Announcements No office hours this week Next week by appointment as I m giving a lecture on network security research next Weds Attacks Defenses Reminder particular topics for next Monday s lecture or for next Wednesday s review EE 122 Intro to Communication Networks Guest lecture Weds Nov 29 Prof Ion Stoica Fall 2006 MW 4 5 30 in Donner 155 Vern Paxson TAs Dilip Antony Joseph and Sukun Kim http inst eecs berkeley edu ee122 Materials with thanks to Jennifer Rexford Ion Stoica and colleagues at Princeton and UC Berkeley 1 2 Public Key Infrastructure PKI Goals of Today s Lecture Public Key Infrastructure PKI Public key crypto is very powerful Putting it all together how does https work but the realities of distributing the public keys turn out to be quite hard Attacks compromising systems Buffer overflows Logic errors Social engineering Automated attacks worms bots PKI System managing public key distribution on a wide scale Attacks denial of service DoS Network layer DDoS Transport layer SYN flooding Application layer one defense CAPTCHAs 3 Managing Trust Trust distribution mechanism Confidentiality via Encryption Integrity via Digital Signatures Non Repudiation via Digital Signature Authentication via Digital Certificates 4 Managing Trust con t The most solid level of trust is rooted in our direct personal experience Trust is not particularly transitive Should Alice trust Bob because she trusts Charlie and Charlie vouches for Donna and Donna says Eve is trustworthy and Eve vouches for Bob s identity E g Alice s trust that Bob is who they say they are Clearly doesn t scale to a global network In its absence we rely on delegation Alice trusts Bob s identity because Charlie attests to it and Alice trusts Charlie Two models of delegating trust Rely on your set of friends and their friends Web of trust e g PGP Rely on trusted well known authorities and their minions 5 Trusted root e g HTTPS 6 1 PKI Conceptual Framework Components of a PKI Trusted Root PKI Basis well known public key serves as root of a hierarchy Managed by a Certificate Authority CA To publish a public key ask the CA to digitally sign a statement indicating that they agree certify that it s indeed your key This is a certificate for your key certificate bunch of bits Includes both your public key and the signed statement Anyone can verify the signature Delegation of trust to the CA They d better not screw up duped into signing bogus key They d better have procedures for dealing with stolen keys Note can build up a hierarchy of signing 7 Digital Certificate 8 Certification Authority Signed data structure that binds an entity with its corresponding public key People processes responsible for creation delivery and management of digital certificates Signed by a recognized and trusted authority i e Certification Authority CA Provide assurance that a particular public key belongs to a specific entity Organized in an hierarchy To verify signature chain follow hierarchy up to root Root CA Example certificate of entity E E nameE Kepublic KCAprivate KCAprivate private key of Certificate Authority KEpublic public key of entity E CA 1 CA 2 Actually they ll sign whatever glob of bits you give them nameE name of entity E Your browser has a bunch of CAs wired into it 9 Registration Authority 10 Certificate Repository A database accessible to all users of a PKI People processes responsible for Authenticating the identity of new entities users or computing devices e g Contains Digital certificates Policy information associated with certs Certificate revocation information By phone or physical presence ID Issuing requests to CA for certificates The CA must trust the Registration Authority Vital to be able to identify certs that have been compromised Usually done via a revocation list 11 12 2 Putting It All Together HTTPS HTTPS Connection SSL TLS con t What happens when you click on https www amazon com Browser client connects Browser via TCP to Amazon s HTTPS server https Use HTTP over SSL TLS Client sends over list of crypto protocols it supports SSL Secure Socket Layer TLS Transport Layer Security Successor to SSL and compatible with it RFC 4346 Server picks protocols to use for this session Provides security layer authentication encryption on top of TCP Server sends over its certificate Fairly transparent to the app 13 Inside the Server s Certificate A bunch of auxiliary info physical address type of cert expiration time See homework 4 URL to revocation center to check for revoked keys Name of certificate s signatory who signed it 15 HTTPS Connection SSL TLS con t Browser displays All subsequent communication encrypted w symmetric cipher e g AES128 using key K E g client can authenticate using a password what step is missing Amazon Agreed These are hardwired into the browser If it can t find the cert then warns the user that site has not been verified And may ask whether to continue Note can still proceed just without authentication Browser uses public key in signatory s cert to decrypt signature assuming signatory is trustworthy 16 Tricking a host into executing on your behalf Can consider what is attacked server or client and the semantic level at which it is attacked ta of da 1 KB E K n e onse E resp 14 Host Compromise my cert Here s E pas sword ta of da 1 KB Assuming signature matches now have high confidence it s indeed Amazon Constructed using the signatory s private RSA key K e A1 Let s us AES128 SH SA TLS R rt ce y m Here s Compares with its own MD5 hash of Amazon s cert A public key signature of a hash MD5 of all this Browser sends E K n e to server ACK Hell o TLS I suppo r SSL RSA A t E RS A 3 S128 S DES H MD A1 or 5 or Browser retrieves cert belonging to the signatory Amazon s public key RSA exponent e modulus n Browser encrypts K using Amazon s public key CK SYN A Validating Amazon s Identity Name associated with cert e g Amazon Browser constructs a random Browser session key K all of this is in the clear Amazon SYN Attacks on servers client sends subversive requests K Happens at attacker s choosing Some hosts are servers unknowingly Attacks on clients server attacker waits for client to connect sends it a subversive reply K K 17 E g drive by spyware E g recent study found 15 of popular KaZaA files infected by one of 52 different viruses 18 3 Semantic Level of Compromise E g buffer overflows 200 bytes of local vars into buffer server uses to hold it Spills over into memory beyond the buffer Allows remote attacker to
View Full Document
Unlocking...