CS 494/594 Computer and Network Security

Similar documents
Real-time protocol. Chapter 16: Real-Time Communication Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Introduction to IPsec. Charlie Kaufman

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Key Establishment and Authentication Protocols EECE 412

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Security Handshake Pitfalls

Authentication Handshakes

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

CSC 474/574 Information Systems Security

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Cryptographic Protocols 1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

IP Security IK2218/EP2120

David Wetherall, with some slides from Radia Perlman s security lectures.

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Securing Internet Communication: TLS

Session key establishment protocols

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Spring 2010: CS419 Computer Security

Session key establishment protocols

Security Handshake Pitfalls

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Chapter 9 Public Key Cryptography. WANG YANG

Password. authentication through passwords

CS Computer Networks 1: Authentication

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Security Handshake Pitfalls

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Chapter 4: Securing TCP connections

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

IP Security II. Overview

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Network Security Chapter 8

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Verification of Security Protocols

CS 161 Computer Security

An Executable Model for JFKr

Strong Password Protocols

Analysis of the IPSec Key Exchange Standard

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Proceedings of the 10 th USENIX Security Symposium

AIT 682: Network and Systems Security

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Key Encryption as per T10/06-103

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CIS 6930/4930 Computer and Network Security. Final exam review

Computer Networks & Security 2016/2017

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

More Attacks on Cryptography 3/12/2010

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

6. Security Handshake Pitfalls Contents

Information Security CS 526

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Diffie-Hellman. Part 1 Cryptography 136

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Computer Networks. Wenzhong Li. Nanjing University

Internet security and privacy

EEC-682/782 Computer Networks I

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Kurose & Ross, Chapters (5 th ed.)

Encryption. INST 346, Section 0201 April 3, 2018

Chapter 9: Key Management

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Applied Cryptography and Computer Security CSE 664 Spring 2017

CSC 474/574 Information Systems Security

CIS 4360 Secure Computer Systems Applied Cryptography

Security Handshake Pitfalls

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

(2½ hours) Total Marks: 75

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

SSL/TLS. How to send your credit card number securely over the internet

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public Key Algorithms

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Firewalls, Tunnels, and Network Intrusion Detection

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Key Management and Distribution

Network Security (NetSec)

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Exercises with solutions, Set 3

14. Internet Security (J. Kurose)

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Network Encryption 3 4/20/17

Secure Internet Communication

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

CSC/ECE 774 Advanced Network Security

Transcription:

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1

Real-Time Communication Security Network layers Session key establishment Perfect forward secrecy (PFS) Escrow-foilage Clogging protection Identifier hiding Live partner reassurance

Network Basics - Headers

An example

What Layer? Application layer security Client/Server (Kerberos) E-mail (PEM, PGP) Web access (SSL) Transport Layer SSL/TLS IP layer IPSec OS application insert SSL (TLS or SSH) TCP replace IP with IPsec lower layers

Real-time protocol Parties negotiate interactively (Mutual) Authentication Session key establishment Security association: the conversation protected by the session key Perfect forward secrecy Clogging protection Escrow-foilage Endpoint identity hiding IPsec, SSL/TLS, SSH

Session Key Establishment Issues message authentication with a session key establishment is needed against connection hijacking sequence numbers needed against packet replays (different from TCP seq.no.) session key reset before SN wrap around for freshness guarantee, both parties should contribute to the session key less likely to attacks when someone impersonate one party to the other good key even if only one party has access to random key generator

Perfect Forward Secrecy PFS An eavesdropper cannot decrypt a session after the session concludes, even if the eavesdropper records the entire encrypted session and subsequently obtains the two parties long-term secrets. How to achieve PFS Generate a temporary session key, not derivable from information stored at the node after the session concludes, and then forget it after the session. Check the following Kerberos Alice Chooses the session key, and sends it to Bob, encrypted with Bob s public key.

PFS protocol

Escrow-Foilage Protection key escrow communicating parties have to store their long-term keys with a third-party (authorities, etc.) escrow-foilage key stored at the third party is used maliciously;

Escrow-Foilage Protection (Cont d) Escrow-foilage protection: A third party (e.g., a trustworthy organization) may know Alice and Bob s long-term keys. However, the conversation between Alice and Bob can still be made secret against a passive eavesdropper with prior knowledge of Alice and Bob s long-term keys. Anything with PFS will also have escrow-foilage against a passive attacker. Active attackers with the long-term keys, they can impersonate Alice or Bob.

Denial-of of-service Protection DoS attacks: the imposter launches DoS attacks with forged IP addresses. The purpose is to use up Bob s resources so he cannot serve the legitimate users. TCP SYN attack

Denial of Service/Clogging Protection Cookies server responds to a session request with a random number (cookie), initiator has to reply back with that cookie to continue attacker have to either reveal its address or, abort the attack stateless cookies: cookie is H(IP address, server s secret); server doesn t have to remember it Stateless Cookies Bob does not need to keep state The cookie is a function of the IP address and a secret known to Bob It is easy to forge a source IP address but it is difficult to receive the packet sent back to the forged address.

Stateless Cookie Protocol

Puzzle puzzles to continue authentication server requires initiator to solve a puzzle: e.g. MD5(x) =, x =? solving is slow (depends on the size of x), verification fast can be made stateless, how? client s computation power varies, not useful against coordinated distributed DoS attack

Endpoint Identifier Hiding some apps require identity protection against eavesdropper parties can use Diffie-Hellman anonymously and then use shared key to encrypt the rest of the session (including authentication) passive attacker will not know the identities active attacker may still learn one or both identities, because of man-in-the-middle attack

Endpoint Identifier Hiding (Cont d) Which identity is more valuable to protect? two opinions initiator (Alice) Bob s identity is probably already known responder (Bob) if Bob s id is harder to impersonate (Alice initiates the conversation) In the protocol below, whose id is protected against active attack?

Homework 16.4 Referring to 16.6 Endpoint Identifier Hiding, modify Protocol 16-4 to hide the initiator's identity rather than the target's identity.

Homework 16.5 As mentioned in 16.6 Endpoint Identifier Hiding, it is possible to design a protocol that will hide both identifiers from an active attacker, assuming that Alice (the initiator) already knows Bob's public key. Show such a protocol.

Homework 16.6 Also as mentioned in 16.6 Endpoint Identifier Hiding, it is possible to hide both identities from active attackers if Alice and Bob share a secret key and there is a small set of entities that might initiate a connection to Bob. Show such a protocol.

Endpoint Identifier Hiding (Cont d) Hide the identifiers of the two communicating parties Hide both parties identifiers from a passive attacker. Hide one party s identifier from an active attacker (man-in-the-middle) Hide both parties identifiers from both passive and active attackers The two parties need to know who they are talking to. Use some pre-established secret, such as pre-shared secret key, other party s public key.

Live Partner Reassurance Bob is vulnerable to replays can use different D-H exponents for different sessions DH exponentiation is expensive: problem for servers, low-end clients solution: same DH exponents, different nonces Incorporate nonces into the session key. E.g., K = H(g ab mod p, nonces) how would these nonces be exchanged?

Live Partner Reassurance (Cont d) Due to computation complexity, it might be nice to reuse some public key values, such as DH values.

Live Partner Reassurance (Cont d)

Parallel Key Computation Computing D-H exponents is expensive. May do it in advance in the protocol below, why is Bob sending two messages in sequence rather than combining them?

Other Issues Session resumption: use previously established session keys to bypass public-key authentication one solution: share a key medium term (derive the session key from it) and request knowledge on resumption Deniability: leave a proof that Alice talked to Bob: ex: Bob s name signed by Alice s key, what does this message prove? solution: don t use signatures for authentication, use shared secret or public encryption keys

Other Issues (Cont d) Crypto negotiation: key exchange protocols negotiate the algorithms to be used as well (ex: key size, compression, prime (p) to use for D-H) problem: Trudy may force Alice and Bob to use weak crypto (if it is available as an option for both parties by tampering with messages and removing stronger options) solution?

Reading Assignment [Kaufman] Chapter 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback