Transcript Slide 1

INFO 331
Computer Networking
Technology II
Chapter 8
Security
Dr. Jennifer Booker
INFO 331 Chapter 8
1
www.ischool.drexel.edu
Security in Networks
• Any two nodes (hosts, routers, etc.) might
need to exchange data securely
– Secure email, transfer routing tables, military
secrets, private data (SSN, Visa), DNS
servers, etc. all need secure communication
• Security has many aspects
– End-point Authentication: If Bob and Carol
are communicating, how do they know it’s
really Bob and Carol?
INFO 331 Chapter 8
2
www.ischool.drexel.edu
Security in Networks
– Confidentiality: How do we keep others from
reading their exchange? Encrypted content.
– Message integrity: How do we ensure a
message isn’t changed en route?
– Nonrepudiation: How can we prove a
message was sent be a specific sender?
– Operational security: How do we protect the
network infrastructure from things like denial
of service (DoS) attacks or hackers?
INFO 331 Chapter 8
3
www.ischool.drexel.edu
Basic Defense Strategy
• In any kind of security approach, we need
to consider three aspects in our strategy
– Prevent: Protect the network to make it
harder for an attack to take place
– Detect: How do you know if you’ve
been attacked?
• Often very difficult in networking
– Mitigate: As or after an attack happens,
how do you minimize the damage it did?
INFO 331 Chapter 8
4
www.ischool.drexel.edu
Non-network Example
• Consider the problem of a bomb on a plane
– Prevent: might prevent the problem by 1) scanning
luggage and passengers, 2) requiring security checks
for airport employees, and 3) controlling access to
planes on the ground
– Detect: detect the problem by 1) a bomb going off, or
2) someone identifying they have a bomb
– Mitigate: Reduce damage by 1) reducing altitude
before the bomb goes off, 2) design the plane to
avoid duplicate systems next to each other
INFO 331 Chapter 8
5
www.ischool.drexel.edu
Non-network Example
• This illustrates some important principles
– Security costs effort and money
– Security is often inconvenient, even annoying
• Security measures often directly reduce
productivity
– Security often affects systems beyond the
immediately obvious ones
– Design of the system is often affected by
security risks, even if they are rare events
INFO 331 Chapter 8
6
www.ischool.drexel.edu
Security vs classification
• In discussing security, the notion of
classification (e.g. Confidential, Secret,
Top Secret, etc.) can emerge
• Systems to handle classified material are
known as ‘trusted’ systems – look for that
keyword
– Often based on old standards such as the
Rainbow Series’ Orange Book
INFO 331 Chapter 8
7
www.ischool.drexel.edu
Passive Intruder
• Going back to Bob and Carol, what happens if
someone is listening to their exchange?
• A passive intruder could
– Eavesdrop – listen to and record the
secure exchange
– Modify, insert, or delete messages that
Bob and Carol were trying to exchange
– Could lead to stealing data, impersonating another
user, hijacking a session or causing DoS
INFO 331 Chapter 8
8
www.ischool.drexel.edu
Cryptography
• Codes for communication go back millennia
• There are tons of resources on the subject:
– RSA, NIST Computer Security Resource Center
– The CERT Coordination Center
• A plain (or clear) text message (e.g. “Sell IBM
stock now!”) is encrypted into cipher text (which
is illegible) using an encryption algorithm, KA
– The key is an input to the algorithm (= cipher)
– (Plain text + key)  via algorithm  ciphertext
INFO 331 Chapter 8
9
www.ischool.drexel.edu
Cryptography
• At the receiving end, the cipher text is
turned back into plain text using a
decryption algorithm, KB)
INFO 331 Chapter 8
10
www.ischool.drexel.edu
Keys
• A key is a string of characters, numbers, and
other ASCII symbols that feeds into the
encryption and decryption algorithms
• The longer the key (in bits), the harder it is
to break
–
–
–
–
DES uses a 56-bit key (obsolete)
Triple DES uses 168-bit
AES use up to 256-bit keys
RSA and PGP use up to 4096-bit keys
INFO 331 Chapter 8
11
www.ischool.drexel.edu
Keys
• There are two major encryption approaches –
symmetric key and public key
• Symmetric key means that KA = KB
– The same key is used by both sender
and receiver
• Public key encryption requires a public key that
anyone can know, plus different private keys for
sender and receiver
– Public key requires longer keys for equal security
INFO 331 Chapter 8
12
www.ischool.drexel.edu
Block vs Stream
• Another is whether each character is
coded individually (stream cipher), or a
group of characters are coded together
(block cipher)
– Stream cipher examples include Caesar’s
code, the WWII Enigma machine, and WEP
(Wired Equivalent Privacy)
– Block ciphers are very common (AES, RSA,
etc.)
• Block sizes are typically 64 or 128 bits
INFO 331 Chapter 8
13
www.ischool.drexel.edu
Cipher-Block Chaining (CBC)
• Repeated phrases, like ‘HTTP/1.1’
produce the same string when encrypted,
making it easier to guess their meaning
– Send a 64-bit Initialization Vector (IV) first
– Encrypt and send (first block of text XOR IV)
– For each subsequent block, encrypt and send
(previous block XOR current clear text)
• This keeps duplicate blocks from
appearing that way
INFO 331 Chapter 8
14
www.ischool.drexel.edu
Key Breaking Approaches
• There are three ways to approach
breaking an encrypted message
– Cipher-text-only attack – you only have the
ciphertext, and little or no clue what it contains
– Known-plaintext attack – when some of the
message contents are known, such as certain
names, words or phrases that should appear
– Chosen-plaintext attack – when you can feed
text (‘The quick brown fox jumps over the lazy
dog’) into the cipher, and see what it produces
INFO 331 Chapter 8
15
www.ischool.drexel.edu
Symmetric Key Crypto
• The Caesar cipher was very simple
• Just move the alphabet down some
number of characters, ‘k’
– A  G (for k = 6)
– Then B  H, C  I, D  J, etc.
– Wrap around when you get to T  Z, U  A
• If you know this is the type of cipher, there
are only 25 different possible keys!
INFO 331 Chapter 8
16
www.ischool.drexel.edu
Symmetric Key Crypto
• Improve on this with a monoalphabetic
cipher
• Each letter corresponds to some other
letter, but they aren’t in order
– A  V, B  L, C  R, or whatever
• This makes 26! (= 4.03E26 or 4.03x1026)
key combinations in theory, but patterns of
common words make it a lot easier to
break than that would suggest
INFO 331 Chapter 8
17
www.ischool.drexel.edu
Symmetric Key Crypto
• Improve on the Caesar cipher with a
polyalphabetic cipher (encryption)
• Use multiple ciphers in a fixed pattern
throughout the message, such as two
Caesar ciphers with different offsets (k
values)
– E.g. follow a pattern of “C1 C2 C2 C1 C2”
where C1 uses k=5 and C2 uses k=19
– Hence need to know pattern and k values
INFO 331 Chapter 8
18
www.ischool.drexel.edu
DES
• The Data Encryption Standard (DES) was
invented in 1977, and updated in 1993
– It is symmetric, uses 64-bit blocks, and nominally
a 64-bit key
– Ok, only 56 bits of the key are usable – the rest is
for parity checks 2^56 = 72E15 possible keys
• How DES works is very messy
– The 64 bits in a block are permuted, go through 16
cycles of math operations, and get permuted again
at the end
INFO 331 Chapter 8
19
www.ischool.drexel.edu
DES
• Each of the 48-bit
keys (K1 to K16)
are different parts
of the overall
56-bit key
INFO 331 Chapter 8
20
www.ischool.drexel.edu
DES Code-Breaking Tests
• In 1997 it took under four months to break
a DES-encrypted message by brute force
(keep trying keys until one works)
– In February 1998 it took 41 days
– In July 1998 it took 56 hours
– In January 1999 it took 22.25 hours, though
using nearly 100,000 PC’s
INFO 331 Chapter 8
21
www.ischool.drexel.edu
Triple-DES
• Ok, so DES isn’t perfect
• Triple-DES (3DES) runs DES three
times with different keys
– Makes for a 168-bit key!
– Used for PPP encryption
INFO 331 Chapter 8
22
www.ischool.drexel.edu
AES
• The Advanced Encryption Standard (AES)
was proposed in 2001 to replace DES
– Uses symmetric encryption with 128-bit
blocks
– Keys can be 128, 192, or 256 bits long
• NIST claims if a computer could crack
56-bit DES in one second, it would take
149 trillion years to break 128-bit AES
INFO 331 Chapter 8
23
www.ischool.drexel.edu
AES
• AES, 3DES, and Skipjack are all
recognized Federal Information
Processing Standards (FIPS)
– Skipjack was used on the Clipper chip for
hardware security; uses a 64-bit key from
an 80-bit cryptovariable
INFO 331 Chapter 8
24
www.ischool.drexel.edu
Public Key Encryption
• So all this symmetric key stuff is good, but
how to you exchange the keys securely?
• Easier if we can show part of our key
publicly
• First public key approach was the 1976
Diffie-Hellman Key Exchange algorithm
– Sender and receiver have public keys
– Each receiver also uses a private key
to decrypt a message
INFO 331 Chapter 8
25
www.ischool.drexel.edu
Public Key Encryption
Why does this provide confidentiality?
INFO 331 Chapter 8
26
www.ischool.drexel.edu
Public Key Encryption
• Two main concerns with public key ciphers
– An intruder can easily know a receiver’s
public key, and the encryption method, so a
chosen-plaintext attack is possible
– Hence private keys, and verifying the sender
of a message are critical – the digital
signature
• The best known public key algorithm is
RSA
– Named for Rivest, Shamir, and Adleman
INFO 331 Chapter 8
27
www.ischool.drexel.edu
RSA
• RSA works like this
– Pick two large prime numbers, p and q
– Want pq> 1024 for corporate use, pq>768 for
lesser security
– Let n = pq, and z = (p-1)(q-1)
– Choose e < n which has no factors in
common with z
– Find d such that (ed-1)/z is an integer
– The public key is (n,e); the private key is (n,d)
INFO 331 Chapter 8
28
www.ischool.drexel.edu
RSA
• To use this, take a plaintext message m
• The ciphertext is c = (m^e)*mod (n)
– This is the integer remainder when m^e is
divided by n
• The receiver gets c, and decodes the
message using m = (c^d) mod n
• So n and e are used for encryption;
n and d are used for decryption
INFO 331 Chapter 8
29
www.ischool.drexel.edu
RSA
• So the theory isn’t too weird, just tedious
because of the large numbers involved
• Finding large prime numbers is a critical
element of many crypto schemes
– RSA is no exception
• Also important is how to choose d and e
• Such issues are beyond our scope here
INFO 331 Chapter 8
30
www.ischool.drexel.edu
RSA vs DES
• RSA is 100 times slower than DES in
software, and 1000 to 10,000 times slower
than DES in hardware
– Hence RSA is often used with DES or AES
• For example, a DES session key KS can
be sent via public RSA key, and then the
rest of the transmission can be done
using DES (key concept!!)
INFO 331 Chapter 8
31
www.ischool.drexel.edu
Why does RSA work?
• The trick is that p and q are prime, so
– 1 = mod (p-1)(q-1) = mod z
• And we chose ed so that (ed-1)/z has no
remainder, hence ed mod (z) = 1
• Encryption followed by decryption of
message m therefore gives
– (m^e)^d = m^1 mod n = m (the original
message)
INFO 331 Chapter 8
32
www.ischool.drexel.edu
RSA
• RSA also works because there is no fast
way (yet?) to factor a large number n into
the primes p and q
• If you could do that, the private key d
could be determined from the public key e,
and RSA would be sunk
INFO 331 Chapter 8
33
www.ischool.drexel.edu
Message Integrity
• In our legal system, a competent adult can use
their written signature to affirm a contract
– Whether paying for lunch on a credit card, or signing
a law into existence, the effect is similar
• A digital signature does the same thing online
• Need to verify that the signature came from the
person claimed, and only that person
– Need it verifiable, non-forgeable and not alterable
– Use public key crypto to do this
INFO 331 Chapter 8
34
www.ischool.drexel.edu
Digital Signature
• For Fred to sign a message, m, he applies
his private key to encrypt the message
– The result is the signed message
• To recover the message, apply his public
key
• Yes, this is the reverse of the way to send
an encrypted message
– Which was use the public key to create cipher
text, then use the private key to decode it
INFO 331 Chapter 8
35
www.ischool.drexel.edu
Digital Signature
• Why does this work backward?
– The application of public and private keys is
just math operations – in this case, doing
them in either order results in recovering the
original message
• Since only Fred knows his private key (we
hope!), that proves the message was
generated by him
– Lesson: Don’t share a private key – EVER!!!
INFO 331 Chapter 8
36
www.ischool.drexel.edu
Message Digests
• Digital signatures are very computationally
expensive
• Want a way for large volumes of data to
verify the sender of a message, and make
sure the data wasn’t changed
• A message digest does this, while being
cheaper than a full blown digital signature
– A message digest is a cryptographic hash
function, like checksums and CRC codes
INFO 331 Chapter 8
37
www.ischool.drexel.edu
Message Digests
• To create a message digest
– For a message, m, compute the hash
function H(m)
– Sign H(m) with your private key, KB-(H(m))
– Send the unaltered message, m, with the
encoded hash function
• The recipient applies the public key
KB+( KB-( H(m) ) ) to recover the hash
function that came with the message
INFO 331 Chapter 8
38
www.ischool.drexel.edu
Message Digests
• The recipient evaluates the hash function with
the message received
– If the message’s hash function agrees with the hash
function they calculate for the message, it proves the
message wasn’t altered
• A hash function creates a string of fixed size
– Must be infeasible to get the same hash function for
any two input messages H(m) = H(n)
– Consider it like a really fancy checksum
INFO 331 Chapter 8
39
www.ischool.drexel.edu
Message Digests
• To improve on this approach, create the
hash of the message (m) AND a secret
authentication key (s)
– H(m+s) = a Message Authentication Code,
MAC
– [This MAC is unrelated to the link layer MAC
address]
• HMAC (noted later) is a popular standard
Is a MAC encrypted?
for generating MACs
INFO 331 Chapter 8
40
www.ischool.drexel.edu
Message Digests
• So two mechanisms are used in the
message digest
– The application of private and public keys is
used “to verify the sender of a message”
– The hash function is used to “make sure the
data wasn’t changed”
• The MD5 algorithm (Ron Rivest) is widely
used for creating 128-bit message digests
– See RFC 1864, if really bored on a long flight
INFO 331 Chapter 8
41
www.ischool.drexel.edu
Message Digests
• If MD5 isn’t good enough for you, try SHA1, which has a 160-bit message digest
– Based on MD4 (which preceded MD5)
– Stands for Secure Hash Algorithm, defined by
FIPS 180-2
– SHA can handle message sizes up to 264 or
2128 bits (that’s 1.8E19 or 3.4E38 bits)
• Still not secure enough?
– SHA-2 has up to 680-bit message digests
INFO 331 Chapter 8
42
www.ischool.drexel.edu
Key Distribution & Certification
• Both symmetric and public key crypto
desperately need to control access to keys
• They require a trusted intermediary
– For symmetric key crypto, that role is the Key
Distribution Center (KDC)
• MIT’s Kerberos is a classic example
– For public key crypto, that role is the
Certification Authority (CA)
INFO 331 Chapter 8
43
www.ischool.drexel.edu
Key Distribution Center (KDC)
• Two people (Alice, Bob) on a public network can
use symmetric key crypto via a KDC
• Each user has a personal secret key registered
with the KDC
• Here call them KA-KDC and KB-KDC
– Alice uses her secret key to tell the KDC she wants
to talk to Bob
– The KDC sends her a one-time session key, R1,
and that key coded using Bob’s secret key (!)
INFO 331 Chapter 8
44
www.ischool.drexel.edu
Key Distribution Center (KDC)
– Alice now knows the one-time session key,
and sends the encrypted key to Bob
– Bob decodes it, and now also knows the
one-time session key
– Now Alice and Bob can communicate
securely using R1
• Sneaky, huh?
• The critical (and risky) part is that the KDC
knows everyone’s secret key
INFO 331 Chapter 8
45
www.ischool.drexel.edu
Key Distribution Center (KDC)
KDC
generates
R1
KA-KDC(A,B)
Alice
knows
R1
KA-KDC(R1, KB-KDC(A,R1) )
KB-KDC(A,R1)
Bob knows to
use R1 to
communicate
with Alice
Alice and Bob communicate: using R1 as
session key for shared symmetric encryption
INFO 331 Chapter 8
46
www.ischool.drexel.edu
Public Key Certification
• Public keys can be made available many
places
– Email signature lines, web pages, or put in a
public key server
• But if I tell you XYZ123 is my public key,
how do you know it’s really mine, and not
someone else’s?
– That’s the role of public key certification – to
verify the identity of a public key
INFO 331 Chapter 8
47
www.ischool.drexel.edu
Certification Authority (CA)
• A Certification Authority (CA) binds a
public key to a particular person (entity)
• The CA’s rules are simple
– A CA must use some means to verify a
person’s identity (the rules vary!)
– The CA creates a digitally signed certificate
which binds the person to the public key
• The CA must have a public key which is
well known (so they can’t be spoofed)
INFO 331 Chapter 8
48
www.ischool.drexel.edu
Certification Authority (CA)
• Example of using a CA
– If you order a pizza from Drexel Pizza over
email
– They could see your public key at, say, the
bottom of your email message
– They use the public key of the CA to verify
that really is YOUR public key
– Once your public key is verified, the order
can be placed
INFO 331 Chapter 8
49
www.ischool.drexel.edu
Certification Authority (CA)
• The ITU and IETF both have standards
for certificate authorities
– ITU X.509 and RFC 6170, respectively
– Verisign is among the better known CAs
INFO 331 Chapter 8
50
www.ischool.drexel.edu
Authentication
• Authentication is proving your identity
– Over a network, no one can tell if you’re you!
• Assume we’re dealing with live
communication
– A later issue is whether a message in the past
was really sent – the digital signature problem
• Here, authentication is done via messages
(duh!) from an authentication protocol
INFO 331 Chapter 8
51
www.ischool.drexel.edu
Authentication
• The authentication protocol has to confirm
the identities before communication occurs
• We’ll look at increasingly complex versions
of an authentication protocol, “ap”, much
like we did for TCP last term
– Don’t worry, no finite state diagrams this time
INFO 331 Chapter 8
52
www.ischool.drexel.edu
Ap1.0
• The simplest way to authenticate is simply
to self-identify
– ‘I am Fred Smith’
• The obvious trouble is that there’s no
assurance this is a true statement
• For that matter, you don’t know if it’s really
the correct Fred Smith you meant to talk to
INFO 331 Chapter 8
53
www.ischool.drexel.edu
Ap2.0
• If the sender is using a known fixed IP address,
we could authenticate by checking the datagram
for that source IP address
– Yes, this datagram is coming from 23.65.133.2
– But this leads to the IP spoofing problem – changing
a datagram to show a different source IP than is true
• Good first hop routers will only send out
datagrams with correct source IPs (RFC 3704)
– But this isn’t enforced
INFO 331 Chapter 8
54
www.ischool.drexel.edu
Ap3.0
• Ok, how about using a password to
authenticate the user?
– If the sender sends a password, it could be
intercepted, and later used to fraudulently
authenticate a spy
– Many passwords (HTTP, Telnet, FTP) are
sent in plain text, or are trivially encoded
• Sniffing packets on a server is an easy
way to steal passwords
INFO 331 Chapter 8
55
www.ischool.drexel.edu
Ap3.1
• Um, so encrypt the password!
– (Assuming a symmetric cipher is used)
• Nope, no good
– A sniffer could record the cipher text of the
password, and replay it to log in (a playback
attack)
– Even though the sniffer doesn’t learn what the
password is, they can still impersonate the
sender
INFO 331 Chapter 8
56
www.ischool.drexel.edu
Ap4.0
• Well, the problem was reusing the same
password over and over – what if it’s
unique?
• What if we have a sequence or set of
passwords, and use each one only once?
• Use a nonce – a number used by the
protocol only once EVER, like this
– Sender sends message to receiver
– Receiver chooses a nonce, R, and replies
INFO 331 Chapter 8
57
www.ischool.drexel.edu
Ap4.0
– Sender encrypts the nonce with a symmetric
key, KA-B(R) and sends it back
– Receiver decrypts it
– If the received message matches the nonce
sent, it’s accepted
• This works (yay!), but depends on having
a symmetric key on both sides
– See if we can improve on it…
INFO 331 Chapter 8
58
www.ischool.drexel.edu
Ap4.0
Sender
Receiver
“I am Alice”
R
KA-B(R)
INFO 331 Chapter 8
Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
be Alice!
59
www.ischool.drexel.edu
Ap5.0
• Can we achieve the good outcome of
ap4.0 using public key encryption?
• Try this:
– Sender sends message to receiver
– Receiver chooses a nonce, R, and replies
– Sender uses private key to encrypt the nonce,
and sends it back to receiver
– Receiver uses sender’s public key to compute
R and authenticates the sender
INFO 331 Chapter 8
60
www.ischool.drexel.edu
Ap5.0
• So what’s wrong? Try this scenario
– Thief sends message impersonating sender to
receiver
– Receiver chooses nonce, R, and replies with it
– Thief intercepts message, uses her private key to
encode the message, and sends it to receiver
– Receiver asks sender for public key, but it’s
intercepted by the Thief, who sends their public key
– Thief is authenticated as the sender!
INFO 331 Chapter 8
61
www.ischool.drexel.edu
Ap5.0
• The goodness of ap5.0 is limited by the
availability of public keys
• Similarly, a man-in-the-middle or bucket
brigade attack puts the Thief in the middle
of the real conversation, unknown to either
side
– Worse, neither sender nor receiver will know
their content was seen by the Thief in the
middle
INFO 331 Chapter 8
62
www.ischool.drexel.edu
Man-in-the-middle Attack
I am Alice
R
K (R)
A
I am Alice
R
K (R)
T
Send me your public key
+
K
T
Send me your public key
+
K
A
- +
m = K (K (m))
A A
+
K (m)
A
Trudy gets
- +
m = K (K (m))
T Alice
sends T
m to
+
K (m)
T
encrypted with
Alice’s public key
INFO 331 Chapter 8
63
www.ischool.drexel.edu
Firewalls
• Like the gateway on a
castle, firewalls are
designed to control
entry into a network,
and access out of it
• The amount of control
a firewall can have is
immense
INFO 331 Chapter 8
64
www.ischool.drexel.edu
Firewalls
• The goals of a firewall are generally
– All traffic into and out of the organization must
pass through a firewall
– Only authorized traffic will be allowed to pass
– The firewall itself is immune to attack
• Firewalls are inherently paranoid
– The default setting is to allow nothing in
or out!
INFO 331 Chapter 8
65
www.ischool.drexel.edu
Firewalls
• Firewalls fall in three categories
– Packet filters (network level)
– Stateful filters
– Application gateways
• First look at packet filtering
– Most organizations have a firewall at the
boundary to the public Internet (plus possibly
others internally)
INFO 331 Chapter 8
66
www.ischool.drexel.edu
Firewalls
• Packet filters can look at each packet’s
– Source and/or destination IP addresses
– Type of protocol (transport or application)
– Source and/or destination port number
– TCP flag bits – SYN, ACK, etc.
– ICMP message type
• Rules can vary for inbound vs outbound
traffic, or for different router interfaces
INFO 331 Chapter 8
67
www.ischool.drexel.edu
Firewalls
• Any of these can be a basis for filtering
rules
– For example, block all outgoing Telnet or
FTP or HTTP traffic
– Block UDP traffic to stop (some) streaming
media
– Or exclude specific IP addresses from
these rules
INFO 331 Chapter 8
68
www.ischool.drexel.edu
Firewalls
• A sneaky trick is to block incoming TCP
traffic with the ACK bit set to 0
– This kills TCP connections originating from
the outside
• Another key issue is to be aware of the
sequence in which packet filtering rules
are applied
– The first rule that applies to a packet
determines its fate – not all the rules!
INFO 331 Chapter 8
69
www.ischool.drexel.edu
Firewalls
• Even a simple firewall (Cisco PIX 501, about
$400) can control (see handout)
–
–
–
–
–
–
–
Which interfaces are active, and at what speeds
IP addresses allowed to take data in
IP addresses allowed to send data out
Which protocols are allowed to operate
Which ports are allowed for each protocol
Use of authentication servers (e.g. RADIUS)
If the firewall acts as an HTTP or DHCP server
INFO 331 Chapter 8
70
www.ischool.drexel.edu
Firewalls
– Use of a virtual private network (VPN), and what
types of encryption are used (DES, 3DES, AES)
– IP addresses of the interfaces
– Where NAT is running inside the network
– SNMP server information
• Licensing issues include how many interfaces
are active (2+), how many hosts can be
connected (10, 50, or unlimited), allowable
throughput, and whether VPN is available
INFO 331 Chapter 8
71
www.ischool.drexel.edu
Stateful Packet Filters
• Stateful filters track each TCP connection,
and decide in the context of that
connection how to apply filtering rules
– Do so by creating a connection table with
each connection’s source and destination IP
and port number
– An access control list can define the rules for
allowable IP, port, transport protocol, flags,
etc.
INFO 331 Chapter 8
72
www.ischool.drexel.edu
Application Gateway
• The other category of firewall is an
application gateway
– It’s a server which filters application data
– Packet filters can’t filter by user, but an app
gateway can
• Can combine with packet filtering
– Have packet filter only allow Telnet from the
app gateway, then have app gateway control
which users can use Telnet
INFO 331 Chapter 8
73
www.ischool.drexel.edu
Application Gateway
• Can have separate app gateway servers
for each app (HTTP, FTP, email, etc.)
– Web cache & email servers are also
gateways
• Using an app gateway costs in lower app
performance, plus the time needed for its
configuration and maintenance
• Firewalls can be breached by wireless
devices, or even dialup connections
INFO 331 Chapter 8
74
www.ischool.drexel.edu
Intrusion Detection Systems
• An IDS does deep packet inspection,
looking at packet message contents
instead of just headers
– An IDS can be signature-based, where it
keeps a database of attack signatures for
various forms of attack
– Or an anomaly-based IDS looks for
statistically unusual packet patterns
INFO 331 Chapter 8
75
www.ischool.drexel.edu
Intrusion Detection Systems
• The network between a packet filter and
an IDS can be called the DMZ
(demilitarized zone)
– Public web servers are typically inside
the DMZ
• Snort is an open source IDS
INFO 331 Chapter 8
76
www.ischool.drexel.edu
Network Attacks
• Many kinds of attacks on computer
networks are possible
– Can attack common operating systems
– Can attack applications
– Can attack the network itself
• We’ll focus on the latter
– Disclaimer: Naturally this isn’t intended to be
a user’s guide to hacking, but is intended to
help you be proactive to protect your network
INFO 331 Chapter 8
77
www.ischool.drexel.edu
Need 411
• Many attacks are preceded by gathering
information
– Same idea as ‘casing’ a future crime scene,
scouting, reconnaissance, etc.
– Here we call it mapping
• Mapping is often to determine the IP
addresses of hosts on the network, the
type of OS’ used, and types of services
offered
INFO 331 Chapter 8
78
www.ischool.drexel.edu
Mapping
• Ping can be used to find IP addresses
• Port scanning is done by trying to send
TCP connection requests or UDP packets
to every possible port number, and see
which ones are active
– Nmap is a free, open source, network
mapping utility which uses WinPcap
– Many firewalls look for port scanners, and
report their presence to a network manager
INFO 331 Chapter 8
79
www.ischool.drexel.edu
Packet Sniffing
• A packet sniffer
receives all packets
coming into or leaving
a host
– Promiscuous mode
allows it to receive all
passing frames
– Unencrypted user
names and passwords
can be found this way
INFO 331 Chapter 8
No, packet sniffing!
80
www.ischool.drexel.edu
Packet Sniffing
• To detect Packet Sniffing, need to detect
network interfaces (NICs) that are in
promiscuous mode
• One way is to send ICMP Echo Request
messages to all hosts, with a correct IP
address, but wrong MAC address
– Hosts that Reply are likely to be in
promiscuous mode
• Encrypt data when sniffing may be present
INFO 331 Chapter 8
81
www.ischool.drexel.edu
Spoofing
• IP Spoofing is deliberately changing the IP
address a datagram claims to be from
• This is used to hide the true source of an attack,
such as denial-of-service
• Spoofing is preventable with ingress filtering
– Have a router check to see if the packet came from
the correct interface to have come from the claimed
source IP address
– Still, not very powerful if router has few interfaces
INFO 331 Chapter 8
82
www.ischool.drexel.edu
Denial-of-Service (DoS)
• A herd of attacks fall under Denial-of-Service
(DoS) or distributed DoS (DDoS) types
• Main purpose is to prevent real users from
getting to a network or web site
• A SYN flooding attack sends many TCP SYN
packets with spoofed IP addresses to a server
– The server completes the second step of the
handshake, and allocates resources for the
connection
INFO 331 Chapter 8
83
www.ischool.drexel.edu
Denial-of-Service (DoS)
– The server runs out of resources, and crashes
• A variation of this is to send incomplete TCP
fragments to a server, who will dutifully keep
them in the hope of completing the segment
– The final packet never arrives, but the server keeps
the fragments until it runs out of storage
• A smurf attack gets a lot of innocent hosts to
respond to ICMP Echo Request messages
– They all reply to a server whose IP was spoofed
INFO 331 Chapter 8
84
www.ischool.drexel.edu
Distributed DoS
• Sneakier yet is the distributed DoS attack
– A master attacker gains access to many unsuspecting
hosts (e.g. via password sniffing)
– The master installs a DoS application on each
slave host
– When a signal is sent, all of the slaves start a DoS
attack against the same server
• Since many hosts are involved in the attack, it’s
very difficult to defend against this
INFO 331 Chapter 8
85
www.ischool.drexel.edu
Hijacking
• Hijacking a connection means you take over one
side of it, without the other side being aware of
the subterfuge
– An attacker monitors a connection to find out ACK
and sequence numbers, IP addresses, etc.
– They DoS attack one sender to keep them from
responding, and start communicating with the other
sender in place of the original host
• The other sender may not be able to tell someone else
is present!
INFO 331 Chapter 8
86
www.ischool.drexel.edu
Case Studies
• All of the top four layers of protocols (App,
Transport, Network, Link) can provide
security to varying degrees
– All layers above the secure one benefit from
its security
– Higher layer security needed for user-level
protection; lower layers harder to implement
• We’ll look at case studies in each layer
– E-mail, SSL, IPsec, and 802.11
INFO 331 Chapter 8
87
www.ischool.drexel.edu
Case Study: Secure E-mail
• What features might we want from secure
email?
– Confidentiality – only sender and receiver can
see the contents
– Sender authentication – verify sender’s
identity
– Message integrity – to know it wasn’t changed
– Receiver authentication
• So how can we provide these features?
INFO 331 Chapter 8
88
www.ischool.drexel.edu
Case Study: Secure E-mail
• Confidentiality could be done with
symmetric key encryption (DES or AES),
but distribution of a symmetric key is hard
• Could use public key encryption
– Makes the key exchange easier
– Bad for long messages, though
– Could use the symmetric-public trick from
earlier – send the symmetric key using public
key encryption, then converse using
symmetric key
INFO 331 Chapter 8
89
www.ischool.drexel.edu
Case Study: Secure E-mail
• Now ignore confidentiality for a moment,
and consider sender authentication and
message integrity
– Sender applies a hash function (MD5) to a
message, and signs it with their private key
– Receiver applies sender’s public key, and
compares the received hash value with that
generated locally
– This accomplishes both desired functions
INFO 331 Chapter 8
90
www.ischool.drexel.edu
Case Study: Secure E-mail
• Now combine the two approaches
– Sender generates a hash of their message
and applies their private key to the hash
– The hash + message then has their
symmetric key applied
– Receiver gets the message, undoes the
symmetric encryption, applies the sender’s
public key to recover the sent hash, and
compares to the locally generated hash
• Easy, huh?
INFO 331 Chapter 8
91
www.ischool.drexel.edu
Case Study: Secure E-mail
• So to provide secure email we’re using
three technologies
– Hash functions & digital signatures
– Symmetric key crypto
– Public key crypto
• Does it work? Yup!
– And it has since 1991
INFO 331 Chapter 8
92
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• PGP was created in 1991 by Phil
Zimmermann
– Free versions are available, or you can buy
fancier versions
– It uses the approach outlined on slide 81
• Messages can be digitally signed,
encrypted, or both
– And it can throw in data compression, too
INFO 331 Chapter 8
93
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• How does it do it?
– The message digest is created with MD5 or SHA
– Symmetric key crypto is done using CAST, 3DES, or
IDEA
– Public key crypto is done with RSA
• PGP creates a public key for each user, and
protects their private key with a password
• Public keys can be kept on a server, your web
site, or attached to messages
INFO 331 Chapter 8
94
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• Key certification is done partially by mutual
assurance
– A user can certify a user/key combination
– Some have mutual key signing parties
(yippee)
• But most people advertise their public
keys via email or personal web sites
INFO 331 Chapter 8
95
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• Secure Sockets Layer provide security at
the transport layer (TCP)
• Secure business transactions (stock
trades, finance, etc.) are a key motivation
– Otherwise sensitive info could be stolen, or a
false storefront could trick real customers
• SSL was created by Netscape to provide
encryption and authentication between a
web browser and a web server
INFO 331 Chapter 8
96
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL starts with a handshake phase to
negotiate which crypto algorithm will be
used (DES, IDEA, etc.), and authenticates
the server to the client
– During the session, all data is encrypted using
keys negotiated during handshake
• SSL 3.0 is the basis for the Transport
Layer Security (TLS) protocol, RFC 5246
INFO 331 Chapter 8
97
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL sits between the transport and
application layers, and can be used
for many kinds of apps (email, etc.)
• From the sending side, SSL
– Takes app data, encrypts it, and sends it to
a TCP socket
• From the receiving side, SSL
– Reads from a socket (port), decrypts it, and
sends it to the application at that end
INFO 331 Chapter 8
98
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL provides:
– SSL server authentication – is this really the
server I think it is? Done via Certificate
Authorities (CA) and public keys
– SSL client authentication – likewise prove the
client is who they say they are
– Encrypted SSL sessions – in which all data
between client and server is encrypted
INFO 331 Chapter 8
99
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• A web page on an SSL-enabled server is
addressed by https instead of http
• The web browser has a list of CAs and
their public keys
• We’re going to use the public key – to
exchange symmetric keys trick again
• So how does the handshake work?
– Ok, this is a Reader’s Digest version of it…
INFO 331 Chapter 8
100
www.ischool.drexel.edu
SSL Handshake
• Browser sends server their SSL version
and symmetric crypto preferences
• Server sends browser their version,
preferences, & certificate with RSA
public key
• Browser checks certificate against list
– If it’s not on the list, user is warned
– If it is on the list, the CA’s public key is used to
validate the certificate and get their public key
INFO 331 Chapter 8
101
www.ischool.drexel.edu
SSL Handshake
• Browser generates a symmetric session
key, encrypts it with server’s public key,
and sends to server
• Browser warns server all future messages
will use the symmetric session key
• Server tells browser the same thing
• Handshake is done, and session begins
INFO 331 Chapter 8
102
www.ischool.drexel.edu
SSL Limitations
• SSL is widely used for credit card
purchases, but it wasn’t designed for
that purpose
• One could obtain a CA for a business that
has nothing to sell, and no certificate
authority could block it from getting a
certificate
– A certificate just proves you really are XYZ
Corporation, not whether XYZ Corp is
reputable or trustworthy!
INFO 331 Chapter 8
103
www.ischool.drexel.edu
IPsec
• The IP security protocol, IPsec, is a suite
of protocols at the network layer
– It’s described in over a dozen RFCs, mainly
RFC 4301
– Often used for Virtual Private Networks
(VPNs)
• We want network-layer confidentiality
– All datagrams have encrypted data
– Any encryption method could be used
INFO 331 Chapter 8
104
www.ischool.drexel.edu
IPsec
– Data could include TCP or UDP segments,
ICMP messages, etc.
– If everyone provided network-layer
confidentiality, anyone tapping the network
would see only gibberish
• We also might want source authentication
– This would verify the source of a datagram
really sent it, thereby defeating spoofing IP
addresses
INFO 331 Chapter 8
105
www.ischool.drexel.edu
IPsec
• IPsec offers two levels of service (RFC
7321)
– Authentication Header (AH) protocol
• The AH protocol provides source authentication
and data integrity, but no confidentiality
– Encapsulated Security Payload (ESP)
protocol
• The ESP protocol provides all three (source
authentication, data integrity, confidentiality)
• Hence ESP is more processing-intensive
INFO 331 Chapter 8
106
www.ischool.drexel.edu
Security Association (SA)
• Both AH and ESP first establish a logical
channel using a Security Association (SA)
• Recall a normal IP connection has no
state information
• An SA defines a logical connection
between hosts
– SA is simplex (one-way)
– For traffic to flow both directions,
make two SAs
INFO 331 Chapter 8
107
www.ischool.drexel.edu
Security Association (SA)
• An SA is defined by
– Security protocol identifier (AH or ESP)
– Source IP address
– 32-bit connection identifier, the Security
Parameter Index (SPI)
• A given SA connection will use the same
SPI value in all of its datagrams
– Store SA info in Security Association
Database (SAD) in the OS kernel
INFO 331 Chapter 8
108
www.ischool.drexel.edu
Authentication Header (AH)
IP header
AH header
data (e.g., TCP, UDP segment)
• Once an SA is established, a host can
send secure datagrams to the other host
• To use AH, a special header is inserted
between the normal IP header and the
TCP or UDP segment
– The IP header has protocol field #51
• Routers handling AH traffic only see that
protocol field – the rest is ignored by them
INFO 331 Chapter 8
109
www.ischool.drexel.edu
Authentication Header (AH)
• The AH header has these key fields:
– Next Header, which is the IP protocol field
– SPI value for this connection
– Sequence number – unlike the TCP sequence
number, this is 0 to start and is tracked
separately from the TCP field
– Authentication Data field, which contains a
message digest (digital signature) for this
datagram
INFO 331 Chapter 8
110
www.ischool.drexel.edu
Authentication Header (AH)
• The message digest is calculated for the
IP header and the TCP/UDP segment,
ensuring host authentication
– It’s computed using the usual algorithms MD5, SHA, etc.
– These algorithms are a.k.a. Hashed Message
Authentication Codes (HMAC, RFC 2404)
• When the receiving host gets a datagram
with an AH header, it determines the SA
and processes the authentication field
INFO 331 Chapter 8
111
www.ischool.drexel.edu
AH and ESP
• After authentication, AH uses the TCP or
UDP segment as is (no encryption was
used)
• ESP also starts with an SA connection
• ESP surrounds the original IP datagram
with both headers and trailers
authenticated
encrypted
IP header
ESP
ESP
TCP/UDP segment
header
trailer
INFO 331 Chapter 8
ESP
authent.
112
www.ischool.drexel.edu
ESP
• For ESP, IP protocol field 50 is used
• The original segment and ESP trailer are
encrypted using DES-CBC (RFC 2405)
• The ESP header has
– 32-bit SPI field
– 32-bit sequence number
– Same roles as in AH
INFO 331 Chapter 8
113
www.ischool.drexel.edu
ESP
• The ESP trailer has
– Next Header
– Authentication Data field
– Again, same roles as in AH
• The optional ESP Authentication field is
– “… a variable-length field containing an
Integrity Check Value (ICV) computed over
the ESP packet minus the Authentication
Data. ”
INFO 331 Chapter 8
114
www.ischool.drexel.edu
SAD and SPD
• When a router receives an unsecured
datagram, how does it know it’s okay to
encrypt it? And if so, according to which
SA?
– The Security Policy Database (SPD) knows
what types of datagrams are to receive IPsec,
and which SA is appropriate for each
INFO 331 Chapter 8
115
www.ischool.drexel.edu
Key Mgmt: IKE and ISAKMP
• In order for IPsec to be widely used, key
management has to be automated and reliable
– Internet Key Exchange (IKE) does this for IPsec
– RFC 7296
• Somewhat related, the Internet Security
Association and Key Management Protocol
(ISAKMP) defines how SA’s are established and
torn down (RFC 4945)
INFO 331 Chapter 8
116
www.ischool.drexel.edu
Security in 802.11
• Since wireless
access points
are omnidirectional,
security is a big
concern
(or should be!)
• Only one of
these was my
network!
INFO 331 Chapter 8
117
www.ischool.drexel.edu
WEP
• The basic level of 802.11 security for
authentication and encryption is Wired
Equivalent Privacy (WEP)
• WEP uses a symmetric shared key
• WEP doesn’t specify how the key is
shared
INFO 331 Chapter 8
118
www.ischool.drexel.edu
WEP Authentication
• WEP authenticates a host like this:
– Host requests authentication by an AP
– AP responds with a 128-bit nonce value
– Host encrypts the nonce with its symmetric
key
– AP decrypts the host-encrypted nonce
• If it matches the value sent by the AP, the host is
authenticated
INFO 331 Chapter 8
119
www.ischool.drexel.edu
WEP Encryption
• WEP encrypts data using a 40-bit secret
symmetric key
– Each frame also gets a different 24-bit
Initialization Vector (IV), for a total of 64 bits
• Encryption works like this:
– Find a 4-byte CRC value for the data
– Use RC4 to encrypt the (data plus CRC code)
– The IV value for this frame is in plain text in
the 802.11 frame header
INFO 331 Chapter 8
120
www.ischool.drexel.edu
WEP Encryption
• Receiver of the data:
– Takes the IV value, appends it to the known
40-bit secret symmetric key, and decrypts the
frame
– Then the CRC check can verify data integrity
• RC4 is deliberately a weak code, so that it
can pass US export regulations
• For RC4 to work reliably, it can never use
the same 64-bit key
INFO 331 Chapter 8
121
www.ischool.drexel.edu
WEP Encryption
• But 40 bits of the key are rarely changing (if
ever), so each key is only unique for 2^24 IV
values
• If IV is chosen randomly, a duplicate key is
99% likely after only 12,000 frames
– If a duplicate keyed message is intercepted, a
spoofed IP listener can decrypt the entire message,
and determine what the secret key was
• WEP has many documented weaknesses
INFO 331 Chapter 8
122
www.ischool.drexel.edu
802.11i
• 802.11i was approved in 2004 to improve
wireless security
– Wi-Fi Protected Access (WPA) is a subset of it
• 802.11i provides a set of security options called
Robust Security Network Association (RSNA)
security
• It also manages keys, and has an authentication
server separate from the access point
INFO 331 Chapter 8
123
www.ischool.drexel.edu
802.11i Phases of Operation
STA:
client station
AP: access point
AS:
Authentication
server
wired
network
1 Discovery of
security capabilities
2 STA and AS mutually authenticate, together
generate Master Key (MK). AP servers as “pass through”
3 STA derives
Pairwise Master
Key (PMK)
3 AS derives
same PMK,
sends to AP
4 STA, AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity
INFO 331 Chapter 8
124
www.ischool.drexel.edu
802.11i
• 802.11i, and advanced encryption such
as AES
• It uses the Extensible Authentication
Protocol (EAP, RFC 3748)
– It can use RADIUS (and soon, DIAMETER)
authentication between AP and authentication
server
– Between wireless host and AP it can use EAP
over LAN (EAPoL, IEEE 802.1X)
INFO 331 Chapter 8
125
www.ischool.drexel.edu
Summary
• So we’ve looked at the basics of:
–
–
–
–
–
Secure communication principles
Encryption (cryptography), such as DES and RSA
Authentication
Digital signatures and message digests
Key distribution methods
• And examples of how these technologies are
used within each network layer: email, SSL,
IPsec, and 802.11
INFO 331 Chapter 8
126
www.ischool.drexel.edu