Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison Wesley 2002)

Trusted Intermediaries How do 2 entities establish shared keys? –Trusted key distribution center –Gives appropriate one-time session key to each entity when a conversation is established –No entity knows another’s secret key (except for a specific conversation) How do I know the public key Alice sent me is really Alice’s public key? –Trusted Certification Authority keeps list of all public keys; issues certificates with ID & public key (encrypted with CA’s private key, so nonforgeable)

Key Distribution Center Alice knows R1 Bob knows to use R1 to communicate with Alice Alice and Bob communicate: using R1 as session key for shared symmetric encryption KDC generates R1 K B-KDC (A,R1) K A-KDC (A,B) K A-KDC (R1, K B-KDC (A,R1) )

Certification Authority Binds key to entity E (host or router) Generates digitally-signed certificate after receiving appropriate proof of identity and payment Bob’s public key K B + Bob’s identifying information digital signature (encrypt) CA private key K CA - K B + certificate for Bob’s public key, signed by CA

Firewall Analogy: brick wall between apartments to contain a fire In networking, isolates internal net from larger Internet, hopefully containing attacks firewall

What Can Firewall Prevent? Denial of service attacks –SYN flooding establishes bogus TCP connections, preventing “real users” from establishing them Illegal access / modification of internal data Access by unauthorized users/hosts

Types of Firewall Packet sniffing –Each packet examined and allowed to pass (or not) based on a set of rules Application level –All messages for a given application pass through a “gateway” –Information such as username available at application level, but not packet

Packet Filtering Rules Packets can be determined to pass or not based on: –Source, Destination IP address –TCP / UDP source & destination port numbers –ICMP message type –TCP SYN and ACK bits E.g. TCP ACK=0 is new message originating from outside Ordering of rules is important (and can get complex) - see Table 8.5

Application Gateway Filters packets on application data (e.g. user) –E.g. only certain users can telnet host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter –Telnet connections through gateway allowed (authentication at gateway) –All other (direct) telnet connections blocked

Limitations of Firewalls and Gateways IP spoofing - fake “return address” to get through Client needs to know how to access application gateway (e.g. proxy server address configured in browser) Tradeoff: more communication vs. more risk Even highly protected sites suffer attacks ‘Arms race’ mentality (hacker vs. netadmins)

Attacks Mapping –Ping, port sniffing, etc. Packet Sniffing –Interfaces in “promiscuous mode” look at every packet Spoofing –“From” IP does not match IP of device Denial of service & Hijacking (next slides)

Countermeasures Mapping –Record & analyze traffic, react to suspicious patterns (e.g. update firewall rules) Packet Sniffing –Watch for hosts in promiscuous mode –Avoid broadcast media (e.g. use switch, not hub) Spoofing –Stop bogus packet at outgoing router (if not from that network) but we can’t control everyone else’s router Denial of service & Hijacking (next slides)

Denial of Service Attacks SYN flooding –Starts the TCP handshake, but does not complete –Server allocates data structures for “partial connections” until space runs out SMURF attack –Convince many innocent hosts to send ICMP packets (traceroute) back to attacked host DDoS (Distributed Denial of Service) –Many hosts act as “slaves” for the attacker due to prior compromise

Denial of Service Countermeasures Filter out flooded packets at firewall (loss of good packets, too) Traceback to source of floods –Probably an innocent machine that has been compromised!

Hijacking Attack Bob is connected to Alice, Trudy listening in –Trudy gets seq num, ack num, etc from packets Trudy eliminates Alice’s host –DoS attack, e.g. Trudy continues the conversation –Spoof’s Alice’s host –All header info is correct –Data can be whatever Trudy wants!

Hijacking Countermeasures Application level –Authentication protocols –Encryption –Trusted intermediaries –Digital signatures Packet level –Encryption of broadcast media (e.g. wireless) –Protect physical media from tapping

Security Across Layers Application Layer –Secure Transport Layer –Secure sockets layer (SSL) –Transport Layer security (TLS) Network Layer –IPsec (IP security) Authentication Header Protocol (AH) Encapsulation Security Payload Protocol (ESP) Data Link Layer –Wired Equivalence Privacy (WEP) on

What Security Provides (review) Confidentiality Message integrity Authentication –Sender –Receiver

Secure Confidentiality Encryption options –Private key (key exchange problem) –Public key (inefficient for long ) Best of both worlds –Alice chooses “random” session key –Alice encrypts message using session key –Alice encrypts session key using Bob’s public key Recipient authentication as well as confidentiality (why?)

Confidential K S ( ). K B ( ) K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) + Ks = session key, Kb+ and Kb- are Bob’s public and private keys

Secure Message Integrity Use a hash function to compress the message: H(m) Encrypt the hash using Alice’s private key (KA- (H(m)) –This is the signature Send m + (KA- (H(m)) together Bob computes H(m), compares to KA+(Alice’s sig) –If they’re equal, message is valid Also provides sender authentication (why?)

Pretty Good Privacy Provides all 4 aspects of security –Note 3 keys! H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

Security for Internet Commerce Protect consumer from having credit card info stolen “in transit” Protect consumer from providing credit card (etc) information to “spoofed site”

Secure Sockets Layer Data Encryption and Authentication Handshake –Negotiate encryption algorithm and session keys –Authenticate server to the client Transaction –All data is encrypted using negotiated algorithm and session keys

How It Works (Almost-SSL) Client & Server exchange TCP handshake –SYN, SYN+ACK, ACK Client establishes server’s identity –SSL hello, certificate “Master Secret” (to generate keys) exchanged –Client creates MS, sends K+(MS) –K+ is public key from certificate

How It Works (Almost SSL) From MS, we generate 4 keys –Eb = session encryption key for Bob->Alice –Mb = session MAC key for Bob->Alice –Ea, Ma from Alice->Bob Encryption keys encrypt data MAC keys verify data integrity –Record data + M key are hashed & encrypted with E key. –Recipient decrypts and checks

Real SSL adds… Negotiate & agree on cryptographic algorithms Nonces sent during handshake –Used in creation of MS for E and M session keys MAC of handshakes sent both ways at end (to protect the handshake itself)

SSL Not Just for Web “Secure Sockets” can be used by other applications –ssh (secure telnet) –scp (secure file transfer) –IMAP (secure ) Application -> SSL -> TCP (& vice versa)

SSL Authentication Browser has list of trusted Certification Authorities & their public keys Browser obtains certificate with server’s public key (digitally signed by CA) Server also has access to client certificates from CA –Client authentication is optional

SSL Confidentiality All data is encrypted using info determined during handshake (authentication is included, too): –Browser sends its SSL version # and preferences –Server sends its SSL version #, preferences, and certificate (contains public key, signed by CA) –Browser checks validity of certificate –Browser generates session key, encrypts with server’s public key & sends –Browser sends encrypted “handshake done” message –Server sends encrypted “handshake done” message

IP Security (IPSec) Confidentiality –Message contents are encrypted –TCP / UDP headers are encrypted too This protects control and management messages as well as data Source Authentication –IP cannot be spoofed –Based on signature

IPSec Protocols Authentication Header Protocol (AH) –Source authentication –Data integrity Encapsulation Security Protocol (ESP) –Surce Authentication –Data Integrity –Confidentiality Both are based on Security Association –Logical connection established by handshake –Security protocol ID, source IP and Security Parameter Index (SPI) = unique 32-bit connection ID

IEEE (WiFi) Security “War Driving” - drive around a city, see what open networks are available –Generally find many unprotected networks available from the street Securing –WEP (failed) –802.11i (improved, ratified June 2004)

Wireless Equivalent Privacy Based on symmetric key (no key exchange protocol specified) –Request connection, receive nonce, encrypt nonce, if correct, connection accepted Encryption based on symmetric key plus Initialization Vector (IV) and XOR Algorithm, RC4, changes IV (in a pattern) for every transmission, and transmits Problems –Not enough unique IV’s (only a few seconds’ worth) –IV transmitted in plaintext! –If Trudy knows content and sees encrypted files, keys can be extracted.

IEEE i - Four phases AP: access point AS: Authentication server wired network STA: client station 1 Discovery of security capabilities 3 STA and AS mutually authenticate, together generate Master Key (MK). AP servers as “pass through” 2 3 STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

Advantages of i Explicit key distribution protocol, using concept of “trusted host”, in this case the authentication server Multiple available forms of encryption, including AES based encryption and other stronger than WEP Separates authentication server from Access Point (centralizing important decisions)