Security 15-441 With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar, and others.

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Chapter 5 Network Security Protocols in Practice Part I
Security Part Two: Attacks and Countermeasures. Flashback: Internet design goals 1.Interconnection 2.Failure resilience 3.Multiple types of service 4.Variety.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Security Awareness: Applying Practical Security in Your World
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
L-13 Security 1. Schedule up to Midterm 2/26 No class (work on project 1, hw3) Review 3/2 Monday 4:30 pm NSH 3002 HW 3 due Midterm 3/3 Tuesday in class.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Security Part One: Network Attacks and Countermeasures Xin Zhang.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Introduction to Network Security
Secure Communication with an Insecure Internet Infrastructure.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Secure Communication with an Insecure Internet Infrastructure Lecture Nov. 21 st 2006 Dan Wendlandt.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Chapter 31 Network Security
L-24 Security 1. Today's Lecture Internet security weaknesses Establishing secure channels (Crypto 101) Key distribution 2.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Chapter 6: Packet Filtering
By Anonymous Student. Outline  Security vulnerabilities  Denial-of-Service (DoS) and Distributed-Denial-of- Service (D-DoS)  Firewalls  Intrusion.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 – Network Security.
Final Exam Review Knowledge questions True or false statement (explain why) Protocol Calculation Cover the second half contents.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Security: An Overview of Cryptographic Techniques /440 With slides from: Debabrata Dash, Nick Feamster, Gregory Kesden, Vyas Sekar and others.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Security Part One: Attacks and Countermeasures Dejian Ye, Liu Xin : F08 security1.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Network Security Understand principles of network security:
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
DoS/DDoS attack and defense
L-24 Security 1. Today's Lecture Internet security weaknesses Establishing secure channels (Crypto 101) Key distribution 2.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.
Presentation on ip spoofing BY
Distributed Systems Fall 2016
IT443 – Network Security Administration Instructor: Bo Sheng
Secure Sockets Layer (SSL)
Introduction to Network Security
Secure Communication with an Insecure Internet Infrastructure
Security With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar, and others : security.
Lecture 10: Network Security.
Presentation transcript:

Security 15-441 With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar, and others

 2011 Carnegie Mellon University Our “Narrow” Focus Yes: Protecting network resources and limiting connectivity (Part I) Creating a “secure channel” for communication (Part II - already covered, see lecture 5) No: Preventing software vulnerabilities & malware, or “social engineering”. For this course though, we want to focus on understanding how the Internet’s design contributes to a variety of security vulnerabilities, how these vulnerabilities can be exploited, and, most importantly, give you an idea of what tools are used to allow secure communication. 15-411 Fall 2011  2011 Carnegie Mellon University

Flashback .. Internet design goals Interconnection Failure resilience Multiple types of service Variety of networks Management of resources Cost-effective Low entry-cost Accountability for resources Where is security? Look back at some of the goals of early internet design .. Security doesn’t seem to figure at all! 15-411 Fall 2011  2011 Carnegie Mellon University

Why did they leave it out? Designed for connectivity Network designed with implicit trust No “bad” guys Can’t security be provided at the edge? Encryption, Authentication etc End-to-end arguments in system design Turns .. Out the original design was geared toward connectivity and getting different formats/protocols to interoperate. And since it was largely an academic initiative, there was implict trust across the network. Another argument was that many security properties really are edge-level -- I.e. you have to provide them end-to-end anyway .. Why bother doing anything at the network-level! There is some truth to this -- especially authentication/integrity/confidentiality etc. but there are other network-layer problems that the e2e argument doesn’t quite cover! 15-411 Fall 2011  2011 Carnegie Mellon University

Security Vulnerabilities At every layer in the protocol stack! Network-layer attacks IP-level vulnerabilities Routing attacks Transport-layer attacks TCP vulnerabilities Application-layer attacks Turns out .. There are vulnerabilities at every layer in the protocol stack -- network/transport/application. E.g., of network layer attacks include attacks on routing protocols and exploiting some of the drawbacks of internet addressing. Tranport layer attacks are things like session hijacks/syn floods etc. and of course application protocols could have their own set of problems 15-411 Fall 2011  2011 Carnegie Mellon University

IP-level vulnerabilities IP addresses are provided by the source Spoofing attacks Using IP address for authentication e.g., login with .rhosts Some “features” that have been exploited Fragmentation Broadcast for traffic amplification 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Security Flaws in IP The IP addresses are filled in by the originating host Address spoofing Using source address for authentication r-utilities (rlogin, rsh, rhosts etc..) Can A claim it is B to the server S? ARP Spoofing Can C claim it is B to the server S? Source Routing 2.1.1.1 C Internet 1.1.1.3 S A 1.1.1.1 1.1.1.2 B 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University ARP Spoofing Attacker uses ARP protocol to associate MAC address of attacker with another host's IP address E.g. become the default gateway: Forward packets to real gateway (interception) Alter packets and forward (man-in-the-middle attack) Use non-existant MAC address or just drop packets (denial of service attack) ARP Spoofing used in hotel & airport networks to direct new hosts to register before getting "connected" 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Source Routing ARP spoofing cannot redirect packets to another network We have studied routing protocols: routers do all the work, so if you spoof an IP source address, replies go to the spoofed host An option in IP is to provide a route in the packet: source routing. Equivalent to tunneling. Attack: spoof the host IP address and specify a source route back to the attacker. 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Smurf Attack Ping request to a broadcast address with source = victim's IP address Internet Ping reply from every host Attacking System How do we amplify the attack? Replies directed to victim Ping request to broadcast address with source = victim's IP address Broadcast Enabled Network Victim System 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University ICMP Attacks ICMP: Internet Control Message Protocol No authentication ICMP redirect message Oversized ICMP messages can crash hosts Destination unreachable Can cause the host to drop connection Many more… http://www.sans.org/rr/whitepapers/threats/477.php 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University ICMP Redirect ICMP Redirect message: tell a host to use a different gateway on the same network (saves a hop for future packets) Host A "Good" Gateway Attacker Spoof an ICMP Redirect message from "Good" Gateway to redirect traffic through Attacker TCP packets 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Routing attacks Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Link-state: BGP vulnerabilities 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Routing attacks Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Announce low-cost routes Link-state: Dropping links from topology BGP vulnerabilities Prefix-hijacking Path alteration 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University TCP-level attacks SYN-Floods Implementations create state at servers before connection is fully established Session hijack Pretend to be a trusted host Sequence number guessing Session resets Close a legitimate connection 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Session Hijack Server 1.SYN (ISN_X) SRC = X 2.SYN(ISN_S1), ACK(ISN_X) Trusted (T) First send a legitimate SYN to server Malicious (M) 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Session Hijack Server 1.SYN (ISN_X) SRC = T 2.SYN(ISN_S2), ACK(ISN_X) 3.ACK(ISN_S2) SRC = T Trusted (T) Using ISN_S1 from earlier connection guess ISN_S2! Malicious (M) 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University TCP Layer Attacks TCP SYN Flooding Exploit state allocated at server after initial SYN packet Send a SYN and don’t reply with ACK Server will wait for 511 seconds for ACK Finite queue size for incomplete connections (1024) Once the queue is full it doesn’t accept requests 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University TCP Layer Attacks TCP Session Poisoning Send RST packet Will tear down connection Do you have to guess the exact sequence number? Anywhere in window is fine For 64k window it takes 64k packets to reset About 15 seconds for a T1 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University An Example Shimomura (S) Trusted (T) Mitnick Finger Showmount -e SYN Finger @S showmount –e Send 20 SYN packets to S Attack when no one is around What other systems it trusts? Determine ISN behavior 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University An Example Shimomura (S) Trusted (T) Mitnick X Syn flood Finger @S showmount –e Send 20 SYN packets to S SYN flood T Attack when no one is around What other systems it trusts? Determine ISN behavior T won’t respond to packets 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University An Example Shimomura (S) Trusted (T) Mitnick SYN|ACK X ACK SYN Finger @S showmount –e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Attack when no one is around What other systems it trusts? Determine ISN behavior T won’t respond to packets S assumes that it has a session with T 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University An Example Shimomura (S) Trusted (T) Mitnick X ++ > rhosts Finger @S showmount –e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Send “echo + + > ~/.rhosts” Attack when no one is around What other systems it trusts? Determine ISN behavior T won’t respond to packets S assumes that it has a session with T Give permission to anyone from anywhere 15-411 Fall 2011  2011 Carnegie Mellon University

Where do the problems come from? Protocol-level vulnerabilities Implicit trust assumptions in design Implementation vulnerabilities Both on routers and end-hosts Incomplete specifications Often left to the imagination of programmers High-level question is where do these security problems come from -- protocol/implementation/specification 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Outline – Part I Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Denial of Service Make a service unusable/unavailable Disrupt service by taking down hosts E.g., ping-of-death Consume host-level resources E.g., SYN-floods Consume network resources E.g., UDP/ICMP floods 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Simple DoS Attacker usually spoofs source address to hide origin Aside: Backscatter Analysis When attack traffic results in replies from the victim E.g. TCP SYN, ICMP ECHO Lots of traffic Attacker Victim 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Backscatter Analysis Attacker sends spoofed TCP SYN packets to www.haplessvictim.com With spoofed addresses chosen at random My network sees TCP SYN-ACKs from www.haplessvictim.com at rate R What is the rate of the attack? Assuming addresses chosen are uniform (2^32/ Network Address space) * R 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Reflector Attack Attacker Agent Reflector Victim Src = Victim Destination = Reflector Reflector is another way to amplify the attack Src = Reflector Destination = Victim Unsolicited traffic at victim from legitimate hosts 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Distributed DoS Attacker Handler Agent Victim More like whats done today .. Botnet -- army of compromised hosts to attack -- cant implicate the true attacker .. Significant volumes of traffic can be generated 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Distributed DoS Handlers are usually high volume servers Easy to hide the attack packets Agents are usually home users with DSL/Cable Already infected and the agent installed Very difficult to track down the attacker Multiple levels of indirection! Aside: How to distinguish DDos from flash crowd? 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Outline – Part I Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Worm Overview Self-propagate through network Typical Steps in worm propagation Probe host for vulnerable software Exploit the vulnerability (e.g., buffer overflow) Attacker gains privileges of the vulnerable program Launch copy on compromised host Spread at exponential rate 10M hosts in < 5 minutes Hard to deal with manual intervention 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Scanning Techniques Random Local subnet Routing Worm Hitlist Topological 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Random Scanning 32-bit randomly generated IP address E.g., Slammer and Code Red I What about IPv6? Hits black-holed IP space frequently Only 28.6% of IP space is allocated Detect worms by monitoring unused addresses Honeypots/Honeynet 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Subnet Scanning Generate last 1, 2, or 3 bytes of IP address randomly Code Red II and Blaster Some scans must be completely random to infect whole internet 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Routing Worm BGP information can tell which IP address blocks are allocated This information is publicly available http://www.routeviews.org/ http://www.ripe.net/ris/ 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Hit List List of vulnerable hosts sent with payload Determined before worm launch by scanning Boosts worm growth in the slow start phase Can evade common detection techniques 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Topological Uses info on the infected host to find the next target Morris Worm used /etc/hosts , .rhosts Email address books P2P software usually store info about peers that each host connects to 15-411 Fall 2011  2011 Carnegie Mellon University

Some proposals for countermeasures Better software safeguards Static analysis and array bounds checking (lint/e-fence) Safe versions of library calls gets(buf) -> fgets(buf, size, ...) sprintf(buf, ...) -> snprintf(buf, size, ...) Host-diversity Avoid same exploit on multiple machines Network-level: IP address space randomization Host-level solutions E.g., Memory randomization, Stack guard Rate-limiting: Contain the rate of spread Content-based filtering: signatures in packet payloads 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Outline – Part I Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS 15-411 Fall 2011  2011 Carnegie Mellon University

Countermeasure Overview High level basic approaches Prevention Detection Resilience Requirements Security: soundness / completeness (false positive / negative Overhead Usability 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Design questions .. Why is it so easy to send unwanted traffic? Worm, DDoS, virus, spam, phishing etc Where to place functionality for stopping unwanted traffic? Edge vs. Core Routers vs. Middleboxes Redesign Internet architecture to detect and prevent unwanted traffic? 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Firewalls Block/filter/modify traffic at network-level Limit access to the network Installed at perimeter of the network Why network-level? Vulnerabilities on many hosts in network Users don’t keep systems up to date Lots of patches to keep track of Zero-day exploits 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Firewalls (contd…) Firewall inspects traffic through it Allows traffic specified in the policy Drops everything else Two Types Packet Filters, Proxies Internal Network Firewall Internet 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Packet Filters Selectively passes packets from one network interface to another Usually done within a router between external and internal network What/How to filter? Packet Header Fields IP source and destination addresses Application port numbers ICMP message types/ Protocol options etc. Packet contents (payloads) 15-411 Fall 2011  2011 Carnegie Mellon University

Packet Filters: Possible Actions Allow the packet to go through Drop the packet (Notify Sender/Drop Silently) Alter the packet (NAT?) Log information about the packet 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Some examples Block all packets from outside except for SMTP servers Block all traffic to/from a list of domains Ingress filtering Drop pkt from outside with addresses inside the network Egress filtering Drop pkt from inside with addresses outside the network 15-411 Fall 2011  2011 Carnegie Mellon University

Typical Firewall Configuration Internet Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hosts DMZ X X Intranet 15-411 Fall 2011  2011 Carnegie Mellon University

Firewall implementation Stateless packet filtering firewall Rule  (Condition, Action) Rules are processed in top-down order If a condition satisfied – action is taken 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Sample Firewall Rule Allow SSH from external hosts to internal hosts Two rules Inbound and outbound How to know a packet is for SSH? Inbound: src-port>1023, dst-port=22 Outbound: src-port=22, dst-port>1023 Protocol=TCP Ack Set? Problems? SYN SYN/ACK ACK Client Server Rule Dir Src Addr Src Port Dst Addr Dst Port Proto Ack Set? Action Ext Int Out SSH-2 In SSH-1 > 1023 22 TCP Yes Any Alow Allow 15-411 Fall 2011  2011 Carnegie Mellon University

Default Firewall Rules Egress Filtering Outbound traffic from external address  Drop Benefits? Ingress Filtering Inbound Traffic from internal address  Drop Default Deny Why? Rule Dir Src Addr Src Port Dst Addr Dst Port Proto Ack Set? Action Egress Out Ext Any Ext Any Any Any Deny Any Deny Int In Ingress Default Any Deny 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Packet Filters Advantages Transparent to application/user Simple packet filters can be efficient Disadvantages Usually fail open Very hard to configure the rules May only have coarse-grained information? Does port 22 always mean SSH? Who is the user accessing the SSH? 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Alternatives Stateful packet filters Keep the connection states Easier to specify rules Problems? State explosion State for UDP/ICMP? Proxy Firewalls Two connections instead of one Either at transport level SOCKS proxy Or at application level HTTP proxy 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Proxy Firewall Data Available Application level information User information Advantages? Better policy enforcement Better logging Fail closed Disadvantages? Doesn’t perform as well One proxy for each application Client modification 15-411 Fall 2011  2011 Carnegie Mellon University

Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks Solution? Intrusion Detection Systems Monitor data and behavior Report when identify attacks 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Classes of IDS What type of analysis? Signature-based Anomaly-based Where is it operating? Network-based Host-based 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Signature-based IDS Characteristics Uses known pattern matching to signify attack Advantages? Widely available Fairly fast Easy to implement Easy to update Disadvantages? Cannot detect attacks for which it has no signature 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Anomaly-based IDS Characteristics Uses statistical model or machine learning engine to characterize normal usage behaviors Recognizes departures from normal as potential intrusions Advantages? Can detect attempts to exploit new and unforeseen vulnerabilities Can recognize authorized usage that falls outside the normal pattern Disadvantages? Generally slower, more resource intensive compared to signature-based IDS Greater complexity, difficult to configure Higher percentages of false alerts 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Network-based IDS Characteristics NIDS examine raw packets in the network passively and triggers alerts Advantages? Easy deployment Unobtrusive Difficult to evade if done at low level of network operation Disadvantages? Fail Open Different hosts process packets differently NIDS needs to create traffic seen at the end host Need to have the complete network topology and complete host behavior 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Host-based IDS Characteristics Runs on single host Can analyze audit-trails, logs, integrity of files and directories, etc. Advantages More accurate than NIDS Less volume of traffic so less overhead Disadvantages Deployment is expensive What happens when host get compromised? 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Summary – Part I Security vulnerabilities are real! Protocol or implementation or bad specs Poor programming practices At all layers in protocol stack DoS/DDoS Resource utilization attacks Worm/Malware Exploit vulnerable services Exponential spread Countermeasures: Firewall/IDS 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University PART 2 These slides will not be covered in class These topics already covered in lecture 5 These slides are here for future reference This might be a good way to review your knowledge of encryption for network security 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Our “Narrow” Focus Yes: Protecting network resources and limiting connectivity (Part I) Creating a “secure channel” for communication (Part II) No: Preventing software vulnerabilities & malware, or “social engineering”. For this course though, we want to focus on understanding how the Internet’s design contributes to a variety of security vulnerabilities, how these vulnerabilities can be exploited, and, most importantly, give you an idea of what tools are used to allow secure communication. 15-411 Fall 2011  2011 Carnegie Mellon University

Internet Design Decisions and Security Origin as a small and cooperative network (=> largely trusted infrastructure) Global Addressing (=> every sociopath is your next-door neighbor*) Connection-less datagram service (=> can’t verify source, hard to protect bandwidth) Assumption is still true, even now when Internet is a huge collection of independent ISPs. * Dan Geer 15-411 Fall 2011  2011 Carnegie Mellon University

Internet Design Decisions and Security Anyone can connect (=> ANYONE can connect) Millions of hosts run nearly identical software (=> single exploit can create epidemic) Most Internet users know about as much as Senator Stevens aka “the tubes guy” (=> God help us all…) Assumption is still true, even now when Internet is a huge collection of independent ISPs. 15-411 Fall 2011  2011 Carnegie Mellon University

Secure Communication with an Untrusted Infrastructure Bob ISP D ISP B The focus on today’s lecture will be how to we set up a “secure channel” for communication. Alice wants to talk to Bob. Alice probably trusts ISP A, but how does she know where her traffic is going after that? Or who else might see it, or modify it before it reaches bob? ISP C ISP A Alice 15-411 Fall 2011  2011 Carnegie Mellon University

Secure Communication with an Untrusted Infrastructure Mallory Bob ISP D ISP B Of course, its even more complicated…. As each ISP if made of up many routers, each which independently reach a forwarding decision. Can this infrastructure be trusted? No, mallory (or the NSA) might be on any of the routers, intercepting your communication ISP C ISP A Alice 15-411 Fall 2011  2011 Carnegie Mellon University

Secure Communication with an Untrusted Infrastructure ISP D ISP B Worse yet, how does Alice even know she’s actually talking to Bob at all? This way, Mallory may not even have to compromise a router! ISP C ISP A Alice Hello, I’m “Bob” 15-411 Fall 2011  2011 Carnegie Mellon University

What do we need for a secure communication channel? Authentication (Who am I talking to?) Confidentiality (Is my data hidden?) Integrity (Has my data been modified?) Availability (Can I reach the destination?) We will talk about the first three of these things today… we spoke about availability on Tuesday 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University What is cryptography? "cryptography is about communication in the presence of adversaries." - Ron Rivest “cryptography is using math and other crazy tricks to approximate magic” - Unknown 441 TA 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University What is cryptography? Tools to help us build secure communication channels that provide: 1) Authentication 2) Integrity 3) Confidentiality 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Cryptography As a Tool Using cryptography securely is not simple Designing cryptographic schemes correctly is near impossible. Today we want to give you an idea of what can be done with cryptography. Take a security course if you think you may use it in the future 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University The Great Divide Symmetric Crypto (Private key) (E.g., AES) Asymmetric Crypto (Public key) (E.g., RSA) Shared secret between parties? Yes No The three attributes of a secure communication we mentioned can be achieved using two different “types”, or “families” of cryptography. Each family has within it many different algorithms, with slightly different properties. Symmetric and Asymmetric cryptography differ in the assumptions they make about the “secrets”, or “keys” that two participants use to enable secure communication. Symmetric key crypto assumes that the parties have used some mechanism to set-up a “shared secret” between the two parties that can be used to secure further communication. Public key crypto, as we will see, does not make this assumption, yet can still provide strong security properties. However, the mechanism to do this uses complex math, and as a result, the time to perform asymmetric crypto operations is significantly longer than their symmetric counter-parts. Speed of crypto operations Fast Slow 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Confidentiality Motivating Example: You and a friend share a key K of L random bits, and want to secretly share message M also L bits long. Scheme: You send her the xor(M,K) and then she “decrypts” using xor(M,K) again. Do you get the right message to your friend? Can an adversary recover the message M? Can adversary recover the key K? 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Confidentiality One-time Pad (OTP) is secure but usually impactical Key is as long at the message Keys cannot be reused (why?) In practice, two types of ciphers are used that require constant length keys: Block Ciphers: Ex: DES, AES, Blowfish Stream Ciphers: Ex: RC4, A5 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Confidentiality Stream Ciphers (ex: RC4) PRNG Alice: Pseudo-Random stream of L bits XOR K A-B Message of Length L bits = Encrypted Ciphertext Bob uses KA-B as PRNG seed, and XORs encrypted text to get the message back (just like OTP). 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Confidentiality Block Ciphers (ex: AES) (fixed block size, e.g. 128 bits) Block 1 Block 2 Block 3 Block 4 Round #1 Round #2 Round #n Alice: K A-B Block 1 Block 2 Block 3 Block 4 Bob breaks the ciphertext into blocks, feeds it through decryption engine using KA-B to recover the message. 15-411 Fall 2011  2011 Carnegie Mellon University

Cryptographic Hash Functions Consistent hash(X) always yields same result One-way given Y, can’t find X s.t. hash(X) = Y Collision resistant given hash(W) = Z, can’t find X such that hash(X) = Z Hash Fn Fixed Size Hash Message of arbitrary length 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Integrity Hash Message Authentication Code (HMAC) Step #1: Alice creates MAC Hash Fn Message MAC This is similar to a checksum, but secure. Why? Note: the message does not have to be encrypted, unless you also desire confidentiality. Will the MAC always check out on the receiving end? Yes, b/c receiver has key, and HAS is consistent. Can attacker substitute in another message? No, b/c of collision resistance of HASH Can attacker recover the key, based on the message? No, b/c of one-way nature of HASH K A-B Alice Transmits Message & MAC Step #2 Step #3 Bob computes MAC with message and KA-B to verify. MAC Message Why is this secure? How do properties of a hash function help us? 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Authentication You already know how to do this! (hint: think about how we showed integrity) Hash Fn I am Bob A43FF234 whoops! K A-B Alice receives the hash, computes a hash with KA-B , and she knows the sender is Bob 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Authentication What if Mallory overhears the hash sent by Bob, and then “replays” it later? ISP D ISP B ISP C ISP A Hello, I’m Bob. Here’s the hash to “prove” it A43FF234 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Authentication A “Nonce” A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result. Nonce Bob Alice Nonce Hash B4FE64 K A-B B4FE64 Performs same hash with KA-B and compares results 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key: Authentication A “Nonce” A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result. Nonce ?!?! Alice Mallory If Alice sends Mallory a nonce, she cannot compute the corresponding MAC without K A-B 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key Crypto Review Confidentiality: Stream & Block Ciphers Integrity: HMAC Authentication: HMAC and Nonce Questions?? Are we done? Not Really: Number of keys scales as O(n2) How to securely share keys in the first place? 15-411 Fall 2011  2011 Carnegie Mellon University

Diffie-Hellman key exchange An early (1976) way to create a shared secret. Everyone knows a prime, p, and a generator, g. Alice and Bob want to share a secret, but only have internet to communicate over. 15-411 Fall 2011  2011 Carnegie Mellon University

DH key exchange Everyone: large prime p and generator g Bob Alice Create secret: a Send Bob: ga mod p Create secret: b Bob Alice Send Alice: gb mod p Compute: (gb mod p)a Compute: (ga mod p)b Voila: They both know gab which is secret! 15-411 Fall 2011  2011 Carnegie Mellon University

DH key exchange & Man-In-The-Middle ga mod p gc mod p gc mod p gb mod p 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key Crypto: Instead of shared keys, each person has a “key pair” KB Bob’s public key KB-1 Bob’s private key Note: We are not going to go into the details of that KB(m) means as far as computation. We will treat it as a black box function with these properties. The keys are inverses, so: KB-1 (KB (m)) = m 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key Crypto: It is believed to be computationally unfeasible to derive KB-1 from KB or to find any way to get M from KB(M) other than using KB-1 . => KB can safely be made public. Note: We will not explain the computation that KB(m) entails, but rather treat these functions as black boxes with the desired properties. Note: We are not going to go into the details of that KB(m) means as far as computation. We will treat it as a black box function with these properties. 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key: Confidentiality Bob’s public key KB Bob’s private key KB-1 encryption algorithm ciphertext decryption algorithm plaintext message KB (m) m = KB-1 (KB (m)) 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key: Sign & Verify If we are given a message M, and a value S such that KB(S) = M, what can we conclude? The message must be from Bob, because it must be the case that S = KB-1(M), and only Bob has KB-1 ! This gives us two primitives: Sign (M) = KB-1(M) = Signature S Verify (S, M) = test( KB(S) == M ) 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key: Integrity & Authentication We can use Sign() and Verify() in a similar manner as our HMAC in symmetric schemes. S = Sign(M) Message M Integrity: Note: there is another way to do authentication, which we will see when we look at SSL. Receiver must only check Verify(M, S) Nonce Authentication: S = Sign(Nonce) Verify(Nonce, S) 15-411 Fall 2011  2011 Carnegie Mellon University

Asymmetric Key Review: Confidentiality: Encrypt with Public Key of Receiver Integrity: Sign message with private key of the sender Authentication: Entity being authenticated signs a nonce with private key, signature is then verified with the public key But, these operations are computationally expensive* 15-411 Fall 2011  2011 Carnegie Mellon University

One last “little detail”… How do I get these keys in the first place?? Remember: Symmetric key primitives assumed Alice and Bob had already shared a key. Asymmetric key primitives assumed Alice knew Bob’s public key. This may work with friends, but when was the last time you saw Amazon.com walking down the street? 15-411 Fall 2011  2011 Carnegie Mellon University

Symmetric Key Distribution How does Andrew do this? Andrew Uses Kerberos, which relies on a Key Distribution Center (KDC) to establish shared symmetric keys. 15-411 Fall 2011  2011 Carnegie Mellon University

Key Distribution Center (KDC) Alice, Bob need shared symmetric key. KDC: server shares different secret key with each registered user (many users) Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for communicating with KDC. KDC KB-KDC KP-KDC KA-KDC KX-KDC KP-KDC KY-KDC KZ-KDC KB-KDC KA-KDC 15-411 Fall 2011  2011 Carnegie Mellon University

Key Distribution Center (KDC) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R1 KA-KDC(A,B) Downside: KDC must always be online to communicate securely KDC can give our session keys away (escrow) KA-KDC(R1, KB-KDC(A,R1) ) Alice knows R1 Bob knows to use R1 to communicate with Alice KB-KDC(A,R1) Alice and Bob communicate: using R1 as session key for shared symmetric encryption 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University How Useful is a KDC? Must always be online to support secure communication KDC can expose our session keys to others! Centralized trust and point of failure. In practice, the KDC model is mostly used within single organizations (e.g. Kerberos) but not more widely. 15-411 Fall 2011  2011 Carnegie Mellon University

Certification Authorities Certification authority (CA): binds public key to particular entity, E. An entity E registers its public key with CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. Certificate contains E’s public key AND the CA’s signature of E’s public key. Note: CA’s do NOT generate keys. They simply are handed a public key along with proof of identify, and generate a signature which can accompany the key when it is given to a user that must validate that they key is in fact Bob’s public key. Bob’s public key CA generates S = Sign(KB) KB KB certificate = Bob’s public key and signature by CA CA private key Bob’s identifying information K-1 CA 15-411 Fall 2011  2011 Carnegie Mellon University

Certification Authorities When Alice wants Bob’s public key: Gets Bob’s certificate (Bob or elsewhere). Use CA’s public key to verify the signature within Bob’s certificate, then accepts public key Verify(S, KB) KB If signature is valid, use KB CA public key KCA 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Certificate Contents info algorithm and key value itself (not shown) Cert owner Cert issuer Valid dates Fingerprint of signature Wait… didn’t we just say that we needed to have the key’s from the CA’s? What does our browser use? 15-411 Fall 2011  2011 Carnegie Mellon University

Which Authority Should You Trust? Today: many authorities What about a shared Public Key Infrastructure (PKI)? A system in which “roots of trust” authoritatively bind public keys to real-world identities So far it has not been very successful PKI’s are notoriously complex 15-411 Fall 2011  2011 Carnegie Mellon University

Transport Layer Security (TLS) aka Secure Socket Layer (SSL) Used for protocols like HTTPS Special TLS socket layer between application and TCP (small changes to application). Handles confidentiality, integrity, and authentication. Uses “hybrid” cryptography. Originally created by a little known and know largely defunct net start-up called “netscape” in the mid-90’s 15-411 Fall 2011  2011 Carnegie Mellon University

Setup Channel with TLS “Handshake” Handshake Steps: Client and server negotiate exact cryptographic protocols Client validates public key certificate with CA public key. Client encrypts secret random value with server’s key, and sends it as a challenge. Server decrypts, proving it has the corresponding private key. This value is used to derive symmetric session keys for encryption & MACs. 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University How TLS Handles Data 1) Data arrives as a stream from the application via the TLS Socket 2) The data is segmented by TLS into chunks 3) A session key is used to encrypt and MAC each chunk to form a TLS “record”, which includes a short header and data that is encrypted, as well as a MAC. 4) Records form a byte stream that is fed to a TCP socket for transmission. 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Summary – Part II Internet design and growth => security challenges Symmetric (pre-shared key, fast) and asymmetric (key pairs, slow) primitives provide: Confidentiality Integrity Authentication “Hybrid Encryption” leverages strengths of both. Great complexity exists in securely acquiring keys. Crypto is hard to get right, so use tools from others, don’t design your own (e.g. TLS). 15-411 Fall 2011  2011 Carnegie Mellon University

 2011 Carnegie Mellon University Resources Textbook: 8.1 – 8.3 Wikipedia for overview of Symmetric/Asymmetric primitives and Hash functions. OpenSSL (www.openssl.org): top-rate open source code for SSL and primitive functions. “Handbook of Applied Cryptography” available free online: www.cacr.math.uwaterloo.ca/hac/ 15-411 Fall 2011  2011 Carnegie Mellon University

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.