• No results found

Security of information systems secure file transfer

N/A
N/A
Protected

Academic year: 2021

Share "Security of information systems secure file transfer"

Copied!
20
0
0

Loading.... (view fulltext now)

Full text

(1)

Security of information systems

secure file transfer

Who? Mateusz Grotek, 186816 Paweł Tarasiuk, 186875

(2)

Table of contents

Introduction

Problem statement

Different aspects of security Possible approaches

SSH

Why SSH? SSH protocols

How to transfer files through SSH? Different solutions FTPS NFS SMB Summary Questions

(3)

Problem statement

The meaning of the term file transfer in general refers to downloading/uploading a file from/to an external filesystem. While the definition applies e.g. to file transfer between a computer and a USB memory stick, we are going to focus on transferring files in computer networks.

The problem of file transfer security is related to both the processes of user authentication and authorization, and to a method of encryption of the transferred data (so sniffing would not reveal the file contents).

(4)

Authentication and authorization

It is possible to distinguish some important aspects of file transfer security. The most important distinction is the distinction between authentication and

authorization.

Authentication Authentication is a process, which shows that the claimed identity of a user matches the actual identity.

Authorisation Authorization is a process, which checks if a user is allowed to perform some actions.

(5)

Filesystem access vs. single file access

It is important to distinguish different sorts of access.

Filesystem Which users are allowed to access which filesystems and how can they do it (read, write, execute)?

Files/Directories Which users are allowed to access which files/directories and how can they do it (read, write, execute)?

As far as remote execution has nothing to do with file transfer we are going to focus on the read/write access. Filesystem access and single file access can be separated. E.g. in FTP after authenticating successfully we are allowed to access the filesystem, but it does not mean we are automatically allowed to access all files in the filesystem. In NFS we may mount a filesystem, but it does not mean we can automatically access all its files and directories.

(6)

Possible approaches

We can use a dedicated secure protocol (e.g. SSH File Transfer Protocol).

We can use a non-secure protocol over a secure

connection (e.g. FTP over SSL/TLS, or HTTP through an IPSec tunnel/VPN).

(7)

Many different solutions of the problem

X over SSL/TLS (X ∈ {HTTP, FTP, . . .})

X over IPSec/VPN (X ∈ {HTTP, FTP, rsync, . . .}) X over SSH tunnel (X ∈ {HTTP, FTP, rsync, . . .}) native SSH protocols

NFS version 4 (thanks to RPCSEC_GSS) SMB version 3

(8)

What is good about SSH?

Open standards (RFC) and open source implementations Implementations exist for almost every platform

It is a mature, well understood technology Many authentication options

host

challenge-response (including simple password-based) public key

GSSAPI

PAM (Pluggable Authentication Modules) Many additional features including:

file transfer

tunneling and port forwarding (including X Window System support)

(9)

Key properties of how SSH works

RFC4251 states three key properties of how SSH works: All encryption, integrity, and public key algorithms used are well-known, well-established algorithms.

All algorithms are used with cryptographically sound key sizes that are believed to provide protection against even the strongest cryptanalytic attacks for decades.

All algorithms are negotiated, and in case some algorithm is broken, it is easy to switch to some other algorithm without modifying the base protocol.

(10)

SSH and its protocols

SSH consists of 3 protocols: transport layer protocol user authentication protocol connection protocol

(11)

FISH

Just use unix commands, that’s how simple it is!

Pros

conceptually simple easy to implement

Cons

available only on unices it is just a hack

(12)

SCP

It is just a specific way of doing FISH

Pros

conceptually simple

Cons

it is just a hack no standard

(13)

FTP over SSH tunnel

Just use SSH tunnels for FTP

Pros

conceptually simple

both SSH and FTP have RFC documents there are many FTP clients to choose

Cons

(14)

SFTP

This is the secure file transfer protocol. Do not confuse it with:

FTPS (FTP over SSL)

SFTP (simple file transfer protocol)

Pros

dedicated solution for file transfer extension of SSH, not just a hack documented in the IETF drafts

Cons

you need a whole SSH server to use it

(15)

FTP or HTTP over SSL/TLS (FTPS)

Just use FTP or HTTP over SSL/TLS

Pros

there are many FTP/HTTP clients to choose readily available in browsers

you can use the same SSL/TLS infrastructure for all services

documented in RFCs

Cons

certificates nightmare

(16)

NFS version 4 with RPCSEC_GSS

It is possible to secure NFS by using RPCSEC_GSS module. The solution is based on Kerberos.

Pros

documented in RFCs

all file operations of the OS available

Cons

Unix centric

(17)

SMB version 3

SMB (Server Message Block) version 3 added

AES-CCM encryption. It can use either NTLM version 2 or Kerberos.

Pros

available in Windows, which is popular

Cons

Windows-centric solution

available only since 2012, not available in previous versions of Windows

(18)

And the winner is...

In our opinion there are three winners of the comparison. One of them is SFTP. It is included in most SSH clients and very easy to use. Another winner is FTP over SSH, because it allows people to choose any client they want (FTP is implemented in most file transfer programs). The last winner is FTPS, because it is implemented in browsers and also very easy to use. All of these

technologies are platform agnostic. We do not think it is useful to use platform specific technologies. All of these technologies have open standards (or drafts of these) and open source clients. Therefore after deploying one of these solutions it is easy to switch to other software if the chosen one does not work as expected.

(19)

Our idea for the practical task

Out idea of practical task consists of showing all SSH based solutions. The most important of them is SFTP and we will focus on this one. We would like to focus on public key authentication and password authentication, but we will also briefly investigate PAM.

The second technology we would like to use is FTPS, which is very popular and it is important to understand how to use it and how it works.

After configuring both of the solutions we would like to benchmark them in terms of the amount of generated network traffic and used system resources.

(20)

Questions

References

Related documents

A statistically significant negative correlation was dem- onstrated in the study cohort between the maternal serum PIGF levels, foetal heart rate (FHR), birth weight and length,

Marie Laure Suites (Self Catering) Self Catering 14 Mr. Richard Naya Mahe Belombre 2516591 [email protected] 61 Metcalfe Villas Self Catering 6 Ms Loulou Metcalfe

The corona radiata consists of one or more layers of follicular cells that surround the zona pellucida, the polar body, and the secondary oocyte.. The corona radiata is dispersed

During the inspection of the core compliance and special emphasis items you will make notes and start categorizing your notes into deficiencies, observations, and government

The CEPS load application case study demonstrates that specification-based se- curity testing based on a security-enriched model can indeed be successfully applied for the

Its indication is compared with that of another instrument whose accuracy is at least an order magnitude better than the instrument being calibrated.. ERROR = ACTUAL READING

5.4 ISO SETUP menu: Setting of the basic ISOMETER® functions The response values (Alarm 1/2, prewarning and main alarm), the operating principle of the alarm relays K1 and K2 (N.O

Odds ratios for educational trajectories compared to entering university based on individuals’ genome-wide polygenic score, socioeconomic status and past academic achievement..