JOURNAL OF COMPUTER SCIENCE AND ENGINEERING (ISSN: 2043-9091), VOLUME 10, ISSUE 2, DECEMBER 2011

User Secure Tunnel over a Non-Secure Internet based on Cryptography

Ghossoon. M. W. Al-Saadoon
Ass. Professor, College of Administrative Science, Applied Science University, Manama, Kingdom of Bahrain

Abstract - A Virtual Private Network (VPN) is a secure private communication tunnel between two or more devices across a public network such as the Internet. These devices may be either computers running VPN software or special devices such as VPN-enabled routers. A VPN allows home computers to be connected to an office network, or two home computers to be connected over the Internet. A major security problem faced by administrators in an enterprise is the ability of an eavesdropper to monitor the network. Without strong encryption services, data can be read by others when it traverses the network. This is also known as data interception, in which an attacker can modify the data in the packet without the knowledge of the sender or receiver during the packet's transit. Most network communications occur in an unsecured or "clear text" format, which allows an attacker who has gained access to data paths in a network to "listen in" or interpret (read) the traffic. When an attacker eavesdrops on communications, it is referred to as sniffing or snooping. This paper describes how to ensure the privacy and confidentiality of a user's message when it is transmitted over the Internet. Given the ubiquity of the Internet, and the considerable expense of private leased lines, many organisations build VPNs (Virtual Private Networks). The objective of this paper was to create a secure passage (tunnel) for the user's data to travel over the non-secure Internet using OpenVPN. Data were encrypted to provide privacy and security using Gnu Privacy Guard (GPG) and then decrypted to check whether the correct message had been safely received.

Index Terms - Encryption, Gnu Privacy Guard, Privacy, Security and Virtual Private Network.

1. INTRODUCTION
Network security refers to any activities designed to protect the usability, reliability, integrity and safety of a network and its data. Effective network security targets a variety of threats and stops them from entering or spreading on a network [1,3]. The networks in question are computer networks, both public and private, that are used daily to conduct transactions and communications among businesses, government agencies and individuals. The networks consist of "client" terminals (individual user PCs) and one or more "servers" and/or "host" computers. They are linked by communication systems, some of which might be private, such as within a company, and others that may be open to public access [2]. In many networking protocols, transmitted data is split into small segments, or packets, with the Internet Protocol address of the destination computer written into the header of each packet. These packets are then forwarded by routers and eventually reach the network segment that contains the destination computer. As each packet travels around that destination segment, the network card on each computer on the segment examines the address in the header. If the destination address matches the computer's IP address, the network card grabs the packet and passes it on to its host [15]. Packet filtering is a security firewall function that examines all data packets [12,13]. Individual packets are forwarded or dropped based on predefined rules that specify where a packet is permitted to go, taking into account both the authenticated identification of the user and the originating address of the request [14].
2. METHODOLOGY

The methodology is divided into four stages: configuring the VPN using OpenVPN, encryption using the GnuPG encryption method, capture and analysis of packets, and decryption.

In the first stage, the VPN is configured using OpenVPN, an open source, cross-platform, SSL-based VPN solution capable of accommodating a number of situations, including both remote access and site-to-site secure communication (for example a remote office). This method is used to create a private tunnel between two laptops to provide a secure passage over which data can travel.

The second stage, Encryption, is undertaken using the GnuPG encryption method. The document file (.txt) is encrypted and then sent via email using the VPN as an interface. The VPN is used to provide a secured passage for the email to pass through the network.

The third stage includes sniffing, capturing and analysing the packets. In this stage, packets are captured to detect the SMTP protocol [9,10] while the encrypted attachment is sent through the OpenVPN interface. This can be achieved by using Libpcap programming to examine the network traffic data packets coming into port 25, the well-known Simple Mail Transfer Protocol (SMTP) port. Packet sniffing originated with the need to obtain raw packets across the several layers beneath the application protocol. The packets or data frames are normally stripped of their headers and passed to the upper layers. However, in promiscuous mode, raw packets of lower layers can be directly obtained alongside their headers. This paper checks email headers.

Figure 1. System Design for VPN Data Security using GPG

The final stage is Decryption. This is done using the secret key, which is owned by the receiver.

© 2012 JCSE www.journalcse.co.uk
2.1 SYSTEM REQUIREMENTS

Three important software requirements are used as tools:

a. The operating system: Ubuntu is based on the Debian Linux distribution. It is distributed as free and open source software [15].

b. OpenVPN: the OpenVPN implementation uses the Internet as its transport mechanism while maintaining the security of the data on the VPN. OpenVPN was used in this research to make a secure tunnel between the two networks, with IP routed through it [4].

c. Gnu Privacy Guard (GPG) is a command line tool without any graphical features. GnuPG allows data and communication to be encrypted and signed, and features a versatile key management system as well as access modules for various public key directories [7].

2.2 SYSTEM DESIGN

The system design is shown in Figure 1. This includes development by protecting a type of document using an encryption method after filtering has taken place. The process includes the following main steps:

OpenVPN Setup between two Host PCs
GPG Encryption Tool Implementation
Generating GPG/PGP keys on Ubuntu Linux
Using Libpcap Library package to Sniff SMTP packets

2.2.1 OPENVPN SETUP BETWEEN TWO HOST PCS

The configuration is based on two PCs running Ubuntu: the Server and client1. Clients are used to create an OpenVPN tunnel. The private network is the network created for the VPN by using 10.172.0.0 and IPs such as 10.172.0.1 and 10.172.0.2, etc. All commands must be run as root. Root gives access as a super user. The main steps are as follows:

1. Installation of OpenVPN on both Server and Client.
2. Creation of keys and certificates: the purpose of these keys is to provide security.
3. Creation of configuration files for server and client.
4. Configuration of IPTables and IP forwarding for performing NAT on the server.
5. Restarting OpenVPN on both client and server.

2.2.2 GPG ENCRYPTION TOOL IMPLEMENTATION

The GPG encryption tool is used to encrypt a file and send it to another computer where the decryption process will be undertaken. Two computers are therefore needed in this process: the Sender and the Receiver. The Sender is the PC on which the encryption is carried out. The Receiver is the PC on which decryption is carried out. All commands must be run as root.
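For steps 3 and 4 of the OpenVPN setup in section 2.2.1, the following added example (not the paper's own Figure 4 files) renders the server and client configuration and the NAT rules for the 10.172.1.0/24 tunnel network, and checks the point made later in the paper that the client's `remote` must be the server's public address. The directive names are standard OpenVPN ones; the certificate paths, the interface name `eth0` and the address `203.0.113.10` (a documentation range) are constructed placeholders.

```python
"""Render the OpenVPN server/client configuration and NAT rules that steps
3 and 4 of section 2.2.1 call for, and check the point the paper stresses:
the client's 'remote' must be the server's public IP, not a private one.

Added example, not the paper's Figure 4. Directive names are standard
OpenVPN ones; certificate paths, the interface name eth0 and the public
address 203.0.113.10 (a documentation range) are constructed.
"""
import ipaddress

VPN_NET = ipaddress.ip_network("10.172.1.0/24")      # tunnel network from the paper
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def server_conf(vpn_net=VPN_NET, port=1194):
    """server.conf: routed TUN tunnel (dev tun) with LZO compression, as described."""
    return "\n".join([
        f"port {port}", "proto udp", "dev tun",
        "ca ca.crt", "cert server.crt", "key server.key", "dh dh1024.pem",
        f"server {vpn_net.network_address} {vpn_net.netmask}",   # server takes .1, clients .2 onwards
        "keepalive 10 120", "comp-lzo", "persist-key", "persist-tun",
    ])


def client_conf(server_remote, port=1194):
    """client1's openvpn.conf, using the three files (ca.crt, client1.crt, client1.key) sent over scp."""
    return "\n".join([
        "client", "dev tun", "proto udp",
        f"remote {server_remote} {port}",
        "ca ca.crt", "cert client1.crt", "key client1.key",
        "comp-lzo", "persist-key", "persist-tun",
    ])


def nat_rules(vpn_net=VPN_NET, wan_if="eth0"):
    """Step 4: enable IP forwarding and masquerade tunnel traffic leaving the server."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {vpn_net} -o {wan_if} -j MASQUERADE",
    ]


def check_client_remote(conf):
    """Return (ok, reason): 'remote' must not be an RFC 1918 or tunnel address,
    because the client reaches the server across the Internet."""
    for line in conf.splitlines():
        if line.startswith("remote "):
            addr = ipaddress.ip_address(line.split()[1])
            if addr in VPN_NET or any(addr in n for n in RFC1918):
                return False, f"remote {addr} is a private address; use the server's public IP"
            return True, f"remote {addr} is routable from the Internet"
    return False, "client config has no remote directive"
```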
GPG/PGP keys have to be generated on both the Sender's and Receiver's PCs. The Sender must encrypt a file using the Receiver's public key, with the decryption process done by the Receiver using his or her secret/private key, or vice versa. A series of questions are presented to generate the private key, as follows:

1. Please select a kind of encryption:
   a. DSA (default)
   b. DSA (sign only)
   c. RSA (sign only)
The above option shows several public encryption types. The DSA and ElGamal method is the default method chosen to encrypt the secret key.

2. The DSA key pair has 1024 bits.

3. ELG-E keys may be between 1024 and 4096 bits long. What key size do you want? (2048). The recommended key size would be 1024 bits long.

4. Please specify the length of time for which the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
   Key is valid for? (0)

5. A user ID to identify the key: the software constructs the user ID from the Real Name, Comment and Email Address in this form, for example: “Heinrich Heine (Der Dichter)” (Real name, Email address, and Comment). In this section, name, email address and comment are requested. Any of this information can be used to encrypt, decrypt or publish the private key.

6. A passphrase is required to protect the secret key. Enter passphrase: A brown lazy fox jumps over the wall on a lazy dog. A passphrase is now needed to protect the secret key that has been created. This passphrase is equivalent to a password. It is used for authentication purposes. Passphrases should be long and difficult to guess, as if they are known by another user, he or she would be able to impersonate the owner and send out malicious messages.

7. The secret key is then generated.

8. The generated keys. After generating a private key, the public version of the private key is generated.

Sending and Receiving encrypted files using GPG keys.

The private and public keys that have been created are used to encrypt and decrypt a file. The sender encrypts a file using the receiver's public key and sends it to the receiver. The receiver receives the encrypted file and decrypts it using his or her private key.

Steps for Sender
1. Import receiver's key.
2. Verify the imported public key.
3. Encrypt a file using Receiver's public key.
4. Send the encrypted file to Receiver.

Steps for Receiver
A. Decryption of the file.

Sending the email includes two phases: SendEmail Implementation and Sending email using SendEmail.

SendEmail Implementation: SendEmail is a command line tool used to send email. All fields of the sent e-mails (such as the sender and reply-to addresses, recipients, message body, subject and attachments) are specified as command-line arguments, as well as other parameters (such as the SMTP server name, user and passphrase for the SMTP account, and network timeouts). Several common options used to send emails are shown in Figure 2.

Figure 2. Options in SendEmail

Sending email using SendEmail: The SendEmail command must first be installed on the Ubuntu system. It can then be called from the command line, for example:

# sendEmail -f [email protected] -t [email protected] -u hi -m "Hi there, how are u doing?"
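The interactive answers in steps 1 to 6 above correspond one-to-one to the fields of GnuPG's unattended key-generation parameter file (`gpg --batch --gen-key params.txt`). The following is an added example, not the paper's own commands: it renders that file from the answers and validates the expiry syntax the step-4 prompt accepts. The parameter keys (Key-Type, Key-Length, Subkey-Type, Subkey-Length, Name-Real, Name-Comment, Name-Email, Expire-Date, Passphrase, %commit) are GnuPG's documented ones; the e-mail address `heinrichh@example.org` is a constructed placeholder, since the page's example omits it.

```python
"""Map the interactive gpg --gen-key answers (steps 1-6) onto GnuPG's
unattended parameter file, and validate the expiry syntax of step 4.

Added example, not the paper's own commands. Parameter keys are GnuPG's
documented batch keys; the identity used in __main__ is constructed.
"""
import re

# Step 1 menu, as worded on the page, mapped to (primary key, encryption subkey).
KINDS = {
    "DSA (default)": ("DSA", "ELG-E"),     # DSA signing key + ElGamal encryption subkey
    "DSA (sign only)": ("DSA", None),
    "RSA (sign only)": ("RSA", None),
}

_EXPIRY = re.compile(r"^(0|[1-9]\d*[wmy]?)$")   # 0 | <n> | <n>w | <n>m | <n>y


def expiry_days(answer):
    """Interpret the step-4 answer. Returns days (0 = never) or raises ValueError."""
    answer = answer.strip() or "0"                # empty input takes the (0) default
    if not _EXPIRY.match(answer):
        raise ValueError(f"invalid expiry: {answer!r}")
    if answer == "0":
        return 0
    unit = {"w": 7, "m": 30, "y": 365}.get(answer[-1], 1)
    return int(answer.rstrip("wmy")) * unit


def user_id(real_name, comment, email):
    """Step 5: GnuPG forms the user ID as 'Real Name (Comment) <email>'."""
    return f"{real_name} ({comment}) <{email}>" if comment else f"{real_name} <{email}>"


def gen_key_params(kind, dsa_bits, elg_bits, expiry, real_name, comment, email, passphrase):
    """Render the parameter block; Key-Type must be the first line."""
    primary, subkey = KINDS[kind]
    expiry_days(expiry)                           # reject bad input before writing a file
    lines = [f"Key-Type: {primary}", f"Key-Length: {dsa_bits}"]
    if subkey:                                    # step 3 applies only to the ELG-E subkey
        lines += [f"Subkey-Type: {subkey}", f"Subkey-Length: {elg_bits}"]
    lines.append(f"Name-Real: {real_name}")
    if comment:
        lines.append(f"Name-Comment: {comment}")
    lines += [
        f"Name-Email: {email}",
        f"Expire-Date: {expiry}",
        f"Passphrase: {passphrase}",              # step 6: the file now holds a secret; restrict its mode and delete it after use
        "%commit",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed identity; the page's example user ID is 'Heinrich Heine (Der Dichter)'.
    print(gen_key_params("DSA (default)", 1024, 2048, "1y", "Heinrich Heine", "Der Dichter",
                         "heinrichh@example.org", "A brown lazy fox jumps over the wall on a lazy dog."))
```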
2.2.3 USING LIBPCAP LIBRARY PACKAGE TO SNIFF SMTP PACKETS

Libpcap provides implementation-independent access to the underlying packet capture facility provided by the operating system. This is achieved by programming with the pcap library to sniff and display some packet information. This enables specific information on the packets, such as packet number, source/destination port, payload and the protocol involved in a network, to be printed out.

3. EXPERIENCES OF CONNECTING

The connection includes two phases (OpenVPN and GPG Encryption Method).

First Phase

A. OpenVPN: In the OpenVPN Server, listing the generated keys is performed using the Diffie-Hellman and Elgamal methods to secure the secret key. The important certificates and keys are shown in Figure 3.

Figure 3. Certificates and keys for OpenVPN

There are three important certificates and keys: ca.crt, client1.crt and client1.key. These files are sent to client1 to configure the client OpenVPN using the scp function with RSA authentication. Secure Copy or SCP is a means of securely transferring computer files between a local and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.

B. OpenVPN Configuration files (Client and Server): The certificates and keys are used in the openvpn.conf file on client1. This configuration file defines the role of each PC, for example client or server. A public IP is used when OpenVPN is connected across the Internet, requiring the use of the public IP rather than the internal private address of the OpenVPN server. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP drivers. In this paper, TUN is used with routing. OpenVPN uses the LZO compression library to compress the data stream. Figure 4 shows the OpenVPN configuration file for the OpenVPN server. The IP address used here is, for example, 10.172.1.0. This IP address is used to create the virtual private network [3], where the IP addresses will be similar to 10.172.1.1 and 10.172.1.2.

Figure 4. OpenVPN Server Configuration file

Lastly, IP forwarding and IPTables configuration are done when running NAT on the server. Network Address Translation (NAT) is the process of modifying network address information in datagram (IP) packet headers while in transit across a traffic routing device, for the purpose of remapping a given address space into another. NAT is used in conjunction with IP masquerading. From the pinging result, the eth0 interface with the IP address 10.172.1.22 is unable to ping, whereas the newly created interface tun0 with the private IP address 10.172.1.2 can respond to the ping command. The ability to ping shows whether or not a particular host is reachable across an Internet Protocol (IP) network. Since the virtual private network that is created is reachable across the IP network, the OpenVPN tunnel may be considered a success, as shown in Figure 5.
Figure 5. Checking OpenVPN tunnel IP

Second Phase

A. Experiences on GPG Encryption Method: Secret keys on both the Sender and Receiver PCs are generated. The receiver's private key, the process of listing the generated private keys by the receiver and the process of creating the public version of the private key are carried out. The public key may be exported publicly. The exported public key is used by others to encrypt a message for the receiver.

B. Encrypting a file: To encrypt a file, the sender must first have the receiver's public key. The public key can be obtained from the Receiver by email or by taking it from the server. The public key of the Receiver is imported into the Sender's system and it is verified that the right key has been imported: the Receiver's key ID, 506ABCA1, is the same as the Receiver's key ID generated on the receiver's PC. The next step is to verify whether or not the public key has been successfully imported into the sender's system. This can be demonstrated by listing the keys, as in Figure 6.

Figure 6. Verifying the imported Public Key

The receiver's public key will then be used to encrypt the file. The signature of the receiver is required for authentication purposes. After encryption has taken place, the file “Test1.c.gpg” is automatically created. This file is the encrypted file, as shown in Figure 7.

Figure 7. Listing Encrypted File

C. Sending Encrypted Attachment using SendEmail: The SendEmail program is used to send the encrypted email attachment from the command line.

D. Decryption Method on a Receiver's PC: It is difficult to open the encrypted file that was sent by the sender, as the file has yet to be decrypted. The unreadable form of the message in the encrypted file is shown in Figure 8. When data interception occurs, the intruder will not be able to read the message in the file as it is encrypted. To decrypt the message, a passphrase is required to unlock the secret key of the receiver. This is to verify the identity of the owner of the secret key.

Figure 8. Unreadable form of encrypted message

If a wrong passphrase were used, a notification would be given to the receiver informing him or her that an invalid passphrase had been entered. If a wrong passphrase is entered three times, the decryption shows a fail notification.
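The sniffing stage of section 2.2.3 and the interception point made above can be illustrated together: a pcap callback on port 25 recovers protocol, ports and payload, so SMTP commands are readable in the clear, while a GPG-armored body shows only its armor header, and traffic carried inside the OpenVPN tunnel appears on the physical interface as opaque UDP. The following is an added example, not the paper's libpcap program; it decodes Ethernet/IPv4/TCP-or-UDP frames that are constructed in code rather than read from a capture, with placeholder MAC and IP addresses and OpenVPN's default port 1194 assumed for the tunnel.

```python
"""Decode what a libpcap-style sniffer on port 25 sees (section 2.2.3):
packet number, protocol, source/destination port and payload.
Added example; frames below are constructed, not a real capture."""
import struct

SMTP_PORT, OPENVPN_PORT = 25, 1194
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL FROM:", b"RCPT TO:", b"DATA", b"QUIT")
ETH_HDR = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"  # placeholder MACs, IPv4


def build_frame(proto, sport, dport, payload, src=b"\x0a\xac\x01\x01", dst=b"\x0a\xac\x01\x02"):
    """Ethernet II + IPv4 + TCP(6)/UDP(17) frame for 10.172.1.1 -> 10.172.1.2; checksums left 0."""
    if proto == 6:   # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0, src, dst)
    return ETH_HDR + ip + l4 + payload


def parse_frame(raw):
    """Return (proto_name, sport, dport, payload), or None if not IPv4 TCP/UDP."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        return None
    ihl = (raw[14] & 0x0F) * 4                    # IPv4 header length
    total_len = struct.unpack("!H", raw[16:18])[0]
    proto, l4 = raw[23], 14 + ihl
    sport, dport = struct.unpack("!HH", raw[l4:l4 + 4])
    if proto == 6:
        name, hdr_len = "TCP", (raw[l4 + 12] >> 4) * 4
    elif proto == 17:
        name, hdr_len = "UDP", 8
    else:
        return None
    return name, sport, dport, raw[l4 + hdr_len:14 + total_len]


def classify(num, raw):
    """One report line per packet, in the spirit of the paper's pcap output."""
    parsed = parse_frame(raw)
    if parsed is None:
        return f"#{num}: not IPv4 TCP/UDP"
    name, sport, dport, payload = parsed
    if name == "TCP" and SMTP_PORT in (sport, dport):
        if payload.startswith(SMTP_VERBS):
            return f"#{num}: SMTP command in clear: {payload.strip().decode()}"
        if b"-----BEGIN PGP MESSAGE-----" in payload:
            return f"#{num}: SMTP body is PGP-armored; contents unreadable to the sniffer"
        return f"#{num}: SMTP data, {len(payload)} bytes"
    if name == "UDP" and OPENVPN_PORT in (sport, dport):
        return f"#{num}: OpenVPN tunnel packet, {len(payload)} opaque bytes"
    return f"#{num}: {name} {sport}->{dport}, {len(payload)} bytes"


# Constructed traffic: two SMTP segments as seen on the LAN without the tunnel,
# then what the same interface shows once the mail travels inside OpenVPN.
SAMPLE_FRAMES = [
    build_frame(6, 40001, SMTP_PORT, b"MAIL FROM:<sender@example.org>\r\n"),
    build_frame(6, 40001, SMTP_PORT, b"-----BEGIN PGP MESSAGE-----\r\n(ciphertext)\r\n"),
    build_frame(17, 1194, OPENVPN_PORT, bytes(range(48))),
]


def sniff_report(frames=SAMPLE_FRAMES):
    return [classify(i + 1, f) for i, f in enumerate(frames)]
```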
Figure 9. Decryption with the correct passphrase

Figure 9 shows the decryption performed with the correct passphrase entered. This will output the decrypted file in the same directory. As shown above, Test1.c appeared, and this file may then be opened with any editor.

4. CONCLUSION

In the past, an organisation wishing to provide connectivity between a main office and a satellite one had to lease an expensive data line in order to provide direct connectivity between the two offices. A more economical solution is to provide both offices with connectivity to the Internet, enabling them to use this to communicate. Using the same idea, two computers have been connected via OpenVPN in order to provide a private passageway that only the users of these two computers can use. The GPG encryption method was carried out on a file sent over the OpenVPN tunnel to strengthen security. The conclusions of this paper are summarised below:

The encrypted text file is sent in an encrypted form through the OpenVPN tunnel.

The security requirements achieved in this paper are: Confidentiality, Integrity, Authentication and Non-Repudiation.

Confidentiality is achieved through protection of data from exposure to unauthorised persons: through the use of OpenVPN, where only authorised users are able to communicate in the network, and through the encryption method, in which data is not readable to an intruder.

Integrity and maintenance of data consistency are accomplished using the GPG encryption method. Once a message is encrypted, it cannot be read or have its contents altered by an intruder.

Authentication is achieved through assurance of the identity of the originator of data. Using the GPG encryption method, authentication verifies the identity of the secret key's owner, allowing only the owner of the message to read it.

Non-Repudiation: the originator of the communication cannot later deny it; this is achieved when public key encryption is used.

However, there are certain disadvantages to the encryption method used in this paper. The public key encryption method has a number of vulnerabilities, such as speed. Public key systems are much slower than secret key systems. If the message sent is too big, public key systems will need to encrypt large amounts (for example megabytes) of data, which will prove time-consuming. Public key systems are therefore more suitable for encrypting small amounts of data, such as messages sent via email. Another disadvantage is that the receiver's public key will be known to everyone. Anyone can pretend to be another sender and send a forged message to the receiver, encrypted with his or her public key.

REFERENCES

[1] What is Network Security? Available from: http://www.ciscosystems.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/what_is_network_security/index.html.
[2] How LAN Switches Work. Available from: http://computer.howstuffworks.com/lan-switch1.htm.
[3] Virtual Local Area Network. Available from: http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213299,00.html.
[4] Firewalls and Virtual Private Networks. Available from: http://www.wiley.com/legacy/compbooks/press/0471348201_09.pdf.
[5] Encryption and Decryption Encyclopedia, 2002-2010. Available from: http://www.encryptionanddecryption.com/encryption/.
[6] Koch, W. Gnu Privacy Guard, 2007-02-01. Available from: http://www.gnupg.org/features.en.html.
[7] Email Applications. Available from: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/getting-started-guide/ch-emailclients.html.
[8] Understand SMTP Protocol. Available from: http://www.windowsnetworking.com/articles_tutorials/Understanding-SMTP-Protocol.html.
[9] Internet Protocol Suite. Available from: http://en.wikipedia.org/wiki/Internet_Protocol_Suite.
[10] Zehm, B. An Email Program for Sending SMTP Mail from a Command Line. Available from: http://caspian.dotconf.net/menu/Software/SendEmail/.
[11] Transport Layer Security. Available from: http://en.wikipedia.org/wiki/Transport_Layer_Security.
[12] The OpenBSD Packet Filtering, 2009/10/19. Available from: http://www.openbsd.org/faq/pf/filter.html.
[13] Niphadkar, S. Analysis of Packet Sniffers. Available from: http://mason.gmu.edu/~sniphadk/sniffer.pdf.
[14] Russell, R. Packet Filtering HOWTO, 2002/01/24. Available from: http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-3.html.
[15] Ubuntu (Operating System). Available from: http://en.wikipedia.org/wiki/Ubuntu_(operating_system).

Ghossoon. M. W. Al-Saadoon is an Ass. Professor at the College of Administrative Science, Applied Science University, Manama, Kingdom of Bahrain.