CSCI-1680 Security. Andrew Ferguson. Based on lecture notes by Scott Shenker and Mike Freedman. Today s Lecture. Classes of attacks Basic security requirements Simple cryptographic methods Cryptographic toolkit (Hash, Digital Signature, ) DNSSec Certificate Authorities SSL / HTTPS. - PowerPoint PPT Presentation
CSCI-1680 :: Computer Networks
Based on lecture notes by Scott Shenker and Mike FreedmanAndrew FergusonTodays LectureClasses of attacksBasic security requirementsSimple cryptographic methodsCryptographic toolkit (Hash, Digital Signature, )DNSSecCertificate AuthoritiesSSL / HTTPSBasic Requirements for Secure CommunicationAvailability: Will the network deliver data?Infrastructure compromise, DDoSAuthentication: Who is this actor?Spoofing, phishingIntegrity: Do messages arrive in original form?Confidentiality: Can adversary read the data?Sniffing, man-in-the-middleProvenance: Who is responsible for this data?Forging responses, denying responsibilityNot who sent the data, but who created it
Other Desirable Security PropertiesAuthorization: is actor allowed to do this action?Access controlsAccountability/Attribution: who did this activity?Audit/Forensics: what occurred in the past?A broader notion of accountability/attributionAppropriate use: is action consistent with policy?E.g., no spam; no games during business hours; etc.Freedom from traffic analysis: can someone tell when I am sending and to whom?Anonymity: can someone tell I sent this packet?
4Internets Design: InsecureDesigned for simplicity in a nave eraOn by default designReadily available zombie machinesAttacks look like normal trafficInternets federated operation obstructs cooperation for diagnosis/mitigation5Eavesdropping - Message Interception (Attack on Confidentiality)Unauthorized access to informationPacket sniffers and wiretappersIllicit copying of files and programsABEavesdropper6Eavesdropping Attack: Exampletcpdump with promiscuous network interfaceOn a switched network, what can you see?
What might the following traffic types reveal about communications?DNS lookups (and replies)IP packets without payloads (headers only)Payloads
7Integrity Attack - TamperingStop the flow of the messageDelay and optionally modify the messageRelease the message againABPerpetrator8Authenticity Attack - FabricationUnauthorized assumption of others identityGenerate and distribute objects under this identityABMasquerader: from A9Attack on AvailabilityDestroy hardware (cutting fiber) or softwareModify software in a subtle wayCorrupt packets in transit
Blatant denial of service (DoS):Crashing the serverOverwhelm the server (use up its resource)AB10Basic Forms of Cryptography11Confidentiality through CryptographyCryptography: communication over insecure channel in the presence of adversariesStudied for thousands of yearsCentral goal: how to encode information so that an adversary cant extract it but a friend canGeneral premise: a key is required for decodingGive it to friends, keep it away from attackersTwo different categories of encryptionSymmetric: efficient, requires key distributionAsymmetric (Public Key): computationally expensive, but no key distribution problem12Symmetric Key EncryptionSame key for encryption and decryptionBoth sender and receiver know keyBut adversary does not know keyFor communication, problem is key distributionHow do the parties (secretly) agree on the key?What can you do with a huge key? One-time padHuge key of random bitsTo encrypt/decrypt: just XOR with the key!Provably secure! . provided:You never reuse the key and it really is random/unpredictableSpies actually use these13Using Symmetric Keys Both the sender and the receiver use the same secret keysInternetEncrypt withsecret keyDecrypt withsecret keyPlaintextPlaintextCiphertext14Asymmetric Encryption (Public Key)Idea: use two different keys, one to encrypt (e) and one to decrypt (d)A key pairCrucial property: knowing e does not give away dTherefore e can be public: everyone knows it!If Alice wants to send to Bob, she fetches Bobs public key (say from Bobs home page) and encrypts with itAlice cant decrypt what shes sending to Bob but then, neither can anyone else (except Bob)15Public Key / Asymmetric EncryptionSender uses receivers public keyAdvertised to everyoneReceiver uses complementary private keyMust be kept secretInternetEncrypt withpublic keyDecrypt withprivate keyPlaintextPlaintextCiphertext16Works in Reverse Direction Too!Sender uses his own private keyReceiver uses complementary public keyAllows sender to prove he knows private key
InternetDecrypt withpublic keyEncrypt withprivate keyPlaintextPlaintextCiphertext17Realizing Public Key CryptographyInvented in the 1970sRevolutionized cryptography(Was actually invented earlier by British intelligence)How can we construct an encryption/decryption algorithm with public/private properties? Answer: Number TheoryMost fully developed approach: RSARivest / Shamir / Adleman, 1977; RFC 3447Based on modular multiplication of very large integersVery widely used (e.g., SSL/TLS for https)18Cryptographic Toolkit19Cryptographic ToolkitConfidentiality: EncryptionIntegrity: ?Authentication: ?Provenance: ?
Integrity: Cryptographic HashesSender computes a digest of message m, i.e., H(m)H() is a publicly known hash functionSend m in any mannerSend digest d = H(m) to receiver in a secure way:Using another physical channelUsing encryption (why does this help?) Upon receiving m and d, receiver re-computes H(m) to see whether result agrees with d21Operation of Hashing for IntegrityInternetDigest(MD5)PlaintextdigestDigest(MD5)=digestNOcorrupted msgPlaintext22Cryptographically Strong HashesHard to find collisionsAdversary cant find two inputs that produce same hashSomeone cannot alter message without modifying digestCan succinctly refer to large objects
Hard to invertGiven hash, adversary cant find input that produces itCan refer obliquely to private objects (e.g., passwords)Send hash of object rather than object itself23PropertiesEffects of Cryptographic Hashing
24Cryptographic ToolkitConfidentiality: EncryptionIntegrity: Cryptographic HashAuthentication: ?Provenance: ?
Public Key AuthenticationEach side need only to know the other sides public keyNo secret key need be sharedA encrypts a nonce (random number) x using Bs public keyB proves it can recover xA can authenticate itself to B in the same wayE(x, PublicB) xAB26Cryptographic ToolkitConfidentiality: EncryptionIntegrity: Cryptographic HashAuthentication: Decrypting nonceProvenance: ?
Digital SignaturesSuppose Alice has published public key KEIf she wishes to prove who she is, she can send a message x encrypted with her private key KDTherefore: anyone w/ public key KE can recover x, verify that Alice must have sent the messageIt provides a digital signatureAlice cant deny later deny it non-repudiation28RSA Crypto & Signatures, cont
29Summary of Our Crypto ToolkitIf we can securely distribute a key, thenSymmetric ciphers (e.g., AES) offer fast, presumably strong confidentialityPublic key cryptography does away with problem of secure key distributionBut not as computationally efficientOften addressed by using public key crypto to exchange a session keyAnd not guaranteed secure but major result if not30Summary of Our Crypto Toolkit, contCryptographically strong hash functions provide major building block for integrity (e.g., SHA-1)As well as providing concise digestsAnd providing a way to prove you know something (e.g., passwords) without revealing it (non-invertibility)But: worrisome recent results regarding their strengthPublic key also gives us signaturesIncluding sender non-repudiationTurns out theres a crypto trick based on similar algorithms that allows two parties who dont know each others public key to securely negotiate a secret key even in the presence of eavesdroppers 31DNS Security32Case study of security problems, build to a solution employing our cryptographic toolkit
Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf33Root level DNS attacksFeb. 6, 2007:Botnet attack on the 13 Internet DNS root serversLasted 2.5 hoursNone crashed, but two performed badly:g-root (DoD), l-root (ICANN)Most other root servers use anycast34Do you trust the TLD operators?Wildcard DNS record for all .com and .net domain names not yet registered by othersSeptember 15 October 4, 2003February 2004: Verisign sues ICANNRedirection for these domain names to Verisign web portal: to help you searchand serve you adsand get sponsored search
35Defense: Replication and Caching
source: wikipedia36DNS Amplification Attack580,000 open resolvers on Internet (Kaminsky-Shiffman06)DNSServer
DoSTargetDNS QuerySrcIP: DoS Target
(60 bytes)EDNS Reponse
(3000 bytes)DNS Amplification attack: ( 40 amplification )37attackerSolutions
ip spoofed packetsrepliesvictimopenamplifierpreventip spoofingdisableopen amplifiers38Authentication, provenance holistic approach to securityBut should we believe it? Enter DNSSECDNSSEC protects against data spoofing and corruptionDNSSEC also provides mechanisms to authenticate servers and requestsDNSSEC provides mechanisms to establish authenticity and integrity39PK-DNSSEC (Public Key)The DNS servers sign the hash of resource record set with its private (signature) keysPublic keys can be used to verify the SIGsLeverages hierarchy:Authenticity of nameservers public keys is established by a signature over the keys by the parents private keyIn ideal case, only roots public keys need to be distributed out-of-band40Verifying the treestub resolverQuestion: www.cnn.com ?www.cnn.com A ?resolver.(root)www.cnn.com A ? ask .com server SIG (ip addr and PK of .com server).comwww.cnn.com A ?ask cnn.com server SIG (ip addr and PK of cnn.com server)cnn.comwww.cnn.com A ?SIG (xxx.xxx.xxx.xxx)xxx.xxx.xxx.xxxadd to cacheSrc.cs.brown.edudns.cs.brown.edutransaction signatures
slave serverstransaction signatures4142PKIs and HTTPS42Public Key Infrastructure (PKI)Public key crypto is very powerful but the realities of tying public keys to real wo