Lectures on 18.10.2000
Information Security
1st lecture 12.15-13.00: Information Security by Openness
• Information Security
• Openness
• Security by Openness vs. Security by Obscurity
• GSM Security
• Trusted functionality
• Conclusions and Summary
2nd lecture 13.15-14.00: Internet Security
• How Secure is the Internet?
• Basic and Enhanced Security Level
• Threats against the Security of IP Networks
• Some Cryptographic Solutions: VPN, SSL, SSH, PGP
• IPSEC
• Some Guidelines for Security
Information Security
• Information security means the protection of valuable information against unauthorized disclosure, modification or deletion, as well as guaranteeing its constant availability for legitimate use
• There are two basic philosophies for implementing security:
• Security by obscurity
• Security by openness
• The security of an information system should never be based on the secrecy of its design
• However, not disclosing all the details can add to the security of an otherwise secure system
Openness
• Openness has several aspects:
• Open specifications
• Open source code
• Open communications protocols
• Open application program interfaces (API)
• The major obstacles to openness are:
• Greed of vendors
• Stupidity of customers
• Tendency of governments to spy on and control foreign nations as well as their own citizens and companies
• Openness is a must if we ever want to get our increasingly complex information systems under control
Openness vs. Obscurity
• The only known way to gain assurance in the security of any system is to base its design on components and methods that are public and open for criticism
• Solutions that are not open are not topics for scientific discussion
• Not disclosing all the details of the design of a system may add to its security but the security of a system should not depend on the secrecy of its design
• Today even the most critical systems of administration and defense of the EU are based on US exports of unknown design
• The reason for this (hopefully) is ignorance
• We need to do something about this fast
Security of Cryptosystems
• Cryptosystems can be either unconditionally or computationally secure (some are not secure at all)
• An unconditionally secure cryptosystem cannot be broken by an attacker with any amount of collected information
• A computationally secure cryptosystem is believed to be so strong that it cannot be broken within a reasonable time with any possible means
• The only unconditionally secure cryptosystem is the one-time pad, which is impractical
• All widely used cryptosystems are believed to be computationally secure
• A cryptosystem cannot be shown to be strong, only weak
• Therefore, openness of the design is a necessary condition for the security of a cryptosystem
GSM - a Case Study
• As a well-known and widely used system, GSM and its security solution provide a good example of security through obscurity
• The original goal of GSM security was to offer approximately the same level of security as does the fixed telecom network (at its best GSM may reach up to this level)
• The "secret" algorithms used in GSM have leaked out
• The authentication and key management protocols most widely used (i.e. COMP128) have been broken
• The encryption scheme used (i.e. A5) could be stronger
• Worst of all is the security architecture that provides no symmetry between the customer and operator and assumes complete trust by the customer in all the operators
• With good will and an open design GSM security could have been made orders of magnitude stronger
GSM Security Mechanisms
• Security was designed into GSM from the beginning
• The security system is based on asymmetric encryption
• The cryptosystems specified by ETSI (A3, A5 and A8) are not public (and therefore cannot be considered strong)
• A5 was published in Bruce Schneier's book "Applied Cryptography"
• A3 and A8 are operator-specific and can be changed
• Currently almost all operators use the "secret" COMP128 algorithm, whose C code can be found on the Internet
• In a GSM network, the AUC of the user's HLR knows the identifying key Ki, which is also stored on the user's SIM card
• The AUC generates a 128-bit random number (RAND), to be used as a challenge, and computes the response (SRES) and connection key Kc based on RAND
• The triplet: (RAND, SRES, Kc) is transferred through the fixed network to the visitor location register serving the user
GSM Terminology
Some concepts related to GSM authentication and encryption:
• AUC = Authentication Center
• HLR = Home Location Register
• VLR = Visitor Location Register
• BSS = Base Station Subsystem
• BTS = Base Transceiver Subsystem
• MS = Mobile Station
• SIM = Subscriber Identity Module (smart card)
• A3 – a cryptosystem for authenticating the user
• A5 – a cryptosystem for encrypting the traffic
• A8 – a cryptosystem for generating the connection key Kc
• Ki – a 128-bit key identifying the user, used with A3 and A8
• Kc – a 64-bit connection key used with A5, Kc=A8(RAND, Ki)
• RAND, 128-bit random number generated by the AUC
• SRES, 32-bit response for authentication, SRES=A3(RAND, Ki)
GSM Authentication and Encryption
[Figure: GSM authentication and encryption. In the AUC on the HLR side, the RNG produces RAND; A3 and A8 with Ki produce SRES and Kc; the triplet (RAND, SRES, Kc) is passed from the HLR to the VLR. The VLR sends RAND over the radio link to the MS, whose SIM computes SRES with A3 and Kc with A8 from RAND and Ki; the VLR compares the returned SRES with the one in the triplet. Kc is then used by A5 in the MS and in the BSS/BTS to encrypt voice/data on the radio link.]
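The challenge-response flow in the figure, as an added Python simulation that is not part of the lecture. A3 and A8 are operator-specific and secret, so HMAC-SHA256 keyed with Ki stands in for them here (an assumption), keeping the interfaces SRES = A3(RAND, Ki) and Kc = A8(RAND, Ki) and the GSM field sizes; the IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the operator-specific A3/A8 algorithms (assumption:
# HMAC-SHA256 keyed with Ki, truncated to the 32-bit SRES and 64-bit Kc sizes).
def a3(rand: bytes, ki: bytes) -> bytes:
    """SRES = A3(RAND, Ki): 32-bit authentication response."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand: bytes, ki: bytes) -> bytes:
    """Kc = A8(RAND, Ki): 64-bit connection key for A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AUC:
    """Authentication Center: the only network element holding Ki."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)                  # IMSI -> 128-bit Ki

    def triplet(self, imsi, rand=None):
        """Produce (RAND, SRES, Kc); rand may be fixed for reproducible tests."""
        if rand is None:
            rand = secrets.token_bytes(16)            # 128-bit challenge from the RNG
        ki = self._ki[imsi]
        return rand, a3(rand, ki), a8(rand, ki)

class SIM:
    """Subscriber Identity Module: holds the same Ki as the AUC."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        """Answer the challenge; returns (SRES, Kc). Ki never leaves the card."""
        return a3(rand, self._ki), a8(rand, self._ki)

class VLR:
    """Visitor Location Register: fetches a triplet via the HLR and runs the check."""
    def __init__(self, auc):
        self._auc = auc

    def authenticate(self, sim, rand=None):
        """Return Kc on success, None on failure; only RAND and SRES cross the air."""
        rand, sres_expected, kc = self._auc.triplet(sim.imsi, rand)  # fixed network
        sres, _kc_ms = sim.respond(rand)                              # radio link
        if not hmac.compare_digest(sres, sres_expected):
            return None
        # Both ends now hold Kc for A5. Note the asymmetry the lecture criticises:
        # the MS has no way to check that the challenger really is its operator.
        return kc
```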
GSM Security
• GSM encryption only covers the radio link
• Practically all GSM operators have unencrypted radio links in their fixed networks
• Because GSM encryption is not end-to-end, software bugs in GSM switches constantly cause security problems; some cases known by the author are:
• Switching a call over to another party in connection with a hand-over
• The unwanted joining of a third party into a phone call
• Local authorities can always connect to the fixed network
• Just anybody (e.g. foreign embassies) can listen to the radio link, which therefore should be strongly encrypted
• The officials of USA, France and many other countries are believed to easily break the safeguards of GSM
• The weakened cryptographic algorithms used make massive eavesdropping of the radio link possible
Trusted Functionality
• Implementing security in information systems requires some trusted functionality that we believe to behave well
• US made microprocessors, operating systems, applications and communications devices (such as routers) are the basis of practically all modern information systems
• The internal design of these components is secret
• Their exports are tightly controlled
• They are known to include undocumented features, such as:
• Undocumented instructions and unaccounted for areas of silicon in the Pentium processor
• Encryption keys in the MS WinNT operating system
• A demo version of Flight Simulator in Microsoft Excel and that of Doom in Microsoft Word
• The mission critical functions of the entire world are based on technologies coming from the world's only superpower and known to contain undocumented and undesirable features
Open Source Software
• Open source software (such as Linux and FreeBSD) is generally distributed under the GNU or Berkeley license
• Open source software, like all software, has bugs, but it is possible for anybody to review and modify the source code and compile it in their own machine
• The critique of the world-wide software community is the best way to achieve software quality
• Therefore, open source software should be used at least in the critical parts of all information systems
Some Stuff Relevant to Data Security
• Key components of the network:
• Routers
• Firewalls
• Servers
• Use of encryption (IPSEC/ISAKMP)
• Public Key Infrastructure
• Trusted Computing Base (TCB)
• The software and hardware vital to the security of a system should be minimized
• The trusted user interface has to include a keyboard and a display - a smart card alone is not enough
• A great business opportunity for a company such as Nokia
• A working Public Key Infrastructure (PKI)
• The irrational concept of trust
Summary
• Data security is a key requirement of the information society
• Openness is the best known way to achieve security
• GSM is a good example of security through obscurity (it gives you a warm fuzzy feeling with no real security)
• Some of the biggest single threats are constituted by the Wintel machines and other US exports of secret design
• At least the key components of an information network, central to its security, should be open source
• Internet is the core of modern information technologies
• Some amount of trusted computing base is always needed
• Likewise a working PKI
• Some amount of trust is always necessary for security
• Unfortunately we don't currently even have methods for describing and analyzing trust
How Secure is the Internet?
• Internet spans the entire world
• It has over 100,000,000 users
• It crosses geographic, national and cultural boundaries
• It was originally designed to facilitate communications between any two machines, not to implement security
• We can with reasonable certainty assume that:
• There are lots of crooked users connected to Internet
• Crooked parties are operating large parts of it
=> We have to assume the Internet to be totally untrustworthy
• However, there are ways of implementing secure communications over an untrusted network
• This can be achieved through the use of cryptography
• While encryption is not a solution to most security needs, it is an essential part of any solution in open information networks
Basic Security Level
Basic security level, which applies to the whole network and all of its applications, can be implemented by traditional means:
• Proxy based firewall between intranet and Internet
• Security features of routers (access control lists, filters etc.)
• Switched LANs
• Planning and documentation of the network and its cabling
• Authenticating the dial-up users (call-back and/or preferably RADIUS but also TACACS authentication server)
• Well chosen, sufficiently long and periodically changed passwords
• Proper care in authorization
• Motivation, training and education of the personnel
• Adequate physical security
• Encrypted tunneling (VPN) between the sites
Enhanced Security Level
• Where the basic security level is not adequate, it can be enhanced by using strong cryptography:
• Secure E-mail (PGP)
• Secure WWW (HTTPS)
• Secure remote sessions (SSH)
• Secure IP (IPSEC)
• Strong cryptography can be used to achieve a very high level of security where needed
• IPSEC offers the most generic security protocol for a variety of needs in the Internet, intranet and extranet
On the security of IP networks
• Modern routers often have extensive packet-filtering capabilities, such as Access Control Lists (ACL)
• The security level of a router network cannot be higher than that of the routing protocol used (e.g. OSPF, RIP or EIGRP)
• Current routing protocols are not safe
• Some typical attacks against the security of an internetwork:
• The use of source routing
• IP spoofing
• Spoofing the routing protocol
• The use of ICMP redirect
• Capturing a TCP connection
• Falsifying UDP messages
• Spoofing the DNS
• Denial-of-service attacks include the following:
• TCP SYN flooding
• The "ping of death" and other killer packets
Source routing in IP spoofing
[Figure: hosts A and B, routers R1, R2 and R3, and attacker X. Path A => X => B: X's request reaches B carrying A's source address and a source route through X. Path B => X => A: B's reply follows the (loose) source route back through X.]
• X uses source routing and IP spoofing to act as A towards B
• B replies to the request by using (loose) source routing
• B now thinks it is talking with A and A knows nothing of this
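A defensive counterpart to the source-routing and spoofing attacks above, added here as example code (not lecture material): a border-router ingress check that drops packets carrying IP source-route options and packets whose source address cannot legitimately arrive on that interface. The header builder produces constructed sample input; the option type numbers are those of RFC 791.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137   # IPv4 option types: loose / strict source route (RFC 791)

def build_ipv4(src, dst, options=b"", proto=6):
    """Constructed sample input: minimal IPv4 header, checksum left at zero."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

def ipv4_options(packet):
    """Yield (type, data) for every option in the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation (single byte)
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option")
        yield kind, packet[i + 2:i + length]
        i += length

def ingress_verdict(packet, from_external, internal_nets):
    """Decide accept/drop for a packet entering a border router on one interface."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    src = ipaddress.ip_address(packet[12:16])
    if any(kind in (LSRR, SSRR) for kind, _ in ipv4_options(packet)):
        return "drop", "source-routed packet"      # removes the A => X => B path
    internal_src = any(src in n for n in nets)
    if from_external and internal_src:
        return "drop", "internal source address arriving from outside (spoofed)"
    if not from_external and not internal_src:
        return "drop", "external source address leaving the intranet (egress filter)"
    return "accept", "ok"
```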
Spoofing the routing protocol
• X advertises to routers R1 and R2 a free route to A and B
• All traffic between A and B now flows through X
• A and B do not notice anything
[Figure: hosts A and B, routers R1 and R2, and attacker X. X announces "to B via X free!" to R1 and "to A via X free!" to R2; the A => B and B => A traffic now passes through X.]
Other attacks
• TCP capturing
• A TCP connection can be captured by using a readily available piece of software (such as the "Juggernaut")
• UDP spoofing
• The spoofing of connectionless UDP is a lot easier
• Eavesdropping
• An ordinary PC can easily function as a network analyzer that can listen to all traffic in the local LAN segment
• ICMP redirect
• Much like the spoofing of a routing protocol, the ICMP redirect message can be used to reroute IP traffic
• DNS spoofing
• Domain Name Service (DNS) as such has no security
• False information can be fed into the DNS
• DNS messages can be changed in transit
• It is possible to masquerade as a domain name server
Cryptographically Secured Virtual Networks
• The concept depicted below can be used to securely transfer intranet traffic over an untrusted backbone (e.g. Internet)
• Despite the many benefits there doesn’t seem to be a market for this type of solution
[Figure: three "trusted" LANs, each connected through a crypto server over an untrusted backbone network (Internet), forming a cryptographically secured virtual private network.]
Secure Socket Layer (SSL)
• Advocated and patented by Netscape
• Works with TCP (or a comparable transport protocol) under HTTP or another application layer protocol
• Facilitates authentication, integrity and confidentiality
• Allows the use of various cryptosystems
• Most implementations used outside the US use 40-bit keys which are easy to crack
• In March 2000, the US government eased on the export restrictions (should we trust them?)
• SSL v2 has security flaws
• With strong cryptography and full-length keys (e.g. RC4 with 128-bit keys) SSL v3 is believed to be secure
• The Transport Layer Security (TLS) protocol of IETF (RFC-2246, proposed standard, January 1999) is based on SSL
• An X.509 certificate (by Verisign Inc.!) is essential to SSL
Secure Shell (SSH)
• Finnish software package that implements secure (authenticated, integral and confidential) login sessions over the Internet or other untrusted network
• SSH can also be used to encrypt X-windows sessions
• Authentication based on RSA, integrity and confidentiality on symmetric encryption (IDEA, 3DES, DES, RC4,...)
• Cryptographic functions are unweakened (made entirely outside the US)
• Available for the most important environments (including Windows workstations and Unix servers/workstations)
• SSH is indispensable for remote administration of network servers
• It is also direly needed for management of routers & switches
IPSEC
• IP Security Architecture (IPSEC) is defined in RFC-2401 "Security Architecture for IP", November, 1998
• RFC-2401 only deals with security of the IP layer and it covers the following:
• Security Protocols -- Authentication Header (AH) and Encapsulating Security Payload (ESP)
• Security Associations -- what they are and how they work, how they are managed, associated processing
• Key Management -- manual and automatic (The Internet Key Exchange, IKE)
• Algorithms for authentication and encryption
• IPSEC can be used with IPv4 and it is an integral part of IPv6
• IPSEC provides generic security at the IP level for the use of any IP application
• IPSEC will be the basis of Internet security
IPSEC
• IPSEC adds two new headers to the IP protocol:
• Authentication Header (AH) for purposes of message authentication and integrity, RFC-2402 (November, 1998)
• Encapsulating Security Payload (ESP) header for encryption of the user data, RFC-2406 (November, 1998)
• IPSEC can be used in several ways:
• host-to-host
• gateway-to-gateway
• host-to-gateway
• The Internet Security Association and Key Management Protocol (ISAKMP) is defined in RFC-2408 (November, 1998)
• ISAKMP really is a complex framework for setting up and managing security associations rather than a protocol
• Internet Key Exchange (IKE, RFC-2409) is used with ISAKMP
• Once a security association is set up, IPSEC can operate
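Added example, not from the lecture and not from any IPsec implementation: a transport-mode AH sender and receiver in Python, showing which IPv4 fields the AH integrity check covers once an SA (key, SPI) is in place. It assumes HMAC-SHA-1-96 (RFC 2404) as the authentication algorithm and a 20-byte IP header without options; the header, key and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number of the Authentication Header
AH_FIXED = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12       # HMAC-SHA-1-96 (RFC 2404): MAC truncated to 96 bits

def sample_ipv4(src: bytes, dst: bytes, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, proto, 0, src, dst)

def _zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields that change in transit (RFC 2402 sect. 3.3.3.1.1.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # Header Checksum
    return bytes(h)

def _icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the immutable IP fields, the AH with a zeroed ICV, and the payload."""
    covered = _zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_wrap(key, ip_hdr, payload, spi, seq):
    """Sender: IP hdr | AH | payload, with Protocol=51 and Total Length adjusted."""
    if len(ip_hdr) != 20:
        raise ValueError("this example handles headers without options only")
    h = bytearray(ip_hdr)
    next_hdr, h[9] = h[9], AH_PROTO                     # original protocol moves into AH
    h[2:4] = struct.pack("!H", 20 + AH_FIXED + ICV_LEN + len(payload))
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2         # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)
    return bytes(h) + ah_fixed + _icv(key, bytes(h), ah_fixed, payload) + payload

def ah_verify(key, packet):
    """Receiver: return (ok, spi, seq, next_hdr, payload); ok is False on tampering."""
    ip_hdr, ah_fixed = packet[:20], packet[20:20 + AH_FIXED]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    icv_len = (payload_len + 2) * 4 - AH_FIXED
    if ip_hdr[9] != AH_PROTO or icv_len != ICV_LEN:
        return False, spi, seq, next_hdr, b""
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    ok = hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload))
    return ok, spi, seq, next_hdr, payload
```

A router decrementing TTL leaves the check intact, while any change to the addresses, the AH fields or the payload fails it; the sequence number is what an anti-replay window at the receiver would track.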
Some Guidelines for Security
• The pieces of critical functionality that could cause the security of large systems to fail must be minimized
• At least all these pieces have to be based on open designs and it must be possible to audit their security
• The defenses of information networks shall have adequate depth so that attackers can be stopped and eliminated before they reach their ultimate goals
• All systems with low security functionality or assurance shall be hidden from the intruder behind stronger defenses
• Critical systems shall be built with enough redundancy and technical variety so that they cannot reasonably fail totally
• Open protocols and document formats shall be used in all communications
• The encryption methods, their implementations and public key infrastructure used shall be trustworthy
• This is almost the exact opposite of the prevailing situation!