Chapter 8
advertisement
INFO 331 Computer Networking Technology II Chapter 8 Security Dr. Jennifer Booker INFO 331 Chapter 8 1 www.ischool.drexel.edu Security in Networks • Any two nodes (hosts, routers, etc.) might need to exchange data securely – Secure email, transfer routing tables, military secrets, private data (SSN, Visa), DNS servers, etc. all need secure communication • Security has many aspects – End-point Authentication: If Bob and Carol are communicating, how do they know it’s really Bob and Carol? INFO 331 Chapter 8 2 www.ischool.drexel.edu Security in Networks – Confidentiality: How do we keep others from reading their exchange? Encrypted content. – Message integrity: How do we ensure a message isn’t changed en route? – Nonrepudiation: How can we prove a message was sent be a specific sender? – Operational security: How do we protect the network infrastructure from things like denial of service (DoS) attacks or hackers? INFO 331 Chapter 8 3 www.ischool.drexel.edu Basic Defense Strategy • In any kind of security approach, we need to consider three aspects in our strategy – Prevent: Protect the network to make it harder for an attack to take place – Detect: How do you know if you’ve been attacked? • Often very difficult in networking – Mitigate: As or after an attack happens, how do you minimize the damage it did? INFO 331 Chapter 8 4 www.ischool.drexel.edu Non-network Example • Consider the problem of a bomb on a plane – Prevent: might prevent the problem by 1) scanning luggage and passengers, 2) requiring security checks for airport employees, and 3) controlling access to planes on the ground – Detect: detect the problem by 1) a bomb going off, or 2) someone identifying they have a bomb – Mitigate: Reduce damage by 1) reducing altitude before the bomb goes off, 2) design the plane to avoid duplicate systems next to each other INFO 331 Chapter 8 5 www.ischool.drexel.edu Non-network Example • This illustrates some important principles – Security costs effort and money – Security is often inconvenient, even annoying • Security measures often directly reduce productivity – Security often affects systems beyond the immediately obvious ones – Design of the system is often affected by security risks, even if they are rare events INFO 331 Chapter 8 6 www.ischool.drexel.edu Security vs classification • In discussing security, the notion of classification (e.g. Confidential, Secret, Top Secret, etc.) can emerge • Systems to handle classified material are known as ‘trusted’ systems – look for that keyword – Often based on old standards such as the Rainbow Series’ Orange Book INFO 331 Chapter 8 7 www.ischool.drexel.edu Passive Intruder • Going back to Bob and Carol, what happens if someone is listening to their exchange? • A passive intruder could – Eavesdrop – listen to and record the secure exchange – Modify, insert, or delete messages that Bob and Carol were trying to exchange – Could lead to stealing data, impersonating another user, hijacking a session or causing DoS INFO 331 Chapter 8 8 www.ischool.drexel.edu Cryptography • Codes for communication go back millennia • There are tons of resources on the subject: – RSA, NIST Computer Security Resource Center – The CERT Coordination Center • A plain (or clear) text message (e.g. “Sell IBM stock now!”) is encrypted into cipher text (which is illegible) using an encryption algorithm, KA – The key is an input to the algorithm (= cipher) – (Plain text + key) via algorithm ciphertext INFO 331 Chapter 8 9 www.ischool.drexel.edu Cryptography • At the receiving end, the cipher text is turned back into plain text using a decryption algorithm, KB) INFO 331 Chapter 8 10 www.ischool.drexel.edu Keys • A key is a string of characters, numbers, and other ASCII symbols that feeds into the encryption and decryption algorithms • The longer the key (in bits), the harder it is to break – – – – DES uses a 56-bit key (obsolete) Triple DES uses 168-bit AES use up to 256-bit keys RSA and PGP use up to 4096-bit keys INFO 331 Chapter 8 11 www.ischool.drexel.edu Keys • There are two major encryption approaches – symmetric key and public key • Symmetric key means that KA = KB – The same key is used by both sender and receiver • Public key encryption requires a public key that anyone can know, plus different private keys for sender and receiver – Public key requires longer keys for equal security INFO 331 Chapter 8 12 www.ischool.drexel.edu Block vs Stream • Another is whether each character is coded individually (stream cipher), or a group of characters are coded together (block cipher) – Stream cipher examples include Caesar’s code, the WWII Enigma machine, and WEP (Wired Equivalent Privacy) – Block ciphers are very common (AES, RSA, etc.) • Block sizes are typically 64 or 128 bits INFO 331 Chapter 8 13 www.ischool.drexel.edu Cipher-Block Chaining (CBC) • Repeated phrases, like ‘HTTP/1.1’ produce the same string when encrypted, making it easier to guess their meaning – Send a 64-bit Initialization Vector (IV) first – Encrypt and send (first block of text XOR IV) – For each subsequent block, encrypt and send (previous block XOR current clear text) • This keeps duplicate blocks from appearing that way INFO 331 Chapter 8 14 www.ischool.drexel.edu Key Breaking Approaches • There are three ways to approach breaking an encrypted message – Cipher-text-only attack – you only have the ciphertext, and little or no clue what it contains – Known-plaintext attack – when some of the message contents are known, such as certain names, words or phrases that should appear – Chosen-plaintext attack – when you can feed text (‘The quick brown fox jumps over the lazy dog’) into the cipher, and see what it produces INFO 331 Chapter 8 15 www.ischool.drexel.edu Symmetric Key Crypto • The Caesar cipher was very simple • Just move the alphabet down some number of characters, ‘k’ – A G (for k = 6) – Then B H, C I, D J, etc. – Wrap around when you get to T Z, U A • If you know this is the type of cipher, there are only 25 different possible keys! INFO 331 Chapter 8 16 www.ischool.drexel.edu Symmetric Key Crypto • Improve on this with a monoalphabetic cipher • Each letter corresponds to some other letter, but they aren’t in order – A V, B L, C R, or whatever • This makes 26! (= 4.03E26 or 4.03x1026) key combinations in theory, but patterns of common words make it a lot easier to break than that would suggest INFO 331 Chapter 8 17 www.ischool.drexel.edu Symmetric Key Crypto • Improve on the Caesar cipher with a polyalphabetic cipher (encryption) • Use multiple ciphers in a fixed pattern throughout the message, such as two Caesar ciphers with different offsets (k values) – E.g. follow a pattern of “C1 C2 C2 C1 C2” where C1 uses k=5 and C2 uses k=19 – Hence need to know pattern and k values INFO 331 Chapter 8 18 www.ischool.drexel.edu DES • The Data Encryption Standard (DES) was invented in 1977, and updated in 1993 – It is symmetric, uses 64-bit blocks, and nominally a 64-bit key – Ok, only 56 bits of the key are usable – the rest is for parity checks 2^56 = 72E15 possible keys • How DES works is very messy – The 64 bits in a block are permuted, go through 16 cycles of math operations, and get permuted again at the end INFO 331 Chapter 8 19 www.ischool.drexel.edu DES • Each of the 48-bit keys (K1 to K16) are different parts of the overall 56-bit key INFO 331 Chapter 8 20 www.ischool.drexel.edu DES Code-Breaking Tests • In 1997 it took under four months to break a DES-encrypted message by brute force (keep trying keys until one works) – In February 1998 it took 41 days – In July 1998 it took 56 hours – In January 1999 it took 22.25 hours, though using nearly 100,000 PC’s INFO 331 Chapter 8 21 www.ischool.drexel.edu Triple-DES • Ok, so DES isn’t perfect • Triple-DES (3DES) runs DES three times with different keys – Makes for a 168-bit key! – Used for PPP encryption INFO 331 Chapter 8 22 www.ischool.drexel.edu AES • The Advanced Encryption Standard (AES) was proposed in 2001 to replace DES – Uses symmetric encryption with 128-bit blocks – Keys can be 128, 192, or 256 bits long • NIST claims if a computer could crack 56-bit DES in one second, it would take 149 trillion years to break 128-bit AES INFO 331 Chapter 8 23 www.ischool.drexel.edu AES • AES, 3DES, and Skipjack are all recognized Federal Information Processing Standards (FIPS) – Skipjack was used on the Clipper chip for hardware security; uses a 64-bit key from an 80-bit cryptovariable INFO 331 Chapter 8 24 www.ischool.drexel.edu Public Key Encryption • So all this symmetric key stuff is good, but how to you exchange the keys securely? • Easier if we can show part of our key publicly • First public key approach was the 1976 Diffie-Hellman Key Exchange algorithm – Sender and receiver have public keys – Each receiver also uses a private key to decrypt a message INFO 331 Chapter 8 25 www.ischool.drexel.edu Public Key Encryption Why does this provide confidentiality? INFO 331 Chapter 8 26 www.ischool.drexel.edu Public Key Encryption • Two main concerns with public key ciphers – An intruder can easily know a receiver’s public key, and the encryption method, so a chosen-plaintext attack is possible – Hence private keys, and verifying the sender of a message are critical – the digital signature • The best known public key algorithm is RSA – Named for Rivest, Shamir, and Adleman INFO 331 Chapter 8 27 www.ischool.drexel.edu RSA • RSA works like this – Pick two large prime numbers, p and q – Want pq> 1024 for corporate use, pq>768 for lesser security – Let n = pq, and z = (p-1)(q-1) – Choose e < n which has no factors in common with z – Find d such that (ed-1)/z is an integer – The public key is (n,e); the private key is (n,d) INFO 331 Chapter 8 28 www.ischool.drexel.edu RSA • To use this, take a plaintext message m • The ciphertext is c = (m^e)*mod (n) – This is the integer remainder when m^e is divided by n • The receiver gets c, and decodes the message using m = (c^d) mod n • So n and e are used for encryption; n and d are used for decryption INFO 331 Chapter 8 29 www.ischool.drexel.edu RSA • So the theory isn’t too weird, just tedious because of the large numbers involved • Finding large prime numbers is a critical element of many crypto schemes – RSA is no exception • Also important is how to choose d and e • Such issues are beyond our scope here INFO 331 Chapter 8 30 www.ischool.drexel.edu RSA vs DES • RSA is 100 times slower than DES in software, and 1000 to 10,000 times slower than DES in hardware – Hence RSA is often used with DES or AES • For example, a DES session key KS can be sent via public RSA key, and then the rest of the transmission can be done using DES (key concept!!) INFO 331 Chapter 8 31 www.ischool.drexel.edu Why does RSA work? • The trick is that p and q are prime, so – 1 = mod (p-1)(q-1) = mod z • And we chose ed so that (ed-1)/z has no remainder, hence ed mod (z) = 1 • Encryption followed by decryption of message m therefore gives – (m^e)^d = m^1 mod n = m (the original message) INFO 331 Chapter 8 32 www.ischool.drexel.edu RSA • RSA also works because there is no fast way (yet?) to factor a large number n into the primes p and q • If you could do that, the private key d could be determined from the public key e, and RSA would be sunk INFO 331 Chapter 8 33 www.ischool.drexel.edu Message Integrity • In our legal system, a competent adult can use their written signature to affirm a contract – Whether paying for lunch on a credit card, or signing a law into existence, the effect is similar • A digital signature does the same thing online • Need to verify that the signature came from the person claimed, and only that person – Need it verifiable, non-forgeable and not alterable – Use public key crypto to do this INFO 331 Chapter 8 34 www.ischool.drexel.edu Digital Signature • For Fred to sign a message, m, he applies his private key to encrypt the message – The result is the signed message • To recover the message, apply his public key • Yes, this is the reverse of the way to send an encrypted message – Which was use the public key to create cipher text, then use the private key to decode it INFO 331 Chapter 8 35 www.ischool.drexel.edu Digital Signature • Why does this work backward? – The application of public and private keys is just math operations – in this case, doing them in either order results in recovering the original message • Since only Fred knows his private key (we hope!), that proves the message was generated by him – Lesson: Don’t share a private key – EVER!!! INFO 331 Chapter 8 36 www.ischool.drexel.edu Message Digests • Digital signatures are very computationally expensive • Want a way for large volumes of data to verify the sender of a message, and make sure the data wasn’t changed • A message digest does this, while being cheaper than a full blown digital signature – A message digest is a cryptographic hash function, like checksums and CRC codes INFO 331 Chapter 8 37 www.ischool.drexel.edu Message Digests • To create a message digest – For a message, m, compute the hash function H(m) – Sign H(m) with your private key, KB-(H(m)) – Send the unaltered message, m, with the encoded hash function • The recipient applies the public key KB+( KB-( H(m) ) ) to recover the hash function that came with the message INFO 331 Chapter 8 38 www.ischool.drexel.edu Message Digests • The recipient evaluates the hash function with the message received – If the message’s hash function agrees with the hash function they calculate for the message, it proves the message wasn’t altered • A hash function creates a string of fixed size – Must be infeasible to get the same hash function for any two input messages H(m) = H(n) – Consider it like a really fancy checksum INFO 331 Chapter 8 39 www.ischool.drexel.edu Message Digests • To improve on this approach, create the hash of the message (m) AND a secret authentication key (s) – H(m+s) = a Message Authentication Code, MAC – [This MAC is unrelated to the link layer MAC address] • HMAC (noted later) is a popular standard Is a MAC encrypted? for generating MACs INFO 331 Chapter 8 40 www.ischool.drexel.edu Message Digests • So two mechanisms are used in the message digest – The application of private and public keys is used “to verify the sender of a message” – The hash function is used to “make sure the data wasn’t changed” • The MD5 algorithm (Ron Rivest) is widely used for creating 128-bit message digests – See RFC 1864, if really bored on a long flight INFO 331 Chapter 8 41 www.ischool.drexel.edu Message Digests • If MD5 isn’t good enough for you, try SHA1, which has a 160-bit message digest – Based on MD4 (which preceded MD5) – Stands for Secure Hash Algorithm, defined by FIPS 180-2 – SHA can handle message sizes up to 264 or 2128 bits (that’s 1.8E19 or 3.4E38 bits) • Still not secure enough? – SHA-2 has up to 680-bit message digests INFO 331 Chapter 8 42 www.ischool.drexel.edu Key Distribution & Certification • Both symmetric and public key crypto desperately need to control access to keys • They require a trusted intermediary – For symmetric key crypto, that role is the Key Distribution Center (KDC) • MIT’s Kerberos is a classic example – For public key crypto, that role is the Certification Authority (CA) INFO 331 Chapter 8 43 www.ischool.drexel.edu Key Distribution Center (KDC) • Two people (Alice, Bob) on a public network can use symmetric key crypto via a KDC • Each user has a personal secret key registered with the KDC • Here call them KA-KDC and KB-KDC – Alice uses her secret key to tell the KDC she wants to talk to Bob – The KDC sends her a one-time session key, R1, and that key coded using Bob’s secret key (!) INFO 331 Chapter 8 44 www.ischool.drexel.edu Key Distribution Center (KDC) – Alice now knows the one-time session key, and sends the encrypted key to Bob – Bob decodes it, and now also knows the one-time session key – Now Alice and Bob can communicate securely using R1 • Sneaky, huh? • The critical (and risky) part is that the KDC knows everyone’s secret key INFO 331 Chapter 8 45 www.ischool.drexel.edu Key Distribution Center (KDC) KDC generates R1 KA-KDC(A,B) Alice knows R1 KA-KDC(R1, KB-KDC(A,R1) ) KB-KDC(A,R1) Bob knows to use R1 to communicate with Alice Alice and Bob communicate: using R1 as session key for shared symmetric encryption INFO 331 Chapter 8 46 www.ischool.drexel.edu Public Key Certification • Public keys can be made available many places – Email signature lines, web pages, or put in a public key server • But if I tell you XYZ123 is my public key, how do you know it’s really mine, and not someone else’s? – That’s the role of public key certification – to verify the identity of a public key INFO 331 Chapter 8 47 www.ischool.drexel.edu Certification Authority (CA) • A Certification Authority (CA) binds a public key to a particular person (entity) • The CA’s rules are simple – A CA must use some means to verify a person’s identity (the rules vary!) – The CA creates a digitally signed certificate which binds the person to the public key • The CA must have a public key which is well known (so they can’t be spoofed) INFO 331 Chapter 8 48 www.ischool.drexel.edu Certification Authority (CA) • Example of using a CA – If you order a pizza from Drexel Pizza over email – They could see your public key at, say, the bottom of your email message – They use the public key of the CA to verify that really is YOUR public key – Once your public key is verified, the order can be placed INFO 331 Chapter 8 49 www.ischool.drexel.edu Certification Authority (CA) • The ITU and IETF both have standards for certificate authorities – ITU X.509 and RFC 6170, respectively – Verisign is among the better known CAs INFO 331 Chapter 8 50 www.ischool.drexel.edu Authentication • Authentication is proving your identity – Over a network, no one can tell if you’re you! • Assume we’re dealing with live communication – A later issue is whether a message in the past was really sent – the digital signature problem • Here, authentication is done via messages (duh!) from an authentication protocol INFO 331 Chapter 8 51 www.ischool.drexel.edu Authentication • The authentication protocol has to confirm the identities before communication occurs • We’ll look at increasingly complex versions of an authentication protocol, “ap”, much like we did for TCP last term – Don’t worry, no finite state diagrams this time INFO 331 Chapter 8 52 www.ischool.drexel.edu Ap1.0 • The simplest way to authenticate is simply to self-identify – ‘I am Fred Smith’ • The obvious trouble is that there’s no assurance this is a true statement • For that matter, you don’t know if it’s really the correct Fred Smith you meant to talk to INFO 331 Chapter 8 53 www.ischool.drexel.edu Ap2.0 • If the sender is using a known fixed IP address, we could authenticate by checking the datagram for that source IP address – Yes, this datagram is coming from 23.65.133.2 – But this leads to the IP spoofing problem – changing a datagram to show a different source IP than is true • Good first hop routers will only send out datagrams with correct source IPs (RFC 3704) – But this isn’t enforced INFO 331 Chapter 8 54 www.ischool.drexel.edu Ap3.0 • Ok, how about using a password to authenticate the user? – If the sender sends a password, it could be intercepted, and later used to fraudulently authenticate a spy – Many passwords (HTTP, Telnet, FTP) are sent in plain text, or are trivially encoded • Sniffing packets on a server is an easy way to steal passwords INFO 331 Chapter 8 55 www.ischool.drexel.edu Ap3.1 • Um, so encrypt the password! – (Assuming a symmetric cipher is used) • Nope, no good – A sniffer could record the cipher text of the password, and replay it to log in (a playback attack) – Even though the sniffer doesn’t learn what the password is, they can still impersonate the sender INFO 331 Chapter 8 56 www.ischool.drexel.edu Ap4.0 • Well, the problem was reusing the same password over and over – what if it’s unique? • What if we have a sequence or set of passwords, and use each one only once? • Use a nonce – a number used by the protocol only once EVER, like this – Sender sends message to receiver – Receiver chooses a nonce, R, and replies INFO 331 Chapter 8 57 www.ischool.drexel.edu Ap4.0 – Sender encrypts the nonce with a symmetric key, KA-B(R) and sends it back – Receiver decrypts it – If the received message matches the nonce sent, it’s accepted • This works (yay!), but depends on having a symmetric key on both sides – See if we can improve on it… INFO 331 Chapter 8 58 www.ischool.drexel.edu Ap4.0 Sender Receiver “I am Alice” R KA-B(R) INFO 331 Chapter 8 Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! 59 www.ischool.drexel.edu Ap5.0 • Can we achieve the good outcome of ap4.0 using public key encryption? • Try this: – Sender sends message to receiver – Receiver chooses a nonce, R, and replies – Sender uses private key to encrypt the nonce, and sends it back to receiver – Receiver uses sender’s public key to compute R and authenticates the sender INFO 331 Chapter 8 60 www.ischool.drexel.edu Ap5.0 • So what’s wrong? Try this scenario – Thief sends message impersonating sender to receiver – Receiver chooses nonce, R, and replies with it – Thief intercepts message, uses her private key to encode the message, and sends it to receiver – Receiver asks sender for public key, but it’s intercepted by the Thief, who sends their public key – Thief is authenticated as the sender! INFO 331 Chapter 8 61 www.ischool.drexel.edu Ap5.0 • The goodness of ap5.0 is limited by the availability of public keys • Similarly, a man-in-the-middle or bucket brigade attack puts the Thief in the middle of the real conversation, unknown to either side – Worse, neither sender nor receiver will know their content was seen by the Thief in the middle INFO 331 Chapter 8 62 www.ischool.drexel.edu Man-in-the-middle Attack I am Alice R K (R) A I am Alice R K (R) T Send me your public key + K T Send me your public key + K A - + m = K (K (m)) A A + K (m) A Trudy gets - + m = K (K (m)) T Alice sends T m to + K (m) T encrypted with Alice’s public key INFO 331 Chapter 8 63 www.ischool.drexel.edu Firewalls • Like the gateway on a castle, firewalls are designed to control entry into a network, and access out of it • The amount of control a firewall can have is immense INFO 331 Chapter 8 64 www.ischool.drexel.edu Firewalls • The goals of a firewall are generally – All traffic into and out of the organization must pass through a firewall – Only authorized traffic will be allowed to pass – The firewall itself is immune to attack • Firewalls are inherently paranoid – The default setting is to allow nothing in or out! INFO 331 Chapter 8 65 www.ischool.drexel.edu Firewalls • Firewalls fall in three categories – Packet filters (network level) – Stateful filters – Application gateways • First look at packet filtering – Most organizations have a firewall at the boundary to the public Internet (plus possibly others internally) INFO 331 Chapter 8 66 www.ischool.drexel.edu Firewalls • Packet filters can look at each packet’s – Source and/or destination IP addresses – Type of protocol (transport or application) – Source and/or destination port number – TCP flag bits – SYN, ACK, etc. – ICMP message type • Rules can vary for inbound vs outbound traffic, or for different router interfaces INFO 331 Chapter 8 67 www.ischool.drexel.edu Firewalls • Any of these can be a basis for filtering rules – For example, block all outgoing Telnet or FTP or HTTP traffic – Block UDP traffic to stop (some) streaming media – Or exclude specific IP addresses from these rules INFO 331 Chapter 8 68 www.ischool.drexel.edu Firewalls • A sneaky trick is to block incoming TCP traffic with the ACK bit set to 0 – This kills TCP connections originating from the outside • Another key issue is to be aware of the sequence in which packet filtering rules are applied – The first rule that applies to a packet determines its fate – not all the rules! INFO 331 Chapter 8 69 www.ischool.drexel.edu Firewalls • Even a simple firewall (Cisco PIX 501, about $400) can control (see handout) – – – – – – – Which interfaces are active, and at what speeds IP addresses allowed to take data in IP addresses allowed to send data out Which protocols are allowed to operate Which ports are allowed for each protocol Use of authentication servers (e.g. RADIUS) If the firewall acts as an HTTP or DHCP server INFO 331 Chapter 8 70 www.ischool.drexel.edu Firewalls – Use of a virtual private network (VPN), and what types of encryption are used (DES, 3DES, AES) – IP addresses of the interfaces – Where NAT is running inside the network – SNMP server information • Licensing issues include how many interfaces are active (2+), how many hosts can be connected (10, 50, or unlimited), allowable throughput, and whether VPN is available INFO 331 Chapter 8 71 www.ischool.drexel.edu Stateful Packet Filters • Stateful filters track each TCP connection, and decide in the context of that connection how to apply filtering rules – Do so by creating a connection table with each connection’s source and destination IP and port number – An access control list can define the rules for allowable IP, port, transport protocol, flags, etc. INFO 331 Chapter 8 72 www.ischool.drexel.edu Application Gateway • The other category of firewall is an application gateway – It’s a server which filters application data – Packet filters can’t filter by user, but an app gateway can • Can combine with packet filtering – Have packet filter only allow Telnet from the app gateway, then have app gateway control which users can use Telnet INFO 331 Chapter 8 73 www.ischool.drexel.edu Application Gateway • Can have separate app gateway servers for each app (HTTP, FTP, email, etc.) – Web cache & email servers are also gateways • Using an app gateway costs in lower app performance, plus the time needed for its configuration and maintenance • Firewalls can be breached by wireless devices, or even dialup connections INFO 331 Chapter 8 74 www.ischool.drexel.edu Intrusion Detection Systems • An IDS does deep packet inspection, looking at packet message contents instead of just headers – An IDS can be signature-based, where it keeps a database of attack signatures for various forms of attack – Or an anomaly-based IDS looks for statistically unusual packet patterns INFO 331 Chapter 8 75 www.ischool.drexel.edu Intrusion Detection Systems • The network between a packet filter and an IDS can be called the DMZ (demilitarized zone) – Public web servers are typically inside the DMZ • Snort is an open source IDS INFO 331 Chapter 8 76 www.ischool.drexel.edu Network Attacks • Many kinds of attacks on computer networks are possible – Can attack common operating systems – Can attack applications – Can attack the network itself • We’ll focus on the latter – Disclaimer: Naturally this isn’t intended to be a user’s guide to hacking, but is intended to help you be proactive to protect your network INFO 331 Chapter 8 77 www.ischool.drexel.edu Need 411 • Many attacks are preceded by gathering information – Same idea as ‘casing’ a future crime scene, scouting, reconnaissance, etc. – Here we call it mapping • Mapping is often to determine the IP addresses of hosts on the network, the type of OS’ used, and types of services offered INFO 331 Chapter 8 78 www.ischool.drexel.edu Mapping • Ping can be used to find IP addresses • Port scanning is done by trying to send TCP connection requests or UDP packets to every possible port number, and see which ones are active – Nmap is a free, open source, network mapping utility which uses WinPcap – Many firewalls look for port scanners, and report their presence to a network manager INFO 331 Chapter 8 79 www.ischool.drexel.edu Packet Sniffing • A packet sniffer receives all packets coming into or leaving a host – Promiscuous mode allows it to receive all passing frames – Unencrypted user names and passwords can be found this way INFO 331 Chapter 8 No, packet sniffing! 80 www.ischool.drexel.edu Packet Sniffing • To detect Packet Sniffing, need to detect network interfaces (NICs) that are in promiscuous mode • One way is to send ICMP Echo Request messages to all hosts, with a correct IP address, but wrong MAC address – Hosts that Reply are likely to be in promiscuous mode • Encrypt data when sniffing may be present INFO 331 Chapter 8 81 www.ischool.drexel.edu Spoofing • IP Spoofing is deliberately changing the IP address a datagram claims to be from • This is used to hide the true source of an attack, such as denial-of-service • Spoofing is preventable with ingress filtering – Have a router check to see if the packet came from the correct interface to have come from the claimed source IP address – Still, not very powerful if router has few interfaces INFO 331 Chapter 8 82 www.ischool.drexel.edu Denial-of-Service (DoS) • A herd of attacks fall under Denial-of-Service (DoS) or distributed DoS (DDoS) types • Main purpose is to prevent real users from getting to a network or web site • A SYN flooding attack sends many TCP SYN packets with spoofed IP addresses to a server – The server completes the second step of the handshake, and allocates resources for the connection INFO 331 Chapter 8 83 www.ischool.drexel.edu Denial-of-Service (DoS) – The server runs out of resources, and crashes • A variation of this is to send incomplete TCP fragments to a server, who will dutifully keep them in the hope of completing the segment – The final packet never arrives, but the server keeps the fragments until it runs out of storage • A smurf attack gets a lot of innocent hosts to respond to ICMP Echo Request messages – They all reply to a server whose IP was spoofed INFO 331 Chapter 8 84 www.ischool.drexel.edu Distributed DoS • Sneakier yet is the distributed DoS attack – A master attacker gains access to many unsuspecting hosts (e.g. via password sniffing) – The master installs a DoS application on each slave host – When a signal is sent, all of the slaves start a DoS attack against the same server • Since many hosts are involved in the attack, it’s very difficult to defend against this INFO 331 Chapter 8 85 www.ischool.drexel.edu Hijacking • Hijacking a connection means you take over one side of it, without the other side being aware of the subterfuge – An attacker monitors a connection to find out ACK and sequence numbers, IP addresses, etc. – They DoS attack one sender to keep them from responding, and start communicating with the other sender in place of the original host • The other sender may not be able to tell someone else is present! INFO 331 Chapter 8 86 www.ischool.drexel.edu Case Studies • All of the top four layers of protocols (App, Transport, Network, Link) can provide security to varying degrees – All layers above the secure one benefit from its security – Higher layer security needed for user-level protection; lower layers harder to implement • We’ll look at case studies in each layer – E-mail, SSL, IPsec, and 802.11 INFO 331 Chapter 8 87 www.ischool.drexel.edu Case Study: Secure E-mail • What features might we want from secure email? – Confidentiality – only sender and receiver can see the contents – Sender authentication – verify sender’s identity – Message integrity – to know it wasn’t changed – Receiver authentication • So how can we provide these features? INFO 331 Chapter 8 88 www.ischool.drexel.edu Case Study: Secure E-mail • Confidentiality could be done with symmetric key encryption (DES or AES), but distribution of a symmetric key is hard • Could use public key encryption – Makes the key exchange easier – Bad for long messages, though – Could use the symmetric-public trick from earlier – send the symmetric key using public key encryption, then converse using symmetric key INFO 331 Chapter 8 89 www.ischool.drexel.edu Case Study: Secure E-mail • Now ignore confidentiality for a moment, and consider sender authentication and message integrity – Sender applies a hash function (MD5) to a message, and signs it with their private key – Receiver applies sender’s public key, and compares the received hash value with that generated locally – This accomplishes both desired functions INFO 331 Chapter 8 90 www.ischool.drexel.edu Case Study: Secure E-mail • Now combine the two approaches – Sender generates a hash of their message and applies their private key to the hash – The hash + message then has their symmetric key applied – Receiver gets the message, undoes the symmetric encryption, applies the sender’s public key to recover the sent hash, and compares to the locally generated hash • Easy, huh? INFO 331 Chapter 8 91 www.ischool.drexel.edu Case Study: Secure E-mail • So to provide secure email we’re using three technologies – Hash functions & digital signatures – Symmetric key crypto – Public key crypto • Does it work? Yup! – And it has since 1991 INFO 331 Chapter 8 92 www.ischool.drexel.edu Pretty Good Privacy (PGP) • PGP was created in 1991 by Phil Zimmermann – Free versions are available, or you can buy fancier versions – It uses the approach outlined on slide 81 • Messages can be digitally signed, encrypted, or both – And it can throw in data compression, too INFO 331 Chapter 8 93 www.ischool.drexel.edu Pretty Good Privacy (PGP) • How does it do it? – The message digest is created with MD5 or SHA – Symmetric key crypto is done using CAST, 3DES, or IDEA – Public key crypto is done with RSA • PGP creates a public key for each user, and protects their private key with a password • Public keys can be kept on a server, your web site, or attached to messages INFO 331 Chapter 8 94 www.ischool.drexel.edu Pretty Good Privacy (PGP) • Key certification is done partially by mutual assurance – A user can certify a user/key combination – Some have mutual key signing parties (yippee) • But most people advertise their public keys via email or personal web sites INFO 331 Chapter 8 95 www.ischool.drexel.edu Secure Sockets Layer (SSL) • Secure Sockets Layer provide security at the transport layer (TCP) • Secure business transactions (stock trades, finance, etc.) are a key motivation – Otherwise sensitive info could be stolen, or a false storefront could trick real customers • SSL was created by Netscape to provide encryption and authentication between a web browser and a web server INFO 331 Chapter 8 96 www.ischool.drexel.edu Secure Sockets Layer (SSL) • SSL starts with a handshake phase to negotiate which crypto algorithm will be used (DES, IDEA, etc.), and authenticates the server to the client – During the session, all data is encrypted using keys negotiated during handshake • SSL 3.0 is the basis for the Transport Layer Security (TLS) protocol, RFC 5246 INFO 331 Chapter 8 97 www.ischool.drexel.edu Secure Sockets Layer (SSL) • SSL sits between the transport and application layers, and can be used for many kinds of apps (email, etc.) • From the sending side, SSL – Takes app data, encrypts it, and sends it to a TCP socket • From the receiving side, SSL – Reads from a socket (port), decrypts it, and sends it to the application at that end INFO 331 Chapter 8 98 www.ischool.drexel.edu Secure Sockets Layer (SSL) • SSL provides: – SSL server authentication – is this really the server I think it is? Done via Certificate Authorities (CA) and public keys – SSL client authentication – likewise prove the client is who they say they are – Encrypted SSL sessions – in which all data between client and server is encrypted INFO 331 Chapter 8 99 www.ischool.drexel.edu Secure Sockets Layer (SSL) • A web page on an SSL-enabled server is addressed by https instead of http • The web browser has a list of CAs and their public keys • We’re going to use the public key – to exchange symmetric keys trick again • So how does the handshake work? – Ok, this is a Reader’s Digest version of it… INFO 331 Chapter 8 100 www.ischool.drexel.edu SSL Handshake • Browser sends server their SSL version and symmetric crypto preferences • Server sends browser their version, preferences, & certificate with RSA public key • Browser checks certificate against list – If it’s not on the list, user is warned – If it is on the list, the CA’s public key is used to validate the certificate and get their public key INFO 331 Chapter 8 101 www.ischool.drexel.edu SSL Handshake • Browser generates a symmetric session key, encrypts it with server’s public key, and sends to server • Browser warns server all future messages will use the symmetric session key • Server tells browser the same thing • Handshake is done, and session begins INFO 331 Chapter 8 102 www.ischool.drexel.edu SSL Limitations • SSL is widely used for credit card purchases, but it wasn’t designed for that purpose • One could obtain a CA for a business that has nothing to sell, and no certificate authority could block it from getting a certificate – A certificate just proves you really are XYZ Corporation, not whether XYZ Corp is reputable or trustworthy! INFO 331 Chapter 8 103 www.ischool.drexel.edu IPsec • The IP security protocol, IPsec, is a suite of protocols at the network layer – It’s described in over a dozen RFCs, mainly RFC 4301 – Often used for Virtual Private Networks (VPNs) • We want network-layer confidentiality – All datagrams have encrypted data – Any encryption method could be used INFO 331 Chapter 8 104 www.ischool.drexel.edu IPsec – Data could include TCP or UDP segments, ICMP messages, etc. – If everyone provided network-layer confidentiality, anyone tapping the network would see only gibberish • We also might want source authentication – This would verify the source of a datagram really sent it, thereby defeating spoofing IP addresses INFO 331 Chapter 8 105 www.ischool.drexel.edu IPsec • IPsec offers two levels of service (RFC 7321) – Authentication Header (AH) protocol • The AH protocol provides source authentication and data integrity, but no confidentiality – Encapsulated Security Payload (ESP) protocol • The ESP protocol provides all three (source authentication, data integrity, confidentiality) • Hence ESP is more processing-intensive INFO 331 Chapter 8 106 www.ischool.drexel.edu Security Association (SA) • Both AH and ESP first establish a logical channel using a Security Association (SA) • Recall a normal IP connection has no state information • An SA defines a logical connection between hosts – SA is simplex (one-way) – For traffic to flow both directions, make two SAs INFO 331 Chapter 8 107 www.ischool.drexel.edu Security Association (SA) • An SA is defined by – Security protocol identifier (AH or ESP) – Source IP address – 32-bit connection identifier, the Security Parameter Index (SPI) • A given SA connection will use the same SPI value in all of its datagrams – Store SA info in Security Association Database (SAD) in the OS kernel INFO 331 Chapter 8 108 www.ischool.drexel.edu Authentication Header (AH) IP header AH header data (e.g., TCP, UDP segment) • Once an SA is established, a host can send secure datagrams to the other host • To use AH, a special header is inserted between the normal IP header and the TCP or UDP segment – The IP header has protocol field #51 • Routers handling AH traffic only see that protocol field – the rest is ignored by them INFO 331 Chapter 8 109 www.ischool.drexel.edu Authentication Header (AH) • The AH header has these key fields: – Next Header, which is the IP protocol field – SPI value for this connection – Sequence number – unlike the TCP sequence number, this is 0 to start and is tracked separately from the TCP field – Authentication Data field, which contains a message digest (digital signature) for this datagram INFO 331 Chapter 8 110 www.ischool.drexel.edu Authentication Header (AH) • The message digest is calculated for the IP header and the TCP/UDP segment, ensuring host authentication – It’s computed using the usual algorithms MD5, SHA, etc. – These algorithms are a.k.a. Hashed Message Authentication Codes (HMAC, RFC 2404) • When the receiving host gets a datagram with an AH header, it determines the SA and processes the authentication field INFO 331 Chapter 8 111 www.ischool.drexel.edu AH and ESP • After authentication, AH uses the TCP or UDP segment as is (no encryption was used) • ESP also starts with an SA connection • ESP surrounds the original IP datagram with both headers and trailers authenticated encrypted IP header ESP ESP TCP/UDP segment header trailer INFO 331 Chapter 8 ESP authent. 112 www.ischool.drexel.edu ESP • For ESP, IP protocol field 50 is used • The original segment and ESP trailer are encrypted using DES-CBC (RFC 2405) • The ESP header has – 32-bit SPI field – 32-bit sequence number – Same roles as in AH INFO 331 Chapter 8 113 www.ischool.drexel.edu ESP • The ESP trailer has – Next Header – Authentication Data field – Again, same roles as in AH • The optional ESP Authentication field is – “… a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. ” INFO 331 Chapter 8 114 www.ischool.drexel.edu SAD and SPD • When a router receives an unsecured datagram, how does it know it’s okay to encrypt it? And if so, according to which SA? – The Security Policy Database (SPD) knows what types of datagrams are to receive IPsec, and which SA is appropriate for each INFO 331 Chapter 8 115 www.ischool.drexel.edu Key Mgmt: IKE and ISAKMP • In order for IPsec to be widely used, key management has to be automated and reliable – Internet Key Exchange (IKE) does this for IPsec – RFC 7296 • Somewhat related, the Internet Security Association and Key Management Protocol (ISAKMP) defines how SA’s are established and torn down (RFC 4945) INFO 331 Chapter 8 116 www.ischool.drexel.edu Security in 802.11 • Since wireless access points are omnidirectional, security is a big concern (or should be!) • Only one of these was my network! INFO 331 Chapter 8 117 www.ischool.drexel.edu WEP • The basic level of 802.11 security for authentication and encryption is Wired Equivalent Privacy (WEP) • WEP uses a symmetric shared key • WEP doesn’t specify how the key is shared INFO 331 Chapter 8 118 www.ischool.drexel.edu WEP Authentication • WEP authenticates a host like this: – Host requests authentication by an AP – AP responds with a 128-bit nonce value – Host encrypts the nonce with its symmetric key – AP decrypts the host-encrypted nonce • If it matches the value sent by the AP, the host is authenticated INFO 331 Chapter 8 119 www.ischool.drexel.edu WEP Encryption • WEP encrypts data using a 40-bit secret symmetric key – Each frame also gets a different 24-bit Initialization Vector (IV), for a total of 64 bits • Encryption works like this: – Find a 4-byte CRC value for the data – Use RC4 to encrypt the (data plus CRC code) – The IV value for this frame is in plain text in the 802.11 frame header INFO 331 Chapter 8 120 www.ischool.drexel.edu WEP Encryption • Receiver of the data: – Takes the IV value, appends it to the known 40-bit secret symmetric key, and decrypts the frame – Then the CRC check can verify data integrity • RC4 is deliberately a weak code, so that it can pass US export regulations • For RC4 to work reliably, it can never use the same 64-bit key INFO 331 Chapter 8 121 www.ischool.drexel.edu WEP Encryption • But 40 bits of the key are rarely changing (if ever), so each key is only unique for 2^24 IV values • If IV is chosen randomly, a duplicate key is 99% likely after only 12,000 frames – If a duplicate keyed message is intercepted, a spoofed IP listener can decrypt the entire message, and determine what the secret key was • WEP has many documented weaknesses INFO 331 Chapter 8 122 www.ischool.drexel.edu 802.11i • 802.11i was approved in 2004 to improve wireless security – Wi-Fi Protected Access (WPA) is a subset of it • 802.11i provides a set of security options called Robust Security Network Association (RSNA) security • It also manages keys, and has an authentication server separate from the access point INFO 331 Chapter 8 123 www.ischool.drexel.edu 802.11i Phases of Operation STA: client station AP: access point AS: Authentication server wired network 1 Discovery of security capabilities 2 STA and AS mutually authenticate, together generate Master Key (MK). AP servers as “pass through” 3 STA derives Pairwise Master Key (PMK) 3 AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity INFO 331 Chapter 8 124 www.ischool.drexel.edu 802.11i • 802.11i, and advanced encryption such as AES • It uses the Extensible Authentication Protocol (EAP, RFC 3748) – It can use RADIUS (and soon, DIAMETER) authentication between AP and authentication server – Between wireless host and AP it can use EAP over LAN (EAPoL, IEEE 802.1X) INFO 331 Chapter 8 125 www.ischool.drexel.edu Summary • So we’ve looked at the basics of: – – – – – Secure communication principles Encryption (cryptography), such as DES and RSA Authentication Digital signatures and message digests Key distribution methods • And examples of how these technologies are used within each network layer: email, SSL, IPsec, and 802.11 INFO 331 Chapter 8 126 www.ischool.drexel.edu
