ssh ssl and ipsec wtf
play

SSH, SSL, and IPsec: wtf? Eric Rescorla RTFM, Inc. ekr@rtfm.com - PowerPoint PPT Presentation

Jun 07, 2023 •424 likes •1k views

SSH, SSL, and IPsec: wtf? Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla SSH, SSL, and IPsec 1 What are we trying to accomplish? Alice, Bob want to talk to each other But theyre worried about attack How do you know

  1. SSH, SSL, and IPsec: wtf? Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla SSH, SSL, and IPsec 1

  2. What are we trying to accomplish? • Alice, Bob want to talk to each other • But they’re worried about attack – How do you know you’re talking to the right person? – How do you know people can’t listen to your conversation – How do you know people can’t change your conversation? • We want to build a system that protects against these attacks Eric Rescorla SSH, SSL, and IPsec 2

  3. Terminology Dump 1: Attacker Capabilities Passive Attacker doesn’t send anything. Active Attacker is allowed to send tra ffi c. On-path Attacker is on the communications path between A and B. • Sees all tra ffi c • Can seamlessly impersonate either side O ff -path Attacker is not on communications path between A and B • Can’t see tra ffi c between A and B. • Can sometimes send tra ffi c as either (subject to address filtering). Eric Rescorla SSH, SSL, and IPsec 3

  4. Terminology Dump 2: Security Properties Confidentiality Information being transmitted is kept secret from attackers Data Origin Authentication Receivers can determine the origin of tra ffi c. Message Integrity Tampering of tra ffi c can be detected. Third-party Verifiability A party not involved in the initial communication can verify what happened. (Often misleadingly called non-repudiation ) Eric Rescorla SSH, SSL, and IPsec 4

  5. A simple problem: remote authentication • You’re a Web server – X connects to you claiming to be Alice – How can you tell? • Assumptions: – All you have is the network tra ffi c ∗ Can send messages to X ∗ Receive X’s response – Attackers can forge but not view, intercept, or modify tra ffi c – You have some prior relationship with Alice Eric Rescorla SSH, SSL, and IPsec 5

  6. Remote authentication: basic ideas • Alice needs to be able to do something others can’t do – Generally, compute some function ∗ But why can’t X do that? • How do we break the symmetry? – Give Alice more resources – Give Alice some secret Eric Rescorla SSH, SSL, and IPsec 6

  7. One-sided authentication with shared secrets • Assume Alice and Bob share a secret S ab – Alice needs to prove possession of S ab – (Assume Alice authenticates Bob some other way) • Simple approach: – Bob and Alice both store S ab – Alice sends Bob S ab – Bob does memcmp() . Eric Rescorla SSH, SSL, and IPsec 7

  8. Problems with the previous scheme Snooping. an attacker who is on-path can capture the password and replay it Hijacking. an attacker can wait for you to exchange the password and then take over the connection One-way authentication. how does Alice authenticate Bob? Eric Rescorla SSH, SSL, and IPsec 8

  9. Fixing snooping • Alice doesn’t send S ab over the wire – Instead she computes some function f – And sends f ( S ab ) • What properties does f need? 1st Preimage Resistant hard to compute S ab from f ( S ab ) 2nd Preimage Resistant hard to find S 0 st f ( S 0 ) = f ( S ab ) • Luckily, we have such functions Eric Rescorla SSH, SSL, and IPsec 9

  10. Cryptographic hash functions • Basic idea: one-way function (also called message digests ) – Take an arbitrary length bit string m and reduce it to 100-200 ( b ) bits – H ( m ) = h • Hash functions are preimage resistant – Takes approximately 2 b operations to find m given h • Hash functions are collision resistant – Takes approximately 2 b/ 2 operations to find m, m 0 st. H ( m ) = H ( m 0 ) • Popular algorithms: MD5, SHA-1, SHA-256 Eric Rescorla SSH, SSL, and IPsec 10

  11. / o Challenge-Response • So, Alice just sends H ( S ab ) , right? – Wrong – This becomes the new secret – So we still have a replay attack problem • Bob needs to force Alice to compute a new function each time Alice Bob Challenge H ( S ab + Challenge ) • Challenge needs to be unique for every exchange – Does not need to be unpredictable Eric Rescorla SSH, SSL, and IPsec 11

  12. o o / / / Why mutual authentication? • We assumed that Alice was talking to Bob – But how does Alice know that? – She can’t trust the network – What if she’s connecting to the attacker Alice Attacker Bob Challenge Challenge H ( S ab + Challenge ) H ( S ab + Challenge ) Attack Commands • Alice has just logged in for the attacker – He can issue any commands he wants (oops!) Eric Rescorla SSH, SSL, and IPsec 12

  13. o o / Adding mutual authentication • We already know how to authenticate Alice – Now we need to authenticate Bob – Just reverse the procedure Alice Bob Challenge 1 Challenge 2 H ( S ab + Challenge 1+ Challenge 2) H ( S ab + Challenge 2+ Challenge 1) • Each side needs to control its own challenges – Otherwise we have replay issues again Eric Rescorla SSH, SSL, and IPsec 13

  14. / o / o o / o Hijacking • This protocol still has a hijacking problem Alice Attacker Bob Challenge 1 Challenge 1 Challenge 2 Challenge 2 H ( S ab + Challenge 1+ Challenge 1) H ( S ab + Challenge 1+ Challenge 1) 2 2 H ( S ab + Challenge 2+ Challenge 1) H ( S ab + Challenge 2+ Challenge 1) Attack commands • We need to authenticate the data – Not just the initial handshake Eric Rescorla SSH, SSL, and IPsec 14

  15. Authenticating data • Break the data into records – Attach a message authentication code (MAC) to each record – Receiver verifies MACs on record Length Data MAC Eric Rescorla SSH, SSL, and IPsec 15

  16. A message authentication code? Dude, wait, what? • What’s a MAC? – A one-way function of the key and some data – F ( k, data ) = x ∗ x is short (80-200 bits) ∗ Hard to compute x without k ∗ Hard to compute data even with k, x • This sounds kinda like a hash – MACs are usually built from hashes ∗ World’s simplest MAC: H ( k + data ) (this has problems) • Popular MACs: HMAC Eric Rescorla SSH, SSL, and IPsec 16

  17. Where does the key come from? • We want a key that’s unique to this connection – And tied to both sides – Get it from the challenge-response handshake • First attempt: K = H ( S ab + Challenge 1 + Challenge 2) – But now the key is the same in both directions – And the same as the challenge response! – Allows reflection attacks • Second attempt – K a ! b = H ( S ab + ” AB ” + Challenge 1 + Challenge 2) – K b ! a = H ( S ab + ” BA ” + Challenge 1 + Challenge 2) Eric Rescorla SSH, SSL, and IPsec 17

  18. o o / o / World’s simplest security protocol Alice Bob Challenge 1 Challenge 2 H ( S ab + Challenge 1+ Challenge 2) H ( S ab + Challenge 2+ Challenge 1) Message 1 ,MAC Message 2 ,MAC • Each side knows who the other is • All messages are authenticated – But they’re not confidential – So don’t send any secret information Eric Rescorla SSH, SSL, and IPsec 18

  19. Symmetric Encryption • We have two functions E, D st. – E ( k, Plaintext ) = Ciphertext – D ( k, Ciphertext ) = Plaintext – These are easy to compute – Either function is hard to compute without k • Popular encryption algorithms: DES, 3DES, AES, RC4 Eric Rescorla SSH, SSL, and IPsec 19

  20. o / o / o A (mostly) complete channel security protocol Alice Bob Challenge 1 Challenge 2 H ( S ab + Challenge 1+ Challenge 2) H ( S ab + Challenge 2+ Challenge 1) Rather than encrypting the E ( k a → b , ( Message 1 ,MAC )) MAC, we should encrypt the message and MAC the ciphertext E ( k b → a , ( Message 2 ,MAC )) • Each side knows who the other is • All messages are authenticated • All messages are confidential Eric Rescorla SSH, SSL, and IPsec 20

  21. So, we’re done, right? • How do Alice and Bob get S ab ? • Some out of band channel – Send a letter—do you trust USPS? – Meet in person—airplane tickets are expensive – Guys with briefcases handcu ff ed to their wrists? • All of these are pretty inconvenient – We can do better Eric Rescorla SSH, SSL, and IPsec 21

  22. Di ffi e-Hellman Key Agreement • Each side has two keys (“public” and “private”) – You publish the public key but the private key is secret – F ( K a pub , K b priv ) = F ( K b pub , K a pub ) = ZZ priv – You need at least one private key to compute ZZ • This is crypto rocket science–but you don’t need to understand how it works Not actually true. Di ffj e–Hellman is not that complicated and you do need to understand how it works! Eric Rescorla SSH, SSL, and IPsec 22

  23. o / o / Using Di ffi e-Hellman Alice Bob Random 1 ,K a pub Random 2 ,K b pub E ( k a → b , ( Message 1 ,MAC )) E ( k b → a , ( Message 2 ,MAC )) • Each side sends its public key • The other side combines its private key with the other side’s public key to compute ZZ • The tra ffi c keys are generated from ZZ We need four di fg erent keys: — Encryption keys Alice -> Bob and Bob -> Alice; — MAC keys Alice -> Bob and Bob -> Alice Eric Rescorla SSH, SSL, and IPsec 23

  24. o / o o / / / o Man-in-the-middle attack Alice Attacker Bob Random 1 ,K a Random 1 ,K A pub pub Random 2 ,K A Random 2 ,K b pub pub E ( k a → A , ( Message 1 ,MAC )) E ( k A → b , ( Message 1 ,MAC )) E ( k A → a , ( Message 2 ,MAC )) E ( k b → A , ( Message 2 ,MAC )) • Each side thinks it’s talking to the other – This is what happens when you don’t authenticate • Alice and Bob need some way to authenticate each other’s public keys Eric Rescorla SSH, SSL, and IPsec 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

Compression of IPsec AH and ESP Headers for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se goran.selandaer@ericsson.com 1 Status of the Document First submi<ed as a posi=on paper to the Smart

209 views • 18 slides
Authentication and Secure Communication Jeff Chase Duke University technology people Where

Authentication and Secure Communication Jeff Chase Duke University technology people Where

Authentication and Secure Communication Jeff Chase Duke University technology people Where are the boundaries of the system that you would like to secure? Where is the weakest link? What happens when the weakest link fails? The First

1.19k views • 60 slides
Gursharan Singh Tatla 27-Mar-2011 Data Link Layer in Internet We know that Internet consists

Gursharan Singh Tatla 27-Mar-2011 Data Link Layer in Internet We know that Internet consists

Gursharan Singh Tatla 27-Mar-2011 Data Link Layer in Internet We know that Internet consists of individual systems that are connected to each other. SLIP and PPP Basically, it is wide are network that is built up from point-to-point

412 views • 4 slides
Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel Ricardo Faculdade de Engenharia da

Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel Ricardo Faculdade de Engenharia da

WNP-MPR-Sec 1 Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel Ricardo Faculdade de Engenharia da Universidade do Porto WNP-MPR-Sec 2 Topics Scheduled for Today Authentication and access control Security basic

775 views • 49 slides
the Diameter Protocol Ahana Mallik Department of Informatics University of Zurich May 26,

the Diameter Protocol Ahana Mallik Department of Informatics University of Zurich May 26,

AAA Support by the RADIUS and the Diameter Protocol Ahana Mallik Department of Informatics University of Zurich May 26, 2016 Overview 1. Authentication, Authorization and Accounting (AAA). 2. AAA Services, Protocols and Architecture. 3.

1.7k views • 40 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Messaging Layer Security The Beginning Richard Barnes , Benjamin Beurdouche, Karthik Bhargavan,

Messaging Layer Security The Beginning Richard Barnes , Benjamin Beurdouche, Karthik Bhargavan,

Messaging Layer Security The Beginning Richard Barnes , Benjamin Beurdouche, Karthik Bhargavan, Katriel Cohn-Gordon, Cas Cremers, Jon Millican, Emad Omara, Eric Rescorla, Raphael Robert RWC 2019, San Jose, CA YOUR NAME / LOGO HERE Objectives

673 views • 33 slides
Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

handshake 1 Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g , where K fg can be hash AB authentication not mutual connection hijacking off-line password attack compromise of database

424 views • 16 slides
EAP-TLS Smartcards, from Dream to Reality Pascal Urien, Mohamed Badra, Mesmin Dandjinou 4th

EAP-TLS Smartcards, from Dream to Reality Pascal Urien, Mohamed Badra, Mesmin Dandjinou 4th

EAP-TLS Smartcards, from Dream to Reality Pascal Urien, Mohamed Badra, Mesmin Dandjinou 4th Workshop on Applications and Services in Wireless Networks Boston University Massachusetts, USA August 9th, 2004 1 Pascal URIEN, Boston University,

219 views • 19 slides

More recommend