CSC 8560 Computer Networks: Security Protocols Professor Henry Carter Fall 2017
CATS Reports Now available online! Go to MyNova -> Blackboard Learn -> Course Evaluations Take 10 minutes Will not be visible to me until after grades are submitted Help me improve the course!
Last Time Trying to prove who you are simply by saying your name is an example of...? How are MACs and Digital Signatures Different? What algorithms used to implement them? Diffie-Hellman key exchanges are vulnerable to what kind of attack? 3
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication 8.5 Securing e-mail 8.6 Securing TCP connections: SSL 8.7 Network layer security: IPsec 8.8 Securing wireless LANs 8.9 Operational security: firewalls and IDS 4
Email Security Transmission is often not the only place crypto needs to be used to protect your email. Some system administrators, service providers and (if you re unlucky) law enforcement agencies read your email when it sits on the server. e.g., GMail Advertisements How can you protect the confidentiality and integrity of your communications? 5
Secure e-mail Alice wants to send confidential e-mail, m, to Bob. K S m. K S ( ) K S (m ) K S (m ). K S ( ) m + - Internet K S K S K +. B ( ) + K B (K S ) + K B (K S ) -. K B ( ) K B + K B - Alice: generates random symmetric private key, K S. encrypts message with K S (for efficiency) also encrypts K S with Bob s public key. sends both K S (m) and K B (K S ) to Bob. 6
Secure e-mail Alice wants to send confidential e-mail, m, to Bob. K S m. K S ( ) K S (m ) K S (m ). K S ( ) m + - Internet K S K S K +. B ( ) + K B (K S ) + K B (K S ) -. K B ( ) K B + K B - Bob: uses his private key to decrypt and recover K S uses K S to decrypt K S (m) to recover m 7
Secure e-mail (continued) Alice wants to provide sender authentication message integrity. K Ā K A + m. - H( ) K A (. ) - K A (H(m)) - K A (H(m)) +. K A ( ) H(m ) + - Internet compare m m. H( ) H(m ) Alice digitally signs message. sends both message (in the clear) and digital signature. 8
Secure e-mail (continued) Alice wants to provide secrecy, sender authentication, message integrity. K Ā m H( ). -. K A ( ) - K A (H(m)) K S +. K S ( ) m + Internet K S +. K B ( ) K B + + K B (K S ) Alice uses three keys: her private key, Bob s public key, newly created symmetric key 9
Pretty good privacy (PGP) Internet e-mail encryption scheme, de-facto standard. uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. provides secrecy, sender authentication, integrity. inventor, Phil Zimmerman, was target of 3-year federal investigation. A PGP signed message: ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight.passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhhjrhhgjghgg/12epj+lo8ge4vb3mqjhfevz P9t6n7G6m5Gw2 ---END PGP SIGNATURE--- pgp.mit.edu 10
PGP: A Web of Trust Instead of relying on a CA, PGP uses social relationships to verify a key. If you know a friend of mine and they signed my key (and you can verify their signature), you are more likely to believe the key belongs to me. 11
Using PGP For Mac users, download MacGPG. Windows users should get GPG4win. Linux users can download GPG. These are all free versions of PGP based on RFC4880. From the command-line: gpg -c filename.txt (encrypt a file using a symmetric key generated from a passphrase) gpg -e filename.txt (encrypt a file using the public key of the intended reader). 12
Public Key 13
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication 8.5 Securing e-mail 8.6 Securing TCP connections: SSL 8.7 Network layer security: IPsec 8.8 Securing wireless LANs 8.9 Operational security: firewalls and IDS 14
How do we get secure communications? We now have an idea of how cryptographic algorithms work (and what they try to guarantee). We also know how to ensure integrity of our communications. How do we actually use this stuff? Are we using it on a daily basis? 15
Secure Sockets Layer (SSL) Provides transport layer security to any TCP-based application using SSL services. e.g., between Web browsers, servers for e-commerce (https) security services: server authentication, data encryption, client authentication (optional) TCP socket Application TCP IP Application SSL sublayer TCP IP SSL socket TCP API TCP enhanced with SSL 16
SSL: Three Phases 1. Handshake: Bob establishes TCP connection to Alice authenticates Alice via CA signed certificate creates, encrypts (using Alice s public key), sends master secret key to Alice nonce exchange not shown create Master Secret (MS) decrypt using K A - to get MS 17
SSL: Three Phases 2. Key Derivation: Alice, Bob use shared secret (MS) to generate 4 keys: EB: Bob->Alice data encryption key EA: Alice->Bob data encryption key MB: Bob->Alice MAC key MA: Alice->Bob MAC key encryption and MAC algorithms negotiable between Bob, Alice why 4 keys? 18
SSL: Three Phases 3. Data Transfer TCP byte stream b 1 b 2 b 3 b n block n bytes together d. H( ) M B compute MAC d d H(d) H(d). H( ) E B SSL seq. # encrypt d, MAC, SSL seq. # SSL record format Type Ver Len d H(d) unencrypted encrypted using E B 19
What does that little lock mean? What does this lock actually mean? Are you secure? It really depends... Some websites used negotiate the use of the null cipher. So even with the lock icon, no crypto was being used. Attackers can launch SSL downgrade attacks against older browsers. Commonly misspelled websites might make you think you are connected securely to the right page. 20
Steve Bellovin Long time researcher at AT&T Research/Bell Labs. Member of the National Academy of Engineering Professor at Columbia University Credited as one of the Fathers of the firewall One of the originators of USENET The precursor to World Wide Web, allowed people to view and exchange content in newsgroups. 21
Security Problems in the TCP/IP Protocol Suite This is one of the classics of Network Security literature. Although written in 1989, many of the protocols discussed here are still widely used today. This is a nice overview of why security research is necessary. It is hard to build secure systems when the infrastructure supporting them was never designed to consider security. Attacks on specific implementations not discussed. Three general attack categories: TCP/IP Attacks, Routing Attacks, and Abusing Common Protocols. 22
TCP/IP Sequence Number Guessing TCP connects are established by the 3-way handshake: What do the three messages look like? Each client keeps a unique sequence number to order packets and prevent against loss. An attacker can spoof an IP address, but attempting to carry out a conversation when you don t know the correct responses is hard. If you can guess the response, you can establish a connection. 23
How This Attack Works C SYN, ACK, ACK, SYN, SeqA+1, SeqA+1, SeqB+1 SeqB S C A SYN, ACK, SeqA+1, SeqB ACK, SeqA+1, SeqB+1 SYN, SeqA S 24
What Can You Do With This? On Christmas Day 1994, Kevin Mitnick used this attack to break into Tsuomo Shimamura s machine. Claimed to be from a trusted IP address, added himself to rhosts file, gained full access. Unfortunately for Mitnick, Tsutomu Shimomura caught him in the act (saw the logs). Ultimately, this incident helped the FBI track down and arrest Mitnick in Raleigh, NC. 25
Defense Against SNG Attack Make the initial sequence number hard to guess. Most systems now use a PRNG, but they re not great. Most implementations of TCP will accept RST packets with a sequence number anywhere within their window. For a 32Kb window, 2 17 attempts is enough to get it right. Actively monitor your logs. But you need to be on top of this as an attacker is likely to delete or modify them once they get access. 26
Real-World Routing Attacks AS7007 (1997) YouTube hijacked by Pakistan (2008) 27
ICMP Attacks Examples ICMP Redirect ICMP Destination Unreachable ICMP Time to Live Exceeded Defense Filtering 28
Other Protocols Finger Directory-like service. Can this help with identity theft? Password cracking? Electronic Mail We have already shown how to spoof email. Until recently, even retrieving mail from your server used cleartext passwords. 29
Other Protocols (2) DNS Sequence number guessing and response spoofing thought to be potentially serious attacks in 1989. These are major issues today... why? ARP A local attacker could similarly siphon off all your traffic. 30
General Defenses Authentication Authentication by assertion repeatedly gets us into trouble. Why do we still do it? Encryption End-to-End Link-layer 31
Conclusions IP addresses are meaningless as an authentication token. Use random numbers whenever knowledge of that number may open your system to attack. The core of the network is based on algorithms that fall over pretty easily, making the Internet very fragile. 32
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication 8.5 Securing e-mail 8.6 Securing TCP connections: SSL 8.7 Network layer security: IPsec 8.8 Securing wireless LANs 8.9 Operational security: firewalls and IDS 33
What is network-layer confidentiality? between two network entities: sending entity encrypts datagram payload, payload could be: TCP or UDP segment, ICMP message, OSPF message. all data sent from one entity to other would be hidden: web pages, e-mail, P2P file transfers, TCP SYN packets blanket coverage 34
Virtual Private Networks (VPNs) motivation: institutions often want private networks for security. costly: separate routers, links, DNS infrastructure. VPN: institution s inter-office traffic is sent over public Internet instead encrypted before entering public Internet logically separate from other traffic 35
Virtual Private Networks (VPNs) public Internet laptop w/ IPsec salesperson in hotel router w/ IPv4 and IPsec router w/ IPv4 and IPsec headquarters branch office 36
IPsec services data integrity origin authentication replay attack prevention confidentiality two protocols providing different service models: AH ESP 37
Two IPsec protocols Authentication Header (AH) protocol provides source authentication & data integrity but not confidentiality Encapsulation Security Protocol (ESP) provides source authentication, data integrity, and confidentiality more widely used than AH 38
Security associations (SAs) before sending data, security association (SA) established from sending to receiving entity SAs are simplex: for only one direction ending, receiving entitles maintain state information about SA recall: TCP endpoints also maintain state info IP is connectionless; IPsec is connection-oriented! how many SAs in VPN w/ headquarters, branch office, and n traveling salespeople? 39
Example SA from R1 to R2 R1 Stores: 32-bit SA identifier: Security Parameter Index (SPI) origin SA interface (200.168.1.100) destination SA interface (193.68.2.23) type of encryption used (e.g., 3DES with CBC) encryption key type of integrity check used (e.g., HMAC with MD5) authentication key headquarters Internet branch office 200.168.1.100 193.68.2.23 172.16.1/24 R1 security association R2 172.16.2/24 40
IPsec datagram focus for now on tunnel mode with ESP 41
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication 8.5 Securing e-mail 8.6 Securing TCP connections: SSL 8.7 Network layer security: IPsec 8.8 Securing wireless LANs 8.9 Operational security: firewalls and IDS 42
IEEE 802.11 Security war-driving: drive around Bay area, see what 802.11 networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy! securing 802.11 encryption, authentication first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure current attempt: 802.11i 43
Wired Equivalent Privacy (WEP) authentication as in protocol ap4.0 host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host no key distribution mechanism authentication: knowing the shared key is enough 44
WEP Encryption Sender-side WEP encryption 45
Breaking WEP security hole: 24-bit IV, one IV per frame, -> IV s eventually reused IV transmitted in plaintext -> IV reuse detected attack: Trudy causes Alice to encrypt known plaintext d 1 d 2 d 3 d 4 IV Trudy sees: c i = d i XOR k i IV Trudy knows c i d i, so can compute k i IV IV IV Trudy knows encrypting key sequence k 1 k 2 k 3 Next time IV is used, Trudy can decrypt! 46
802.11i: Improved Security numerous (stronger) forms of encryption possible provides key distribution uses authentication server separate from access point Common implementation: WPA2 47
Four phases 48
EAP: extensible authentication protocol EAP: end-end client (mobile) to authentication server protocol EAP sent over separate links mobile-to-ap (EAP over LAN) AP to authentication server (RADIUS over UDP) EAP TLS EAP EAP over LAN (EAPoL) IEEE 802.11 RADIUS UDP/IP 49
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication 8.5 Securing e-mail 8.6 Securing TCP connections: SSL 8.7 Network layer security: IPsec 8.8 Securing wireless LANs 8.9 Operational security: firewalls and IDS 50
Firewalls firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others. 51
Firewalls: why prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for real connections prevent illegal modification/access of internal data e.g., attacker replaces CIA s homepage with something else allow only authorized access to inside network set of authenticated users/hosts three types of firewalls: stateless packet filters, stateful packet filters, application gateways 52
Stateless Packet Filtering internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits 53
Stateless Packet Filtering: Example example 1: block incoming and outgoing datagrams with IP Protocol field = 17 and with either source or dest port = 23. result: all incoming, outgoing UDP flows and telnet connections are blocked. example 2: Block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. 54
Stateless packet filtering: more examples 55
Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs: looks like OpenFlow forwarding (Ch. 4)! action source address dest address protocol source port dest port flag bit allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all 56
Stateful Packet Filtering stateless packet filter: heavy handed tool admits packets that make no sense, e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets makes sense timeout inactive connections at firewall: no longer admit packets 57
Stateful Packet Filtering ACL augmented to indicate need to check connection state table before admitting packet action source address dest address proto source port dest port flag bit check conxion allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK x allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- x deny all all all all all all 58
Application gateways filter packets on application data as well as on IP/TCP/UDP fields. host-to-gateway telnet session application gateway example: allow select internal users to telnet outside router and filter gateway-to-remote host telnet session 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. 59
Limitations of Firewalls and Gateways IP spoofing: router can t know if data really comes from claimed source if multiple apps need special treatment, each has own app gateway client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks 60
Intrusion Detection Systems packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets port scanning network mapping DoS attack 61
Intrusion Detection Systems multiple IDSs: different types of checking at different locations 62
Network Security Summary Basic techniques... cryptography (symmetric and public) message integrity end-point authentication. used in many different security scenarios secure email secure transport (SSL) IP sec 802.11 Operational Security: firewalls and IDS 63
Next Time... Textbook Chapter 9.1-9.4 Remember, you need to read it BEFORE you come to class! Homework: Project 4 presentations NEXT WEEK! 64