Post on 02-Jun-2020
transcript
Chair of Network Architectures and ServicesDepartment of InformaticsTechnical University of Munich
Network Security (NetSec)
IN2101 – WS 19/20
Prof. Dr.-Ing. Georg Carle
Dr. Holger KinkelinJonas Jelten
Richard von SeckJohannes Schleger
Chair of Network Architectures and ServicesDepartment of Informatics
Technical University of Munich
Chapter 1: Introduction
Network InSecurity
Do not Trust a Network Connection
Do not Trust the Network
Attacker Models
Capabilities of Attackers
Attacker Model
The Attacker’s Position in the Network determines her Capabilities
Security Goals
Security Goals Technically Defined
Threats
Threats Technically Defined
Literature
Chapter 1: Introduction 1-1
Chapter 1: Introduction
Network InSecurity
Do not Trust a Network Connection
Do not Trust the Network
Attacker Models
Security Goals
Threats
Literature
Chapter 1: Introduction 1-2
Do not Trust a Network Connection
• Example: An Ethernet cable
• How secure is it?
Alice Bob
Chapter 1: Introduction — Network InSecurity 1-3
Do not Trust a Network Connection
• Step 1: Obtain a knife
• Step 2: Add RJ45 adapters
Alice Bob
Chapter 1: Introduction — Network InSecurity 1-4
Do not Trust a Network Connection
• Step 3: Get yourself a computer with two network interfaces
• Step 4: Configure transparent Ethernet bridging
• You are now in full control of the traffic• read• modify
• Technical term for this attacker: Man in the Middle (MitM)
• Note: Cryptography can mitigate this situation, which is why we later focus on crypto and secure chan-nels!
Alice BobChapter 1: Introduction — Network InSecurity 1-5
Do not Trust the Network
Alice the Internet Bob
• Note: of cause, not only secret services are "the bad guys" in the Internet
• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieveeven worse goals
• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...
• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logicallyplace the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!
• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Chapter 1: Introduction — Network InSecurity 1-6
Do not Trust the Network
Alice NSA, GCHQ, ... Bob
• Note: of cause, not only secret services are "the bad guys" in the Internet
• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieveeven worse goals
• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...
• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logicallyplace the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!
• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Chapter 1: Introduction — Network InSecurity 1-6
Do not Trust the Network
Alice NSA, GCHQ, bad ISP/AS, criminals, ... Bob
• Note: of cause, not only secret services are "the bad guys" in the Internet• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieve
even worse goals
• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...
• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logicallyplace the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!
• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Chapter 1: Introduction — Network InSecurity 1-6
Do not Trust the Network
Alice NSA, GCHQ, bad ISP/AS, criminals, employer, ... Bob
• Note: of cause, not only secret services are "the bad guys" in the Internet• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieve
even worse goals
• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logically
place the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!
• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Chapter 1: Introduction — Network InSecurity 1-6
Do not Trust the Network
Alice NSA, GCHQ, bad ISP/AS, criminals, employer, ... Bob
• Note: of cause, not only secret services are "the bad guys" in the Internet• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieve
even worse goals
• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logically
place the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!
• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Chapter 1: Introduction — Network InSecurity 1-6
Chapter 1: Introduction
Network InSecurity
Attacker Models
Capabilities of Attackers
Attacker Model
The Attacker’s Position in the Network determines her Capabilities
Security Goals
Threats
Literature
Chapter 1: Introduction 1-7
Capabilities of Attackers
What could an attacker possibly do?
• Attacking communication on the message level
• Passive attacks• Eavesdropping of messages
• Traffic Analysis
• Active attacks• All passive attacks
• Delay
• Replay
• Deletion
• Modification
• Insertion
Chapter 1: Introduction — Attacker Models 1-8
Attacker Model
• Attacker model = definition what an attacker can do and cannot do
• The attacker is the network
• And can perform any active attack
• But cannot break cryptographic primitives (encryption, signing, hashing, etc.)
• Attacker has no control over end systems
• This is called the Dolev-Yao attacker model
Alice Bob• Important: If not stated otherwise, we will always assume this attacker model in the lectures, the exer-
cises, and also the exam.Chapter 1: Introduction — Attacker Models 1-9
The Attacker’s Position in the Network determines her Capabilities
End system(Initiator)
End system(Responder)
Network
?? ??
• Attackers typically do not control the entire Internet.
• Their position in the network is crucial and defines what the attacker can do /which messages can be seen
Chapter 1: Introduction — Attacker Models 1-10
The Attacker’s Position in the Network determines her Capabilities
End system(Initiator)
End system(Responder)
Network
?? ??
• Assume the attacker is close to your end system (initiator/client)
• Example: You sit in a cyber cafe and accidentally connected to the attacker’s hot spot• The attacker can perform any active attacks on you
• But you can defend against this attacker: Establish a secure tunnel to a server in the Internet
• Route all your packets over the secure tunnel
• The attacker can now perform only DOS (Denial Of Service) attacks against you, collect meta data, etc.
Chapter 1: Introduction — Attacker Models 1-11
The Attacker’s Position in the Network determines her Capabilities
End system(Initiator)
End system(Responder)
Network
?? ??
• Assume the attacker is somewhere in the Internet
• Internet: Best effort packet switching
• End-user has no control on how packets are routed
• Are all AS/ISP trustworthy?
• Does you ISP alter your packets?• “Value added service 1”: your ISP places advertisement on the websites you are visiting (seen in aircraft WiFi
networks)• “Value added service 2” your ISP reduces quality of images to save bandwidth (seen in mobile networks)• “Value added service 3” your ISP redirects requests to non-existent or mis-typed websites to their own portal
which has advertisements
• NSA/GCHQ/ ... black boxes can be basically everywhereChapter 1: Introduction — Attacker Models 1-12
The Attacker’s Position in the Network determines her Capabilities
End system(Initiator)
End system(Responder)
Network
?? ??
• Assume the attacker is close to your end system (responder/server)
• Example: She rented a VM on the same host machine where your virtual server is running• The attacker could try to perform timing attacks against your server
• Work by measuring how long certain operations (operation successfully completed, operation failed) take at yourserver
• Result: the attacker might be able to break a security service, deduce a secret key, etc.
• Only works if the service is vulnerable to side channel attacks; we will come back to these attacks in a couple ofweeks
• Such measurements are usually not possible/difficult over the Internet, as latencies/delays make it difficult to getgood measurements
Chapter 1: Introduction — Attacker Models 1-13
Chapter 1: Introduction
Network InSecurity
Attacker Models
Security Goals
Security Goals Technically Defined
Threats
Literature
Chapter 1: Introduction 1-14
Security Goals Technically Defined
• Data Integrity• German: “Datenintegrität”
• No improper or unauthorized change of data
• Confidentiality• German: “Vertraulichkeit”
• Concealment of information
• Availability• German: “Verfügbarkeit”
• Services should be available and function correctly
• Authenticity• German: “Echtheit”
• An entity is who it claims to be
• Accountability• German: “Zurechenbarkeit”
• Identify the entity responsible for any communication event
• Controlled Access• German: “Zugriffskontrolle”
• Only authorized entities can access certain services or information
Chapter 1: Introduction — Security Goals 1-15
Quiz
• What is needed to support non-repudiation? („Nicht-Abstreitbarkeit“)• I.e. you cannot claim not to have done something, like changed a file or sent an email
• Accountability
Chapter 1: Introduction — Security Goals 1-16
Quiz
• What is needed to support non-repudiation? („Nicht-Abstreitbarkeit“)• I.e. you cannot claim not to have done something, like changed a file or sent an email
• Accountability
Chapter 1: Introduction — Security Goals 1-16
Quiz
• What is necessary to support accountability?
• Authenticity
Chapter 1: Introduction — Security Goals 1-17
Quiz
• What is necessary to support accountability?• Authenticity
Chapter 1: Introduction — Security Goals 1-17
Quiz
• What do you want to support deterrence („Abschreckung“)• I.e. we want to prevent that something undesired happens, e.g. a malicious user destroys a document
• Accountability
Chapter 1: Introduction — Security Goals 1-18
Quiz
• What do you want to support deterrence („Abschreckung“)• I.e. we want to prevent that something undesired happens, e.g. a malicious user destroys a document
• Accountability
Chapter 1: Introduction — Security Goals 1-18
Quiz
• What is another word for data origin integrity?
• Authenticity
Chapter 1: Introduction — Security Goals 1-19
Quiz
• What is another word for data origin integrity?• Authenticity
Chapter 1: Introduction — Security Goals 1-19
Quiz
What is the difference?
• Authentication
• Proves who you are
• Associated security goal: Authenticity
• E.g. checking your passport
• Authorization
• Defines what you are allowed to do
• Associated security goal: Controlled Access
• E.g. “are you on the VIP list?”
Chapter 1: Introduction — Security Goals 1-20
Quiz
What is the difference?
• Authentication• Proves who you are
• Associated security goal: Authenticity
• E.g. checking your passport
• Authorization• Defines what you are allowed to do
• Associated security goal: Controlled Access
• E.g. “are you on the VIP list?”
Chapter 1: Introduction — Security Goals 1-20
Quiz
What is the difference?
• Authentication• Proves who you are
• Associated security goal: Authenticity
• E.g. checking your passport
• Authorization• Defines what you are allowed to do
• Associated security goal: Controlled Access
• E.g. “are you on the VIP list?”
Chapter 1: Introduction — Security Goals 1-20
Mixing Authentication and Authorization
My best attempt was registering to Black Hat with firstname: “Staff” and last name: “Access All Areas”
https://twitter.com/mikko/status/587973545797492738
Chapter 1: Introduction — Security Goals 1-21
Chapter 1: Introduction
Network InSecurity
Attacker Models
Security Goals
Threats
Threats Technically Defined
Literature
Chapter 1: Introduction 1-22
Threats
• Abstract Definition• A threat in a communication network is any possible event or sequence of actions that might exploit a vulnerability,
leading to a violation of one or more security goals
• The actual realization of a threat is called an attack
Chapter 1: Introduction — Threats 1-23
Threats Technically Defined
• Masquerade• An entity claims to be another entity (also called “impersonation”)
• Eavesdropping• An entity reads information it is not intended to read
• Loss or modification of (transmitted) information• Data is being altered or destroyed
• Denial of communication acts (repudiation)• An entity falsely denies its participation in a communication act
• Forgery of information• An entity creates new information in the name of another entity
• Sabotage/Denial of Service• Any action that aims to reduce the availability and / or correct functioning of services or systems
• Authorization Violation:• An entity uses a service or resources it is not intended to use
Chapter 1: Introduction — Threats 1-24
Example 1
• Eavesdropping + Authorization Violation
• Example• Alice@Box$ ./rootremoteshell $ROUTER
root@router# tcpdump | grep password
• If Alice does not start modifying the traffic, she is a passive attacker
• Note: If not stated otherwise, we assume that attackers don’t have remote code execution on our boxes
Chapter 1: Introduction — Threats 1-25
Example 2
• Masquerade + Forgery of Information
• Example• Alice pretends to be Bob
• Alice@Box$ hping3 –count 1 –spoof $BOB –icmp –icmptype 8 $CARL
• CARL gets an ICMP Echo Request which appears to be sent from BOB
• BOB gets an ICMP Echo Reply which he never requested
• Alice is an active attacker
• IP source addresses are not secured
Chapter 1: Introduction — Threats 1-26
Example 2: IP Spoofing cont.
Alice Bob Carl
src:Bob dst:Carl ping
src:Carl dst:Bob pong
Chapter 1: Introduction — Threats 1-27
Example 2: IP Spoofing cont.
• Alice: 192.168.1.170
• Bob 192.168.1.227
• Carl: 192.168.1.1
• Alice sends the spoofed packet• Internet Protocol Version 4, Src: 192.168.1.227, Dst: 192.168.1.1; ICMP Echo Request
• Carl replies to the source address specified
• Bob receives a lonely echo reply• Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.227; ICMP Echo Reply
Chapter 1: Introduction — Threats 1-28
Example 3
• Denial of communication acts
• Example• Bob runs a web server (http, tcp port 80) with very limited memory
• Alice floods Bob with TCP SYN packets
• Alice@Box$ hping3 –fast –count 42 –syn –destport 80 $BOB
• Bob allocates memory to store the 42 connections in the SYN-RECEIVED state
• Now Alice starts to deny that she is responsible for the attack
• Denial of Communication Acts + Masquerade + Forgery of Information
• Example• Alice@Box$ hping3 –fast –count 42 –rand-source –syn –destport 80 $BOB
• –rand-source: random spoofed source IP address
Chapter 1: Introduction — Threats 1-29
Example 3
• Why does the attack succeed?
• This is a good opportunity to refresh your knowledge about the TCP 3-way handshake
Chapter 1: Introduction — Threats 1-30
Chapter 1: Introduction
Network InSecurity
Attacker Models
Security Goals
Threats
Literature
Chapter 1: Introduction 1-31
Literature
• Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004
• Claudia Eckert, IT-Sicherheit: Konzepte – Verfahren – Protokolle, Oldenbourg, 2014
• Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in aPublic World (2nd Edition), Prentice Hall, 2002
• Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002
• Günter Schäfer, Security in Fixed and Wireless Networks: An Introduction to Securing Data Communi-cations, Wiley, 2004
• Günter Schäfer, Netzsicherheit, dpunkt, 2003
Chapter 1: Introduction — Literature 1-32