Certificates Network Systems Security Mort Anvari Certificates    An instrument signed by an authority to certify something about a subject Original function is to bind names to keys or keys to names Now it can contain authorization, delegation, and validity conditions 10/26/2004 Types of Certificates  ID certificates name → key  Attribute certificates authorization → name  Authorization certificates authorization → key  An attribute certificate needs to combine with an ID certificate to be used for authorization 10/26/2004 X.509 Authentication Service  Part of CCITT X.500 directory service standards   Define framework for authentication services      distributed servers maintaining some info database directory may store public-key certificates with public key of user signed by certification authority Also define authentication protocols Use public-key cryptography and digital signatures  algorithms not standardised, but RSA recommended 10/26/2004 X.509 Certificates  Issued by a Certification Authority (CA), containing:             version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) Notation CA denotes certificate for A signed by CA 10/26/2004 X.509 Certificates 10/26/2004 Obtaining a Certificate    Any user with access to CA can get any certificate from it Only the CA can modify a certificate Certificates can be placed in a public directory since they cannot be forged 10/26/2004 CA Hierarchy    If both users share a common CA then they are assumed to know its public key Otherwise CA's must form a hierarchy Use certificates linking members of hierarchy to validate other CA's    each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy 10/26/2004 CA Hierarchy Use 10/26/2004 Certificate Revocation     certificates have a period of validity may need to revoke before expiry, eg: user's private key is compromised user is no longer certified by this CA CA's certificate is compromised CA’s maintain list of revoked certificates  the Certificate Revocation List (CRL) users should check certs with CA’s CRL 10/26/2004 10 Types of Firewalls  Three common types  Packet-filtering router  Application-level gateway  Circuit-level gateway 10/26/2004 21 Packet-filtering Router 10/26/2004 22 Packet-filtering Router     Foundation of any firewall system Examine each IP packet (no context) and permit or deny according to rules Restrict access to services (ports) Possible default policies  prohibited if not expressly permitted  permitted if not expressly prohibited 10/26/2004 23 Examples of Rule Sets 10/26/2004 24 Attacks on Packet Filters  IP address spoofing    Source routing attacks    fake source address to be trusted add filters on router to block attacker sets a route other than default block source routed packets Tiny fragment attacks   split header info over several tiny packets either discard or reassemble before check 10/26/2004 25 Stateful Packet Filters   Examine each IP packet in context  keep tracks of client-server sessions  check each packet validly belongs to one Better able to detect bogus packets out of context 10/26/2004 26 Application Level Gateway 10/26/2004 27 Application Level Gateway   Use an application specific gateway / proxy Has full access to protocol     user requests service from proxy proxy validates request as legal then actions request and returns result to user Need separate proxies for each service    some services naturally support proxying others are more problematic custom services generally not supported 10/26/2004 28 Circuit Level Gateway 10/26/2004 29 Circuit Level Gateway      Relay two TCP connections Impose security by limiting which such connections are allowed Once created, usually relays traffic without examining contents Typically used when trust internal users by allowing general outbound connections SOCKS commonly used for this 10/26/2004 30 Bastion Host      Highly secure host system Potentially exposed to "hostile" elements, so need to be secured to withstand this May support or more net connections May be trusted to enforce trusted separation between network connections Run circuit / application level gateways or provide externally accessible services 10/26/2004 31 Firewall Configurations 10/26/2004 32 Firewall Configurations 10/26/2004 33 Firewall Configurations 10/26/2004 34 Next Class   Presentation of paper “A Framework for Classifying Denial of Service Attack” Submit your review through dropbox before class 10/26/2004 35 ... constraints on use of certificates by other CA’s 10/26/2004 16 Need of Firewalls    Everyone want to be on the Internet and to interconnect networks Persistent security concerns  cannot easily... connections Impose security by limiting which such connections are allowed Once created, usually relays traffic without examining contents Typically used when trust internal users by allowing general... Firewalls    A choke point of control and monitoring Interconnect networks with differing trust Impose restrictions on network services   Auditing and controlling access    only authorized