Network Security Dan LI CS Department Tsinghua University

  • Slides: 125
Network Security Dan LI CS Department, Tsinghua University 2021/2/25 1


Today’s Lecture
  • Overview of Network Security
  • Cryptographic hash functions
  • User authentication
  • SSL
  • IPSec & IKE
  • Distributed Denial of Service (DDoS)
  • Firewall
  • Reading List

Motivation
  https://

Excerpt From “General Terms of Use”

Privacy and Security

What Do You Think
  • What do you think should be included in “privacy and security” for an e-commerce website?

Desirable Security Properties
  • Authenticity
  • Confidentiality
  • Integrity
  • Availability
  • Accountability and non-repudiation
  • Freshness
  • Access control
  • Privacy of collected information
  • Integrity of routing and DNS infrastructure

Peek at the Dark Side

What Drives the Attackers?
  • Put up a fake financial website, collect users’ logins and passwords, empty out their accounts
  • Insert a hidden program into unsuspecting users’ computers, use them to spread spam
  • Subvert copy protection, gain access to music and video files

What Drives the Attackers?
  • Stage denial of service attacks on websites, extort money
  • Wreak havoc, achieve fame and glory in the blackhat community

Network Stack
  • people: phishing attacks, usability
  • application (email, Web, NFS): Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
  • session: RPC worms, portmapper exploits
  • transport: TCP SYN flooding, RIP attacks, sequence number prediction
  • network (IP): IP smurfing and other address spoofing attacks
  • data link (802.11): WEP attacks
  • physical (RF): RF fingerprinting, DoS
  Only as secure as the single weakest layer… or interconnection between the layers

Network Defenses
  • End uses: People (password managers, company policies…)
  • Implementations: Systems (firewalls, intrusion detection…)
  • Blueprints: Protocols and policies (TLS, IPsec, access control…)
  • Building blocks: Cryptographic primitives (RSA, DSS, SHA-1…)

Correctness versus Security
  • System correctness: system satisfies specification
      - For reasonable input, get reasonable output
  • System security: system properties preserved in face of attack
      - For unreasonable input, output not completely disastrous
  • Main difference: active interference from adversary

Bad News
  • Security often not a primary consideration
      - Performance and usability take precedence
  • Feature-rich systems may be poorly understood
  • Implementations are buggy
      - Buffer overflows are the “vulnerability of the decade”
      - Cross-site scripting and other Web attacks

Bad News
  • Networks are more open and accessible than ever
      - Increased exposure, easier to cover tracks
  • Many attacks are not even technical in nature
      - Phishing, impersonation, etc.

Better News
  • There are a lot of defense mechanisms
      - We’ll study some, but by no means all, in this course
  • It’s important to understand their limitations
      - Many security holes are based on misunderstanding
  • Security awareness and user “buy-in” help
  • Other important factors: usability and economics

Today’s Lecture
  • Overview of Network Security
  • Cryptographic hash functions
  • User authentication
  • SSL
  • IPSec & IKE
  • Distributed Denial of Service (DDoS)
  • Firewall
  • Reading List

Communication on the Internet
  [Diagram: Alice sends M to Bob over the network; the message on the network is shown as M and M’]
  • Learns M – attack on secrecy
  • Changes M – attack on integrity

Integrity vs. Secrecy
  • Integrity: attacker cannot tamper with message
  • Encryption may not guarantee integrity!
      - Intuition: attacker may be able to modify message under encryption without learning what it is
      - This is recognized by industry standards (e.g., PKCS)
      - Many encryption schemes provide secrecy AND integrity

More on Integrity
  [Diagram labels: VIRUS, badFile, goodFile, The Times, BigFirm™, hash(goodFile), User]
  • Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

Authentication
  [Diagram: network]
  • Identification and assurance of origin of information

Authentication with Shared Secrets
  [Diagram: Alice and Bob hold SECRET; the message sent is msg, H(SECRET, msg)]
  • Alice wants to ensure that nobody modifies message in transit (both integrity and authentication)

Hash Functions: Main Idea
  [Diagram: hash function H maps a message x (bit strings of any length) to a “message digest” y (n-bit strings); further points x’, x’’ and y’ are shown]
  • H is a lossy compression function
      - Collisions: h(x)=h(x’) for some inputs x, x’
      - Result of hashing should “look random” (make this precise later)
          - Intuition: half of digest bits are “1”; any bit in digest is “1” half the time
  • Cryptographic hash function needs a few properties…

One-Way
  • Intuition: hash should be hard to invert
      - “Preimage resistance”
      - Let h(x’)=y ∈ {0,1}^n for a random x’
      - Given y, it should be hard to find any x such that h(x)=y
  • How hard?
      - Brute-force: try every possible x, see if h(x)=y
      - SHA-1 (common hash function) has 160-bit output
          - Suppose have hardware that’ll do 2^30 trials a pop
          - Assuming 2^34 trials per second, can do 2^89 trials per year
          - Will take 2^71 years to invert SHA-1 on a random image

“Birthday Paradox”
  • T people
  • Suppose each birthday is a random number taken from K days (K=365) – how many possibilities?
      - K^T (samples with replacement)

Collision Resistance
  • Should be hard to find x, x’ such that h(x)=h(x’)
  • Brute-force collision search is O(2^(n/2)), not O(2^n)
      - n = number of bits in the output of hash function
      - For SHA-1, this means O(2^80) vs. O(2^160)
  • Reason: birthday paradox

One-Way vs. Collision Resistance
  • One-wayness does not imply collision resistance
      - Suppose g is one-way
      - Define h(x) as g(x’) where x’ is x except the last bit
          - h is one-way (to invert h, must invert g)
          - Collisions for h are easy to find: for any x, h(x0)=h(x1)
  • Collision resistance does not imply one-wayness
      - Suppose g is collision-resistant
      - Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise
          - Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g
          - h is not one way: half of all y’s (those whose first bit is 0)

Weak Collision Resistance
  • Given randomly chosen x, hard to find x’ such that h(x)=h(x’)
      - Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision.
      - Brute-force attack requires O(2^n) time
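
The gap between the O(2^(n/2)) brute-force cost for collision resistance and the O(2^n) cost for weak collision resistance can be measured on a small scale. The following is an added example, not part of the lecture slides; it assumes a toy n-bit hash made by truncating SHA-256, and the function names are hypothetical.

```python
import hashlib
import itertools


def toy_hash(data: bytes, n_bits: int) -> int:
    """Toy n-bit hash (assumption for the demo): top n_bits of SHA-256(data)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int):
    """Collision resistance: find ANY pair x != x' with h(x) == h(x').

    Every digest seen so far is remembered, so by the birthday paradox a
    repeat is expected after roughly 2**(n_bits/2) trials.
    Returns (x, x_prime, trials).
    """
    seen = {}
    for trials in itertools.count(1):
        x = b"c" + trials.to_bytes(8, "big")
        h = toy_hash(x, n_bits)
        if h in seen:
            return seen[h], x, trials
        seen[h] = x


def find_second_preimage(target: bytes, n_bits: int):
    """Weak collision resistance: find x' != target with h(x') == h(target).

    The digest to hit is fixed in advance, so each trial succeeds with
    probability 2**-n_bits and about 2**n_bits trials are expected.
    Returns (x_prime, trials).
    """
    goal = toy_hash(target, n_bits)
    for trials in itertools.count(1):
        x = b"p" + trials.to_bytes(8, "big")
        if x != target and toy_hash(x, n_bits) == goal:
            return x, trials


if __name__ == "__main__":
    # Constructed comparison for small n; real digests (n = 160 for SHA-1)
    # follow the same two growth rates.
    print(f"{'n':>3} {'2^(n/2)':>8} {'collision':>10} {'2^n':>8} {'2nd preimage':>13}")
    for n in (8, 12, 16):
        _, _, c_trials = find_collision(n)
        _, p_trials = find_second_preimage(b"goodFile", n)
        print(f"{n:>3} {2 ** (n // 2):>8} {c_trials:>10} {2 ** n:>8} {p_trials:>13}")
```

Each extra output bit doubles the second-preimage work but adds only a factor of about 1.4 to the collision search.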

Which Property Do We Need?
  • UNIX passwords stored as hash(password)
      - One-wayness: hard to recover password
  • Integrity of software distribution
      - Weak collision resistance
      - But software images are not really random… maybe need full collision resistance
  • Auction bidding
      - Alice wants to bid B, sends H(B), later reveals B
      - One-wayness: rival bidders should not recover B
      - Collision resistance: Alice should not be able to change her mind to bid B’ such that H(B)=H(B’)

Common Hash Functions
  • MD5
      - 128-bit output
      - Still used very widely
      - Completely broken by now
  • RIPEMD-160
      - 160-bit variant of MD-5
  • SHA-1 (Secure Hash Algorithm)
      - 160-bit output
      - US government (NIST) standard as of 1993-95
          - Also the hash algorithm for Digital Signature Standard (DSS)

Basic Structure of SHA-1
  [Diagram annotations]
  • Against padding attacks
  • Split message into 512-bit blocks
  • 160-bit buffer (5 registers) initialized with magic values
  • Compression function
      - Applied to each 512-bit block and current 160-bit buffer
      - This is the heart of SHA-1

SHA-1 Compression Function
  [Diagram annotations]
  • Current buffer (five 32-bit registers A, B, C, D, E)
  • Current message block
  • Four rounds, 20 steps in each
  • Fifth round adds the original buffer to the result of 4 rounds
  • Buffer contains final hash value

One Step of SHA-1 (80 steps total)
  [Diagram: one step over registers A, B, C, D, E, with a 5-bit bitwise left-rotate, a 30-bit bitwise left-rotate, the logic function ft, and additions (+) of E, Wt and Kt]
  Logic function ft for steps:
      (B C) ( B D)         0..19
      B C D                20..39
      (B C) (B D) (C D)    40..59
      B C D                60..79
  • Wt: multi-level shifting of message blocks
  • Kt: special constant added (same value in each 20-step round, 4 different constants altogether)

How Strong Is SHA-1?
  • Every bit of output depends on every bit of input
      - Very important property for collision-resistance
  • Brute-force inversion requires 2^160 ops, birthday attack on collision resistance requires 2^80 ops
  • Some recent weaknesses (2005)
      - Collisions can be found in 2^63 ops

Authentication Without Encryption
  [Diagram: Alice and Bob each hold KEY; Alice sends message, MAC(KEY, message)]
  • MAC (message authentication code)
  • Bob: recomputes MAC and verifies whether it is equal to the MAC attached to the message

HMAC
  • Construct MAC by applying a cryptographic hash function to message and key
      - Could also use encryption instead of hashing, but…
      - Hashing is faster than encryption in software
      - Library code for hash functions widely available
      - Can easily replace one hash function with another
      - There used to be US export restrictions on encryption
  • Invented by Bellare, Canetti, and Krawczyk (1996)
  • Mandatory for IP security, also used in
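
The MAC exchange between Alice and Bob, with HMAC written out as the two nested hash calls defined in RFC 2104, is sketched below. This is an added example, not part of the lecture slides; the function names, key and messages are constructed for the demonstration, and the hash function is a parameter so that it can be swapped as the slide describes.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as nested hashing (RFC 2104):
    H((K xor opad) || H((K xor ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                        # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def send(key: bytes, message: bytes, hash_name: str = "sha1"):
    """Alice: transmit message together with MAC(KEY, message)."""
    return message, hmac_from_definition(key, message, hash_name)


def receive(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Bob: recompute the MAC and compare it with the attached one.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a forged tag were correct.
    """
    expected = hmac_from_definition(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed shared key"           # sample value for the demo
    msg, tag = send(key, b"pay Bob 10")
    print("genuine message accepted:", receive(key, msg, tag))
    print("modified message accepted:", receive(key, b"pay Bob 99", tag))
    print("wrong key accepted:", receive(b"other key", msg, tag))
    # Swapping the underlying hash only changes the name passed in.
    for name in ("md5", "sha1", "sha256"):
        same = hmac_from_definition(key, msg, name) == hmac.new(key, msg, name).digest()
        print(f"{name}: matches library HMAC = {same}")
```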

Today’s Lecture
  • Overview of Network Security
  • Cryptographic hash functions
  • User Authentication
  • SSL
  • IPSec & IKE
  • Distributed Denial of Service (DDoS)
  • Firewall
  • Reading List

Basic Problem
  • How do you prove to someone that you are who you claim to be?
  • Any system with access control must solve this problem

Many Ways to Prove Who You Are
  • What you know
      - Passwords
      - Secret key
  • Where you are
      - IP address
  • What you are
      - Biometrics
  • What you have
      - Secure tokens

Password-Based Authentication
  • User has a secret password.
      - System checks it to authenticate the user.
  • How is the password communicated?
      - Eavesdropping risk
  • How is the password stored?
      - In the clear? Encrypted? Hashed?

Other Aspects
  • Usability
      - Hard-to-remember passwords?
      - Carry a physical object all the time?
  • Denial of service
      - Stolen wallet
      - Attacker tries to authenticate as you, account locked after three failures
      - “Suspicious” credit card usage

Passwords in the Real World [PasswordResearch.com]
  • From high school pranks…
      - Student in Tyler changes school attendance records
      - Students in California change grades
          - Different authentication for network login and grade system, but teachers were using the same password (very common)
  • …to serious cash
      - English accountant uses co-workers’ password to steal $17 million for gambling
  • …to identity theft
      - Helpdesk employee uses passwords of a credit card database to sell credit reports to Nigerian scammers

Passwords and Computer Security
  • First step after any successful intrusion: install sniffer or keylogger to steal more passwords
  • Second step: run cracking tools on password files
      - Usually on other hijacked computers
  • In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking

UNIX-Style Passwords
  [Diagram: user enters “cypherpunk”; it passes through the hash function and is matched against the system password file]
  System password file entries: t4h97t4m43, fa6326b1c2, N53uhjr438, Hgg658n53, …

Password Hashing
  • Instead of user password, store H(password)
  • When user enters password, compute its hash and compare with entry in password file
      - System does not store actual passwords!
      - Difficult to go from hash to password!
          - Do you see why hashing is better than encryption here?

UNIX Password System
  • Uses DES encryption as if it were a hash function
      - Encrypt NULL string using password as the key
          - Truncates passwords to 8 characters!
      - Artificial slowdown: run DES 25 times (why?)
      - Can instruct modern UNIXes to use MD5 hash function
  • Problem: passwords are not truly random
      - With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
      - Humans like to use dictionary words, human and pet names ≈ 1 million common passwords

Dictionary Attack
  • Password file /etc/passwd is world-readable
      - Contains user IDs and group IDs which are used by many system programs
  • Dictionary attack is possible because many passwords come from a small dictionary
      - Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once!!

Salt
  /etc/passwd entry:
      shmat:fURxfg,4hLBX:14510:30:Vitaly:/u/shmat:/bin/csh
  [Diagram: the password field of the entry holds the salt (chosen randomly when password is first set) and hash(salt, pwd)]

Advantages of Salting
  • Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries
      - Same hash function on all UNIX machines; identical passwords hash to identical values
      - One table of hash values works for all password files
  • With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password
      - With 12-bit random salt, same password can hash to 4096 different hash values
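
The effect of the salt on a password file can be checked directly: identical passwords stop producing identical stored values, and one table of H(word) no longer matches any entry. This is an added example, not part of the lecture slides; it assumes PBKDF2-HMAC-SHA256 in place of the DES-based UNIX hash, and the users, word list and work factor are constructed.

```python
import hashlib
import hmac
import secrets

ROUNDS = 50_000  # assumed work factor; plays the role of "run DES 25 times"


def slow_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """hash(salt, pwd) with deliberate slowdown."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def new_entry(user: str, password: str) -> dict:
    """Password-file record; the salt is chosen randomly when the password is set."""
    salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt, "hash": slow_hash(password, salt)}


def check_password(entry: dict, candidate: str) -> bool:
    """Login check: recompute hash(salt, candidate) and compare in constant time."""
    return hmac.compare_digest(entry["hash"], slow_hash(candidate, entry["salt"]))


def unsalted(password: str) -> bytes:
    """Unsalted H(password): the 'without salt' case from the slide."""
    return hashlib.sha256(password.encode()).digest()


def table_hits(stored_hashes, words) -> int:
    """How many stored hashes appear in ONE table of H(word) built once."""
    table = {unsalted(w) for w in words}
    return sum(1 for h in stored_hashes if h in table)


def variants_with_12_bit_salt(password: str) -> int:
    """Distinct stored values a single password can take under a 12-bit salt."""
    return len({
        hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).digest()
        for salt in range(2 ** 12)
    })


if __name__ == "__main__":
    words = ["password", "Kevin123", "popcorn"]     # constructed dictionary
    # Two constructed users who picked the same password.
    plain = [unsalted("popcorn"), unsalted("popcorn")]
    salted = [new_entry("alice", "popcorn"), new_entry("bob", "popcorn")]
    print("unsalted entries identical:", plain[0] == plain[1])
    print("unsalted entries found in one table:", table_hits(plain, words))
    print("salted entries identical:", salted[0]["hash"] == salted[1]["hash"])
    print("salted entries found in the same table:",
          table_hits([e["hash"] for e in salted], words))
    print("12-bit salt variants of one password:", variants_with_12_bit_salt("popcorn"))
```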

Shadow Passwords
  /etc/passwd entry:
      shmat:x:14510:30:Vitaly:/u/shmat:/bin/csh
  • Hashed password is not stored in a world-readable file

How People Use Passwords
  • Write them down
  • Use a single password at multiple sites
      - Do you use the same password for Amazon and your bank account? UT Direct? Do you remember them all?
  • Make passwords easy to remember
      - “password”, “Kevin123”, “popcorn”
  • Some services use “secret questions” to reset passwords
      - “What is your favorite pet’s name?”
      - Paris Hilton’s T-Mobile cellphone hack

Password Surveys
  • Klein (1990) and Spafford (1992)
      - 2.7% guessed in 15 minutes, 21% in a week
      - Sounds Ok? Not if passwords last 30 days or more!
      - Much more computing power is available now!
  • U. of Michigan: 5% of passwords were “goblue”
      - How many passwords on this campus involve “orange”, “horns”, etc.?

Memorability vs. Security [Ross Anderson]
  • One bank’s idea for making PINs “memorable”
      - If PIN is 2256, write your favorite word in the grid
      - Fill the rest with random letters
  • Normally 9,999 choices for PIN – hard to guess
  • Now only a few dozen possible English words – easy to guess!

Heuristics for Guessing Attacks
  • Dictionary with words spelled backwards
  • First and last names, streets, cities
  • Same with upper-case initials
  • All valid license plate numbers in your state
  • Room numbers, telephone numbers, etc.
  • Letter substitutions and other tricks
      - If you can think of it, attacker will, too

Social Engineering
  • Univ. of Sydney study (1996)
      - 336 CS students emailed asking for their passwords
          - Pretext: “validate” password database after suspected break-in
      - 138 returned their passwords; 30 returned invalid passwords; 200 reset passwords (not disjoint)
  • Treasury Dept. report (2005)
      - Auditors pose as IT personnel attempting to correct a “network problem”
      - 35 of 100 IRS managers and employees provide their usernames and change passwords to a known value
  • Other examples: Mitnick’s “Art of Deception”

Strengthening Passwords
  • Add biometrics
      - For example, keystroke dynamics or voiceprint
      - Revocation is often a problem with biometrics
  • Graphical passwords
      - Goal: increase the size of memorable password space
  • Rely on the difficulty of computer vision
      - Face recognition is easy for humans, hard for machines
      - Present user with a sequence of faces, he must pick the right face several times in a row to log in

Graphical Passwords
  • Images are easy for humans to remember
      - Especially if you invent a memorable story to go along with the images
  • Dictionary attacks on graphical passwords are believed to be difficult
      - Images are very “random” (is this true?)
  • Still not a perfect solution
      - Need infrastructure for displaying and storing images
      - Shoulder surfing

Today’s Lecture
  • Overview of Network Security
  • Cryptographic hash functions
  • User authentication
  • SSL
  • IPSec & IKE
  • Distributed Denial of Service (DDoS)
  • Firewall
  • Reading List

Layers of Security

SSL Record Protocol Services
  • SSL Record Protocol provides two services.
  • Message integrity
      - using a MAC with a shared secret key
      - similar to HMAC but with different padding
      - hash functions: MD5, SHA-1
  • Message confidentiality
      - using symmetric encryption with a shared secret key
      - Encryption algorithms: AES, IDEA, RC2-40, DES, 3DES, RC4-40, RC4-128

SSL Handshake Protocol
  • Allows server & client to:
      - authenticate each other
      - negotiate encryption & MAC algorithms and keys
  • Comprises a series of messages exchanged in phases:
      1. Establish Security Capabilities (to agree on encryption, MAC, and key-exchange algorithms)
      2. Server Authentication and Key Exchange
      3. Client Authentication and Key Exchange
      4. Finish

Client Hello
  • Protocol version
      - SSLv3 (major=3, minor=0)
      - TLS (major=3, minor=1)
  • Random Number
      - 32 bytes
      - First 4 bytes, time of the day in seconds, other 28 bytes random
      - Prevents replay attack
  • Session ID
      - 32 bytes – indicates the use of previous cryptographic material
  • Compression algorithm
  SMU

Client Hello - Cipher Suites
  Name parts: PUBLIC-KEY ALGORITHM, SYMMETRIC ALGORITHM, HASH ALGORITHM
  CIPHER SUITE CODES USED IN SSL MESSAGES:
      SSL_NULL_WITH_NULL = { 0, 0 }    (INITIAL (NULL) CIPHER SUITE)
      SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
      SSL_RSA_WITH_NULL_SHA = { 0, 2 }
      SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
      SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
      SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
      SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
      SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
      SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }

Server Hello
  • Version
  • Random Number
      - Protects against handshake replay
  • Session ID
      - Provided to the client for later resumption of the session
  • Cipher suite
      - Usually picks client’s best preference – No obligation
  • Compression method

Certificates
  • Sequence of X.509 certificates
      - Server’s, CA’s, …
  • X.509 Certificate associates public key with identity
  • Certification Authority (CA) creates certificate
      - Adheres to policies and verifies identity
      - Signs certificate
  • User of Certificate must ensure it is valid
  CSE 5349/7349

Validating a Certificate
  • Must recognize accepted CA in certificate chain
      - One CA may issue certificate for another CA
  • Must verify that certificate has not been revoked
      - CA publishes Certificate Revocation List (CRL)

Client Key Exchange
  • Premaster secret
      - Created by client; used to “seed” calculation of encryption parameters
      - 2 bytes of SSL version + 46 random bytes
      - Sent encrypted to server using server’s public key
  This is where the attack happened in SSLv2

Change Cipher Spec & Finished Messages
  • Change Cipher Spec
      - Switch to newly negotiated algorithms and key material
  • Finished
      - First message encrypted with new crypto parameters
      - Digest of negotiated master secret, the ensemble of handshake messages, sender constant
      - HMAC approach of nested hashing

SSL Encryption
  • Master secret
      - Generated by both parties from premaster secret and random values generated by both client and server
  • Key material
      - Generated from the master secret and shared random values
  • Encryption keys
      - Extracted from the key material

Generating the Master Secret
  [Diagram annotations]
  • SERVER’S PUBLIC KEY IS SENT BY SERVER IN ServerKeyExchange
  • CLIENT GENERATES THE PREMASTER SECRET, ENCRYPTS WITH PUBLIC KEY OF SERVER
  • CLIENT SENDS PREMASTER SECRET IN ClientKeyExchange
  • SENT BY SERVER IN ServerHello
  • SENT BY CLIENT IN ClientHello
  • MASTER SECRET IS 3 MD5 HASHES CONCATENATED TOGETHER = 384 BITS

Generation of Key Material
  JUST LIKE FORMING THE MASTER SECRET EXCEPT THE MASTER SECRET IS USED HERE INSTEAD OF THE PREMASTER SECRET

Obtaining Keys from the Key Material
  [Diagram annotations]
  • SECRET VALUES INCLUDED IN MESSAGE AUTHENTICATION CODES
  • SYMMETRIC KEYS
  • INITIALIZATION VECTORS FOR DES CBC ENCRYPTION
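
The three derivation steps above (premaster secret to master secret, master secret to key material, key material to individual keys) can be written out for SSL 3.0 following the formulas in RFC 6101. This is an added example, not part of the lecture slides; the function names are hypothetical, the random values are constructed, and the key sizes are those of SSL_RSA_WITH_3DES_EDE_CBC_SHA.

```python
import hashlib
import os


def _ssl3_expand(secret: bytes, seed: bytes, n_bytes: int) -> bytes:
    """Concatenate MD5(secret + SHA1(label + secret + seed)) blocks with
    labels 'A', 'BB', 'CCC', ... until n_bytes are available."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()   # 16 bytes per block
        i += 1
    return out[:n_bytes]


def new_premaster_secret(version=(3, 0)) -> bytes:
    """2 bytes of SSL version + 46 random bytes, created by the client."""
    return bytes(version) + os.urandom(46)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Three MD5 hashes concatenated: 3 * 128 = 384 bits."""
    return _ssl3_expand(premaster, client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Same construction keyed with the master secret; note that the seed
    order is ServerHello.random first, then ClientHello.random."""
    total = 2 * (mac_len + key_len + iv_len)
    block = _ssl3_expand(master, server_random + client_random, total)
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    client_random = os.urandom(32)     # constructed ClientHello.random
    server_random = os.urandom(32)     # constructed ServerHello.random
    premaster = new_premaster_secret()
    # Client and server run the same computation on the same three inputs.
    ms = master_secret(premaster, client_random, server_random)
    print("master secret bits:", len(ms) * 8)
    # 3DES_EDE_CBC_SHA: 20-byte MAC secrets, 24-byte keys, 8-byte IVs.
    for name, value in key_block(ms, client_random, server_random, 20, 24, 8).items():
        print(f"{name:24} {len(value):2} bytes")
```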

SSL Record Protocol

Record Header
  • Three pieces of information
      - Content type
          - Application data
          - Alert
          - Handshake
          - Change_cipher_spec
      - Content length
          - Suggests when to start processing
      - SSL version
          - Redundant check for version agreement

Protocol (cont’d)
  • Max. record length 2^14 – 1
  • MAC
      - Data
      - Headers
      - Sequence number
          - To prevent replay and reordering attack
          - Not included in the record

SSL Session and Connection
  • SSL was designed to work with HTTP 1.0 which tended to open a lot of TCP connections between the same client and server.
  • SSL assumes a session is a relatively long-lived thing from which many (transient) connections can be cheaply derived.
  • 1 session = 1 or more connections

SSL Overhead
  • 2-10 times slower than a TCP session
  • Where do we lose time
      - Handshake phase
          - Client does public-key encryption
          - Server does private-key encryption (still public-key cryptography)
          - Usually clients have to wait on servers to finish
      - Data Transfer phase
          - Symmetric key encryption

SSL Applications
  • HTTP – original application
  • Secure mail
      - Server to client connection
      - SMTP/SSL?
  • Telnet, ftp..
  • Resources: http://www.openssl.org/related/apps.html

Today’s Lecture
  • Overview of Network Security
  • Cryptographic hash functions
  • User authentication
  • SSL
  • IPSec & IKE
  • Distributed Denial of Service (DDoS)
  • Firewall
  • Reading List

IPsec: Network Layer Security
  IPsec = AH + ESP + IPcomp + IKE
  • AH + ESP: protection for IP traffic
      - AH provides integrity and origin authentication
      - ESP also confidentiality
  • IPcomp: compression
  • IKE: sets up keys and algorithms for AH and ESP

IPsec Security Services
  • Authentication and integrity for packet sources
      - Ensures connectionless integrity (for a single packet) and partial sequence integrity (prevent packet replay)
  • Confidentiality (encapsulation) for packet contents
      - Also partial protection against traffic analysis

IPsec Modes
  • Transport mode
      - Used to deliver traffic from host to host or from host to gateway
      - End-to-end across networks or within same network
  • Tunnel mode
      - Used to deliver traffic from gateway to gateway or from host to gateway
      - Usually gateways are owned by the same organization
          - With an insecure network in the middle

IPsec in Transport Mode
  • End-to-end security between two hosts
      - Typically, client to gateway (e.g., PC to remote host)
  • Requires IPsec support at each host

IPsec in Transport Tunnel Mode
  [Diagram annotations]
  • Implements IPsec
  • IPsec protects communication on the insecure part of the network

Transport Mode vs. Tunnel Mode
  • Transport mode secures packet payload and leaves IP header unchanged
      IP header (real dest) | IPsec header | TCP/UDP header + data
  • Tunnel mode encapsulates both IP header and payload into IPsec packets
      IP header (gateway) | IPsec header | IP header (real dest) | TCP/UDP header + data

Security Association (SA)
  • One-way sender-recipient relationship
      - Two SAs required for a two-way conversation
  • SA determines how packets are processed
      - Cryptographic algorithms, keys, IVs, lifetimes, sequence numbers, mode (transport or tunnel) – read textbook!

AH: Authentication Header
  • Sender authentication
  • Integrity for packet contents and IP header
  • Sender and receiver must share a secret key
      - This key is used in HMAC computation
      - The key is set up by IKE key establishment protocol and recorded in the Security Association (SA)
      - SA also records protocol being used (AH) and mode (transport or tunnel) plus hashing algorithm used
          - MD5 or SHA-1 supported as hashing algorithms

IP Headers
  [Diagram: IP header fields (Version, Header Length, TOS, Packet length, Packet Id, Flags, Fragment offset, TTL, Protocol number, Checksum, Source IP address, Destination IP address, Options), each marked as Immutable, Mutable or Predictable]

Prevention of Replay Attacks
  • When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet
      - If wraps around 2^32-1, new SA must be established
  • Recipient maintains a sliding 64-bit window
      - If a packet with high sequence number is received, do not advance window until packet is authenticated
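
The recipient side of this scheme fits in a few lines: a 64-entry bitmap anchored at the highest authenticated sequence number, which moves only after the integrity check succeeds. This is an added example, not part of the lecture slides; the integrity check value is simplified to HMAC-SHA1-96 over the sequence number and payload, the first packet is assumed to carry sequence number 1, and the class and status names are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # size of the recipient's sliding window


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Simplified integrity check value: HMAC-SHA1 over the 32-bit sequence
    number and the payload, truncated to 96 bits."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha1).digest()[:12]


class ReplayWindow:
    def __init__(self):
        self.top = 0      # highest sequence number authenticated so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def _precheck(self, seq: int):
        """Cheap test before any cryptography; returns a drop reason or None."""
        if seq < 1:
            return "invalid"      # counter starts at 0, first packet carries 1
        if seq > self.top:
            return None           # ahead of the window: decided by the ICV check
        offset = self.top - seq
        if offset >= WINDOW:
            return "too-old"      # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"       # this sequence number was already accepted
        return None

    def _commit(self, seq: int) -> None:
        """Record an authenticated packet; only here may the window advance."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, key: bytes, seq: int, payload: bytes, tag: bytes) -> str:
        reason = self._precheck(seq)
        if reason:
            return reason
        if not hmac.compare_digest(icv(key, seq, payload), tag):
            return "bad-icv"      # window untouched by unauthenticated packets
        self._commit(seq)
        return "accept"


if __name__ == "__main__":
    key = b"constructed SA key 0"            # sample key for the demo
    window = ReplayWindow()
    # Constructed arrival order: in-order, replayed, reordered, forged, far ahead.
    arrivals = [(1, True), (1, True), (5, True), (3, True), (1000, False), (100, True), (36, True)]
    for seq, genuine in arrivals:
        tag = icv(key, seq, b"data") if genuine else b"\x00" * 12
        print(f"seq={seq:<5} -> {window.receive(key, seq, b'data', tag):8} (top={window.top})")
```

The forged packet with sequence number 1000 is rejected without moving the window; had the window advanced first, every genuine packet below 937 would have been discarded as too old.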

ESP: Encapsulating Security Payload
  • Adds new header and trailer fields to packet
  • Transport mode
      - Confidentiality of packet between two hosts
      - Complete hole through firewalls
      - Used sparingly
  • Tunnel mode
      - Confidentiality of packet between two gateways or a host and a gateway
      - Implements VPN tunnels

ESP Security Guarantees
  • Confidentiality and integrity for packet payload
      - Symmetric cipher negotiated as part of security assoc
  • Optionally provides authentication (similar to AH)
  • Can work in transport…
      Original IP header | ESP header | TCP/UDP segment | ESP trailer | ESP auth
  • …or tunnel mode
      New IP header | ESP header | Original IP header | TCP/UDP segment | ESP trailer | ESP auth
  [The diagram marks the encrypted and the authenticated portions of the packet]

Secure Key Establishment
• Goal: generate and agree on a session key using some public initial information
• What properties are needed?
  - Authentication (know identity of other party)
  - Secrecy (generated key not known to any others)
  - Forward secrecy (compromise of one session key does not compromise keys in other sessions)
  - Prevent replay of old key material
  - Prevent denial of service
  - Protect identities from eavesdroppers

Key Management in IPsec
• Manual key management
  - Keys and parameters of crypto algorithms exchanged offline (e.g., by phone), security associations established by hand
• Pre-shared symmetric keys
  - New session key derived for each session by hashing pre-shared key with session-specific nonces
  - Standard symmetric-key authentication and encryption
• Online key establishment
  - Internet Key Exchange (IKE) protocol
  - Use Diffie-Hellman to derive shared symmetric key

IKE Overview
• Goal: create security association between 2 hosts
  - Shared encryption and authentication keys, agreement on crypto algorithms
• Two phases: 1st phase establishes security association (IKE-SA) for the 2nd phase
  - Always by authenticated Diffie-Hellman (expensive)
• 2nd phase uses IKE-SA to create actual security association (child-SA) to be used by AH and ESP
  - Use keys derived in the 1st phase to avoid DH exchange
  - Can be executed cheaply in “quick” mode

IKE Genealogy
• Diffie-Hellman (1976)
• Station-to-Station (Diffie, van Oorschot, Wiener 1992): + authentication, identity protection
• Photuris (Karn, Simpson 1994-99): + defense against denial of service
• Oakley (Orman 1998): + defense against replay
• ISAKMP (NSA 1998): “generic” protocol for establishing security associations
• IKE (Cisco 1998): + compatibility with ISAKMP
• IKEv2 (Internet standard, December 2005)

Design Objectives
• Shared secret
  - Create and agree on a secret which is known only to protocol participants
• Authentication
  - Participants need to verify each other’s identity
• Identity protection
  - Eavesdropper should not be able to infer participants’ identities by observing protocol execution
• Protection against denial of service
  - Malicious participant should not be able to exploit the protocol to cause the other party to waste resources

IKE: Phase One
I → R: g^a mod p, crypto proposal, Ni
R → I: (optional) refuse 1st message and demand return of stateless cookie
I → R: Cookie_R, g^a mod p, crypto proposal, Ni
R → I: g^b mod p, crypto accepted, Nr
Both sides switch to K = f(Ni, Nr, crypto, g^ab mod p)
I → R: Enc_K(“I”, sig_I(m1-4), [cert], child-SA)
R → I: Enc_K(“R”, sig_R(m1-4), [cert], child-SA)
• Initiator reveals identity first
  - Prevents “polling” attacks where attacker initiates IKE connections to find out who lives at an IP addr
• Instead of running 2nd phase, “piggyback” establishment of child-SA on initial exchange
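
Added example (not part of the original slides): a sketch of the optional stateless-cookie step and the switch to K, showing that the responder stores nothing and performs no exponentiation until the initiator proves it can receive traffic at its claimed address. The class names, the HMAC-based cookie, the HMAC-SHA256 stand-in for f and the toy group are assumptions; the signature and certificate messages are left out.

```python
import hashlib, hmac, secrets

P = 2**127 - 1      # toy prime, illustration only; far too small for real use
G = 3

def derive_key(ni, nr, proposal, shared):
    """Stand-in for the slide's K = f(Ni, Nr, crypto, g^ab mod p)."""
    return hmac.new(ni + nr, proposal + shared.to_bytes(16, "big"),
                    hashlib.sha256).digest()

class Responder:
    def __init__(self):
        self.cookie_secret = secrets.token_bytes(32)   # known only to the responder
        self.sessions = {}                             # state exists only after a valid cookie
        self.dh_count = 0                              # handshakes that reached the DH step

    def cookie(self, src_ip, ni):
        # Recomputed from the packet itself, so nothing is stored per request.
        msg = src_ip.encode() + ni
        return hmac.new(self.cookie_secret, msg, hashlib.sha256).digest()

    def handle_init(self, src_ip, ga, proposal, ni, cookie=None):
        expected = self.cookie(src_ip, ni)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            return ("COOKIE", expected)                # refuse: no state, no DH work
        b = secrets.randbelow(P - 3) + 2
        nr = secrets.token_bytes(16)
        self.dh_count += 1
        self.sessions[(src_ip, ni)] = derive_key(ni, nr, proposal, pow(ga, b, P))
        return ("ACCEPT", pow(G, b, P), nr)

def initiator_run(responder, src_ip, proposal=b"constructed-proposal"):
    a = secrets.randbelow(P - 3) + 2
    ni = secrets.token_bytes(16)
    ga = pow(G, a, P)
    reply = responder.handle_init(src_ip, ga, proposal, ni)
    if reply[0] == "COOKIE":                           # resend message 1 with the cookie
        reply = responder.handle_init(src_ip, ga, proposal, ni, reply[1])
    _, gb, nr = reply
    return ni, derive_key(ni, nr, proposal, pow(gb, a, P))
```

Because the cookie is bound to the source address, a request sent from a forged address never sees the cookie it would need to echo, so it costs the responder one HMAC and nothing more.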

IKE: Phase Two (Create Child-SA)
After Phase One, I and R share key K
I → R: Enc_K(proposal, Ni, [g^a mod p], traffic)
R → I: Enc_K(proposal, Nr, [g^b mod p], traffic)
• proposal: crypto suites, protocol (AH, ESP or IPcomp)
• nonces and [g^a mod p], [g^b mod p]: optional re-key using old DH value and fresh nonces
• traffic: IP address range, ports, protocol id
• Can run this several times to create multiple SAs

Other Aspects of IKE
• Interaction with other network protocols
  - How to run IPsec through NAT (Network Address Translation) gateways?
• Error handling
  - Very important! Bleichenbacher attacked SSL by cryptanalyzing error messages from an SSL server
• Protocol management
  - Dead peer detection, rekeying, etc.
• Legacy authentication
  - What if one of the parties doesn’t have a public key?

Current State of IPsec
• Best currently existing VPN standard
  - For example, used in Cisco PIX firewall, many remote access gateways
• IPsec has been out for a few years, but wide deployment has been hindered by complexity
  - ANX (Automotive Networking eXchange) uses IPsec to implement a private network for the Big 3 auto manufacturers and their suppliers

Today’s Lecture
• Overview of Network Security
• Cryptographic hash functions
• User authentication
• SSL
• IPSec & IKE
• Distributed Denial of Service Attacks
• Firewall
• Reading List

Background Information: Denial of Service Attacks
• Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources.
• DoS Attacks Affect: Software Systems, Network Routers/Equipment/Servers and End-User PCs

DoS Shortfalls
• DoS attacks are unable to attack large bandwidth websites – one upstream client cannot generate enough bandwidth to cripple major megabit websites.
• New distributed server architecture makes it harder for one DoS to take down an entire site.
• New software protections neutralize existing DoS attacks quickly

Distributed Denial of Service Attacks
• What is a Distributed Denial of Service Attack?
• A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.

DDoS Architecture
[Figure: DDoS architecture diagram with a Client, Handlers, and Agents]

Why are these attacks easy?
• Internet built around end-to-end principle:
  - Most functions done by end hosts.
  - Examples: reliable delivery.
• Advantages:
  - Simplifies network core.
    - Example: IP packet forwarding.
    - Example: it’s easy to start an ISP.
  - Anyone can introduce new services.
• Result: lots of innovation.

Why is defense hard?
• End-to-end principle conflicts with:
  - Centralized control.
  - Centralized monitoring.
  - Separation of data from control traffic.
  - Mandatory authentication.
  - Mandatory accounting.

Widely Used DDoS Programs
• Trinoo
• Tribe Flood Network
• TFN2K
• stacheldraht (barbed wire)

Common DDoS Countermeasures
• Prevent Initial Hack
• Use of Firewalls and Demilitarized Zone
• Check Ingress/Egress Packets
• Use a server farm and load balancer to offset the effects of a DDoS attack
• Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users)
• Change IP address of attacked system (problem for updating legitimate users of new system IP address)
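
Added example (not part of the original slides): a sketch of the "discard the first SYN" countermeasure listed above, showing both the filtering effect and the delay it imposes on a legitimate client. The class name, the timing thresholds and the trace are constructed for illustration; the pending table is capped so the filter cannot itself be exhausted.

```python
from collections import OrderedDict

class FirstSynDrop:
    """Drop the first SYN of each flow and admit its retransmission."""

    def __init__(self, min_gap=0.5, max_age=10.0, max_entries=100_000):
        self.pending = OrderedDict()    # flow -> arrival time of the dropped first SYN
        self.min_gap = min_gap          # a genuine retransmission is never instant
        self.max_age = max_age          # forget flows that never retry
        self.max_entries = max_entries  # hard cap on table size

    def on_syn(self, flow, now):
        first = self.pending.get(flow)
        if first is not None and self.min_gap <= now - first <= self.max_age:
            del self.pending[flow]
            return "forward"            # sender retried like a real TCP stack
        if first is None or now - first > self.max_age:
            self.pending[flow] = now    # (re)start tracking this flow
            self.pending.move_to_end(flow)
            while len(self.pending) > self.max_entries:
                self.pending.popitem(last=False)   # evict the oldest entry
        return "drop"


def demo():
    # Constructed trace; flows are (src, sport, dst, dport) using documentation addresses.
    server = ("203.0.113.10", 80)
    client = ("198.51.100.5", 40000) + server
    one_shot = [(f"192.0.2.{i}", 1024 + i) + server for i in range(1, 201)]
    f = FirstSynDrop()
    verdicts = {"client": [f.on_syn(client, 0.0)], "one_shot": []}
    for i, flow in enumerate(one_shot):
        # Each of these sources sends a single SYN and never retransmits.
        verdicts["one_shot"].append(f.on_syn(flow, 0.001 * i))
    verdicts["client"].append(f.on_syn(client, 1.0))   # client's retransmission
    return verdicts
```

The client's connection is admitted only on its retransmission, which is the delay for legitimate users that the slide mentions.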

DDoS Protection Environment
• Linux Kernel (immune to TARGA & teardrop)
• Linux Virtual Server (provides balancing algorithms)
  - NAT via load balancer (translates incoming traffic before it hits the server).
  - Direct Routing Request Dispatching (allows MAC addresses to directly communicate with the server, bypassing the load balancer).
  - IP Tunneling
• Firewall – packet filtering
• Class Based Queuing (assigns repetitive packets to smaller queue freeing up queue space for legitimate users)
• Traffic Monitor

Conceptual Model for Defending Against DDoS Attacks
• Suitable technological solutions in the Internet and suitable incentives upon the users of the Internet.
• Economic incentives for Internet users to cooperate
• Technical solutions must work together with consistent incentive.

Protect us from DDoS Attacks
• Raise the bar:
  - Improve host security.
  - Make it hard to fake IP addresses
• Experiment with RON-like and peer-to-peer architectures.

Today’s Lecture
• Overview of Network Security
• Cryptographic hash functions
• User authentication
• SSL
• IPSec & IKE
• Distributed Denial of Service Attacks
• Firewall
• Reading List

What is a Firewall?
• A firewall is hardware, software, or a combination of both.
• Used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer

Rules Determine WHO? WHEN? WHAT? HOW?
[Figure: diagram labelled My PC, Internet, Firewall, Protected Network]

Hardware vs. Software Firewalls
• Hardware Firewalls
  - Protect an entire network
  - Implemented on the router level
  - Usually more expensive, harder to configure
• Software Firewalls
  - Protect a single computer
  - Usually less expensive, easier to configure

How does a software firewall work?
• Inspects each individual “packet” of data as it arrives at either side of the firewall
• Inbound to or outbound from your computer
• Determines whether it should be allowed to pass through or if it should be blocked

Firewall Rules
• Allow – traffic that flows automatically because it has been deemed as “safe” (Ex. Meeting Maker, Eudora, etc.)
• Block – traffic that is blocked because it has been deemed dangerous to your computer
• Ask – asks the user whether or not the traffic is allowed to pass through

What a personal firewall can do
• Stop hackers from accessing your computer
• Protects your personal information
• Blocks “pop up” ads and certain cookies
• Determines which programs can access the Internet

What a personal firewall cannot do
• Cannot prevent e-mail viruses
  - Only an antivirus product with updated definitions can prevent e-mail viruses
• After setting it initially, you can forget about it
  - The firewall will require periodic updates to the rulesets and the software itself

Considerations when using personal firewall software
• If you did not initialize an action and your firewall picks up something, you should most likely deny it and investigate it
• It’s a learning process (Ex. Spooler Subsystem App)
• If you notice you cannot do something you did prior to the installation, there is a good chance it might be because of your firewall

Examples of personal firewall software
• ZoneAlarm <www.zonelabs.com>
• BlackICE Defender <http://blackice.iss.net>
• Tiny Personal Firewall <www.tinysoftware.com>
• Norton Personal Firewall <www.symantec.com>

Windows XP Firewall
• Currently *not* enabled by default
• Enable under Start -> Settings -> Control Panel
• Select Local Area Connection
• Select the Properties button
• Click the “Advanced” tab

Final Firewall Notes
• Rule Management
• Default Allow vs. Default Deny
• Firewalls do NOT Solve the Entire Problem
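
Added example (not part of the original slides): a small first-match evaluator for the Allow/Block/Ask rules from the "Firewall Rules" slide, run under both default policies, plus a rule-management check that finds rules which can never fire. The Rule fields, program names and rule set are constructed for illustration and do not model any particular firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow", "block" or "ask"
    direction: str                # "in" or "out"
    program: str = "*"            # "*" matches any program
    remote: str = "0.0.0.0/0"     # remote address range (CIDR)
    port: Optional[int] = None    # None matches any port

    def matches(self, direction, program, remote_ip, port):
        return (self.direction == direction
                and self.program in ("*", program)
                and ip_address(remote_ip) in ip_network(self.remote)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.direction == other.direction
                and self.program in ("*", other.program)
                and ip_network(other.remote).subnet_of(ip_network(self.remote))
                and self.port in (None, other.port))

def decide(rules, default, direction, program, remote_ip, port):
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(direction, program, remote_ip, port):
            return rule.action
    return default

def shadowed(rules):
    """Rules that can never fire because an earlier rule covers them."""
    return [later for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]

# Constructed rule set for illustration.
RULES = [
    Rule("allow", "out", "mail.exe", "192.0.2.25/32", 110),
    Rule("block", "in"),
    Rule("ask", "out", "*", "0.0.0.0/0", 80),
    Rule("allow", "in", "*", "192.0.2.0/24", 22),   # never reached: "block in" comes first
]
```

Traffic that no rule mentions, such as an unknown program connecting out on an unlisted port, passes under default allow and is stopped under default deny; that is the whole difference between the two policies.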

Q&A