Transcript Security

An Introduction
to
Computer Networks
Lecture 16: Security
I have used slides from Mackeown, Stanford, Raj
Jain, WuStl, etc, to prepare these slides
University of Tehran
Dept. of EE and Computer Engineering
Univ. of Tehran
By:
Introduction to Computer Network
1
Outline






Why Network security
Network Security Goals
Security vs. Internet Design
Attacks
Defenses
Encryption
Univ. of Tehran
Introduction to Computer Network
2
Life Just Before Slammer
Univ. of Tehran
Introduction to Computer Network
3
Life Just After Slammer
Univ. of Tehran
Introduction to Computer Network
4
A Lesson in Economy


Slammer exploited connectionless UDP service,
rather than connection-oriented TCP.
Entire worm fit in a single packet! (376 bytes)


Worm infected 75,000+ hosts in 10 minutes
(despite broken random number generator).


When scanning, worm could “fire and
forget”.
Stateless!
At its peak, doubled every 8.5 seconds
Progress limited by the Internet’s carrying
capacity
Univ. of Tehran
Introduction to Computer Network
5
Why Security?







First victim at 12:15am
By 12:45, transcontinental links starting to
fail
300,000 access points downed in Portugal
All cell and Internet in Korea failed (27
million people)
5 root name servers were knocked offline
911 didn’t respond (Seattle)
Flights canceled
Univ. of Tehran
Introduction to Computer Network
6
Witty Worm
Univ. of Tehran
Introduction to Computer Network
7
Network Security Goals

Availability
(everyone can reach all network resources all the time)

Protection
(protect users from interactions they don’t want)

Authenticity
(know who you are speaking with)

Data Integrity
(protect data en-route)


Privacy, Confidentiality
Confidentiality, Integrity and Availability
(CIA)
Univ. of Tehran
Introduction to Computer Network
8
Threats





Disclosure, alteration, and denial (DAD)
Disclosure or unauthorized access: snooping,
passive wiretapping,
Deception or acceptance of false data: active
wiretapping (data modified), man-in-the-middle
attack, spoofing (impersonation), repudiation of
origin (denying sending), denial of receipt
Disruption or prevention of correct operation
unauthorized control of some part of a
system: Delay, Infinite delay
Denial of
service
Univ. of Tehran
Introduction to Computer Network
9
Steps in Cracking a Network







Information Gathering: Public sources/tools.
Port Scanning: Find open TCP ports.
Network Enumeration: Map the network.
Servers and workstations. Routers, switches,
firewalls.
Gaining Access: Keeping root/administrator
access
Modifying: Using access and modifying
information
Leaving a backdoor: To return at a later date.
Covering tracks
Univ. of Tehran
Introduction to Computer Network
10
Types of Malware








Viruses: Code that attaches itself to programs, disks, or
memory to propagate itself.
Worms: Installs copies of itself on other machines on a
network, e.g., by finding user names and passwords
Trojan horses: Pretend to be a utility. Convince users to
install on PC.
Spyware: Collect personal information
Hoax: Use emotion to propagate, e.g., child's last wish.
Trap Door: Undocumented entry point for debugging
purposes
Logic Bomb: Instructions that trigger on some event in
the future
Zombie: Malicious instructions that can be triggered
remotely. The attacks seem to come from other victims.
Univ. of Tehran
Introduction to Computer Network
11
Types of Attacks





Denial of Service (DoS): Flooding with
traffic/requests
Buffer Overflows: Error in system programs.
Allows hacker to insert his code in to a program.
Malware
Brute Force: Try all passwords.
Port Scanning:


Disable unnecessary services and close ports
Network Mapping
Univ. of Tehran
Introduction to Computer Network
12
Internet Design








Internet has been designed for connectivity
Initially, anybody is good, Not true anymore
Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)
Power in end hosts (end-to-end argument)
“Ad hoc” naming system
Univ. of Tehran
Introduction to Computer Network
13
Internet Design vs. Security

Destination routing
Keeps forwarding tables small
 Simple to maintain forwarding tables
 How do we know where packets are coming
from?


Probably simple fix to spoofing, why isn’t it in
place?
Packet based (statistical multiplexing)
 Global addressing (IP addresses)
 Simple to join (as infrastructure)
 Power in end hosts (end-to-end arg)
of Tehran
Introduction
to Computer Network
 Univ.
“Ad
hoc” naming
system

14
Internet Design vs. Security


Destination Routing
Packet Based (statistical multiplexing)
 Simple + Efficient
 Difficult resource bound per-communication

How to keep someone from hogging?
(remember, we can’t rely on source addresses)

Global Addressing (IP addresses)
Simple to join (as infrastructure)
Power in End Hosts (end-to-end arg)

“Ad hoc” naming system


Univ. of Tehran
Introduction to Computer Network
15
Internet Design vs. Security



Destination routing
Packet based (statistical multiplexing)
Global Addressing (IP addresses)
 Very democratic
 Even people who don’t necessarily want to be
talked to

(“every psychopath is your next door neighbor” –
Dan Geer)
Simple to join (as infrastructure)
Power in end hosts (end-to-end arg)

“Ad hoc” naming system

Univ. of Tehran
Introduction to Computer Network
16
Internet Design vs. Security

Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)

Simple to join (as infrastructure)


Very democratic
 Misbehaving routers can do very bad things
 No model of trust between routers


Power in End Hosts (end-to-end arg)

“Ad hoc” naming system
Univ. of Tehran
Introduction to Computer Network
17
Internet Design vs. Security

Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)

Power in end-hosts (end-to-end arg)



Decouple hosts and infrastructure = innovation
at the edge!
 Giving power to least trusted actors



How to guarantee good behavior?
“Ad hoc” naming system
Univ. of Tehran
Introduction to Computer Network
18
Internet Design vs. Security

Packet Based (statistical multiplexing)
Destination Routing
Global Addressing (IP addresses)
Simple to join (as infrastructure)
Power in End Hosts (end-to-end arg)

“Ad hoc” naming system




Seems to work OK
 Fate sharing w/ hierarchical system
 Off route = more trusted elements

Univ. of Tehran
Introduction to Computer Network
19
IP-level vulnerabilities

IP addresses are specified by the source


Use of IP address for authentication


Spoofing attacks!
e.g., .rhosts, some web sites
Some IP features that have been
exploited


Fragmentation Attacks
Smurf Attacks
Univ. of Tehran
Introduction to Computer Network
20
Routing attacks

Divert traffic to malicious nodes



Black-hole attack
Dropping or Eavesdropping
How to implement routing attacks?

Distance-Vector


Announce low-cost routes
BGP vulnerabilities


Prefix hijacking
Path alteration
Univ. of Tehran
Introduction to Computer Network
21
Denial of Service



Make a service unusable, usually by
overloading the server or network
Disrupt service by taking down hosts
Consume host-level resources


E.g., SYN-floods
Consume network resources

E.g., UDP/ICMP floods
Univ. of Tehran
Introduction to Computer Network
22
DoS: Via Resource Exhaustion
CPU
User-time
Uplink
bandwidth
Downlink
bandwidth
Univ. of Tehran
Memory
(e.g. TCP TCB
exhaustion)
Introduction to Computer Network
23
DoS: Via Resource Exhaustion

Uplink bandwidth




Saturate uplink bandwidth using legitimate
requests (e.g. download large image)
Solution: admission control at the server
(not a network problem ??)
CPU time similar to above
Victim Memory


TCP connections require state, can try to exhaust
E.g. SYN Flood (next few slides)
Univ. of Tehran
Introduction to Computer Network
24
TCP Handshake
C
S
SYNC
Listening
SYNS, ACKC
Store data
Wait
ACKS
Connected
Univ. of Tehran
Introduction to Computer Network
25
Example: SYN Flooding
C
S
SYNC1
SYNC2
SYNC3
Listening
Store data
SYNC4
SYNC5
Univ. of Tehran
Introduction to Computer Network
26
Protection against SYN Attacks

SYN Cookies


Client sends SYN
Server responds to Client with SYN-ACK cookie




sqn = f(src addr, src port, dest addr, dest port, rand)
Server does not save state
Honest client responds with ACK(sqn)
Server checks response


[Bernstein, Schenk]
If matches SYN-ACK, establishes connection
Drop Random TCB in SYN_RCVD state
(likely to be attackers)
Univ. of Tehran
Introduction to Computer Network
27
Simple DoS
• Attacker generates lots of traffic
Lots of traffic
Attacker
Victim
• Think of a simple solution?
• Attacker usually spoofs source address
to hide origin
Univ. of Tehran
Introduction to Computer Network
28
Distributed DoS (DDoS)




Attacker compromises multiple hosts
Installs malicious program to do her biding
(bots)
Bots flood (or otherwise attack) victims on
command; Attack is coordinated
Bot-networks of 80k to 100k have been
seen in the wild

Aggregate bandwidth > 20Gbps (probably
more)
Univ. of Tehran
Introduction to Computer Network
29
Distributed DoS
Attacker
Handler
Agent
Handler
Agent
Agent
Agent
Agent
Victim
Univ. of Tehran
Introduction to Computer Network
30
Distributed DoS

Handlers are usually high volume servers


Agents are usually home users with DSL/Cable


Already infected and the agent installed
Very difficult to track down the attacker


Easy to hide the attack packets
Multiple levels of indirection!
Aside: How to distinguish DDoS from a
Flash Crowd?

Flash Crowd  Many clients using a service

Slashdot Effect
Univ. of Tehran
Introduction to Computer Network
31
Smurf
Attack
Ping to a broadcast IP from the (spoofed) source address of
ICMP Ping
the victim
Dst: bcast addr of remote net
Src: Victim
Internet
Attacking System
Broadcast
Enabled
Network
Victim System
Univ. of Tehran
Introduction to Computer Network
32
DNS Vulnerability



Users/hosts typically trust the hostaddress mapping provided by DNS
Give somebody else IP address
Redirect all following traffics
Univ. of Tehran
Introduction to Computer Network
33
Firewalls


Lots of vulnerabilities on hosts in network
Users don’t keep systems up to date


Lots of patches
Solution


Limit access to the network
Put firewalls across the perimeter of the
network
Univ. of Tehran
Introduction to Computer Network
34
Firewalls (contd…)




Firewall inspects traffic through it
Allows traffic specified in the policy
Drops everything else
Two Types

Packet Filters, Proxies
Internal Network
Firewall
Internet
Univ. of Tehran
Introduction to Computer Network
35
Packet Filters



Selectively passes packets from one network
interface to another
Usually done within a router between external
and internal network
What to filter based on?

Packet Header Fields




IP source and destination addresses
Application port numbers
ICMP message types/ Protocol options etc.
Packet contents (payloads)
Univ. of Tehran
Introduction to Computer Network
36
Packet Filters: Possible Actions

Allow the packet to go through

Drop the packet (Notify Sender/Drop Silently)

Alter the packet (NAT?)

Log information about the packet
Univ. of Tehran
Introduction to Computer Network
37
Some examples



Block all packets from outside except for
SMTP servers
Block all traffic to/from a list of domains
Ingress filtering


Drop all packets from outside with addresses
inside the network
Egress filtering

Drop all packets from inside with addresses
outside the network
Univ. of Tehran
Introduction to Computer Network
38
Firewall implementation



Stateless packet filtering firewall
Rule  (Condition, Action)
Rules are processed in top-down order

If a condition satisfied – action is taken
Univ. of Tehran
Introduction to Computer Network
39
Packet Filters

Advantages



Transparent to application/user
Simple packet filters can be efficient
Disadvantages



Security
Overhead (speed)
Usability


Very hard to configure the rules
Doesn’t have enough information to take actions
(Does port 22 always mean SSH? Who is the user
accessing the SSH?)
Univ. of Tehran
Introduction to Computer Network
41
Alternatives

Stateful packet filters



Keep the connection states
Easier to specify rules
Problems?



State explosion
State for UDP/ICMP?
Proxy Firewalls


Two connections instead of one
Either at transport level


SOCKS proxy
Or at application level

HTTP proxy
Univ. of Tehran
Introduction to Computer Network
42
Proxies

Want to look “deeper” into packets
Application type
 Content


Can do by reconstructing TCP flows
and “peering” in, however this is
really hard
Univ. of Tehran
Introduction to Computer Network
44
Final Comments


Internet not designed for security
Many, many attacks



Retrofitting solutions often break original
design principles



Defense is very difficult
Attackers are smart; Broken network aids them!
Some of these solutions work, some of the time
Some make the network inflexible, brittle
Time to go back to the drawing board?
(see Nick for details  )
Univ. of Tehran
Introduction to Computer Network
45
A general view

Cryptography functions




Secret key (e.g., DES)
Public key (e.g., RSA)
Message digest (e.g., MD5)
Security services



Privacy: preventing unauthorized release of information
Authentication: verifying identity of the remote participant
Integrity: making sure message has not been altered
Security
Cryptography Algorithm
Secret Key
(e.g., DES)
Univ. of Tehran
Public key Message digest Privacy
(e.g., RSA)
(e.g., MD5)
Introduction to Computer Network
Security Services
Authentication
integrity
46
Encryption

Change the message such that others can
not understand it except those who knows
mechanism.
Univ. of Tehran
Introduction to Computer Network
47
Encryption elements

Encryption/Decryption function: It usually
permute bit/characters

Ex. – move characters, Cesar Method


Permute character




Can be solved in at most 25 steps.
Needs 26! Step to solve
But it can be solved more easily by analyzing/guessing
the content
Key:
Cipher: the result after encryption
cipher
E(message, Key)
Univ.message
of Tehran
Introduction
to Computer
Network
D(cipher,
key)
48
Encryption





Symmetric = 1 Key/2 users = Secret Key
Asymmetric = Public Key = Public and Private Keys
Block: Message broken in to fixed size blocks
Synchronous: Key stream depends on the key and IV
Asynchronous: Key stream depends on key, IV, and previous
Introduction to Computer Network
49
cipher text
Secret Key (DES)
•Published by National Bureau of Standards in 1977 For
commercial and unclassified government applications
•8 octet (64 bit) key.
•Each octet with 1 odd parity bit ⇒ 56-bit key
•Efficient hardware implementation
•Used in most financial transactions
•56-bit was secure in 1977 but is not secure today
•Now we use DES three times ⇒ Triple DES = 3DES
Plaintext
Plaintext
Encrypt with
secret key
Spring 2000
Decrypt with
secret key
Ciphertext
CS 461
50

64-bit key (56-bits + 8-bit parity)

16 rounds
• Each Round
Initial permutation
L
i– 1
R
i– 1
Round 1
K
F
+
Round 2
…
56-bit key
Round 16
i
L
i
R
i
•Documents only specify how to encrypt/
decrypt not why?
Final permutation
Other DES variants

International Data Encryption Algorithm (IDEA)




Designed for software implementation
Encryption and Decryption are identical as in DES Key:
Use 128 bit key
Advanced Encryption Standard (AES)



Published by NIST in Nov 2001
Based on a competition won by Rijmen and Daemen
(Rijndael)
Rijndael allows many block sizes and key sizes



AES restricts it to:
Block Size: 128 bits
Key sizes: 128, 192, 256 (AES-128, AES-192,AES-256)
Introduction to Computer Network
52
Operation mode


How to generate cipher
Different Operation modes



Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback Mode (CFB)
Electronic Code Book (ECB)
Plaintext
Block 1 Block 2 Block 3 Block 4 Block 5
Block
Encryption
E(block)
Ciphertext
Block 1 Block 2 Block 3 Block 4 Block 5
• Pad
E(block)
E(block)
E(block)
E(block)
…
E(block)
last block, if necessary
•Problem: One specific message always creates the
same cipher
…
Cipher Block Chaining (CBC)
Plaintext
Random Block 1 Block 2 Block 3 Block 4
…
XOR
XOR
XOR
XOR
XOR
Block
Encryption
E(block)
E(block)
E(block)
E(block)
E(block)
Ciphertext
Block 2 Block 3 Block 4 Block 5
• Pad
…
last block, if necessary
• Random Block called IV can be sent in plain text. Not a secret –
just prevents a codebook. Often times a timestamp.
Cipher Feedback Mode (CFB)
1 unit is 1/N block
Shift Register
(1 Block wide)
C I-6
Block
Encryption
Encrypted
Register
Next unit of
Plaintext
C I-5
C I-4
C I-3
C I-2
C I-1
E(register)
Leftmost
XOR
Next unit of
Ciphertext
output
After each unit, shift
input register and
insert the most
recently generated
unit of ciphertext
Public Key cipher

Use two key for encryption and
decryption, public key and private key.
Public Key cipher




It is a one way channel. Anybody can
encrypt and send data but only the owner
of the private key can decrypt it.
It is symmetric meaning E(KS, M) = C =>
D(KP, C) =M
It is based on the number theory
It is used for authentication and
symmetric key distribution
Authentication by Public Key

It is assumed that anybody who has the
private key has done the encryption.
RSA

(A Public Key Encryption Scheme)
Proposed by Rivest, Shamir, Adleman, 1977

Later known that British knew it around 1970

NASA (American) knew it around mid 60’s.

It is build on the factoring numbers

It uses relatively large keys 1024 bits

It is very hard to break but it is very slow
compared to symmetric keys.
RSA









(Procedure)
Select two large prime numbers at random p , q
Compute
N=p*q
ø(N) = (p-1)*(q-1)
Discard p and q COMPLETELY!
Select an e < N such that e ,ø(N) relatively prime
Find 0  d  N such that
e*d = 1 mod ø(N)
Public encryption key is
K = { e ,N }
Encryption Algorithm is
c = me mod N
Private decryption key is K-1 = { d, N }
Decryption Algorithm is
m = cd mod N
RSA Example (simple)
p = 5 and q = 11 (destroy after computing e , d )
N = p*q = 55
modulus
ø(N) = 4*10 = 40
e=3
public exponent relatively prime to 40
d = 27
private exponent 3*27 = 1 mod 40
Say we want to transmit the message
m=4
E(4) = (43) mod 55 = 64 mod 55 = 9
D(4) = 927 mod 55 =
= 58149737003040059690390169 mod 55 = 4
RSA Example (not so simple)
p = 61 and q = 53
(destroy after computing e , d )
N = p*q = 3233
modulus
ø(N) = 60*52 = 3120
e = 17 public exponent relatively prime to 3120
d = 2753 private exponent 17*2753 = 1 mod 3120
Say we want to transmit the message m = 123
E(123) = (12317) mod 3233
= 337587917446653715596592958817679803 mod 3233 = 855
D(855) = 8552753 mod 3233
= (‘eight thousand digit plus’ number) mod 3233 = 123
THE POINT:
It is VERY DIFFICULT to compute ‘d’ from ‘e’ and ‘N’ .
Factoring large numbers is a computation intensive
process.
Data integrity



It is possible to send cipher which sounds OK.
How do we know we get the message from the
right person.
 We need athuntication
We append some redundant information like
CRC, message digest.
We do so by cryptographic Hash functions
Hash Functions


Usually operate on an arbitrary length
message to give a fixed length message
digest.
Properties of a good hash function:
1.
2.
3.

Pre-image Resistant: given f(x) cannot find x
2nd Pre-image Resistant: given x and f(x), it is difficult to
find x’ x such that that f(x) = f(x’)
Collision Resistant: it is difficult to find any x’, x such that
that x’ x and f(x) = f(x’)
If 1,2 are satisfied, the function is said to be
one way
Hash Collisions
Arbitrary length message => Fixed length hash
=>Many messages will map to the same hash
 Given 1000 bit messages => 21000 messages
 128 bit hash => 2128 possible hashes
=>21000/2128 = 2872 messages/hash value
 n-bit hash => Need avg 2n/2 tries to find two
messages with same hash


64 bit hash => 232 tries (feasible)

128 bit hash => 264 tries (not feasible)
Hash functions

MD5






128-bit hash using 512 bit blocks
Invented by Ron Rivest in 1991
Described in RFC 1321
Commonly used to check the integrity of files
(easy to fudge message and the checksum)
Also used to store passwords
March 2006: collisions within 1 minute on a
single notebook
Hash functions

Secure Hash Algorithm (SHA)

SHA-1 is used in TLS, SSL, PGP, SSH,
S/MIME, and IPsec
Data integrity


MAC: Message Authentication code
They use only Hash function instead of
encrypting hash
Why Hash and One Way
Functions?



Message Authentication
Password Storage ?
Key Generation
Digital Signatures


Authenticity & non-repudiation
Which cryptographic protocol could you use for this
purpose?
Alice signs the document with her private
key
SA(m)
Alice sends the signed document to Bob
Bob verifies the signature by decrypting it
with Alice’s public key
VA(SA(m)) = m
– Only Alice knows her private key. This
proves that:
m is from Alice
Alice can’t deny she sent m
Key Distribution


Have network with n entities
Add one more




Must generate n new keys
Each other entity must securely get its new
key
Big headache managing n2 keys!
One solution: use a central keyserver



Needs n secret keys between entities and
keyserver
Generates session keys as needed
Downsides

Only scales to single organization level
How Useful is a KDC?



Must always be online to support secure
communication
KDC can expose our session keys to
others!
Centralized trust and point of failure.
In practice, the KDC model is mostly used
within single organizations (e.g.
Kerberos) but not more widely.