
CT-541

Network Security

Network Authentication Protocols

Lecture 3-5

Dr. Muhammad Mubashir Khan


mmkhan@neduet.edu.pk

Jan 2018

Department of Computer Science & IT, NED University of Engineering & Technology
Authentication
• Authentication is the act of confirming the truth of an
attribute of an entity.
• In Windows networks we have two options for
implementing network authentication services:
1. NTLM (NT LAN Manager) Protocol
– Microsoft security protocol that provides authentication,
integrity, and confidentiality to users
– The successor to the authentication protocol in Microsoft
LAN Manager (LANMAN), an older Microsoft product
– Not recommended by Microsoft (does not support any
recent cryptographic methods, such as AES or SHA-256)
2. KERBEROS
– Recommended by Microsoft
Dr. Muhammad Mubashir Khan, Department of Computer Science & IT, NED University of Engineering & Technology
Why is NTLM still provided?
NTLM may still be used in the following situations:
• The client is authenticating to a server that doesn't
belong to a Windows Server domain
– because Kerberos is typically used when a server belongs to
a Windows Server domain.
• No Active Directory domain exists (commonly referred
to as "workgroup" or "peer-to-peer")
– because Microsoft adopted Kerberos as the preferred
authentication protocol for Windows 2000 and subsequent
Active Directory domains.
• Where a firewall would otherwise restrict the ports
required by Kerberos (Kerberos uses port 88 by default).
Microsoft Authentication
• GSS-API (Generic Security Service API)
– an IETF standard that addresses the problem of many similar
but incompatible security services in use today.
• SSPI (Security Support Provider Interface)
– Microsoft's implementation of GSS-API
– a Win32 API
• Microsoft recommends using the Negotiate security
package, which selects the appropriate authentication
protocol, i.e. Kerberos or NTLM.

[Diagram: SSPI -> Negotiate -> KERBEROS or NTLM]

Kerberos - Background
• Developed at MIT to protect network services provided
by Project Athena
– a joint project of MIT, Digital Equipment Corporation, and
IBM to produce a campus-wide distributed computing
environment for educational use.
• The protocol is based on the earlier Needham–
Schroeder symmetric-key protocol
– a key transport protocol over an insecure channel.
• Steve Miller and Clifford Neuman, the primary
designers of Kerberos version 4, published that version
in the late 1980s.
• The current version 5 was designed by John Kohl and
Clifford Neuman.
Kerberos - Background
• Initially its export was banned by the US
– the US classified Kerberos as "Auxiliary Military Equipment" on the
US Munitions List
– because it used the Data Encryption Standard (DES)
encryption algorithm (with 56-bit keys).
• A non-US Kerberos 4 implementation, KTH-KRB,
developed at the Royal Institute of Technology in
Sweden, made the system available outside the US.
• In 2005 the IETF established the Kerberos Working Group and
made a freely available implementation with the following
updates:
– a new version 5 with updated encryption and checksum specs
– DES replaced with AES
– a new GSS-API specification
Kerberos
• Trusted key server system
http://web.mit.edu/kerberos/
• Provides centralized private-key third-party
authentication in a distributed network
• Allows users access to services distributed through the
network without needing to trust all workstations
• All entities trust a central authentication server
• Two versions in use: 4 & 5
– version 4 is no longer supported by MIT
– last stable release krb5-1.16 (5 December 2017)
• Uses UDP port 88 by default
• Features:
– Secure, Reliable, Transparent, Scalable

Main Entities in Kerberos
• Kerberos is a basic third-party authentication scheme
that consists of two main entities:
1. Authentication Server (AS)
– users initially negotiate with the AS for identification
– the AS provides a non-corruptible authentication credential,
the Ticket Granting Ticket (TGT)
2. Ticket Granting Server (TGS)
– users subsequently request access to other services from the
TGS on the basis of their TGT
• Dialogue
– Client requests a TGT from the AS (once per session)
– Client requests a Service Granting Ticket (SGT) from the TGS
(required for every distinct service)
– Client/Server exchange for obtaining/providing the service
Kerberos Protocol
KERBEROS also provides confidentiality and integrity in the
whole communication process.

[Diagram: the Client, the Key Distribution Center (KDC) made up of
the Authentication Server (AS) and the Ticket Granting Server (TGS),
and the Network Services Provider (Server)]

1. Client requests a ticket to get tickets for different services
2. AS sends a Ticket Granting Ticket (TGT) after authentication
3. Client requests a Service Granting Ticket (SGT) from the TGS
by showing its TGT
4. TGS issues the SGT for the specific service after verifying the TGT
5. Client requests the service for which the SGT was issued
6. Server verifies the SGT and provides the requested service
to the Client

Initial Authentication Kerberos V4

[Diagram: V4 initial authentication exchange between user and Kerberos server]

• The Kerberos server doesn't check if the user is who he says he is.
• An attacker can intercept the encrypted TGT and mount a
dictionary attack to guess the password.

Initial Authentication Kerberos V5
• The Kerberos server makes sure that the user's
password is valid before sending the TGT back to the
user (the request carries an encrypted time stamp).
• The reply consists of:
1. The session key: Kses
2. A ticket for the Kerberos TGS, encrypted
with both the session key and the TGS's key
Initial Authentication
• Authentication is by password
• The user's password is never transmitted
• Users know their own password, and the Kerberos server
has a copy stored in its database in encrypted form
• The password is used to encrypt the Ticket Granting
Ticket to protect it from eavesdroppers.

Shared Keys in Kerberos
• The KDC has access to information about each
security principal (user, computer or service) and a
cryptographic key known only to the KDC and the
security principal.
• This key is commonly known as a long-term key and
is used in exchanges between the Key Distribution
Center and the security principal.

TGT Consists of two parts
1. The session key: Kses
2. A ticket for the Kerberos TGS, encrypted with both:
1. the session key and
2. the TGS's key: E_Ktgs{ E_Kses{ Ttgs } }

Using the TGT

[Diagram: client presents its TGT to the TGS and receives a service ticket]

• The client's request to the TGS includes the Kerberos ID of the
requested service, a time stamp, the client ID, …
• The TGS returns a service ticket Tx encrypted by the file server's key
• Tx contains the UID, IP address and expiration time

How is identity established?
• The TGS can establish the user's identity because the request
is encrypted using the session key (available only if the
user can decrypt the TGT from the AS)
• The File Server Service can establish the user's identity
because the ticket (encrypted with the File Server
Service's key) contains the user's info – put in there
by the TGS.

Shared Keys in Kerberos
• Client's copy of the long-term key
– When a user logs on, the Kerberos client (on the
workstation) converts the user's password to an
encryption key by passing the password through a one-way
hashing function.
– The Kerberos client saves the long-term key in volatile
memory (not on disk).
– Once the client has a long-term key, it sends the KDC a
message consisting of:
1. the user ID and a request for the TGS (for a specific service)
2. a timestamp encrypted with the user's copy of the long-term
key.
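The Python program below is an added example, not code from the lecture or from MIT Kerberos. It walks through the six-step dialogue of the preceding slides: the workstation derives the long-term key from the password with a one-way hash, the AS performs V5 pre-authentication (decrypting the client's timestamp before issuing anything, which is exactly the check V4 lacked), the TGT is E_Ktgs{...} wrapped in E_Kuser{K_ses, TGT}, the TGS verifies an authenticator under K_ses and issues an SGT under the file server's key, and the service checks ticket expiry and the five-minute clock-skew tolerance. The principal names (`alice`, `krbtgt`, `fileserver`), the password and the toy SHA-256-keystream-plus-HMAC cipher standing in for AES are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds: the 5-minute tolerance the lecture quotes as MIT's default


def long_term_key(principal: str, password: str) -> bytes:
    """One-way hash of the password (toy stand-in for the real string-to-key function)."""
    return hashlib.sha256((principal + ":" + password).encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length // 32) + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, message: dict) -> dict:
    """Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag (illustration only)."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, box: dict) -> dict:
    """Verify the tag first: a wrong key (wrong password) fails here without yielding plaintext."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _fresh(timestamp: int, now: int) -> bool:
    return abs(now - timestamp) <= CLOCK_SKEW


class KDC:
    """Holds the long-term key of every principal: users, the TGS ('krbtgt') and services."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)

    def as_exchange(self, user: str, preauth: dict, now: int) -> dict:
        # V5 pre-authentication: open the client's timestamp with the user's long-term key
        # BEFORE issuing a TGT, so a wrong password yields nothing to attack offline.
        if not _fresh(unseal(self.keys[user], preauth)["timestamp"], now):
            raise ValueError("pre-authentication timestamp outside clock skew")
        k_ses = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "k_ses": k_ses.hex(), "expires": now + 8 * 3600})
        # reply = E_Kuser{ K_ses, TGT }   with   TGT = E_Ktgs{ user, K_ses, expiry }
        return seal(self.keys[user], {"k_ses": k_ses.hex(), "tgt": tgt})

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str, now: int) -> dict:
        t = unseal(self.keys["krbtgt"], tgt)          # only the TGS can open the TGT
        if now > t["expires"]:
            raise ValueError("TGT expired")
        k_ses = bytes.fromhex(t["k_ses"])
        a = unseal(k_ses, authenticator)               # proves the sender knows K_ses
        if a["user"] != t["user"] or not _fresh(a["timestamp"], now):
            raise ValueError("bad authenticator")
        k_cs = os.urandom(32)                          # fresh session key for client <-> service
        sgt = seal(self.keys[service], {"user": t["user"], "k_cs": k_cs.hex(), "expires": now + 3600})
        return seal(k_ses, {"service": service, "k_cs": k_cs.hex(), "sgt": sgt})


def service_accept(service_key: bytes, sgt: dict, authenticator: dict, now: int) -> str:
    """The file server opens the SGT with its own key and the authenticator with K_cs."""
    t = unseal(service_key, sgt)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    a = unseal(bytes.fromhex(t["k_cs"]), authenticator)
    if a["user"] != t["user"] or not _fresh(a["timestamp"], now):
        raise ValueError("bad authenticator")
    return t["user"]


def run_login(password: str, client_skew: int = 0, now: int = 0) -> str:
    """Full dialogue for the constructed user 'alice'; returns the identity the service accepted."""
    now = now or int(time.time())
    client_now = now + client_skew                     # the client's clock may drift from the KDC's
    kdc = KDC({"alice": long_term_key("alice", "correct horse"),
               "krbtgt": os.urandom(32), "fileserver": os.urandom(32)})
    k_user = long_term_key("alice", password)          # derived on the workstation, never sent
    # steps 1-2: AS exchange -> K_ses and TGT
    reply = unseal(k_user, kdc.as_exchange("alice", seal(k_user, {"timestamp": client_now}), now))
    k_ses, tgt = bytes.fromhex(reply["k_ses"]), reply["tgt"]
    # steps 3-4: TGS exchange -> K_cs and SGT for the file server
    reply = unseal(k_ses, kdc.tgs_exchange(tgt, seal(k_ses, {"user": "alice", "timestamp": client_now}),
                                           "fileserver", now))
    k_cs, sgt = bytes.fromhex(reply["k_cs"]), reply["sgt"]
    # steps 5-6: client/server exchange
    return service_accept(kdc.keys["fileserver"], sgt,
                          seal(k_cs, {"user": "alice", "timestamp": client_now}), now)


def login_outcome(password: str, client_skew: int = 0) -> str:
    """Report acceptance or the reason for rejection instead of raising."""
    try:
        return "accepted:" + run_login(password, client_skew)
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(login_outcome("correct horse"))             # accepted:alice
    print(login_outcome("wrong password"))            # rejected at the AS, no TGT issued
    print(login_outcome("correct horse", 600))        # rejected: clock more than 5 minutes off
```

A wrong password fails inside the AS at the pre-authentication step, so nothing encrypted under the user's key ever leaves the KDC; a client clock drifted by more than CLOCK_SKEW is refused for the same reason the lecture lists under "strict time requirements".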
Defense Against Attacks
Risk: A session ticket or the corresponding session key
may be compromised because of a long validity interval.
• Two ways to defend:
1. Have tickets renewed at relatively short intervals.
– When tickets are renewed, a new session key is issued,
minimizing the worth of a compromised key.
2. Have session keys refreshed periodically.
– The session keys in a renewable ticket can be
refreshed periodically without issuing a completely new
ticket.

Drawbacks & Limitations
• Single point of failure:
– It requires continuous availability of a central server. When
the Kerberos server is down, new users cannot log in. This
can be mitigated by using multiple Kerberos servers and
(alternative) fallback authentication mechanisms.
• Strict time requirements:
– If the host clock is not synchronized with the Kerberos server
clock, the authentication will fail.
– The default configuration per MIT requires that clock times
be no more than five minutes apart.
• Requires a trust relationship:
– Not suitable for unknown/untrusted clients as in a typical
Internet or cloud computing scenario, where the
authentication provider typically does not have knowledge
about the user's client system.
References
• https://docstore.mik.ua/orelly/networking/puis/ch19_06.htm
• https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/video-lectures/lecture-13-network-protocols/
Detailed Description

Security Schemes in OSI Layers

OSI Layer            Security Scheme
Application Layer    KERBEROS
Transport Layer      SSL/TLS
Network Layer        IPsec
Physical Layer       Quantum Communication

SSL/TLS - Background
• Dr. Taher Elgamal, chief scientist at
Netscape Communications from 1995
to 1998, is recognized as the
"father of SSL".
• Became an Internet standard as TLS (Transport Layer
Security) in 1999.
• Aims primarily to provide privacy and data integrity
between two communicating computer
applications, such as web browsing, email, Internet
faxing, instant messaging, and voice-over-IP (VoIP).
SSL/TLS … What is the difference?
• Protocol Versions in Messages
• Message Authentication
– TLS implements a standardized MAC (HMAC) that has
been proven in many other implementations.
– The main benefit of this change is that HMAC operates
with any hash function, not just MD5 or SHA, as
explicitly stated by the SSL protocol.
SSL/TLS … What is the difference?
• Key Material Generation
– TLS uses the HMAC standard and its pseudorandom
function (PRF) output to generate key material, while SSL
uses RSA and Diffie-Hellman.
• Certificate Verify
– In SSL, the CertificateVerify message requires a complex
procedure of messages.
– In TLS the verified information is completely contained
in the handshake messages previously exchanged during
the session.
• Alert Protocol Message Types (some modifications)
SSL/TLS
• TCP: provides a reliable end-to-end service.
• TCP + SSL: provides a reliable & secure end-to-end
service.
• HTTPS: HTTP over SSL (or TLS)
– typically on port 443 (regular HTTP on port 80)
• SSL has two layers of protocols:
– TLS Handshake
– TLS Record

SSL Connection

Google Chrome connection icons and their descriptions:
• The site isn't using SSL.
• Google Chrome has successfully established a secure connection with the site.
• The site uses SSL, but Google Chrome has detected insecure content on the page.
• The site uses SSL, but Google Chrome has detected either high-risk insecure content on the
page or problems with the site's certificate.

Applications:
Web browsing, Electronic mail, Internet faxing, Instant
messaging and Voice-over-IP (VoIP).
SSL/TLS-Connection Properties
• When secured by TLS, connections between a client
(e.g., a web browser) and a server (e.g., gmail.org) have
one or more of the following properties:
1. The connection is private (or secure)
– because symmetric cryptography is used to encrypt the data
transmitted.
– The keys for this symmetric encryption are generated
uniquely for each connection and are based on a shared
secret negotiated at the start of the session.
– The server and client negotiate the details of which
encryption algorithm and cryptographic keys to use before
the first byte of data is transmitted.
2. The identity of the communicating parties can be
authenticated using public-key cryptography.
– This authentication can be made optional, but is
generally required for at least one of the parties
(typically the server).
3. The connection ensures integrity
– because each message transmitted includes a message
integrity check using a message authentication code
(MAC) to prevent undetected loss or alteration of the
data during transmission.
Protocol Phases
SSL Architecture
• SSL itself is not a single-layer protocol; it is
composed of two sub-layers.
• Lower sub-layer: the SSL Record Protocol provides integrity
and confidentiality services.
• Upper sub-layer:
– SSL Handshake Protocol
– Change Cipher Spec Protocol
– Alert Protocol
(These 3 protocols manage all of SSL's message exchanges)
SSL Handshake Protocol
• It creates SSL sessions between the client and the
server.
• A session is identified by a unique set of cryptographic
security parameters.
• Allows server & client to:
– authenticate each other
– negotiate encryption & MAC algorithms and keys
• Comprises a series of messages exchanged in phases:
1. Establish Security Capabilities (to agree on encryption,
MAC, and key-exchange algorithms)
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Session - Created by the Handshake Protocol
• A session is identified by a unique set of
cryptographic security parameters, such as:
– Session ID: an arbitrary byte sequence chosen by the server to identify an active
or resumable session state.
– Peer Certificate: certificate of the peer.
– Compression method: the algorithm used to compress data prior to
encryption.
– Cipher spec: encryption and hash algorithm.
– Master secret: 48-byte secret shared between the client and server.
– Is resumable: a flag indicating whether the session can be used to initiate
new connections.

ChangeCipherSpec Protocol
• The simplest part of the SSL protocol.
• It comprises a single message exchanged
between two communicating entities, the client
and the server.
• As each entity sends the ChangeCipherSpec
message, it changes its side of the connection into
the secure state as agreed upon:
"Everything I tell you from now on will be authenticated
(and encrypted, if encryption was negotiated)"
• Exchange of this message indicates all future data
exchanges are encrypted and integrity protected.
SSL Alert Protocol
• This protocol is used to report errors – such as:
– unexpected message,
– bad record MAC,
– security parameters negotiation failed, etc.
• It is also used for other purposes – such as:
– notify closure of the TCP connection,
– notify receipt of a bad or unknown certificate, etc.

SSL Record Protocol
• It formats the upper-layer protocol messages.
• It fragments the data into manageable blocks (max
length 16 KB).
• It optionally compresses the data.
• It encrypts the data.
• It provides a header for each message and a hash
(Message Authentication Code (MAC)) at the end.
• It hands over the formatted blocks to the TCP layer for
transmission.

SSL Record Protocol

[Figure: application data split into 16 KB fragments by the record protocol]

SSL Record Protocol
• Provides two services:
1. Message integrity
– using a MAC with a shared secret key
– similar to HMAC but with different padding
– hash functions: MD5, SHA-1
2. Message confidentiality
– using symmetric encryption with a shared secret key
– encryption algorithms: AES, IDEA, RC2-40, DES-40, DES, 3DES,
RC4-40, RC4-128

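As an added example (not the lecture's code and not taken from any TLS library), the following Python record layer shows the fragmentation and integrity steps of the three preceding slides: application data is cut into 16 KB fragments, each fragment gets a 5-byte header (type, version, length) and a MAC computed over the implicit 64-bit sequence number plus header and fragment, and the receiver recomputes that MAC with its own counter. HMAC-SHA256 is used for the illustration in place of the MD5/SHA-1 MACs listed above, the key is a constructed constant, and the encryption step is left as a comment so the integrity logic stays visible.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # 16 KB record-layer limit from the slides
CT_APPLICATION_DATA = 23        # ContentType value for application_data
VERSION = (3, 1)                # record-layer version bytes used by TLS 1.0
MAC_LEN = 32                    # HMAC-SHA256 output (illustration; SSLv3 used MD5/SHA-1)


def fragment(data: bytes) -> list:
    """Step 1 of the record protocol: split application data into <= 16 KB fragments."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def record_mac(mac_key: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    """MAC over seq_num(8) || type(1) || version(2) || length(2) || fragment.
    The sequence number is never sent; both sides count records, which is what
    lets the receiver notice a replayed, reordered or dropped record."""
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def send(self, data: bytes, ctype: int = CT_APPLICATION_DATA) -> list:
        """Wire records: 5-byte header || fragment || MAC. In real TLS the
        fragment+MAC would now be encrypted with the negotiated cipher."""
        records = []
        for frag in fragment(data):
            body = frag + record_mac(self.mac_key, self.seq, ctype, frag)
            records.append(struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(body)) + body)
            self.seq += 1
        return records


class RecordReceiver:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def receive(self, record: bytes) -> bytes:
        """Parse the header, verify the MAC against the receiver's own counter, return the fragment.
        A failure here is what the Alert protocol reports as 'bad record MAC'."""
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if (major, minor) != VERSION or len(body) != length or length < MAC_LEN:
            raise ValueError("malformed record")
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(mac, record_mac(self.mac_key, self.seq, ctype, frag)):
            raise ValueError("bad record MAC")
        self.seq += 1                                   # only advance on a verified record
        return frag


def roundtrip(data: bytes, mac_key: bytes = b"constructed-mac-key") -> tuple:
    """Push data through sender and receiver; returns (record count, reassembled data)."""
    records = RecordSender(mac_key).send(data)
    rx = RecordReceiver(mac_key)
    return len(records), b"".join(rx.receive(r) for r in records)


def tamper_detected(mac_key: bytes = b"constructed-mac-key") -> bool:
    """Flip one payload byte in the second record, then replay the first: both must be rejected."""
    records = RecordSender(mac_key).send(b"X" * (MAX_FRAGMENT + 10))
    rx = RecordReceiver(mac_key)
    rx.receive(records[0])
    flipped = records[1][:7] + bytes([records[1][7] ^ 0x01]) + records[1][8:]
    outcomes = []
    for bad in (flipped, records[0]):               # modified record, then a replay of record 0
        try:
            rx.receive(bad)
            outcomes.append(False)
        except ValueError:
            outcomes.append(True)
    return all(outcomes)


if __name__ == "__main__":
    print(roundtrip(b"A" * 40000)[0], "records")     # 3 records for 40000 bytes
    print("tamper and replay rejected:", tamper_detected())
```

Because the receiver only advances its counter after a successful MAC check, a replayed record is rejected for the same reason as a modified one: the MAC was computed under a different sequence number.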
SSL Secure Tunnel Establishment

Heartbleed
• A security bug in the OpenSSL cryptography library
– OpenSSL contains an open-source implementation of
the SSL and TLS protocols.
• Publicly disclosed on April 7, 2014
• A fixed version of OpenSSL was released on the same
day
• The affected versions:
– OpenSSL 1.0.1 to 1.0.1f
– All versions before and after are safe
Heartbleed
• 17% (around half a million) of the Internet's secure
web servers certified by trusted authorities were
believed to be vulnerable to the attack.
• Other implementations of TLS were not affected:
– GnuTLS,
– Mozilla's Network Security Services,
– the Windows platform implementation of TLS,
– etc.
• The actual bug was not in TLS but in its OpenSSL
implementation.

Heartbeat
• A TLS secure communication link is tested by allowing
a computer at one end of a connection to send a
Heartbeat Request message.
– A Heartbeat Request consists of a payload, typically a text
string, along with the payload's length as a 16-bit
integer.
• The receiving computer then must send exactly the
same payload back to the sender.

Heartbeat - TLS Record

Heartbleed
• The affected versions of OpenSSL allocate a
memory buffer for the message to be returned
based on the length field in the requesting
message, without regard to the actual size of that
message's payload.
– No proper bounds checking.
• The returned message may include the payload,
followed by whatever else happened to be in the
allocated memory buffer.

Heartbleed
• A malformed Heartbeat Request is sent with a small
payload and a large length field to the other party.
• For example:
– A Heartbeat Request might ask a party to "send back the four-
letter word '#987'", resulting in a response of '#987'.
– A Heartbleed request instead asks "send back the 500-letter word '#987'".
– This would cause the victim to return "#987" followed by
whatever 496 characters the victim happened to have in
active memory.
• Attackers in this way could receive sensitive data,
compromising the confidentiality of the victim's
communications.
Heartbleed: Attacker’s Control
• Attacker has
• Some control over the disclosed memory block's size,
• No control over its location, and therefore cannot
choose what content is revealed.

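The Python model below is an added example, not the lecture's code and not OpenSSL's; it reproduces the "#987" scenario of the preceding slides over a constructed byte buffer so that the missing check is visible without any real process memory. The vulnerable handler sizes its copy from the claimed 16-bit length, the fixed handler first compares 1 + 2 + payload_length + 16 against the length of the record actually received (the comparison that the OpenSSL fix introduced) and discards the request when it does not fit. The record layout (type, length, payload, 16 bytes of padding) follows RFC 6520; the neighbouring data is a constructed stand-in for whatever was adjacent in the buffer.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16   # minimum padding that must follow the payload (RFC 6520)


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """type(1) || payload_length(2) || payload || padding.
    A well-formed request has claimed_length == len(payload); the malformed case claims more."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


class SimulatedMemory:
    """The received record followed by whatever 'happened to be' next in the buffer (constructed)."""

    def __init__(self, record: bytes, neighbouring_data: bytes):
        self.buf = bytearray(record + neighbouring_data)
        self.record_len = len(record)          # what the TLS record layer actually delivered


def heartbeat_vulnerable(mem: SimulatedMemory) -> bytes:
    """Pre-fix behaviour: the copy length comes straight from the request's length field."""
    _, payload_len = struct.unpack("!BH", mem.buf[:3])
    payload = bytes(mem.buf[3:3 + payload_len])   # runs past the record when payload_len is too big
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def heartbeat_fixed(mem: SimulatedMemory):
    """Post-fix behaviour: silently discard any request whose claimed length cannot fit."""
    if mem.record_len < 1 + 2 + PADDING:
        return None                                   # too short to hold even an empty payload
    _, payload_len = struct.unpack("!BH", mem.buf[:3])
    if 1 + 2 + payload_len + PADDING > mem.record_len:
        return None                                   # the bounds check that closes the bug
    payload = bytes(mem.buf[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, payload_len = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_len]


# Constructed stand-in for data adjacent to the record in memory.
NEIGHBOUR = b"cookie=CONSTRUCTED_SESSION_VALUE;" * 20


def simulate(claimed_length: int, handler):
    """Run the '#987' request from the slides, with the given claimed length, through a handler.
    Returns the echoed payload, or None when the handler discarded the request."""
    mem = SimulatedMemory(build_heartbeat_request(b"#987", claimed_length), NEIGHBOUR)
    resp = handler(mem)
    return None if resp is None else response_payload(resp)


if __name__ == "__main__":
    print(simulate(4, heartbeat_vulnerable))          # b'#987' : well-formed request, both handlers agree
    print(len(simulate(500, heartbeat_vulnerable)))   # 500 : the over-read in the affected versions
    print(simulate(500, heartbeat_fixed))             # None : request discarded after the fix
```

The well-formed request behaves identically under both handlers, which is why the fix could ship without changing the protocol; only the request whose claimed length exceeds the record is treated differently.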
Possible Consequences
• The data obtained by a Heartbleed attack may:
• include unencrypted exchanges between TLS parties
likely to be confidential.
• reveal private keys of compromised parties.
• include users' session cookies and passwords.
• reveal authentication material to possibly launch a
replay attack.

IPSec
IPSec
• Developed by Wei Xu for providing IP-level security,
under funding from the Clinton Administration for
hosting whitehouse.gov email during 1993-1995.
• IPSec is not a single security protocol
• IPSec provides
– a set of security algorithms plus
– a general framework that allows a pair of
communicating entities to use whichever algorithms are
appropriate

IPSec
• IP layer / OSI layer 3 / Network layer protocol
for securely sending/receiving IP or upper-layer
traffic
• IPsec can protect data flows between a pair of hosts
(host-to-host), between a pair of security gateways
(network-to-network), or between a security
gateway and a host (network-to-host).
• Provides two kinds of services/protocols:
1. ESP (Encapsulating Security Payload)
– Confidentiality, Authenticity and Integrity
2. AH (Authentication Header)
– Authenticity and Integrity
Cryptographic Algorithms: IPSec
• HMAC-SHA1/SHA2
• for integrity protection and authenticity.
• TripleDES-CBC
• for confidentiality
• AES-CBC
• for confidentiality.
• AES-GCM
• providing confidentiality and authentication together
efficiently.

Security Association (SA)
• A Security Association (SA) is the establishment of
shared security attributes between two network
entities to support secure communication.
• SA includes attributes such as:
• cryptographic algorithm and mode;
• traffic encryption key; and
• parameters for the network data to be passed over the
connection.
• The framework for establishing security
associations is provided by the Internet Security
Association and Key Management Protocol
(ISAKMP).
Security Association (SA)
• Protocols such as Internet Key Exchange and
Kerberized Internet Negotiation of Keys provide
authenticated keying material.
• This connection is unidirectional and provides
security services to the traffic carried by it.
• To secure typical bidirectional communication between
two IPsec-enabled systems, a pair of SAs (one in each
direction) is required.
• Each SA has its own ID called SAID.
• So both parties will share the SAID, and they will derive
all the security parameters.
• The SA uses one of the security protocols AH or ESP.
IPSec
• IPSec uses two different protocols to encapsulate
the data over a VPN tunnel
1. AH (Authentication Header)
• Authenticity and Integrity
2. ESP (Encapsulating Security Payload)
• Confidentiality, Authenticity and Integrity

AH (Authentication Header) Fields
• Next Header (8 bits)
– Type of the next header, indicating what upper-layer
protocol was protected. The value is taken from the list
of IP protocol numbers.
• Payload Len (8 bits)
– The length of this Authentication Header
• Reserved (16 bits)
– Reserved for future use (all zeroes until then).
• Security Parameters Index (32 bits)
– Arbitrary value which is used (together with the
destination IP address) to identify the security
association of the receiving party.
• Sequence Number (32 bits)
– A monotonic strictly increasing sequence number
(incremented by 1 for every packet sent) to prevent
replay attacks.
• Integrity Check Value (multiple of 32 bits)
– Variable-length check value.

ESP (Encapsulating Security Payload) Fields
• Security Parameters Index (32 bits)
– Arbitrary value used (together with the destination IP address) to identify the
security association of the receiving party.
• Sequence Number (32 bits)
– A monotonically increasing sequence number (incremented by 1 for every
packet sent) to protect against replay attacks. There is a separate counter kept
for every security association.
• Payload data (variable)
– The protected contents of the original IP packet, including any data used to
protect the contents (e.g. an Initialisation Vector for the cryptographic
algorithm). The type of content that was protected is indicated by the Next
Header field.
• Padding (0-255 octets)
– Padding for encryption, to extend the payload data to a size that fits the
encryption's cipher block size, and to align the next field.
• Pad Length (8 bits)
– Size of the padding (in octets).
• Next Header (8 bits)
– Type of the next header. The value is taken from the list of IP protocol
numbers.
• Integrity Check Value (multiple of 32 bits)
– Variable-length check value.

IPSec Connection Establishment
• Consists of two phases:
– Phase 1: ISAKMP SA
• Performs mutual authentication
• Produces the encryption key for Phase 2
– Phase 2: SA (Security Association)
• Negotiates cipher & authentication algorithms for further
transactions
• Security associations are established using the Internet
Security Association and Key Management Protocol (ISAKMP)

IPSec Modes
• IPSec provides two modes of encryption
– Transport Mode (encrypts only the data)
before: [IP header | data]
after:  [IP header | ESP/AH | data]
– Tunnel Mode (encrypts both header and data)
before: [IP header | data]
after:  [new IP hdr | ESP/AH | IP header | data]
• An attacker does not know which end users are communicating
because the original IP header is encrypted by IPSec and a new
header is added between the two intermediate nodes
(firewalls).

IPSec Benefits
• In a router/firewall provides strong security to all
traffic crossing the perimeter
• Not easy to bypass
• Is below transport layer, hence transparent to
applications
• Can be transparent to end users
• Can provide security between two gateways /
routers or for individual users if desired

IPSec Security Services
• The set of security services offered by IPSec
includes:
– Access Control
– Connectionless Integrity
– Data Origin Authentication
– Anti-replay Services
– Confidentiality (via encryption)
– Traffic Flow Confidentiality
• These services are provided by either of the two
traffic security protocols:
– Authentication Header
– Encapsulating Security Payload
• IPsec is an open standard, so these services can be
achieved in an interoperable manner.
Access Control: IPSec
• Access control is achieved by specifying what
outgoing traffic should be protected and what
incoming traffic should be received.
• Traffic selectors are used to define the traffic that
each SA protects.
• It should be noted that access control is not a
firewall function but allows for defined traffic to be
discarded.

Anti-Replay Service: IPSec
• The method to mitigate an attacker replaying traffic
is achieved using sequence numbering of traffic.
• Once a packet has been successfully verified, the
sequence number cannot be received again.
• A window of sequence numbers is permitted, with
only packets falling within this window being
processed.

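The following Python code is an added example (not from the lecture or any IPsec implementation) that ties the ESP field layout above to the anti-replay service of this slide: it parses the fields of an ESP packet that are readable before decryption (SPI, sequence number, encrypted payload, ICV) and the trailer that appears after decryption, then runs each packet's sequence number through the sliding window of RFC 4303, keeping a separate window per SPI so that every security association has its own counter. The SPIs, packets and the 16-byte ICV length are constructed; ICV verification and decryption are not modelled, and a real receiver only updates the window after the ICV has verified.

```python
import struct

ESP_HEADER = struct.Struct("!II")     # SPI (32 bits) || Sequence Number (32 bits)
ICV_LEN = 16                          # depends on the SA's integrity algorithm; constructed as 16


def parse_esp(packet: bytes) -> dict:
    """Fields readable before decryption: SPI, sequence number, the still-encrypted
    payload (payload data + padding + pad length + next header) and the trailing ICV."""
    if len(packet) < ESP_HEADER.size + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return {"spi": spi, "seq": seq,
            "encrypted": packet[ESP_HEADER.size:-ICV_LEN], "icv": packet[-ICV_LEN:]}


def parse_esp_trailer(plaintext: bytes) -> dict:
    """After decryption: payload || padding || pad_length(1) || next_header(1)."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return {"payload": plaintext[:-2 - pad_len], "next_header": next_header}


class ReplayWindow:
    """RFC 4303 sliding anti-replay window (64 packets by default), one per inbound SA.
    'top' is the highest sequence number accepted so far; bit i of the bitmap records
    whether sequence number top - i has already been received."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                               # the first packet on an SA is number 1
        if seq > self.top:                             # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                               # too old: falls left of the window
        if (self.bitmap >> offset) & 1:
            return False                               # already seen: replay
        self.bitmap |= 1 << offset                     # late but inside the window: mark and accept
        return True


class InboundSADB:
    """SPI -> replay window, i.e. a separate sequence counter for every security association."""

    def __init__(self, spis):
        self.windows = {spi: ReplayWindow() for spi in spis}

    def check(self, packet: bytes) -> str:
        esp = parse_esp(packet)
        window = self.windows.get(esp["spi"])
        if window is None:
            return "drop: unknown SA"
        return "accept" if window.accept(esp["seq"]) else "drop: replay or out of window"


def make_packet(spi: int, seq: int, encrypted: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet with a dummy ICV."""
    return ESP_HEADER.pack(spi, seq) + encrypted + b"\xAA" * ICV_LEN


def demo_sequence() -> list:
    """Replay of seq 2, a jump to 100, a late packet inside the window (37), one just
    outside it (36), a second SA with its own counter, and an unknown SPI."""
    sadb = InboundSADB([0x1001, 0x1002])
    arrivals = [(0x1001, 1), (0x1001, 2), (0x1001, 2), (0x1001, 100),
                (0x1001, 37), (0x1001, 36), (0x1002, 1), (0x9999, 1)]
    return [sadb.check(make_packet(spi, seq)) for spi, seq in arrivals]


if __name__ == "__main__":
    for outcome in demo_sequence():
        print(outcome)
```

With top at 100 and a 64-entry window, sequence number 37 (offset 63) is still accepted while 36 (offset 64) is dropped; that boundary is what limits how far behind a reordered packet may arrive on the slide's "window of sequence numbers".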
Confidentiality: IPSec
• Confidentiality is achieved by transforming data
from an intelligible form (plaintext) into an
unintelligible form (ciphertext).
• This is achieved by using Encapsulated Security
Payload, which provides confidentiality services
when the sending host encrypts data and a
receiving host decrypts it, which turns ciphertext
back into plaintext.

Connectionless integrity: IPSec
• Connectionless integrity is a service that detects
modification of an individual IP datagram, without
regard to the ordering of the datagram in a stream of
traffic.
• This is provided by both Authentication Header and
Encapsulated Security Payload services.
• Hashed Message Authentication Code (HMAC) provides
connectionless integrity by way of an Integrity Check
Value (ICV).
• This differs from connection-oriented integrity, which
has the ability to detect packet loss and includes the
ability to re-sequence received packets.

Data Origin Authentication: IPSec
• Data origin authentication verifies the identity of
the claimed source of data.
• The Internet Key Exchange (IKE) provides a method
of authentication.
• Both Authentication Header and Encapsulated
Security Payload services provide connectionless
integrity, which integrates with data origin
authentication.

Traffic Flow Confidentiality : IPSec
• Traffic Flow Confidentiality (TFC) is the ability to
conceal source and destination addresses, message
length, or frequency of packets sent.
• The use of Tunnel Mode allows the inner IP headers
to be encrypted, concealing the identities of the
(inner) traffic source and destination.

IPSec vs SSL
• SSL (and IEEE standard TLS)
– Lives at socket layer (part of user space)
– Has encryption, integrity, authentication, etc.
– Is a relatively simple specification

• IPSec
– Lives at the network layer (part of the OS)
– Has encryption, integrity, authentication, etc.
– Is complex (general framework specification)
– Algorithm-Independent:
• Different user communities may select different sets of
algorithms
Assignment / Homework
• Explore latest security attacks and
vulnerabilities identified for
– KERBEROS
– IPsec
– TLS
• Perform SEED Heartbleed attack LAB
