netprog 2002 - kerberos1 kerberos 雅典娜计划的一部分 (mit) 。...

Netprog 2002 - Kerberos 1

Kerberos

• 雅典娜计划的一部分 (MIT) 。• 可信的第三方认证方案。• 假定主机是不可信的• 要求每个 client ( 对每次业务请求 ) 证

明其身份 .• 不要求用户每次业务请求都输入密码 !


Kerberos Design

• 用户必须在工作站会话开始的时候验证自己 ( 登录会话 ).

• 密码永远不在网络中明文传输 ( 或在存储器中存储 )


Kerberos Design (cont.)

• 每个用户有一个口令 .

• 每个业务有一个口令 .

• 知道所有口令的唯一实体是认证服务器 .


ServerServerServerServerServerServerServerServer


KerberosKerberosDatabaseDatabase

Ticket GrantingTicket Granting ServerServer


AuthenticationAuthentication ServerServer


WorkstationWorkstationWorkstationWorkstation

Kerberos Key Distribution ServiceKerberos Key Distribution Service


Tickets

• 每个业务请求需要一个 ticket.

• 一个只能用于单个用户访问单个服务器 .


Tickets (cont.)

• Tickets 由 “ Ticket Granting Server” (TGS) 分发 ,TGS 有所有的加密密钥 .

• Tickets 对 clients 是无意义的 , clients 只是用他们接入服务器 .


Tickets (cont.)

• TGS 用服务器的加密密钥加密每个ticket

• 加密的 tickets 可在网上安全传输，只有服务器可以解密 .

• 每一 ticket 有有限的生存期 ( 几个小时 ).


Ticket Contents

• Client 名 ( 用户登陆名 )• Server 名• Client 主机网络地址• Client/Server 会话密钥• Ticket 生存期• 产生时戳


会话密钥

• 分配给会话的随机数 .• 会话密钥用于加密 client 和 server 间

的请求和响应


Authenticators

• 信任状证明 client 身份 .• 包括

Client 用户名 . Client 网络地址 . 时戳 .

• 信任状以 session key 加密 .


Bootstrap

• 每次 client 要访问要申请新的 ticket.• 为了从 TGS 获得 ticket, client 必须

已经有 TG ticket 和一个会话密钥与TGS 通信 !


Authentication Server• Client 向 AS 发送明文请求以获得一个

ticket 用于和 TGS 通信。• 请求 :

login name TGS name

由于这个请求只包括公开的名字，不需要加密 .


Authentication Server• AS 找到与登陆名和 TGS 名对应的密

钥 .• AS 生成一个 ticket:

login name TGS name Client 网络地址 TGS 会话密钥

• AS 以 TGS 秘密密钥加密此 ticket.


Authentication Server Response

• AS 同时产生一个随机会话密钥供client 和 TGS 使用 .

• 会话密钥和加密的 ticket 以用户的秘密密钥加密 .

TGS session key

Ticket:login nameTGS namenet addressTGS session key

Sealed with user keySealed with user key

Sealed with TGS keySealed with TGS key


Accessing the TGS

• Client 以用户口令作为秘密密钥解密消息 .

• Client 这时获得了会话密钥和与 TGS 通信的 ticket.

• Client 看不到 ticket 内部的内容 , 因为client 不知道 TGS 的秘密密钥 .


• 当 client 想开始使用服务 ,client 必须首先获得一个 ticket.

• Client 构造一个请求发送给 TGS:

Accessing a Server

TGS Ticket

Authenticator

Server Name

sealed withsealed withTGS keyTGS key

sealed withsession key


TGS response• TGS 用其秘密密钥解密 ticket 获得 TGS

会话密钥 .• TGS 用会话密钥解密信任状 .• TGS 检查验证登陆名， client 地址和

TGS server 名都正确 .• TGS 验证信任状是最新的 .


TGS Response一旦所有验证通过， TGS:• 产生一个 ticket 使 client 用于请求的

server. Ticket 用 server 密钥加密 .• 产生一个会话密钥• 以 TGS 会话密钥加密整个消息发回给

client.


Client accesses Server

• Client 以 TGS 会话密钥解密 TGS 响应 .

• Client 现在获得了与服务器通信的会话密钥和 ticket.

• client 用与和访问 TGS 一样格式的数据访问服务器。


Kerberos Summary

• 每业务请求需要一个 ticket.• Tickets 来源于 TGS ( 除了访问 TGS

的 ticket).• 工作站不能解密用服务器密钥加密的

tickets.• 每个 ticket 有个相应的 session key.• Tickets 不能重用 .


Kerberos Summary (cont.)

• Tickets 有有限的生命期 .• 信任状只能使用一次 .• 信任状失效的更快 !• 服务器维护一个信任状列表




KerberosKerberosDatabaseDatabase





WorkstationWorkstationWorkstationWorkstation

Kerberos Key Distribution ServiceKerberos Key Distribution Service


SSL Protocol Version 3.0 and OpenSSL-0.9.6a

Viraj Bhatmail :[email protected]


SSL Protocol

Goals of the SSL protocol v 3.0 in the order of their priority

Cryptographic security Interoperability Extensibility Relative Efficiency


SSL Protocol Layer

SSL protocol runs on the TCP/IP and below the HTTP and IMAP

HTTP LDAP IMAP

Secure Sockets Layer

TCP/IP Layer

Application Layer

Network Layer


SSL Handshake

CL

IEN

T

SE

RV

ER

1)Client sends SSL version number,Cipher Settings,randomly generated data

2)Server sends SSL version number,Cipher Settings,randomly generated data3)Client uses the info of STEP2 for SERVER AUTHENTICATION if Failed TERMINATE if Successful go to STEP 4

4)PreMaster Secret Generated for the session, encrypts it with the Server’s Public Key

5)If Server Requested for CLIENT AUTHENTICATION:Client Sends Signed Data & Encrypted PreMaster Secret (This is Optional)

6)Server Authenticates Client, if failure TERMINATE else decrypt PREMASTER SECRET to generate MASTER SECRET

7)Both the Client and Server use the Master Secret to Generate Session keys

8) and 9)Client and Server sends messages to each other that Handshake is finished


Handshake Protocol Implementation

Client ServerClientHello -------------------------------------------> ServerHello Certificate*

ServerKeyExchange*

CertificateRequest* <------------------------------------------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished ---------------------------------------------->

[ChangeCipherSpec] Finished Application Data <------------------------------------> Application Data


Server Authentication Step 3

CA=Certificate Authority

DN=Distinguished Name of the issuing CA

Figure shows how a Netscape Client authenticates the Server’s certificate Netscape specific


Client Authentication Step 5


Session and Connection States SSL Session is stateful it is the responsibility of

the Handshake Protocol to coordinate states of the client and server

Changes state when it receives the change cipher spec message

Client receives change cipher spec message it copies pending read state to current read state

Server receives change cipher spec message it copies pending write state to pending write state


SSL Session States SSL Session may include multiple secure connections.This

state includes the following elements: session identifier: an arbitrary byte sequence peer certificate:X509.v3 certificate of the peer compression method:compress data prior to

encryption cipher spec: specifies bulk data encryption

algorithm and a MAC(message authentication codes) algorithm

master secret : 48 byte secret is resumable : a flag to indicate whether a

new session can be instantiated


SSL Connection States The Connection State includes the following

server and client random : byte sequences server write MAC secret : secret in MAC operations client write MAC secret server write key : bulk cipher key client write key initialization vectors : initialized in the Handshake sequence numbers : for each connection, for

change cipher spec sequence no are set to 0(zero)


SSL Record Layer The SSL Record Layer receives data

from higher layers in non empty blocks of arbitrary size.The SSL Record Layer: Fragments : into SSLPlaintext records of

2^14 bytes Record Compression and Decompression:

The fragmented data is then compressed to to a length of not more than 1024 bytes and Decompressed to a length of 2^14 bytes at the receiving end


Change Cipher Spec Protocol Exists to Signal Transitions in ciphering

strategies.This is encrypted and compressed under the current CipherSpec Struct {

enum { change_cipher_spec(1), (255) } type;

}ChangeCipherSpec; Cipher Spec Message is sent by both client and

Server. Client sends one message after handshake and other

after certificate verify messages Server sends one after after is received successfully

processing the key exchange message from the client


Alert Protocol Alert Messages convey the severity of the

message and the description of the alert Fatal Level : Immediate termination of the Connection Warning Level :Connection is not affectedenum { warning(1), fatal(2), (255) } AlertLevel; enum { close_notify(0), unexpected_message(10),

bad_record_mac(20), decompression_failure(30), handshake_failure(40), no_certificate(41), bad_certificate(42), unsupported_certificate(43), unsupported_certificate(43), certificate_revoked(44), certificate_expired(45), certificate_unknown(46), illegal_parameter (47),(255)

} AlertDescription; struct { AlertLevel level; AlertDescription description; } Alert


Encryption and Decryption Encryption: Process of transforming

information so that is is unintelligible to anyone except the intended recipient

Cryptographic Algorithm/Cipher is a mathematical function used for encryption and decryption

Commonly used techniques for encryption and decryption are:

Symmetric Key Encryption Public Key Encryption(Asymmetric Encryption)


Encryption contd.. Symmetric Key Encryption:

Public Key Encryption:


RSA Public Cryptosystem It is based on the dramatic difference between

the ease of finding large prime numbers and difficulty of factoring the product of two large prime numbers

Algorithm for the RSA Public-key crypto system1)Select at random 2 large prime numbers p and q.p and q

are 100 decimal digits each2)Compute n = p * q3)Select small odd integer e relatively prime to (n) which

equals (p-1)(q-1)4)Compute d as multiplicative inverse of e, modulo (n)5)Publish pair P=(e,n) as his RSA public key6)Keep pair S=(d,n) as his RSA secret key


Digital Signatures Addresses problems of tampering and impersonation Relies on a 1 way Hash(message digest)

Value of the Hash is unique for the data The content cannot be deduced from the hash


Certificates and Authentication

Certificate based authentication: Figure below shows how to authenticate a client to a server


Contents of a Certificate Contents organized according to X.509 v3

certificate specification An X.509 v3 certificate binds a Distinguished

name(DN) to a public key uid=doe,[email protected],cn=John Doe,o=Netscape

Communications Corp.,c=US uid = user ID , e = email address, cn =users common name,o = organization,c=country

A typical certificate consists of 2 sections : Data Section Signature Section


Certificate Contents Data Section

Version Number of the X.509 standard Certificate’s Serial Number Information Info about users public key + algorithm + Rep of the key DN of the CA Validity Period DN of the certificate subject Optional Certificate Extensions

Signature Section Cryptographic Algorithm used by the issuing CA CA’s digital Signature = Data in Certificate+CA’s Private

key


How CA Certificates Are Used to Established the Truth ?

By the way of CA hierarchies and Certificate Chains Verifying a Certificate Chain


OpenSSL OpenSSL project is a collaborative effort

to develop a robust commercial grade,full featured Open Source toolkit Implementing the Secure Sockets Layer SSL

v2 and v3 Transport Layer Security v1 Full Strength general purpose cryptographic

libraries Based on the SSLeay library developed

by Eric A Young and Tim J Hudson


Features of OpenSSL Lib’s Portability

Supported on Unix,Windows 3.1 ,AIX 3.2, OSF 1.x, SunOS 5.x (gcc, cc) SPARC and INTEL and many more

Interface Description: Key Encoding Types :

DER - binary DER encoding PEM - base64 Privacy Enhanced Mail encoding

Error Handling void SSL_load_error_strings(void); unsigned long ERR_get_error(void); char *ERR_error_string(unsigned long error); void ERR_print_errors(FILE *fp);


Interface Descriptions Create SSL Context

SSL_CTX *SSL_CTX_new(void) Create SSL Handle

Create and initialize the data structure for SSL state using SSL_CTX_new() : SSL *SSL_new(SSL_CTX *ssl_ctx);

Establish Keys Call to function int SSL_useRSAPrivateKey(SSL *s, RSA

*key) Register Certificates

Server must have a certificate : int SSL_use_certificate(SSL *s, X509 *cert)

Client and Server Accept : int SSL_connect(SSL *s); Set Preferred Cipher:SSL_set_perf_cipher(SSL *s, char

*str)Ex:SSL_TXT_RC4_128_WITH_MD5 "RC4-MD5"


Cryptographic Algorithms Supported by SSLeay 0.9.0b

Defined in “crypto.h” Symmetric Ciphers

DES,RC2,RC4,Blowfish,IDEA,CAST,RC5 (RC4 = stream cipher)

Asymmetric Ciphers: Diffie-Hellman Key Exchange DSA RSA Algorithm


Client and Server application Main –ClientSSLeay_add_ssl_algorithms();meth = SSLv2_client_method()SSL_load_error_strings();ctx = SSL_CTX_new (meth);

ssl = SSL_new (ctx); /*Connect to a port of the server*/err = SSL_connect (ssl); --Check

errorserver_cert =

SSL_get_peer_certificate (ssl);str = X509_NAME_oneline

(X509_get_subject_name (server_cert),0,0);

/*after verifying certificate write to server*/

err = SSL_write (ssl, "Hello World!", strlen("Hello World!"));

SSL_shutdown (ssl);SSL_free (ssl)

Main– ServerSSL_load_error_strings();SSLeay_add_ssl_algorithms(); Meth SSLv23_server_method(); ctx = SSL_CTX_new (meth);/*Open a port in the server*/ssl = SSL_new (ctx); SSL_set_fd (ssl, sd);err = SSL_accept (ssl);client_cert =

SSL_get_peer_certificate (ssl);str = X509_NAME_oneline

(X509_get_subject_name (client_cert), 0, 0);

err = SSL_read (ssl, buf, sizeof(buf) - 1);

err = SSL_write (ssl, "I hear you.", strlen("I hear you."));

Cleanup same as client


References The SSL Protocol Version 3.0 Transport Layer

Security Working Group RFC-2246 http://developer.netscape.com/security OpenSSL website: www.openssl.org SSLeay Programmers Reference

http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html

Introduction to Algorithms by Thomas H Cormen,Charles E Leiserson & Ronald L Rivest

New Directions in Cryptography by Whitfield Diffie and Martin E.Hellman


IPsec 介绍


提要

• IPsec 概述• 安全关联 Security Associations (SA) &

SPI’s• 认证头 Authentication Header (AH) 协议• 封装安全载荷 --Encapsulating Security

Payload (ESP) 协议• 网间密钥交换 Internet Key Exchange (IKE)• IPsec 缺陷• IPsec 与隧道 (PPTP, L2TP)


虚拟专网 VPN (Virtual Private Network)

• 两个主机或网络间的安全通信

• VPN, 解决所有你安全问题的代名词

• 仍是一个比较新的技术

• IPsec 是众多流行的 VPN 技术之一


IPSEC 能做什么• 认证

• 完整性

• 接入控制

• 机密性

• 重放保护（部分 )


通信的类型• 主机到主机

• 主机到安全网关

• 安全网关到安全网关• 安全网关 = 防火墙• 也称为网络到网络


IPSEC 如何工作

• 主机到主机

Host A Host BIPsec (SA)

Other Hosts

No IPsec No IPsec


安全关联• 存储在 SPD 中 (Security Policy

Database)• 通过以下所述唯一标识 IPsec 会话

（ sessions ） :• SPI – Security Parameter Index,标识会

话的唯一数• 目的 IP 地址• 安全协议 (AH or ESP)


安全关联• Host A 安全关联 :# ipsecadm new esp -spi 1000 -src HostA \

-dst HostB -forcetunnel -enc 3des -auth sha1 \ -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \-authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f

• Host B 安全关联 :# ipsecadm new esp -spi 1001 -src HostB \

-dst HostA -forcetunnel -enc 3des -auth sha1 \-key 7762d8707255d974168cbb1d274f8bed4cbd3364 \-authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f


主机到安全网关

Host A SecurityGatewayIPsec (SA)

Other Hosts IPC-NAT ROUTE

InternalNetwork

ORNo IPsec


安全网关到安全网关

SecurityGatewayIPsec (SA)

IPC-NAT ROUTE

InternalNetwork

OR

SecurityGateway

InternalNetwork


IPSEC 连接类型• 传输模式

• 不加密整个数据包• 采用原 IP 头• 较快

• 隧道模式• 加密整个包，包括 IP 头 (ESP)• 产生新的 IP 头• 较慢


通常的 TCP/IP 包

帧层 (Layer 2)

IP 头 (Layer 3)

TCP/UDP 头 (Layer 4)

应用层 (5-7) / 数据

IP 头 TCP/UDP 数据

或

帧头


AH ( 认证头 )

• IP 协议 51• 提供包的认证• 不加密载荷

IP Hdr AH TCP/UDP Data

传输模式

IP 头 AH TCP/UDP 数据

IP Hdr AH 数据新 IP 头 AH TCP/UDP原 IP 头

Tunnel Mode


ESP ( 封装安全载荷 )

• IP 协议 50• 加密载荷• 提供加密和认证

IP Hdr AH TCP/UDP Data

Transport Mode

IP 头 AH TCP/UDP 数据

数据新 IP 头 AH TCP/UDP原 IP 头

Tunnel Mode

ESP

ESP


IKE ( 网间密钥交换 )

• UDP 端口 500

• 协商连接参数

• 网际安全关联和密钥管理协议 ISAKMP (Internet Security Association and Key Management Protocol)

• Oakley (Diffie-Helmen 密钥交换 )


IKE 协商• 两个阶段

• 阶段 1 – 协商双向 SA• 利用证书或预先共享的密钥• 采用主模式或贪心模式

• 阶段 2 – 协商 IPSEC (AH, ESP, 隧道 , 传输 )• 今天是否加密你的数据 ?• 总是利用快速模式因为我们已经认证过了


IKE 协商

• 协商下列参数 :• SA 生存期• 加密算法 ( 不采用 DES,采用 3DES)• 认证算法 (MD5, SHA-1)• 密钥交换类型

Remember:# ipsecadm new esp -spi 1000 -src HostA \

-dst HostB -forcetunnel -enc 3des -auth sha1 \

-key 7762d8707255d974168cbb1d274f8bed4cbd3364 \

-authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f


IPSec 举例• 只使用 ESP

• 在同一网络的两个主机 :• Jerry 192.168.0.11 - OpenBSD 2.8• Tom 192.168.0.17 – OpenBSD 2.7


Jerry 配置 (192.168.0.11)

ipsecadm new esp -spi 1000 -src 192.168.0.11 -dst 192.168.0.17 -forcetunnel \-enc blf -auth sha1 -key b4bc9f7f37d09332ac95dd32223e685fe6aaa026 \-authkey d041653ae78a9fa5ca795df2a051102ec30b33aa


ipsecadm flow -proto esp -dst 192.168.0.17 -addr 192.168.0.11 255.255.255.255\ 192.168.0.17 255.255.255.255 -proto esp -acquire

Encap:Source Port Destination Port Proto SA(Addr/Proto/Type/Direction)192.168.0.11/32 0 192.168.0.17/32 0 0 192.168.0.17/50/acquire/out


Tom Configuration(192.168.0.17)



ipsecadm flow -proto esp -dst 192.168.0.11 -spi 1001 -addr 192.168.0.17 255.255.255.255 192.168.0.11 255.255.255.255

Encap:Source Port Destination Port Proto SA(Address/SPI/Proto) 192.168.0.17/32 0 192.168.0.11/32 0 0 192.168.0.11/00001001/50


封装前的包ICMP12:46:21.545929 192.168.0.11 > 192.168.0.17: icmp: echo request (ttl 255, id 29731) 0000: 4500 0054 7423 0000 ff01 c618 c0a8 000b E..Tt#.......... 0010: c0a8 0011 0800 09d8 9d66 0000 3b6d 104f .........f..;m.O 0020: 0008 19fa 0809 0a0b 0c0d 0e0f 1011 1213 ................ 0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 ............ !"# 0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123 0050: 3435 45

FTP12:47:42.431056 192.168.0.11.42261 > 192.168.0.17.21: P [tcp sum ok] 13:28(15) ack 98 win 17232 <nop,nop,timestamp 9663 9697> [tos 0x10] (ttl 64, id 44333) 0000: 4510 0043 ad2d 0000 4006 4c0b c0a8 000b [email protected]..... 0010: c0a8 0011 a515 0015 5062 b4c2 5d0f 41e7 ........Pb..].A. 0020: 8018 4350 a693 0000 0101 080a 0000 25bf ..CP..........%. 0030: 0000 25e1 5041 5353 2070 6173 7377 6f72 ..%.PASS passwor 0040: 640d 0a d..


Packets AfterICMP12:51:58.736930 esp 192.168.0.11 > 192.168.0.17 spi 0x00001001 seq 1 len 116 (ttl 64, id 16933) 0000: 4500 0088 4225 0000 4032 b6b2 c0a8 000b E...B%..@2...... 0010: c0a8 0011 0000 1001 0000 0001 b5c1 1de8 ................ 0020: 9e67 4463 cab1 f496 2970 e7d9 267c 0cef .gDc....)p..&|.. 0030: 6bfc a5d6 6f6a 9f51 0e95 20fe c930 0e77 k...oj.Q.. ..0.w 0040: 2918 6c92 d7ac 6c13 f9f1 de8b 1674 fd42 ).l...l......t.B 0050: be98 4a40 29e8 9ecb 6759 cfbe 993d 1001 ..J@)...gY...=.. 0060: 0f11 0b8b 5e93 8852 dc28 786b 2479 465d ....^..R.(xk$yF] 0070: 5a67 d503 6b51 ff0b 074c 0076 6d03 a1ec Zg..kQ...L.vm... 0080: 5b14 765f cb06 51f8 [.v_..Q.

FTP12:52:29.730868 esp 192.168.0.11 > 192.168.0.17 spi 0x00001001 seq 2 len 100 (ttl 64, id 28675) 0000: 4500 0078 7003 0000 4032 88e4 c0a8 000b E..xp...@2...... 0010: c0a8 0011 0000 1001 0000 0002 6b51 ff0b ............kQ.. 0020: 074c 0076 30fa 28c7 ef53 592a 7b13 a068 .L.v0.(..SY*{..h 0030: 06bf 071d 81a0 98de ddd8 0174 b637 2b9a ...........t.7+. 0040: f1d2 a36e d83a 08ec 59bf 5341 a4b3 7ae5 ...n.:..Y.SA..z. 0050: bbc3 000b d2b1 e93c e086 cf69 71d6 dcf5 .......<...iq... 0060: 8498 13d7 8930 2451 f43b b6fc 4abc da2c .....0$Q.;..J.., 0070: 77c5 91dd ab2e ba11 w.......


IPsec 缺点• 太复杂 , 有许多不同的配置方式• 可能配置的不安全• 客户端安全是个问题


IPSec 相对于 SSL/TLS 的优点

• 加密整个包，包括 IP 头

• 可以加密整个协议

• 当使用网关到网关方式时不影响用户

• 有独立的 IP 地址


支持 IPsec 的操作系统

• OpenBSD, FreeBSD, NetBSD• Linux• Solaris• Windows 2000 (Native)• Windows NT/95/98/Me (Add-on)• Cisco IOS (PIX and Routers)• Others as well....

netprog 2002 - kerberos1 kerberos 雅典娜计划的一部分 (mit) 。...

Documents