15-440 Distributed Systems Fall 2016 L-23 Security

Today's Lecture Internet security weaknesses Establishing secure channels (Crypto 101) Key distribution

What is “Internet Security” ? Denial-of-Service Password Cracking Traffic modification Worms & Viruses Trojan Horse DNS Poisoning * This list is pretty broad, some things are actual incidents that may cause harm, while others are vulnerabilities that lead to more complex attacks that cause harm. From such a list, we might define Internet security broadly as preventing bad things that can happen when someone is using the Internet. Phishing Spyware IP Spoofing Route Hijacks Traffic Eavesdropping End-host impersonation Spam Internet Security: Prevent bad things from happening on the internet!

Internet Design Decisions: (ie: how did we get here? ) Origin as a small and cooperative network ( largely trusted infrastructure) Global Addressing (every sociopath is your next-door neighbor) Connection-less datagram service (can’t verify source, hard to protect bandwidth) Assumption is still true, even now when Internet is a huge collection of independent ISPs.

Internet Design Decisions: (ie: how did we get here? ) Anyone can connect ( ANYONE can connect) Millions of hosts run nearly identical software ( single exploit can create epidemic) Most Internet users know about as much as Senator Stevens aka “the tubes guy” ( God help us all…) Assumption is still true, even now when Internet is a huge collection of independent ISPs. And with the advent of things like Mobile Devices and Internet of Things, it does not look like things will become any easier in the future.

Our “Narrow” Focus Yes: 1) Creating a “secure channel” for communication Some: 2) Protecting resources and limiting connectivity No: 1) Preventing software vulnerabilities & malware, or “social engineering”. For this course though, we want to focus on understanding how the Internet’s design contributes to a variety of security vulnerabilities, how these vulnerabilities can be exploited, and, most importantly, give you an idea of what tools are used to allow secure communication.

Secure Communication with an Untrusted Infrastructure Bob ISP D ISP B The focus on today’s lecture will be how to we set up a “secure channel” for communication. Alice wants to talk to Bob. Alice probably trusts ISP A, but how does she know where her traffic is going after that? Or who else might see it, or modify it before it reaches bob? ISP C ISP A Alice

What do we need for a secure communication channel? Authentication (Who am I talking to?) Confidentiality (Is my data hidden?) Integrity (Has my data been modified?) Availability (Can I reach the destination?) We will talk about the first three of these things today… availability we must tolerate failures and assume network gives us some guarantee

Example: Eavesdropping - Message Interception (Attack on Confidentiality) Mallory Bob ISP D ISP B Of course, its even more complicated…. As each ISP if made of up many routers, each which independently reach a forwarding decision. Can this infrastructure be trusted? No, mallory (or the NSA) might be on any of the routers, intercepting your communication ISP C ISP A Alice

Example: Eavesdropping - Message Interception (Attack on Confidentiality) Unauthorized access to information Packet sniffers and wiretappers Illicit copying of files and programs B A Eavesdropper slide derived from original by Nick Feamster

Eavesdropping Attack: Example tcpdump with promiscuous network interface On a switched network, what can you see? What might the following traffic types reveal about communications? Full IP packets with unencrypted data Full IP packets with encrypted payloads Just DNS lookups (and replies) slide derived from original by Nick Feamster

Authenticity Attack - Fabrication ISP D ISP B Worse yet, how does Alice even know she’s actually talking to Bob at all? This way, Mallory may not even have to compromise a router! ISP C ISP A Alice Hello, I’m “Bob”

Authenticity Attack - Fabrication Unauthorized assumption of other’s identity Generate and distribute objects under this identity B A Masquerader: from A slide derived from original by Nick Feamster

Integrity Attack - Tampering Stop the flow of the message Delay and optionally modify the message Release the message again Alice Bob Perpetrator slide derived from original by Nick Feamster

Attack on Availability Destroy hardware (cutting fiber) or software Modify software in a subtle way Corrupt packets in transit Blatant denial of service (DoS): Crashing the server Overwhelm the server (use up its resource) Alice Bob slide derived from original by Nick Feamster

Example: Web access Alice wants to connect to her bank to transfer some money... Alice wants to know ... that she’s really connected to her bank. That nobody can observe her financial data That nobody can modify her request That nobody can steal her money! The bank wants to know ... That Alice is really Alice (or is authorized to act for Alice) The same privacy things that Alice wants so they don’t get sued or fined by the government. Authentication Confidentiality Integrity (A mix)

Today's Lecture Internet security weaknesses Crypto 101 Key distribution

Cryptography As a Tool Using cryptography securely is not simple Designing cryptographic schemes correctly is near impossible. Today we want to give you an idea of what can be done with cryptography. Take a security course if you think you may use it in the future (e.g. 18-487)

Well... What tools do we have at hand? Hashing e.g., SHA-1 Secret-key cryptography, aka symmetric key. e.g., AES Public-key cryptography e.g., RSA

Secret Key Cryptography Given a key k and a message m Two functions: Encryption (E), decryption (D) ciphertext c = E(k, m) plaintext m = D(k, c) Both use the same key k. “secure” channel Hello,Bob Alice Bob.com knows K knows K But... how does that help with authentication? They both have to know a pre-shared key K before they start!

Symmetric Key: Confidentiality Motivating Example: You and a friend share a key K of L random bits, and a message M also L bits long. Scheme: You send her the xor(M,K) and then they “decrypt” using xor(M,K) again. Using XOR for encryption by itself not useful since it can be broken by frequency analysis, but it is a component in many encryption schemes. Do you get the right message to your friend? Can an adversary recover the message M?

Symmetric Key: Confidentiality One-time Pad (OTP) is secure but usually impractical Key is as long at the message Keys cannot be reused (why?) Keys cannot be resused often since if you use the same key with others they know how to decrypt the message. Also, using frequency analysis an attacker could guess the key. In practice, two types of ciphers are used that require only constant key length: Stream Ciphers: Ex: RC4, A5 Block Ciphers: Ex: DES, AES, Blowfish

Symmetric Key: Confidentiality Stream Ciphers (ex: RC4) PRNG Alice: Pseudo-Random stream of L bits XOR K A-B Message of Length L bits PRNG == Pseudorandom number generator = Encrypted Ciphertext Bob uses KA-B as PRNG seed, and XORs encrypted text to get the message back (just like OTP).

Symmetric Key: Confidentiality Block Ciphers (ex: AES) (fixed block size, e.g. 128 bits) Block 1 Block 2 Block 3 Block 4 Round #1 Round #2 Round #n The book has AES and DES descriptions. Turns out DES by itself has been shown to be succeptible to cracking, while a variant a it (called 3DES is still Ok and used). Alice: K A-B Block 1 Block 2 Block 3 Block 4 Bob breaks the ciphertext into blocks, feeds it through decryption engine using KA-B to recover the message.

Symmetric Key: Integrity Background: Hash Function Properties Consistent hash(X) always yields same result One-way given X, can’t find Y s.t. hash(Y) = X Collision resistant given hash(W) = Z, can’t find X such that hash(X) = Z Hash Fn Fixed Size Hash Message of arbitrary length

Symmetric Key: Integrity Hash Message Authentication Code (HMAC) Step #1: Alice creates MAC Hash Fn Message MAC This is similar to a checksum, but secure. Why? Note: the message does not have to be encrypted, unless you also desire confidentiality. Will the MAC always check out on the receiving end? Yes, b/c receiver has key, and HASH is consistent. Can attacker substitute in another message? No, b/c of collision resistance of HASH Can attacker recover the key, based on the message? No, b/c of one-way nature of HASH K A-B Alice Transmits Message & MAC Step #2 Step #3 Bob computes MAC with message and KA-B to verify. MAC Message Why is this secure from a message integrity perspective? How do properties of a hash function help us?

Symmetric Key: Authentication You already know how to do this! (hint: think about how we showed integrity) Hash Fn I am Bob A43FF234 Wrong! K A-B Alice receives the hash, computes a hash with KA-B , and she knows the sender is Bob

Symmetric Key: Authentication What if Mallory overhears the hash sent by Bob, and then “replays” it later? ISP D ISP B ISP C ISP A Hello, I’m Bob. Here’s the hash to “prove” it A43FF234

Symmetric Key: Authentication A “Nonce” A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result. Nonce Bob Alice Nonce Hash B4FE64 K A-B B4FE64 Performs same hash with KA-B and compares results

Symmetric Key: Authentication A “Nonce” A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result. Nonce ?!?! Alice Mallory If Alice sends Mallory a nonce, she cannot compute the corresponding MAC without K A-B

Symmetric Key Crypto Review Confidentiality: Stream & Block Ciphers Integrity: HMAC Authentication: HMAC and Nonce Questions?? Are we done? Not Really: Number of keys scales as O(n2) How to securely share keys in the first place?

Asymmetric Key Crypto: Instead of shared keys, each person has a “key pair” KB Bob’s public key Bob’s private key Note: We are not going to go into the details of what KB(m) means as far as computation. We will treat it as a black box function with these properties. KB-1 The keys are inverses, so: KB-1 (KB (m)) = m

Asymmetric/Public Key Crypto: Given a key k and a message m Two functions: Encryption (E), decryption (D) ciphertext c = E(KB, m) plaintext m = D(KB-1 , c) Encryption and decryption use different keys! “secure” channel Hello,Bob Alice Bob.com Knows KB Knows KB, KB-1 But how does Alice know that KB means “Bob”?

Asymmetric Key Crypto: It is believed to be computationally unfeasible to derive KB-1 from KB or to find any way to get M from KB(M) other than using KB-1 . KB can safely be made public. Note: We will not detail the computation that KB(m) entails, but rather treat these functions as black boxes with the desired properties. (more details in the book). Note: We are not going to go into the details of that KB(m) means as far as computation. We will treat it as a black box function with these properties.

Asymmetric Key: Confidentiality KB Bob’s public key KB-1 Bob’s private key encryption algorithm decryption algorithm plaintext message ciphertext m = KB-1 (KB (m)) KB (m)

Asymmetric Key: Sign & Verify If we are given a message M, and a value S such that KB(S) = M, what can we conclude? The message must be from Bob, because it must be the case that S = KB-1(M), and only Bob has KB-1 ! This gives us two primitives: Sign (M) = KB-1(M) = Signature S Verify (S, M) = test( KB(S) == M )

Asymmetric Key: Integrity & Authentication We can use Sign() and Verify() in a similar manner as our HMAC in symmetric schemes. S = Sign(M) Message M Integrity: Note: there is another way to do authentication, which we will see when we look at SSL. Receiver must only check Verify(M, S) Nonce Authentication: S = Sign(Nonce) Verify(Nonce, S)

Asymmetric Key Review: Confidentiality: Encrypt with Public Key of Receiver Integrity: Sign message with private key of the sender Authentication: Entity being authenticated signs a nonce with private key, signature is then verified with the public key But, these operations are computationally expensive*

The Great Divide Yes No Fast Slow Asymmetric Crypto: (Public key) Example: RSA Symmetric Crypto: (Private key) Example: AES Requires a pre-shared secret between communicating parties? Yes No The three attributes of a secure communication we mentioned can be achieved using two different “types”, or “families” of cryptography. Each family has within it many different algorithms, with slightly different properties. Symmetric and Asymmetric cryptography differ in the assumptions they make about the “secrets”, or “keys” that two participants use to enable secure communication. Symmetric key crypto assumes that the parties have used some mechanism to set-up a “shared secret” between the two parties that can be used to secure further communication. Public key crypto, as we will see, does not make this assumption, yet can still provide strong security properties. However, the mechanism to do this uses complex math, and as a result, the time to perform asymmetric crypto operations is significantly longer than their symmetric counter-parts. Overall speed of cryptographic operations Fast Slow

Today's Lecture Internet security weaknesses Crypto 101 Key distribution (cover on Thursday)