Date post: | 11-Jan-2016 |
Category: |
Documents |
Upload: | kelley-clarke |
View: | 219 times |
Download: | 0 times |
www.ischool.drexel.edu
INFO 331Computer Networking
Technology II Chapter 8
Security
Dr. Jennifer Booker
1INFO 331 Chapter 8
www.ischool.drexel.edu
Security in Networks
• Any two nodes (hosts, routers, etc.) might need to exchange data securely– Secure email, transfer routing tables, military
secrets, private data (SSN, Visa), DNS servers, etc. all need secure communication
• Security has many aspects– End-point Authentication: If Bob and Carol
are communicating, how do they know it’s really Bob and Carol?
2INFO 331 Chapter 8
www.ischool.drexel.edu
Security in Networks
– Confidentiality: How do we keep others from reading their exchange? Encrypted content.
– Message integrity: How do we ensure a message isn’t changed en route?
– Nonrepudiation: How can we prove a message was sent be a specific sender?
– Operational security: How do we protect the network infrastructure from things like denial of service (DoS) attacks or hackers?
3INFO 331 Chapter 8
www.ischool.drexel.edu
Basic Defense Strategy
• In any kind of security approach, we need to consider three aspects in our strategy– Prevent: Protect the network to make it
harder for an attack to take place– Detect: How do you know if you’ve
been attacked?• Often very difficult in networking
– Mitigate: As or after an attack happens, how do you minimize the damage it did?
4INFO 331 Chapter 8
www.ischool.drexel.edu
Non-network Example
• Consider the problem of a bomb on a plane– Prevent: might prevent the problem by 1) scanning
luggage and passengers, 2) requiring security checks for airport employees, and 3) controlling access to planes on the ground
– Detect: detect the problem by 1) a bomb going off, or 2) someone identifying they have a bomb
– Mitigate: Reduce damage by 1) reducing altitude before the bomb goes off, 2) design the plane to avoid duplicate systems next to each other
5INFO 331 Chapter 8
www.ischool.drexel.edu
Non-network Example
• This illustrates some important principles– Security costs effort and money– Security is often inconvenient, even annoying
• Security measures often directly reduce productivity
– Security often affects systems beyond the immediately obvious ones
– Design of the system is often affected by security risks, even if they are rare events
6INFO 331 Chapter 8
www.ischool.drexel.edu
Security vs classification
• In discussing security, the notion of classification (e.g. Confidential, Secret, Top Secret, etc.) can emerge
• Systems to handle classified material are known as ‘trusted’ systems – look for that keyword– Often based on old standards such as the
Rainbow Series’ Orange Book
7INFO 331 Chapter 8
www.ischool.drexel.edu
Passive Intruder
• Going back to Bob and Carol, what happens if someone is listening to their exchange?
• A passive intruder could– Eavesdrop – listen to and record the
secure exchange– Modify, insert, or delete messages that
Bob and Carol were trying to exchange– Could lead to stealing data, impersonating another
user, hijacking a session or causing DoS
8INFO 331 Chapter 8
www.ischool.drexel.edu
Cryptography
• Codes for communication go back millennia• There are tons of resources on the subject:
– RSA, NIST Computer Security Resource Center– The CERT Coordination Center
• A plain (or clear) text message (e.g. “Sell IBM stock now!”) is encrypted into cipher text (which is illegible) using an encryption algorithm, KA
– The key is an input to the algorithm (= cipher)– (Plain text + key) via algorithm ciphertext
9INFO 331 Chapter 8
www.ischool.drexel.edu
Cryptography
• At the receiving end, the cipher text is turned back into plain text using a decryption algorithm, KB)
plaintext plaintextciphertext
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
plaintext plaintextciphertext
KA
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
KB
10INFO 331 Chapter 8
www.ischool.drexel.edu
Keys
• A key is a string of characters, numbers, and other ASCII symbols that feeds into the encryption and decryption algorithms
• The longer the key (in bits), the harder it is to break– DES uses a 56-bit key (obsolete)– Triple DES uses 168-bit– AES use up to 256-bit keys– RSA and PGP use up to 4096-bit keys
11INFO 331 Chapter 8
www.ischool.drexel.edu
Keys
• There are two major encryption approaches – symmetric key and public key
• Symmetric key means that KA = KB – The same key is used by both sender
and receiver
• Public key encryption requires a public key that anyone can know, plus different private keys for sender and receiver– Public key requires longer keys for equal security
12INFO 331 Chapter 8
www.ischool.drexel.edu
Block vs Stream
• Another is whether each character is coded individually (stream cipher), or a group of characters are coded together (block cipher)– Stream cipher examples include Caesar’s
code, the WWII Enigma machine, and WEP (Wired Equivalent Privacy)
– Block ciphers are very common (AES, RSA, etc.)
• Block sizes are typically 64 or 128 bits
13INFO 331 Chapter 8
www.ischool.drexel.edu
Cipher-Block Chaining (CBC)
• Repeated phrases, like ‘HTTP/1.1’ produce the same string when encrypted, making it easier to guess their meaning– Send a 64-bit Initialization Vector (IV) first– Encrypt and send (first block of text XOR IV)– For each subsequent block, encrypt and send
(previous block XOR current clear text)
• This keeps duplicate blocks from appearing that way
14INFO 331 Chapter 8
www.ischool.drexel.edu
Key Breaking Approaches
• There are three ways to approach breaking an encrypted message– Cipher-text-only attack – you only have the
ciphertext, and little or no clue what it contains– Known-plaintext attack – when some of the
message contents are known, such as certain names, words or phrases that should appear
– Chosen-plaintext attack – when you can feed text (‘The quick brown fox jumps over the lazy dog’) into the cipher, and see what it produces
15INFO 331 Chapter 8
www.ischool.drexel.edu
Symmetric Key Crypto
• The Caesar cipher was very simple
• Just move the alphabet down some number of characters, ‘k’– A G (for k = 6)– Then B H, C I, D J, etc.– Wrap around when you get to T Z, U A
• If you know this is the type of cipher, there are only 25 different possible keys!
16INFO 331 Chapter 8
www.ischool.drexel.edu
Symmetric Key Crypto
• Improve on this with a monoalphabetic cipher
• Each letter corresponds to some other letter, but they aren’t in order– A V, B L, C R, or whatever
• This makes 26! (= 4.03E26 or 4.03x1026) key combinations in theory, but patterns of common words make it a lot easier to break than that would suggest
17INFO 331 Chapter 8
www.ischool.drexel.edu
Symmetric Key Crypto
• Improve on the Caesar cipher with a polyalphabetic cipher (encryption)
• Use multiple ciphers in a fixed pattern throughout the message, such as two Caesar ciphers with different offsets (k values)– E.g. follow a pattern of “C1 C2 C2 C1 C2”
where C1 uses k=5 and C2 uses k=19– Hence need to know pattern and k values
18INFO 331 Chapter 8
www.ischool.drexel.edu
DES
• The Data Encryption Standard (DES) was invented in 1977, and updated in 1993– It is symmetric, uses 64-bit blocks, and nominally
a 64-bit key– Ok, only 56 bits of the key are usable – the rest is
for parity checks 2^56 = 72E15 possible keys
• How DES works is very messy– The 64 bits in a block are permuted, go through 16
cycles of math operations, and get permuted again at the end
19INFO 331 Chapter 8
www.ischool.drexel.edu
DES
• Each of the 48-bit keys (K1 to K16) are different parts of the overall 56-bit key
20INFO 331 Chapter 8
www.ischool.drexel.edu
DES Code-Breaking Tests
• In 1997 it took under four months to break a DES-encrypted message by brute force (keep trying keys until one works) – In February 1998 it took 41 days– In July 1998 it took 56 hours– In January 1999 it took 22.25 hours, though
using nearly 100,000 PC’s
21INFO 331 Chapter 8
www.ischool.drexel.edu
Triple-DES
• Ok, so DES isn’t perfect
• Triple-DES (3DES) runs DES three times with different keys– Makes for a 168-bit key!– Used for PPP encryption
22INFO 331 Chapter 8
www.ischool.drexel.edu
AES
• The Advanced Encryption Standard (AES) was proposed in 2001 to replace DES– Uses symmetric encryption with 128-bit
blocks– Keys can be 128, 192, or 256 bits long
• NIST claims if a computer could crack 56-bit DES in one second, it would take 149 trillion years to break 128-bit AES
23INFO 331 Chapter 8
www.ischool.drexel.edu
AES
• AES, 3DES, and Skipjack are all recognized Federal Information Processing Standards (FIPS)– Skipjack was used on the Clipper chip for
hardware security; uses a 64-bit key from an 80-bit cryptovariable
24INFO 331 Chapter 8
www.ischool.drexel.edu
Public Key Encryption
• So all this symmetric key stuff is good, but how to you exchange the keys securely?
• Easier if we can show part of our key publicly
• First public key approach was the 1976 Diffie-Hellman Key Exchange algorithm– Sender and receiver have public keys– Each receiver also uses a private key
to decrypt a message
25INFO 331 Chapter 8
www.ischool.drexel.edu
Public Key Encryption
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s publickey
plaintextmessageK (m)
B+
K B+
Bob’s privatekey
K B-
m = K (K (m))B+
B-
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s publickey
plaintextmessageK (m)
B+K (m)B+
K B+
Bob’s privatekey
K B-
m = K (K (m))B+
B-
m = K (K (m))B+
B-
Why does this provide confidentiality?
26INFO 331 Chapter 8
www.ischool.drexel.edu
Public Key Encryption
• Two main concerns with public key ciphers– An intruder can easily know a receiver’s
public key, and the encryption method, so a chosen-plaintext attack is possible
– Hence private keys, and verifying the sender of a message are critical – the digital signature
• The best known public key algorithm is RSA– Named for Rivest, Shamir, and Adleman
27INFO 331 Chapter 8
www.ischool.drexel.edu
RSA
• RSA works like this– Pick two large prime numbers, p and q– Want pq> 1024 for corporate use, pq>768 for
lesser security– Let n = pq, and z = (p-1)(q-1)– Choose e < n which has no factors in
common with z– Find d such that (ed-1)/z is an integer– The public key is (n,e); the private key is (n,d)
28INFO 331 Chapter 8
www.ischool.drexel.edu
RSA
• To use this, take a plaintext message m
• The ciphertext is c = (m^e)*mod (n) – This is the integer remainder when m^e is
divided by n
• The receiver gets c, and decodes the message using m = (c^d) mod n
• So n and e are used for encryption; n and d are used for decryption
29INFO 331 Chapter 8
www.ischool.drexel.edu
RSA
• So the theory isn’t too weird, just tedious because of the large numbers involved
• Finding large prime numbers is a critical element of many crypto schemes – RSA is no exception
• Also important is how to choose d and e
• Such issues are beyond our scope here
30INFO 331 Chapter 8
www.ischool.drexel.edu
RSA vs DES
• RSA is 100 times slower than DES in software, and 1000 to 10,000 times slower than DES in hardware– Hence RSA is often used with DES or AES
• For example, a DES session key KS can be sent via public RSA key, and then the rest of the transmission can be done using DES (key concept!!)
31INFO 331 Chapter 8
www.ischool.drexel.edu
Why does RSA work?
• The trick is that p and q are prime, so– 1 = mod (p-1)(q-1) = mod z
• And we chose ed so that (ed-1)/z has no remainder, hence ed mod (z) = 1
• Encryption followed by decryption of message m therefore gives– (m^e)^d = m^1 mod n = m (the original
message)
32INFO 331 Chapter 8
www.ischool.drexel.edu
RSA
• RSA also works because there is no fast way (yet?) to factor a large number n into the primes p and q
• If you could do that, the private key d could be determined from the public key e, and RSA would be sunk
33INFO 331 Chapter 8
www.ischool.drexel.edu
Message Integrity
• In our legal system, a competent adult can use their written signature to affirm a contract– Whether paying for lunch on a credit card, or signing
a law into existence, the effect is similar
• A digital signature does the same thing online• Need to verify that the signature came from the
person claimed, and only that person– Need it verifiable, non-forgeable and not alterable– Use public key crypto to do this
34INFO 331 Chapter 8
www.ischool.drexel.edu
Digital Signature
• For Fred to sign a message, m, he applies his private key to encrypt the message– The result is the signed message
• To recover the message, apply his public key
• Yes, this is the reverse of the way to send an encrypted message – Which was use the public key to create cipher
text, then use the private key to decode it
35INFO 331 Chapter 8
www.ischool.drexel.edu
Digital Signature
• Why does this work backward?– The application of public and private keys is
just math operations – in this case, doing them in either order results in recovering the original message
• Since only Fred knows his private key (we hope!), that proves the message was generated by him– Lesson: Don’t share a private key – EVER!!!
36INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• Digital signatures are very computationally expensive
• Want a way for large volumes of data to verify the sender of a message, and make sure the data wasn’t changed
• A message digest does this, while being cheaper than a full blown digital signature– A message digest is a cryptographic hash
function, like checksums and CRC codes
37INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• To create a message digest– For a message, m, compute the hash
function H(m)– Sign H(m) with your private key, KB
-(H(m))– Send the unaltered message, m, with the
encoded hash function
• The recipient applies the public key KB
+( KB-( H(m) ) ) to recover the hash
function that came with the message
38INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• The recipient evaluates the hash function with the message received – If the message’s hash function agrees with the hash
function they calculate for the message, it proves the message wasn’t altered
• A hash function creates a string of fixed size– Must be infeasible to get the same hash function for
any two input messages H(m) = H(n)– Consider it like a really fancy checksum
39INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• To improve on this approach, create the hash of the message (m) AND a secret authentication key (s)– H(m+s) = a Message Authentication Code,
MAC– [This MAC is unrelated to the link layer MAC
address]
• HMAC (noted later) is a popular standard for generating MACs Is a MAC encrypted?
40INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• So two mechanisms are used in the message digest– The application of private and public keys is
used “to verify the sender of a message” – The hash function is used to “make sure the
data wasn’t changed”
• The MD5 algorithm (Ron Rivest) is widely used for creating 128-bit message digests– See RFC 1864, if really bored on a long flight
41INFO 331 Chapter 8
www.ischool.drexel.edu
Message Digests
• If MD5 isn’t good enough for you, try SHA-1, which has a 160-bit message digest– Based on MD4 (which preceded MD5)– Stands for Secure Hash Algorithm, defined by
FIPS 180-2– SHA can handle message sizes up to 264 or
2128 bits (that’s 1.8E19 or 3.4E38 bits)
• Still not secure enough?– SHA-2 has up to 680-bit message digests
42INFO 331 Chapter 8
www.ischool.drexel.edu
Key Distribution & Certification
• Both symmetric and public key crypto desperately need to control access to keys
• They require a trusted intermediary – For symmetric key crypto, that role is the Key
Distribution Center (KDC)• MIT’s Kerberos is a classic example
– For public key crypto, that role is the Certification Authority (CA)
43INFO 331 Chapter 8
www.ischool.drexel.edu
Key Distribution Center (KDC)
• Two people (Alice, Bob) on a public network can use symmetric key crypto via a KDC
• Each user has a personal secret key registered with the KDC
• Here call them KA-KDC and KB-KDC – Alice uses her secret key to tell the KDC she wants
to talk to Bob– The KDC sends her a one-time session key, R1,
and that key coded using Bob’s secret key (!)
44INFO 331 Chapter 8
www.ischool.drexel.edu
Key Distribution Center (KDC)
– Alice now knows the one-time session key, and sends the encrypted key to Bob
– Bob decodes it, and now also knows the one-time session key
– Now Alice and Bob can communicate securely using R1
• Sneaky, huh?• The critical (and risky) part is that the KDC
knows everyone’s secret key
45INFO 331 Chapter 8
www.ischool.drexel.edu
Key Distribution Center (KDC)
Aliceknows
R1
Bob knows to use R1 to
communicate with Alice
Alice and Bob communicate: using R1 as session key f or shared symmetric encryption
KDC generates
R1
KB-KDC(A,R1)
KA-KDC(A,B)
KA-KDC(R1, KB-KDC(A,R1) )Aliceknows
R1
Bob knows to use R1 to
communicate with Alice
Alice and Bob communicate: using R1 as session key f or shared symmetric encryption
KDC generates
R1
KB-KDC(A,R1)
KA-KDC(A,B)
KA-KDC(R1, KB-KDC(A,R1) )
46INFO 331 Chapter 8
www.ischool.drexel.edu
Public Key Certification
• Public keys can be made available many places – Email signature lines, web pages, or put in a
public key server
• But if I tell you XYZ123 is my public key, how do you know it’s really mine, and not someone else’s?– That’s the role of public key certification – to
verify the identity of a public key47INFO 331 Chapter 8
www.ischool.drexel.edu
Certification Authority (CA)
• A Certification Authority (CA) binds a public key to a particular person (entity)
• The CA’s rules are simple– A CA must use some means to verify a
person’s identity (the rules vary!)– The CA creates a digitally signed certificate
which binds the person to the public key
• The CA must have a public key which is well known (so they can’t be spoofed)
48INFO 331 Chapter 8
www.ischool.drexel.edu
Certification Authority (CA)
• Example of using a CA– If you order a pizza from Drexel Pizza over
email– They could see your public key at, say, the
bottom of your email message– They use the public key of the CA to verify
that really is YOUR public key– Once your public key is verified, the order
can be placed
49INFO 331 Chapter 8
www.ischool.drexel.edu
Certification Authority (CA)
• The ITU and IETF both have standards for certificate authorities– ITU X.509 and RFC 6170, respectively– Verisign is among the better known CAs
50INFO 331 Chapter 8
www.ischool.drexel.edu
Authentication
• Authentication is proving your identity– Over a network, no one can tell if you’re you!
• Assume we’re dealing with live communication– A later issue is whether a message in the past
was really sent – the digital signature problem
• Here, authentication is done via messages (duh!) from an authentication protocol
51INFO 331 Chapter 8
www.ischool.drexel.edu
Authentication
• The authentication protocol has to confirm the identities before communication occurs
• We’ll look at increasingly complex versions of an authentication protocol, “ap”, much like we did for TCP last term– Don’t worry, no finite state diagrams this time
52INFO 331 Chapter 8
www.ischool.drexel.edu
Ap1.0
• The simplest way to authenticate is simply to self-identify– ‘I am Fred Smith’
• The obvious trouble is that there’s no assurance this is a true statement
• For that matter, you don’t know if it’s really the correct Fred Smith you meant to talk to
53INFO 331 Chapter 8
www.ischool.drexel.edu
Ap2.0
• If the sender is using a known fixed IP address, we could authenticate by checking the datagram for that source IP address– Yes, this datagram is coming from 23.65.133.2– But this leads to the IP spoofing problem – changing a
datagram to show a different source IP than is true
• Good first hop routers will only send out datagrams with correct source IPs (RFC 3704)
– But this isn’t enforced
54INFO 331 Chapter 8
www.ischool.drexel.edu
Ap3.0
• Ok, how about using a password to authenticate the user?– If the sender sends a password, it could be
intercepted, and later used to fraudulently authenticate a spy
– Many passwords (HTTP, Telnet, FTP) are sent in plain text, or are trivially encoded
• Sniffing packets on a server is an easy way to steal passwords
55INFO 331 Chapter 8
www.ischool.drexel.edu
Ap3.1
• Um, so encrypt the password!– (Assuming a symmetric cipher is used)
• Nope, no good– A sniffer could record the cipher text of the
password, and replay it to log in (a playback attack)
– Even though the sniffer doesn’t learn what the password is, they can still impersonate the sender
56INFO 331 Chapter 8
www.ischool.drexel.edu
Ap4.0
• Well, the problem was reusing the same password over and over – what if it’s unique?
• What if we have a sequence or set of passwords, and use each one only once?
• Use a nonce – a number used by the protocol only once EVER, like this– Sender sends message to receiver– Receiver chooses a nonce, R, and replies
57INFO 331 Chapter 8
www.ischool.drexel.edu
Ap4.0
– Sender encrypts the nonce with a symmetric key, KA-B(R) and sends it back
– Receiver decrypts it– If the received message matches the nonce
sent, it’s accepted
• This works (yay!), but depends on having a symmetric key on both sides– See if we can improve on it…
58INFO 331 Chapter 8
www.ischool.drexel.edu
Ap4.0
“I am Alice”
R
K (R)A-B
Alice is live, and only Alice knows key to encrypt
nonce, so it must be Alice!
“I am Alice”
R
K (R)A-B
K (R)A-B
Alice is live, and only Alice knows key to encrypt
nonce, so it must be Alice!
Sender Receiver
59INFO 331 Chapter 8
www.ischool.drexel.edu
Ap5.0
• Can we achieve the good outcome of ap4.0 using public key encryption?
• Try this:– Sender sends message to receiver– Receiver chooses a nonce, R, and replies– Sender uses private key to encrypt the nonce,
and sends it back to receiver– Receiver uses sender’s public key to compute
R and authenticates the sender
60INFO 331 Chapter 8
www.ischool.drexel.edu
Ap5.0
• So what’s wrong? Try this scenario– Thief sends message impersonating sender to
receiver– Receiver chooses nonce, R, and replies with it– Thief intercepts message, uses her private key to
encode the message, and sends it to receiver– Receiver asks sender for public key, but it’s
intercepted by the Thief, who sends their public key– Thief is authenticated as the sender!
61INFO 331 Chapter 8
www.ischool.drexel.edu
Ap5.0
• The goodness of ap5.0 is limited by the availability of public keys
• Similarly, a man-in-the-middle or bucket brigade attack puts the Thief in the middle of the real conversation, unknown to either side– Worse, neither sender nor receiver will know
their content was seen by the Thief in the middle
62INFO 331 Chapter 8
www.ischool.drexel.edu
Man-in-the-middle AttackI am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted with
Alice’s public key
AK (m)+
Am = K (K (m))+
A-
R
I am Alice I am Alice
R
TK (R)
-T
K (R)-
K (R)-
Send me your public key
TK
+T
K T
K +
AK (R)
-A
K (R)-
K (R)-
Send me your public key
AK
+A
K A
K +
TK (m)+T
K (m)+
Tm = K (K (m))+
T-T
m = K (K (m))+T
-Trudy gets
sends m to Alice encrypted with
Alice’s public key
AK (m)+A
K (m)+
Am = K (K (m))+
A-A
m = K (K (m))+A
-
R
63INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• Like the gateway on a castle, firewalls are designed to control entry into a network, and access out of it
• The amount of control a firewall can have is immense
64INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• The goals of a firewall are generally– All traffic into and out of the organization must
pass through a firewall– Only authorized traffic will be allowed to pass– The firewall itself is immune to attack
• Firewalls are inherently paranoid– The default setting is to allow nothing in
or out!
65INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• Firewalls fall in three categories – Packet filters (network level) – Stateful filters – Application gateways
• First look at packet filtering– Most organizations have a firewall at the
boundary to the public Internet (plus possibly others internally)
66INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• Packet filters can look at each packet’s– Source and/or destination IP addresses– Type of protocol (transport or application)– Source and/or destination port number– TCP flag bits – SYN, ACK, etc.– ICMP message type
• Rules can vary for inbound vs outbound traffic, or for different router interfaces
67INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• Any of these can be a basis for filtering rules– For example, block all outgoing Telnet or
FTP or HTTP traffic– Block UDP traffic to stop (some) streaming
media– Or exclude specific IP addresses from
these rules
68INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• A sneaky trick is to block incoming TCP traffic with the ACK bit set to 0– This kills TCP connections originating from
the outside
• Another key issue is to be aware of the sequence in which packet filtering rules are applied– The first rule that applies to a packet
determines its fate – not all the rules!69INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
• Even a simple firewall (Cisco PIX 501, about $400) can control (see handout)– Which interfaces are active, and at what speeds– IP addresses allowed to take data in– IP addresses allowed to send data out– Which protocols are allowed to operate– Which ports are allowed for each protocol– Use of authentication servers (e.g. RADIUS)– If the firewall acts as an HTTP or DHCP server
70INFO 331 Chapter 8
www.ischool.drexel.edu
Firewalls
– Use of a virtual private network (VPN), and what types of encryption are used (DES, 3DES, AES)
– IP addresses of the interfaces– Where NAT is running inside the network– SNMP server information
• Licensing issues include how many interfaces are active (2+), how many hosts can be connected (10, 50, or unlimited), allowable throughput, and whether VPN is available
71INFO 331 Chapter 8
www.ischool.drexel.edu
Stateful Packet Filters
• Stateful filters track each TCP connection, and decide in the context of that connection how to apply filtering rules– Do so by creating a connection table with
each connection’s source and destination IP and port number
– An access control list can define the rules for allowable IP, port, transport protocol, flags, etc.
72INFO 331 Chapter 8
www.ischool.drexel.edu
Application Gateway
• The other category of firewall is an application gateway– It’s a server which filters application data– Packet filters can’t filter by user, but an app
gateway can
• Can combine with packet filtering– Have packet filter only allow Telnet from the
app gateway, then have app gateway control which users can use Telnet
73INFO 331 Chapter 8
www.ischool.drexel.edu
Application Gateway
• Can have separate app gateway servers for each app (HTTP, FTP, email, etc.)– Web cache & email servers are also
gateways
• Using an app gateway costs in lower app performance, plus the time needed for its configuration and maintenance
• Firewalls can be breached by wireless devices, or even dialup connections
74INFO 331 Chapter 8
www.ischool.drexel.edu
Intrusion Detection Systems
• An IDS does deep packet inspection, looking at packet message contents instead of just headers– An IDS can be signature-based, where it
keeps a database of attack signatures for various forms of attack
– Or an anomaly-based IDS looks for statistically unusual packet patterns
75INFO 331 Chapter 8
www.ischool.drexel.edu
Intrusion Detection Systems
• The network between a packet filter and an IDS can be called the DMZ (demilitarized zone)– Public web servers are typically inside
the DMZ
• Snort is an open source IDS
76INFO 331 Chapter 8
www.ischool.drexel.edu
Network Attacks
• Many kinds of attacks on computer networks are possible– Can attack common operating systems– Can attack applications– Can attack the network itself
• We’ll focus on the latter– Disclaimer: Naturally this isn’t intended to be
a user’s guide to hacking, but is intended to help you be proactive to protect your network
77INFO 331 Chapter 8
www.ischool.drexel.edu
Need 411
• Many attacks are preceded by gathering information– Same idea as ‘casing’ a future crime scene,
scouting, reconnaissance, etc.– Here we call it mapping
• Mapping is often to determine the IP addresses of hosts on the network, the type of OS’ used, and types of services offered
78INFO 331 Chapter 8
www.ischool.drexel.edu
Mapping
• Ping can be used to find IP addresses
• Port scanning is done by trying to send TCP connection requests or UDP packets to every possible port number, and see which ones are active– Nmap is a free, open source, network
mapping utility which uses WinPcap– Many firewalls look for port scanners, and
report their presence to a network manager79INFO 331 Chapter 8
www.ischool.drexel.edu
Packet Sniffing
• A packet sniffer receives all packets coming into or leaving a host– Promiscuous mode
allows it to receive all passing frames
– Unencrypted user names and passwords can be found this way
No, packet sniffing!
80INFO 331 Chapter 8
www.ischool.drexel.edu
Packet Sniffing
• To detect Packet Sniffing, need to detect network interfaces (NICs) that are in promiscuous mode
• One way is to send ICMP Echo Request messages to all hosts, with a correct IP address, but wrong MAC address– Hosts that Reply are likely to be in
promiscuous mode
• Encrypt data when sniffing may be present
81INFO 331 Chapter 8
www.ischool.drexel.edu
Spoofing
• IP Spoofing is deliberately changing the IP address a datagram claims to be from
• This is used to hide the true source of an attack, such as denial-of-service
• Spoofing is preventable with ingress filtering– Have a router check to see if the packet came from
the correct interface to have come from the claimed source IP address
– Still, not very powerful if router has few interfaces
82INFO 331 Chapter 8
www.ischool.drexel.edu
Denial-of-Service (DoS)
• A herd of attacks fall under Denial-of-Service (DoS) or distributed DoS (DDoS) types
• Main purpose is to prevent real users from getting to a network or web site
• A SYN flooding attack sends many TCP SYN packets with spoofed IP addresses to a server– The server completes the second step of the
handshake, and allocates resources for the connection
83INFO 331 Chapter 8
www.ischool.drexel.edu
Denial-of-Service (DoS)
– The server runs out of resources, and crashes
• A variation of this is to send incomplete TCP fragments to a server, who will dutifully keep them in the hope of completing the segment– The final packet never arrives, but the server keeps
the fragments until it runs out of storage
• A smurf attack gets a lot of innocent hosts to respond to ICMP Echo Request messages– They all reply to a server whose IP was spoofed
84INFO 331 Chapter 8
www.ischool.drexel.edu
Distributed DoS
• Sneakier yet is the distributed DoS attack– A master attacker gains access to many unsuspecting
hosts (e.g. via password sniffing)– The master installs a DoS application on each
slave host– When a signal is sent, all of the slaves start a DoS
attack against the same server
• Since many hosts are involved in the attack, it’s very difficult to defend against this
85INFO 331 Chapter 8
www.ischool.drexel.edu
Hijacking
• Hijacking a connection means you take over one side of it, without the other side being aware of the subterfuge– An attacker monitors a connection to find out ACK
and sequence numbers, IP addresses, etc.– They DoS attack one sender to keep them from
responding, and start communicating with the other sender in place of the original host
• The other sender may not be able to tell someone else is present!
86INFO 331 Chapter 8
www.ischool.drexel.edu
Case Studies
• All of the top four layers of protocols (App, Transport, Network, Link) can provide security to varying degrees– All layers above the secure one benefit from
its security– Higher layer security needed for user-level
protection; lower layers harder to implement
• We’ll look at case studies in each layer– E-mail, SSL, IPsec, and 802.11
87INFO 331 Chapter 8
www.ischool.drexel.edu
Case Study: Secure E-mail
• What features might we want from secure email?– Confidentiality – only sender and receiver can
see the contents– Sender authentication – verify sender’s
identity– Message integrity – to know it wasn’t changed– Receiver authentication
• So how can we provide these features?
88INFO 331 Chapter 8
www.ischool.drexel.edu
Case Study: Secure E-mail
• Confidentiality could be done with symmetric key encryption (DES or AES), but distribution of a symmetric key is hard
• Could use public key encryption– Makes the key exchange easier– Bad for long messages, though– Could use the symmetric-public trick from
earlier – send the symmetric key using public key encryption, then converse using symmetric key
89INFO 331 Chapter 8
www.ischool.drexel.edu
Case Study: Secure E-mail
• Now ignore confidentiality for a moment, and consider sender authentication and message integrity– Sender applies a hash function (MD5) to a
message, and signs it with their private key– Receiver applies sender’s public key, and
compares the received hash value with that generated locally
– This accomplishes both desired functions
90INFO 331 Chapter 8
www.ischool.drexel.edu
Case Study: Secure E-mail
• Now combine the two approaches– Sender generates a hash of their message
and applies their private key to the hash– The hash + message then has their
symmetric key applied– Receiver gets the message, undoes the
symmetric encryption, applies the sender’s public key to recover the sent hash, and compares to the locally generated hash
• Easy, huh?
91INFO 331 Chapter 8
www.ischool.drexel.edu
Case Study: Secure E-mail
• So to provide secure email we’re using three technologies– Hash functions & digital signatures– Symmetric key crypto– Public key crypto
• Does it work? Yup! – And it has since 1991
92INFO 331 Chapter 8
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• PGP was created in 1991 by Phil Zimmermann– Free versions are available, or you can buy
fancier versions– It uses the approach outlined on slide 81
• Messages can be digitally signed, encrypted, or both– And it can throw in data compression, too
93INFO 331 Chapter 8
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• How does it do it?– The message digest is created with MD5 or SHA – Symmetric key crypto is done using CAST, 3DES, or
IDEA – Public key crypto is done with RSA
• PGP creates a public key for each user, and protects their private key with a password
• Public keys can be kept on a server, your web site, or attached to messages
94INFO 331 Chapter 8
www.ischool.drexel.edu
Pretty Good Privacy (PGP)
• Key certification is done partially by mutual assurance– A user can certify a user/key combination– Some have mutual key signing parties
(yippee)
• But most people advertise their public keys via email or personal web sites
95INFO 331 Chapter 8
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• Secure Sockets Layer provide security at the transport layer (TCP)
• Secure business transactions (stock trades, finance, etc.) are a key motivation– Otherwise sensitive info could be stolen, or a
false storefront could trick real customers
• SSL was created by Netscape to provide encryption and authentication between a web browser and a web server
96INFO 331 Chapter 8
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL starts with a handshake phase to negotiate which crypto algorithm will be used (DES, IDEA, etc.), and authenticates the server to the client– During the session, all data is encrypted using
keys negotiated during handshake
• SSL 3.0 is the basis for the Transport Layer Security (TLS) protocol, RFC 5246
97INFO 331 Chapter 8
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL sits between the transport and application layers, and can be used for many kinds of apps (email, etc.)
• From the sending side, SSL– Takes app data, encrypts it, and sends it to
a TCP socket
• From the receiving side, SSL– Reads from a socket (port), decrypts it, and
sends it to the application at that end
98INFO 331 Chapter 8
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• SSL provides:– SSL server authentication – is this really the
server I think it is? Done via Certificate Authorities (CA) and public keys
– SSL client authentication – likewise prove the client is who they say they are
– Encrypted SSL sessions – in which all data between client and server is encrypted
99INFO 331 Chapter 8
www.ischool.drexel.edu
Secure Sockets Layer (SSL)
• A web page on an SSL-enabled server is addressed by https instead of http
• The web browser has a list of CAs and their public keys
• We’re going to use the public key – to exchange symmetric keys trick again
• So how does the handshake work?– Ok, this is a Reader’s Digest version of it…
100INFO 331 Chapter 8
www.ischool.drexel.edu
SSL Handshake
• Browser sends server their SSL version and symmetric crypto preferences
• Server sends browser their version, preferences, & certificate with RSA public key
• Browser checks certificate against list– If it’s not on the list, user is warned– If it is on the list, the CA’s public key is used
to validate the certificate and get their public key
101INFO 331 Chapter 8
www.ischool.drexel.edu
SSL Handshake
• Browser generates a symmetric session key, encrypts it with server’s public key, and sends to server
• Browser warns server all future messages will use the symmetric session key
• Server tells browser the same thing
• Handshake is done, and session begins
102INFO 331 Chapter 8
www.ischool.drexel.edu
SSL Limitations
• SSL is widely used for credit card purchases, but it wasn’t designed for that purpose
• One could obtain a CA for a business that has nothing to sell, and no certificate authority could block it from getting a certificate– A certificate just proves you really are XYZ
Corporation, not whether XYZ Corp is reputable or trustworthy!
103INFO 331 Chapter 8
www.ischool.drexel.edu
IPsec
• The IP security protocol, IPsec, is a suite of protocols at the network layer– It’s described in over a dozen RFCs, mainly
RFC 4301– Often used for Virtual Private Networks
(VPNs)
• We want network-layer confidentiality– All datagrams have encrypted data– Any encryption method could be used
104INFO 331 Chapter 8
www.ischool.drexel.edu
IPsec
– Data could include TCP or UDP segments, ICMP messages, etc.
– If everyone provided network-layer confidentiality, anyone tapping the network would see only gibberish
• We also might want source authentication– This would verify the source of a datagram
really sent it, thereby defeating spoofing IP addresses
105INFO 331 Chapter 8
www.ischool.drexel.edu
IPsec
• IPsec offers two levels of service (RFC 7321)– Authentication Header (AH) protocol
• The AH protocol provides source authentication and data integrity, but no confidentiality
– Encapsulated Security Payload (ESP) protocol
• The ESP protocol provides all three (source authentication, data integrity, confidentiality)
• Hence ESP is more processing-intensive
106INFO 331 Chapter 8
www.ischool.drexel.edu
Security Association (SA)
• Both AH and ESP first establish a logical channel using a Security Association (SA)
• Recall a normal IP connection has no state information
• An SA defines a logical connection between hosts– SA is simplex (one-way)– For traffic to flow both directions,
make two SAs
107INFO 331 Chapter 8
www.ischool.drexel.edu
Security Association (SA)
• An SA is defined by– Security protocol identifier (AH or ESP)– Source IP address– 32-bit connection identifier, the Security
Parameter Index (SPI)
• A given SA connection will use the same SPI value in all of its datagrams– Store SA info in Security Association
Database (SAD) in the OS kernel108INFO 331 Chapter 8
www.ischool.drexel.edu
Authentication Header (AH)
• Once an SA is established, a host can send secure datagrams to the other host
• To use AH, a special header is inserted between the normal IP header and the TCP or UDP segment– The IP header has protocol field #51
• Routers handling AH traffic only see that protocol field – the rest is ignored by them
I P header data (e.g., TCP, UDP segment)AH headerI P header data (e.g., TCP, UDP segment)AH header
109INFO 331 Chapter 8
www.ischool.drexel.edu
Authentication Header (AH)
• The AH header has these key fields:– Next Header, which is the IP protocol field– SPI value for this connection– Sequence number – unlike the TCP sequence
number, this is 0 to start and is tracked separately from the TCP field
– Authentication Data field, which contains a message digest (digital signature) for this datagram
110INFO 331 Chapter 8
www.ischool.drexel.edu
Authentication Header (AH)
• The message digest is calculated for the IP header and the TCP/UDP segment, ensuring host authentication– It’s computed using the usual algorithms -
MD5, SHA, etc.– These algorithms are a.k.a. Hashed Message
Authentication Codes (HMAC, RFC 2404)
• When the receiving host gets a datagram with an AH header, it determines the SA and processes the authentication field
111INFO 331 Chapter 8
www.ischool.drexel.edu
AH and ESP
• After authentication, AH uses the TCP or UDP segment as is (no encryption was used)
• ESP also starts with an SA connection
• ESP surrounds the original IP datagram with both headers and trailers
I P header TCP/ UDP segmentESP
headerESP
trailerESP
authent.
encryptedauthenticated
I P header TCP/ UDP segmentESP
headerESP
trailerESP
trailerESP
authent.ESP
authent.
encryptedauthenticated
112INFO 331 Chapter 8
www.ischool.drexel.edu
ESP
• For ESP, IP protocol field 50 is used
• The original segment and ESP trailer are encrypted using DES-CBC (RFC 2405)
• The ESP header has– 32-bit SPI field– 32-bit sequence number– Same roles as in AH
113INFO 331 Chapter 8
www.ischool.drexel.edu
ESP
• The ESP trailer has– Next Header– Authentication Data field– Again, same roles as in AH
• The optional ESP Authentication field is – “… a variable-length field containing an
Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. ”
114INFO 331 Chapter 8
www.ischool.drexel.edu
SAD and SPD
• When a router receives an unsecured datagram, how does it know it’s okay to encrypt it? And if so, according to which SA?– The Security Policy Database (SPD) knows
what types of datagrams are to receive IPsec, and which SA is appropriate for each
115INFO 331 Chapter 8
www.ischool.drexel.edu
Key Mgmt: IKE and ISAKMP
• In order for IPsec to be widely used, key management has to be automated and reliable– Internet Key Exchange (IKE) does this for IPsec– RFC 7296
• Somewhat related, the Internet Security Association and Key Management Protocol (ISAKMP) defines how SA’s are established and torn down (RFC 4945)
116INFO 331 Chapter 8
www.ischool.drexel.edu
Security in 802.11
• Since wireless access points are omni-directional, security is a big concern (or should be!)
• Only one of these was my network!
117INFO 331 Chapter 8
www.ischool.drexel.edu
WEP
• The basic level of 802.11 security for authentication and encryption is Wired Equivalent Privacy (WEP)
• WEP uses a symmetric shared key
• WEP doesn’t specify how the key is shared
118INFO 331 Chapter 8
www.ischool.drexel.edu
WEP Authentication
• WEP authenticates a host like this:– Host requests authentication by an AP– AP responds with a 128-bit nonce value – Host encrypts the nonce with its symmetric
key– AP decrypts the host-encrypted nonce
• If it matches the value sent by the AP, the host is authenticated
119INFO 331 Chapter 8
www.ischool.drexel.edu
WEP Encryption
• WEP encrypts data using a 40-bit secret symmetric key– Each frame also gets a different 24-bit
Initialization Vector (IV), for a total of 64 bits
• Encryption works like this:– Find a 4-byte CRC value for the data– Use RC4 to encrypt the (data plus CRC code)– The IV value for this frame is in plain text in
the 802.11 frame header
120INFO 331 Chapter 8
www.ischool.drexel.edu
WEP Encryption
• Receiver of the data:– Takes the IV value, appends it to the known
40-bit secret symmetric key, and decrypts the frame
– Then the CRC check can verify data integrity
• RC4 is deliberately a weak code, so that it can pass US export regulations
• For RC4 to work reliably, it can never use the same 64-bit key
121INFO 331 Chapter 8
www.ischool.drexel.edu
WEP Encryption
• But 40 bits of the key are rarely changing (if ever), so each key is only unique for 2^24 IV values
• If IV is chosen randomly, a duplicate key is 99% likely after only 12,000 frames– If a duplicate keyed message is intercepted, a
spoofed IP listener can decrypt the entire message, and determine what the secret key was
• WEP has many documented weaknesses
122INFO 331 Chapter 8
www.ischool.drexel.edu
802.11i
• 802.11i was approved in 2004 to improve wireless security– Wi-Fi Protected Access (WPA) is a subset of it
• 802.11i provides a set of security options called Robust Security Network Association (RSNA) security
• It also manages keys, and has an authentication server separate from the access point
123INFO 331 Chapter 8
www.ischool.drexel.edu
802.11i Phases of OperationAP: access point AS:
Authenticationserver
wirednetwork
STA:client station
1 Discovery ofsecurity capabilities
3
STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”
2
3 STA derivesPairwise Master
Key (PMK)
AS derivessame PMK, sends to AP
4 STA, AP use PMK to derive Temporal Key (TK) used for message
encryption, integrity
AP: access point AS:Authentication
server
wirednetwork
STA:client station
1 Discovery ofsecurity capabilities
1 Discovery ofsecurity capabilities
33
STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”
22
33 STA derivesPairwise Master
Key (PMK)
AS derivessame PMK, sends to AP
4 STA, AP use PMK to derive Temporal Key (TK) used for message
encryption, integrity
44 STA, AP use PMK to derive Temporal Key (TK) used for message
encryption, integrity
124INFO 331 Chapter 8
www.ischool.drexel.edu
802.11i
• 802.11i, and advanced encryption such as AES
• It uses the Extensible Authentication Protocol (EAP, RFC 3748)– It can use RADIUS (and soon, DIAMETER)
authentication between AP and authentication server
– Between wireless host and AP it can use EAP over LAN (EAPoL, IEEE 802.1X)
125INFO 331 Chapter 8
www.ischool.drexel.edu
Summary
• So we’ve looked at the basics of:– Secure communication principles– Encryption (cryptography), such as DES and RSA– Authentication – Digital signatures and message digests– Key distribution methods
• And examples of how these technologies are used within each network layer: email, SSL, IPsec, and 802.11
126INFO 331 Chapter 8