real time communication security ipsec ssl issues n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Real-Time Communication Security IPsec & SSL Issues PowerPoint Presentation
Download Presentation
Real-Time Communication Security IPsec & SSL Issues

Loading in 2 Seconds...

play fullscreen
1 / 18

Real-Time Communication Security IPsec & SSL Issues - PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on

Real-Time Communication Security IPsec & SSL Issues. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. The Internet. A packet-switched network: Data to be transmitted is divided into “packets” Each packet is forwarded by “routers” towards the destination.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Real-Time Communication Security IPsec & SSL Issues


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
real time communication security ipsec ssl issues

Real-Time Communication SecurityIPsec & SSL Issues

CS 519

Cryptography and Network Security

Instructor: Ali Aydin Selcuk

Real-Time Communication Issues

the internet
The Internet

A packet-switched network:

  • Data to be transmitted is divided into “packets”
  • Each packet is forwarded by “routers” towards the destination

...

...

Real-Time Communication Issues

security of tcp ip communications
Security of TCP/IP Communications

The TCP/IP reference model:

IP: delivery of packets to the destination

TCP: reliability of the communication

  • ordering the packets
  • error detection & recovery
  • congestion control

UDP: basic transport protocol

Application Layer (HTTP, FTP, SMTP, etc.)

Transport Layer (TCP, UDP)

Network Layer (IP)

Data Link Layer (PPP, Ethernet, etc.)

Physical Layer

Real-Time Communication Issues

securing tcp ip
Securing TCP/IP

Layer 3:

  • can secure all IP comm., transparent to applications
  • must be built into the OS

Layer 4:

  • doesn’t require OS modification; deployment easy

Application L.

Layer 4 (SSL/TLS)

Transport L.

Layer 3 (IPsec)

Network L.

Data Link L.

Physical L.

Real-Time Communication Issues

real time protocol issues
Real-Time Protocol Issues
  • Interactive session security (unlike e-mail)
  • End-to-end security (encryption/authentication) requires layer 3 or 4 (or, layer 3.5 & 4.5) protection

Real-Time Communication Issues

ipv4 header
IPv4 Header

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

|Version| IHL |Type of Service| Total Length |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Identification |Flags| Fragment Offset |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Time to Live | Protocol | Header Checksum |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Source Address |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Destination Address |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Options | Padding |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Real-Time Communication Issues

tcp header
TCP Header

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Source Port | Destination Port |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Sequence Number |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Acknowledgment Number |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Data | |U|A|P|R|S|F| |

| Offset| Reserved |R|C|S|S|Y|I| Window |

| | |G|K|H|T|N|N| |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Checksum | Urgent Pointer |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Options | Padding |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| data |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Real-Time Communication Issues

udp header
UDP Header

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Source Port | Destination Port |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Length | Checksum |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Real-Time Communication Issues

layer 4 ssl
Layer 4 (SSL)
  • Implemented on top of layer 4, between TCP & application
  • Doesn’t require any modifications to OS(deployment made easy!)

Real-Time Communication Issues

layer 3 ipsec
Layer 3 (IPsec)
  • Implemented between IP & TCP
  • Each IP packet authenticated separately
  • Built in the OS
  • Can secure all IP communication
  • Host-to-host and network-to-networkapplication is common;process-to-process also possible

Real-Time Communication Issues

session key establishment
Session Key Establishment
  • Message authentication with a session key is needed against connection hijacking
  • Sequence numbers needed against packet replays (different from TCP seq.no.)
  • Session key reset before seq.no. wraps around
  • For freshness guarantee, both parties should contribute to the session key

Real-Time Communication Issues

perfect forward secrecy
Perfect Forward Secrecy
  • PFS: Compromise of long-term secrets doesn’t compromise session keys
  • Example: DH with RSA authentication
  • Non-PFS examples:
    • Kerberos
    • Session key transport with RSA encryption
  • By-product: Escrow preventionConversations can’t be decrypted by authorities holding copies of long-term private keys

Real-Time Communication Issues

dos protection
DoS Protection
  • If attacker can make server do DH exponentiation by just initiating a session, DoS is made easy
  • Protection:
    • cookies
    • puzzles

Real-Time Communication Issues

dos protection cookie solution
DoS Protection – Cookie Solution
  • Server responds to session requests with a random number (cookie).Initiator has to respond back with that cookie to continue
  • Attacker would either
    • reveal its address
    • or, abort the attack
  • Stateless cookies: cookie is H(IP address, secret); server doesn’t remember it.

Real-Time Communication Issues

dos protection puzzle solution
DoS Protection – Puzzle Solution
  • Server requires initiator to solve a puzzleE.g., MD5(x) = …, x = ?, for an n-bit x.
  • Solving is slow, verification fast.
  • Can be made adaptive to increasing load. (how?)
  • Can be made stateless. (how?)
  • Can be used against spam as well

Real-Time Communication Issues

identity hiding
Identity Hiding
  • Hiding the parties’ identities from eavesdroppers
  • Do DH without authentication.Then send the authentication info encrypted under the session key.
  • Passive attacker can’t learn identities

Real-Time Communication Issues

live partner assurance
Live Partner Assurance
  • Against replays, different DH exponents must be used in different sessions
  • DH exponentiation is expensive; problem for servers, low-end clients
  • Solution: Constant DH exponents, different nonces. Incorporate nonces into the session key. E.g., K = H(gab mod p, nonces)

Real-Time Communication Issues

other issues
Other Issues
  • Session resumption: Use previously established session keys to bypass public-key authentication
  • Deniability: Don’t use signatures for authentication. Use encryption with public keys. (e.g., the SKEME protocol)
  • Crypto negotiations: Key exchange protocols negotiate the algorithms to be used as well

Real-Time Communication Issues