Presentation is loading. Please wait.

Presentation is loading. Please wait.

TELE3119: Trusted Networks Week 3

Similar presentations


Presentation on theme: "TELE3119: Trusted Networks Week 3"— Presentation transcript:

1 TELE3119: Trusted Networks Week 3
Course Coordinator: Prof. Aruna Seneviratne, Room EE 312 Course web-page:

2 Basic View of Cryptography
Access & Availability Confidentiality Integrity Authentication Cryptography Symmetric Asymmetric Protocols Data Link Stream Ciphers Block Ciphers Trusted Networks

3 WEP design goals Provide Authentication and Data Encryption
Self-synchronizing Each packet separately encrypted Given encrypted packet and key, can decrypt; Can continue to decrypt packets when preceding packet was lost Efficient implementable in hardware or software Security 8-3

4 WEP Autentication Authentication process:
A wireless host requests authentication by an access point. The access point responds to the authentication request with a 128-byte nonce value. The wireless host encrypts the nonce using the symmetric key that it shares with the access point. The access point decrypts the host-encrypted nonce. If the decrypted nonce matches the nonce value originally sent to the host, then the host is authenticated by the access point. Security 8-4

5 Review: Symmetric Stream Ciphers
keystream generator key Symmetric Key Crypto WEP does not specify a key management algorithm, Assumes that the host and wireless access point have somehow agreed on the key combine each byte of keystream with byte of plaintext to get ciphertext: m(i) = ith unit of message ks(i) = ith unit of keystream c(i) = ith unit of ciphertext c(i) = ks(i)  m(i) ( = exclusive or) m(i) = ks(i)  c(i) WEP uses RC4 Security 8-5

6 Stream Cipher and Packet Independence
Recall design goal: each packet separately encrypted If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted need to know where we left off for packet n WEP approach: Initialize Keystream with key + new IV for each packet keystream generator Key+IVpacket keystreampacket Security 8-6

7 WEP encryption (1) Sender calculates an Integrity Check Value (ICV)
Four-byte hash/CRC over data Each side has 104-bit shared key sender creates 24-bit IV, appends to key ->gives 128-bit key sender also appends keyID (in 8-bit field) 128-bit key inputted into pseudo random number generator to get keystream data in frame + ICV is encrypted with RC4: bytes of keystream are XORed with bytes of data & ICV IV & keyID are appended to encrypted data to create payload payload inserted into frame Security 8-7

8 WEP encryption (2) new IV for each frame data ICV IV encrypted
MAC payload encrypted Security 8-8

9 WEP decryption overview
data ICV IV MAC payload encrypted Receiver extracts IV Inputs IV, shared secret key into pseudo random generator, gets keystream XORs keystream with encrypted data to decrypt data + ICV Verifies integrity of data with ICV message integrity used here is different from MAC (message authentication code) and signatures (using PKI). Security 8-9

10 WEP authentication … Notes: authentication request nonce (128 bytes)
nonce encrypted with shared key success if decrypted value equals nonce IV + (Data + ICV) encrypted with Key + IV IV + (Data + ICV) encrypted with Key + IV Notes: Not all APs do it, even if WEP is being used AP indicates if authentication is necessary in beacon frame done before association Security 8-10

11 Breaking WEP Encryption
security hole: 24-bit IV, one IV per frame, -> IV’s eventually reused IV transmitted in plaintext -> IV reuse detected attack: Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 … Trudy sees: ci = di XOR kiIV Trudy knows ci di, so can compute kiIV Trudy knows encrypting key sequence k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt! Security 8-11

12 802.11i: Improved Security Implemented as Wi-Fi Protected Access II (WPA2)
Numerous (stronger) forms of encryption possible Provides key distribution Uses authentication server separate from access point Security 8-12

13 802.11i: four phases of operation
AP: access point STA: client station AS: Authentication server wired network 1 Discovery of security capabilities STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through” 2 3 STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity Security 8-13

14 Discovery Phase 1 AP advertises its presence and the forms of authentication and encryption that can be provided to the wireless client The client then requests the specific forms of authentication and encryption that it desires. Although the client and AP are already exchanging messages, the client has not yet been authenticated nor does it have an encryption key Trusted Networks

15 Mutual authentication and Master Key (MK) generation
2 Authentication takes place between the wireless client and the authentication server. In this phase, the access point acts essentially as a relay, forwarding messages between the client and the authentication server. The Extensible Authentication Protocol (EAP) defines the end-to-end message formats used in a simple request/response mode of interaction between the client and authentication server. EAP messages are encapsulated using EAPoL (EAP over LAN) These EAP messages are then decapsulated at the access point, and then re-encapsulated using the RADIUS protocol for transmission over UDP/IP to the authentication server. While the RADIUS server and protocol are not required by the i protocol, they are de facto standard components for i. The recently standardized DIAMETER protocol is likely to replace RADIUS in the near future. Trusted Networks

16 EAP: Extensible Authentication Protocol
2 EAP: end-end client (mobile) to authentication server protocol EAP sent over separate “links” mobile-to-AP (EAP over LAN) AP to authentication server (RADIUS over UDP) wired network EAP TLS EAP EAP over LAN (EAPoL) RADIUS IEEE UDP/IP Security 8-16

17 EAP cont. 2 The authentication server can choose one of a number of ways to perform authentication. 802.11i does not mandate a particular authentication method EAP-TLS authentication scheme is often used. EAP-TLS uses public key techniques (including nonce encryption and message digests) to allow the client and the authentication server to mutually authenticate each other, and to derive a Master Key (MK) that is known to both parties. Trusted Networks

18 Pairwise Master Key (PMK) Generation
3 The MK is a shared secret known only to the client and the authentication server, Used to generate a second key, the Pairwise Master Key (PMK). The authentication server then sends the PMK to the AP. Now have a shared key (recall that in WEP, the problem of key distribution was not addressed at all) and have mutually authenticated each other. Trusted Networks

19 Temporal Key (TK) Generation
4 With the PMK, the wireless client and AP can now generate additional keys that will be used for communication. A Temporal Key (TK), which will be used to perform the link-level encryption of data sent over the wireless link and to an arbitrary remote host 802.11i provides several forms of encryption, including an AES-based encryption scheme and a strengthened version of WEP encryption. Trusted Networks

20 Summary Operation of WEP Short Comings of WEP
Operation of i and its Implementation (WPA2) Trusted Networks

21 Basic View of Cryptography
Access & Availability Confidentiality Integrity Authentication Cryptography Symmetric Asymmetric Protocols Network Appliances Stream Ciphers Block Ciphers Trusted Networks

22 Firewalls Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others administered network public Internet firewall trusted “good guys” untrusted “bad guys” Security 8-22

23 Why? Prevent Denial of Service Attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connection Prevent Illegal Modification/Access of Internal Data Attacker replaces CIA’s homepage with something else Allow ONLY Authorized Access to Inside Network Set of authenticated users/hosts Security 8-23

24 Firewalls cont. Many organizations have distinct needs
Trusted Networks Firewalls cont. Many organizations have distinct needs public data (e.g., website) accessible to anyone internal data only accessible to employees Inner and out (DMZ) networks Three types of firewalls: Stateless Packet Filters Stateful Packet Filters Application Gateways

25 Stateless packet filtering
Should arriving packet be allowed in? Departing packet let out? Internal network connected to Internet via router firewall Router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Security 8-25

26 TCP, UDP and IP Packets Port Description 20/21 FTP – Data/Control 23
Trusted Networks TCP, UDP and IP Packets Port Description 20/21 FTP – Data/Control 23 Telnet 25 SMTP 53 DNS 80 HTTP

27 Stateless packet filtering: example
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked Example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Security 8-27

28 Stateless packet filtering: more examples
Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except , port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (e.g ). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Security 8-28

29 Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs action source address dest protocol port flag bit allow 222.22/16 outside of TCP > 1023 80 any ACK UDP 53 --- ---- deny all Security 8-29

30 Stateful packet filtering
Stateless Packet Filter: heavy handed tool admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest protocol port flag bit allow outside of 222.22/16 TCP 80 > 1023 ACK Stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense” timeout inactive connections at firewall: no longer admit packets Security 8-30

31 Stateful packet filtering
ACL augmented to indicate need to check connection state table before admitting packet action source address dest proto port flag bit check conxion allow 222.22/16 outside of TCP > 1023 80 any ACK x UDP 53 --- ---- deny all Security 8-31

32 Application gateways Filter packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside application gateway host-to-gateway telnet session router and filter gateway-to-remote host telnet session Require all users to telnet through gateway For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections Router filter blocks all telnet connections not originating from gateway. Security 8-32

33 Limitations of firewalls, gateways
IP spoofing: router can’t know if data “really” comes from claimed source If multiple app’s. need special treatment, each has own app. gateway Client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser Filters often use all or nothing policy for UDP Tradeoff: degree of communication with outside world, level of security Many highly protected sites still suffer from attacks Security 8-33

34 Intrusion detection systems
Packet Filtering: Operates on TCP/IP headers only No correlation check among sessions IDS: intrusion detection system Deep Packet Inspection (DPI): look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) Examine correlation among multiple packets port scanning network mapping DoS attack Security 8-34

35 Intrusion Detection Systems
Multiple IDSs: different types of checking at different locations firewall internal network Internet IDS sensors Web server DNS server FTP server demilitarized zone Security 8-35

36 Measuring Accuracy Events are actions occurring in the system (e.g. file access. Login, etc) An instruction is an event that is part of an attack An alarm is generated if an event is diagnosed as being an intrusion Trusted Networks

37 Measuring Accuracy cont.
True Positive Rate (TPR): Fraction of instructions correctly identified False Negative Rate (FNR): fraction of instructions incorrectly detected FNR = 1 –TPR True Negative Rate (TNR): Fraction of non-instructions correctly identified False Positive Rate (FPR): Fraction of non-instructions incorrectly identifies FPR – 1 – TNR Trusted Networks

38 IDS types Two types Signature based Anomaly based Trusted Networks

39 Signature Based IDS Detect attack using signatures
Sniffs packets, compares with signatures in DB Characteristics of real attacks Set of characteristics about a single packet or a series of packets Only detect “already-known” attacks FPR is low, but FNR is high Trusted Networks

40 Anomaly Based IDS Define a model of “normal” behaviour, try to detect deviation from it Potentially detect new (not previously encountered) Attacks FNR is low, FPR is high Trusted Networks

41 Summary Functionality of FWs and IDSs Types of FWs
Difference between FWs and IDSs Security 8-41

42 Basic View of Cryptography
Access & Availability Confidentiality Integrity Authentication Cryptography Symmetric Asymmetric Protocols DNS Stream Ciphers Block Ciphers Trusted Networks

43 Data Exfiltration “Cyber Kill Chain” Getting Inside Find some data
Get Inside Find some data Exfiltrate it Trusted Networks

44 Cyber Kill Chain Get Inside Exfiltrate it Find some data
Trusted Networks

45 Covert Channel - Exfiltrating Data DNS
compromised system malicious.com stolen data ftp port 21 ssh port 22 http port 80 Trusted Networks

46 Exfiltrating Data cont.
compromised system malicious.com stolen data ftp port 21 ssh port 22 http port 80 Block with FW rules or  IP / domain block-lists Could be evade IP Black lists, FW Rules etc? Trusted Networks

47 DNS requests name server local DNS server .com DNS server example.com
what is the address for “Dunno, I’ll ask someone else” “Dunno, but I know some who does” “I know the answer” it is: it is: Trusted Networks

48 Exfiltrating Data by DNS
compromised system “top.secret.data” DNS lookup for top.secret.data.malicious.com local DNS server name server malicious.com reply: Trusted Networks

49 Exfiltrating Data by DNS
DNS lookup problems:  Punctuation forbidden (limited to a-z & 0-9, no space or !) Case insensitive  Base64 Encoding ?? Base32 Encoding “top secret data”  ORXXAIDTMVRXEZLUEBSGC5DB  “Top Secret !!!!”  KRXXAICTMVRXEZLUEAQSCIJB  DNS requests logs  mail.domain2.com  server.xyz.domain3.com  ORXXAIDTMVRXEZLUEBSGC5DB.malicious.com  long random string! Trusted Networks

50 Lets look for ‘long’ domain names. Oh, great there are 100 million!
OpenDNS DNS Lookup Data  Lets look for ‘long’ domain names.  Oh, great there are 100 million! difficult to analyze data  need a model?  Trusted Networks

51 Model Data: Distribution Frequency
spike ??? Subdomain length Trusted Networks

52 Identify Anomalies we only analyse particular length Subdomain length
Trusted Networks

53 Active Exfiltration Pattern ? Stealing credit card data !
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com Pattern ? begins with 3 characters (i.e. log, lll, ooo), followed by a dot, followed by a long random string with a fingerprint (i.e. starts with nut6), followed by a dot, followed by a really long string, … Stealing credit card data ! Trusted Networks

54 Point of Sale malware would sniff the memory of PoS device to collect card numbers, Expiry date, etc Trusted Networks

55 Active Exfiltration PoS malware domain
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com Base32 encoded machine identifier Base32 encoded & RSA 1024 encrypted card information previously unknown malware domains Trusted Networks

56 Summary How cover channels can be used for data exfiltration
DNS exfiltration Detecting exfiltration over DNS  Trusted Networks

57 Basic View of Cryptography
Access & Availability Confidentiality Integrity Authentication Cryptography Symmetric Asymmetric Protocols TCP/IP Stream Ciphers Block Ciphers Trusted Networks

58 Covert Channel - Exfiltrating Data Other Protocols
Semi-Covert: Fooling the Casual Observer If examined, traffic appears unusual Assumes “they” won’t bother looking Detecting it requires a low to moderate amount of work Truly Covert: Fooling Everyone Traffic appears completely normal Will work even if “they” know the procedure used Detecting it is as hard as breaking the underlying cryptography

59 Two Types of Covert Channels
Extra communication to a host Hiding the fact that you’re even communicating with a host

60 Extra Communication to a Host
Useful when you must hide the fact that you’re encrypting data Method Uses some amount of cover/permissible traffic Sender embeds covert message outbound Receiver gets traffic as normal Receiver analyzes traffic, retrieves message This is a bit of a rocky transition. We give the simple example, then give the parameters, then flip back to the example. It works when you think about it, but not when you picture yourself saying it. nevermind

61 Finding a Good Covert Channel
First find a place that random data is being transmitted naturally Ex. Initial Sequence Numbers, complex timing of network transmissions Then replace that random data with your own ‘random data’ which is actually an encrypted message

62 A simple example Alice wants to send a message to Bob
Alice FTPs Bob a couple of old vacation pictures, meanwhile Bob records all traffic Alice encodes the secret message byte by byte in the padding of several TCP segment headers Bob looks at padding of recorded traffic [ah] how about we use a simple example of a ‘good’ covert chan? This is a simple example that’s good for demonstrating the concepts involved, namely the server/client type architecture. It’s really easy to understand the use of outmoded features. Also good as it intros the layout for examining the other methods as well as the rating system.

63 Unseen Path of Communication
Useful if you do not want your association with a node to be known Communicating with a closely scrutinized node Accessing ‘forbidden’ material Malicious activity Use another node to relay information for you

64 Finding a Good Channel Use a hard to monitor node as an intermediary
Protection is possible even if all networks are watched Mixes, onion routing Prevents association of incoming and outgoing Also use extra communication covert channel Prevents detection that a node is relaying info

65 Unseen Path Example Alice and Bob both are allowed to make requests to the same small webserver To transmit a one, Alice pounds the webserver with heavy traffic To transmit a zero, Alice doesn’t make any requests Bob makes requests to the webserver and measures latencies

66 Evaluating a Covert Channel
Bandwidth bits per TCP connection bits per packet Ease of Detection Permissibility How often will it be permitted? Prevention Difficulty of Implementing Special Cases or Restrictions

67 What are we going to look at?
Extra communication covert channels Needed if encryption is restricted Hidden path is being looked at heavily by anonyminity researchers TCP/IP Headers Occurs frequently on networks Able to piggy-back on legitimate traffic

68 TCP Header

69 TCP URG Pointer Sequence number that points to end of urgent data
Only interpreted if URG control bit is set Set the 16-bit URG pointer to the value that you’re transmitting, however do not set the URG bit To be a bit more stealthy, the URG pointer value should be restricted to be near the sequence numbers so that it actually could be pointing at something

70 URG Pointer Evaluation
Bandwidth Good: 16 bits per TCP Segment; much less if the URG pointer is restricted to be near sequence numbers Detection Easy: URG pointer rarely used, and should never be used without setting the URG control bit Also, URG pointer must actually point to data Prevention Moderate/Easy, if URG bit is not set, rewrite pointer Perhaps disallow use of URG

71 URG Pointer Eval (continued)
Permissibility Traffic normalizers and some firewalls may clear the URG pointer, especially if the URG control bit is zero Difficulty of Implementing Easy, simply replace bits in packets in transit Special Cases Can not be used in TCP segments where the URG pointer is actually being used

72 Padding & Reserved bits
Similar to URG example Lower bandwidth Padding is easy to detect, because almost always set to zeros Padding and reserved bits may be rewritten by some routers

73 Initial Sequence Number (ISN)
Sequence numbers used to index TCP data being transmitted ISN should be random to prevent TCP session hijacking and spoofing Choose your initial sequence numbers to be the message to be transmitted

74 ISN Evaluation Bandwidth Detection - ‘Impossible’ Prevention
Low: 32 bits per TCP connection Detection - ‘Impossible’ Prevention Difficult, have to proxy all TCP connections

75 ISN Evaluation (continued)
Permissibility Will pass through all, except some proxies Difficulty of Implementing Moderately Easy, simply replace the function used to generate initial sequence numbers Special Cases Some OSs (such as Windows 98) do not choose random ISNs

76 Timestamp Low-bit Modulation
TCP option Modulate low bit of TCP timestamp to convey data Presented by Giffin, et al at PET2002 At low bandwidths, the low bit of the timestamp is quite random (based on complex timings)

77 Timestamp Evaluation Bandwidth Detection Prevention Permissibility
Low: one bit per TCP segment Detection Very, very difficult for low bandwidth Prevention Moderate/Easy, strip out TCP timestamp option Permissibility Permitted on just about all networks

78 Timestamp Eval (continued)
Difficulty of Implementing Moderate, many things must be kept in mind Must be sure timestamps are monotonically increasing In order to to this, a fast connection will be slowed down while sending covert data

79 Timestamp Detection - Fast
When on a fast connection, the sending of TCP segments will be slowed down to a fixed rate Algorithm to detect: Count number of different & total timestamps sent by a particular host Calculate the ratio of total to different timestamps If timestamp covert channel is being used on a sufficiently fast network, the ratio will converge to about 1.94 To prevent slow down more than needed

80 Timestamp Detection - Slow
For even a slow connection, it is very difficult, but possible, to detect The covert channel makes the low bit more random than it normally is Algorithm: Record all the low bits of the timestamp Put them through a complex randomness test If very random, then covert channel being used To prevent introduce some non-random data

81 Detection and Prevention
Detect anomalous traffic Some IDSs can do this, but it can be very noisy Perform normalization of traffic norm BSD pf Use a pump method to defeat timing channels Can not close all covert channels, only possible to decrease bandwidth and ease

82 IP Type of Service Indicates quality of service requested
Precedence, delay, throughput, reliability, reserved Set the IP ToS byte to your data To be much more stealthy, only modulate the Delay bit

83 IP ToS Evaluation Bandwidth Detection
1 byte per IP datagram if using entire ToS field 1 bit per IP datagram if using only delay bit Detection Easy if using entire ToS field, because the entire field is never used Moderate if using only the delay bit Look for frequent occurrences of set delay bits

84 ToS Evaluation (continued)
Permissibility Passed through tested equipment Prevention Easy, rewrite all ToS bits Could slightly alter handling of traffic Difficulty of Implementing Easy, simply replace bits in packets in transit Special Cases Could slightly alter actual handling of traffic, but not noticeable

85 Problem (1) Extracting information regarding the original source of the packets and their ultimate destination is referred to as the traffic analysis attack Internet surveillance Knowing who's talking to whom, when, and for how long e.g. military intelligence or counter-intelligence Reveals users privacy  security concern! Encryption does not work, since packet headers still reveal a great deal about users TLS (packet headers are still in clear text) IPSec (packet sniffers at the origination point) End-to-end anonymity is needed Solution: a distributed, anonymous network

86 Summary How cover channels can be used for data exfiltration
TCP and IP exfiltration Detecting exfiltration over TCP and IP  Trusted Networks


Download ppt "TELE3119: Trusted Networks Week 3"

Similar presentations


Ads by Google