Network Security Dan LI CS Department Tsinghua University
- Slides: 125
Network Security Dan LI CS Department, Tsinghua University 2021/2/25 1
Today’s Lecture
- Overview of Network Security
- Cryptographic hash functions
- User authentication
- SSL
- IPSec & IKE
- Distributed Denial of Service (DDoS)
- Firewall
- Reading List
Motivation https://
Excerpt From “General Terms of Use”
Privacy and Security
What Do You Think
- What do you think should be included in “privacy and security” for an e-commerce website?
Desirable Security Properties
- Authenticity
- Confidentiality
- Integrity
- Availability
- Accountability and non-repudiation
- Freshness
- Access control
- Privacy of collected information
- Integrity of routing and DNS infrastructure
Peek at the Dark Side
What Drives the Attackers?
- Put up a fake financial website, collect users’ logins and passwords, empty out their accounts
- Insert a hidden program into unsuspecting users’ computers, use them to spread spam
- Subvert copy protection, gain access to music and video files
What Drives the Attackers?
- Stage denial of service attacks on websites, extort money
- Wreak havoc, achieve fame and glory in the blackhat community
Network Stack
- people: phishing attacks, usability
- application (email, Web, NFS): Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
- session (RPC): RPC worms, portmapper exploits
- transport (TCP): SYN flooding, RIP attacks, sequence number prediction
- network (IP): IP smurfing and other address spoofing attacks
- data link (802.11): WEP attacks
- physical (RF): RF fingerprinting, DoS
Only as secure as the single weakest layer… or interconnection between the layers
Network Defenses
- End uses (people): password managers, company policies…
- Systems (implementations): firewalls, intrusion detection…
- Blueprints (protocols and policies): TLS, IPsec, access control…
- Building blocks (cryptographic primitives): RSA, DSS, SHA-1…
Correctness versus Security
- System correctness: system satisfies specification
  - For reasonable input, get reasonable output
- System security: system properties preserved in face of attack
  - For unreasonable input, output not completely disastrous
- Main difference: active interference from adversary
Bad News
- Security often not a primary consideration
  - Performance and usability take precedence
- Feature-rich systems may be poorly understood
- Implementations are buggy
  - Buffer overflows are the “vulnerability of the decade”
  - Cross-site scripting and other Web attacks
Bad News
- Networks are more open and accessible than ever
  - Increased exposure, easier to cover tracks
- Many attacks are not even technical in nature
  - Phishing, impersonation, etc.
Better News
- There are a lot of defense mechanisms
  - We’ll study some, but by no means all, in this course
- It’s important to understand their limitations
  - Many security holes are based on misunderstanding
- Security awareness and user “buy-in” help
- Other important factors: usability and economics
Communication on the Internet
[Diagram: Alice sends message M to Bob over the network; the message may arrive as M’]
- Learns M – attack on secrecy
- Changes M – attack on integrity
Integrity vs. Secrecy
- Integrity: attacker cannot tamper with message
- Encryption may not guarantee integrity!
  - Intuition: attacker may be able to modify message under encryption without learning what it is
  - This is recognized by industry standards (e.g., PKCS)
  - Many encryption schemes provide secrecy AND integrity
More on Integrity
[Diagram: BigFirm™ distributes goodFile and publishes hash(goodFile) in The Times; the User may instead receive badFile (VIRUS)]
- Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)
Authentication
[Diagram: two parties communicating over the network]
- Identification and assurance of origin of information
Authentication with Shared Secrets
[Diagram: Alice and Bob share SECRET; Alice sends msg, H(SECRET, msg) to Bob]
- Alice wants to ensure that nobody modifies message in transit (both integrity and authentication)
Hash Functions: Main Idea
[Diagram: hash function H maps messages x, x’, x’’ (bit strings of any length) to “message digests” y, y’ (n-bit strings)]
- H is a lossy compression function
  - Collisions: h(x)=h(x’) for some inputs x, x’
  - Result of hashing should “look random” (make this precise later)
    - Intuition: half of digest bits are “1”; any bit in digest is “1” half the time
- Cryptographic hash function needs a few properties…
One-Way
- Intuition: hash should be hard to invert
  - “Preimage resistance”
  - Let h(x’)=y ∈ {0,1}^n for a random x’
  - Given y, it should be hard to find any x such that h(x)=y
- How hard?
  - Brute-force: try every possible x, see if h(x)=y
  - SHA-1 (common hash function) has 160-bit output
    - Suppose have hardware that’ll do 2^30 trials a pop
    - Assuming 2^34 trials per second, can do 2^89 trials per year
    - Will take 2^71 years to invert SHA-1 on a random image
“Birthday Paradox”
- T people
- Suppose each birthday is a random number taken from K days (K=365) – how many possibilities?
  - K^T (samples with replacement)
Collision Resistance
- Should be hard to find x, x’ such that h(x)=h(x’)
- Brute-force collision search is O(2^(n/2)), not O(2^n)
  - n = number of bits in the output of hash function
  - For SHA-1, this means O(2^80) vs. O(2^160)
- Reason: birthday paradox
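The birthday bound from the two slides above can be checked empirically. This is an added example, not part of the lecture: SHA-256 truncated to n bits stands in for an n-bit hash function, and the function names are illustrative.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, used here as a stand-in n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def collision_probability(t: int, k: int) -> float:
    """P(some value repeats) when t samples are drawn from k equally likely values."""
    p_all_distinct = 1.0
    for i in range(t):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def birthday_collision(bits: int):
    """Hash distinct inputs 0, 1, 2, ... until two of them share a digest.

    Returns (x, x_prime, tries). Expected tries grow like 2^(bits/2),
    not 2^bits, because every new digest is compared with all earlier ones.
    """
    seen = {}
    counter = 0
    while True:
        x = counter.to_bytes(8, "big")
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1


if __name__ == "__main__":
    # T=23 people, K=365 days: already better than even odds of a shared birthday.
    print("P(shared birthday, T=23):", round(collision_probability(23, 365), 4))
    for n in (16, 20, 24):
        x, x_prime, tries = birthday_collision(n)
        print(f"n={n}: collision after {tries} hashes "
              f"(2^(n/2) = {2 ** (n // 2)}, 2^n = {2 ** n})")
```

The same arithmetic is why a 160-bit digest gives only about 80 bits of collision resistance.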
One-Way vs. Collision Resistance
- One-wayness does not imply collision resistance
  - Suppose g is one-way
  - Define h(x) as g(x’) where x’ is x except the last bit
    - h is one-way (to invert h, must invert g)
    - Collisions for h are easy to find: for any x, h(x0)=h(x1)
- Collision resistance does not imply one-wayness
  - Suppose g is collision-resistant
  - Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise
    - Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g
    - h is not one way: half of all y’s (those whose first bit is 0)
Weak Collision Resistance
- Given randomly chosen x, hard to find x’ such that h(x)=h(x’)
  - Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision.
  - Brute-force attack requires O(2^n) time
Which Property Do We Need?
- UNIX passwords stored as hash(password)
  - One-wayness: hard to recover password
- Integrity of software distribution
  - Weak collision resistance
  - But software images are not really random… maybe need full collision resistance
- Auction bidding
  - Alice wants to bid B, sends H(B), later reveals B
  - One-wayness: rival bidders should not recover B
  - Collision resistance: Alice should not be able to change her mind to bid B’ such that H(B)=H(B’)
Common Hash Functions
- MD5
  - 128-bit output
  - Still used very widely
  - Completely broken by now
- RIPEMD-160
  - 160-bit variant of MD-5
- SHA-1 (Secure Hash Algorithm)
  - 160-bit output
  - US government (NIST) standard as of 1993-95
    - Also the hash algorithm for Digital Signature Standard (DSS)
Basic Structure of SHA-1
- Against padding attacks
- Split message into 512-bit blocks
- 160-bit buffer (5 registers) initialized with magic values
- Compression function
  - Applied to each 512-bit block and current 160-bit buffer
  - This is the heart of SHA-1
SHA-1 Compression Function
- Current buffer (five 32-bit registers A, B, C, D, E)
- Current message block
- Four rounds, 20 steps in each
- Fifth round adds the original buffer to the result of 4 rounds
- Buffer contains final hash value
One Step of SHA-1 (80 steps total)
[Figure: one step on registers A, B, C, D, E, with these labels]
- 5-bit bitwise left-rotate
- Logic function ft of B, C, D, a different one for steps 0..19, 20..39, 40..59 and 60..79
- 30-bit bitwise left-rotate
- Wt: multi-level shifting of message blocks
- Kt: special constant added (same value in each 20-step round, 4 different constants altogether)
How Strong Is SHA-1?
- Every bit of output depends on every bit of input
  - Very important property for collision-resistance
- Brute-force inversion requires 2^160 ops, birthday attack on collision resistance requires 2^80 ops
- Some recent weaknesses (2005)
  - Collisions can be found in 2^63 ops
Authentication Without Encryption
[Diagram: Alice and Bob share KEY; Alice sends message, MAC(KEY, message) to Bob]
- MAC: message authentication code
- Bob recomputes MAC and verifies whether it is equal to the MAC attached to the message
HMAC
- Construct MAC by applying a cryptographic hash function to message and key
  - Could also use encryption instead of hashing, but…
  - Hashing is faster than encryption in software
  - Library code for hash functions widely available
  - Can easily replace one hash function with another
  - There used to be US export restrictions on encryption
- Invented by Bellare, Canetti, and Krawczyk (1996)
- Mandatory for IP security, also used in
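The construction behind the two slides above, written out as an added example (not code from the lecture): HMAC built by hand as two nested hash calls with padded keys, checked against Python's standard `hmac` module, followed by Bob's verification step. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac


def hmac_by_hand(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        # Keys longer than one hash block are hashed down first.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")          # K': key padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def send(key: bytes, message: bytes):
    """Alice: transmit (message, MAC(KEY, message))."""
    return message, hmac_by_hand(key, message)


def receive(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob: recompute the MAC and compare it with the attached one.

    compare_digest takes the same time wherever the first mismatch is,
    so the comparison does not leak how many leading bytes were right.
    """
    return hmac.compare_digest(hmac_by_hand(key, message), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg, tag = send(key, b"transfer 10 to bob")
    print("genuine :", receive(key, msg, tag))
    print("tampered:", receive(key, b"transfer 99 to bob", tag))
    print("matches library:",
          hmac_by_hand(key, msg) == hmac.new(key, msg, hashlib.sha256).digest())
```

Changing `hash_name` swaps the underlying hash without touching the construction, which is the "easily replace one hash function with another" point on the slide.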
Basic Problem
- How do you prove to someone that you are who you claim to be?
- Any system with access control must solve this problem
Many Ways to Prove Who You Are
- What you know
  - Passwords
  - Secret key
- Where you are
  - IP address
- What you are
  - Biometrics
- What you have
  - Secure tokens
Password-Based Authentication
- User has a secret password.
  - System checks it to authenticate the user.
- How is the password communicated?
  - Eavesdropping risk
- How is the password stored?
  - In the clear? Encrypted? Hashed?
Other Aspects
- Usability
  - Hard-to-remember passwords?
  - Carry a physical object all the time?
- Denial of service
  - Stolen wallet
  - Attacker tries to authenticate as you, account locked after three failures
  - “Suspicious” credit card usage
Passwords in the Real World [PasswordResearch.com]
- From high school pranks…
  - Student in Tyler changes school attendance records
  - Students in California change grades
    - Different authentication for network login and grade system, but teachers were using the same password (very common)
- …to serious cash
  - English accountant uses co-workers’ password to steal $17 million for gambling
- …to identity theft
  - Helpdesk employee uses passwords of a credit card database to sell credit reports to Nigerian scammers
Passwords and Computer Security
- First step after any successful intrusion: install sniffer or keylogger to steal more passwords
- Second step: run cracking tools on password files
  - Usually on other hijacked computers
- In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking
UNIX-Style Passwords
[Diagram: user enters the password “cypherpunk”; the system applies a hash function and compares the result with the entries in the password file]
Password Hashing
- Instead of user password, store H(password)
- When user enters password, compute its hash and compare with entry in password file
  - System does not store actual passwords!
  - Difficult to go from hash to password!
    - Do you see why hashing is better than encryption here?
UNIX Password System
- Uses DES encryption as if it were a hash function
  - Encrypt NULL string using password as the key
    - Truncates passwords to 8 characters!
  - Artificial slowdown: run DES 25 times (why?)
  - Can instruct modern UNIXes to use MD5 hash function
- Problem: passwords are not truly random
  - With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
  - Humans like to use dictionary words, human and pet names ≈ 1 million common passwords
Dictionary Attack
- Password file /etc/passwd is world-readable
  - Contains user IDs and group IDs which are used by many system programs
- Dictionary attack is possible because many passwords come from a small dictionary
  - Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once!!
Salt
/etc/passwd entry: shmat:fURxfg,4hLBX:14510:30:Vitaly:/u/shmat:/bin/csh
- The password field holds the salt (chosen randomly when password is first set) and hash(salt, pwd)
Advantages of Salting
- Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries
  - Same hash function on all UNIX machines; identical passwords hash to identical values
  - One table of hash values works for all password files
- With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password
  - With 12-bit random salt, same password can hash to 4096 different hash values
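What salting changes for a password audit, as an added example (not from the lecture). SHA-256 stands in for the UNIX DES-based hash, and the users, passwords and dictionary are constructed sample data.

```python
import hashlib
import secrets

SALT_BITS = 12  # salt size quoted on the slide: 2^12 = 4096 values

# Constructed sample data: two users share a dictionary password.
DICTIONARY = ["password", "popcorn", "goblue", "Kevin123"]
SAMPLE_USERS = {"alice": "popcorn", "bob": "popcorn", "carol": "x9!Lq#27vT"}


def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: int) -> str:
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def new_salt() -> int:
    """Salt chosen randomly when the password is first set."""
    return secrets.randbelow(1 << SALT_BITS)


def precomputed_table(dictionary):
    """Built once; reusable against every unsalted password file."""
    return {unsalted(word): word for word in dictionary}


def audit_unsalted(table, password_file):
    """password_file: {user: hash}. Pure lookups, no hashing at audit time."""
    return {u: table[h] for u, h in password_file.items() if h in table}


def audit_salted(dictionary, password_file):
    """password_file: {user: (salt, hash)}.

    The dictionary must be re-hashed for every distinct salt in the file.
    Returns (weak passwords found, number of hash computations spent).
    """
    found, computed, per_salt = {}, 0, {}
    for user, (salt, digest) in password_file.items():
        if salt not in per_salt:
            per_salt[salt] = {salted(w, salt): w for w in dictionary}
            computed += len(dictionary)
        if digest in per_salt[salt]:
            found[user] = per_salt[salt][digest]
    return found, computed


if __name__ == "__main__":
    plain = {u: unsalted(p) for u, p in SAMPLE_USERS.items()}
    print("same unsalted hash for alice and bob:", plain["alice"] == plain["bob"])
    print("table lookup finds:", audit_unsalted(precomputed_table(DICTIONARY), plain))

    with_salt = {}
    for user, pwd in SAMPLE_USERS.items():
        s = new_salt()
        with_salt[user] = (s, salted(pwd, s))
    found, cost = audit_salted(DICTIONARY, with_salt)
    print("salted audit finds:", found, "after", cost, "hash computations")
```

Salt removes the shared table and hides which users chose the same password; a password that is in the dictionary is still found, only at a per-salt cost.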
Shadow Passwords
/etc/passwd entry: shmat:x:14510:30:Vitaly:/u/shmat:/bin/csh
- Hashed password is not stored in a world-readable file
How People Use Passwords
- Write them down
- Use a single password at multiple sites
  - Do you use the same password for Amazon and your bank account? UT Direct? Do you remember them all?
- Make passwords easy to remember
  - “password”, “Kevin123”, “popcorn”
- Some services use “secret questions” to reset passwords
  - “What is your favorite pet’s name?”
  - Paris Hilton’s T-Mobile cellphone hack
Password Surveys
- Klein (1990) and Spafford (1992)
  - 2.7% guessed in 15 minutes, 21% in a week
  - Sounds Ok? Not if passwords last 30 days or more!
  - Much more computing power is available now!
- U. of Michigan: 5% of passwords were “goblue”
  - How many passwords on this campus involve “orange”, “horns”, etc.?
Memorability vs. Security [Ross Anderson]
- One bank’s idea for making PINs “memorable”
  - If PIN is 2256, write your favorite word in the grid
  - Fill the rest with random letters
- Normally 9,999 choices for PIN – hard to guess
- Now only a few dozen possible English words – easy to guess!
Heuristics for Guessing Attacks
- Dictionary with words spelled backwards
- First and last names, streets, cities
- Same with upper-case initials
- All valid license plate numbers in your state
- Room numbers, telephone numbers, etc.
- Letter substitutions and other tricks
  - If you can think of it, attacker will, too
Social Engineering
- Univ. of Sydney study (1996)
  - 336 CS students emailed asking for their passwords
    - Pretext: “validate” password database after suspected break-in
  - 138 returned their passwords; 30 returned invalid passwords; 200 reset passwords (not disjoint)
- Treasury Dept. report (2005)
  - Auditors pose as IT personnel attempting to correct a “network problem”
  - 35 of 100 IRS managers and employees provide their usernames and change passwords to a known value
- Other examples: Mitnick’s “Art of Deception”
Strengthening Passwords
- Add biometrics
  - For example, keystroke dynamics or voiceprint
  - Revocation is often a problem with biometrics
- Graphical passwords
  - Goal: increase the size of memorable password space
- Rely on the difficulty of computer vision
  - Face recognition is easy for humans, hard for machines
  - Present user with a sequence of faces, he must pick the right face several times in a row to log in
Graphical Passwords
- Images are easy for humans to remember
  - Especially if you invent a memorable story to go along with the images
- Dictionary attacks on graphical passwords are believed to be difficult
  - Images are very “random” (is this true?)
- Still not a perfect solution
  - Need infrastructure for displaying and storing images
  - Shoulder surfing
Layers of Security
SSL Record Protocol Services
- SSL Record Protocol provides two services.
- Message integrity
  - using a MAC with a shared secret key
  - similar to HMAC but with different padding
  - hash functions: MD5, SHA-1
- Message confidentiality
  - using symmetric encryption with a shared secret key
  - Encryption algorithms: AES, IDEA, RC2-40, DES, 3DES, RC4-40, RC4-128
SSL Handshake Protocol
- Allows server & client to:
  - authenticate each other
  - to negotiate encryption & MAC algorithms and keys
- Comprises a series of messages exchanged in phases:
  1. Establish Security Capabilities (to agree on encryption, MAC, and key-exchange algorithms)
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4. Finish
Client Hello
- Protocol version
  - SSLv3 (major=3, minor=0)
  - TLS (major=3, minor=1)
- Random Number
  - 32 bytes
  - First 4 bytes, time of the day in seconds, other 28 bytes random
  - Prevents replay attack
- Session ID
  - 32 bytes – indicates the use of previous cryptographic material
- Compression algorithm
Client Hello - Cipher Suites
Cipher suite codes used in SSL messages; each name gives the public-key algorithm, the symmetric algorithm and the hash algorithm:
- SSL_NULL_WITH_NULL = { 0, 0 } (initial (null) cipher suite)
- SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
- SSL_RSA_WITH_NULL_SHA = { 0, 2 }
- SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
- SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
- SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
- SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
- SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
- SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }
Server Hello
- Version
- Random Number
  - Protects against handshake replay
- Session ID
  - Provided to the client for later resumption of the session
- Cipher suite
  - Usually picks client’s best preference – No obligation
- Compression method
Certificates
- Sequence of X.509 certificates
  - Server’s, CA’s, …
- X.509 Certificate associates public key with identity
- Certification Authority (CA) creates certificate
  - Adheres to policies and verifies identity
  - Signs certificate
- User of Certificate must ensure it is valid
SMU CSE 5349/7349
Validating a Certificate
- Must recognize accepted CA in certificate chain
  - One CA may issue certificate for another CA
- Must verify that certificate has not been revoked
  - CA publishes Certificate Revocation List (CRL)
Client Key Exchange
- Premaster secret
  - Created by client; used to “seed” calculation of encryption parameters
  - 2 bytes of SSL version + 46 random bytes
  - Sent encrypted to server using server’s public key
- This is where the attack happened in SSLv2
Change Cipher Spec & Finished Messages
- Change Cipher Spec
  - Switch to newly negotiated algorithms and key material
- Finished
  - First message encrypted with new crypto parameters
  - Digest of negotiated master secret, the ensemble of handshake messages, sender constant
  - HMAC approach of nested hashing
SSL Encryption
- Master secret
  - Generated by both parties from premaster secret and random values generated by both client and server
- Key material
  - Generated from the master secret and shared random values
- Encryption keys
  - Extracted from the key material
Generating the Master Secret
- Server’s public key is sent by server in ServerKeyExchange
- Client generates the premaster secret, encrypts with public key of server
- Client sends premaster secret in Client Key Exchange
- [Figure labels on the other inputs: sent by server in ServerHello; sent by client in ClientHello]
- Master secret is 3 MD5 hashes concatenated together = 384 bits
Generation of Key Material
- Just like forming the master secret, except the master secret is used here instead of the premaster secret
Obtaining Keys from the Key Material
- Secret values included in message authentication codes
- Symmetric keys
- Initialization vectors for DES CBC encryption
SSL Record Protocol
Record Header
- Three pieces of information
  - Content type
    - Application data
    - Alert
    - Handshake
    - Change_cipher_spec
  - Content length
    - Suggests when to start processing
  - SSL version
    - Redundant check for version agreement
Protocol (cont’d)
- Max. record length 2^14 – 1
- MAC
  - Data
  - Headers
  - Sequence number
    - To prevent replay and reordering attack
    - Not included in the record
SSL Session and Connection
- SSL was designed to work with HTTP 1.0 which tended to open a lot of TCP connections between the same client and server.
- SSL assumes a session is a relatively long-lived thing from which many (transient) connections can be cheaply derived.
- 1 session = 1 or more connections
SSL Overhead
- 2-10 times slower than a TCP session
- Where do we lose time
  - Handshake phase
    - Client does public-key encryption
    - Server does private-key encryption (still public-key cryptography)
    - Usually clients have to wait on servers to finish
  - Data Transfer phase
    - Symmetric key encryption
SSL Applications
- HTTP – original application
- Secure mail
  - Server to client connection
  - SMTP/SSL?
- Telnet, ftp..
- Resources: http://www.openssl.org/related/apps.html
IPsec: Network Layer Security
IPsec = AH + ESP + IPcomp + IKE
- AH and ESP: protection for IP traffic; AH provides integrity and origin authentication, ESP also confidentiality
- IPcomp: compression
- IKE: sets up keys and algorithms for AH and ESP
IPsec Security Services
- Authentication and integrity for packet sources
  - Ensures connectionless integrity (for a single packet) and partial sequence integrity (prevent packet replay)
- Confidentiality (encapsulation) for packet contents
  - Also partial protection against traffic analysis
IPsec Modes
- Transport mode
  - Used to deliver traffic from host to host or from host to gateway
  - End-to-end across networks or within same network
- Tunnel mode
  - Used to deliver traffic from gateway to gateway or from host to gateway
  - Usually gateways are owned by the same organization
    - With an insecure network in the middle
IPsec in Transport Mode
- End-to-end security between two hosts
  - Typically, client to gateway (e.g., PC to remote host)
- Requires IPsec support at each host
IPsec in Tunnel Mode
[Diagram label: “Implements IPsec”]
- IPsec protects communication on the insecure part of the network
Transport Mode vs. Tunnel Mode
- Transport mode secures packet payload and leaves IP header unchanged
  - IP header (real dest) | IPsec header | TCP/UDP header + data
- Tunnel mode encapsulates both IP header and payload into IPsec packets
  - IP header (gateway) | IPsec header | IP header (real dest) | TCP/UDP header + data
Security Association (SA)
- One-way sender-recipient relationship
  - Two SAs required for a two-way conversation
- SA determines how packets are processed
  - Cryptographic algorithms, keys, IVs, lifetimes, sequence numbers, mode (transport or tunnel) – read textbook!
AH: Authentication Header
- Sender authentication
- Integrity for packet contents and IP header
- Sender and receiver must share a secret key
  - This key is used in HMAC computation
  - The key is set up by IKE key establishment protocol and recorded in the Security Association (SA)
  - SA also records protocol being used (AH) and mode (transport or tunnel) plus hashing algorithm used
    - MD5 or SHA-1 supported as hashing algorithms
IP Headers
[Figure: IP header fields (Version, Header Length, TOS, Packet length, Packet Id, Flags, Fragment offset, TTL, Protocol number, Checksum, Source IP address, Destination IP address, Options), each marked as immutable, mutable or predictable]
Prevention of Replay Attacks
- When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet
  - If wraps around 2^32-1, new SA must be established
- Recipient maintains a sliding 64-bit window
  - If a packet with high sequence number is received, do not advance window until packet is authenticated
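The recipient-side logic from the slide above, as an added example (not from the lecture or any IPsec implementation). HMAC-SHA-256 over the sequence number and payload stands in for the AH integrity check, and the class, function names and key are illustrative.

```python
import hashlib
import hmac

WINDOW_SIZE = 64         # sliding window width from the slide
MAX_SEQ = 2 ** 32 - 1    # 32-bit counter; a new SA is required before it wraps


class ReplayWindow:
    """Receiver state for one security association."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number that passed authentication
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def acceptable(self, seq: int) -> bool:
        """Cheap check made before the MAC is verified. Changes no state."""
        if seq < 1 or seq > MAX_SEQ:     # counter starts at 0, first packet carries 1
            return False
        if seq > self.top:               # ahead of the window: decide after the MAC
            return True
        offset = self.top - seq
        if offset >= self.size:          # fell off the left edge: too old to track
            return False
        return ((self.bitmap >> offset) & 1) == 0

    def mark(self, seq: int) -> None:
        """Record seq as seen. Call only for packets that passed the MAC check."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def receive(window: ReplayWindow, key: bytes, seq: int, payload: bytes, tag: bytes) -> str:
    if not window.acceptable(seq):
        return "replayed-or-stale"
    if not hmac.compare_digest(mac(key, seq, payload), tag):
        return "bad-mac"                 # window untouched by unauthenticated packets
    window.mark(seq)
    return "accepted"


if __name__ == "__main__":
    key, w = b"constructed-sa-key", ReplayWindow()
    for seq in (1, 1, 3, 2):
        print(seq, receive(w, key, seq, b"data", mac(key, seq, b"data")))
    # A forged packet with a huge sequence number must not slide the window.
    print(1000, receive(w, key, 1000, b"data", b"\x00" * 32), "top =", w.top)
    print(4, receive(w, key, 4, b"data", mac(key, 4, b"data")))
```

If `mark` ran before the MAC check, one forged packet with a high sequence number would push the window past every legitimate packet still in flight.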
ESP: Encapsulating Security Payload
- Adds new header and trailer fields to packet
- Transport mode
  - Confidentiality of packet between two hosts
  - Complete hole through firewalls
  - Used sparingly
- Tunnel mode
  - Confidentiality of packet between two gateways or a host and a gateway
  - Implements VPN tunnels
ESP Security Guarantees
- Confidentiality and integrity for packet payload
  - Symmetric cipher negotiated as part of security assoc
- Optionally provides authentication (similar to AH)
- Can work in transport…
  - Original IP header | ESP header | TCP/UDP segment | ESP trailer | ESP auth
- …or tunnel mode
  - New IP header | ESP header | Original IP header | TCP/UDP segment | ESP trailer | ESP auth
- [The figure marks the encrypted and the authenticated portions of each packet]
Secure Key Establishment
- Goal: generate and agree on a session key using some public initial information
- What properties are needed?
  - Authentication (know identity of other party)
  - Secrecy (generated key not known to any others)
  - Forward secrecy (compromise of one session key does not compromise keys in other sessions)
  - Prevent replay of old key material
  - Prevent denial of service
  - Protect identities from eavesdroppers
Key Management in IPsec
- Manual key management
  - Keys and parameters of crypto algorithms exchanged offline (e.g., by phone), security associations established by hand
- Pre-shared symmetric keys
  - New session key derived for each session by hashing pre-shared key with session-specific nonces
  - Standard symmetric-key authentication and encryption
- Online key establishment
  - Internet Key Exchange (IKE) protocol
  - Use Diffie-Hellman to derive shared symmetric key
IKE Overview
- Goal: create security association between 2 hosts
  - Shared encryption and authentication keys, agreement on crypto algorithms
- Two phases: 1st phase establishes security association (IKE-SA) for the 2nd phase
  - Always by authenticated Diffie-Hellman (expensive)
- 2nd phase uses IKE-SA to create actual security association (child-SA) to be used by AH and ESP
  - Use keys derived in the 1st phase to avoid DH exchange
  - Can be executed cheaply in “quick” mode
IKE Genealogy
- Diffie-Hellman (1976)
- Station-to-Station (Diffie, van Oorschot, Wiener 1992): + authentication, identity protection
- Photuris (Karn, Simpson 1994-99): + defense against denial of service
- Oakley (Orman 1998): + compatibility with ISAKMP
- ISAKMP (NSA 1998): “generic” protocol for establishing security associations + defense against replay
- IKE (Cisco 1998)
- IKEv2 (Internet standard December 2005)
Design Objectives
- Shared secret
  - Create and agree on a secret which is known only to protocol participants
- Authentication
  - Participants need to verify each other’s identity
- Identity protection
  - Eavesdropper should not be able to infer participants’ identities by observing protocol execution
- Protection against denial of service
  - Malicious participant should not be able to exploit the protocol to cause the other party to waste resources
IKE: Phase One
[Message exchange between initiator I and responder R]
- I → R: g^a mod p, crypto proposal, Ni
- Optional: R refuses 1st message and demands return of stateless cookie; I then sends CookieR, g^a mod p, crypto proposal, Ni
- R → I: g^b mod p, crypto accepted, Nr
- Both switch to K=f(Ni, Nr, crypto, g^ab mod p)
- I → R: EncK(“I”, sigI(m1-4), [cert], child-SA)
- R → I: EncK(“R”, sigR(m1-4), [cert], child-SA)
- Initiator reveals identity first
  - Prevents “polling” attacks where attacker initiates IKE connections to find out who lives at an IP addr
- Instead of running 2nd phase, “piggyback” establishment of child-SA on initial exchange
IKE: Phase Two (Create Child-SA)
- After Phase One, I and R share key K
- I → R: EncK(proposal, Ni, [g^a mod p], traffic)
- R → I: EncK(proposal, Nr, [g^b mod p], traffic)
- Figure labels on the message fields:
  - Crypto suites, protocol (AH, ESP or IPcomp)
  - Optional re-key using old DH value and fresh nonces
  - IP address range, ports, protocol id
- Can run this several times to create multiple SAs
Other Aspects of IKE
- Interaction with other network protocols
  - How to run IPsec through NAT (Network Address Translation) gateways?
- Error handling
  - Very important! Bleichenbacher attacked SSL by cryptanalyzing error messages from an SSL server
- Protocol management
  - Dead peer detection, rekeying, etc.
- Legacy authentication
  - What if one of the parties doesn’t have a public key?
Current State of IPsec
- Best currently existing VPN standard
  - For example, used in Cisco PIX firewall, many remote access gateways
- IPsec has been out for a few years, but wide deployment has been hindered by complexity
  - ANX (Automotive Networking eXchange) uses IPsec to implement a private network for the Big 3 auto manufacturers and their suppliers
Background Information: Denial of Service Attacks
- Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources.
- DoS Attacks Affect:
  - Software Systems
  - Network Routers/Equipment/Servers and End-User PCs
DoS Shortfalls
- DoS attacks are unable to attack large bandwidth websites – one upstream client cannot generate enough bandwidth to cripple major megabit websites.
- New distributed server architecture makes it harder for one DoS to take down an entire site.
- New software protections neutralize existing DoS attacks quickly
Distributed Denial of Service Attacks
- What is a Distributed Denial of Service Attack?
- A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.
DDoS Architecture
[Diagram: Client, Handlers, Agents]
Why are these attacks easy?
- Internet built around end-to-end principle:
  - Most functions done by end hosts.
  - Examples: reliable delivery.
- Advantages:
  - Simplifies network core.
    - Example: IP packet forwarding.
    - Example: it’s easy to start an ISP.
  - Anyone can introduce new services.
- Result: lots of innovation.
Why is defense hard?
- End-to-end principle conflicts with:
  - Centralized control.
  - Centralized monitoring.
  - Separation of data from control traffic.
  - Mandatory authentication.
  - Mandatory accounting.
Widely Used DDoS Programs
- Trinoo
- Tribe Flood Network
- TFN2K
- stacheldraht (barbed wire)
Common DDoS Countermeasures
- Prevent Initial Hack
- Use of Firewalls and Demilitarized Zone
- Check Ingress/Egress Packets
- Use a server farm and load balancer to offset the effects of a DDoS attack
- Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users)
- Change IP address of attacked system (problem for updating legitimate users of new system IP address)
DDoS Protection Environment
- Linux Kernel (immune to TARGA & teardrop)
- Linux Virtual Server (provides balancing algorithms)
  - NAT via load balancer (translates incoming traffic before it hits the server).
  - Direct Routing Request Dispatching (allows MAC addresses to directly communicate with the server, bypassing the load balancer).
  - IP Tunneling
- Firewall – packet filtering
- Class Based Queuing (assigns repetitive packets to smaller queue freeing up queue space for legitimate users)
- Traffic Monitor
Conceptual Model for Defending Against DDoS Attacks
- Suitable technological solutions in the Internet and suitable incentives upon the users of the Internet.
- Economic incentives for Internet users to cooperate
- Technical solutions must work together with consistent incentive.
Protect us from DDoS Attacks
- Raise the bar:
  - Improve host security.
  - Make it hard to fake IP addresses
- Experiment with RON-like and peer-to-peer architectures.
What is a Firewall?
- A firewall is hardware, software, or a combination of both.
- Used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer

Rules Determine: WHO? WHEN? WHAT? HOW? [Figure: My PC, Internet, Firewall, Protected Network]

Hardware vs. Software Firewalls
- Hardware Firewalls
  - Protect an entire network
  - Implemented on the router level
  - Usually more expensive, harder to configure
- Software Firewalls
  - Protect a single computer
  - Usually less expensive, easier to configure

How does a software firewall work?
- Inspects each individual “packet” of data as it arrives at either side of the firewall
- Inbound to or outbound from your computer
- Determines whether it should be allowed to pass through or if it should be blocked

Firewall Rules
- Allow – traffic that flows automatically because it has been deemed as “safe” (Ex. Meeting Maker, Eudora, etc.)
- Block – traffic that is blocked because it has been deemed dangerous to your computer
- Ask – asks the user whether or not the traffic is allowed to pass through

What a personal firewall can do
- Stop hackers from accessing your computer
- Protects your personal information
- Blocks “pop up” ads and certain cookies
- Determines which programs can access the Internet

What a personal firewall cannot do
- Cannot prevent e-mail viruses
  - Only an antivirus product with updated definitions can prevent e-mail viruses
- After setting it initially, you can forget about it
  - The firewall will require periodic updates to the rulesets and the software itself

Considerations when using personal firewall software
- If you did not initiate an action and your firewall picks up something, you should most likely deny it and investigate it
- It’s a learning process (Ex. Spooler Subsystem App)
- If you notice you cannot do something you did prior to the installation, there is a good chance it might be because of your firewall

Examples of personal firewall software
- ZoneAlarm <www.zonelabs.com>
- BlackICE Defender <http://blackice.iss.net>
- Tiny Personal Firewall <www.tinysoftware.com>
- Norton Personal Firewall <www.symantec.com>

Windows XP Firewall
- Currently *not* enabled by default
- Enable under Start -> Settings -> Control Panel
- Select Local Area Connection
- Select the Properties button
- Click the “Advanced” tab

Final Firewall Notes
- Rule Management
- Default Allow vs. Default Deny
- Firewalls do NOT Solve the Entire Problem

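
The per-packet decision, the Allow / Block / Ask actions and the "Default Allow vs. Default Deny" choice from the firewall slides, put together as an added Python example that is not part of the lecture. The rule format, the ruleset and the sample packets are constructed for illustration.

```python
# Added example: first-match packet filter with a configurable default policy.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str           # "allow", "block" or "ask"
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "any"
    remote: str           # CIDR the remote address must fall in
    port: Optional[int]   # destination port, None matches any port


def decide(rules, default, pkt):
    """First matching rule wins; `default` applies when nothing matches."""
    addr = ipaddress.ip_address(pkt["remote"])
    for r in rules:
        if (r.direction == pkt["dir"]
                and r.proto in ("any", pkt["proto"])
                and addr in ipaddress.ip_network(r.remote)
                and r.port in (None, pkt["port"])):
            return r.action
    return default


RULES = [  # constructed ruleset for a single workstation
    Rule("block", "in", "tcp", "0.0.0.0/0", 23),      # telnet from anywhere
    Rule("allow", "out", "tcp", "0.0.0.0/0", 443),    # outbound HTTPS
    Rule("allow", "in", "tcp", "192.0.2.0/24", 22),   # SSH from admin subnet
    Rule("ask", "out", "tcp", "0.0.0.0/0", 25),       # a program sending mail
]

PACKETS = [  # constructed traffic
    {"dir": "out", "proto": "tcp", "remote": "203.0.113.5", "port": 443},
    {"dir": "in", "proto": "tcp", "remote": "192.0.2.7", "port": 22},
    {"dir": "in", "proto": "tcp", "remote": "198.51.100.9", "port": 22},
    {"dir": "out", "proto": "tcp", "remote": "203.0.113.8", "port": 25},
    {"dir": "in", "proto": "udp", "remote": "198.51.100.9", "port": 161},
]


def compare():
    """Verdict per packet as (default deny, default allow)."""
    return [(decide(RULES, "block", p), decide(RULES, "allow", p))
            for p in PACKETS]


if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, compare()):
        print(pkt, verdicts)
```

The two policies disagree only on the third and fifth packets, the ones no rule anticipated: under default deny they are blocked, under default allow they pass.
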
Q&A