1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like ) security features mutual authentication session key establishment for subsequent conversation –security association – conversation protected with a session key perfect forward secrecy escrow-foilage protection clogging protection endpoint ID hiding security systems: IPsec, SSL/TLS, SSH
2 Networking Review the Internet (TCP/IP) is a packet-switched network data to be transmitted is divided into “packets” each packet is forwarded by “routers” towards the destination networking functions standardized into hierarchical layers of protocols, so that each layer uses the services of the lower layer and provides services to the upper the first three layers are implemented in the OS kernel the last layer is implemented in user space... Application Layer (HTTP, FTP, SMTP, etc.) Transport Layer (TCP, UDP) Network Layer (IP) Data Link Layer (PPP, Ethernet, etc.) Physical Layer OS
3 Approaches to Securing Network Communication above the OS (at level 4) – add a security wrapper around TCP interface (sockets) OS does not need to be modified minimum modification at applications TCP is below crypto – no cooperation between SSL and TCP – DoS attack possible: whole TCP session can be forced to reset by inserting a single bogus packet within the OS (at level 3) – replace IP with secure implementation (IPsec) no modifications at applications security of IPsec is underutilized – can only supply what IP does, even though can do authentication, etc. application TCP replace IP with IPsec lower layers OS insert SSL (TLS or SSH)
4 Session Key Establishment Issues message authentication with a session key establishment is needed against connection hijacking sequence numbers needed against packet replays (different from TCP seq.no.) session key reset before SN wrap around for freshness guarantee, both parties should contribute to the session key –less likely to attacks when someone impersonate one party to the other –good key even if only one party has access to random key generator
5 Perfect Forward Secrecy and Escrow-Foilage Protection what is PFS again? what’s an example of a system with PFS? non-PFS examples: –Kerberos (why?) –session key transport with RSA encryption (why?) key escrow – communicating parties have to store their long- term keys with a third-party (authorities, law-enforcement, etc.) escrow-foilage – key stored at the third party is used maliciously escrow-foilage protection – conversation between Alice and Bob is secret to passive eavesdropper – Trudy in possession of Alice’s and Bob’s long-term keys –if a system is PFS it is also protected against escrow-foilage. why?
6 Denial-of-Service Protection denial-of-service authentication attack – exhaust all server’s resources by initiating numerous authentication sessions (possibly with faked IP packets) solutions cookies – server responds to a session request with a random number (cookie), initiator has to reply back with that cookie to continue –attacker have to either reveal its address or, abort the attack –stateless cookies: cookie is H(IP address, server’s secret); server doesn’t have to remember it puzzles – to continue authentication server requires initiator to solve a puzzle: e.g. MD5(x) = …, x = ? –solving is slow (depends on the size of x), verification fast –can be made stateless, how? –client’s computation power varies, not useful against coordinated distributed DoS attack
7 Identity Hiding some apps require identity protection against eavesdropper parties can use Diffie-Hellman anonymously and then use shared key to encrypt the rest of the session (including authentication) –passive attacker will not know the identities –active attacker may still learn one or both identities, how? which identity is more valuable to protect? two opinions –initiator (Alice) – Bob’s identity is probably already known –responder (Bob) – if Bob’s id is harder to impersonate (Alice initiates the conversation) in the protocol below, whose id is protected against active attack? Alice Bob okay, g b mod p g a mod p {“Alice”,[g a mod p] Alice } g b mod p {“Bob”,[g b mod p] Bob } I want to talk, g a mod p
8 Live Partner Reassurance Bob is vulnerable to replays can use different D-H exponents for different sessions –DH exponentiation is expensive: problem for servers, low-end clients –solution: same DH exponents, different nonces Incorporate nonces into the session key. E.g., K = H(g ab mod p, nonces) how would these nonces be exchanged?
9 Parallel Key Computation Computing D-H exponents is expensive. May do it in advance in the protocol below, why is Bob sending two messages in sequence rather than combining them? Alice Bob [g b mod p] Bob g ab mod p {Bob’s message} g ab mod p {Alice’s message} [g a mod p] Alice
10 Other Issues session resumption: use previously established session keys to bypass public-key authentication –one solution: share a key medium term (derive the session key from it) and request knowledge on resumption deniability: possibly need not to leave a proof that Alice talked to Bob: –ex: Bob’s name signed by Alice’s key, what does this message prove? –solution: don’t use signatures for authentication. use encryption with public keys crypto negotiation: key exchange protocols negotiate the algorithms to be used as well (ex: key size, compression, prime (p) to use for D-H) –problem: Trudy may force Alice and Bob to use weak crypto (if it is available as an option for both parties by tampering with messages and removing stronger options –solution?