A Study of Strengths and Weaknesses between Network Security Protocols

1
Group 6
  • A Study of Strengths and Weaknesses between
    Network Security Protocols

Jolie Beckner, Aaron Hayner, Jared Kozel, Jordan Redman, Justin Redman
2
Open System Interconnection Model
  • Defines a seven-layer networking framework

3
Application Set
  • Layer 7 Application Layer
  • Layer 6 Presentation Layer
  • Layer 5 Session Layer

4
Transport Set
  • Layer 4 Transport Layer
  • Layer 3 Network Layer
  • Layer 2 Data Link Layer
  • Layer 1 Physical Layer

5
Secure Sockets Layer/Transport Layer Security
6
Secure Sockets Layer/Transport Layer Security
  • The Internet age of the 1990s brought demand for
    protection of information
  • Implemented by Netscape in 1996
  • Essentially a cryptographic protocol

7
Encryption Protocols
  • Key agreement or establishment
  • Entity authentication
  • Symmetric encryption
  • Secured application-layer data transportation
  • Non-repudiation methodologies

8
Encrypting Data on Internet
9
SSL Advantages
  • Point authentication
  • Message integrity
  • Confidentiality

10
Point Authentication
  • Process of determining the identity of a user
    that is attempting to access a network

11
Message Integrity
  • SSL sends a message digest (a fixed-length
    representation of the message) along with the
    message itself
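As an added example, not part of the presentation, the following Python script shows what the message digest on this slide buys and why it must be keyed: a plain SHA-256 digest can be recomputed by anyone on the path, whereas the HMAC that SSL/TLS actually appends to each record cannot be recomputed without the key both ends derived in the handshake. The key here is a locally generated stand-in, an assumption of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes, fixed regardless of message length

# Constructed sample: stands in for the MAC key both ends derive during the
# handshake (assumed here; generated locally so the example runs offline).
MAC_KEY = os.urandom(32)


def with_unkeyed_digest(message: bytes) -> bytes:
    """Append a plain SHA-256 digest: catches accidental corruption only."""
    return message + hashlib.sha256(message).digest()


def check_unkeyed(record: bytes) -> Optional[bytes]:
    """Recompute the plain digest; return the message, or None on mismatch."""
    if len(record) < DIGEST_LEN:
        return None
    message, tag = record[:-DIGEST_LEN], record[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(message).digest()):
        return None
    return message


def with_mac(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: producing a valid one requires the shared key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, record: bytes) -> Optional[bytes]:
    """Recompute the keyed digest with the shared key; None on mismatch."""
    if len(record) < DIGEST_LEN:
        return None
    message, tag = record[:-DIGEST_LEN], record[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, message, hashlib.sha256).digest()):
        return None
    return message


def alter_in_transit(record: bytes, old: bytes, new: bytes) -> bytes:
    """Model an on-path modification: rewrite the message and recompute the
    only digest that can be recomputed without the key, the unkeyed one."""
    message = record[:-DIGEST_LEN].replace(old, new)
    return message + hashlib.sha256(message).digest()


if __name__ == "__main__":
    msg = b"transfer amount=100 to=alice"
    altered_plain = alter_in_transit(with_unkeyed_digest(msg), b"100", b"900")
    altered_mac = alter_in_transit(with_mac(MAC_KEY, msg), b"100", b"900")
    print("unkeyed digest accepts altered message:", check_unkeyed(altered_plain))
    print("keyed digest rejects altered message:", check_mac(MAC_KEY, altered_mac))
```

The receiver's check uses `hmac.compare_digest` rather than `==` so that the comparison time does not depend on where the tags first differ.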

12
Confidentiality
  • Uses encryption algorithms during the SSL
    handshake

13
Disadvantages
  • Early weak keys could be brute forced

14
SSL Proxy Servers
  • Information is unencrypted the moment it leaves
    the proxy server

15
SSL/TLS Conclusion
  • Although SSL/TLS do have disadvantages, we should
    not toss out the protocol altogether. As a user
    of the Internet, one has to be aware that just
    because they see the padlock in the lower right
    hand corner and https as a prefix, it does not
    mean their information is incapable of getting
    into the wrong hands. It simply means one can
    hope the data was transferred securely to the
    appropriate server, unaltered and not
    intercepted.

16
Secure Shell (SSH)
17
Why do we need SSH?
  • Computer networks are common.
  • It is common for people to have multiple computer
    accounts.
  • Naturally, users want a way to connect to them
    all.
  • Functions: copying files, logging into computers
    remotely, transmitting commands, running
    programs.

18
Why do we need SSH?
  • One could use FTP, Telnet, and rsh; however,
    these protocols lack network security.
  • Example: If a sensitive file is transmitted
    across the Internet, an intruder could intercept
    the file.
  • Approaches: Firewall, encryption, SSH.

19
SSH History
  • SSH was developed in 1995 by Tatu Ylönen at
    Helsinki University of Technology.
  • Goal: To replace the more archaic protocols of
    the time (rlogin, Telnet, rsh), which did not
    guarantee confidentiality or strong
    authentication.
  • This version, named SSH-1, was released in the
    summer of 1995, and 20,000 people in 50 countries
    used it by the end of the year.

20
SSH History
  • In 1996, a revised version, SSH-2, was developed,
    and it was incompatible with SSH-1.
  • SSH-2 improved upon SSH-1, because SSH-1 had
    security, performance, and portability
    weaknesses.
  • Today, SSH is used by over two million people in
    60 countries.

21
What is SSH?
  • Widely-popular, powerful, software-based approach
    to network security.
  • Network protocol and program that allows users to
    establish a secure channel between a local and
    remote computer over an insecure network.

22
How to use SSH
  • Typically run in UNIX environments.
  • Windows-based apps, such as PuTTY, provide a
    UNIX-style terminal for SSHing to remote
    machines.
  • Commonly used commands:
    • ssh hostname // log into a machine
    • ssh hostname command // execute command on
      machine hostname
    • ssh -v hostname // log into machine hostname
      and print debug output

23
Benefits
  • Encryption: Data sent by a computer to the
    network is automatically encrypted by SSH, then
    decrypted by SSH when it reaches the destination;
    this results in transparent encryption.
  • Public-key cryptography

24
Benefits
  • Prevents:
    • Man-in-the-middle attacks
    • Manipulation of data
    • Interception of data
    • IP spoofing
    • IP source routing
  • Prompts for the password three times, then does
    not allow any more tries, and contacts the
    network admin.

25
Weaknesses
  • SSH is dependent on TRUST. As with any encrypted
    protocol, if the people inside do not responsibly
    use SSH, the system can be compromised.
  • SSH-1 did not protect against man-in-the-middle
    attacks and brute force attacks. These issues
    were addressed in SSH-2.

26
Weaknesses
  • Brute force attacks, although supposedly
    protected against in SSH-2, have recently been
    performed with much success.
  • Sebastian Krahmer wrote a threaded SSH-2 brute
    force tool named guess-who, which allows up to
    30 username/password attempts every second!
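The three-attempt limit on slide 24 and the 30-attempts-per-second rate on this slide suggest the obvious defender's check: count failed logins per source address over a short window and flag sources that exceed the limit. The Python script below, added here and not part of the presentation, runs that check over a few constructed OpenSSH auth-log lines (fictitious host and users, TEST-NET addresses); the threshold of three and the 60-second window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of OpenSSH auth-log lines (not from the slides): a
# fictitious host, fictitious users, TEST-NET source addresses.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 08:00:01 bastion sshd[2002]: Failed password for invalid user root from 203.0.113.5 port 40002 ssh2
Mar 10 08:00:01 bastion sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar 10 08:00:02 bastion sshd[2004]: Failed password for alice from 203.0.113.5 port 40004 ssh2
Mar 10 08:00:05 bastion sshd[2010]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Mar 10 08:00:20 bastion sshd[2011]: Accepted password for bob from 198.51.100.7 port 51000 ssh2
Mar 10 08:01:30 bastion sshd[2020]: Failed password for alice from 203.0.113.5 port 40010 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2024) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, source_ip, username) from failed-password lines.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, max_failures: int = 3,
                    window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag every source that exceeds max_failures failed logins inside any
    sliding window; report its busiest window and the usernames tried."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        start, best = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count > max_failures and count > best:
                best = count
                alerts[ip] = {"failures": count,
                              "users": sorted({u for _, u in attempts[start:end + 1]})}
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures within 60 s, usernames tried {info['users']}")
```

Successful logins are deliberately ignored by the regex; a source that fails repeatedly and then succeeds is still worth a look, which is why the report lists the usernames tried.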

27
Secure Copy Protocol (SCP)
28
What is SCP?
  • Securely copies computer files between hosts on a
    network.
  • Available on UNIX or Linux operating systems.
  • SCP uses SSH to provide security and
    authentication.

29
How to use SCP
  • Use the scp command to copy files between
    systems.
  • Use the following command:
    • scp filename1 userid@hostname:filename2

30
Kerberos
31
Kerberos
  • Developed at MIT as part of Project Athena.
  • Kerberos' main goal is to make a simple, secure
    authentication process through:
    • Single Sign On access
    • Using a secret key that is never transferred
      over any network.

32
Kerberos
  • Kerberos uses a trusted third party, the Key
    Distribution Center, which has three major parts
    that contribute to its success:
    • Authentication Server (AS)
      • Authenticates Server to Client
    • Ticket Granting Server (TGS)
      • Provides extra protection so the user password
        is only entered once
    • Service Server (SS)
      • Allows the client to access the service.

33
A Visual Representation
34
Application Server
  • User enters user name and password
  • Request is sent to the AS requesting services
  • AS checks its database for the user
  • AS returns a random key with the service name,
    and the user's long-term key
  • Calls the Ticket Granting Server

35
Ticket Granting Server
  • Generates an initial ticket, or Ticket Granting
    Ticket (TGT), for the user.
  • The session for the TGT is encrypted using the
    user's long-term key.
  • Now that the user has a TGT, the user will not
    need their password again; instead they will just
    have to contact the AS for a ticket but will never
    need to call the TGS again.

36
The Service Server
  • Takes in the user's encrypted session key (called
    the authenticator) and the ticket.
  • The service server then decrypts the session key
    with its long-term key.
  • The authentication from the user to the service
    is now complete.

37
Advantages
  • Password is never sent over the network
  • In order to gain access, the ticket and the
    authenticator are both needed, so if the ticket
    is stolen, it cannot be used on its own.
  • Kerberos is widely used by programmers,
    cryptologists, and security experts, so if there
    is any weakness in the process, it is found and
    fixed quickly.
  • Kerberos is freely available from MIT
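Added example (not from the presentation): a Python model of the AS, TGS and Service Server exchanges described on slides 34 to 37, written to show the two properties this slide claims, that the password never crosses the network and that a ticket is useless without the session key issued alongside it. The cipher (a SHA-256 keystream with an HMAC tag), the PBKDF2 derivation of the long-term key, and the principal names and keys are assumptions of the example, not Kerberos's actual algorithms or encoding.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Toy authenticated encryption (SHA-256 keystream + HMAC-SHA256 tag), assumed
# here so the example runs offline; it stands in for the real Kerberos ciphers.
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    plaintext = json.dumps(fields).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the fields, or None if the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(principal: str, password: str) -> bytes:
    """Both the user and the KDC derive the long-term key from the password (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM/" + principal.encode(), 10_000)

# Constructed KDC database: one user, the TGS key, one service key (all fictitious).
KDC_USERS = {"alice": long_term_key("alice", "correct horse battery staple")}
TGS_KEY = os.urandom(32)
SERVICE_KEYS = {"fileserver": os.urandom(32)}
LIFETIME = 8 * 3600

def as_exchange(username: str):
    """AS: return a TGS session key sealed under the user's key plus a TGT sealed
    under the TGS key. Nothing derived from the password is sent by the client."""
    if username not in KDC_USERS:
        return None
    session = os.urandom(32).hex()
    tgt = seal(TGS_KEY, {"client": username, "key": session, "expires": time.time() + LIFETIME})
    return seal(KDC_USERS[username], {"key": session, "service": "krbtgt"}), tgt

def authenticator(session_key: bytes, username: str) -> bytes:
    """Proves possession of the session key that was issued with a ticket."""
    return seal(session_key, {"client": username, "time": time.time()})

def _check(ticket_key: bytes, ticket: bytes, auth: bytes) -> Optional[dict]:
    """Ticket and authenticator must both verify: a stolen ticket alone fails here."""
    t = unseal(ticket_key, ticket)
    if t is None or t["expires"] < time.time():
        return None
    a = unseal(bytes.fromhex(t["key"]), auth)
    if a is None or a["client"] != t["client"]:
        return None
    return t

def tgs_exchange(tgt: bytes, auth: bytes, service: str):
    """TGS: verify TGT + authenticator, issue a service ticket and a fresh service session key."""
    t = _check(TGS_KEY, tgt, auth)
    if t is None or service not in SERVICE_KEYS:
        return None
    svc_session = os.urandom(32).hex()
    ticket = seal(SERVICE_KEYS[service], {"client": t["client"], "key": svc_session, "expires": t["expires"]})
    return seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service}), ticket

def service_accept(service: str, ticket: bytes, auth: bytes) -> Optional[str]:
    """SS: open the ticket with its own long-term key, then check the authenticator."""
    t = _check(SERVICE_KEYS[service], ticket, auth)
    return None if t is None else t["client"]

def client_login(username: str, password: str) -> Optional[dict]:
    """Client: only the right password yields the key that opens the AS reply."""
    reply = as_exchange(username)
    if reply is None:
        return None
    part = unseal(long_term_key(username, password), reply[0])
    if part is None:
        return None
    return {"user": username, "tgt": reply[1], "tgs_key": bytes.fromhex(part["key"])}

def client_access(state: dict, service: str) -> Optional[dict]:
    """Client: TGT + authenticator to the TGS, then ticket + authenticator to the service."""
    reply = tgs_exchange(state["tgt"], authenticator(state["tgs_key"], state["user"]), service)
    if reply is None:
        return None
    svc_key = bytes.fromhex(unseal(state["tgs_key"], reply[0])["key"])
    return {"granted_to": service_accept(service, reply[1], authenticator(svc_key, state["user"])),
            "ticket": reply[1]}

if __name__ == "__main__":
    session = client_login("alice", "correct horse battery staple")
    print("service granted to:", client_access(session, "fileserver")["granted_to"])
```

The model also shows where the KDC weakness on the next slide comes from: `TGS_KEY` and `SERVICE_KEYS` live only on the KDC, so whoever reads them can mint tickets for any client.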

38
Disadvantages
  • The DES algorithm that Kerberos uses, once
    considered unbreakable, is now believed to be
    crackable.
  • Because Kerberos uses the Key Distribution
    Center, if someone gains administrative access to
    the KDC, they have just gained access to the
    entire Kerberos system.
  • Kerberos was only created for a single-user
    system; in the case of a multi-user system it
    becomes highly vulnerable.
  • When using a UNIX-based operating system, it is a
    very tedious process to transfer passwords from a
    UNIX database to a Kerberos database.

39
IPSec
40
IPSec
  • What is IPSec?
    • Protocol used with IP to deliver data privacy,
      integrity, authenticity, and anti-replay
      protection
    • Devices must share a public key
    • Allows the implementation of VPNs (Virtual
      Private Networks)
  • Has two different modes:
    • Tunnel
    • Transport

41
VPN
  • Virtual Private Networks are established by using
    the IPSec protocol to provide only authorized
    access to a network

42
Networks
  • When setting up networks, it is important to
    apply the security features that IPSec has to
    make the network more secure

43
Transport Mode
  • Used for LANs
  • Sending UDP (User Datagram Protocol) datagrams
  • Header is not encrypted, only the payload

44
Tunnel Mode
  • Used for large networks
  • Allows a tunnel to be created between a host or
    network and a user
  • Entire IP packet is encapsulated into a new
    packet (including header)

45
Transport vs. Tunnel Modes
  • Transport Mode
    • Encrypts just the payload
  • Tunnel Mode
    • Encrypts the entire IP packet
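Added example (not from the presentation): Python code that builds both packet layouts from slides 43 to 45 and reports what an on-path observer can read from each. In transport mode the original IP header stays in the clear and ESP covers only the UDP segment; in tunnel mode the whole original packet, header included, sits inside ESP behind a new outer header carrying only the gateway addresses. The hand-packed IPv4/UDP/ESP headers, the XOR used in place of the ESP cipher, the omitted ESP trailer and ICV, and all addresses and keys are assumptions of the example.

```python
import struct
from itertools import cycle
from socket import inet_aton, inet_ntoa

IPPROTO_UDP, IPPROTO_ESP = 17, 50
# version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
IP_HDR = "!BBHHHBBH4s4s"

# Constructed demo key; the XOR below is a stand-in for the ESP cipher so the
# example runs offline. It is NOT a real cipher, and the ESP trailer/ICV are omitted.
DEMO_KEY = bytes(range(1, 17))


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (checksum left zero; a real stack fills it in)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst))


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_protect(spi: int, seq: int, inner: bytes, key: bytes) -> bytes:
    """ESP: SPI and sequence number in the clear, then the protected payload."""
    return struct.pack("!II", spi, seq) + _xor(inner, key)


def esp_unprotect(esp: bytes, key: bytes) -> bytes:
    return _xor(esp[8:], key)


def transport_mode(src: str, dst: str, segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: original IP header kept (protocol becomes ESP); only the payload is protected."""
    esp = esp_protect(spi, seq, segment, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src: str, gw_dst: str, original_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the entire original packet, header included, goes inside ESP
    behind a new outer header that names only the two gateways."""
    esp = esp_protect(spi, seq, original_packet, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_decapsulate(packet: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip the outer header and ESP to recover the inner packet."""
    return esp_unprotect(packet[20:], key)


def observer_view(packet: bytes) -> dict:
    """What an on-path observer can read from the unprotected parts of the packet."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    view = {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto, "ports": None, "spi": None}
    if proto == IPPROTO_UDP:
        view["ports"] = struct.unpack("!HH", packet[20:24])
    elif proto == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", packet[20:24])[0]
    return view


if __name__ == "__main__":
    udp = udp_datagram(5000, 53, b"constructed query")
    plain = ipv4_header("10.0.0.2", "10.0.0.9", IPPROTO_UDP, len(udp)) + udp
    print("clear    :", observer_view(plain))
    print("transport:", observer_view(transport_mode("10.0.0.2", "10.0.0.9", udp, 0x1001, 1, DEMO_KEY)))
    print("tunnel   :", observer_view(tunnel_mode("198.51.100.1", "203.0.113.1", plain, 0x1002, 1, DEMO_KEY)))
```

Transport mode still exposes the real endpoints and the fact that they are talking; tunnel mode hides both behind the gateway pair, which is why it is the mode used for site-to-site VPNs.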

46
Security Provided
  • Provides authentication of another user over the
    network
  • Encrypting traffic sent and received
  • Integrity validation for unmodified packets
  • Anti-Replay, for session looping

47
Strengths
  • Provided the first security for the IP datagram
  • Best available IP security protocol
  • Low cost for extra security
  • Reduces congestion at Hubs due to VPN tunneling

48
Weaknesses
  • Too much flexibility
  • Ambiguities in definitions
  • Multiple ways to invoke functions
  • The main algorithm involved, DES (Data Encryption
    Standard), has a finite number of possible
    encryptions

49
Internet Key Exchange
50
Internet Key Exchange
  • Why IKE?
    • Network vulnerability
    • Inadequacy of previous methods
    • Satisfy layer 3 of the OSI model

51
  • Combination of older security methods:
    • ISAKMP
    • Oakley
    • SKEME

52
IKE Diagram
  • Two-step implementation:
    • One: Encapsulation/encryption of header,
      authentication
    • Two: Manage information using a predefined
      protocol

53
Message Transfer Main Mode
  • Abbreviation definitions: i = initiator; r =
    responder; hdr = ISAKMP header; hdr* = ISAKMP
    header followed by encrypted payloads; sa =
    security association payload; ke = key exchange
    payload; nonce = nonce payload; id =
    identification payload; hash = hash payload
54
Message Transfer Aggressive/Quick Modes
55
Advantages of IKE
  • Excellent for Peer-to-Peer Transfer Security
  • Encryption Ensures Only Sender/Receiver Have
    Access

56
Disadvantages of IKE
  • Unable to Secure Large Scale Traffic
  • Users Not Required to Identify Themselves
  • Creates Uncertainty and Security Vulnerabilities

57
Questions?