S = S[1] - University of South Carolina
Download
Report
Transcript S = S[1] - University of South Carolina
CSCE 715:
Network Systems Security
Chin-Tser Huang
[email protected]
University of South Carolina
A Security Problem in Network
An adversary that has access to a network can insert
new messages, modify current messages, or replay
old messages in the network
These inserted, modified, and replayed messages can
go undetected until they cause severe damage to
network
The physical location of the adversary in network
may never be determined
Cannot be mitigated by end-to-end security scheme
Example: denial-of-service attacks
02/25/2009
2
Denial-of-Service (DoS) Attacks
Aimed to deny normal service provided
by the target computer
Communication-stopping attacks
ARP spoofing attack
Resource-exhausting attacks
02/25/2009
Smurf attack
SYN attack
3
Ping Protocol
Allow any computer to check whether any other
computer in the Internet is up
Any computer x can send a “ping” message to any
computer y which replies by sending back a “pong”
message (thus x knows y is up)
In ping message:
In pong message:
src = x and
src = y and
dst = y
dst = x
ping(x, y)
x
y
pong(y, x)
02/25/2009
4
Broadcast Ping Protocol
If in ping message dst = “all”, a copy of ping is
broadcast to every computer
Each computer replies by sending back a pong, and
x is flooded with pong messages
In ping message:
In pong messages:
src = x
and dst = “all”
src = y, y’ and dst = x
pong(y´,x)
y´
ping(x,all)
x
y
pong(y, x)
02/25/2009
5
Smurf Attack
An adversary pretends to be x and broadcasts a
ping message where src = x and dst = “all”
Thus, x is flooded with pong messages that it has
not requested: a denial-of-service attack at x
a
ping(x,all)
y´
pong(y´,x)
x
y
pong(y, x)
02/25/2009
6
Countering Smurf Attack
Make each router check the src of each received
message and discard the message if the src is
suspicious
src=x
shouldn’t
come to me
a
x
02/25/2009
ping(x, all)
R1
R2
R3
y´
y
7
Clever Smurf Attack
An adversary inserts a ping(x, all) message
between routers R2 and R3
R3 thinks the message was forwarded by R2 and
so accepts the message
a
R1
R2
R3
y´
ping(x, all)
x
02/25/2009
y
8
Countering Clever Smurf Attack
When R3 receives a message, R3 needs to
determine whether message was indeed sent
by R2, or was modified or replayed by an
adversary between R3 and R2
If use IPSec, will need to set up SA’s between
each pair of adjacent routers: too expensive
Our solution: use hop integrity protocol
between each pair of adjacent routers
02/25/2009
9
Hop Integrity
Let p, q be routers connected to same
subnetwork
Detection of Message Modification:
when q receives a message m supposedly from p,
q can check that m was not modified after sent
Detection of Message Replay:
02/25/2009
when q receives a message m supposedly from p,
q can check that m was not a replay of an old
message
10
Adversary vs. Routers
The adversary can perform three types of actions
to disrupt communication between two routers
Message loss
Message modification
Message replay
The routers are assumed to be secure and cannot
be compromised by the adversary
The routers will execute hop integrity protocols
that can detect and defeat the adversary actions
02/25/2009
11
Hop Integrity Protocol
Each pair of adjacent routers need to share a secret S,
which is updated periodically by the two routers using a
secret exchange protocol
To each IP message sent between two adjacent routers,
add a sequence number seq, and an integrity check d
hdr
txt
IP message
d := MD(S | hdr | seq | txt)
d
16 bytes if MD5;
20 bytes if SHA-1
hdr
02/25/2009
seq
d
txt
MD
MD5 or SHA-1
seq
4 bytes
12
Architecture of
Hop Integrity Protocols
router p
secret
exchange
layer
router q
Applications
Applications
Transport
Transport
qe
pe
secrets
secrets
Network
Network
integrity
check
layer
pw
or
Subnetwork
ps
qw
or
qs
Subnetwork
.
02/25/2009
13
Component of
Hop Integrity Protocols
Three protocols between each pair of
adjacent routers
02/25/2009
secret exchange protocol
weak integrity protocol
strong integrity protocol
14
How to Exchange Secret
Each router p has a secret S that it uses for
computing the digest of every msg sent to an
adjacent router q
Both p and q need to know S
What if p sends secret update message to q
periodically?
Problem due to message loss
What if p sends secret update message to q
periodically and q sends an ack to p?
02/25/2009
Problem due to bundling of secret exchange layer
and integrity check layer
15
Secret Exchange Protocol
q updates secret S used by p by sending a
secret update message to p every T hours
When p receives secret update message from
q, p updates secret and sends an ack to q
If q does not receive ack from p for t
seconds, q retransmits the secret update
message
02/25/2009
16
Secret Exchange Protocol
S[0]
S[1]
q
p S
S[0] = S[1] = S
BpS[0], S[1]
S[0] old
S[1] new
if S[1] = S
then S[0] :=S[1]
if S = S[0] S = S[1]
then S :=S[1]
BqS
S[0] = S[1] = S
T hours
BpS[0], S[1]
S[0] old
S[1] new
if S[1] = S
then S[0] :=S[1]
02/25/2009
BqS
if S = S[0] S = S[1]
then S :=S[1]
S[0] = S[1] = S
17
Recovery from Message Loss in
Secret Exchange Protocol
S[0]
S[1]
q
p S
S[0] = S[1] = S
BpS[0], S[1]
S[0] old
S[1] new
t seconds
S[0] = S S[1]
BpS[0], S[1]
if S = S[0] S = S[1]
then S :=S[1]
BqS
t seconds
S[1] = S S[0]
BpS[0], S[1]
if S[1] = S
then S[0] :=S[1]
02/25/2009
BqS
if S = S[0] S = S[1]
then S :=S[1]
S[0] = S[1] = S
18
Weak Integrity Protocol
To detect insertion and modification
Each sent msg from p to q is as follows
(hd | d | txt)
where p computes d as
d = MD(S | hd | txt)
On receiving a msg, q checks
if
d = MD(S[0] | hd | txt)
d = MD(S[1] | hd | txt)
then q forwards msg
else q discards msg
02/25/2009
19
Weak Integrity Protocol
S[0]
S[1]
p S
q
(hd | d | txt)
.
.
02/25/2009
20
Strong Integrity
To detect replay, successive sequence
numbers are attached to all sent msgs from p
to q
Problem with reset
If p is reset, unbounded number of fresh
messages are discarded by q
If q is reset, it can accept unbounded number of
replayed messages
Two solutions to overcome reset
02/25/2009
Soft sequence numbers
Hard sequence numbers
21
Soft Sequence Numbers
Successive sequence numbers are attached to all
sent msgs from p to q:
(hd | sq | txt)
q maintains three variables
exp sequence number of next msg
c
#msgs received
cmax random value changed when c reaches it
On receiving a msg, q checks
if
(exp sq) (c = cmax)
then q forwards msg
else q discards msg
fi;
q updates exp, c, cmax
02/25/2009
22
Soft Sequence Numbers
exp
c
cmax
p sq
q
(hd | sq | txt)
sq
sq+1
c=0
.
c=1
.
.
.
.
.
c = cmax :
choose new cmax,
c=0
02/25/2009
23
Strong Integrity Protocol
Using Soft Sequence Numbers
Each sent msg from p to q is as follows
(hd | sq | d | txt)
where p computes d as
d = MD(S | hd | sq | txt)
On receiving a msg, q checks
if
(d = MD(S[0] | hd | sq | txt)
d = MD(S[1] | hd | sq | txt) )
(exp sq c = random value cmax)
then q forwards msg
else q discards msg
fi;
q updates exp, c, cmax
02/25/2009
24
Hard Sequence Numbers
To overcome reset, use two operations
SAVE and FETCH
When SAVE is executed, the last
sequence number will be stored in
persistent memory
When FETCH is executed, the last
stored sequence number will be loaded
from persistent memory into memory
02/25/2009
25
Strong Integrity Protocol
Using Hard Sequence Numbers
Each sent msg from p to q is as follows
(hd | sq | d | txt)
where p computes d as
d = MD(S | hd | sq | txt)
On receiving a msg, q checks
if
(d = MD(S[0] | hd | sq | txt)
d = MD(S[1] | hd | sq | txt) ) (exp sq)
then
q forwards msg
else
q discards msg
fi;
q updates exp
p and q executes SAVE periodically
When waking up from a reset, p (or q) executes FETCH to fetch last
stored seq#, executes SAVE to store next seq#, and continues after
SAVE finishes
02/25/2009
26
Tradeoff between Soft and Hard
Sequence numbers
Soft sequence numbers are easier to
implement
Do not require SAVE and FETCH operations and do
not require persistent memory
Hard sequence numbers provide better
security
02/25/2009
When use soft sequence numbers, adversary has
a chance, although small, to guess and get its
sequence number accepted
When use hard sequence numbers, p and q stick
to their sequence numbers and leave adversary no
chance
27
Other Applications of Hop Integrity
Mobile IP
Secure multicast
Security of routing protocols
02/25/2009
28
Mobile IP
A mobile computer c can visit a foreign network F
other than its home network H
Msgs destined for c will be received by its home
agent (HA) and forwarded to its foreign agent (FA)
m
m
c
home agent
(HA)
m
Internet
F
H
foreign agent
(FA)
02/25/2009
29
Problem with Mobile IP
m
c
Mobile computer c can send a msg thru FA
However, this msg may be filtered out by next
router q because its source address is
“strange”
?
home agent
q
(HA)
m
Internet
F
H
foreign agent
(FA)
02/25/2009
30
Mobile IP with Hop Integrity
With integrity check d added to msg m, q can
check that m was indeed forwarded by FA
Thus, q ignores strange source of msg m and
forwards m toward its ultimate destination
m d
c
q
m d
home agent
(HA)
m d
Internet
F
H
foreign agent
(FA)
02/25/2009
31
Multicast
Multicast msgs are forwarded through a spanning tree from root
to every multicast destination
If a destination receives a multicast msg, then each destination
receives a copy of same msg with high probability
02/25/2009
32
Multicast
Multicast msgs are forwarded through a spanning tree from root
to every multicast destination
If a destination receives a multicast msg, then each destination
receives a copy of same msg with high probability
02/25/2009
33
Multicast
Multicast msgs are forwarded through a spanning tree from root
to every multicast destination
If a destination receives a multicast msg, then each destination
receives a copy of same msg with high probability
02/25/2009
34
Multicast
Multicast msgs are forwarded through a spanning tree from root
to every multicast destination
If a destination receives a multicast msg, then each destination
receives a copy of same msg with high probability
02/25/2009
35
Security Problem with Multicast
If adversary inserts or modifies a multicast msg
between two routers in middle of tree, then only a
small fraction of multicast destinations receive the
inserted or modified msg
02/25/2009
36
Multicast with Hop Integrity
With hop integrity, an inserted or modified multicast
message will be detected and discarded at its first
hop in the spanning tree
02/25/2009
37
Routing Information Protocol (RIP)
Every 30 seconds, RIP process in router R’ sends its routing table
in a response msg to RIP process in each adjacent R
R updates its routing table when it receives a response msg from
any adjacent R’
Security problem
R
R
RIP
RIP
UDP
IP
02/25/2009
IP
38
RIP with Hop Integrity
With hop integrity, the response msgs are protected
against message modification, insertion, and replay
R
R
RIP
RIP
UDP
Secret Update
IP
Integrity Check
02/25/2009
Secret Update
IP
Integrity Check
39
Security of Routing Protocols
Hop integrity can also provide uniform
protection (against message modification,
insertion, and replay) for other routing
protocols
OSPF protocols (Hello, Exchange, Flood)
RSVP
Better than custom security mechanisms that
have been proposed for some protocols
02/25/2009
40
Implementation of Hop Integrity
Implementation of hop integrity
protocols in Linux kernel
Add integrity check digest and soft
sequence number to IP options in IP
header
Compatible with legacy routers
Flexibility of deployment
02/25/2009
41
Related Works
Ingress filtering [RFC2827]:
Secure routing [Che97, MB96, SMG97]:
Not needed if hop integrity is installed
Traceback [BLT01, SWK+01, SPS+01]:
Completes hop integrity
Cannot prevent denial-of-service attacks, but can
detect some of them
IPsec [KA98a]:
02/25/2009
Has goals other than dealing with denial-of-service
attacks
42
Next Class
Security in transport layer
SSL and TLS
Application of SSL/TLS in Web security
Read Chapter 17
02/25/2009
43