Sunday, October 25, 2009

Lecture 6 - Security in Applications & Lab 6 - Security in Applications (Review Questions)


Electronic Mail Security

E-mail – what it is and how it works.

E-mail security threats.

Secure e-mail standards and products - PGP and S/MIME.


E-mail – what it is and how it works

What is an e-mail?

An e-mail is a message made up of a string of ASCII characters in a format specified by RFC 822

Two parts, separated by blank line:

The header: sender, recipient, date, subject, delivery path,…

The body: containing the actual message content.

Example

From:zaki.masud@utem.edu.my

To: mothman@utem.edu.my

Cc: shahrinsahib@utem.edu.my

Subject: RFC 822 example

Date: Fri, 25 Aug 2008 13:58:49

This is just a test message to illustrate RFC 822. It’s not very long and it’s not very exciting. But you get the point.


Security provided in E-mail

Confidentiality

Data origin authentication

Message integrity

Non-repudiation of origin

Key management


MIME = Multipurpose Internet Mail Extensions

Extends the capabilities of RFC 822 to allow e-mail to carry non-textual content, non-ASCII character sets, long messages.

Uses extra header fields in RFC 822 e-mails to specify form and content of extensions.

Supports a variety of content types, but e-mail still ASCII-coded for compatibility.

Specified in RFCs 2045-2049.


Example of MIME message

From: j.bloggs@rhul.ac.uk

To: Kenny.Paterson@rhul.ac.uk

Subject: That document

Date: Wed, 13 Nov 2002 19:55:47 -0000

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="---next part"

------next part

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

Kenny, here’s that document I said I’d send. Regards, Joe

------next part

Content-Type: application/x-zip-compressed; name=“report.zip"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename= “report.zip"

rfvbnj756tbGHUSISyuhssia9982372SHHS3717277vsgGJ77JS77HFyt6GS8

------next part


How E-mails Transported?


MUA: Mail User Agent (Mail Client)

MTA: Mail Transport Agent (Mail Server)




E-mail Security Threats

Two main group:

Threats to the security of e-mail itself

Threats to an organisation that are enabled by the use of e-mail.

Loss of confidentiality.

E-mails are sent in clear over open networks.

E-mails stored on potentially insecure clients and mail servers.

Ensuring confidentiality may be important for e-mails sent within an organisation.

Loss of integrity.

No integrity protection on e-mails; body can be altered in transit or on mail server.

Lack of data origin authentication.

Is this e-mail really from the person named in the From: field?

How many Kenny.Paterson’s are there?

Recall SMTP directly over telnet allows forgery of all e-mail fields!

E-mail could also be altered in transit.

Even if the From: field looks fine, who was logged in as Kenny.Paterson when the e-mail was composed?

Sharing of e-mail passwords common.

Lack of non-repudiation.

Can I rely and act on the content? (integrity)

If so, can the sender later deny having sent it? Who is liable if I have acted?

Example of stock-trading via e-mail.

Lack of notification of receipt.

Has the intended recipient received my e-mail and acted on it?

A message locally marked as ‘sent’ may not have been delivered.


Threats Enabled by E-mail

Disclosure of sensitive information

It’s easier to distribute information by e-mail than it is by paper and snail mail.

Disclosure may be deliberate (and malicious) or unintentional.

Disclosure may be internal or external (e-mail crosses LANs as well as the Internet).

Disclosure may be of personal, inappropriate, commercially sensitive or proprietary information.

Can lead to loss of reputation and ultimately dismissal of staff.


S/MIME

Originated from RSA Data Security Inc. in 1995.

Further development by IETF S/MIME working group at:

www.ietf.org/html.charters/smime-charter.html.

Version 3 specified in RFCs 2630-2634.

Allows flexible client-client security through encryption and signatures.

Widely supported, e.g. in Microsoft Outlook, Netscape Messenger, Lotus Notes.


PGP

PGP=“Pretty Good Privacy”

First released in 1991, developed by Phil Zimmerman, provoked export control and patent infringement controversy.

Freeware: OpenPGP and variants:

www.openpgp.org, www.gnupg.org

Commercial: formerly Network Associates International, now PGP Corporation at www.pgp.com

OpenPGP specified in RFC 2440 and defined by IETF OpenPGP working group.

www.ietf.org/html.charters/openpgp-charter.html

Available as plug-in for popular e-mail clients, can also be used as stand-alone software.

Functionality similar to S/MIME:

encryption for confidentiality.

signature for non-repudiation/authenticity.

One level of processing only, so less flexible than S/MIME.

Sign before encrypt, so signatures on unencrypted data.

Sigs can be detached and stored separately.

PGP-processed data is base64 encoded and carried inside RFC822 message body.


Web Security


Web security includes:

Security of server

Security of client

Network traffic security between a browser and a server

SSL/TLS

SSH

SET


SSL/TLS

SSL/TLS widely used in Web browsers and servers to support ‘secure e-commerce’ over HTTP.

Built into Microsoft IE, Netscape, Mozilla, Apache, IIS

The (in)famous browser lock.

SSL architecture provides two layers:

SSL Record Protocol

Provides secure, reliable channel to upper layer.

Upper layer carrying:

SSL Handshake Protocol, Change Cipher Spec. Protocol, Alert Protocol, HTTP, any other application protocols.


SSL/TLS Applications

Secure e-commerce using SSL/TLS.

Client authentication not needed until client decides to buy something.

SSL provides secure channel for sending credit card information, personal details, etc.

Client authenticated using credit card information, merchant bears (most of) risk.

Very successful (amazon.com, on-line supermarkets, airlines,…)

Secure e-commerce: some issues.

No guarantees about what happens to client data (including credit card details) after session: may be stored on insecure server.

Does client understand meaning of certificate expiry and other security warnings?

Does client software actually check complete certificate chain?

Does the name in certificate match the URL of e-commerce site? Does the user check this?

Is the site the one the client thinks it is?

Is the client software proposing appropriate ciphersuites?


SSH – Secure Shell


Initially designed to replace insecure rsh, telnet utilities.

Secure remote administration (mostly of Unix systems).

Extended to support secure file transfer and e-mail.

Latterly, provide a general secure channel for network applications.

SSH-1 flawed, SSH-2 better security (and different architecture).


SSH provides security at Application layer.

Only covers traffic explicitly protected.

Applications need modification, but port-forwarding eases some of this (see later).

Built on top of TCP, reliable transport layer protocol.


SSH Applications


Anonymous ftp for software updates, patches...

No client authentication needed, but clients want to be sure of origin and integrity of software.


Secure ftp.

E.g.upload of webpages to webserver using sftp.

Server now needs to authenticate clients.

Username and password may be sufficient, transmitted over secure SSH transport layer protocol.

Secure remote administration.

SysAdmin (client) sets up terminal on remote machine.

SysAdmin password protected by SSH transport layer protocol.

SysAdmin commands protected by SSH connection protocol.

Guerilla Virtual Private Network.

E.g. use SSH + port forwarding to secure e-mail communications.


SET


SET = an open encryption and security specification designed to protect credit card transactions on the internet

Use SSL to secure the communication links

Main requirements

Confidentiality of payment and ordering information

Integrity of all transmitted data

Authentication of cardholder

Authentication of merchant




SET Security Issues


Two pairs of PKs per entity

One pair for signing

One pair for exchanging keys

Assumes full PKI is available

Including revocation

Merchant does not see payment instrument used


How the Web Works – HTTP

Hypertext transfer protocol (http).

Clients request “documents” (or scripts) through URL.

Server response with “documents”.

Documents are not interpreted by http.

Stateless protocol, request are independent.


Web Vulnerabilities


http://www.w3.org/Security/Faq

Revealing private information on server

Intercept of client information

Execute unauthorized programs

Denial of service


How to Secure the Web

Authentication:

Basic (username, password)

Can be used along with cookie

Digest

Access control via addresses

Multi-layered:

S-http (secure http), just for http

Proposed by CommerceNet, pretty much dead

SSL (TLS), generic for TCP

https: http over SSL

IPSec


HTTP Authentication – Basic


Client doesn’t know which method

Client attempts access (GET, PUT, …) normally

Server returns

“401 unauthorized”

Realm: protection space

Client tries again with (user:password)

Passwords in the clear

Repeated for each access


From Basic Authentication to Forms and Cookies


Not all sites use basic authentication

Many instead ask the user to type username/password into a HTML form

Server looks up the user and sends back a cookie

The browser (client) resends the cookie on subsequent requests


HTTP Access Control - Digest


Server sends www-authenticate parameters:

Realm

Domain

Nonce, new for each 401 response

E.G. H(client-IP:timestamp:server-secret)

Algorithm

E.G., MD5

Client sends authorization response:

Same nonce

H(A1), where a1=user:realm:password, and other information

Steal H(A1)

Only good for realm


HTTPS


HTTPS = Secure Hypertext Transfer Protocol

HTTPS is a communications protocol designed to transfer encrypted information between computers over the World Wide Web (WWW)

Essentially an implementation of HTTP

Commonly used Internet protocol using an SSL

Used to enable online purchasing or the exchange of private information and resources over insecure networks


Why HTTPS combines with SSL and How?


HTTPS combines with SSL to enable secure communication between a client and a server

Steps:

Client requests a secure transaction and informs the encryption algorithms and key sizes that it support (by assessing a URL with HTTPS)

Server sends the requested server certificate (encrypted server’s public key, list of supported ciphers and key sizes in order of priority)

Client then generates a new secret symmetric session key based on the priority list sent by the server. Client compares the certificate issued by CA and confirmed that certificate is belongs to the server intended for communication

If valid and certificate confirmed, client encrypts a copy of the new session key it generated with the server public key obtained from the certificate. Then, client sends the new encrypted key to server

Server decrypts the new session key with its own private key.

Upon completed, both client and server have the same secret session key and use to secure communication and data transport.


Secure File Transfer Protocol (S/FTP)


S/FTP is an interactive file transfer program

Similar to ftp

Performs all operations over an encrypted ssh transport

Use many features of ssh such as public key authentication and compression

S/FTP connects and logs into the specified host, then enters an interactive command mode


END OF LECTURE 6


Review Question ( Lab 6 )

1. Discuss the potential perpetrators that can threaten Network security and it goal for attacking network services.

In general network security can been said as a prevention from nosy people from getting data they are not authorized or worse yet, modify messages intended for other recipients. It is concerned with people trying to access remote services that are not authorized to use. Most problems are intentionally caused by malicious people trying to gain some benefit or bring harm to someone else.

2. Network security problems can be divided roughly into FOUR (4) intertwined areas, List and explain in details each area.

· Secrecy, also called confidentiality, has to do with keeping information out of the hands of unauthorized users. It protects against disclosure of information to entities not authorized to have that information. Entities might be people or organization.

· Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a business deal.

· Non-Repudiation deals with signatures. It protects user against the threat that the value or existence of the data might be changed in a way inconsistent with the recognized security policy.

· Integrity control how can you be sure that a message you received was really the one sent and not something that a malicious adversary modified in transit.

3. What is the significance difference between the wireshark output in Task 1 and Task 2; explain in detail the function of IPSec in Task 2?

During Task 1, wireshark successful captured both username and password in File Transfer Protocol (FTP). Username = ‘administrator’ and Password = ‘abc123’. But all these things not happen in Task 2, this is because both username and password are already encrypted even the data are captured. This is because in the Task 2, we using IPSec to secure FTP Transaction. IPSec is one of the solutions to safeguard the transmission of data over FTP from being seen by an unauthorized user. It will protect the information from being manipulated.

4. What is the benefit of using IPSec?

IPSec is typically used to attain confidentiality, integrity, and authentication in the transport of data across insecure channels. Though it's original purpose was to secure traffic across public networks, it's implementations are often used to increase the security of private networks as well, since organizations cannot always be sure if weaknesses in their own private networks are susceptible to exploitation. If implemented properly, IPSec provides a private channel for sending and exchanging vulnerable data whether the data is email, ftp traffic, news feeds, partner and supply chain data, medical records, or any other type of TCP/IP based data.

5. Explain what are AH and ESP in IPSec protocol suite?

· Authentication Header (AH): ties data in each packet to a verifiable signature (similar to PGP email signatures) that allows you to verify both the identity of the person sending the data and that the data has not been altered.

· Encapsulation Payload (ESP): scrambles the data (and even certain sensitive IP addresses) in each packet using hard core encryption. So a sniffer somewhere on the network doesn’t get anything usable.

6. Explain in detail how to enable IPSec option in a Linux environment.

There are different methods in order to enable IPSec in Linux platform. One of the simplest methods to is installing and enables a program named ipsec-tools. IPSec-tools is a package that based on Kame Project’s OpenBSD tools. The newest stable versions 0.72 that can be download at

http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.7.2/.

Methods of Installation:

1) Firstly download ipsec-tools-0.7.2.tar.gz or other version of ipsec-tools from http://sourceforge.net/projects/ipsec-tools/files/ . After download, saves the file on any folder in hard drive and open the terminal and targeted the folder where the ipsec-tools is saved.

2) Make sure that the current user have privilage as root. Switch user to root with “#su root” and includes the password in order to access root account.

3) Extract the file by using command “# tar zxf ipsec-tools-x.y.z.tar.gz” with the x.y.z as the version of the ipsec tools. Example: “# tar zxf ipsec-tools-0.7.2.tar.gz”

4) Next, target the terminal to ipsec-tools-x.y.z (x.y.z = version of ipsec-tools) by using “# cd (location of ipsec-tools folder)”

5) Proceed to install ipsec-tools by using command:

# ./configure --prefix=/usr --sysconfdir=/etc

# make

# make install


6) Wait until installation of ipsec-tools complete

7) For Ubuntu user, user can automatically download and install ipsec-tools by using “sudo apt-get install ipsec-tools” command

Writing the configuration file:

1) Before running ipsec-tools, configuration file must be writing first. The configuration should be name as /etc/ipsec.conf

2) Below is the example of ipsec.conf:

# Configuration for 192.168.1.100

# Flush the SAD and SPD

flush;

spdflush;

# Attention: Use this keys only for testing purposes!

# Generate your own keys!

# AH SAs using 128 bit long keys

add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5

0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5

0x96358c90783bbfa3d7b196ceabe0536b;

# Security policies

spdadd 192.168.1.100 192.168.2.100 any -P out ipsec

esp/transport//require

ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec

esp/transport//require

ah/transport//require;


3) For the example configuration above, the configuration are made for host that using 192.168.1.100 address that interconnect with host that use 192.168.2.100 address. The configuration implements MD5 type encryption that uses 0xc0291ff014dccdd03874d9e8e4cdf3e6 key for connection from 192.168.1.100 to 192.168.2.100 and using 0x96358c90783bbfa3d7b196ceabe0536b key from incoming connection from 192.168.2.100 to 192.168.1.100. Make notes that, the key above are for experiment purposed, make sure that user generated other key for actual use. Next, user need to add security policy that allows outgoing and incoming connection by using #spdadd command.

4) After finish writing configuration, make sure that user change access control of the configuration file in order to been unreadable by other person by using #chmod command. For save use, “chmod 750 ipsec-tools.conf” which allowing full control for owner and only read and execute access for group use while the other should not be able to see the configuration file.

Enabling the IPSec-tools program

1) After finishing writing the configuration, user can enable the IPSec-tools which following the configuration file by using “# setkey -f /etc/ipsec.conf” commands.

2) User also can enable permanently the ipsec-tools by adding “/usr/sbin/setkey -f /etc/ipsec.conf” on /etc/rc.d/rc.local file

7. Are there any other methods to secure FTP connection other than using IPSec? (List at least 3 methods)

i. SQL Server Integration Services)

ii. SFTP (secure FTP with SSH2 protocol)

iii. FTPS (FTP over SSL) site




No comments:

Post a Comment