PGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG

Size: px

Start display at page:

Download "PGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG"

Thomasina Gregory
5 years ago
Views:

1 PGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG

2 Outline Pretty Good Privacy Network Scanning (ZMap) Wifi Security

3 More on Security Security problem: Spoofing PGP (pretty good privacy) 3

4 Recap: SMTP Three major components: Client User agents (client) Mail servers Simple mail transfer protocol: SMTP mail server SMTP SMTP mail server Clients mail server SMTP Composing, editing, reading mail messages Retrieve and send through mail servers 4

5 So much can be done by service providers How to do end-to-end security for our own s? 5

6 PGP: Pretty Good Privacy Encryption for confidentiality Signature for non-repudiation/authenticity Sign before encrypt, so signatures on unencrypted First released in 1991 developed by Phil Zimmerman Free software: OpenPGP and variants 6

7 PGP Services PGP supplies 5 basic services: 1. Authentication 2. Confidentiality 3. Compression 4. compatibility 5. Segmentation Actually, only authentication and confidentiality are really services. The others are engineering features designed to make PGP efficient and robust. 7

8 PGP Authentication This is a digital signature function. 1. Sender creates a message M. 2. Sender generates a hash of M. 3. Sender signs the hash using private key and prepends the result to the message 4. Receiver uses the sender s public key to verify the signature and recover the hash code. 5. Receiver generates a new hash code for M and compares it with the decrypted hash code. Abstractly: S R :{h(m )} Ks 1, M 8

9 PGP Confidentiality PGP provides encryption for messages sent or stored as files 1. Sender generates a message M and a random session key K. 2. M is encrypted using key K. 3. K is encrypted using the recipient s public key, and prepended to the message. 4. Receiver uses his private key to recover the session key. 5. The session key is used to decrypt the message. Abstractly: S R :{K} Kr,{M} K But why? Why not just use public key to encrypt the message instead of session key? 9

10 Confidentiality and Authentication Both authentication and confidentiality may be combined for a given message. 1. Apply the authentication step to the original message. 2. Apply the confidentiality step to the resulting message. Should we sign-then-encrypt or encrypt-then-sign? 10

11 Key Management PGP makes use of four types of keys: one-time session symmetric keys, public keys, private keys, passphrase-based symmetric keys. Session keys: used once and generated for each new message Public keys: used in asymmetric encryption Private keys: also used in asymmetric encryption Passphrase-based keys: used to protect private keys A single user can have multiple public/private key pairs. 11

12 Why So Many Keys? PGP uses four kinds of keys: session keys, public and private keys, and passphrase generated keys. Public / private key pairs are the most expensive to generate. Since the security of the system depends on protecting private keys, these are encrypted using a passphrase system In PGP, session keys and passphrase-based keys are generated on the fly, used once and discarded. 12

13 One more thing about Keys Each PGP user must manage his own private keys and the public keys of others. These are stored on separate keys rings. Private keys are protected by encryption; public keys are stored with certificates attesting to their trustworthiness. Keys can be revoked. 13

14 More on Network Scanning

15 What does the Internet look like?

16 We want ecosystem details, not shape e.g., Carna botnet Internet Census 2012

17 How can we identify at Internet scale? Methodology: 1) Collect public data from the network (public keys, signatures, ciphertext, ) 2) Mine the data for evidence of vulnerabilities 3) Investigate causes in representative implementations

18 Barriers to using Internet-wide scans? Census and Survey of the VisibleInternet (2008) 3 monthsto complete ICMP census (2200 CPU-hours) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) 3 months on 3 Linux desktop machines (6500 CPU-hours) MiningPs and Qs: Widespread weak keys in network devices (2012) 25 hours acoss 25 AmazonEC2 Instances (625 CPU-hours) Carna botnetinternet Census (2012) 420,000 usurped hosts

19 What if...? What if Internet-wide surveys didn t require heroic effort? What if scanning the IPv4 address space took under an hour? What if we wrote a whole-internet scanner from scratch?

20 an open-source tool that can port scan the entire IPv4 address space from just one machine in minutes With ZMap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ sudo apt-get install zmap $ zmap p 443 o results.csv found 34,132,693 listening hosts (took 44m12s) Gigabit Ethernet linespeed(1200 x NMap)

21 ZMap Architecture Conventional Scanners Reduce state by scanning in batches - Time lost due to blocking - Results lost due to timeouts Track individual hosts and retransmit - Most hosts will not respond Avoid flooding through timing - Time lost waiting Utilize existing OS network stack - Not optimized for immense number of connections ZMap Approach Eliminate local per-connection state - Fully asynchronous components - No blocking except for network Shotgun scanning approach - Always send n probes per host Scan widely dispersed targets - Send as fast as network allows Probe-optimized network stack - Bypass inefficiencies by generating Ethernet frames

22 Addressing Probes How do we randomly scan addresses without excessive state? Scan hosts according to random permutation. Iterate over multiplicative group of integers modulo p. see Number Theory

23 Validating Responses How do we validate responses without local per-target state? Hint: How do servers do this to prevent SYN floods?

24 Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses. Ethernet receiver MAC address sender MAC address length data IP V IHL sender IP address receiver IP address data TCP sender port receiver port sequence number ack. number data

Output Modules allow follow-up or further processing 1.

25 Packet Transmission and Receipt How to make processing probes easy and fast? 1. ZMap Framework handles the hard work 2. Probe Modules fill in packet details, interpret responses 3. Output Modules allow follow-up or further processing 1.4 million pkts/second Configuration, Addressing, and Timing Probe Generation Packet Tx (raw socket) Output Handler Response Interpretation Packet Rx (libpcap) << 1.4 million pkts/second

26 Scan Rate Up to 1GigE How fast is too fast? No meaningful correlation between speed and response rate. Slower scanning does not reveal additional hosts. Hit Rate (percent) Hitrate maximum Scan Rate (packets per second)

27 ZMap: Applications > 500 Internet-wide scans over 3 years (> 2 trillion probes). What can researchers do with ZMap? Track Adoption of Defenses Trusted Certificates HTTPS Hosts Unique Certificates Trusted Certificates Alexa Top 1 Mil. Domains E.V. Certificates Netcraft HTTP Hosts Fine-grained analysis of HTTPS ecosystem. > 200 full scans over a year Many vulnerabilities! 10% growth in HTTPS sites 23% among Alexa Top 1 M. Historical data useful for tracking botnets and APTs /13 04/13 03/13 02/13 01/13 12/12 11/12 10/12 09/12 08/12 07/12 06/12

28 ZMap: Applications Discover Hidden Services Single scan reveals 86% of Tor bridge nodes Historical scan data reveals hidden Silk Road servers

29 ZMap: Applications Detect Service Disruptions Areas with >30% decrease in listening hosts, port 443 October 29 31, 2013

30 ZMap: Applications Learn about what's connected to the Internet Expose and Fix Vulnerable Hosts If it has an IP address, it is visible on the Internet

31 Heartbleed Vulnerability

32 Heartbleed Vulnerability In April 2014, OpenSSL disclosed a catastrophic bug in their implementation of the TLS Heartbeat Extension Vulnerability allowed attackers to dump private cryptographic keys, logins, and other private user data Potentially effected any service that used OpenSSL for TLS including web, mail, messaging and database servers An estimated 24-55% of HTTPS websites were initially vulnerable

33 Patching Over Time Heartbleed Vulnerability

34 Patching Heartbleed Over Time Vulnerability 3% of Top 1M sites still vulnerable 50 days later First Evidence of Attacks

35 Wireless Security Slides credit to Kurose & Ross 35

36 Wireless Security WEP security vulnerability i improved security 36

37 IEEE wireless LANs (Wi-Fi) Network infrastructure wireless hosts Laptop, phone tablet Run applications Stationary or mobile Wireless does not always mean mobility 37 Link layer on the network stack Same layer as Ethernet

38 Elements in Wireless Network Ad-hoc mode no base stations nodes can only transmit to other nodes within link coverage nodes organize themselves into a network: route among themselves Applications: battlefield networks, networks in undeveloped countries Vehicular networks 38

39 One Laptop Per Child (OLPC) Ad hoc networking among laptops with a few satellite connections 39 Nepal

802.11 Frame: Addressing H1 R1 router Internet AP R1 MAC addr H1 MAC addr dest.

40 Frame: Addressing H1 R1 router Internet AP R1 MAC addr H1 MAC addr dest. address source address frame AP MAC addr H1 MAC addr R1 MAC addr address 1 address 2 address frame 40

41 IEEE security War driving: drive around, see what networks available? More than 9000 accessible from public roadways, 85% use no encryption/authentication Packet-sniffing and various attacks easy! TJX data breach started from war driving (read P&P for more info) Securing encryption, authentication first attempt at security Wired Equivalent Privacy (WEP): a failure New attempt: i (WAP) 41

WEP data encryption WEP is based on RC4 (Rivest Cipher 4, designed in 87) RC4 is a stream cipher Host/AP share 40 bit symmetric key (semi-permanent) Append 24-bit initialization vector (IV)

42 WEP data encryption WEP is based on RC4 (Rivest Cipher 4, designed in 87) RC4 is a stream cipher Host/AP share 40 bit symmetric key (semi-permanent) Append 24-bit initialization vector (IV) to create 64-bit key 64 bit key used to generate stream of keys, k IV i k IV i used to encrypt the i-th byte, d i, in frame: c i = d i XOR k IV i IV and encrypted bytes {c i } sent in frame 42

43 Risk of Re-used Keys in Stream Cipher Ciphertext1 XOR Cophertext2 = plaintext1 XOR plaintext2 Plaintext can be recovered through statistical analysis 43

44 Fundamental problem: k i IV should never be reused WEP is based on RC4 that is secure if keys are used just once 24 bit IV: 2 24 = 16,777,216 possible combinations However, because of birthday paradox, we know collision with >= 50% after seeing about 2 12 = 4096 IVs a coarse estimation Breaking 104 bit WEP in less than 60 seconds By Tews, et al. at TU Darmstadt, Germany (2007) Recovered a 104-bit WEP key using less than 40,000 frames, success probability of 50% To succeed in 95% of all cases, 85,000 packets are needed. 44

45 Vulnerable Integrity Verification Checking (ICV) Cyclic redundancy code (CRC) CRC is designed for error detection (0à1?) Not secure against intentional manipulations CRC-32 ICV is a linear function. Attacker can manipulate the stream cipher encrypted CRC without the knowledge of the key 45

46 Summary of WEP Weaknesses Weakness: Key Management and Key Size (40-bit) IEEE standard written in 1997, underestimated attackers power Weakness: The Initialization Vector (IV) is Too Small (24-bit) Choosing IV randomly: (B-day paradox) 50% chance of reuse after less than 5000 frames Choosing IV sequentially: when IV is reused, the keys are the same (predictable) Weakness: Integrity Check Value is not appropriate (CRC-32) CRC-32 is for detecting inadvertent transmission errors (not for malicious attack models) Forging ICV on tampered messages is possible 46

47 Wi-Fi Protected Access (WPA) 128 bit key and 48 bit initialization vector Still uses RC4 For backward compatibility purposes, re-use existing hardware implementation Uses TKIP (temporal key integrity protocol) TKIP implements a sequence number for each frame to prevent replay attacks A key derivation function to generate per-frame key A stronger Message integrity checking (MIC) than CRC32 47

48 WPA2 WPA2 is an improvement over WPA No longer back-ward compatible, requires new hardware! WPA2 uses AES (a block cipher) instead of RC4 (a stream cipher) + TKIP AES encryption not compatible with legacy devices; 128, 192, or 256 bit keys Either needs new chipset to work, or introduce an authentication server Same authentication mechanism 48

49 WPA3 WPA2: recently identified vulnerability (2017) WPA3 is coming soon 49

Chapter 8 Network Security

Chapter 8 Network Security A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you can add, modify, and