Chapters 9 and 8
Samba/SMB, Network Security
Professor Rick Han
University of Colorado at Boulder
[email protected]
Announcements
• HW #5 a possibility
• Programming Assignment #3 due May 2
• Lecture slides from last week online after class
• In Chapter 8, read all sections.
• Next, Samba/SMB, Network Security
Prof. Rick Han, University of
Colorado at Boulder
Recap of Previous Lecture
• An example caching policy for an HTTP proxy
  • Conditional GET with If-Modified-Since header
  • Proxy returns page from its cache only if that page is not expired and its Last-Modified is more recent than the If-Modified-Since date
  • Otherwise, proxy forwards conditional GET to server, who either replies with
    • New page, or
    • Status 304 “Not Modified”
• Network Address Translation (NAT)
  • Outbound: Substitute NAT’s IP address and TCP port for the packet’s source IP and source TCP port
  • Inbound: Replace the packet’s dest IP and dest TCP port (the NAT’s IP addr and TCP port) with the internal host’s IP addr and TCP port from the NAT’s mapping
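The proxy policy in the recap above, carried through as an added example (not code from the lecture): an origin server and a caching proxy are modelled as small Python classes, and the proxy applies the two rules exactly as stated, serving from cache only when the copy is unexpired and newer than the client's If-Modified-Since date, and otherwise forwarding the conditional GET and relaying the origin's 200 or 304. The page body, timestamps and one-hour expiry are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def http_date(dt):
    """Format an aware UTC datetime as an HTTP date, e.g. 'Fri, 20 Apr 2001 12:00:00 GMT'."""
    return format_datetime(dt, usegmt=True)


class Origin:
    """Constructed origin server holding one page and its Last-Modified time."""

    def __init__(self, body, last_modified):
        self.body = body
        self.last_modified = last_modified

    def conditional_get(self, if_modified_since):
        """Answer a conditional GET: 200 + page if modified since the given date, else 304."""
        ims = parsedate_to_datetime(if_modified_since)
        if self.last_modified > ims:
            return 200, self.body, http_date(self.last_modified)
        return 304, None, http_date(self.last_modified)


class Proxy:
    """Caching proxy applying the lecture's policy to a conditional GET."""

    def __init__(self, origin):
        self.origin = origin
        self.entry = None  # cached page: body, last_modified, expires

    def store(self, body, last_modified, expires):
        self.entry = {"body": body, "last_modified": last_modified, "expires": expires}

    def handle_conditional_get(self, if_modified_since, now):
        """Return (status, body, served_from) for a request carrying If-Modified-Since."""
        ims = parsedate_to_datetime(if_modified_since)
        e = self.entry
        # Rule 1: serve from cache only if the copy is unexpired AND newer than the
        # client's copy (its Last-Modified is more recent than If-Modified-Since).
        if e is not None and now < e["expires"] and e["last_modified"] > ims:
            return 200, e["body"], "cache"
        # Rule 2: otherwise forward the conditional GET to the origin, which replies
        # with a new page (200) or 304 Not Modified; refresh the cache on a 200.
        status, body, last_modified_hdr = self.origin.conditional_get(if_modified_since)
        if status == 200:
            self.store(body, parsedate_to_datetime(last_modified_hdr), now + timedelta(hours=1))
        return status, body, "origin"


def demo():
    """Three requests against one cached page; returns a list of (status, served_from)."""
    t0 = datetime(2001, 4, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock
    page_modified = t0 - timedelta(days=1)
    origin = Origin("<html>v2</html>", page_modified)
    proxy = Proxy(origin)
    proxy.store("<html>v2</html>", page_modified, t0 + timedelta(hours=1))  # fetched earlier
    outcomes = []
    # Client holds a 3-day-old copy: cache is fresh and newer -> served from cache.
    status, _, src = proxy.handle_conditional_get(http_date(t0 - timedelta(days=3)), t0)
    outcomes.append((status, src))
    # Client already has yesterday's copy: cache is not newer -> forwarded; origin says 304.
    status, _, src = proxy.handle_conditional_get(http_date(page_modified), t0)
    outcomes.append((status, src))
    # Two hours later the cached copy has expired -> forwarded even for an old client copy.
    status, _, src = proxy.handle_conditional_get(http_date(t0 - timedelta(days=3)),
                                                  t0 + timedelta(hours=2))
    outcomes.append((status, src))
    return outcomes


if __name__ == "__main__":
    for status, source in demo():
        print(status, source)
```

The second request shows why the "more recent than" comparison matters: when the cached copy is no newer than what the client already holds, serving it from cache would just waste bandwidth, so the request is forwarded and the origin's 304 is relayed instead.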
Recap of Previous Lecture (2)
• NAT
  • Static NATs map an inbound packet’s dest IP and dest TCP port to an internal host’s fixed IP addr and TCP port
    • Enables a Web server behind a NAT to serve Web pages to external hosts
    • Adds security risk
  • Dynamic NATs provide a firewall masquerading capability
    • In absence of fixed mappings, external hosts can’t make an inbound connection to any internal host
    • Internal hosts can still make outbound TCP connections
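The translation table behind both recap slides, as an added example that is not part of the lecture: a minimal NAT model with one public address, dynamic mappings created by outbound packets, and optional static mappings. The demo shows the masquerading effect (an unsolicited inbound packet finds no mapping and is dropped), the reply to an outbound connection being translated back, and the exposure a static mapping adds. All addresses are constructed from the documentation ranges.

```python
import itertools


class Nat:
    """Constructed model of a NAT box with a single public IP address.
    Dynamic entries appear when an inside host sends outbound; static entries are configured."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.table = {}     # (public_ip, public_port) -> (inside_ip, inside_port)
        self.reverse = {}   # (inside_ip, inside_port) -> public_port

    def add_static(self, public_port, inside_ip, inside_port):
        """Static NAT: a fixed mapping, e.g. to expose an internal Web server."""
        self.table[(self.public_ip, public_port)] = (inside_ip, inside_port)
        self.reverse[(inside_ip, inside_port)] = public_port

    def outbound(self, pkt):
        """Rewrite source IP/port to the NAT's own, allocating a mapping on first use."""
        key = (pkt["src_ip"], pkt["src_port"])
        port = self.reverse.get(key)
        if port is None:
            port = next(self._ports)                 # dynamic mapping
            self.table[(self.public_ip, port)] = key
            self.reverse[key] = port
        return dict(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Rewrite dest IP/port to the mapped inside host, or drop (None) when unmapped."""
        inside = self.table.get((pkt["dst_ip"], pkt["dst_port"]))
        if inside is None:
            return None   # no mapping: this is the firewall-like masquerading effect
        return dict(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo():
    """Returns (probe_dropped, translated_outbound, translated_reply, static_inbound)."""
    nat = Nat("203.0.113.1")   # constructed public address (TEST-NET-3)
    # 1. Unsolicited inbound to a dynamic-only NAT: no mapping exists, so it is dropped.
    probe = {"src_ip": "198.51.100.7", "src_port": 5555,
             "dst_ip": "203.0.113.1", "dst_port": 40000}
    dropped = nat.inbound(probe) is None
    # 2. An inside host opens an outbound TCP connection; source IP/port are rewritten.
    out = nat.outbound({"src_ip": "10.0.0.5", "src_port": 51000,
                        "dst_ip": "198.51.100.7", "dst_port": 80})
    # 3. The reply targets the NAT's IP and allocated port, so it is translated back inside.
    reply = nat.inbound({"src_ip": "198.51.100.7", "src_port": 80,
                         "dst_ip": out["src_ip"], "dst_port": out["src_port"]})
    # 4. Static NAT exposes an internal Web server: unsolicited inbound to port 80 is delivered.
    nat.add_static(80, "10.0.0.80", 8080)
    web = nat.inbound({"src_ip": "198.51.100.7", "src_port": 6000,
                       "dst_ip": "203.0.113.1", "dst_port": 80})
    return dropped, out, reply, web


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Step 4 is the "adds security risk" bullet made concrete: once a static mapping exists, every external host can reach the mapped internal port, so the exposed service must be hardened as if it sat directly on the public network.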
Samba/SMB
• Server Message Block (SMB) Protocol
  • File sharing protocol that ships with Microsoft OSs
    • Basis for Network Neighborhood
  • Application-layer protocol over TCP/UDP/IP
• Open-source SAMBA Server suite enables other OSs such as Linux to speak SMB
  • Enables an MS client to access files on a UNIX server – very useful!
Samba/SMB (2)
• For historical reasons, SMB first ran across the NETBIOS API, which then ran across various network protocols, e.g. TCP/UDP, IPX, SNA, DECnet, etc.
  • SMB packets can be framed in NETBIOS packets which are encapsulated by TCP/UDP
  • NETBIOS over TCP/UDP is called NBT
(Layering figure: SMB over NETBIOS over TCP/UDP, IPX, SNA or …)
Samba/SMB (3)
• Newer version of SMB: Windows 2000 now runs SMB natively on top of TCP/UDP
  • no NETBIOS framing
  • renamed to Common Internet FileSystem (CIFS)
    • CIFS actually refers to entire suite of protocols: file/printer-sharing, service announcement, naming, authentication, authorization
  • Supports older version of SMB too, to maintain compatibility
(Layering figure: SMB (Windows 2000) directly over TCP/UDP)
Samba/SMB (4)
• NBT creates an abstraction: a virtual LAN, even if actual nodes are distributed over wide area
• NBT provides 3 services over a virtual LAN
  • Naming Service
  • Datagram Distribution Service
  • Session Service
• NBT Naming Service
  • Broadcast: “where’s anchor?” “Here I am”
  • Point-to-point: required to bridge subnets, because broadcasts are typically confined to a subnet
  • A NETBIOS Name Server (NBNS) provides name-to-IP mappings for a NETBIOS virtual LAN
    • Also called WINS in MS terminology
Samba/SMB (5)
• NBT Naming Service (cont.)
  • Runs on UDP port 137: NETBIOS naming queries are encapsulated in UDP then IP
• NBT Datagram Service
  • Runs over UDP port 138
  • Point-to-point and multicast are straightforward within a LAN
  • Multicast across IP subnets requires a bridging agent: a NETBIOS Datagram Distribution Server (NBDD)
    • Multicast datagrams are sent to NBDD, which gets list of hosts in multicast group from NBNS, then sends point-to-point to each host
    • WINS messed up its implementation of NBDD (as of May 2001) – some group members won’t receive multicast
Samba/SMB (6)
• NBT Session Service
  • Runs over TCP port 139
  • Implements file sharing
  • Simple sequence of events:
    1. Source X gives NETBIOS name of destination Y to NBT Name Service and gets back IP address of Y
    2. Source X establishes a TCP connection with Y
    3. Source X sends a NETBIOS SESSION SERVICE REQUEST to Y. Y accepts request.
    4. X and Y exchange files via SMB.
• SMB packets consist of “0xFF” then the letters “SMB” followed by a command and data
  • Commands are patterned after DOS I/O commands, and include OPEN, CLOSE, DELETE, etc.
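Steps 3 and 4 of the session sequence, and the 0xFF "SMB" packet layout, as an added parser that is not part of the lecture or of the Samba project: it splits the 4-byte NBT session-service framing used on TCP port 139 from its payload, then decodes the fixed SMB header behind the magic bytes. The NBT packet types come from RFC 1002 and the 32-byte SMB header layout and command codes from the MS-CIFS specification (assumptions beyond the slides, which only state the magic, command and data); the sample frames are constructed, and the session-request payload is a placeholder rather than the real called/calling name encoding. This is the sort of decoder a monitor on port 139 would need before it can tell a NEGOTIATE from a DELETE.

```python
import struct

# NBT session service packet types (RFC 1002 section 4.3); assumed from the RFC, not the slides.
NBT_TYPES = {0x00: "SESSION MESSAGE", 0x81: "SESSION REQUEST",
             0x82: "POSITIVE SESSION RESPONSE", 0x83: "NEGATIVE SESSION RESPONSE"}

# A few SMB command codes (MS-CIFS); the slides name OPEN, CLOSE and DELETE.
SMB_COMMANDS = {0x02: "OPEN", 0x04: "CLOSE", 0x06: "DELETE", 0x72: "NEGOTIATE"}

SMB_MAGIC = b"\xffSMB"      # 0xFF then the letters "SMB", as on the slide
SMB1_HEADER_LEN = 32        # fixed-size header of the original SMB dialect family (MS-CIFS)


def parse_nbt_session(frame):
    """Split an NBT session-service frame (as carried on TCP/139) into (type name, payload)."""
    if len(frame) < 4:
        raise ValueError("truncated NBT session header")
    ptype, flags, length = struct.unpack("!BBH", frame[:4])
    length |= (flags & 0x01) << 16      # RFC 1002: low flag bit extends LENGTH to 17 bits
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("NBT length field exceeds frame")
    return NBT_TYPES.get(ptype, "UNKNOWN 0x%02x" % ptype), payload


def parse_smb_header(payload):
    """Parse the fixed SMB header: magic, command byte, then the remaining header fields."""
    if not payload.startswith(SMB_MAGIC):
        # Note: SMB2 frames start with 0xFE "SMB" and use a different header; rejected here.
        raise ValueError("not an SMB packet (bad magic)")
    if len(payload) < SMB1_HEADER_LEN:
        raise ValueError("truncated SMB header")
    # Layout per MS-CIFS, little-endian: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2)
    # PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2) = 32 bytes.
    (command, status, flags, flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", payload[4:SMB1_HEADER_LEN])
    return {"command": SMB_COMMANDS.get(command, "0x%02x" % command), "status": status,
            "flags": flags, "flags2": flags2, "tid": tid,
            "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
            "data": payload[SMB1_HEADER_LEN:]}


def build_smb(command, tid=0, uid=0, mid=0, data=b""):
    """Constructed helper: an SMB header + data wrapped in an NBT SESSION MESSAGE frame."""
    hdr = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x18, 0x0001, 0,
                                  bytes(8), 0, tid, 0x1234, uid, mid)
    body = hdr + data
    return struct.pack("!BBH", 0x00, 0, len(body)) + body


def demo():
    """Decode a constructed session request followed by two SMB messages."""
    # Constructed: a real SESSION REQUEST carries the encoded called/calling names here.
    session_request = struct.pack("!BBH", 0x81, 0, 4) + b"\x00\x00\x00\x00"
    frames = [session_request,
              build_smb(0x72),                                            # NEGOTIATE (dialects)
              build_smb(0x06, tid=1, uid=100, mid=2, data=b"constructed")]  # DELETE
    summary = []
    for frame in frames:
        kind, payload = parse_nbt_session(frame)
        if kind == "SESSION MESSAGE":
            h = parse_smb_header(payload)
            summary.append((kind, h["command"], h["tid"], h["uid"], h["mid"]))
        else:
            summary.append((kind, None, None, None, None))
    return summary


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The NEGOTIATE command is the dialect negotiation phase mentioned on the next slide; every SMB session starts with it, so an unexpected command as the first message after a session request is itself a useful anomaly for a detection rule.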
Samba/SMB (7)
• SMB
  • Several dialects of SMB, so there is always a negotiation phase to make sure SMB client speaks the same dialect as SMB server
  • Network Neighborhood is supported by a “Browsing” Service
    • Browsing is organized in terms of IP subnets and Workgroups.
    • A "Workgroup" is a set of NBT nodes on an IP subnet that shares the same Workgroup name.
    • On each subnet, the Workgroup members hold an "election," which involves sending group datagrams via the NBT Datagram Service.
    • A Domain Master Browser enables browsing across subnets
Samba/SMB (8)
• CIFS
  • Removes NETBIOS/NBT
  • Also, replaces NETBIOS services with standard-based services
    • Example: NBNS is replaced with Dynamic DNS
• SAMBA
  • Racing to stay compatible with latest MS twist on CIFS, e.g. Windows 2000
  • See www.samba.org for more info
Network Security
• Classic properties of secure systems:
  • Confidentiality
    • Encrypt message so only sender and receiver can understand it.
  • Authentication
    • Both sender and receiver need to verify the identity of the other party in a communication: are you really who you claim to be?
  • Authorization
    • Does a party with a verified identity have permission to access (r/w/x/…) information? Gets into access control policies.
Network Security (2)
• Classic properties of secure systems: (cont.)
  • Integrity
    • During a communication, can both sender and receiver detect whether a message has been altered?
  • Non-Repudiation
    • Originator of a communication can’t later deny that the communication took place
  • Availability
    • Guaranteeing access to legitimate users. Prevention of Denial-of-Service (DOS) attacks.
Cryptography
(Figure: plaintext → Encryption → ciphertext → Decryption → plaintext)
• Encryption algorithm also called a cipher
• Cryptography has evolved so that modern encryption and decryption use secret keys
  • Only have to protect the keys! => Key distribution problem
  • Cryptographic algorithms can be openly published
(Figure: plaintext → Encryption with key KA → ciphertext → Decryption with key KB → plaintext)
Cryptography (2)
• Cryptography throughout history:
  • Julius Caesar cipher: replaced each character by a character cyclically shifted to the left. Weakness?
    • Easy to attack by looking at frequency of characters
  • Mary Queen of Scots: put to death for treason after Queen Elizabeth I’s spymaster cracked her encryption code
  • WWII: Allies break German Enigma code and Japanese naval code
    • Enigma code machine (right)
Cryptography (3)
• Cryptanalysis – Types of attacks:
  • Brute force: try every key
  • Ciphertext-only attack:
    • Attacker knows ciphertext of several messages encrypted with same key (but doesn’t know plaintext).
    • Possible to recover plaintext (also possible to deduce key) by looking at frequency of ciphertext letters
  • Known-plaintext attack:
    • Attacker observes pairs of plaintext/ciphertext encrypted with same key.
    • Possible to deduce key and/or devise algorithm to decrypt ciphertext.
Cryptography (4)
• Cryptanalysis – Types of attacks:
  • Chosen-plaintext attack:
    • Attacker can choose the plaintext and look at the paired ciphertext.
    • Attacker has more control than known-plaintext attack and may be able to gain more info about key
  • Adaptive Chosen-Plaintext attack:
    • Attacker chooses a series of plaintexts, basing the next plaintext on the result of previous encryption
  • Differential cryptanalysis – very powerful attacking tool
    • But DES is resistant to it
• Cryptanalysis attacks often exploit the redundancy of natural language
  • Lossless compression before encryption removes redundancy
Cryptography (5)
• Symmetric or Secret-Key Cryptography
  • Both sender and receiver keys are the same: KA=KB
  • Data Encryption Standard (DES)
    • Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity)
    • Uses permutation or transposition of characters:
      • abcd → dbac
    • Was cracked in 1997
    • Triple-DES: put the output of DES back as input into DES again, loop again
Cryptography (6)
• Public-Key Cryptography
  • Host who wants data sent to it advertises a public encryption key Kpublic
  • Decryption algorithm has the property that only a private key Kprivate can decrypt the ciphertext
    • Based on the difficulty of factoring the product of two prime #’s
  • Even though attacker knows the public key Kpublic and the encryption algorithm, the attacker still does not know the private key Kprivate
  • Example: RSA encryption algorithm
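The RSA example named on the slide, carried through as an added worked example (not code from the lecture): Kpublic is derived from two primes, a message is encrypted with Kpublic and recovered only with Kprivate, and the last step shows why the scheme rests on factoring, since for the toy modulus used here trial division recovers the primes and therefore Kprivate in an instant. The primes (61, 53) and message (65) are a constructed textbook-sized setting; real keys use primes of hundreds of digits precisely so that this factoring step is infeasible. Textbook RSA without padding is shown because that is what the slide describes; deployed systems add padding on top.

```python
from math import gcd, isqrt


def rsa_keygen(p, q, e=17):
    """Textbook RSA key generation from two primes; returns (Kpublic, Kprivate) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(k_public, m):
    """Anyone holding Kpublic can encrypt: c = m^e mod n."""
    n, e = k_public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(k_private, c):
    """Only the holder of Kprivate can decrypt: m = c^d mod n."""
    n, d = k_private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover (p, q) for a toy modulus; this is the step that becomes infeasible as n grows."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


def demo():
    """Returns (ciphertext, decrypted message, whether factoring n reproduced Kprivate)."""
    p, q = 61, 53                      # constructed toy primes, n = 3233
    k_public, k_private = rsa_keygen(p, q)
    m = 65                             # constructed message, encoded as an integer below n
    c = rsa_encrypt(k_public, m)
    recovered = rsa_decrypt(k_private, c)
    # An attacker knows Kpublic = (n, e) and the algorithm, but not d. With a toy n,
    # factoring is instant and yields phi and hence d; with a large n it is not.
    fp, fq = factor_by_trial_division(k_public[0])
    _, k_private_from_factoring = rsa_keygen(fp, fq, k_public[1])
    return c, recovered, k_private_from_factoring == k_private


if __name__ == "__main__":
    print(demo())
```

The third return value is the slide's claim in executable form: knowing Kpublic and the algorithm gives the attacker nothing as long as n cannot be factored, and everything the moment it can.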