(1)

4 Jan 2015 SE 428: Advanced Computer Networks 1

Email, SNMP, Securing the Web: SSL

(2)

Topics for Today

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer (SSL/TLS)

(3)

Email

• Application level protocol (like HTTP)

• Distinguish:

1. User interface (mail reader: Thunderbird, Outlook)
2. Message transfer protocols (SMTP, POP, IMAP)
3. Companion protocols (message formatting: RFC 822, MIME)


[Figure: mail delivery path: user agent → sender's mail server → (SMTP) → (SMTP) → receiving mail server → mail access protocol → user agent]

(4)

Simple Mail Transfer Protocol

• Used to move mail from sender to server and from server to server

– Request/reply conversation style (three-digit numeric reply codes)
– Authentication possible (password via SMTP AUTH; SSL/TLS via STARTTLS or an implicit-TLS port)

Steps:

1. Greeting (HELO or EHLO) with the client's host name
2. Envelope
   – MAIL FROM (the reverse path, sent first)
   – RCPT TO (one per recipient)
3. Data
   – Formatted according to the rules of RFC 5322 (822) and MIME
   – Ends with a single period (.) on a line by itself

(5)

SMTP Trace

(6)

SMTP Misc

• Verify that a mail address exists: VRFY

– The server can refuse to answer
– Can answer only for local users, or check globally
– Often disabled for security: it lets an attacker enumerate valid accounts

• Expand a name: EXPN

– Expands a mailing list name to its full list of members
– Often disabled for security

• Only a few common implementations of the server side
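The SMTP trace on the previous slide is an image that did not survive extraction. As an added example, not part of the lecture, here is a minimal receive-side state machine for the steps on the SMTP slides: the greeting, the envelope order (MAIL FROM before RCPT TO), DATA terminated by a lone period, and the VRFY/EXPN policy. The reply texts follow RFC 5321 conventions; the host name, the local user list and the choice to answer VRFY with 252 are assumptions for illustration.

```python
"""Minimal SMTP receive-side state machine (added example, not the lecture's code).
Reply codes follow RFC 5321 conventions; the hostname, the local user list and the
VRFY policy (answer 252, i.e. refuse to confirm) are assumptions for illustration."""

LOCAL_USERS = {"alice", "bob"}          # constructed sample mailbox list
HOSTNAME = "mail.example.test"          # assumed server name


class SmtpSession:
    """Feed one line at a time (without CRLF) to handle(); it returns the reply,
    or None while the server is collecting message data after DATA."""

    def __init__(self, allow_vrfy=False):
        self.allow_vrfy = allow_vrfy
        self.greeted = False
        self.in_data = False
        self.data_lines = []
        self.delivered = []             # (sender, recipients, body) of accepted messages
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender = None
        self.recipients = []

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):                      # step 1: greeting with a name
            if not arg:
                return "501 Syntax: " + verb + " hostname"
            self.greeted = True
            return "250 " + HOSTNAME
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":                                # step 2: envelope, MAIL FROM first
            if self.sender is not None:
                return "503 Sender already specified"
            if not arg.upper().startswith("FROM:"):
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = arg[5:].strip().strip("<>")     # <> (empty) is legal for bounces
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"            # envelope order is enforced
            if not arg.upper().startswith("TO:"):
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(arg[3:].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":                                # step 3: message content
            if not self.recipients:
                return "503 Need RCPT command"
            self.in_data = True
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            if not self.allow_vrfy:                       # refuse to confirm: no account enumeration
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            return "250 <%s@%s>" % (arg, HOSTNAME) if arg in LOCAL_USERS else "550 No such user here"
        if verb == "EXPN":                                # mailing-list expansion disabled
            return "502 Command not implemented"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 " + HOSTNAME + " closing connection"
        return "500 Command unrecognized"

    def _data_line(self, line):
        if line == ".":                                   # lone period ends the message
            self.in_data = False
            self.delivered.append((self.sender, list(self.recipients), "\n".join(self.data_lines)))
            self._reset_envelope()
            return "250 OK: queued"
        # dot-stuffing (RFC 5321 4.5.2): the client doubles a leading '.', the server removes one
        self.data_lines.append(line[1:] if line.startswith(".") else line)
        return None


def run_transcript(lines, allow_vrfy=False):
    """Drive a session with constructed client lines; returns (replies, delivered messages)."""
    session = SmtpSession(allow_vrfy)
    replies = [session.handle(l) for l in lines]
    return [r for r in replies if r is not None], session.delivered


if __name__ == "__main__":
    replies, mail = run_transcript([
        "EHLO client.example.test",
        "MAIL FROM:<alice@example.test>",
        "RCPT TO:<bob@example.test>",
        "DATA",
        "Subject: test",
        "",
        "..a line that starts with a period",
        ".",
        "VRFY bob",
        "QUIT",
    ])
    for r in replies:
        print(r)
    print(mail)
```

Sending RCPT TO or DATA out of order gets a 503, which is how a real server keeps the envelope consistent; the 252 reply to VRFY is the "can refuse to answer" behaviour from the slide, and it is the safe default when the server is reachable from the internet.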

(7)

Post Office Protocol - POP

• Download emails from the server

– Can delete them from the server after download

• Commands: USER, PASS, LIST, RETR, STAT, DELE, UIDL

– USER/PASS send the password in the clear unless the connection is protected by TLS

Internet Message Access Protocol - IMAP

• Designed to leave messages on the server

– Folders kept on the server
– Move messages across folders
– Search folders

• More flexible retrieval

– Just the mail headers
– Just a single attachment

• Much more complicated


(8)
(9)

POP Trace

(10)

RFC 5322 (822)

• Header lines

– From, To, Subject, Received, Date

• All mail is encoded in 7-bit ASCII

Multipurpose Internet Mail Extensions (MIME)

• Header lines:

– Content-Description
– Content-Type
  • image/gif, image/png
  • text/plain, text/richtext
  • application/postscript, application/msword
– Content-Transfer-Encoding
  • 7bit (plain ASCII) or base64

• Base64 encoding scheme

– Everything in ASCII characters
– Uses 64 values (A-Z, a-z, 0-9, +, /)
– Encodes every 3 bytes as 4 characters; a final 1 or 2 bytes become 2 or 3 characters padded with '='

(11)

MIME Example
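The MIME example on this slide is an image that is not in the extracted text. As an added example, not the lecture's code, the block below implements the base64 scheme from the previous slide by hand (3 bytes → 24 bits → four 6-bit indexes, with '=' padding), cross-checks it against Python's base64 module, and shows how a mailer decides between the 7bit and base64 Content-Transfer-Encoding values and builds a MIME part with the header lines listed. The sample bodies are constructed.

```python
"""Hand-rolled base64 matching the slide's "3 bytes -> 4 characters" rule, plus the
rule for picking a Content-Transfer-Encoding (added example, not the lecture's code).
Results are cross-checked against Python's base64 module; the sample bodies are constructed."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode(data):
    """Each 3-byte group is a 24-bit number split into four 6-bit indexes into ALPHABET.
    A final group of 1 or 2 bytes yields 2 or 3 characters, padded with '=' to a multiple of 4."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1
        out.append("".join(ALPHABET[s] for s in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text):
    """Inverse of b64encode; ignores whitespace (MIME folds base64 at 76 columns) and
    rejects characters outside the alphabet instead of silently skipping them."""
    text = "".join(text.split())
    stripped = text.rstrip("=")
    if len(text) % 4 or len(text) - len(stripped) > 2:
        raise ValueError("bad base64 length or padding")
    out = bytearray()
    for i in range(0, len(stripped), 4):
        chunk = stripped[i:i + 4]
        n = 0
        for c in chunk.ljust(4, "A"):
            n = (n << 6) | ALPHABET.index(c)          # ValueError on an illegal character
        out += n.to_bytes(3, "big")[:len(chunk) - 1]
    return bytes(out)


def transfer_encoding(body):
    """RFC 5322 bodies must be 7-bit ASCII with lines of at most 998 bytes;
    anything else (binary, 8-bit text, long lines) needs base64."""
    seven_bit = all(b in (9, 10, 13) or 32 <= b < 127 for b in body)
    short_lines = all(len(line) <= 998 for line in body.split(b"\n"))
    return "7bit" if seven_bit and short_lines else "base64"


def mime_part(content_type, body, description="attachment"):
    """Build one MIME body part with the header lines the slide lists."""
    encoding = transfer_encoding(body)
    if encoding == "base64":
        encoded = b64encode(body)
        payload = "\r\n".join(encoded[i:i + 76] for i in range(0, len(encoded), 76))
    else:
        payload = body.decode("ascii")
    return ("Content-Description: %s\r\nContent-Type: %s\r\n"
            "Content-Transfer-Encoding: %s\r\n\r\n%s" % (description, content_type, encoding, payload))


if __name__ == "__main__":
    png_header = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])   # constructed binary body
    print(mime_part("text/plain", b"Hello, world"))
    print(mime_part("image/png", png_header, "tiny sample"))
    assert b64encode(png_header) == base64.b64encode(png_header).decode()
```

The strict decoder matters more than the encoder in practice: a lenient decoder that skips unknown characters lets two different strings decode to the same bytes, which is the kind of ambiguity filters and signature checks get bypassed with.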

(12)
(13)

So Far

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer

(14)

Network Management

• When you have hundreds of servers and routers, it's hard to manage them all manually → remote management protocol

– Lets the network admin track status

• Simple Network Management Protocol (SNMP)

– Request/reply protocol (GET/SET)
– SNMPv1 and v2c authenticate with a cleartext community string; SNMPv3 adds authentication and encryption

• Requests typed information from network nodes (Management Information Base – MIB):

– System: general parameters
– Interfaces: physical addresses, packets sent on each interface
– Address translation: ARP and translation tables
– IP: routing table, number of successfully routed packets, reassembly, drops

(15)

Used to build dashboards

(16)

Abstract Syntax Notation One (ASN.1)

• Basic Encoding Rules (BER)

• Data items in the form <tag, length, value>

– Tag: 8-bit field (multibyte for tag numbers of 31 and above)
– Length: how many bytes of value follow
  • Value shorter than 128 bytes: one byte holds the length (short form)
  • 128 bytes or more: first byte has its high bit set and gives the number of following bytes that hold the length (long form)
– Value can nest other data items

ASN.1 in SNMP

• Variables are named in dot notation (object identifiers)

– 1.3.6.1.2.1.4.3: IP field called ipInReceives (number of IP datagrams received)
– 1.3.6.1.2.1: all MIB-2 fields
– 4 is the IP group
– 3 is the ipInReceives field
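As an added example (not the lecture's code), the block below encodes and decodes the BER tag-length-value items from the previous two slides: short- and long-form lengths, minimal two's-complement INTEGERs, OBJECT IDENTIFIER sub-identifier packing, and nested SEQUENCEs, and uses them to build the SNMP VarBind for ipInReceives (1.3.6.1.2.1.4.3). It handles only single-byte tags, which is all SNMP needs; the VarBind layout follows the SNMP SMI, and the decoder rejects truncated and indefinite-length input.

```python
"""ASN.1 BER encoder/decoder for the types SNMP uses (added example, not the lecture's code).
Universal tags: INTEGER 0x02, OCTET STRING 0x04, NULL 0x05, OBJECT IDENTIFIER 0x06, SEQUENCE 0x30.
Only single-byte tags (tag number < 31) are handled, which covers SNMP."""

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def encode_length(n):
    """Short form (0..127): one byte. Long form (>= 128): 0x80 | k, then k bytes of length."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(i):
    """Two's complement in the fewest bytes that keep the sign (BER rule)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= i < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, i.to_bytes(length, "big", signed=True))


def _base128(n):
    """Sub-identifier: 7 bits per byte, high bit set on all but the last byte."""
    chunks = [n & 0x7F]
    n >>= 7
    while n:
        chunks.append(n & 0x7F)
        n >>= 7
    chunks.reverse()
    return bytes([c | 0x80 for c in chunks[:-1]] + [chunks[-1]])


def encode_oid(dotted):
    """The first two arcs are packed as 40*a + b; every sub-identifier is base-128 encoded."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return tlv(OID, b"".join(_base128(s) for s in subids))


def decode(buf, pos=0):
    """Parse one TLV at pos. Returns (tag, value, end); constructed tags return a list of children."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers not supported here")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV: length %d exceeds buffer" % length)
    if tag & 0x20:                                  # constructed: the value nests more TLVs
        children, p = [], pos
        while p < end:
            ctag, cval, p = decode(buf, p)
            children.append((ctag, cval))
        return tag, children, end
    return tag, buf[pos:end], end


def decode_oid(value):
    subids, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    a = min(subids[0] // 40, 2)                     # undo the 40*a + b packing
    return ".".join(str(x) for x in [a, subids[0] - 40 * a] + subids[1:])


def varbind(oid, value=b""):
    """SNMP VarBind: SEQUENCE { name OBJECT IDENTIFIER, value ANY } (NULL in a Get request)."""
    return tlv(SEQUENCE, encode_oid(oid) + (value or tlv(NULL, b"")))


if __name__ == "__main__":
    vb = varbind("1.3.6.1.2.1.4.3")                 # ipInReceives, value not yet known
    print(vb.hex())                                 # 300b06072b0601020104030500
    tag, children, _ = decode(vb)
    print(hex(tag), decode_oid(children[0][1]), children[1])
```

The length check before slicing is the part worth copying: a declared length larger than the buffer is the classic way a malformed SNMP or certificate blob trips a parser, so the decoder refuses it instead of reading past the end.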

(17)

So Far

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer

(18)

Secure Sockets Layer

• Secure Sockets Layer (SSL) for securing the Web

– Official name today: Transport Layer Security (TLS) protocol

• Designed by Netscape (SSL 3.0 in 1996)

– Adopted by the IETF
– TLS 1.2 is RFC 5246 (Aug 2008); TLS 1.3 (RFC 8446, Aug 2018) later reworked the handshake described below
– SSL 3.0 and TLS 1.0/1.1 are now deprecated; new deployments use TLS 1.2 or 1.3
– Many extensions and uses outside the web

• Most important use is on the web (HTTP)

– Commonly called HTTPS

(19)


Secure Sockets Layer

Main goal: establish a secure communication channel between two computers

• Engineering security

– Different operating systems (easy)
– Different cryptographic services (harder)
– Different versions (harder)
– No trusted third party (?)
– One side may not have any authentication tokens (harder)

• Also:

– It must be efficient
– It must be flexible

(20)

Secure Sockets Layer

• Solution: add another layer in the protocol stack on top of TCP

(21)


Sessions and Connections

• Setting up a secure conversation involves online negotiation

– Expensive! 2 RTTs minimum for a full handshake, on top of the TCP handshake…

• Web content is sent in a series of requests

– Each request (connection) gets one item; HTTP 1.1 changes this a bit with persistent connections
– That shouldn't mean we negotiate for each request!

• Solution: long-running sessions and short-lived connections

– Do the negotiation once per session; later connections resume it by presenting the session ID

(22)

The SSL Protocols

• SSL Record Protocol – moves data
• SSL Handshake Protocol – negotiates the security decisions
• SSL Change Cipher Spec Protocol – activates the negotiated security decisions
• SSL Alert Protocol – signals warnings and fatal errors

(23)


SSL Record Protocol

1. Fragment the data into blocks of 2^14 bytes (16,384) or less
2. Compress (optional)
3. Message Authentication Code: a keyed hash (HMAC) over the sequence number, the record header and the fragment
4. Encrypt the fragment together with its MAC
5. Prepend the header

• Content type (which protocol), version, length
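The five steps above, as an added example that is not the lecture's code: a toy record layer that fragments at 2^14 bytes, computes the MAC over the same fields TLS 1.2 uses (sequence number, type, version, length, fragment; RFC 5246 §6.2.3.1), encrypts fragment plus MAC, and prepends the header, with the receiver rejecting any tampered, reordered or replayed record. Compression is skipped (the slide marks it optional). Assumption: the encryption step uses an HMAC-SHA256 counter-mode keystream as a stand-in for the negotiated cipher; it is not a TLS cipher suite, and the keys are constructed.

```python
"""Toy SSL/TLS record layer following the slide's five steps (added example, not the
lecture's code). The MAC input matches TLS 1.2 (RFC 5246 6.2.3.1): seq_num || type ||
version || length || fragment, using HMAC-SHA256. Assumption: the "encrypt" step uses an
HMAC-SHA256 counter-mode keystream as a stand-in for the negotiated cipher."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # 16,384 bytes of plaintext per record
APPLICATION_DATA = 23           # content type byte for application data
TLS12 = b"\x03\x03"             # version field in the record header
MAC_LEN = 32


class BadRecordMAC(Exception):
    """Would be reported as alert(2, 20): fatal, bad_record_mac."""


def fragment(data):
    """Step 1: split into pieces of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def _keystream(key, seq, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key, seq, ctype, frag):
    """Step 3: keyed hash over the implicit sequence number plus the record header and fragment."""
    header = struct.pack(">QB2sH", seq, ctype, TLS12, len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


def protect(mac_key, enc_key, seq, ctype, frag):
    if len(frag) > MAX_FRAGMENT:
        raise ValueError("fragment too large")
    plaintext = frag + _mac(mac_key, seq, ctype, frag)                        # step 3: MAC-then-encrypt
    ciphertext = _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))    # step 4: encrypt
    return struct.pack(">B2sH", ctype, TLS12, len(ciphertext)) + ciphertext   # step 5: header


def unprotect(mac_key, enc_key, seq, record):
    if len(record) < 5:
        raise ValueError("short record")
    ctype, version, length = struct.unpack(">B2sH", record[:5])
    body = record[5:]
    if version != TLS12 or len(body) != length or length < MAC_LEN:
        raise ValueError("malformed record header")
    plaintext = _xor(body, _keystream(enc_key, seq, len(body)))
    frag, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, frag)):
        raise BadRecordMAC("record %d failed MAC check" % seq)
    return ctype, frag


def send(mac_key, enc_key, data, first_seq=0):
    """Turn an application-data buffer into a list of protected records."""
    return [protect(mac_key, enc_key, first_seq + i, APPLICATION_DATA, f)
            for i, f in enumerate(fragment(data))]


def receive(mac_key, enc_key, records, first_seq=0):
    """Verify and reassemble; tampering, reordering or replay raises BadRecordMAC."""
    return b"".join(unprotect(mac_key, enc_key, first_seq + i, r)[1]
                    for i, r in enumerate(records))


if __name__ == "__main__":
    mac_key, enc_key = b"m" * 32, b"e" * 32                 # constructed keys
    records = send(mac_key, enc_key, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n" * 1000)
    print(len(records), "records; roundtrip ok:", receive(mac_key, enc_key, records) is not None)
    tampered = records[0][:-1] + bytes([records[0][-1] ^ 1])
    try:
        receive(mac_key, enc_key, [tampered] + records[1:])
    except BadRecordMAC as e:
        print("alert bad_record_mac:", e)
```

Because the sequence number is part of the MAC input but never sent on the wire, a record that is replayed or delivered out of order fails verification even though its bytes are untouched; TLS 1.3 keeps that property but replaces MAC-then-encrypt with an AEAD cipher.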

(24)

SSL Handshake Protocol

Does the negotiation

Four phases:

1. Establish client security capabilities
2. Establish server security tokens
3. Establish client security tokens
4. Activate the negotiated parameters (Change Cipher Spec, Finished)

(25)


SSL Handshake Protocol

• Phase 1: Client starts (ClientHello)

– (Highest) SSL/TLS version supported
– Client nonce: n_c
– Session ID
  • If it's 0 (empty): a new session
  • If it's not: continue (resume) an existing session
– Cipher suites
  • List of crypto algorithms supported
  • In order of preference
– Compression methods
  • List of supported methods

(26)

SSL Handshake Protocol

• Phase 1: Server responds (ServerHello)

– Chosen SSL/TLS version (the highest both sides support)
– Server nonce: n_s
– Session ID
  • The old one if continuing a session, otherwise a fresh one
– Chosen cipher suite (picked from the client's list)
– Chosen compression method

• Phase 2: Server tokens

– Server certificate (with its chain)
– (Optional) Request a client certificate

(27)


SSL Handshake Protocol

• Phase 3: Client tokens

– Client verifies the server certificate (chains to a trusted CA, name matches, not expired or revoked)
– Client sends its security tokens
  • Certificate (optional, only if the server asked for one)
  • Client key exchange: the pre-master secret (48 bytes for RSA key exchange, encrypted with the server's public key)
  • If it sent a certificate: signs a hash of the previous handshake messages with the certificate's private key (CertificateVerify)
– Both sides derive the master secret from the pre-master secret and the two nonces

(28)

SSL Handshake Protocol

• Phase 4: Implement

– Client sends: Change Cipher Spec, then Finished (a MAC over all handshake messages, sent under the new keys)
– Server sends: Change Cipher Spec, then Finished
– A Finished message that fails to verify means the handshake was tampered with
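As an added example (not the lecture's code), the block below models the negotiation in phases 1 to 3 and the session/connection split from the earlier slide: the client's preference-ordered cipher-suite list, the server's choice, the session ID that is empty for a new session and reused for resumption, the 48-byte pre-master secret, and the derivation of the master secret and per-connection keys. The derivation is the real TLS 1.2 PRF (RFC 5246 §5, §8.1, §6.3: P_SHA256, label "master secret" over n_c||n_s, label "key expansion" over n_s||n_c). Assumptions: the pre-master secret is handed to the server directly instead of being RSA-encrypted, and certificates and the Finished messages are left out, so only negotiation and key derivation are shown.

```python
"""Toy model of the handshake phases on the slides (added example, not the lecture's code).
Cipher-suite negotiation, session resumption and secret derivation follow TLS 1.2
(RFC 5246): PRF = P_SHA256; master_secret = PRF(pre_master, "master secret", n_c||n_s)[0:48];
key_block = PRF(master, "key expansion", n_s||n_c). Assumption: the pre-master secret is passed
to the server in the clear (no RSA), and certificates/Finished messages are omitted."""
import hashlib
import hmac
import os

TLS12 = b"\x03\x03"


class HandshakeFailure(Exception):
    """Would be sent as a fatal alert (handshake_failure)."""


def p_sha256(secret, seed, length):
    """P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)); output = HMAC(secret, A(i) || seed) ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)


def choose_suite(client_suites, server_suites):
    """Phase 1: the client lists suites in preference order; the server takes the first it supports."""
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise HandshakeFailure("no cipher suite in common")


def master_secret(pre_master, client_random, server_random):
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length=2 * (32 + 16 + 16)):
    # note the reversed nonce order compared with master_secret (RFC 5246 6.3)
    return prf(master, b"key expansion", server_random + client_random, length)


def client_hello(suites, session_id=b""):
    # an empty session_id (the slide's "0") asks for a new session
    return {"version": TLS12, "random": os.urandom(32), "session_id": session_id,
            "suites": list(suites), "compression": [0]}


class Server:
    def __init__(self, suites):
        self.suites = suites
        self.sessions = {}      # session_id -> (suite, master secret); survives across connections
        self.pending = {}       # session_id -> (suite, client_random, server_random) awaiting phase 3

    def hello(self, ch):
        """Phase 1 reply: version, nonce, session id, chosen suite. Returns (ServerHello, keys or None)."""
        server_random = os.urandom(32)
        sid = ch["session_id"]
        if sid and sid in self.sessions:                       # continue an old session: no key exchange
            suite, master = self.sessions[sid]
            sh = {"version": TLS12, "random": server_random, "session_id": sid,
                  "suite": suite, "resumed": True}
            return sh, key_block(master, ch["random"], server_random)
        suite = choose_suite(ch["suites"], self.suites)
        sid = os.urandom(32)
        self.pending[sid] = (suite, ch["random"], server_random)
        return {"version": TLS12, "random": server_random, "session_id": sid,
                "suite": suite, "resumed": False}, None

    def key_exchange(self, sid, pre_master):
        """Phase 3, server side: the (notionally RSA-encrypted) 48-byte pre-master secret arrives."""
        suite, client_random, server_random = self.pending.pop(sid)
        if len(pre_master) != 48 or pre_master[:2] != TLS12:
            # the first two bytes repeat the client's offered version; a mismatch signals a rollback attack
            raise HandshakeFailure("bad pre-master secret")
        master = master_secret(pre_master, client_random, server_random)
        self.sessions[sid] = (suite, master)
        return key_block(master, client_random, server_random)


def run_handshake(server, client_suites, client_cache, session_id=b""):
    """Client side of phases 1-3. Returns (session_id, client keys, server keys, resumed)."""
    ch = client_hello(client_suites, session_id)
    sh, server_keys = server.hello(ch)
    if sh["suite"] not in ch["suites"]:
        raise HandshakeFailure("server chose a suite we did not offer")
    sid = sh["session_id"]
    if sh["resumed"]:
        master = client_cache[sid]
    else:
        pre_master = TLS12 + os.urandom(46)                    # 48 bytes: version || 46 random bytes
        server_keys = server.key_exchange(sid, pre_master)
        master = master_secret(pre_master, ch["random"], sh["random"])
        client_cache[sid] = master
    return sid, key_block(master, ch["random"], sh["random"]), server_keys, sh["resumed"]


if __name__ == "__main__":
    srv = Server(["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"])
    cache = {}
    sid, ck, sk, resumed = run_handshake(srv, ["TLS_RSA_WITH_AES_128_CBC_SHA",
                                              "TLS_RSA_WITH_AES_128_GCM_SHA256"], cache)
    print("new session", sid.hex()[:8], "keys match:", ck == sk, "resumed:", resumed)
    sid2, ck2, sk2, resumed2 = run_handshake(srv, ["TLS_RSA_WITH_AES_128_CBC_SHA"], cache, sid)
    print("resumed:", resumed2, "same session:", sid2 == sid, "fresh keys:", ck2 != ck)
```

Two details carry the security weight here: the resumed connection reuses the master secret but mixes in fresh nonces, so each connection gets different record keys, and the server checks the version bytes inside the pre-master secret, which is how TLS detects a handshake that was downgraded in transit.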

(29)


SSL Change Cipher Spec

• Simple protocol: 1 message with 1 byte of data

– Byte set to 1

(30)

SSL Alert Protocol

• Two bytes of data

• Byte 1: severity of the alert

– 1: warning
– 2: fatal (terminates the connection)

• Byte 2: alert description code (e.g. 0 close_notify, 20 bad_record_mac, 40 handshake_failure, 42 bad_certificate)

(31)


Reflection: SSL

• Enables secure communication over the internet

• Works even if only one side has a certificate (more on this later)

– Client authentication must then be done some other way (e.g. a password sent inside the encrypted channel)

• Main application for certificates and PKI

– Has helped sell many certificates (more on this later)

• Secures the communication channel

– But not the data stored at either end

(32)

Conclusion

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer
