S = S[1] - University of South Carolina


CSCE 715:
Network Systems Security
Chin-Tser Huang
University of South Carolina
A Security Problem in Network

An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network
These inserted, modified, and replayed messages can go undetected until they cause severe damage to network
The physical location of the adversary in network may never be determined
Example: denial-of-service attacks
10/5/2004

Denial-of-Service (DoS) Attacks

Aimed to deny normal service provided by the target computer
Communication-stopping attacks
  ARP spoofing attack
Resource-exhausting attacks
  Smurf attack
  SYN attack

Ping Protocol

Allow any computer to check whether any other computer in the Internet is up
Any computer x can send a “ping” message to any computer y which replies by sending back a “pong” message (thus x knows y is up)
  In ping message: src = x and dst = y
  In pong message: src = y and dst = x
[Figure: x sends ping(x, y) to y; y replies with pong(y, x)]

Broadcast Ping Protocol

If in ping message dst = “all”, a copy of ping is broadcast to every computer
Each computer replies by sending back a pong, and x is flooded with pong messages
  In ping message: src = x and dst = “all”
  In pong message: src = y and dst = x
[Figure: x broadcasts ping(x, all); y and y´ reply with pong(y, x) and pong(y´, x)]

Smurf Attack

An adversary pretends to be x and broadcasts a ping message where src = x and dst = “all”
Thus, x is flooded with pong messages that it has not requested: denial-of-service attack at x
[Figure: adversary a broadcasts ping(x, all); y and y´ reply to x with pong(y, x) and pong(y´, x)]

Countering Smurf Attack

Make each router check the src of each received message and discard the message if the src is suspicious
[Figure: adversary a sends ping(x, all) along routers R1, R2, R3 toward y and y´; a router on the path notes “src = x shouldn’t come to me”]

Clever Smurf Attack

An adversary inserts a ping(x, all) message between routers R2 and R3
R3 thinks the message was forwarded by R2 and so accepts the message
[Figure: routers R1, R2, R3 with hosts x, y, y´; adversary a inserts ping(x, all)]

Countering Clever Smurf Attack

When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was modified or replayed by an adversary between R3 and R2
If IPsec is used, SAs will need to be set up between each pair of adjacent routers: too expensive
Our solution: use hop integrity protocol between each pair of adjacent routers

Hop Integrity

Let p, q be routers connected to same subnetwork
Detection of Message Modification:
  when q receives a message m supposedly from p, q can check that m was not modified after sent
Detection of Message Replay:
  when q receives a message m supposedly from p, q can check that m was not a replay of an old message

Adversary vs. Routers

The adversary can perform three types of actions to disrupt communication between two routers
  Message loss
  Message modification
  Message replay
The routers are assumed to be secure and cannot be compromised by the adversary
The routers will execute hop integrity protocols that can detect and defeat the adversary actions

Hop Integrity Protocol

Each pair of adjacent routers needs to share a secret S, which is updated periodically by the two routers using a secret exchange protocol
To each IP message sent between two adjacent routers, add a sequence number sq and an integrity check d
  IP message: hd | txt
  Message sent between adjacent routers: hd | sq | d | txt
  d := MD(S | hd | sq | txt)
  MD: MD5 or SHA-1
  d: 16 bytes if MD5; 20 bytes if SHA-1
  sq: 4 bytes

Architecture of Hop Integrity Protocols

[Figure: protocol stacks of router p and router q (Applications, Transport, Network, Subnetwork); a secret exchange layer with processes pe and qe and their secrets; an integrity check layer with processes pw or ps and qw or qs]

Component of Hop Integrity Protocols

Three protocols between each pair of adjacent routers
  secret exchange protocol
  weak integrity protocol
  strong integrity protocol

How to Exchange Secret

Each router p has a secret S that it uses for computing the digest of every msg sent to an adjacent router q
Both p and q need to know S
What if p sends secret update message to q periodically?
  Problem due to message loss
What if p sends secret update message to q periodically and q sends an ack to p?
  Problem due to bundling of secret exchange layer and integrity check layer

Secret Exchange Protocol

q updates secret S used by p by sending a secret update message to p every T hours
When p receives secret update message from q, p updates secret and sends an ack to q
If q does not receive ack from p for t seconds, q retransmits the secret update message

Secret Exchange Protocol

q holds S[0] and S[1]; p holds S
Initially: S[0] = S[1] = S
q: S[0] old, S[1] new
q → p: BpS[0], S[1]
p: if S = S[0] ∨ S = S[1] then S := S[1]
p → q: BqS
q: if S[1] = S then S[0] := S[1]
Now: S[0] = S[1] = S
After T hours, the same exchange is repeated

Recovery in Secret Exchange Protocol

q holds S[0] and S[1]; p holds S
Initially: S[0] = S[1] = S
q: S[0] old, S[1] new
q → p: BpS[0], S[1]
State: S[0] = S ≠ S[1]
After t seconds, q → p: BpS[0], S[1]
p: if S = S[0] ∨ S = S[1] then S := S[1]
p → q: BqS
State: S[1] = S ≠ S[0]
After t seconds, q → p: BpS[0], S[1]
p: if S = S[0] ∨ S = S[1] then S := S[1]
p → q: BqS
q: if S[1] = S then S[0] := S[1]
Finally: S[0] = S[1] = S

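The recovery behaviour above, as an added Python simulation that is not part of the original slides. The class names, the `drops` schedule and the sample secrets are assumptions made for illustration, and the Bp/Bq labels on the slide messages are not modeled (messages are passed as plain tuples). The trace records, after every round, whether p's secret S is still one of q's S[0], S[1], which is what lets q keep verifying p's digests while an update is in flight.

```python
class Q:
    """Router q: holds S[0] (old) and S[1] (new) and drives each update."""
    def __init__(self, secret: bytes):
        self.S = [secret, secret]

    def start_update(self, new_secret: bytes):
        self.S[1] = new_secret            # S[0] old, S[1] new

    def update_msg(self):
        return (self.S[0], self.S[1])     # sent, then resent every t seconds

    def on_ack(self, s: bytes):
        if self.S[1] == s:                # if S[1] = S then S[0] := S[1]
            self.S[0] = self.S[1]

    def done(self) -> bool:
        return self.S[0] == self.S[1]


class P:
    """Router p: holds the single secret S used for its digests."""
    def __init__(self, secret: bytes):
        self.S = secret

    def on_update(self, msg):
        s0, s1 = msg
        if self.S in (s0, s1):            # if S = S[0] or S = S[1] then S := S[1]
            self.S = s1
        return self.S                     # the ack carries S


def run_exchange(q, p, new_secret, drops):
    """drops lists, per round, which message is lost: 'update', 'ack' or None."""
    q.start_update(new_secret)
    trace = []
    for lost in drops:
        if q.done():
            break
        if lost != "update":
            ack = p.on_update(q.update_msg())
            if lost != "ack":
                q.on_ack(ack)
        trace.append((p.S in q.S, q.done()))
    return trace


def demo():
    # Constructed secrets; first the update is lost, then the ack, then nothing.
    q, p = Q(b"secret-A"), P(b"secret-A")
    return run_exchange(q, p, b"secret-B", ["update", "ack", None])
```
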
Weak Integrity Protocol

To detect insertion and modification
Each sent msg from p to q is as follows
  (hd | d | txt)
where p computes d as
  d = MD(S | hd | txt)
On receiving a msg, q checks
  if d = MD(S[0] | hd | txt) ∨ d = MD(S[1] | hd | txt)
  then q forwards msg
  else q discards msg

Weak Integrity Protocol

[Figure: p (holding S) sends (hd | d | txt) to q (holding S[0], S[1])]

Strong Integrity

To detect replay, successive sequence numbers are attached to all sent msgs from p to q
Problem with reset
  If p is reset, unbounded number of fresh messages are discarded by q
  If q is reset, it can accept unbounded number of replayed messages
Two solutions to overcome reset
  Soft sequence numbers
  Hard sequence numbers

Soft Sequence Numbers

Successive sequence numbers are attached to all sent msgs from p to q:
  (hd | sq | txt)
q maintains two variables
  exp: sequence number of next msg
  c: #msgs received
On receiving a msg, q checks
  if (exp ≤ sq) ∨ (c = random value cmax)
  then q forwards msg
  else q discards msg
  fi;
  q updates exp, c, cmax

Soft Sequence Numbers

[Figure: p (holding sq) sends (hd | sq | txt) with sequence numbers sq, sq+1, ... to q (holding exp, c, cmax)]

Strong Integrity Protocol Using Soft Sequence Numbers

Each sent msg from p to q is as follows
  (hd | sq | d | txt)
where p computes d as
  d = MD(S | hd | sq | txt)
On receiving a msg, q checks
  if (d = MD(S[0] | hd | sq | txt) ∨ d = MD(S[1] | hd | sq | txt)) ∧ (exp ≤ sq ∨ c = random value cmax)
  then q forwards msg
  else q discards msg
  fi;
  q updates exp, c, cmax

Hard Sequence Numbers

To overcome reset, use two operations SAVE and FETCH
When SAVE is executed, the last sequence number will be stored in persistent memory
When FETCH is executed, the last stored sequence number will be loaded from persistent memory into memory

Strong Integrity Protocol Using Hard Sequence Numbers

Each sent msg from p to q is as follows
  (hd | sq | d | txt)
where p computes d as
  d = MD(S | hd | sq | txt)
On receiving a msg, q checks
  if (d = MD(S[0] | hd | sq | txt) ∨ d = MD(S[1] | hd | sq | txt)) ∧ (exp ≤ sq)
  then q forwards msg
  else q discards msg
  fi;
  q updates exp
p and q execute SAVE periodically
When waking up from a reset, p (or q) executes FETCH to fetch last stored seq#, executes SAVE to store next seq#, and continues after SAVE finishes

Other Applications of Hop Integrity

Mobile IP
Secure multicast
Security of routing protocols

Mobile IP

A mobile computer c can visit a foreign network F other than its home network H
Msgs destined for c will be received by its home agent (HA) and forwarded to its foreign agent (FA)
[Figure: msg m, the Internet, home agent (HA) in H, foreign agent (FA) in F, and mobile computer c]

Problem with Mobile IP

Mobile computer c can send a msg thru FA
However, this msg may be filtered out by next router q because its source address is “strange”
[Figure: c, foreign agent (FA) in F, router q questioning msg m, the Internet, and home agent (HA) in H]

Mobile IP with Hop Integrity

With integrity check d added to msg m, q can check that m was indeed forwarded by FA
Thus, q ignores strange source of msg m and forwards m toward its ultimate destination
[Figure: c, foreign agent (FA) in F, router q, the Internet, and home agent (HA) in H; msgs are labeled m d]

Multicast

Multicast msgs are forwarded through a spanning tree from root to every multicast destination
If a destination receives a multicast msg, then each destination receives a copy of same msg with high probability

Security Problem with Multicast

If adversary inserts or modifies a multicast msg between two routers in middle of tree, then only a small fraction of multicast destinations receive the inserted or modified msg

Multicast with Hop Integrity

With hop integrity, an inserted or modified multicast message will be detected and discarded at its first hop in the spanning tree

Routing Information Protocol (RIP)

Every 30 seconds, RIP process in router R’ sends its routing table in a response msg to RIP process in each adjacent R
R updates its routing table when it receives a response msg from any adjacent R’
Security problem
[Figure: protocol stacks (RIP, UDP, IP) of two adjacent routers]

RIP with Hop Integrity

With hop integrity, the response msgs are protected against message modification, insertion, and replay
[Figure: protocol stacks of two adjacent routers: RIP, UDP, and IP with Secret Update and Integrity Check]

Security of Routing Protocols

Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols
  OSPF protocols (Hello, Exchange, Flood)
  RSVP
Better than custom security mechanisms that have been proposed for some protocols

Implementation of Hop Integrity

Implementation of hop integrity protocols in Linux kernel
Add integrity check digest and soft sequence number to IP options in IP header
Compatible with legacy routers
Flexibility of deployment

Related Works

Ingress filtering [RFC2827]:
Secure routing [Che97, MB96, SMG97]:
Not needed if hop integrity is installed
Traceback [BLT01, SWK+01, SPS+01]:
Completes hop integrity
Cannot prevent denial-of-service attacks, but can detect some of them
IPsec [KA98a]:
Has goals other than dealing with denial-of-service attacks

Next Class

Security in transport layer
SSL and TLS
Application of SSL/TLS in Web security
Read Chapter 17