maybe the government spooks (can implement man-in-the-middle, can forge the web site, can eavesdrop?, etc…)
 – a bank can buy equipment to intercept the SSL traffic of employees…
• maybe criminals (not caught yet, no evidence yet)
• ‘somebody’ in Iran for sure…
Quiz
• What is a session key?
• What is the minimum integrity/authenticity requirement so that two computers can securely establish a private channel, by using standard public key cryptography (e.g. SSL)?
• Why do we need an authenticated Diffie-Hellman?