Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.

Slides:



Advertisements
Similar presentations
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
Advertisements

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Network Attacks Mark Shtern.
Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,
Introduction to Security Computer Networks Computer Networks Term B10.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #37 Dec 14 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Chapter Extension 7 How the Internet Works © 2008 Prentice Hall, Experiencing MIS, David Kroenke.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Subnetting.
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security Guest Lecture for J ohn Black Lecture #16 Oct 21 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
JMU GenCyber Boot Camp Summer, Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
ARP Poisoning Rushad Shaikh CSCI 5931 Web Security Spring 2004.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Connecting The Network Layer to Data Link Layer. ARP in the IP Layer The Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) Part.
ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.
Network Security – Special Topic on Skype Security.
CHAPTER 9 Sniffing.
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
CNIT 124: Advanced Ethical Hacking Ch 7: Capturing Traffic.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
CSIT 220 (Blum)1 ARP Based on Computer Networks and Internets (Comer)
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
Comparison of Network Attacks COSC 356 Kyler Rhoades.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.
An Introduction To ARP Spoofing & Other Attacks
Security Issues with Domain Name Systems
IP: Addressing, ARP, Routing
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
LAN Vulnerabilities.
DNS security.
CS4622: Computer Networking
Network Security: DNS Spoofing, SQL Injection, ARP Poisoning
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013

Security of Network Protocols Virtually any network protocol you can name has the following features –When it was designed, security was not considered –Since that time, security has been added –There have been many known vulnerabilities in the protocol, and –(Some) are still insecure Examples: –Ethernet, ARP, DHCP, DNS, BGP, TCP/IP, DNS, HTTP, FTP, WEP Let’s look at a few of these

Ethernet Ethernet is a broadcast protocol –Sniffing reveals all plaintext on a given segment –Switches can help, but they can be fooled Main tool is libpcap/tcpdump –Put interface into “promiscuous mode” Most cards support this; may require privs –Wireshark is a popular GUI/filter

Wireshark

Case Study: Internet Chess Club ICC (Internet Chess Club) Over 30,000 members Pay Site ($60/year) Madonna, Nicholas Cage, Will Smith, Sting, even Kasparov Best choice for online chess Written by and run by: Daniel Sleator –Theoretical Computer Science Professor –Carnegie Mellon University

Basic Idea ICC Server Chess Client 1 Chess Client 2 Client 1 Move Enforce Chess Rules, Manage Clocks Client 1 Move

Move Timestamping Critical Issue –Serious chess is timed –Each player’s clock ticks during his turn –Player’s clock runs out, he loses Difficulty –Network lag appears as player’s thinking time Solution –Timestamp each move locally at client

Security Overview Players now send time themselves Can they lie? –There are cash prizes on ICC sometimes! Sleator’s solutions –Source code to any timestamping software is not released –Encrypt all data to and from server (homebrew encryption protocol) Later Emboldened –Web page encourages you to send sensitive information including CC#’s

What We Did Two main attacks on server –Timestamping (how to cheat) Adversarial model like DRM –Encryption (how to steal CC numbers, etc) Normal crypto adversarial model, and… Block cipher has bad differentials Mode of operation easily broken Key exchange horribly weak No message authentication Suggest Remedies

Timestamping Crack Sleator’s solutions –Control source code –Encrypt Our solution –Reverse engineer binary Linux timestamper only 27KB Not stripped! Yummy!

Symbols can be Useful main() { static int interesting_variable_name; descriptive_function_name(); } descriptive_function_name() { }

Symbols (cont) $ nm a.out …… W data_start T descriptive_function_name b dtor_idx t frame_dummy b interesting_variable_name T main ……

How to Strip $ strip a.out $ nm a.out nm: a.out: no symbols $

Timestamping Remedies Could have been harder –Strip symbols –Obfuscate code No perfect solution –Smartcards (expensive) –Other network services to try and catch cheaters (can spoof everything…. arms race)

Block Cipher (Feistel) 64 Bit Key 64 Bit Input x 32 MSB = L 0 32 LSB = R 0 f R1R1 L1L1 16 Rounds

Block Cipher f() does not use the highest bit of input! –Changing bit 31 or 63 of input changes only bit 31 or 63 of output (respectively) –(In Geek-Speak: there is a probability 1 differential characteristic) Very poor property –Distinguish in 2 chosen plaintexts –Cipher used as random number generator

Mode of Operation Pad formed by XOR of two LCGs x n+1 = 3x n + 1 mod y n+1 = 17y n mod pad = x n y n (just low byte) Given 10 pad bytes, we get the rest 1.1 secs on my student’s laptop

Key Exchange Seeds for symmetric keys exchanged in the clear!!! We sniff the connection (pcap) and read all the traffic trivially –Get CC #s –Get usernames and passwords Active attacks would be even MORE damaging

Remedies Solution –Use SSL (ok, wasn’t around in 1992) –Use really old stuff that works Diffie-Hellman RSA CBC encryption with CBC MAC –Ok, but now just use OpenSSL

Software Products –Sniffer/decryptor using libpcap Linux Blitzin (a little more work) –Timestamping Client (lets you cheat) Didn’t release any of this Sleator was notified –Web page has been changed; perhaps more –But he had to update 30,000+ clients

The Moral People say the easiest way to break a system is not via the crypto… guess what? People, even very smart people, shouldn’t invent their own crypto –You’ll get it wrong without experience –This is kind of an old lesson, but somehow it still hasn’t sunk in (as we’ll see with WEP)

ARP: Address Resolution Protocol We already went through this protocol at a high level: –ARP_REQUEST –ARP_REPLY –Passive caching –Easily Spoofed –Note: this is for LANs only

ARP Packet Hardware Type 1 = Ethernet; ProtocolType 0x0800 = IP; Operation 1 = Request, 2 = Reply; Source MAC and IP, then Target MAC and IP follow

ARP Cache Poisoning Client A requests MAC for IP –Client B replies “I am with MAC 01:01:01:01:01:01” (broadcast) –Client C hears reply and caches  01:01:01:01:01:01 Unsolicited replies are also cached –Suppose gateway IP is and A’s IP is –B tells A:  01:01:01:01:01:01 –B tells gateway:  01:01:01:01:01:01 –Note: these are unicast ARP_REPLYs

Man-in-the-Middle A Gateway B (MAC: 01:01:01:01:01:01) B now proxies all traffic between A and the outside world

Tools: Ettercap Ettercap is a freely-available tool that does ARP cache poisoning for you –I had a grad student do his thesis on this topic –It was easy to set up and use –Handles SSH as well Uses OpenSSL library

Defenses Static ARP tables –Administrative headache –Doesn’t scale ARPWatch –Watches all traffic and detects anomolies –But only alerts admin after an attack has already occurred –Sometimes generates false positives

Using Cryptography AuthARP (Hector Urtubia) –Each client must sign replies with a private key –Unapproved users cannot issue ARP_REPLYs –Downside: PKI

DNS: Domain Name System Already covered this service (roughly) Distributed database mapping names to IP addresses –13 (logical) root servers –Locally cached like ARP –Recursive algorithm: If colorado.edu doesn’t know, ask edu, if they don’t know, ask a root server

DNS: Security BIND –Berkeley DNS implementation –Ubiquitous –History of bugs Even without vulnerabilities, DNS is a flawed protocol –No authentication –Spoofing not too hard

Unsolicited Replies Not Accepted Can’t just send a DNS record to a client who did not request it But we CAN send a reply to a client who DID request it –Problems: we have to know the request was made Not too hard if we control origin of the request (eg, a web page) Not too hard if we can sniff local network –Problems: we have to throttle legitimate replier

DNS Spoofing A requests –Local DNS server may have it cached, or may not; if cached, replies to A –Evil host (on local network) throttles DNS server Ping of death, DoS, overflows, etc Evil host answers for DNS server, redirecting A to bad IP address

Remote Attacks You visit which has a legitimate link to –evil.com then throttles your DNS server and spoofs –evil.com knows you’re waiting for a resolution for amazon.com Doesn’t always work: –Sequence numbers are used, and they are sniffable on a LAN, but not remotely They used to be sequential (thus easy to guess) but now they are randomized Makes remote attacks much harder

Remote DNS Poisoning Attack a local nameserver –Send hundreds of requests to a victim nameserver for the same (bogus) name, bogus.com nameserver must ask someone else, since he won’t have this cached –Send hundreds of replies for bogus.com Problem: sequence numbers of nameserver’s help requests much be matched Answer: birthday phenomenon –Random numbers aren’t that random, which helps –Chance of a collision very high –Now users of this local nameserver will get the IP of your choice when asking for bogus.com

Remote DNS Poisoning

DNSSEC DNSSEC is a project to have a central company, Network Solutions, sign all the.com DNS records. Here's the idea, proposed in 1993: Network Solutions creates and publishes a verification key. (They are the CA) Each *.com creates a key and signs its own DNS records. Yahoo, for example, creates a key and signs the yahoo.com DNS records under that key. Network Solutions signs each *.com key. Yahoo, for example, gives its cert to Network Solutions, and Network Solutions signs a document identifying that key as the yahoo.com key. Computers around the Internet are given the Network Solutions key, and begin rejecting DNS records that aren't accompanied by the appropriate signatures. As of November 2005, Network Solutions simply isn't doing this. There is no Network Solutions key. There are no Network Solutions *.com signatures. Good news: As of 2011, about 25% of DNS queries are signed Stub resolvers must still trust link to recursive name servers (usually the ISP)

CA Cert Fingerprint, 2013 % openssl x509 -in cacert.pem - fingerprint –noout SHA1 Fingerprint = 3D:E9:8C:7D:F5:6A:5C:0A:76: 50:CC:C7:70:C5:74:F4:B1:68: EF:E2