SSH & SSL

Peter Burkholder
14 November 2001

Why this talk
- Co-SAGE interest in SSH and security:
  - 5: Security or security tool usage
  - 2: Configuring SSH
  - 3: VPN (1 specifically VPN tunneling via SSH)
- Added SSL since it fits some niches better

Layer model: insecure protocols
- Application layer: RSH, Telnet, FTP
- Transport layer: TCP, UDP
- Network layer: IP, IPX, EtherTalk
- Link layer: Ethernet, PPP
- Physical layer: CAT-5 cable,
- Network security? Confidentiality, Integrity, and Endpoint Authentication

Layer model: secured protocols
- Application layer: SSH, PGP, Kerberos, S-
- Transport layer: SSL/TLS as extension of TCP socket
- Network layer: IPSec, IPv6
- Link layer: WEP, PPP/ECP
- Physical layer: Alarmed, pressurized
The two approaches we will look at today are using SSL (TLS) and SSH.

SSL Overview
- SSL (Secure Sockets Layer)
  - Protocol built on top of TCP
  - Encryption, Host Authentication, Integrity
  - Applications can be SSL-enabled
  - SSL ports
    - https (443), smtps (465), nntps (563), ldaps (636), imaps (993), pop3s (995), ftps (989 & 990).
  - Netscape: SSLv2 in 1994. SSLv3 in 1995. TLS (RFC 2246) completed in January, 1999.

SSH Overview
- SSH: Secure SHell
  - Application-level protocol (v1 & v2)
  - Encryption, Host & user authentication, Integrity
  - Port 22 (w/ port tunneling, X-forwarding)
  - Designed to replace rsh/rcp
  - Tatu Ylonen, first publicly released in July, 1995. SSHv2 (SECSH) IETF draft published February
  - Reportedly 2 million users by late 2000

Network Encryption primitives
- Symmetric encryption: shared session keys, e.g.: DES, 3DES, AES-Rijndael, Blowfish
- Asymmetric or public-key encryption: RSA,
- Message digest: one-way hash: MD5, SHA
- Digital signatures: DSS, RSA
- Key Exchange: Diffie-Hellman

SSL, PKI, and Authentication
- The trickiest part of network security is proving the identity of the other end of the connection.
- For example, I can say that I'm Bill Gates, here's my public key, anything I send you with my digital signature, you can verify that it is from
- True, it is from "me", but a) there's no linkage between my public key and my claimed identity, and b) anyone else who has that private key can also claim to be "me".

PKI: Public Key Infrastructure
- PKI relies on "God" to prove identities, where "God" is a Certificate Authority (CA). If I can prove my identity to a CA (and pay), I'll be issued a Digital Certificate: my public key signed by the CA's private key + identifying
- If my private key is compromised (or if I fooled the CA about my identity), then the CA can add the corresponding certificate to a Certificate Revocation List (CRL).

PKI 2: Certificate & Clients
- Certificates are accepted if signed by a root CA. CA root certs are often encoded in the client software (IE, Netscape, Opera).
- Certificates may also be self-signed or signed by an unknown CA. The user must exercise discretion in accepting or adding certificates.
- Uses: SSL, S/MIME, Signed Software, IPSec/IPv6
- Failure points: Issuing CRLs and "user discretion"
- Netcraft: 1.5 million servers run SSL, but only 60,000 have 3rd-party signed certificates

OpenSSL: Introduction
- SSL: RSA's BSAFE, Netscape, Certicom,
- OpenSSL is based on Eric A. Young's SSLeay.
- Both a cryptographic library and an SSL implementation. BSD-style license.
- "Solid package...[but] serious lack of documentation....SSL implementation is quite complex to use properly"

OpenSSL: Generate Keys
- Generate keys
  - Only certificate owner knows private key
  - Make RSA key pair, and encrypt
      $ openssl genrsa -des3 1024 > privkey.pem
      # using -des|-des3 will encrypt key
- Generate certificate request
- Sign certificate
- Present certificate

OpenSSL: Certificate Request
- Generate keys
- Generate certificate request
    $ openssl req -new -key ../private/privkey.pem >
    # enter identifying information when prompted -- the Common Name must match DNS name
- Sign certificate
- Present certificate

CA-signed Certificates
- Generate keys
- Generate certificate request
- Certificate signing
  - CAs require documentation. E.g.,
    - Letter of Authorization
    - Proof of Organizational Name / Domain Name
    - Money: $125 - $895 per year per server
  - Test certs (free) signed by untrusted root CA
- Present certificate

SSL: The Client Perspective

OpenSSL: Self-signed Certificate
- Generate keys
- Generate certificate request
- Certificate signing
    $ openssl req -x509 -key ../private/privkey.pem -in >
  - I am who I claim to be
  - Clients will generate warnings
- Present certificate

SSL Client: Unknown Root Cert

OpenSSL: Using Certificates
- Generate keys
- Generate certificate request
- Certificate signing
- Present certificate
  - Modify httpd.conf directives:
      SSLCertificateFile $SSL/certs/
      SSLCertificateKeyFile $SSL/private/privkey.pem
  - If encrypted private key, need passphrase on start
  - Spoofing only requires private key and certificate
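
The key, request and self-signing steps from the preceding slides, run end to end as an added example (not from the original talk), followed by checks that the certificate carries the expected Common Name and the public half of the generated key. Assumptions: the name www.example.test, the file and function names, a 2048-bit key instead of the slides' 1024, `openssl x509 -req -signkey` for the self-signing step, and an unencrypted key so the script runs without a passphrase prompt.

```sh
#!/bin/sh
# Added example: key -> request -> self-signed certificate -> checks.
# Host name and file names are constructed; the key is left unencrypted
# only so the script runs unattended (the slides encrypt it with -des3).

make_selfsigned() {      # $1 = output directory, $2 = DNS name for the CN
    dir=$1 cn=$2
    ( umask 077          # private key readable by its owner only
      openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/privkey.pem" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/privkey.pem" \
        -days 365 -out "$dir/server.crt" 2>/dev/null
}

cert_cn() {              # print the subject CN of certificate $1
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -e 's/^subject= *//' -e 's/^CN=//'
}

cert_is_selfsigned() {   # true when subject and issuer are the same name
    s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")
    i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1")
    [ "${s#subject=}" = "${i#issuer=}" ]
}

key_matches_cert() {     # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" www.example.test
echo "CN:          $(cert_cn "$demo_dir/server.crt")"
cert_is_selfsigned "$demo_dir/server.crt" && echo "self-signed: yes"
key_matches_cert "$demo_dir/privkey.pem" "$demo_dir/server.crt" &&
    echo "key match:   yes"
rm -rf "$demo_dir"
```

The key-match check is worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at a pair of files.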

OpenSSL: Roll-your own CA
- For developing own software, or small
- Install root certificate on client browsers
  - To Apache httpd.conf add line
      AddType application/x-x509-ca-cert .cacert
  - Copy cacert.pem to a web-accessible file, e.g,
  - Point browser to URL. Browser will prompt to

Installing a Root Certificate

SSL Attacks: Dug Song's dsniff
- dnsspoof: /etc/dnspoof.hosts
- webmitm -d #make
[Diagram labels: Server, Client, https:/ /, SSL, SSL, Spoof DNS]

- STunnel wrapper for SSL services.
- Sslwrap: same idea, not as actively
- As with all SSL services, STunnel needs a
    $ openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

STunnel POP3 Server & Client
[Diagram: HOST A (POP3 client, STunnel) and HOST B (POP3 server, STunnel); labels: port 110, port 995]

STunnel: POP3 server example
- On Server, an inetd entry to provide pop3 service may be something like:
    pop3 stream tcp nowait root /usr/sbin/tcpd
- You can instead put a service on pop3s
    /usr/sbin/stunnel -r localhost:pop3 \
    -p /path/to/stunnel.pem
- STunnel will SSL-encrypt on port 995 (pop3s), and tunnel the unencrypted traffic to

STunnel on Windows
- Download openssl.dll and ssleay.dll to $WIN/system; stunnel.exe to a convenient
- Test: "stunnel -c -d 110 -r mail.server:995"
- As service? Easiest is to create stunnel.bat
    START stunnel -c -d 110 -r mail:995
  and run stunnel.bat from Scheduled Tasks at user login. But must contend with Command
- Running as a real service requires add'l

STunnel: Debugging
- Run STunnel with -D 6 (debug level 6) and -f
- Use Eric Rescorla's SSLDUMP (
    $ ssldump -k ./stunnel.pem -d -i vmnet1 port 995
    # see all traffic decrypted
- Note: STunnel by default not picky about

- If SSL is a toolbox, SSH is a Leatherman
- Features
  - Encryption: AES, ARC4, Blowfish,...
  - Secure logins, remote command, file transfer
  - Authentication: Password, PubKey, Host-
  - Access control by host, user
  - Key management
  - Port-forwarding

SSH Protocol Version 1
- Monolithic protocol
- Authentication by: KerberosIV, Rhosts, RhostsRSA, Public-Key, TIS/SecureID, Password (many flavors)
- RSA for authentication and key exchange
- Weaknesses
  - CRC-32 integrity, attacks, keystroke monitoring (sshow)
- SSH-1 still common: Licensing, Cost, and First to Market. 2 million users estimated

SSH Protocol Version 2
- DSS for authentication, Diffie-Hellman keys
- Supports x.509 PKI certificates

Protocol layers (same stack on Server and Client, top to bottom):
    SSH Connection
    SSH Authentication
    SSH Transport
    TCP/IP, IPX/SPX, etc.
    Ethernet, etc...

Packet layout:
    Packet Length | Padding Length | Payload | Random Padding | Integrity Data (MAC)

SSH Server implementations
- OpenSSH (v 3.0 released Nov. 6)
  - SSHv2 and SSHv1
  - Standard implementation for this talk
- SSH Communications Security: SSH3.0.1
  - *nix Servers: $475 / Windows Servers: $565
  - Free servers for non-commercial use
- F-Secure SSH 2.4.0 (Unix server & client)
  - *nix Server: $594/Windows: $834

Compiling & Installing
- /dev/random or EGD
- ./configure, make, make install...
  - Requires: zlib, OpenSSL
  - ./configure --disable-suid-ssh --with-tcp-wrappers --
- Potential SetUID binaries for host-based auth
  - OSSH: ssh
  - SSH2: ssh-signer

Server Configuration
Command-line opts      Host Access
Compile-time flags      ssh_known_hosts
Configuration file
   /etc/shosts.equiv   User authentication
key files in $CONF/
   moduli; <key>.pub

sshd_config - typical settings
PermitRootLogin (yes|(without-
StrictModes yes
PubkeyAuthentication yes
HostbasedAuthentication no # v2 /etc/hosts.equiv
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no ## ???
{Allow,Deny}{Users,Groups} #luser@rem_machine
Protocol 2
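
A small audit of an sshd_config against the settings this slide gives with one definite value, as an added example (not part of the original talk). It keeps the first value seen for each keyword, as sshd does, so a stricter line further down does not hide an earlier permissive one. The sample configuration is constructed, and the function names and output labels are this example's own.

```sh
#!/bin/sh
# Added example: compare an sshd_config read from stdin with the slide's values.
# Handles the "Keyword value" form only; "Keyword=value" lines are not parsed.

audit_sshd_config() {
    awk '
    BEGIN {
        n = split("strictmodes hostbasedauthentication permitemptypasswords protocol", order, " ")
        want["strictmodes"]             = "yes"
        want["hostbasedauthentication"] = "no"
        want["permitemptypasswords"]    = "no"
        want["protocol"]                = "2"
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        if (!(key in seen)) seen[key] = val      # first value wins, as in sshd
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen)) {
                print "UNSET " k " (slide value: " want[k] ")"; bad = 1
            } else if (seen[k] != want[k]) {
                print "DEVIATES " k "=" seen[k] " (slide value: " want[k] ")"; bad = 1
            }
        }
        exit bad                                 # non-zero when anything differs
    }'
}

sample_config() {    # constructed sample, not taken from a real host
    cat <<'EOF'
# constructed sshd_config for the example
Protocol 2,1
StrictModes yes
PermitEmptyPasswords yes
PermitEmptyPasswords no
X11Forwarding no
EOF
}

sample_config | audit_sshd_config || echo "deviations found"
```

Against a real server, run it as `audit_sshd_config < /etc/ssh/sshd_config` (path assumed; the talk refers to the directory as $CONF).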

Running Server
- Make install runs key generation
    $ sshd # detaches and forks daemons
    $ sshd -d -p <some-port> # is great for testing, messages to stderr, doesn't fork
    $ sshd2 -v -p <some-port>

Client: basic operation
- SSH: remote logins, remote commands
    $ ssh
    $ ssh user@remotehost "command to run"
    # -v option provides connection details
- SCP: secure copy
    $ scp user@remote:remote/file ./local/file
- SFTP: secure file transfer (a la FTP)
    $ sftp user@remote
- Clients try public-key, then password fallback

Using Public-key Authentication
- ssh client sends public key
- if server finds key in .ssh(2)/<file>, encrypts a challenge to client
- client with private key, proving ID
- .ssh/.ssh2 path permissions
    $ ssh pb@remote host
    Enter passphrase for key '/home/peter/.ssh/id_dsa':

Generate Public-key Pairs
- Generate a key-pair for each identity
    $ ssh-keygen -t dsa # (enter passphrase for default id )
    # use '-f file' to save to different identity files
- Concatenate public part of key-pair to remote account's .ssh/authorized_keys2
- Place <public-key-file> in .ssh2/; Add "Key <public-key-file>" line to .ssh2/authorization
- OpenSSH's ssh-keygen translates SSH2

Forced commands:
    $ ssh-keygen -f pb_command -t dsa
- from="<host>",command="/bin/cat $SSH_ORIGINAL_COMMAND" ...key...
- Key pb_command_pubkey #no pass-phrase
- Command "/bin/cat
    $ ssh -i path/to/pb_command_id pb@remote

Forced commands continued
- Command gets: stdin, args in $SSH2_... env
- Can also set "environment=", "from=host",
- Environment, host restrictions only if script
- Command executes in user shell, after
- Unencrypted private keys and forced
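
A forced-command wrapper that treats $SSH_ORIGINAL_COMMAND as untrusted input, shown as an added example (not part of the original talk). With command="/bin/cat $SSH_ORIGINAL_COMMAND" the connecting client chooses the arguments to cat; here the request must be a bare file name inside one directory. The directory /var/reports, the script path /usr/local/bin/report-cat and the function names are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper for a restricted, passphrase-less key.
# authorized_keys entry (hypothetical script path, key elided):
#   from="<host>",command="/usr/local/bin/report-cat" ...key...
REPORT_DIR=${REPORT_DIR:-/var/reports}    # assumed directory of servable files

# Accept only a bare file name; print the full path on success.
validate_request() {
    case $1 in
        '')                 return 1 ;;   # no request given
        .*)                 return 1 ;;   # ".", ".." and dotfiles
        *[!A-Za-z0-9._-]*)  return 1 ;;   # slashes, spaces, shell metacharacters
    esac
    printf '%s/%s\n' "$REPORT_DIR" "$1"
}

serve_request() {
    if ! path=$(validate_request "$1"); then
        echo "request rejected" >&2
        return 1
    fi
    if [ ! -f "$path" ] || [ -L "$path" ]; then   # regular file, not a symlink
        echo "no such report" >&2
        return 1
    fi
    cat -- "$path"
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND;
# when it is unset (a plain login attempt) the wrapper does nothing and exits.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    serve_request "$SSH_ORIGINAL_COMMAND"
fi
```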

SSH Key Agents
- An ssh-agent process stores keys in memory, and clients use it to sign authenticators
    $ ssh-agent $SHELL # invoke a subshell -- shell dies if agent dies
    $ eval `ssh-agent` # process sets env and detaches, doesn't die on logout
    $ ssh-agent startx
    .xsession: exec ssh-agent ./.xsession-stuff
    $ ssh-add # loads identity files, connect at will!

Remote Agent Forwarding
ZERO --SSH (Agent)--> ONE --SSH--> TWO
ZERO
    $ eval `ssh-agent`
    # $SSH_AUTH_..
    $ ssh-add
    $ ssh pb@one
ONE
    # no private keys
    # pubkey authorized for pb@one
    # $SSH_AUTH_..
    $ ssh pb@two
    # client uses socket to [zero] for auth
TWO
    # pubkey authorized for pb@zero
    $ I'm in!

SSH Port Forwarding
[Diagram: MYHOST (POP3 client, SSH client) and REMOTEHOST (POP3 server, SSH server); the SSH client and SSH server are joined over port 22]

Port Forwarding
- If the TCP client application (whose connection you want to forward) is running on local machine, use local forwarding. If client is on remote machine, use remote forwarding.
    $ ssh -L<localport>:localhost:<remport>
    $ ssh -R<
- X-forwarding: happens automatically if server accepts local host connections

Windows Servers
- SSH2, F-Secure, and OpenSSH (& Cygwin)
- SSH2: command line only, ~10 sessions
- VNC: server port 5800, runs under Win2k
- Set VNC registry to allow loopback connect
    $ ssh -L5801:localhost:5800 peter@win2k
    $ vncviewer localhost:5801

Windows, Mac & Java Clients
- See Free Mac clients are weak
- My favorites are PuTTY for Windows and Mindterm ( for anything else

File Transfer: SFTP
- Handy interface, but s...l...o...w
- netcat 100Mb random data: 35s
- sftp 100Mb random data: 10m51s
- Barrett & Silverman claim 1/4 speed of scp
- I've seen 1/10 of FTP speed

SSL & SSH: Recommendations
- SSH is an essential tool for remote administration. OpenSSH excellent; SSH2 has some better configuration options and more advanced features. X-forwarding a great feature. ssh-agent/forced-command a boon for scripting
- SSL-enabled apps and PKI becoming ubiquitous. A better choice for securing particular apps, especially with STunnel

Web SSL References
- Thawte:
- Thawte: Apache SSL Key and CSR Generation Instructions.
- Frederick Hirsch, SSLeay Certificate
- Dug Song's dsniff.