Email, SNMP, Securing the Web: SSL

4 Jan 2015 SE 428: Advanced Computer Networks 1


Topics for Today

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1


Email

• Application Level Protocol (like HTTP)

• Distinguish

1. User interface (mail reader: Thunderbird, Outlook)

2. Message transfer protocol (SMTP, POP, IMAP)

3. Companion protocol (message formatting: RFC 822, MIME)

[Figure: mail path with the labels "sender's mail server", "SMTP", "SMTP", "mail access protocol"]


Simple Mail Transfer Protocol

• Used to move mail from sender to server and server to server

– Request/Reply conversation style (numeric reply codes)

– Authentication possible (password, SSL/TLS)

Steps:

1. Greeting (HELO, EHLO) with name

2. Envelope headers

– RCPT TO

– MAIL FROM

3. Data

– Formatted according to the rules in RFC 5322 or MIME

– Ends with a single period (.) on a line


SMTP Trace


SMTP Misc

• Verify mail address exists: VRFY

– Can refuse to answer

– Can answer only locally or even check globally

– May be disabled for security

• Expand name: EXPN

– Expands a mailing list name to its full list of users

– Often disabled for security

• Only a few common implementations
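The SMTP trace image from the "SMTP Trace" slide did not survive extraction. As an added example (not the course's trace), here is a small Python model of the server side of the conversation: the greeting, the envelope (MAIL FROM / RCPT TO), the dot-terminated DATA phase, and the VRFY / EXPN handling described above. The domain `example.test`, the user list and the reply wording are constructed for this example; the reply codes are the standard RFC 5321 ones.

```python
# Added example: toy SMTP server state machine. Domain, users and the client
# hostname are constructed; reply codes follow RFC 5321.
LOCAL_DOMAIN = "example.test"
LOCAL_USERS = {"alice", "bob"}


class ToySmtpServer:
    """One reply per command, as a real MTA would send it."""

    def __init__(self):
        self.greeted = False
        self.sender = None
        self.recipients = []
        self.delivered = []      # (sender, recipients, body) tuples
        self.in_data = False
        self._lines = []

    def handle(self, line):
        if self.in_data:
            if line == ".":                       # lone period ends the message
                self.in_data = False
                body = "\r\n".join(l[1:] if l.startswith("..") else l
                                   for l in self._lines)   # undo dot-stuffing
                self.delivered.append((self.sender, tuple(self.recipients), body))
                self.sender, self.recipients, self._lines = None, [], []
                return "250 OK: queued"
            self._lines.append(line)
            return None                           # no reply inside DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {LOCAL_DOMAIN} Hello {arg}"
        if not self.greeted:
            return "503 Bad sequence of commands: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence of commands: MAIL FROM first"
            rcpt = arg.partition(":")[2].strip("<> ")
            user, _, domain = rcpt.partition("@")
            if domain == LOCAL_DOMAIN and user not in LOCAL_USERS:
                return "550 No such user here"
            self.recipients.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands: RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            # Neither confirm nor deny (RFC 5321 allows 252), so the server
            # cannot be used to enumerate valid mailboxes.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        if verb == "EXPN":
            return "502 Command not implemented"   # list expansion disabled
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def smtp_session(commands, server=None):
    """Feed client lines to the server; return the trace and the server."""
    server = server or ToySmtpServer()
    trace = [f"S: 220 {LOCAL_DOMAIN} ESMTP ready"]
    for line in commands:
        trace.append(f"C: {line}")
        reply = server.handle(line)
        if reply is not None:
            trace.append(f"S: {reply}")
    return trace, server


if __name__ == "__main__":
    trace, _ = smtp_session(["EHLO client.example.test",
                             "MAIL FROM:<alice@example.test>",
                             "RCPT TO:<bob@example.test>", "DATA",
                             "Subject: hi", "", "Hello Bob", ".", "QUIT"])
    print("\n".join(trace))
```

The 252 reply to VRFY is the usual way to keep the command "enabled" without turning the server into a directory of valid addresses, which is the point behind "may be disabled for security" above.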


Post Office Protocol - POP

• Download emails from server

– Can delete after

• USER

• PASS

• LIST

• RETR

• STAT

• DELE

• UIDL

Internet Message Access Protocol - IMAP

• Designed to leave messages on server

– Internal folders

– Move messages across folders

– Search folders

• More flexible retrieval

– Just mail headers

– Just single attachments

• Much more complicated


POP Trace
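The POP trace image did not survive extraction either. As an added example (not the course's trace), the Python below models a POP3 maildrop that answers the commands listed on the previous slide. It goes one step beyond the slide in showing a detail of "can delete after": DELE only marks a message, and the server removes marked messages when the client sends QUIT (the RFC 1939 UPDATE state), so a dropped connection deletes nothing. The mailbox, password and message contents are constructed.

```python
# Added example: toy POP3 server. Credentials, messages and UIDs are constructed.
import hashlib

MAILBOX_PASSWORD = {"bob": "hunter2-example"}     # constructed credential


class ToyPopServer:
    def __init__(self, maildrop):
        self.maildrop = list(maildrop)    # raw message strings
        self.deleted = set()              # message numbers marked by DELE
        self.state = "AUTHORIZATION"
        self.user = None

    def _live(self):
        return [(i, m) for i, m in enumerate(self.maildrop, 1) if i not in self.deleted]

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.state == "AUTHORIZATION":
            if verb == "USER":
                self.user = arg
                return "+OK name is a valid mailbox"
            if verb == "PASS":
                # PASS carries the password in clear; POP3 needs TLS underneath
                # (or APOP/SASL) to keep it off the wire.
                if MAILBOX_PASSWORD.get(self.user) == arg:
                    self.state = "TRANSACTION"
                    return "+OK maildrop locked and ready"
                return "-ERR invalid password"
            return "-ERR not logged in"
        if verb == "STAT":
            live = self._live()
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if verb == "LIST":
            rows = [f"{i} {len(m)}" for i, m in self._live()]
            return "\r\n".join(["+OK scan listing follows", *rows, "."])
        if verb == "UIDL":
            # A stable per-message id lets a client that leaves mail on the
            # server recognise what it already downloaded.
            rows = [f"{i} {hashlib.sha1(m.encode()).hexdigest()[:16]}"
                    for i, m in self._live()]
            return "\r\n".join(["+OK", *rows, "."])
        if verb in ("RETR", "DELE"):
            try:
                n = int(arg)
            except ValueError:
                return "-ERR bad argument"
            if not 1 <= n <= len(self.maildrop) or n in self.deleted:
                return "-ERR no such message"
            if verb == "DELE":
                self.deleted.add(n)               # marked only; removed at QUIT
                return f"+OK message {n} deleted"
            msg = self.maildrop[n - 1]
            return "\r\n".join([f"+OK {len(msg)} octets", msg, "."])
        if verb == "QUIT":
            self.maildrop = [m for _, m in self._live()]   # UPDATE state
            self.deleted.clear()
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR unknown command"


def pop_session(commands, maildrop):
    """Run client lines against a fresh server; return the trace and server."""
    server = ToyPopServer(maildrop)
    trace = ["S: +OK POP3 server ready"]
    for line in commands:
        trace.append("C: " + line)
        trace.append("S: " + server.handle(line))
    return trace, server


if __name__ == "__main__":
    mail = ["From: alice\r\n\r\nfirst", "From: carol\r\n\r\nsecond"]
    trace, _ = pop_session(["USER bob", "PASS hunter2-example", "STAT",
                            "LIST", "RETR 1", "DELE 1", "QUIT"], mail)
    print("\n".join(trace))
```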


RFC 5322 (822)

• Header lines

– From

– To

– Subject

– Received

– Date

• All mail is encoded in ASCII (7 bits)

Multipurpose Internet Mail Extensions (MIME)

• Header lines:

– Content-Description

– Content-Type

• image/gif

• image/png

• text/plain

• text/richtext

• application/postscript

• application/msword

– Content-Transfer-Encoding

• ASCII or base64

• Encoding scheme (base64):

– Everything in ASCII characters

– Use 64 values (A-Za-z0-9+/)

– Encode 3 bytes as 4 characters in base64


MIME Example
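The MIME example on this slide was an image that did not survive extraction. As an added example (not the slide's own), the Python below builds a two-part message with the standard library so that the Content-Type and Content-Transfer-Encoding headers from the previous slide can be seen in real output, parses it back, and also encodes base64 by hand to show the "3 bytes in, 4 characters out" rule. The addresses are constructed and the "PNG" attachment is just the 8-byte PNG signature, not a real image.

```python
# Added example: build, inspect and parse a MIME message; hand-rolled base64.
# Addresses and the attachment bytes are constructed for the example.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

FAKE_PNG = b"\x89PNG\r\n\x1a\n"         # PNG signature only (constructed sample)
BASE64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz0123456789+/")


def base64_by_hand(data: bytes) -> str:
    """3 input bytes -> one 24-bit group -> 4 six-bit symbols; '=' pads the tail."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [BASE64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)                         # 0, 1 or 2 '=' signs
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def build_message() -> bytes:
    """text/plain body plus an image/png attachment, as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "MIME example"
    msg.set_content("Hello Bob, the image is attached.\n")   # 7bit text part
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                       filename="pixel.png")                   # base64 part
    return msg.as_bytes()


def describe(raw: bytes):
    """Return (content-type, transfer-encoding, decoded payload) per leaf part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                    # the multipart/mixed container itself
        parts.append((part.get_content_type(),
                      str(part["Content-Transfer-Encoding"]),
                      part.get_payload(decode=True)))
    return parts


if __name__ == "__main__":
    raw = build_message()
    print(raw.decode())
    for ctype, cte, payload in describe(raw):
        print(ctype, cte, payload[:16])
    print(base64_by_hand(FAKE_PNG))     # same as the attachment's base64 text
```

The decoded attachment comes back byte-for-byte equal to the input, which is the whole point of base64: arbitrary bytes travel through a 7-bit ASCII channel unchanged.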


So Far

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer


Network Management

• When you have hundreds of servers and routers, it's hard to manage them all manually → remote protocol

– Lets network admin track status

• Simple Network Management Protocol (SNMP)

– Request/Reply protocol (GET/SET)

• Requests information of these types from network nodes (Management Information Base – MIB):

– System: General parameters

– Interfaces: Physical addresses, packets sent on each interface

– Address translation: ARP and translation tables

– IP: Routing table, number of successfully routed packets, reassembly, drops


Used to build dashboards


Abstract Syntax Notation (ASN.1)

• Basic Encoding Rules (BER)

• Data items in the form: <tag, length, value>

– Tag: 8 bit field (can be multibyte)

– Length: how many bytes follow

• Less than 127 B: the length byte holds the length itself

• >127 B: the length byte holds how many bytes of length follow

– Value can nest other data items

ASN.1 in SNMP

• Variables listed in dot notation

– 1.3.6.1.2.1.4.3: IP field called ipInReceives (number of IP datagrams received)

– 1.3.6.1.2.1: all MIB fields

– 4 is the IP group

– 3 is the ipInReceives field
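As an added example for the two ASN.1 slides (not code from the course), the Python below encodes and decodes BER <tag, length, value> items, including the short and long length forms and nested values, and converts the SNMP dot notation to and from its OBJECT IDENTIFIER encoding (the first two arcs share one sub-identifier, 40·X + Y, and each sub-identifier is base-128 with the high bit meaning "more bytes follow"). The decoder checks every length against the buffer before slicing, which is the check a BER parser most often gets wrong. The tag constants are the standard universal tags; the VarBind built at the end is a constructed sample.

```python
# Added example: minimal BER TLV encoder/decoder and SNMP OID handling.
from typing import List, Tuple

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def encode_length(n: int) -> bytes:
    if n < 0x80:                                   # short form: one byte is the length
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: 1xxxxxxx = count of length bytes


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("invalid OID")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one sub-id
    out = bytearray()
    for s in subids:
        groups = [s & 0x7F]
        s >>= 7
        while s:                                   # base-128, most significant first
            groups.insert(0, s & 0x7F)
            s >>= 7
        out += bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])
    return tlv(TAG_OID, bytes(out))


def decode_oid(value: bytes) -> str:
    subids, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear: sub-id complete
            subids.append(cur)
            cur = 0
    if cur:
        raise ValueError("truncated sub-identifier")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def decode(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); refuse lengths that run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long form
        nbytes = ln & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length-of-length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("length exceeds buffer")  # never trust the length field blindly
    return tag, buf[pos:pos + ln], pos + ln


def decode_all(buf: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of sibling TLVs, e.g. the contents of a SEQUENCE."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = decode(buf, pos)
        items.append((tag, val))
    return items


if __name__ == "__main__":
    # Constructed SNMP VarBind: SEQUENCE { OID ipInReceives, NULL }
    varbind = tlv(TAG_SEQUENCE, encode_oid("1.3.6.1.2.1.4.3") + tlv(TAG_NULL, b""))
    print(varbind.hex())
    for tag, val in decode_all(decode(varbind)[1]):
        print(hex(tag), decode_oid(val) if tag == TAG_OID else val)
```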


So Far

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1

• Secure Sockets Layer


Secure Sockets Layer

• Secure Sockets Layer (SSL) for securing the Web

– Official Name: Transport Layer Security (TLS) Protocol

• Designed by Netscape in 1996

– Adapted by IETF

– Now in RFC 5246

– TLS 1.2 in Aug 2008

– Many extensions and outside applications

• Most important use is on the web (HTTP)

– Commonly called HTTPS


Secure Sockets Layer

Main goal: Establish a secure communication channel between two computers

• Engineering security

– Different operating systems (easy)

– Different cryptographic services (harder)

– Different versions (harder)

– No Trusted Third Party (?)

– One side may not have any authentication tokens (harder)

• Also:

– It must be efficient

– Must be flexible


Secure Sockets Layer

• Solution: Add another layer in the protocol stack on top of TCP


Sessions and Connections

• Setting up a secure conversation involves online negotiation

– Expensive! 2 RTTs minimum…

• Web content is sent in a series of Requests

– Each request (connection) gets 1 item

– HTTP 1.1 changes this a bit

– That shouldn't mean we negotiate for each request!

• Solution: Long running Sessions and short lived Connections

– Do the negotiation once for the session


The SSL Protocols

• SSL Record Protocol

– Move data

• SSL Handshake Protocol

– Negotiate security decisions

• SSL Change Cipher Spec

– Activate the negotiated security decisions


SSL Record Protocol

1. Fragment packets into 2^14 bytes or less (16,384)

2. Compress (if you want)

3. Message Authentication Code

• (Keyed) Hash

4. Encrypt

5. Append Header

• Content Type (Protocol)
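As an added example (not code from the course), the Python below runs a payload through the record-layer steps above in the order the slide gives them: fragment into 2^14-byte pieces, MAC with a keyed hash, encrypt, prepend the 5-byte header (content type, version, length). Compression is left out. The MAC is HMAC-SHA256 and, so the block runs with the standard library only, the "cipher" is a toy keystream derived with HMAC; that keystream is a constructed stand-in, not a TLS cipher suite. The MAC input includes the record sequence number, so the receiver rejects records that are modified, reordered or relabelled.

```python
# Added example: SSL/TLS-style record layer (MAC-then-encrypt) with a toy
# stand-in cipher. Keys and sample data are constructed.
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # 16,384 bytes
VERSION = b"\x03\x03"             # TLS 1.2 record-layer version bytes
CT_APPLICATION_DATA = 23
MAC_LEN = 32                      # HMAC-SHA256 output


def fragment(data: bytes):
    """Step 1: split into pieces of at most MAX_FRAGMENT bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Toy stream cipher: HMAC(key, seq || counter) blocks. NOT a real TLS cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _mac(mac_key: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    # Step 3: keyed hash over sequence number, header fields and fragment.
    header = struct.pack(">QB", seq, ctype) + VERSION + struct.pack(">H", len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


def seal(data: bytes, mac_key: bytes, enc_key: bytes, seq0: int = 0,
         ctype: int = CT_APPLICATION_DATA):
    """Turn application data into a list of records."""
    records = []
    for seq, frag in enumerate(fragment(data), seq0):
        plain = frag + _mac(mac_key, seq, ctype, frag)                 # 3. MAC
        ks = _keystream(enc_key, seq, len(plain))
        body = bytes(a ^ b for a, b in zip(plain, ks))                 # 4. encrypt
        header = bytes([ctype]) + VERSION + struct.pack(">H", len(body))
        records.append(header + body)                                  # 5. header
    return records


def open_records(records, mac_key: bytes, enc_key: bytes, seq0: int = 0) -> bytes:
    """Reverse the steps; raise ValueError on any malformed or tampered record."""
    out = b""
    for seq, rec in enumerate(records, seq0):
        if len(rec) < 5 + MAC_LEN:
            raise ValueError("record too short")
        ctype, ver, ln = rec[0], rec[1:3], struct.unpack(">H", rec[3:5])[0]
        body = rec[5:]
        if ver != VERSION or ln != len(body):
            raise ValueError("malformed record header")
        ks = _keystream(enc_key, seq, len(body))
        plain = bytes(a ^ b for a, b in zip(body, ks))
        frag, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, frag)):
            raise ValueError("bad record MAC")     # constant-time comparison
        out += frag
    return out


if __name__ == "__main__":
    mk, ek = b"mac-key-example", b"enc-key-example"
    recs = seal(b"x" * 40000, mk, ek)
    print([len(r) for r in recs])           # three records: 16384+32+5, 16384+32+5, 7232+32+5
    print(open_records(recs, mk, ek) == b"x" * 40000)
```

The MAC-then-encrypt order above is the one the slide describes for SSL/TLS up to 1.2; TLS 1.3 replaced it with AEAD cipher suites, where authentication and encryption are a single operation.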


SSL Handshake Protocol

Does the negotiation

Four phases:

1. Establish client security capabilities

2. Establish server security tokens

3. Establish client security tokens

4. Implement the negotiated decisions (Change Cipher Spec)


SSL Handshake Protocol

• Phase 1: Client Starts

– (Highest) SSL Version

– Client Nonce: n_c

– Session Id

• If it’s 0 – a new session

• If it’s not – continue a session

– Cipher Suite

• List of crypto algorithms supported

• In order of preference

– Compression Method

• List of supported methods


SSL Handshake Protocol

• Phase 1: Server Responds

– Chosen SSL Version

– Server nonce: n_s

– Session Id

• Old one if continuing

– Chosen Cipher Suite

– Chosen Compression Method

• Phase 2: Server tokens

– Server Certificate

– (Optional) Request Client Certificate


SSL Handshake Protocol

• Phase 3: Client tokens

– Client verifies certificate

– Client sends security tokens

• Certificate (Optional)

– Signs previous messages with Certificate private key (Client Verify)

• If no certificate: Pre-master secret (48 bits)

(28)

SSL Handshake Protocol

• Phase 4: Implement

– Client sends: Change Cipher Spec

– Server sends: Change Cipher Spec
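As an added example covering the four handshake phases above and the "Sessions and Connections" slide (not code from the course), the Python below plays both sides of the handshake at the message level: ClientHello with nonce, session id, cipher suites in preference order and compression methods; ServerHello with the choices; the server Certificate; the client's certificate check and pre-master secret; and Change Cipher Spec on both sides. A second run with the same client reuses the session id, and both sides skip the certificate and key exchange, which is the "negotiate once per session" idea. The cryptography is a stand-in: the certificate is a dict, the pre-master secret is sent as-is rather than encrypted to the server's key, and the master secret is HMAC-SHA256 over the nonces rather than the TLS PRF. Hostnames, cipher suite lists and the certificate are constructed.

```python
# Added example: message-level SSL/TLS handshake simulation with session resumption.
# Certificate, hostnames and keys are constructed stand-ins.
import hashlib
import hmac
import os

SERVER_CERT = {"subject": "www.example.test", "public_key": b"pk-example"}


def derive_master(pre_master: bytes, n_c: bytes, n_s: bytes) -> bytes:
    # Stand-in for the TLS PRF: bind the pre-master secret to both nonces.
    return hmac.new(pre_master, b"master secret" + n_c + n_s, hashlib.sha256).digest()


class Server:
    def __init__(self, suites):
        self.suites = list(suites)
        self.sessions = {}            # session id -> master secret (long-running session)
        self.master = self.suite = None

    def hello(self, ch):
        # Pick the first suite in the CLIENT's preference order that we support
        self.suite = next((s for s in ch["cipher_suites"] if s in self.suites), None)
        if self.suite is None:
            return [{"type": "Alert", "level": 2, "description": "handshake_failure"}]
        self.resume = ch["session_id"] in self.sessions
        self.sid = ch["session_id"] if self.resume else os.urandom(16)
        self.n_c, self.n_s = ch["nonce"], os.urandom(32)
        msgs = [{"type": "ServerHello", "version": (3, 3), "nonce": self.n_s,
                 "session_id": self.sid, "cipher_suite": self.suite,
                 "compression": ch["compression"][0]}]
        if self.resume:
            self.master = self.sessions[self.sid]       # no key exchange needed
            msgs.append({"type": "ChangeCipherSpec"})
        else:
            msgs.append({"type": "Certificate", "cert": SERVER_CERT})   # Phase 2
        return msgs

    def key_exchange(self, cke):
        self.master = derive_master(cke["pre_master"], self.n_c, self.n_s)
        self.sessions[self.sid] = self.master
        return [{"type": "ChangeCipherSpec"}]            # Phase 4, server side


class Client:
    def __init__(self, hostname, suites):
        self.hostname, self.suites = hostname, list(suites)
        self.session = None           # (session id, master secret) from an earlier handshake
        self.master = None

    def hello(self):                  # Phase 1
        self.n_c = os.urandom(32)
        sid = self.session[0] if self.session else b""   # empty id = new session
        return {"type": "ClientHello", "version": (3, 3), "nonce": self.n_c,
                "session_id": sid, "cipher_suites": self.suites, "compression": ["null"]}

    def process(self, msgs):          # Phases 1 (server side), 2, 3, 4
        out = []
        for m in msgs:
            if m["type"] == "Alert":
                raise ConnectionError(m["description"])
            if m["type"] == "ServerHello":
                self.n_s, self.sid = m["nonce"], m["session_id"]
                if self.session and self.sid == self.session[0]:
                    self.master = self.session[1]        # resumed session
            elif m["type"] == "Certificate":
                if m["cert"]["subject"] != self.hostname:   # Phase 3: verify
                    raise ConnectionError("certificate subject mismatch")
                pre_master = os.urandom(48)              # 48 bytes in TLS 1.2 (RFC 5246)
                self.master = derive_master(pre_master, self.n_c, self.n_s)
                self.session = (self.sid, self.master)
                out.append({"type": "ClientKeyExchange", "pre_master": pre_master})
        out.append({"type": "ChangeCipherSpec"})
        return out


def handshake(client, server):
    """Run one connection's handshake; return the message transcript."""
    ch = client.hello()
    transcript = ["C:ClientHello"]
    s_msgs = server.hello(ch)
    transcript += ["S:" + m["type"] for m in s_msgs]
    c_msgs = client.process(s_msgs)
    transcript += ["C:" + m["type"] for m in c_msgs]
    for m in c_msgs:
        if m["type"] == "ClientKeyExchange":
            transcript += ["S:" + x["type"] for x in server.key_exchange(m)]
    if client.master != server.master:
        raise RuntimeError("key mismatch")
    return transcript


if __name__ == "__main__":
    srv = Server(["TLS_RSA_WITH_AES_128_CBC_SHA"])
    cli = Client("www.example.test", ["TLS_RSA_WITH_AES_128_CBC_SHA"])
    print(handshake(cli, srv))        # full handshake
    print(handshake(cli, srv))        # resumed: no Certificate, no ClientKeyExchange
```

Two details are worth noticing: the suite is chosen from the client's list in the client's order (the server only filters), and a fatal Alert (level 2) is the only reply when no suite overlaps.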


SSL Change Cipher Spec

• Simple protocol: 1 message with 1 byte of data

– Byte set to 1


SSL Alert Protocol

• Two bytes of data

• Byte 1: Severity of alert

– 1: Warning

– 2: Fatal (terminates connection)

• Byte 2: Alert Codes


Reflection: SSL

• Enables secure communication over the internet

• Works even if only one side has a certificate (more on this later)

– Client authentication must be done some other way

• Main application for certificates and PKI

– Has helped sell many certificates (more on this later)

• Secures the communication channel

– But not the data stored on the other side


Conclusion

• Email (SMTP, POP)

• Network Management (SNMP)

– ASN.1
