1. CSCE 790: Computer Network Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

2. 10/2/20032 A Security Problem in Network An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network These inserted, modified, and replayed messages can go undetected until they cause severe damage to network The physical location of the adversary in network may never be determined Example: denial-of-service attacks

3. 10/2/20033 Denial-of-Service (DoS) Attacks Aimed to deny normal service provided by the target computer Communication-stopping attacks ARP spoofing attack Resource-exhausting attacks Smurf attack SYN attack

4. 10/2/20034 Ping Protocol Allow any computer to check whether any other computer in the Internet is up Any computer x can send a “ping” message to any computer y which replies by sending back a “pong” message (thus x knows y is up) In ping message: src = xanddst = y In pong message: src = yanddst = x xy ping(x, y) pong(y, x)

5. 10/2/20035 Broadcast Ping Protocol If in ping message dst = “all”, a copy of ping is broadcast to every computer Each computer replies by sending back a pong, and x is flooded with pong messages In ping message: src = xanddst = “all” In pong message: src = yanddst = x xy ping(x,all) pong(y, x) y´y´ pong(y´,x)

6. 10/2/20036 Smurf Attack An adversary pretends to be x and broadcasts a ping message where src = x and dst = “all” Thus, x is flooded with pong messages that it has not requested: denial-of-service attack at x xy pong(y, x) y´y´ pong(y´,x) a ping(x,all)

7. 10/2/20037 Countering Smurf Attack Make each router check the src of each received message and discard the message if the src is suspicious xy y´y´a ping(x, all) R3R2R1 src=x shouldn’t come to me

8. 10/2/20038 Clever Smurf Attack An adversary inserts a ping(x, all) message between routers R2 and R3 R3 thinks the message was forwarded by R2 and so accepts the message xy y´y´ a ping(x, all) R3R2R1

9. 10/2/20039 Countering Clever Smurf Attack When R3 receives a message, R3 needs to determine whether message was indeed sent by R2, or was modified or replayed by an adversary between R3 and R2 If use IPSec, will need to set up SA’s between each pair of adjacent routers: too expensive Our solution: use hop integrity protocol between each pair of adjacent routers

10. 10/2/200310 Hop Integrity Let p, q be routers connected to same subnetwork Detection of Message Modification: when q receives a message m supposedly from p, q can check that m was not modified after sent Detection of Message Replay: when q receives a message m supposedly from p, q can check that m was not a replay of an old message

11. 10/2/200311 Adversary vs. Routers The adversary can perform three types of actions to disrupt communication between two routers Message loss Message modification Message replay The routers are assumed to be secure and cannot be compromised by the adversary The routers will execute hop integrity protocols that can detect and defeat the adversary actions

12. 10/2/200312 Hop Integrity Protocol Each pair of adjacent routers need to share a secret S, which is updated periodically by the two routers using a secret exchange protocol To each IP message sent between two adjacent routers, add a sequence number sq, and an integrity check d hdtxt hdtxtsqd IP message d := MD(S | hd | sq | txt) d 16 bytes if MD5; 20 bytes if SHA-1 MD MD5 or SHA-1 sq 4 bytes

13. 10/2/200313 Architecture of Hop Integrity Protocols secrets integrity check layer secret exchange layer pe Network pw or ps Application s Transport Subnetwork qe Network qw or qs Applications Transport Subnetwork router p router q.

14. 10/2/200314 Component of Hop Integrity Protocols Three protocols between each pair of adjacent routers secret exchange protocol weak integrity protocol strong integrity protocol

15. 10/2/200315 Secret Exchange Protocol Each router p has a secret S that it uses for computing the digest of every msg sent to an adjacent router q Both p and q need to know S S is updated by q every T hours If q does not receive acknowledgment from p for t seconds, q retransmits the secret update message

16. 10/2/200316 Secret Exchange Protocol qp S[0] old S[1] new S S[0] = S[1] = S B p  S[0], S[1]  BqSBqS if S = S[0]  S = S[1] then S :=S[1] if S[1] = S then S[0] :=S[1] S[0] S[1] S[0] old S[1] new S[0] = S[1] = S B p  S[0], S[1]  BqSBqS if S[1] = S then S[0] :=S[1] T hours if S = S[0]  S = S[1] then S :=S[1]

17. 10/2/200317 Recovery in Secret Exchange Protocol qp S[0] old S[1] new S S[0] = S[1] = S S[0] = S  S[1] B p  S[0], S[1]  BqSBqS S[0] S[1] S[0] = S[1] = S B p  S[0], S[1]  BqSBqS if S = S[0]  S = S[1] then S :=S[1] if S[1] = S then S[0] :=S[1] t seconds if S = S[0]  S = S[1] then S :=S[1] B p  S[0], S[1]  S[1] = S  S[0]

18. 10/2/200318 To detect insertion and modification Each sent msg from p to q is as follows (hd | d | txt) where p computes d as d = MD(S | hd | txt) On receiving a msg, q checks if d = MD(S[0] | hd | txt)  d = MD(S[1] | hd | txt) thenq forwards msg elseq discards msg Weak Integrity Protocol

19. 10/2/200319 Weak Integrity Protocol qp.... (hd | d | txt) S[0] S[1] S

20. 10/2/200320 Strong Integrity To detect replay, successive sequence numbers are attached to all sent msgs from p to q Problem with reset If p is reset, unbounded number of fresh messages are discarded by q If q is reset, it can accept unbounded number of replayed messages Two solutions to overcome reset Soft sequence numbers Hard sequence numbers

21. 10/2/200321 Successive sequence numbers are attached to all sent msgs from p to q: (hd | sq | txt) q maintains two variables expsequence number of next msg c#msgs received On receiving a msg, q checks if(exp  sq)  (c = random value cmax) thenq forwards msg elseq discards msg fi;q updates exp, c, cmax Soft Sequence Numbers

22. 10/2/200322 Soft Sequence Numbers qp sq.... (hd | sq | txt) sq+1 exp c cmax sq

23. 10/2/200323 Each sent msg from p to q is as follows (hd | sq | d | txt) where p computes d as d = MD(S | hd | sq | txt) On receiving a msg, q checks if (d = MD(S[0] | hd | sq | txt)  d = MD(S[1] | hd | sq | txt) )  (exp  sq  c = random value cmax) thenq forwards msg elseq discards msg fi;q updates exp, c, cmax Strong Integrity Protocol Using Soft Sequence Numbers

24. 10/2/200324 Hard Sequence Numbers To overcome reset, use two operations SAVE and FETCH When SAVE is executed, the last sequence number will be stored in persistent memory When FETCH is executed, the last stored sequence number will be loaded from persistent memory into memory

25. 10/2/200325 Strong Integrity Protocol Using Hard Sequence Numbers Each sent msg from p to q is as follows (hd | sq | d | txt) where p computes d as d = MD(S | hd | sq | txt) On receiving a msg, q checks if (d = MD(S[0] | hd | sq | txt)  d = MD(S[1] | hd | sq | txt) )  (exp  sq) thenq forwards msg elseq discards msg fi;q updates exp p and q executes SAVE periodically When waking up from a reset, p (or q) executes FETCH to fetch last stored seq#, executes SAVE to store next seq#, and continues after SAVE finishes

26. 10/2/200326 Other Applications of Hop Integrity Mobile IP Secure multicast Security of routing protocols

27. 10/2/200327 Mobile IP A mobile computer c can visit a foreign network F other than its home network H Msgs destined for c will be received by its home agent (HA) and forwarded to its foreign agent (FA) Internet home agent (HA) foreign agent (FA) FH c m m m

28. 10/2/200328 Problem with Mobile IP Mobile computer c can send a msg thru FA However, this msg may be filtered out by next router q because its source address is “strange” Internet home agent (HA) foreign agent (FA) HF c ? q m m

29. 10/2/200329 Mobile IP with Hop Integrity With integrity check d added to msg m, q can check that m was indeed forwarded by FA Thus, q ignores strange source of msg m and forwards m toward its ultimate destination Internet home agent (HA) foreign agent (FA) HF c q m m d d md

30. 10/2/200330 Multicast Multicast msgs are forwarded through a spanning tree from root to every multicast destination If a destination receives a multicast msg, then each destination receives a copy of same msg with high probability

31. 10/2/200331 Multicast Multicast msgs are forwarded through a spanning tree from root to every multicast destination If a destination receives a multicast msg, then each destination receives a copy of same msg with high probability

32. 10/2/200332 Multicast Multicast msgs are forwarded through a spanning tree from root to every multicast destination If a destination receives a multicast msg, then each destination receives a copy of same msg with high probability

33. 10/2/200333 Multicast Multicast msgs are forwarded through a spanning tree from root to every multicast destination If a destination receives a multicast msg, then each destination receives a copy of same msg with high probability

34. 10/2/200334 Security Problem with Multicast If adversary inserts or modifies a multicast msg between two routers in middle of tree, then only a small fraction of multicast destinations receive the inserted or modified msg

35. 10/2/200335 Multicast with Hop Integrity With hop integrity, an inserted or modified multicast message will be detected and discarded at its first hop in the spanning tree

36. 10/2/200336 Routing Information Protocol (RIP) Every 30 seconds, RIP process in router R’ sends its routing table in a response msg to RIP process in each adjacent R R updates its routing table when it receives a response msg from any adjacent R’ Security problem R R RIP UDP IP

37. 10/2/200337 RIP with Hop Integrity With hop integrity, the response msgs are protected against message modification, insertion, and replay R R RIP UDP IP Secret Update Integrity Check Secret Update Integrity Check

38. 10/2/200338 Security of Routing Protocols Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols OSPF protocols (Hello, Exchange, Flood) RSVP Better than custom security mechanisms that have been proposed for some protocols

39. 10/2/200339 Implementation of Hop Integrity Implementation of hop integrity protocols in Linux kernel Add integrity check digest and soft sequence number to IP options in IP header Compatible with legacy routers Flexibility of deployment

40. 10/2/200340 Related Works Ingress filtering [RFC2827]: Completes hop integrity Secure routing [Che97, MB96, SMG97]: Not needed if hop integrity is installed Traceback [BLT01, SWK+01, SPS+01]: Cannot prevent denial-of-service attacks, but can detect some of them IPsec [KA98a]: Has goals other than dealing with denial-of-service attacks

41. 10/2/200341 Next Class Security in transport layer SSL and TLS Application of SSL/TLS in Web security Read Chapter 17