security of network applicationssecurity.polito.it/~lioy/02krq/remote_en_2x.pdf · © antonio lioy...
TRANSCRIPT
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 1
Security of network applications
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
Standard situation
weak authentication:
username and password
problem: password snooping
IP address (server web; R commands = rsh, rlogin, rcp, ...)
problem: IP spoofing
other frquent problems:
data snooping / forging
shadow server / MITM
replay, filtering
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 2
Channel security
authentication (single or mutual), integrity and privacy only during the transit inside the communication channel
no possibility of non repudiation requires no (or small) modification of applications
. . . 01 00 11 . . .
01 00 01 00
01 00
Message / data security
authentication (single), integrity and privacy self-contained in the message
possibility of non repudiation
requires modification of applications
01
01 00
00 11
01 00
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 3
Security internal to applications
each application implements security internally
the common part is limited to the communication channels (socket)
possible implementation errors (inventing security protocols is not simple!)
does not guarantee interoperability
logical channel (socket)
TCP
IP
sec
APP #1
sec
APP #N. . .
network
Security external to applications the session level would be the
ideal one to be used to implement many security functions
… but it does not exist in TCP/IP!
a “secure session” level was proposed:
it simplifies the work of application developers
it avoids implementation errors
it is up to the application to select it (or not)
logical channel (socket)
TCP
IP
secure logical channel
APP #1 . . .
network
sec
APP #N
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 4
Secure channel protocols
SSL / TLS
the most widely used !
SSH
it was a successful product (especially in the period when export of USA crypto products was restricted), but today it is a niche product
PCT
proposed by MS as an alternative to SSL
one of the few fiascos of MS!
SSL (Secure Socket Layer)
proposed by Netscape Communications
secure transport channel (session level):
peer authentication (server, server+client)
message confidentiality
message authentication and integrity
protection against replay and filtering attacks
easily applicable to all protocols based on TCP:
HTTP, SMTP, NNTP, FTP, TELNET, ...
e.g. the famous secure HTTP (https://....) = 443/TCP
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 5
Official ports for SSL applications
nsiiops 261/tcp # IIOP Name Service over TLS/SSLhttps 443/tcp # http protocol over TLS/SSLsmtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp)nntps 563/tcp # nntp protocol over TLS/SSL (was snntp)imap4-ssl 585/tcp # IMAP4+SSL (use 993 instead)sshell 614/tcp # SSLshellldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)ftps-data 989/tcp # ftp protocol, data, over TLS/SSLftps 990/tcp # ftp protocol, control, over TLS/SSLtelnets 992/tcp # telnet protocol over TLS/SSLimaps 993/tcp # imap4 protocol over TLS/SSLircs 994/tcp # irc protocol over TLS/SSLpop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3)msft-gc-ssl 3269/tcp # MS Global Catalog with LDAP/SSL
SSL – authentication and integrity
peer authentication at channel setup:
the server authenticates itself by sending its public key (X.509 certificate) and by responding to an implicit asymmetric challenge
the client authentication (with public key, X.509 certificate, and explicit challenge) is optional
for authentication and integrity of the data exchanged over the channel the protocol uses:
a keyed digest (MD5 or SHA-1)
an MID to avoid replay and cancellation
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 6
SSL - confidentiality
the client generates a session key used for symmetric encryption of data (RC2, RC4, DES, 3DES, IDEA, AES, …)
key exchange with the server occurs via public key cryptography (RSA, Diffie-Hellman or Fortezza-KEA)
TLS
(1) https://www.polito.it/
(3) cert (www.polito.it)
(4) cert (user)
(2) security configuration
secureWeb
serverbrowser(3bis) server challenge / response
(4bis) client challenge / response
(5) secure channel (TLS)
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 7
SSL-3 architecture
SSL record protocol
reliable transport protocol (e.g. TCP)
network protocol (e.g. IP)
SSLhandshake
protocol
SSLchange cipherspec protocol
SSLalert
protocol
applicationprotocol
(e.g. HTTP)
Session-id
Tipical web transaction:
1. open, 2. GET page.htm, 3. page.htm, 4. close
1. open, 2. GET home.gif, 3. home.gif, 4. close
1. open, 2. GET logo.gif, 3. logo.gif, 4. close
1. open, 2. GET back.jpg, 3. back.jpg, 4. close
1. open, 2. GET music.mid, 3. music.mid, 4. close
If the SSL cryptographic parameters must be negotiated every time, then the computational load becomes high.
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 8
Session-id
in order to avoid re-negotiation of the cryptographic parameters for each SSL connection, the SSL server can send a sessionidentifier (that is, more connections can be part of the same logical session)
if the client, when opening the SSL connection, sends a valid session-id then the negotiation part is skipped and data are immediately exchanged over the secure channel
the server can reject the use of session-id (always or after a time passed after its issuance)
SSL with session-ID
(1) https://www.polito.it/
(1bis) session-ID
(5) secure channel (SSL)
secureWeb
serverbrowser
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 9
SSL / TLS sessions and connections
SSL session
a logical association between client and server
created by the Handshake Protocol
defines a set of cryptographic parameters
is shared by one or more SSL connections (1:N)
SSL connection
a transient SSL channel between client and server
associated to one specific SSL session (1:1)
sessions connections
SSL-3 / TLS record protocol
application data
compression
F1 F2fragmentation
header H
encryption
padding MAC P
computation of MAC MAC
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 10
TLS-1.0 record format
uint8 type = change_cipher_spec (20), alert (21), handshake (22), application_data (23)
uint16 version = major (uint8) + minor (uint8)
uint16 length:
<= 2**14(record not compressed)for compatibility with SSL-2
<= 2**14 + 1024(compressed records)
major minor
type
length
. . .fragment [ length ]
. . .
SSL – computation of MAC
MAC = message_digest ( key, seq_number || type || version || length || fragment )
message_digest
depends on the chosen algorithm
key
sender-write-key or receiver-read-key
seq_number
64-bit integer (never transmitted but computed implicitly)
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 11
SSL-2 problems
P1) in export version, unnecessarily weakens the authentication keys to 40 bits (same as encryption keys)
P2) weak MAC (custom keyed-digest)
P3) padding bytes are included into the MAC computation … but the padding length is not!
this allows an active attacker to selectively delete bytes from the end of messages
P4) ciphersuite rollback attack – as the handshake is not authenticated, an active attacker can change the ciphersuites in the Hello messages to force the use of weak encryption (40 bits minimum, as encryption is mandatory in SSL-2)
SSL-3: solutions to SSL-2 problems
S1) use 128 bits authentication keys, even with 40 bits encryption keys
S2) use HMAC (stronger than the custom keyed digest used in SSL-2)
S3) change the sequence of MAC and padding
S4) handshake is authenticated (but the Change Cipher Spec message) via the Finished message
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 12
SSL-3: new features with respect to SSL-2
data compression:
optional
before encryption (after it’s not useful anymore …)
data encryption is optional:
in order to have only authentication and integrity
possibility to re-negotiate the SSL connection:
periodical change of keys
change of the algorithms
SSL-3 handshake protocol
agree on a set of algorithms for confidentiality and integrity
exchange random numbers between the client and the server to be used for the subsequent generation of the keys
establish a symmetric key by means of public key operations (RSA, DH or Fortezza)
negotiate the session-id
exchange the necessary certificates
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 13
Data protectionkey
for MAC
sequencenumber(implicit)
data[ compressed ]
protecteddata
MAC
IV
key forencryption
generationof MAC
symmetricencryption
padding
Relationship among keys and sessions(between a server and the same client)
pre-master secret( established with PKC )
master secret
client randomserver random
keys for MACkeys for encryption
IV for encryption
generatedfor each connection
common to several connections
differentfor each connection
common to several connections
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 14
“Ephemeral ” mechanisms
one-time keys generated on the fly:
to provide authentication they must be signed (e.g. an X.509 certificate must be available)
DH suitable, RSA slow
compromise for RSA = re-use N times
perfect forward secrecy:
who knows the private key can decrypt all the SSL sessions
with ephemeral mechanisms the server’s private key is used only for signing
CLIENT
SERVER
client hello
server key exchange
certificate request
certificate
server hello
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 15
CLIENT
SERVER
certificate
client key exchange
certificate verify
change cipher spec
change cipher spec
finished
finished
Client hello
SSL version preferred by the client
28 pseudo-random bytes (Client Random)
a session identifier (session-id)
0 to start a new session
different from 0 to ask to resume a previous session
list of “cipher suite” (=alg of encryption + key exchange + integrity) supported by the client
list of compression methods supported by the client
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 16
Server hello
SSL version chosen by the server
28 pseudo-random bytes (Server Random)
a session identifier (session-id)
new session-id if session-id=0 in the client-hello or reject the session-id proposed by the client
session-id proposed by the client if the server accepts to resume the session
“cipher suite” chosen by the server
should be the strongest one in common with the client
compression method chosen by the server
Cipher suite
key exchange algorithm
symmetric encryption algorithm
hash algorithm (for MAC)
examples:
SSL_NULL_WITH_NULL_NULL
SSL_RSA_WITH_NULL_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 17
Certificate (server)
certificate for server authentication
the subject / subjectAltName must be the same as the identity of the server (DNS name, IP address, ...)
can be used only for signing or (in addition) also for encryption
described in the field keyUsage
if it is only for signing then it is required also the phase for server-key exchange
Certificate request
used for client authentication
specifies also the list of CAs considered trusted by the server
the browsers show to the users (for a connection) only the certificates issued by trusted CAs
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 18
Server key exchange
carries the server public key for key exchange
needed only in the following cases:
the RSA server certificate is usable only for signature
anonymous or ephemeral DH is used to establish the pre-master secret
there are export problems that force the use of ephemeral RSA/DH keys
Fortezza
important: this is the only message esplicitly signed by the server
Certificate (client)
carries the certificate for client authentication
the certificate must have been issued from one CA in the trusted CA list in the Certificate Request message
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 19
Client key exchange
the client generates symmetric keys and send them to the server
various ways
pre-master secret encrypted with the server RSA public key (ephemeral or from its X.509 certificate)
public part of DH
Fortezza
Certificate verify
explicit test signature done by the client
hash computed over all the handshake messages before this one and encrypted with the client private key
used only with client authentication (to identify and reject fake clients)
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 20
Change cipher spec
trigger the change of the algorithms to be used for message protection
allows to pass from the previous unprotected messages to the protection of the next messages with algorithms and keys just negotiated
theoretically is a protocol on its own and not part of the handshake
some analysis suggest that it could be eliminated
Finished
first message protected with the negotiated algorithms
very important to authenticate the whole handshake sequence:
contains a MAC computed over all the previous handshake messages (but change cipher spec) using as a key the master secret
prevents rollback man-in-the-middle attacks (version downgrade or ciphersuite downgrade)
different for client and server
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 21
TLS, no ephemeral key, no client auth
CLIENT SERVER
1. client hello (ciphersuite list, client random)
2. server hello (ciphersuite, server random)
3. certificate (keyEncipherment)
4. client key exchange (key encrypted for server)
5. change cipher spec (activate protection on client side)
6. finished (MAC of all previous messages)
7. change cipher spec (activate protection on server side)
8. finished (MAC of all previous messages)
TLS, no ephemeral key, client auth
CLIENT SERVER
1. client hello (ciphersuite list, client random)
2. server hello (ciphersuite, server random)
3. certificate (keyEncipherment)
4*. certificate request (cert type, list of trusted CAs)
5*. certificate (client cert chain)
6. client key exchange (encrypted key)
7*. certificate verify (signed hash of previous messages)
8+9. change cipher spec + finished
10+11. change cipher spec + finished
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 22
TLS, ephemeral key, no client auth
CLIENT SERVER
1. client hello (ciphersuite list, client random)
2. server hello (ciphersuite, server random)
3*. certificate (digitalSignature)
4*. server key exchange (signed RSA key or DH exponent)
5. client key exchange (encrypted key or client exponent)
6. change cipher spec (activate protection on client side)
7. finished (MAC of all previous messages)
8. change cipher spec (activate protection on server side)
9. finished (MAC of all previous messages)
TLS, data exchange and link teardown
CLIENT SERVER
(… handshake …)
N. client data (MAC, [ encryption ] )
N+1. server data (MAC, [ encryption ] )
… … …
LAST-1. alert close notify
LAST. alert close notify
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 23
TLS, resumed session
CLIENT SERVER
1*. client hello (…, session-id X)
2*. server hello (…, session-id X)
3. change cipher spec (activate protection on client side)
4. finished (MAC of all previous messages)
5. change cipher spec (activate protection on server side)
6. finished (MAC of all previous messages)
TLS 1.0 (SSL 3.1)
Transport Layer Security
standard IETF:
TLS-1.0 = RFC-2246 (jan 1999)
TLS-1.0 = SSL-3.1 (99% coincident with SSL-3)
emphasis on standard (i.e. not proprietary) digest and asymmetric crypto algorithms; mandatory:
DH + DSA + 3DES
HMAC-SHA1
... that is the ciphersuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 24
TLS 1.1 (SSL 3.2)
RFC-4346 (april 2006)
to protect against CBC attacks
the implicit IV is replaced with an explicit IV
padding errors now use the bad_record_mac alert message (rather than the decryption_failed one)
IANA registries defined for protocol parameters
premature closes no longer cause a session to be non-resumable
additional notes added for various new attacks
TLS 1.2 (SSL 3.3)
RFC-5246 (august 2008)
ciphersuite specifies also the PRF(pseudo-random function)
extensive use of SHA-256 (e.g. in Finished, HMAC)
support for authenticated encryption(AES in GCM or CCM mode)
incorporates the protocol extensions (RFC-4366) and the AES ciphersuite (RFC-3268)
default ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA
IDEA and DES ciphersuites deprecated
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 25
TLS evolution (I)
ciphersuites / encryption:
(RFC-3268) AES
(RFC-4492) ECC
(RFC-4132) Camellia
(RFC-4162) SEED
(RFC-6209) ARIA
ciphersuites / authentication:
(RFC-2712) Kerberos
(RFC-4279) pre-shared key (secret, DH, RSA)
(RFC-5054) SRP (Secure Remote Password)
(RFC-6091) OpenPGP
TLS evolution (II)
compression:
(RFC-3749) compression methods + Deflate
(RFC-3943) protocol compression using LZS
other:
(RFC-4366) extensions (specific and generic)
(RFC-4681) user mapping extensions
(RFC-5746) renegotiation indication extensions
(RFC-5878) authorization extensions
(RFC-6176) prohibiting SSL-2
(RFC-4507) session resumption w/o server state
(RFC-4680) handshake with supplemental data
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 26
TLS and virtual servers: the problem
virtual server (frequent case with web hosting)
different logical names associated to the same IP address
e.g. home.myweb.it=1.2.3.4, food.myweb.it=1.2.3.4
easy in HTTP/1.1
the client uses the Host header to specify the server it wants to connect to
… but difficult in HTTPS
because TLS is activated before HTTP
which certificate should be provided? (must contain the server’s name)
TLS and virtual servers: solutions
collective (wildcard) certificate
e.g. CN=*.myweb.it
private key shared by all servers
different treatment by different browsers
certificate with a list of servers in subjectAltName
private key shared by all servers
need to re-issue the certificate at any addition or cancellation of a server
use the SNI (Server Name Indication) extension
in ClientHello (permitted by RFC-4366)
limited support by browsers and servers
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 27
ALPN extension(Application–Layer Protocol Negotiation) RFC-7301
application protocol negotiation (for TLS-then-proto) to speed up the connection creation, avoiding additional round-trips for application negotiation
(ClientHello) ALPN=true + list of supported application protocols
(ServerHello) ALPN=true + selected app. protocol
important to negotiate HTTP/2 and QUIC
Chrome & Firefox support HTTP/2 only over TLS
useful also for those servers that use different certificates for the different application protocols
DTLS
Datagram Transport Layer Security (RFC-4347)
applies the TLS concepts to datagram security (e.g. UDP)
doesn’t offer the same properties as TLS
competition with IPsec and application security
example – SIP security:
with IPsec
with TLS (only for SIP_over_TCP)
with DTLS (only for SIP_over_UDP)
with secure SIP
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 28
Heartbleed
RFC6520 = TLS/DTLS heartbeat extension
to keep a connection alive without the need to constantly renegotiate the SSL session (DTLS!)
also useful in PMTU discovery
CVE-2014-0160 = openssl bug (buffer over-read)
TLS server sends back more data(up to 64kB) than in the heartbeat request
see http://xkcd.com/1354/
attacker can get sensitive data storedin RAM, such as user+pwd and/or serverprivate key (if not using HSM)
Other attacks against SSL/TLS (1)
CRIME (2012) an attacker able to
(a) inject chosen plaintext in the user requests(b) measure the size of the encrypted traffic
may recover specific plaintext parts exploiting information leaked from the compression
BREACH (2013) deduces a secret within HTTP responses provided by a server that
(a) uses HTTP compression (b) inserts user input into HTTP responses (c) contains a secret (e.g. a CSRF token) in the HTTP responses
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 29
Other attacks against SSL/TLS (2)
BEAST (Browser Exploit Against SSL/TLS) 2011
SSL channel using CBC with IV concatenation
a MITM may decrypt HTTP headers with a blockwise-adaptive chosen-plaintext attack
the attacker may decrypt HTTPS requests and steal information such as session cookies
POODLE (Padding Oracle On Downgraded Legacy Encryption) is a MITM attack that exploits SSL3 fallback to decrypt data
POODLE, dec-2014 variant, exploits CBC errors in TLS1.0-1.2 (so it works even if SSL3 is disabled)
Other attacks against SSL/TLS (3)
FREAK (Factoring RSA Export Keys) 2015
downgrade to export-level RSA keys
then factorization and channel decryption
SSLv3 has been disabled on most browsers (e.g. since FX34) or may be disabled
FX/SM : security.tls.version.min = 1(i.e. TLS1.0, alias SSL3.1)
… but SSL3 needed by IE6 (last version available for Windows-XP) and TLS cannot be disabled
test browser/server with Qualys SSL labs tests
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 30
The TLS downgrade problem (I)
client sends (in ClientHello) the highest supported version
server notifies (in ServerHello) the version to be used (highest in common with client)
normal version negotiation:
agreement on TLS-1.2
(C > S) 3,3
(S > C) 3,3
fallback to TLS-1.1 (e.g. no TLS-1.2 at server)
(C > S) 3,3
(S > C) 3,2
The TLS downgrade problem (II)
(insecure) downgrade:
some servers do not send the correct response, rather they close the connection …
then the client has no choice but to try again with a lower protocol version
downgrade attack:
attacker sends fake server response, to force repeated downgrade until reaching a vulnerable version (e.g. SSL-3) …
then execute a suitable attack (e.g. Poodle)
not always an attack (e.g. connection with the server closed due to a network problem)
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 31
TLS Fallback SignalingCipher Suite Value (SCSV)
RFC-7507
to prevent protocol downgrade attacks
new (dummy) ciphersuite TLS_FALLBACK_SCSV
SHOULD be sent by the client when opening a downgraded connection (as last in ciphersuite list)
new fatal Alert value "inappropriate_fallback"
MUST be sent by the server when receiving TLS_FALLBACK_SCSV and a version lower than the highest one supported
then the channel is closed and the client should retry with its highest protocol version
SCSV - notes
many servers do not yet support SCSV
… but most servers have fixed their bad behaviour when the client requests a version higher than the supported one
… so browsers can now disable insecure downgrade
Firefox (from 2015) and Chrome (from 2016)
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 32
HTTP security
security mechanisms defined in HTTP/1.0:
“address-based” = the server performs access control based on the IP address of the client
“password-based” (or Basic Authentication Scheme) = access control based on username and password, Base64 encoded
both schemas are highly insecure (because HTTP assumes a secure channel!)
HTTP/1.1 introduces “digest authentication” based on a symmetric challenge
RFC-2617 “HTTP authentication: basic and digestaccess authentication”
HTTP digest authentication
RFC-2069
technically obsoleted
but considered as base case in RFC-2617
keyed-digest computation:
HA1 = md5 ( A1 ) = md5 ( user ":" realm ":" pwd )
HA2 = md5 ( A2 ) = md5 ( method ":" URI )
response = md5 ( HA1 ":" nonce ":" HA2 )
server uses a nonce to avoid replay attacks
the authentication server may insert a field "opaque" to transport state informations (e.g. a SAML token) towards the content server
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 33
HTTP - Basic Authentication
GET /path/alla/pagina/protetta
HTTP/1.0 401 Unauthorized - authentication failed
WWW-Authenticate: Basic realm="POLITO – didattica"
Authorization: Basic czEyMzQ1NjpTZWdyZXRpc3NpbWE=
HTTP/1.0 200 OKServer: Apache/1.3Content-type: text/html
<html> ... protected page ... </html>
$ echo czEyMzQ1NjpTZWdyZXRpc3NpbWE= | openssl enc –a –d
s123456:Segretissima
HTTP Digest AuthenticationGET /private/index.html HTTP/1.1
HTTP/1.0 401 Unauthorized - authentication failed
WWW-Authenticate: Digest realm="POLITO",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
Authorization: Digest username="lioy",realm="POLITO",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",uri="/private/index.html",response="32a8177578c39b4a5080607453865edf",opaque="5ccc069c403ebaf9f0171e9517f40e41"
HTTP/1.1 200 OKServer: NCSA/1.3Content-type: text/html
<HTML> pagina protetta ... </HTML>
pwd=antonio
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 34
HTTP and SSL/TLS
two approaches:
“TLS then HTTP”(RFC-2818 – HTTP over TLS)
“HTTP then TLS”(RFC-2817 – upgrading to TLS within HTTP/1.1)
note: “SSL then HTTP” is in widespread use but it is undocumented
the two approaches are not equivalent and have an impact over applications, firewall and IDS
concepts generally applicable to all protocols:
“SSL/TLS then proto” vs. “proto then TLS”
SSL client authentication at the application level
via client authentication it’s possible to identify the user that opened the channel (without asking for his username and password)
some web servers support a (semi-)automatic mapping between the credentials extracted from the X.509 certificate and the users of the HTTP service and/or the OS
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 35
Authentication in web applications
the earlier the access control, the smaller the attack surface
no need to repeat the authentication (the id may be propagated)
ASP, PHP, JSP application(application server)
HTTP channel(web server)
SSL channel(library)
SSL client-auth. (X.509)
HTTP basic/digestauthentication
application-levelauthentication
mapping
What about forms requesting user/pwd?
technically speaking, it’s not important the security of the page containing the form
http://www.ecomm.it/login.html
… because the actual security depends on the URI of the method used to send username and password to the server
<form … action=“https://www.ecomm.it/login.asp”>
… but psicologically, it is very important the security of the page containing the form because few users have the technical knowledge to verify the URI of the HTTP method used to send user/pwd
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 36
HTTP Strict Transport Security (HSTS)
RFC-6797
HTTP server declares that its interaction with UA must only be via HTTPS
prevents protocol downgrade and cookie hijacking
valid only in HTTPS response
expiration renewed at eve access
may include ssubdomains (recommended)
may be pre-loaded
dangerous (HTTPS or nothing) and difficult removal
preload list maintained by Google and used by many browsers = https://hstspreload.org/
HSTS – syntax and examplesStrict-Transport-Security:
max-age = <expire-time-in-seconds>
[ ; includeSubDomains ]
[ ; preload ]
$ curl –s –D- https://www.paypal.com/ | fgrep –i strict
strict-transport-security: max-age=63072000
$ curl –s –D- https://accounts.google.com/ | grep –istrict
strict-transport-security: max-age=31536000; includeSubDomains
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 37
HTTP Public Key Pinning (HPKP)
RFC-7469
HTTPS site specifies the digest of its own public key and/or one or more CAs in its chain (but the root!)
UA notes this and refuses connecting to a site with a different key
dangerous when lossing control of the key
problems with key updates
always include at least one backup key
URI to report violations
enforcing or report-only mode
HPKP – syntax and examplesPublic-Key-Pins:
pin-sha256 = " <base64-sha256-of-public-key> ";
max-age = <expireTime-in-seconds>
[; includeSubDomains]
[; report-uri = " <reportURI> "]
Public-Key-Pins-Report-Only:
pin-sha256 = " <base64-sha256-of-public-key> ";
max-age = <expireTime-in-seconds>
[; includeSubDomains]
[; report-uri = " <reportURI> "]
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 38
$ $ curl -s -D - https://scotthelme.co.uk/| fgrep -i public-key
public-key-pins:pin-sha256="9dNiZZueNZmyaf3pTkXxDgOzLkjKvI+Nza0ACF5IDwg="; pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="V+J+7lHvE6X0pqGKVqLtxuvk+0f+xowyr3obtq8tbSw="; pin-sha256="9lBW+k9EF6yyG9413/fPiHhQy5Ok4UI5sBpBTuOaa/U="; pin-sha256="ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8="; pin-sha256="+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g="; pin-sha256="MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10="; includeSubDomains; max-age=2592000;report-uri="https://scotthelme.report-uri.com/r/d/hpkp/
enforce"
public-key-pins-report-only:pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; max-age=2592000;report-uri="https://scotthelme.report-uri.com/r/d/hpkp/
reportOnly"
E-payment systems
failure of the digital cash, for technical and political problems (e.g. the DigiCash failure)
failure of a dedicated payment protocol (SET, Secure Electronic Transactions) due to technical and organizational problems
currently the most widely used approach is transmitting a credit card number over a TLS channel ...
... but this is no guarantee against fraud: in the past VISA Europe declared that Internet transactions generate about 50% of the fraud attempts, although they are just 2% of its total transaction amount!
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 39
A web-based payment architecture
cardholder merchant
virtualPOS
paymentnetwork
1. offer
2. order
Internet
financialworld
paymentgateway
Web-based payment architecture
baseline:
the buyer owns a credit card
the buyer has a TLS-enabled browser
consequences:
the effective security depends upon the configuration of both the server and the client
the payment gateway has all the information (payment + goods) while merchant knows only info about the goods
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 40
PCI DSS Payment Card Industry Data Security Standard
required by all credit card issuers for Internet-based transactions
very detailed technical prescriptions compared to other security standards (e.g. HIPAA = Health Insurance Portability and Accountability Act)
https://www.pcisecuritystandards.org
v2.0 = oct 2010
v3.0 = nov 2013
v3.1 = apr 2015 (no SSL or "old" TLS)
v3.2 = apr 2016 (MFA, test functions/procedures, describe architecture, …)
PCI DSS prescriptions (I)
design, build and operate a protected network:
R1 = install and maintain a configuration with firewall to protect access to the cardholders’ data
R2 = don’t use pre-defined system passwords or other security parameters set by the manufacturer
protect the cardholders’ data:
R3 = protect the stored cardholders’ data
R4 = encrypt the cardholders’ data when transmitted across an open public network
Security of network applications (remote - nov'18)
© Antonio Lioy - Politecnico di Torino (1995-2018) 41
PCI DSS prescriptions (II)
establish and follow a program for vulnerability management
R5 = use an antivirus and regularly update it
R6 = develop and maintain protected applications and systems
implement strong access control
R7 = limit the access to the cardholders’ data only to those needed for a specific task
R8 = assign a single unique ID to each user
R9 = limit physical access to the cardholders’ data
PCI DSS prescriptions (III)
regularly monitor and test the networks
R10 = monitor and track all accesses to network resources and cardholders’ data
R11 = periodically test the protection systems and procedures
adopt a Security Policy
R12 = adopt a Security Policy