Security in Networks (Part 2)

CPSC 363 Computer Networks

Ellen Walker

Hiram College

(Includes figures from Computer Networking by Kurose & Ross, © Addison Wesley 2002)

Trusted Intermediaries

• How do 2 entities establish shared keys?– Trusted key distribution center– Gives appropriate one-time session key to each entity when

a conversation is established– No entity knows another’s secret key (except for a specific

conversation)

• How do I know the public key Alice sent me is really Alice’s public key?– Trusted Certification Authority keeps list of all public keys;

issues certificates with ID & public key (encrypted with CA’s private key, so nonforgeable)

Key Distribution Center

Aliceknows

R1

Bob knows to use R1 to communicate with Alice

Alice and Bob communicate: using R1 as session key for shared symmetric

encryption

KDC generate

s R1

KB-KDC(A,R1)

KA-KDC(A,B)

KA-KDC(R1, KB-KDC(A,R1) )

Certification Authority

• Binds key to entity E (host or router)• Generates digitally-signed certificate after

receiving appropriate proof of identity and payment

Bob’s public

key K B+

Bob’s identifying informatio

n

digitalsignature(encrypt)

CA private

key K CA-

K B+

certificate for Bob’s public

key, signed by CA

Firewall• Analogy: brick wall between apartments to

contain a fire• In networking, isolates internal net from larger

Internet, hopefully containing attacks

administerednetwork

publicInternet

firewall

What Can Firewall Prevent?

• Denial of service attacks– SYN flooding establishes bogus TCP connections,

preventing “real users” from establishing them

• Illegal access / modification of internal data• Access by unauthorized users/hosts

Types of Firewall

• Packet sniffing– Each packet examined and allowed to pass (or

not) based on a set of rules

• Application level– All messages for a given application pass through

a “gateway”– Information such as username available at

application level, but not packet

Packet Filtering Rules

• Packets can be determined to pass or not based on:– Source, Destination IP address– TCP / UDP source & destination port numbers– ICMP message type– TCP SYN and ACK bits

• E.g. TCP ACK=0 is new message originating from outside

• Ordering of rules is important (and can get complex) - see Table 8.5

Application Gateway

• Filters packets on application data (e.g. user) – E.g. only certain users can telnet

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

– Telnet connections through gateway allowed (authentication at gateway)

– All other (direct) telnet connections blocked

Limitations of Firewalls and Gateways

• IP spoofing - fake “return address” to get through

• Client needs to know how to access application gateway (e.g. proxy server address configured in browser)

• Tradeoff: more communication vs. more risk• Even highly protected sites suffer attacks• ‘Arms race’ mentality (hacker vs. netadmins)

Attacks

• Mapping– Ping, port sniffing, etc.

• Packet Sniffing– Interfaces in “promiscuous mode” look at every

packet

• Spoofing– “From” IP does not match IP of device

• Denial of service & Hijacking (next slides)

Countermeasures

• Mapping– Record & analyze traffic, react to suspicious patterns (e.g.

update firewall rules)

• Packet Sniffing– Watch for hosts in promiscuous mode– Avoid broadcast media (e.g. use switch, not hub)

• Spoofing– Stop bogus packet at outgoing router (if not from that

network) but we can’t control everyone else’s router

• Denial of service & Hijacking (next slides)

Denial of Service Attacks

• SYN flooding– Starts the TCP handshake, but does not complete– Server allocates data structures for “partial

connections” until space runs out

• SMURF attack– Convince many innocent hosts to send ICMP

packets (traceroute) back to attacked host

• DDoS (Distributed Denial of Service)– Many hosts act as “slaves” for the attacker due to

prior compromise

Denial of Service Countermeasures

• Filter out flooded packets at firewall (loss of good packets, too)

• Traceback to source of floods– Probably an innocent machine that has been

compromised!

Hijacking Attack

• Bob is connected to Alice, Trudy listening in– Trudy gets seq num, ack num, etc from packets

• Trudy eliminates Alice’s host– DoS attack, e.g.

• Trudy continues the conversation– Spoof’s Alice’s host– All header info is correct– Data can be whatever Trudy wants!

Hijacking Countermeasures

• Application level– Authentication protocols– Encryption– Trusted intermediaries– Digital signatures

• Packet level– Encryption of broadcast media (e.g. wireless)– Protect physical media from tapping

Security Across Layers

• Application Layer– Secure e-mail

• Transport Layer– Secure sockets layer (SSL)– Transport Layer security (TLS)

• Network Layer– IPsec (IP security)

• Authentication Header Protocol (AH)• Encapsulation Security Payload Protocol (ESP)

• Data Link Layer– Wired Equivalence Privacy (WEP) on 802.11

What Security Provides (review)

• Confidentiality• Message integrity• Authentication

– Sender– Receiver

Secure Email: Confidentiality

• Encryption options– Private key (key exchange problem)– Public key (inefficient for long email)

• Best of both worlds– Alice chooses “random” session key– Alice encrypts message using session key– Alice encrypts session key using Bob’s public key

• Recipient authentication as well as confidentiality (why?)

Confidential Email

KS( ).

KB( ).+

+ -

KS(m

)

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m

)

KB(KS )+

Ks = session key, Kb+ and Kb- are Bob’s public and private keys

Secure Email: Message Integrity

• Use a hash function to compress the message: H(m)

• Encrypt the hash using Alice’s private key (KA- (H(m))– This is the signature

• Send m + (KA- (H(m)) together• Bob computes H(m), compares to KA+(Alice’s sig)

– If they’re equal, message is valid

• Also provides sender authentication (why?)

Pretty Good Privacy

• Provides all 4 aspects of security– Note 3 keys!

H( ). KA( ).-

+

KA(H(m))-

m

KA-

m

KS( ).

KB( ).+

+

KB(KS )+

KS

KB+

Internet

KS

Security for Internet Commerce

• Protect consumer from having credit card info stolen “in transit”

• Protect consumer from providing credit card (etc) information to “spoofed site”

Secure Sockets Layer

• Data Encryption and Authentication• Handshake

– Negotiate encryption algorithm and session keys– Authenticate server to the client

• Transaction– All data is encrypted using negotiated algorithm

and session keys

How It Works (Almost-SSL)

• Client & Server exchange TCP handshake– SYN, SYN+ACK, ACK

• Client establishes server’s identity– SSL hello, certificate

• “Master Secret” (to generate keys) exchanged– Client creates MS, sends K+(MS) – K+ is public key from certificate

How It Works (Almost SSL)

• From MS, we generate 4 keys– Eb = session encryption key for Bob->Alice– Mb = session MAC key for Bob->Alice– Ea, Ma from Alice->Bob

• Encryption keys encrypt data• MAC keys verify data integrity

– Record data + M key are hashed & encrypted with E key.

– Recipient decrypts and checks

Real SSL adds…

• Negotiate & agree on cryptographic algorithms

• Nonces sent during handshake– Used in creation of MS for E and M session keys

• MAC of handshakes sent both ways at end (to protect the handshake itself)

SSL Not Just for Web

• “Secure Sockets” can be used by other applications– ssh (secure telnet)– scp (secure file transfer)– IMAP (secure email)

• Application -> SSL -> TCP (& vice versa)

SSL Authentication

• Browser has list of trusted Certification Authorities & their public keys

• Browser obtains certificate with server’s public key (digitally signed by CA)

• Server also has access to client certificates from CA– Client authentication is optional

SSL Confidentiality

• All data is encrypted using info determined during handshake (authentication is included, too):– Browser sends its SSL version # and preferences– Server sends its SSL version #, preferences, and certificate

(contains public key, signed by CA)– Browser checks validity of certificate– Browser generates session key, encrypts with server’s

public key & sends– Browser sends encrypted “handshake done” message– Server sends encrypted “handshake done” message

IP Security (IPSec)

• Confidentiality – Message contents are encrypted– TCP / UDP headers are encrypted too

• This protects control and management messages as well as data

• Source Authentication– IP cannot be spoofed– Based on signature

IPSec Protocols

• Authentication Header Protocol (AH)– Source authentication – Data integrity

• Encapsulation Security Protocol (ESP)– Surce Authentication– Data Integrity– Confidentiality

• Both are based on Security Association– Logical connection established by handshake– Security protocol ID , source IP and Security Parameter

Index (SPI) = unique 32-bit connection ID

IEEE 802.11 (WiFi) Security

• “War Driving” - drive around a city, see what open networks are available– Generally find many unprotected networks

available from the street

• Securing 802.11– WEP (failed)– 802.11i (improved, ratified June 2004)

Wireless Equivalent Privacy

• Based on symmetric key (no key exchange protocol specified)– Request connection, receive nonce, encrypt nonce, if correct,

connection accepted

• Encryption based on symmetric key plus Initialization Vector (IV) and XOR

• Algorithm, RC4, changes IV (in a pattern) for every transmission, and transmits

• Problems– Not enough unique IV’s (only a few seconds’ worth)– IV transmitted in plaintext!– If Trudy knows content and sees encrypted files, keys can be

extracted.

IEEE 802.11i - Four phasesAP: access point AS:

Authentication server

wirednetwork

STA:client station

1 Discovery ofsecurity capabilities

3

STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”

2

3 STA derivesPairwise Master

Key (PMK)

AS derivessame PMK, sends to AP

4 STA, AP use PMK to derive Temporal Key (TK) used for message

encryption, integrity

Advantages of 802.11i

• Explicit key distribution protocol, using concept of “trusted host”, in this case the authentication server

• Multiple available forms of encryption, including AES based encryption and other stronger than WEP

• Separates authentication server from Access Point (centralizing important decisions)