This document introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.
The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL. This was recently published as an IETF Internet-Draft, The TLS Protocol Version 1.0. Netscape products will fully support TLS.
This document is primarily intended for administrators of Netscape server products, but the information it contains may also be useful for developers of applications that support SSL.
The technique involves sending fake or 'spoofed' ARP messages onto the Ethernet LAN. The aim is to have devices on the network associate the attacker's MAC address with the IP address of another host, which diverts traffic intended for that host to the attacker's machine. In many cases the attacker will target a specific service or piece of network infrastructure such as a default gateway or proxy server. If successful, any traffic meant for the targeted IP address ends up at the attacker's host instead. The attacker can then choose to forward the traffic on to the real host, having recorded the intercepted data or possibly modified it. ARP spoofing can also be used for an effective denial of service attack by associating a nonexistent MAC address with the targeted IP address.
Most people see the risk from ARP spoofing as an insider trying to sniff for login details or intercept web traffic over SSL. But something that is starting to rear its ugly little head is malware that uses ARP spoofing as a means to inject code into web traffic and compromise user login information.
THE SSL PROTOCOL:
The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.
These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks:
- SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.
- SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.
- An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering--that is, for automatically determining whether the data has been altered in transit.
Netscape's SSL-enabled client software always requires server authentication, or cryptographic validation by a client of the server's identity. As explained in The SSL Handshake, the server sends the client a certificate to authenticate itself. The client uses the certificate to authenticate the identity the certificate claims to represent.
To authenticate the binding between a public key and the server identified by the certificate that contains the public key, an SSL-enabled client must receive a "yes" answer to the four questions shown in Figure 2. Although the fourth question is not technically part of the SSL protocol, it is the client's responsibility to support this requirement, which provides some assurance of the server's identity and thus helps protect against a form of security attack known as "man in the middle."
An SSL-enabled client goes through these steps to authenticate a server's identity:
- Is today's date within the validity period? The client checks the server certificate's validity period. If the current date and time are outside of that range, the authentication process won't go any further. If the current date and time are within the certificate's validity period, the client goes on to Step 2.
- Is the issuing CA a trusted CA? Each SSL-enabled client maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure 2. This list determines which server certificates the client will accept. If the distinguished name (DN) of the issuing CA matches the DN of a CA on the client's list of trusted CAs, the answer to this question is yes, and the client goes on to Step 3. If the issuing CA is not on the list, the server will not be authenticated unless the client can verify a certificate chain ending in a CA that is on the list (see CA Hierarchies for details).
- Does the issuing CA's public key validate the issuer's digital signature? The client uses the public key from the CA's certificate to validate the CA's digital signature on the server certificate being presented. If the information in the server certificate has changed since it was signed by the CA or if the CA certificate's public key doesn't correspond to the private key used by the CA to sign the server certificate, the client won't authenticate the server's identity. If the CA's digital signature can be validated, the client treats the server's certificate as a valid "letter of introduction" from that CA and proceeds. At this point, the client has determined that the server certificate is valid. It is the client's responsibility to take Step 4 before Step 5.
- Does the domain name in the server's certificate match the domain name of the server itself? This step confirms that the server is actually located at the same network address specified by the domain name in the server certificate. Although Step 4 is not technically part of the SSL protocol, it provides the only protection against a form of security attack known as a Man-in-the-Middle Attack. Clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names don't match. If the server's actual domain name matches the domain name in the server certificate, the client goes on to Step 5.
- The server is authenticated. The client proceeds with the SSL handshake. If the client doesn't get to step 5 for any reason, the server identified by the certificate cannot be authenticated, and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server requires client authentication, the server performs the steps described in Client Authentication.
After the steps described here, the server must successfully use its private key to decrypt the premaster secret the client sends in Step 4 of The SSL Handshake. Otherwise, the SSL session will be terminated. This provides additional assurance that the identity associated with the public key in the server's certificate is in fact the server with which the client is connected.
The "man in the middle" is a rogue program that intercepts all communication between the client and a server with which the client is attempting to communicate via SSL. The rogue program intercepts the legitimate keys that are passed back and forth during the SSL handshake, substitutes its own, and makes it appear to the client that it is the server, and to the server that it is the client.
The encrypted information exchanged at the beginning of the SSL handshake is actually encrypted with the rogue program's public key or private key, rather than the client's or server's real keys. The rogue program ends up establishing one set of session keys for use with the real server, and a different set of session keys for use with the client. This allows the rogue program not only to read all the data that flows between the client and the real server, but also to change the data without being detected. Therefore, it is extremely important for the client to check that the domain name in the server certificate corresponds to the domain name of the server with which a client is attempting to communicate--in addition to checking the validity of the certificate by performing the other steps described in Server Authentication.
SSL-enabled servers can be configured to require client authentication, or cryptographic validation by the server of the client's identity. When a server configured this way requests client authentication (see Step 6 of The SSL Handshake), the client sends the server both a certificate and a separate piece of digitally signed data to authenticate itself. The server uses the digitally signed data to validate the public key in the certificate and to authenticate the identity the certificate claims to represent.
The SSL protocol requires the client to create a digital signature by creating a one-way hash from data generated randomly during the handshake and known only to the client and server. The hash of the data is then encrypted with the private key that corresponds to the public key in the certificate being presented to the server.
To authenticate the binding between the public key and the person or other entity identified by the certificate that contains the public key, an SSL-enabled server must receive a "yes" answer to the first four questions shown in Figure 3. Although the fifth question is not part of the SSL protocol, Netscape servers can be configured to support this requirement to take advantage of the user's entry in an LDAP directory as part of the authentication process.
An SSL-enabled server goes through these steps to authenticate a user's identity:
- Does the user's public key validate the user's digital signature? The server checks that the user's digital signature can be validated with the public key in the certificate. If so, the server has established that the public key asserted to belong to John Doe matches the private key used to create the signature and that the data has not been tampered with since it was signed. At this point, however, the binding between the public key and the DN specified in the certificate has not yet been established. The certificate might have been created by someone attempting to impersonate the user. To validate the binding between the public key and the DN, the server must also complete Step 3 and Step 4.
- Is today's date within the validity period? The server checks the certificate's validity period. If the current date and time are outside of that range, the authentication process won't go any further. If the current date and time are within the certificate's validity period, the server goes on to Step 3.
- Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure 3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server's list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4. If the issuing CA is not on the list, the client will not be authenticated unless the server can verify a certificate chain ending in a CA that is on the list (see CA Hierarchies for details). Administrators can control which certificates are trusted or not trusted within their organizations by controlling the lists of CA certificates maintained by clients and servers.
- Does the issuing CA's public key validate the issuer's digital signature? The server uses the public key from the CA's certificate (which it found in its list of trusted CAs in Step 3) to validate the CA's digital signature on the certificate being presented. If the information in the certificate has changed since it was signed by the CA or if the public key in the CA certificate doesn't correspond to the private key used by the CA to sign the certificate, the server won't authenticate the user's identity. If the CA's digital signature can be validated, the server treats the user's certificate as a valid "letter of introduction" from that CA and proceeds. At this point, the SSL protocol allows the server to consider the client authenticated and proceed with the connection as described in Step 6. Netscape servers may optionally be configured to take Step 5 before Step 6.
- Is the user's certificate listed in the LDAP entry for the user? This optional step provides one way for a system administrator to revoke a user's certificate even if it passes the tests in all the other steps. The Netscape Certificate Server can automatically remove a revoked certificate from the user's entry in the LDAP directory. All servers that are set up to perform this step will then refuse to authenticate that certificate or establish a connection. If the user's certificate in the directory is identical to the user's certificate presented in the SSL handshake, the server goes on to Step 6.
- Is the authenticated client authorized to access the requested resources? The server checks what resources the client is permitted to access according to the server's access control lists (ACLs) and establishes a connection with appropriate access. If the server doesn't get to Step 6 for any reason, the user identified by the certificate cannot be authenticated, and the user is not allowed to access any server resources that require authentication.
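The server-authentication and client-authentication checks described above, carried out on constructed certificates. This is an added example, not Netscape's code or any SSL library's internals: it generates a test CA and leaf certificates with Go's crypto/x509, answers the questions the two lists share (validity period, trusted issuing CA matched by DN, issuer signature) once, adds the domain-name match for servers and the handshake-signature check for clients, and uses an ECDSA signature where the text describes encrypting a hash with an RSA private key. The issue helper, the certificate names and the handshake bytes are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent (self-signed
// when parent is nil). Hypothetical fixture helper, not part of any SSL library.
func issue(cn string, dns []string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, // CheckSignatureFrom needs IsCA on the issuer
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkCertificate answers the questions both lists share: validity period, issuing CA
// on the trusted list (matched by DN), and that CA's public key validating the signature.
func checkCertificate(cert *x509.Certificate, trusted []*x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	for _, ca := range trusted { // chain building through intermediate CAs is left out
		if ca.Subject.String() == cert.Issuer.String() {
			return cert.CheckSignatureFrom(ca) // nil only if the CA's public key validates it
		}
	}
	return errors.New("issuing CA is not on the trusted list")
}

// AuthenticateServer adds the fourth question, the domain-name match: without it a
// man-in-the-middle presenting some other valid certificate would be accepted.
func AuthenticateServer(server *x509.Certificate, trusted []*x509.Certificate, host string, now time.Time) error {
	if err := checkCertificate(server, trusted, now); err != nil {
		return err
	}
	return server.VerifyHostname(host)
}

// ClientSign hashes the handshake data and signs the digest with the private key
// matching the client certificate (ECDSA here; the text describes the RSA form).
func ClientSign(key *ecdsa.PrivateKey, handshake []byte) []byte {
	digest := sha256.Sum256(handshake)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return sig
}

// AuthenticateClient: the signature must validate with the certificate's public key, then the shared checks run.
func AuthenticateClient(client *x509.Certificate, sig, handshake []byte, trusted []*x509.Certificate, now time.Time) error {
	pub, ok := client.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(handshake)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not validate with the certificate's public key")
	}
	return checkCertificate(client, trusted, now)
}
```

Each rejection path corresponds to one numbered question above: an expired certificate, an issuer missing from the trusted list, a name mismatch, and a signature made with a key that does not match the presented certificate all fail.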
ARP Spoofing Malware
Earlier in the year Neil Carpenter blogged about an incident he was involved with where a piece of malware was using ARP spoofing on a customer's network to intercept and modify web traffic by inserting a malicious IFRAME into every web page visited. In this instance the malware would direct the victim to a page that exploited MS07-017, better known as the Animated Cursor Vulnerability. This wasn't the first time ARP spoofing had been used by malware; for example, W32/Snow.a used it to attempt a denial of service attack during early 2006. More recently, in October 2007 the Chinese Internet Security Response Team (C.I.S.R.T) reported that they suspected a similar attack had been used to compromise user sessions to their web sites. The possibilities of a successful ARP spoofing attack are significant, and its use for injection has great potential for further attacks. For example, not only can any HTML be injected into any web page the user downloads, but any executable the user copies or downloads over the network could be infected. Barnaby Jack showed a neat trick with compromised D-Link routers using firmware at EuSecWest in 2006 that allowed the injection of modified executables; ARP spoofing would provide an ideal mechanism for this style of injection into anything downloaded, with potentially serious results.
When used for sniffing, nothing on the network is safe: any clear text login request or session token sent over the network is ripe for stealing. The classic man in the middle attack many consultants warn about for SSL sessions is a real possibility, as we all know that only a small number of users actually check the SSL certificate warnings before pressing 'Yes' to allow the connection. They have all been conditioned to check for the little lock, so if the connection between them and the compromised host is 'SSL'd up' they are probably not going to notice.
However, all this said, ARP spoofing does have its problems. As discussed, it can act as an effective denial of service, and if something goes wrong the end user will often notice. On a large network a successful ARP spoofing attack could result in a lot of traffic heading through one host, which could well cause massive degradation in that host's performance. This style of attack would probably have more success within a smaller networking environment. In any environment with network switching equipment that has features like 'Port Security' in place, ARP spoofing attacks are unlikely to work as intended, as these technologies have been developed to help address this well known problem.
There are various ways to defend against ARP spoofing attacks. The first obvious thing, which is specific to malware that uses this style of attack, is to ensure that anything you download is scanned using an up to date anti-virus scanner, and that the file you download comes from a legitimate source.
There is no magic bullet for ARP spoofing; the best defense is to have static ARP entries for every machine on a network. Unfortunately that is not practical for most corporate environments, so various technologies have been developed to help fight it. The first of these is something called 'Port Security'. Port Security is part of the firmware that runs on network switching infrastructure, and it prevents changes to the MAC address tables on the switch. Depending on the implementation, the firmware may also be able to lock a switch port if it sees too many MAC addresses on the port or if the MAC address changes frequently. This in itself is not a cure-all, but it will hamper an ARP spoofing attack.
MAC address cloning can be detected using RARP (Reverse ARP), in which a system looks up a known MAC address and requests the associated IP address. If the requesting machine gets multiple responses for a single MAC address then you could have an instance of MAC cloning, which can reveal when a piece of infrastructure like a router or proxy is being targeted on a network for ARP spoofing.
There are detection technologies such as ARPwatch that monitor a network for ARP requests and generate alerts when they detect suspicious ARP traffic; this is probably the best method for combating ARP spoofing attacks. Many IDS systems have the same capability. However, just how many people actually implement IDS on internal networks?
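An ARPwatch-style monitor that combines the three defences just described: static entries for key hosts, an alert when the MAC bound to an IP changes, and detection of one MAC answering for several IPs (the condition a RARP lookup would expose). This is an added example written for this page, not ARPwatch's code; the capture lines are constructed in a tcpdump-like "reply <ip> is-at <mac>" form and all addresses are made up.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Alert records one suspicious ARP observation (Old is the previous or static MAC, or the other IPs sharing it).
type Alert struct {
	Kind, IP, Old, New string
}

// Monitor pairs administrator-pinned static entries (lowercase MACs) with bindings learned from the wire.
type Monitor struct {
	static, learned map[string]string
}

func NewMonitor(static map[string]string) *Monitor {
	return &Monitor{static: static, learned: map[string]string{}}
}

// Observe processes one ARP reply and returns the alerts it raises.
func (m *Monitor) Observe(ip, mac string) []Alert {
	mac = strings.ToLower(mac)
	var alerts []Alert
	// A pinned host (router, proxy) must never be claimed by another hardware address.
	if want, ok := m.static[ip]; ok && want != mac {
		alerts = append(alerts, Alert{"static-conflict", ip, want, mac})
	}
	// ARPwatch's classic "changed ethernet address"; DHCP reassignments trigger it too, so it is a lead, not proof.
	if old, ok := m.learned[ip]; ok && old != mac {
		alerts = append(alerts, Alert{"changed-mac", ip, old, mac})
	}
	m.learned[ip] = mac
	// MAC cloning: one hardware address answering for several IPs, the pattern a RARP lookup
	// of that MAC would expose (multi-homed hosts do this legitimately, hence report, not block).
	var owners []string
	for otherIP, otherMAC := range m.learned {
		if otherMAC == mac && otherIP != ip {
			owners = append(owners, otherIP)
		}
	}
	if len(owners) > 0 {
		sort.Strings(owners)
		alerts = append(alerts, Alert{"mac-shared", ip, strings.Join(owners, ","), mac})
	}
	return alerts
}

// Run feeds each constructed capture line of the form "reply <ip> is-at <mac>" through a fresh Monitor.
func Run(static map[string]string, capture string) []Alert {
	m, all := NewMonitor(static), []Alert{}
	for _, line := range strings.Split(capture, "\n") {
		if f := strings.Fields(line); len(f) == 4 && f[0] == "reply" && f[2] == "is-at" {
			all = append(all, m.Observe(f[1], f[3])...)
		}
	}
	return all
}

// Constructed capture: the gateway answers normally, host .50 appears, then .50's
// MAC claims the gateway IP (the spoof), then the real gateway answers again.
const sampleCapture = `reply 192.168.1.1 is-at 00:11:22:33:44:55
reply 192.168.1.50 is-at aa:bb:cc:dd:ee:ff
reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff
reply 192.168.1.1 is-at 00:11:22:33:44:55`

func main() {
	for _, a := range Run(map[string]string{"192.168.1.1": "00:11:22:33:44:55"}, sampleCapture) {
		fmt.Println(a.Kind, a.IP, a.Old, "->", a.New)
	}
}
```

The third capture line raises all three alert kinds at once, and the gateway's own reply afterwards shows up as a second "changed-mac" flip-flop, which is how a poisoning episode typically looks in ARPwatch's log.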
SSL VULNERABILITY:
Black Hat: new ways to attack SSL
Moxie Marlinspike has told the ongoing Black Hat security conference of a new way to attack browser connections with secure sockets layer (SSL) protection, enabling him to steal login data from users of Yahoo, Google and PayPal. Moxie's method is not aimed directly at cracking an SSL connection, but exploits the fact that users rarely call up a page with an https:// prefix. What they do in practice is first call up the unencrypted page, and then click a button to take them to a (supposedly) encrypted page to log in.
To exploit this, Marlinspike has developed SSLstrip, a man-in-the-middle proxy that, in principle, changes all the user's https requests into http requests. The proxy then connects to the server called up by the victim, and grabs all of its content. Where necessary, say during log-in, the proxy communicates with the server in encrypted form, but sends all the data it got from the server back to the client unencrypted, so no SSL connection whatsoever is made, and no error message appears in the browser to report an invalid certificate. A vigilant user may of course observe that the browser isn't indicating a secure connection, with only http:// showing in the address line, but the sight of a padlock icon is enough to persuade most users that nothing dodgy is going on.
Marlinspike showed other methods that enable an attacker's own certificates to display all security features in the browser, without provoking an error message. Among these are certificates for internationalized domain names (those containing special characters), and some others, that at first glance don't look like domain names at all. An example quoted by Marlinspike is .ijjk.cn in the URL https://www.gmail.com/accounts/ServiceLogin?!f.ijjk.cn, which most users would probably take to be a parameter for a Gmail account. Although this isn't really a new method, combining it with SSLstrip would make attacks on connections considerably more successful.
However, this only works as a man-in-the-middle attack, so the attacker has to divert his victim's connections through his proxy. While this isn't a big problem on a LAN, say using address resolution protocol (ARP) spoofing, attacks on home users normally require the manipulation of network or router settings, or DNS cache poisoning.
The attack doesn't exploit any vulnerability in the SSL protocol, or in the validation of certificates. The vulnerability lies, rather, in the interfaces between protocols, user interfaces, and the users themselves - and that's nothing new.
Method for securing authorized data entry and the device to perform this method
The invention relates to a method of securing authorized data entry and securing the authenticity of data that enters cryptographic operations performed by external cryptographic tokens connected to the PC and, in addition, it relates to a device to perform the method.
The current state of the art describes methods of performing security schemes based upon conventional computer architecture which utilize cryptographic methods. These methods are usually based upon the use of HW secure tokens (smart cards, secure USB devices). This ensures high security of cryptographic key storage and the authorized use of cryptographic keys (PIN entry is required to access token-based operations). Securing the authenticity of data entering token operations causes bigger problems. Applications utilizing external cryptographic tokens to secure data can show the client the correct data intended to be processed (such as a payment order to the client's bank); however, an unreliable computer environment cannot guarantee that the data will actually be sent to the token and processed therein in identical form. Harmful software can modify the data and thus damage the client's interests (e.g. modify the recipient's account in the payment order or alter the amount).
Disclosure of Invention
The afore-said problem can be eliminated if the input data entering cryptographic operations (or at least their informatively significant section) are sent, using a special module, directly from the input device (of Human Interface Device type, i.e. typically a keyboard) to the token in a way that prevents any modification of the data, allowing the control system (typically a computer) at most to display the data.
It is advantageous if the input device is a conventional keyboard or a keyboard with an integrated smart card reader.
Advantageously, the STM module is equipped with a signalling means to signal the initiation and the end of the secure typing mode and the success of cryptographic verification of the integrity of the input data template.
The method for authorized typing of data entering cryptographic operations performed in an external HW token according to the present invention is an industrially applicable solution which can be used especially in electronic banking applications (with a small volume of typed data) where it is vital to implement a strong principle of non-repudiation and, furthermore, where it is advisable to secure the PIN code value against capture by harmful software on the computer. Essential disclosures of the present solution include a significant strengthening of security, low costs to achieve this security and the fact that the solution does not change the ergonomic methods used by external tokens' users.
ARP spoofing is an attack that is often underestimated, yet if successful it has far reaching consequences. ARP spoofing malware is a growing problem, and malware authors are beginning to implement this technique to steal information and inject malicious traffic. So don't expect to see the threat go away.
There are technologies out there which can defend against ARP spoofing attacks; however, they are often limited to higher-end network infrastructure, so the protection will be out of reach of most home users and probably many small businesses. For that end of the market the best defense is an up to date virus scanner and personal firewall, and setting up static ARP entries for your router/firewall and other key resources. For enterprises, implementing port security across network switching infrastructure is a key defence, along with implementing ARP monitoring and detection technologies.