1. TELE3119: Trusted Networks Week 3
Course Coordinator:
Prof. Aruna Seneviratne, Room EE 312 –
Course web-page:

2. Basic View of Cryptography
Access &
Availability
Confidentiality
Integrity
Authentication
Cryptography
Symmetric
Asymmetric
Protocols
Data Link
Stream Ciphers
Block Ciphers
Trusted Networks

3. WEP design goals Provide Authentication and Data Encryption
Self-synchronizing
Each packet separately encrypted
Given encrypted packet and key, can decrypt;
Can continue to decrypt packets when preceding packet was lost
Efficient
implementable in hardware or software
Security
8-3

4. WEP Autentication Authentication process:
A wireless host requests authentication by an access point.
The access point responds to the authentication request with a 128-byte nonce value.
The wireless host encrypts the nonce using the symmetric key that it shares with the access point.
The access point decrypts the host-encrypted nonce.
If the decrypted nonce matches the nonce value originally sent to the host, then the host is authenticated by the access point.
Security
8-4

5. Review: Symmetric Stream Ciphers
keystream
generator
key
Symmetric Key Crypto
WEP does not specify a key management algorithm,
Assumes that the host and wireless access point have somehow agreed on the key
combine each byte of keystream with byte of plaintext to get ciphertext:
m(i) = ith unit of message
ks(i) = ith unit of keystream
c(i) = ith unit of ciphertext
c(i) = ks(i)  m(i) ( = exclusive or)
m(i) = ks(i)  c(i)
WEP uses RC4
Security
8-5

6. Stream Cipher and Packet Independence
Recall design goal: each packet separately encrypted
If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted
need to know where we left off for packet n
WEP approach:
Initialize Keystream with key + new IV for each packet
keystream
generator
Key+IVpacket
keystreampacket
Security
8-6

7. WEP encryption (1) Sender calculates an Integrity Check Value (ICV)
Four-byte hash/CRC over data
Each side has 104-bit shared key
sender creates 24-bit IV, appends to key ->gives 128-bit key
sender also appends keyID (in 8-bit field)
128-bit key inputted into pseudo random number generator to get keystream
data in frame + ICV is encrypted with RC4:
bytes of keystream are XORed with bytes of data & ICV
IV & keyID are appended to encrypted data to create payload
payload inserted into frame
Security
8-7

8. WEP encryption (2) new IV for each frame data ICV IV encrypted
MAC payload
encrypted
Security
8-8

9. WEP decryption overview
data
ICV IV
MAC payload
encrypted
Receiver extracts IV
Inputs IV, shared secret key into pseudo random generator, gets keystream
XORs keystream with encrypted data to decrypt data + ICV
Verifies integrity of data with ICV
message integrity used here is different from MAC (message authentication code) and signatures (using PKI).
Security
8-9

10. WEP authentication … Notes: authentication request nonce (128 bytes)
nonce encrypted with shared key
success if decrypted value equals nonce
IV + (Data + ICV) encrypted with Key + IV …
IV + (Data + ICV) encrypted with Key + IV
Notes:
Not all APs do it, even if WEP is being used
AP indicates if authentication is necessary in beacon frame
done before association
Security
8-10

11. Breaking WEP Encryption
security hole:
24-bit IV, one IV per frame, -> IV’s eventually reused
IV transmitted in plaintext -> IV reuse detected
attack:
Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 …
Trudy sees: ci = di XOR kiIV
Trudy knows ci di, so can compute kiIV
Trudy knows encrypting key sequence k1IV k2IV k3IV …
Next time IV is used, Trudy can decrypt!
Security
8-11

12. 802.11i: Improved Security Implemented as Wi-Fi Protected Access II (WPA2)
Numerous (stronger) forms of encryption possible
Provides key distribution
Uses authentication server separate from access point
Security
8-12

13. 802.11i: four phases of operation
AP: access point
STA:
client station
AS:
Authentication
server
wired
network
1 Discovery of
security capabilities
STA and AS mutually authenticate, together
generate Master Key (MK). AP serves as “pass through” 2 3
STA derives
Pairwise Master
Key (PMK)
AS derives
same PMK,
sends to AP 4
STA, AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity
Security
8-13

14. Discovery Phase 1
AP advertises its presence and the forms of authentication and encryption that can be provided to the wireless client
The client then requests the specific forms of authentication and encryption that it desires.
Although the client and AP are already exchanging messages, the client has not yet been authenticated nor does it have an encryption key
Trusted Networks

15. Mutual authentication and Master Key (MK) generation2
Authentication takes place between the wireless client and the authentication server.
In this phase, the access point acts essentially as a relay, forwarding messages between the client and the authentication server.
The Extensible Authentication Protocol (EAP) defines the end-to-end message formats used in a simple request/response mode of interaction between the client and authentication server.
EAP messages are encapsulated using EAPoL (EAP over LAN)
These EAP messages are then decapsulated at the access point, and then re-encapsulated using the RADIUS protocol for transmission over UDP/IP to
the authentication server.
While the RADIUS server and protocol are not required by the i protocol, they are de facto standard components for i.
The recently standardized DIAMETER protocol is likely to replace RADIUS in the near future.
Trusted Networks

16. EAP: Extensible Authentication Protocol2
EAP: end-end client (mobile) to authentication server protocol
EAP sent over separate “links”
mobile-to-AP (EAP over LAN)
AP to authentication server (RADIUS over UDP)
wired
network
EAP TLS
EAP
EAP over LAN (EAPoL)
RADIUS
IEEE
UDP/IP
Security
8-16

17. EAP cont. 2
The authentication server can choose one of a number of ways to perform authentication.
802.11i does not mandate a particular authentication method
EAP-TLS authentication scheme is often used.
EAP-TLS uses public key techniques (including nonce encryption and message digests) to allow the client and the authentication server to mutually authenticate each other, and to derive a Master Key (MK) that is known to both parties.
Trusted Networks

18. Pairwise Master Key (PMK) Generation3
The MK is a shared secret known only to the client and the authentication server,
Used to generate a second key, the Pairwise Master Key (PMK).
The authentication server then sends the PMK to the AP.
Now have a shared key (recall that in WEP, the problem of key distribution was not addressed at all) and have mutually authenticated each other.
Trusted Networks

19. Temporal Key (TK) Generation4
With the PMK, the wireless client and AP can now generate additional keys that will be used for communication.
A Temporal Key (TK), which will be used to perform the link-level encryption of data sent over the wireless link and to an arbitrary remote host
802.11i provides several forms of encryption, including an AES-based encryption scheme and a strengthened version of WEP encryption.
Trusted Networks

20. Summary Operation of WEP Short Comings of WEP
Operation of i and its Implementation (WPA2)
Trusted Networks

21. Basic View of Cryptography
Access &
Availability
Confidentiality
Integrity
Authentication
Cryptography
Symmetric
Asymmetric
Protocols
Network Appliances
Stream Ciphers
Block Ciphers
Trusted Networks

22. Firewalls
Firewalls
isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others
administered
network
public
Internet
firewall
trusted “good guys”
untrusted “bad guys”
Security
8-22

23. Why? Prevent Denial of Service Attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connection
Prevent Illegal Modification/Access of Internal Data
Attacker replaces CIA’s homepage with something else
Allow ONLY Authorized Access to Inside Network
Set of authenticated users/hosts
Security
8-23

24. Firewalls cont. Many organizations have distinct needs
Trusted Networks
Firewalls cont.
Many organizations have distinct needs
public data (e.g., website) accessible to anyone
internal data only accessible to employees
Inner and out (DMZ) networks
Three types of firewalls:
Stateless Packet Filters
Stateful Packet Filters
Application Gateways

25. Stateless packet filtering
Should arriving packet be allowed in? Departing packet let out?
Internal network connected to Internet via router firewall
Router filters packet-by-packet, decision to forward/drop packet based on:
source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
Security
8-25

26. TCP, UDP and IP Packets Port Description 20/21 FTP – Data/Control 23
Trusted Networks
TCP, UDP and IP Packets
Port
Description
20/21
FTP – Data/Control 23
Telnet 25
SMTP 53
DNS 80
HTTP

27. Stateless packet filtering: example
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
result: all incoming, outgoing UDP flows and telnet connections are blocked
Example 2: block inbound TCP segments with ACK=0.
result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Security
8-27

28. Stateless packet filtering: more examples
Policy
Firewall Setting
No outside Web access.
Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for institution’s public Web server only.
Drop all incoming TCP SYN packets to any IP except , port 80
Prevent Web-radios from eating up the available bandwidth.
Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack.
Drop all ICMP packets going to a “broadcast” address (e.g ).
Prevent your network from being tracerouted
Drop all outgoing ICMP TTL expired traffic
Security
8-28

29. Access Control Lists
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs
action
source
address
dest
protocol
port
flag
bit
allow
222.22/16
outside of
TCP
> 1023 80
any
ACK
UDP 53
---
----
deny
all
Security
8-29

30. Stateful packet filtering
Stateless Packet Filter: heavy handed tool
admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established:
action
source
address
dest
protocol
port
flag
bit
allow
outside of
222.22/16
TCP 80
> 1023
ACK
Stateful packet filter: track status of every TCP connection
track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense”
timeout inactive connections at firewall: no longer admit packets
Security
8-30

31. Stateful packet filtering
ACL augmented to indicate need to check connection state table before admitting packet
action
source
address
dest
proto
port
flag
bit
check conxion
allow
222.22/16
outside of
TCP
> 1023 80
any
ACK x
UDP 53
---
----
deny
all
Security
8-31

32. Application gateways
Filter packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside
application
gateway
host-to-gateway
telnet session
router and filter
gateway-to-remote
host telnet session
Require all users to telnet through gateway
For authorized users, gateway sets up telnet connection to dest host.
Gateway relays data between 2 connections
Router filter blocks all telnet connections not originating from gateway.
Security
8-32

33. Limitations of firewalls, gateways
IP spoofing: router can’t know if data “really” comes from claimed source
If multiple app’s. need special treatment, each has own app. gateway
Client software must know how to contact gateway.
e.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks
Security
8-33

34. Intrusion detection systems
Packet Filtering:
Operates on TCP/IP headers only
No correlation check among sessions
IDS: intrusion detection system
Deep Packet Inspection (DPI): look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
Examine correlation among multiple packets
port scanning
network mapping
DoS attack
Security
8-34

35. Intrusion Detection Systems
Multiple IDSs: different types of checking at different locations
firewall
internal
network
Internet
IDS
sensors
Web
server
DNS
server
FTP
server
demilitarized
zone
Security
8-35

36. Measuring Accuracy
Events are actions occurring in the system (e.g. file access. Login, etc)
An instruction is an event that is part of an attack
An alarm is generated if an event is diagnosed as being an intrusion
Trusted Networks

37. Measuring Accuracy cont.
True Positive Rate (TPR): Fraction of instructions correctly identified
False Negative Rate (FNR): fraction of instructions incorrectly detected
FNR = 1 –TPR
True Negative Rate (TNR): Fraction of non-instructions correctly identified
False Positive Rate (FPR): Fraction of non-instructions incorrectly identifies
FPR – 1 – TNR
Trusted Networks

38. IDS types
Two types
Signature based
Anomaly based
Trusted Networks

39. Signature Based IDS Detect attack using signatures
Sniffs packets, compares with signatures in DB
Characteristics of real attacks
Set of characteristics about a single packet or a series of packets
Only detect “already-known” attacks
FPR is low, but FNR is high
Trusted Networks

40. Anomaly Based IDS
Define a model of “normal” behaviour, try to detect deviation from it
Potentially detect new (not previously encountered)
Attacks
FNR is low, FPR is high
Trusted Networks

41. Summary Functionality of FWs and IDSs Types of FWs
Difference between FWs and IDSs
Security
8-41

42. Basic View of Cryptography
Access &
Availability
Confidentiality
Integrity
Authentication
Cryptography
Symmetric
Asymmetric
Protocols
DNS
Stream Ciphers
Block Ciphers
Trusted Networks

43. Data Exfiltration “Cyber Kill Chain” Getting Inside Find some data
Get Inside
Find some data
Exfiltrate it
Trusted Networks

44. Cyber Kill Chain Get Inside Exfiltrate it Find some data
Trusted Networks

45. Covert Channel - Exfiltrating Data DNS
compromised system
malicious.com
stolen data
ftp port 21
ssh port 22
http port 80
Trusted Networks

46. Exfiltrating Data cont.
compromised system
malicious.com
stolen data
ftp port 21
ssh port 22
http port 80
Block with FW rules or  IP / domain block-lists
Could be evade IP Black lists, FW Rules etc?
Trusted Networks

47. DNS requests name server local DNS server .com DNS server example.com
what is the address for
“Dunno, I’ll ask someone else”
“Dunno, but I know some who does”
“I know the answer”
it is:
it is:
Trusted Networks

48. Exfiltrating Data by DNS
compromised system
“top.secret.data”
DNS lookup for
top.secret.data.malicious.com
local DNS server
name server
malicious.com
reply:
Trusted Networks

49. Exfiltrating Data by DNS
DNS lookup problems: 
Punctuation forbidden (limited to a-z & 0-9, no space or !)
Case insensitive 
Base64 Encoding ??
Base32 Encoding
“top secret data”  ORXXAIDTMVRXEZLUEBSGC5DB 
“Top Secret !!!!”  KRXXAICTMVRXEZLUEAQSCIJB 
DNS requests logs 
mail.domain2.com 
server.xyz.domain3.com 
ORXXAIDTMVRXEZLUEBSGC5DB.malicious.com 
long random string!
Trusted Networks

50. Lets look for ‘long’ domain names. Oh, great there are 100 million!
OpenDNS DNS Lookup Data 
Lets look for ‘long’ domain names. 
Oh, great there are 100 million!
difficult to analyze data  need a model? 
Trusted Networks

51. Model Data: Distribution Frequency
spike ???
Subdomain length
Trusted Networks

52. Identify Anomalies we only analyse particular length Subdomain length
Trusted Networks

53. Active Exfiltration Pattern ? Stealing credit card data !
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com
Pattern ?
begins with 3 characters (i.e. log, lll, ooo), followed by a dot, followed by a long random string with a fingerprint (i.e. starts with nut6), followed by a dot, followed by a really long string, …
Stealing credit card data !
Trusted Networks

54. Point of Sale
malware would sniff the memory of PoS device to collect card numbers, Expiry date, etc
Trusted Networks

55. Active Exfiltration PoS malware domain
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com
Base32 encoded
machine identifier
Base32 encoded & RSA 1024 encrypted card information
previously unknown malware domains
Trusted Networks

56. Summary How cover channels can be used for data exfiltration
DNS exfiltration
Detecting exfiltration over DNS 
Trusted Networks

57. Basic View of Cryptography
Access &
Availability
Confidentiality
Integrity
Authentication
Cryptography
Symmetric
Asymmetric
Protocols
TCP/IP
Stream Ciphers
Block Ciphers
Trusted Networks

58. Covert Channel - Exfiltrating Data Other Protocols
Semi-Covert: Fooling the Casual Observer
If examined, traffic appears unusual
Assumes “they” won’t bother looking
Detecting it requires a low to moderate amount of work
Truly Covert: Fooling Everyone
Traffic appears completely normal
Will work even if “they” know the procedure used
Detecting it is as hard as breaking the underlying cryptography

59. Two Types of Covert Channels
Extra communication to a host
Hiding the fact that you’re even communicating with a host

60. Extra Communication to a Host
Useful when you must hide the fact that you’re encrypting data
Method
Uses some amount of cover/permissible traffic
Sender embeds covert message outbound
Receiver gets traffic as normal
Receiver analyzes traffic, retrieves message
This is a bit of a rocky transition.
We give the simple example, then give the parameters, then flip back to the example. It works when you think about it, but not when you picture yourself saying it.
nevermind

61. Finding a Good Covert Channel
First find a place that random data is being transmitted naturally
Ex. Initial Sequence Numbers, complex timing of network transmissions
Then replace that random data with your own ‘random data’ which is actually an encrypted message

62. A simple example Alice wants to send a message to Bob
Alice FTPs Bob a couple of old vacation pictures, meanwhile Bob records all traffic
Alice encodes the secret message byte by byte in the padding of several TCP segment headers
Bob looks at padding of recorded traffic
[ah] how about we use a simple example of a ‘good’ covert chan?
This is a simple example that’s good for demonstrating the concepts involved, namely the server/client type architecture. It’s really easy to understand the use of outmoded features.
Also good as it intros the layout for examining the other methods as well as the rating system.

63. Unseen Path of Communication
Useful if you do not want your association with a node to be known
Communicating with a closely scrutinized node
Accessing ‘forbidden’ material
Malicious activity
Use another node to relay information for you

64. Finding a Good Channel Use a hard to monitor node as an intermediary
Protection is possible even if all networks are watched
Mixes, onion routing
Prevents association of incoming and outgoing
Also use extra communication covert channel
Prevents detection that a node is relaying info

65. Unseen Path Example
Alice and Bob both are allowed to make requests to the same small webserver
To transmit a one, Alice pounds the webserver with heavy traffic
To transmit a zero, Alice doesn’t make any requests
Bob makes requests to the webserver and measures latencies

66. Evaluating a Covert Channel
Bandwidth
bits per TCP connection
bits per packet
Ease of Detection
Permissibility
How often will it be permitted?
Prevention
Difficulty of Implementing
Special Cases or Restrictions

67. What are we going to look at?
Extra communication covert channels
Needed if encryption is restricted
Hidden path is being looked at heavily by anonyminity researchers
TCP/IP Headers
Occurs frequently on networks
Able to piggy-back on legitimate traffic

68. TCP Header

69. TCP URG Pointer Sequence number that points to end of urgent data
Only interpreted if URG control bit is set
Set the 16-bit URG pointer to the value that you’re transmitting, however do not set the URG bit
To be a bit more stealthy, the URG pointer value should be restricted to be near the sequence numbers so that it actually could be pointing at something

70. URG Pointer Evaluation
Bandwidth
Good: 16 bits per TCP Segment; much less if the URG pointer is restricted to be near sequence numbers
Detection
Easy: URG pointer rarely used, and should never be used without setting the URG control bit
Also, URG pointer must actually point to data
Prevention
Moderate/Easy, if URG bit is not set, rewrite pointer
Perhaps disallow use of URG

71. URG Pointer Eval (continued)
Permissibility
Traffic normalizers and some firewalls may clear the URG pointer, especially if the URG control bit is zero
Difficulty of Implementing
Easy, simply replace bits in packets in transit
Special Cases
Can not be used in TCP segments where the URG pointer is actually being used

72. Padding & Reserved bits
Similar to URG example
Lower bandwidth
Padding is easy to detect, because almost always set to zeros
Padding and reserved bits may be rewritten by some routers

73. Initial Sequence Number (ISN)
Sequence numbers used to index TCP data being transmitted
ISN should be random to prevent TCP session hijacking and spoofing
Choose your initial sequence numbers to be the message to be transmitted

74. ISN Evaluation Bandwidth Detection - ‘Impossible’ Prevention
Low: 32 bits per TCP connection
Detection - ‘Impossible’
Prevention
Difficult, have to proxy all TCP connections

75. ISN Evaluation (continued)
Permissibility
Will pass through all, except some proxies
Difficulty of Implementing
Moderately Easy, simply replace the function used to generate initial sequence numbers
Special Cases
Some OSs (such as Windows 98) do not choose random ISNs

76. Timestamp Low-bit Modulation
TCP option
Modulate low bit of TCP timestamp to convey data
Presented by Giffin, et al at PET2002
At low bandwidths, the low bit of the timestamp is quite random (based on complex timings)

77. Timestamp Evaluation Bandwidth Detection Prevention Permissibility
Low: one bit per TCP segment
Detection
Very, very difficult for low bandwidth
Prevention
Moderate/Easy, strip out TCP timestamp option
Permissibility
Permitted on just about all networks

78. Timestamp Eval (continued)
Difficulty of Implementing
Moderate, many things must be kept in mind
Must be sure timestamps are monotonically increasing
In order to to this, a fast connection will be slowed down while sending covert data

79. Timestamp Detection - Fast
When on a fast connection, the sending of TCP segments will be slowed down to a fixed rate
Algorithm to detect:
Count number of different & total timestamps sent by a particular host
Calculate the ratio of total to different timestamps
If timestamp covert channel is being used on a sufficiently fast network, the ratio will converge to about 1.94
To prevent slow down more than needed

80. Timestamp Detection - Slow
For even a slow connection, it is very difficult, but possible, to detect
The covert channel makes the low bit more random than it normally is
Algorithm:
Record all the low bits of the timestamp
Put them through a complex randomness test
If very random, then covert channel being used
To prevent introduce some non-random data

81. Detection and Prevention
Detect anomalous traffic
Some IDSs can do this, but it can be very noisy
Perform normalization of traffic
norm
BSD pf
Use a pump method to defeat timing channels
Can not close all covert channels, only possible to decrease bandwidth and ease

82. IP Type of Service Indicates quality of service requested
Precedence, delay, throughput, reliability, reserved
Set the IP ToS byte to your data
To be much more stealthy, only modulate the Delay bit

83. IP ToS Evaluation Bandwidth Detection
1 byte per IP datagram if using entire ToS field
1 bit per IP datagram if using only delay bit
Detection
Easy if using entire ToS field, because the entire field is never used
Moderate if using only the delay bit
Look for frequent occurrences of set delay bits

84. ToS Evaluation (continued)
Permissibility
Passed through tested equipment
Prevention
Easy, rewrite all ToS bits
Could slightly alter handling of traffic
Difficulty of Implementing
Easy, simply replace bits in packets in transit
Special Cases
Could slightly alter actual handling of traffic, but not noticeable

85. Problem (1)
Extracting information regarding the original source of the packets and their ultimate destination is referred to as the traffic analysis attack
Internet surveillance
Knowing who's talking to whom, when, and for how long
e.g. military intelligence or counter-intelligence
Reveals users privacy  security concern!
Encryption does not work, since packet headers still reveal a great deal about users
TLS (packet headers are still in clear text)
IPSec (packet sniffers at the origination point)
End-to-end anonymity is needed
Solution: a distributed, anonymous network

86. Summary How cover channels can be used for data exfiltration
TCP and IP exfiltration
Detecting exfiltration over TCP and IP 
Trusted Networks