Skip section 32.1 (IPSec and Virtual Private Network-VPN) – They require information on IP that I’ve not yet covered.

Possible paper topic Will cover after TCP/IP, if time, but probably

won’t have it.

X.509 certificate (end of chapter 31) identifies a server site and verifies it is who it says it is. It’s like an ID card stored electronically. Used for Internet transactions as part of a security

protocol Issued by a trusted Certification Authority (CA) Examples: thawte, verisign, entrust, godaddy.

EV (Extended validation) certificates http://en.wikipedia.org/wiki/Extended_Validation_C

ertificate I will not distinguish X.509 and EV but could be a

paper topic that gets into more detail than I will

CA’s responsibilities Verify the entity is who they say they are.

This is an investigative procedure into the entity requesting the certificate.

Create a certificate (and issue to the entity) to contain the following information:

Certificate Contains:

Owner's public key (and algorithm) Owner's name Expiration date of the public key Name of the issuer (the CA that issued the Digital

Certificate) Serial number of the Digital Certificate Certificate thumbprint calculated with the CA’s private

key. This establishes the authenticity of the certificate and guarantees the certificate cannot be tampered with

Version # more

SSL/TLS – 32.2 TCP establishes a connection between two sites. SSL-Secure Sockets Layer End-to-end security protocols Authenticate server and client to each other Message integrity Originally designed by Netscape Used by virtually every Internet commerce site

TLS-Transport Layer Security TLS is the IETF version of SSL Openssl. For those of you with Linux accounts –

man openssl or man x509. Won’t distinguish here but plenty of room for a

paper topic.

32.8

Figure 32.14 Location of SSL and TLS in the Internet model

Possible sequence of steps for SSL is. Client sends info to server

SSL or TLS version # list of compression/encryption techniques key exchange algorithms supported session ID random data.

Server sends info to client what it supports and wants to use random data certificate

Both sides now know what the other can do.

Authenticate the server Client verifies certificate it received from the server

Check certificate expiration date Check certificate authority (is it in a list of trusted CAs

maintained by the client) use CA’s public key and apply it to the digital signature

(fingerprint, thumbprint) to get the digest value and authenticate – is this a valid certificate?

compare domain name in certificate w/ domain name of server (to prevent man-in-the-middle attack)

Client creates pre-master secret key and encrypts using server’s public key (obtained from the certificate); sends to server. Server gets it and decrypts using its private key.

Server may authenticate client. Client and server feed random data from both sides and

premaster secret into a hash algorithm to generate a session key.

Exchange information securely

32.13

Figure 32.15 Creation of cryptographic secrets in SSL

Some other references [http://support.microsoft.com/kb/257591] [http://msdn2.microsoft.com/en-us/library/aa380513.aspx] [

http://www.cisco.com/en/US/tech/tk583/tk618/tsd_technology_support_protocol_home.html]

You can see certificates connect to an https site (e.g. www.bankmutual.com

and select customer login) Note the lock icon at the top next to the URL). click on the icon and select view certificates and

select various tabs and options. DO NOT ASSUME sites are secure Look for the lock icon or https as opposed to http in

the URL.

To see trusted CAs: Tools Internet Options and select Content tab Select Certificates button followed by one of the tabs. Select a CA and click the View button. Explore various tabs.

Book has a little more on SSL and TLS and could be used as part of a paper topic.

What if the certificate does not check out?

PGP (Pretty good Privacy) In the early 1990s, encryption algorithms were in the

same category as weapons and were declared as a munitions – making them subject to strict export laws.

PGP was developed by Phillip Zimmerman Putting it on the Internet was akin to exporting it,

according to the State dept. Subject of a 3-year criminal investigation Since then, export laws governing encryption have

been relaxed. Another reference at www.pgpi.org (trial versions

used to be available but are hard to find now-at least for more recent OS’s)

32.19

Figure 32.19 Position of PGP in the TCP/IP protocol suite

32.20

Table 32.4 PGP Algorithms

Example use of PGP (run on an older environment)

When the message is open the receiver sees:---BEGIN PGP SIGNED MESSAGE---Hash: SHA1this is a test message---BEGIN PGP SIGNATURE---Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>iQA/AwUBPVHAkz012x9/

xPKqEQL7UQCg65yJ8I4c5o7s37iMvLcqqRtokhAAn3E2EzQd3vhFE41QGj3O8zvDSawR=knKs---END PGP SIGNATURE---

With the message open the user can select decrypt/verify from the PGP dropdown menu*** PGP Signature Status: good*** Signer: William Shay ,shayw@uwgb.edu.*** Signed: 8/7/02 7:51:31 PM*** Verified: 8/7/02 8:50:46 PM*** BEGIN PGP VERIFIED MESSAGE ***this is a test message*** END PGP VERIFIED MESSAGE ***

Textbook covers a bit more and gets into key rings and such. I will skip that but this a possible paper topic.

Firewalls. - 32.4 Allows or disallows data to pass through. How does it decide?

Packet filtering IP packet format

May accept or reject a packet based on its IP address and/or port number

For example, the client/server project works, in theory, if one machine is on campus and the other is off.

It is, however, subject to firewall rules.

Examples

Disallow incoming packets with port # 23 (disables telnet).

Disallow outgoing packets with specified destination addresses. Could be used to restrict employees from access certain external sites (competitors or game playing sites) during work hours.

Example: Some businesses disallow employees to access youtube, facebook, or similar sites.

Disallow outgoing with specified source addresses (to prevent address spoofing – a form of attack discussed later)

Initial firewall setup. Can allow all by default then specify which to reject

Runs the risk of missing something that should be rejected

Can reject all by default and then specify which to allow Runs the risk of people getting PO’d if you miss an

application that should pass

Possible policies: firewall setting (from Kurose & Ross) No outside web access: Drop all outgoing packets to an IP

address, port 80 (HTTP). No incoming TCP connections, except those for

organization's public Web server (130.207.244.203): Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Prevent web-radios from eating up the available bandwidth: Drop all incoming UDP packets – except DNS packets.

Prevent network from being used for a smurf DoS attack: drop all ICMP ping packets going to a broadcast address.

Prevent your network from being tracerouted: drop all outgoing ICMP TTL expired traffic.

Application level gateway (proxy server) Packet filtering uses layer 3/4 information Book example:

Only those Internet users who have previously established business relations with the company can have access to certain web pages.

Packet filtering won’t work Cannot distinguish the above cases

Runs a program for each type of application Intercepts all requests at a high layer and forwards (or rejects)

them as needed. More overhead than packet filtering (firewall must run

duplicate apps) Increased flexibility based on intent of applications

Stateful inspection (not in text) Packets examined based on contents AND context

(i.e. what has happened previously). Admin defines a rule base that determines course of

action. Example: a ping packet sends an echo-request packet Example: type ping url in a dos window – or in Linux

Could reject an echo-response packet if there was no previous echo-request packet in the other direction.

Deny an incoming acknowledgment to a request that never happened. Client established a ftp connection and server

attempts to initiate a file transfer before the client has requested it. Denied.

Maybe client tries to sneak a packet with a different port # through the existing connection. Denied.

Refs: [http://en.wikipedia.org/wiki/Stateful_firewall] [

http://www.webopedia.com/TERM/S/stateful_inspection.html]

Can purchase different levels of firewall protection. Can install on your machine. Can specify which apps can access the Internet or which

sources from the Internet can access your computer. Administrator defines a rule base defining actions. Firewalls can also restrict # packets per second (prevent

student from setting up game servers on campus)

Attacks (not in text) – I will provide an overview only – a possible paper topic Smurf (DoS) attack:

send a ping packet but falsify the source and use a broadcast address for the destination.

All nodes in the broadcast group reply to the “source” inundating it with traffic.

Presumably the attacker creates an infinite loop sending such packets.

[http://www.cert.org/advisories/CA-1998-01.html] [http://en.wikipedia.org/wiki/Denial-of-service_attack]

SYN flood send connection requests (with a false source) to a site. Site waits for a confirmation and times out if it does not

arrive. If requests are sent faster than timeouts occur, problems

occur. [http://www.cert.org/advisories/CA-1996-21.html]

Slowloris attack Utilizes legitimate HTTP traffic Sends partial http requests Sends additional information periodically to keep

socket connections open Ties up connections making them unavailable to

legitimate use Like SYN flood but over http http://www.funtoo.org/en/security/slowloris/ and

http://en.wikipedia.org/wiki/Slowloris

There are bad things are out there Malware – a generic term covering a wide variety of

bad things. Virus – program attached to another that does

unintended things May be destructive May not be (technically) All are disruptive and cause loss or work or trust

Worm: a program that can invade a computer but is NOT attached to another program. Might be running something that’s prone to accepting a

worm from the internet and run it. Might access your outlook contacts and send a copy of

itself to everyone there. Blaster worm: allow others to control your computer.

Trojan Horse: hidden part of other useful program Typically doesn’t replicate like worms and viruses

Summary

Packet sniffer: records copies of packets that it sees A good reason to secure wireless connections

Spyware: watch what you do and perhaps report it to someone else. You may be completely unaware

Botnet: collection of computers working together for a purpose

Clipper Chip (of historical interest): [http://en.wikipedia.org/wiki/Clipper_chip] [http://www.epic.org/crypto/clipper/]

For wiretapping (provided by a court order), each clipper chip has encryption algorithm in a chip inserted into a phone. Press button & security devices exchange encryption

keys. Designed by engineers at NSA w/ no input from private

industry in response to private sectors developing their own to combat business and industrial espionage.

K = 80-bit session key to encrypt – needed for wiretap F = 80-bit family key (all chips in a group have the same one) N = 30-bit serial # (unique to a chip) S = 80-bit secret key – unique to each chip, used by law

enforcement

V = voice message – Ek(V) is the transmitted voice message Clipper chip also generates EF(ES(K)+N) (+ is concatenate

here)

Suppose a wiretap is approved; Apply DF to above to get ES(K)+N. Easy since F is not secret S IS secret so cannot apply DS easily. Need to use N to get S

but first need to know how S is formed and stored.

Two parties – each generates one 80-bit string. Call them S1 and S2.

Calculate S= S1 S2

Each of S1 and S2 are maintained by separate key escrow agencies along with chip serial number. Who the agencies are and who they report to is an issue.

Officials get N and, with a court order, get S1 and S2 from each agency.

Apply DS to get K and then apply DK to get V