CSCE 715: Network Systems Security
Chin-Tser Huang, huangct@cse.sc.edu
University of South Carolina

10/5/2006

A Security Problem in Networks

- An adversary with access to a network can insert new messages, modify messages in transit, or replay old messages
- Inserted, modified, and replayed messages can go undetected until they cause severe damage to the network
- The physical location of the adversary in the network may never be determined
- Example: denial-of-service attacks

Denial-of-Service (DoS) Attacks

- Aim: deny the normal service provided by the target computer
- Communication-stopping attacks: ARP spoofing attack
- Resource-exhausting attacks: Smurf attack, SYN flooding attack

Ping Protocol

- Allows any computer to check whether any other computer in the Internet is up
- Any computer x can send a "ping" message (an ICMP echo request) to any computer y, which replies with a "pong" message (an ICMP echo reply); thus x knows y is up
- In the ping message: src = x and dst = y
- In the pong message: src = y and dst = x

Figure: x sends ping(x, y) to y; y replies with pong(y, x)

Broadcast Ping Protocol

- If dst = "all" in a ping message, a copy of the ping is broadcast to every computer on the subnetwork
- Each computer replies with a pong, so x is flooded with pong messages
- In the ping message: src = x and dst = "all"
- In the pong messages: src = y, y', ... and dst = x

Figure: x sends ping(x, all); y replies with pong(y, x) and y' with pong(y', x)

Smurf Attack

- An adversary a pretends to be x and broadcasts a ping message with src = x and dst = "all"
- Every computer that answers the broadcast sends its pong to x, so a single message from a is amplified into one pong per responder
- Thus x is flooded with pong messages it never requested: a denial-of-service attack on x

Figure: a sends ping(x, all); y and y' reply with pong(y, x) and pong(y', x), both delivered to x

Countering Smurf Attack

- Make each router check the src of each received message and discard the message if the src is suspicious, i.e., if a message with that source address should not arrive on the interface it came in on

Figure: a's ping(x, all) travels along the router path R1, R2, R3 toward y and y'; a router on the path discards it with "src = x shouldn't come to me"

Clever Smurf Attack

- An adversary inserts a ping(x, all) message on the link between routers R2 and R3
- R3 thinks the message was forwarded by R2 and so accepts it: the source check at R3 passes, because a message with src = x is expected to arrive from R2

Figure: a injects ping(x, all) between R2 and R3 on the path R1, R2, R3 toward y

Countering Clever Smurf Attack

- When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was inserted, modified, or replayed by an adversary between R2 and R3
- With IPsec this would require setting up SAs between each pair of adjacent routers: too expensive
- Our solution: use a hop integrity protocol between each pair of adjacent routers

Hop Integrity

Let p, q be routers connected to the same subnetwork

- Detection of message modification: when q receives a message m supposedly from p, q can check that m was not modified after p sent it (a message that p never sent fails the same check)
- Detection of message replay: when q receives a message m supposedly from p, q can check that m is not a replay of an old message

Adversary vs. Routers

- The adversary can perform three types of actions to disrupt communication between two routers: message loss, message modification, message replay
- The routers themselves are assumed to be secure and cannot be compromised by the adversary
- The routers execute hop integrity protocols that detect and defeat these actions: modification and replay are caught by the integrity checks, and loss of protocol messages is handled by retransmission in the secret exchange protocol

Hop Integrity Protocol

- Each pair of adjacent routers shares a secret S, which the two routers update periodically using a secret exchange protocol
- To each IP message sent between two adjacent routers, add a sequence number sq and an integrity check d:

  IP message:         hd | txt
  protected message:  hd | sq | d | txt
  d := MD(S | hd | sq | txt)

- MD is MD5 or SHA-1; d is 16 bytes with MD5, 20 bytes with SHA-1
- sq is 4 bytes
- Caveat: MD(S | ...) over a Merkle-Damgård hash such as MD5 or SHA-1 is a secret-prefix construction, which is open to length-extension attacks, and both hashes are deprecated today; a current deployment would compute d with an HMAC (or another proper MAC) keyed by S rather than a bare digest

Architecture of Hop Integrity Protocols

Figure: in each of router p and router q the stack is Applications / Transport / Network / Subnetwork; the hop integrity layers sit between the network and subnetwork layers and consist of a secret exchange layer (processes pe and qe, which hold the secrets) and an integrity check layer (processes pw or ps in p, qw or qs in q: weak or strong integrity)

Components of Hop Integrity Protocols

Three protocols between each pair of adjacent routers:
- secret exchange protocol
- weak integrity protocol
- strong integrity protocol

How to Exchange the Secret

- Each router p has a secret S that it uses to compute the digest of every message sent to an adjacent router q
- Both p and q need to know S
- What if p sends a secret update message to q periodically? Problem: if the update is lost, p and q hold different secrets and every message from p is discarded
- What if p sends the secret update message to q periodically and q sends an ack to p? Problem due to the bundling of the secret exchange layer and the integrity check layer

Secret Exchange Protocol

- q updates the secret S used by p by sending a secret update message to p every T hours
- When p receives a secret update message from q, p updates its secret and sends an ack to q
- If q does not receive the ack from p within t seconds, q retransmits the secret update message
- Because the receiver q drives the update, q always knows both the old secret S[0] and the new one S[1], and can accept a digest under either while the update is in progress

Secret Exchange Protocol (message sequence)

q holds two secrets, S[0] (old) and S[1] (new); p holds one secret S. Initially S[0] = S[1] = S.

Every T hours:
1. q chooses a new S[1] and sends Bp(S[0], S[1]) to p (Bp marks the update message as encrypted for p, so only p can read the secrets)
2. p, on receiving (S[0], S[1]): if S = S[0] or S = S[1] then S := S[1]; p replies with Bq(S) (encrypted for q)
3. q, on receiving the ack S: if S[1] = S then S[0] := S[1]

After the exchange, S[0] = S[1] = S again at both routers.

Recovery in Secret Exchange Protocol (message sequence)

Starting from S[0] = S[1] = S, q chooses a new S[1], so at q S[0] = S and S[0] ≠ S[1]:
1. q sends Bp(S[0], S[1]); the message is lost. After t seconds q retransmits
2. p receives (S[0], S[1]): since S = S[0], p sets S := S[1] and replies Bq(S); the ack is lost. At p now S = S[1] and S ≠ S[0]. After t seconds q retransmits again
3. p receives (S[0], S[1]) once more: now S = S[1] already, so the update is idempotent; p replies Bq(S)
4. q receives S = S[1] and sets S[0] := S[1], restoring S[0] = S[1] = S

Between steps 2 and 4, p digests with the new secret while q still holds the old one as S[0]; since q accepts a digest under either secret, no message from p is discarded because of the update.

Weak Integrity Protocol

To detect insertion and modification:
- Each message sent from p to q has the form (hd | d | txt), where p computes d = MD(S | hd | txt)
- On receiving a message, q checks: if d = MD(S[0] | hd | txt) or d = MD(S[1] | hd | txt) then q forwards the message, else q discards it

Figure: p (holding S) sends (hd | d | txt) to q (holding S[0] and S[1])
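The secret exchange protocol and the weak integrity check together, as an added example in Python (not code from the slides or from the hop integrity implementation): router q drives the update of the shared secret while p keeps sending digested data messages, and q accepts a digest under either S[0] or S[1], so every message p sends during an update in which the update message is lost once and the ack is lost once is still accepted. SHA-1 as MD, a 16-byte secret, and the message fields are assumptions; the encryption of the update message shown in the figure (Bp, Bq) is not modeled, the exchange is simply treated as confidential.

```python
import hashlib
import os

# Assumed parameters (the slides fix neither): MD is SHA-1, giving a 20-byte d,
# and a secret is 16 random bytes.
MD = hashlib.sha1
SECRET_LEN = 16


def new_secret() -> bytes:
    return os.urandom(SECRET_LEN)


def digest(secret: bytes, hd: bytes, txt: bytes) -> bytes:
    """Weak integrity check: d = MD(S | hd | txt)."""
    return MD(secret + hd + txt).digest()


class SenderP:
    """Router p: holds one secret S and digests every message it sends to q."""

    def __init__(self, secret: bytes):
        self.S = secret

    def send(self, hd: bytes, txt: bytes) -> tuple:
        return (hd, digest(self.S, hd, txt), txt)

    def on_secret_update(self, s0: bytes, s1: bytes) -> bytes:
        # Adopt S[1] only if the update names the secret p holds (as old or as
        # new); always ack with the secret now in use, so a repeat is harmless.
        if self.S == s0 or self.S == s1:
            self.S = s1
        return self.S


class ReceiverQ:
    """Router q: holds S[0] (old) and S[1] (new); a digest under either is accepted."""

    def __init__(self, secret: bytes):
        self.S = [secret, secret]

    def check(self, msg: tuple) -> bool:
        hd, d, txt = msg
        return d == digest(self.S[0], hd, txt) or d == digest(self.S[1], hd, txt)

    def start_update(self) -> tuple:
        # Every T hours q chooses a fresh S[1]; S[0] stays valid until p acks.
        self.S[1] = new_secret()
        return self.update_message()

    def update_message(self) -> tuple:
        # Sent at the start of an update and again after every t-second timeout.
        return (self.S[0], self.S[1])

    def on_ack(self, s: bytes) -> None:
        if s == self.S[1]:
            self.S[0] = self.S[1]   # transition complete: the old secret is retired


def run_exchange() -> dict:
    """One update in which the update message is lost once and the ack is lost once."""
    s = new_secret()
    p, q = SenderP(s), ReceiverQ(s)
    hd, txt = b"hd:p->q", b"payload"      # constructed sample message fields
    accepted = 0

    q.start_update()                                # update message lost on the wire
    accepted += int(q.check(p.send(hd, txt)))       # p still digests under the old S
    ack = p.on_secret_update(*q.update_message())   # retransmit after t seconds; ack lost
    accepted += int(q.check(p.send(hd, txt)))       # p now digests under the new S
    ack = p.on_secret_update(*q.update_message())   # second retransmit, idempotent at p
    q.on_ack(ack)                                   # ack delivered: q retires S[0]
    accepted += int(q.check(p.send(hd, txt)))

    stale = (hd, digest(s, hd, txt), txt)               # replay digested under the retired secret
    modified = (hd, digest(p.S, hd, txt), txt + b"!")   # payload changed after digesting
    return {
        "accepted_during_transition": accepted,
        "converged": q.S[0] == q.S[1] == p.S and p.S != s,
        "stale_secret_rejected": not q.check(stale),
        "modified_rejected": not q.check(modified),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Once the ack has been received and S[0] := S[1], a message digested under the retired secret is discarded, so a replay captured before the update stops verifying as soon as the update completes; the weak protocol alone, however, still accepts replays digested under the current secret, which is what the sequence numbers of the strong protocol address.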

Strong Integrity

- To detect replay, successive sequence numbers are attached to all messages sent from p to q
- Problem with reset: if p is reset and restarts its sequence numbers, an unbounded number of fresh messages are discarded by q; if q is reset and forgets the sequence number it expects, it can accept an unbounded number of replayed messages
- Two solutions to overcome reset: soft sequence numbers, hard sequence numbers

Soft Sequence Numbers

- Successive sequence numbers are attached to all messages sent from p to q: (hd | sq | txt)
- q maintains three variables:
  exp: sequence number of the next expected message
  c: number of messages received since cmax was last chosen
  cmax: random value; when c reaches it, q resynchronizes with p and chooses a new cmax
- On receiving a message, q checks: if (exp ≤ sq) or (c = cmax) then q forwards the message, else q discards it; then q updates exp, c, cmax

Figure: p sends (hd | sq | txt), (hd | sq+1 | txt), ... to q, which holds exp, c, cmax; c counts 0, 1, 2, ... as messages arrive, and when c = cmax q accepts the next message regardless of sq, chooses a new cmax, and resets c = 0

Strong Integrity Protocol Using Soft Sequence Numbers

- Each message sent from p to q has the form (hd | sq | d | txt), where p computes d = MD(S | hd | sq | txt)
- On receiving a message, q checks: if (d = MD(S[0] | hd | sq | txt) or d = MD(S[1] | hd | sq | txt)) and (exp ≤ sq or c = cmax) then q forwards the message, else q discards it; then q updates exp, c, cmax

Hard Sequence Numbers

- To overcome reset, use two operations, SAVE and FETCH
- When SAVE is executed, the last sequence number is stored in persistent memory
- When FETCH is executed, the last stored sequence number is loaded from persistent memory into (volatile) memory

Strong Integrity Protocol Using Hard Sequence Numbers

- Each message sent from p to q has the form (hd | sq | d | txt), where p computes d = MD(S | hd | sq | txt)
- On receiving a message, q checks: if (d = MD(S[0] | hd | sq | txt) or d = MD(S[1] | hd | sq | txt)) and (exp ≤ sq) then q forwards the message, else q discards it; then q updates exp
- p and q execute SAVE periodically
- When waking up from a reset, p (or q) executes FETCH to obtain the last stored sequence number, executes SAVE to store the next sequence number, and continues only after SAVE finishes
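Hard sequence numbers, as an added example in Python (not the slides' code nor the kernel implementation's). SAVE and FETCH act on a stand-in for persistent memory that survives a reset of the router object. SAVE_PERIOD = 8 and what exactly is saved are assumptions: each side saves a bound that stays ahead of its counter (p's next sq, q's exp), so that after a reset p resumes at a number it has never used and q resumes at an exp no smaller than any it had before, which is what makes replays impossible after a reset of either side; the price is at most SAVE_PERIOD fresh messages lost after a reset of q.

```python
import hashlib
import os

MD = hashlib.sha1       # assumed: the slides allow MD5 or SHA-1
SAVE_PERIOD = 8         # assumed: SAVE once every 8 sequence numbers


def digest(secret: bytes, hd: bytes, sq: int, txt: bytes) -> bytes:
    """d = MD(S | hd | sq | txt)."""
    return MD(secret + hd + sq.to_bytes(4, "big") + txt).digest()


class PersistentMemory:
    """Stands in for non-volatile storage: it survives a reset of the router object."""

    def __init__(self):
        self.stored = 0

    def SAVE(self, value: int) -> None:
        self.stored = value

    def FETCH(self) -> int:
        return self.stored


class SenderP:
    def __init__(self, secret: bytes, store: PersistentMemory):
        self.S, self.store = secret, store
        self.wake_up()

    def wake_up(self) -> None:
        # Assumed design: what is SAVEd is a bound that every sq sent before the
        # next SAVE stays below; resuming at the FETCHed bound never reuses a number.
        self.sq = self.store.FETCH()
        self.bound = self.sq + SAVE_PERIOD
        self.store.SAVE(self.bound)          # continue only after SAVE finishes

    def send(self, hd: bytes, txt: bytes) -> tuple:
        if self.sq == self.bound:            # periodic SAVE, every SAVE_PERIOD messages
            self.bound += SAVE_PERIOD
            self.store.SAVE(self.bound)
        msg = (hd, self.sq, digest(self.S, hd, self.sq, txt), txt)
        self.sq += 1
        return msg


class ReceiverQ:
    def __init__(self, secret: bytes, store: PersistentMemory):
        self.S, self.store = [secret, secret], store
        self.wake_up()

    def wake_up(self) -> None:
        # The stored bound is >= every exp q had before the reset, so resuming
        # there rejects all replays at the cost of at most SAVE_PERIOD fresh messages.
        self.exp = self.store.FETCH()
        self.bound = self.exp + SAVE_PERIOD
        self.store.SAVE(self.bound)

    def receive(self, msg: tuple) -> bool:
        hd, sq, d, txt = msg
        if d != digest(self.S[0], hd, sq, txt) and d != digest(self.S[1], hd, sq, txt):
            return False                     # inserted or modified
        if sq < self.exp:
            return False                     # replay
        self.exp = sq + 1
        if self.exp >= self.bound:           # periodic SAVE keeps the bound ahead of exp
            self.bound = self.exp + SAVE_PERIOD
            self.store.SAVE(self.bound)
        return True


def simulate() -> dict:
    """q is reset, then p is reset; replays stay rejected and loss stays bounded."""
    s = os.urandom(16)
    p, q = SenderP(s, PersistentMemory()), ReceiverQ(s, PersistentMemory())
    hd, txt = b"hd", b"payload"              # constructed sample message fields

    first = [p.send(hd, txt) for _ in range(10)]          # sq 0..9
    accepted_initial = sum(q.receive(m) for m in first)

    q.wake_up()                                           # q resets and recovers
    replay_rejected = not q.receive(first[5])
    second = [p.send(hd, txt) for _ in range(10)]         # sq 10..19, p unaware of the reset
    results = [q.receive(m) for m in second]
    lost_after_q_reset = results.count(False)             # fresh messages below the FETCHed bound

    p.wake_up()                                           # p resets and recovers
    third = [p.send(hd, txt) for _ in range(5)]
    accepted_after_p_reset = sum(q.receive(m) for m in third)
    late_replay_rejected = not q.receive(second[-1])

    sqs = [m[1] for m in first + second + third]
    return {
        "accepted_initial": accepted_initial,
        "replay_rejected": replay_rejected,
        "lost_after_q_reset": lost_after_q_reset,
        "accepted_after_q_reset": results.count(True),
        "accepted_after_p_reset": accepted_after_p_reset,
        "late_replay_rejected": late_replay_rejected,
        "no_sequence_number_reused": len(sqs) == len(set(sqs)),
    }


if __name__ == "__main__":
    print(simulate())
```

With SAVE_PERIOD = 8 the run above loses six fresh messages after q's reset (sq 10 to 15, all below the bound 16 that q FETCHed), then accepts everything from sq 16 on; p's reset costs nothing, since p simply resumes at its own saved bound 24 and no sequence number is ever issued twice.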

Tradeoff between Soft and Hard Sequence Numbers

- Soft sequence numbers are easier to implement: they require neither the SAVE and FETCH operations nor persistent memory
- Hard sequence numbers provide better security
- With soft sequence numbers, the adversary has a chance, although small, of getting a replayed message accepted: a replay that arrives exactly when c = cmax is forwarded
- With hard sequence numbers, p and q keep their sequence numbers across resets and leave the adversary no such chance

Other Applications of Hop Integrity

- Mobile IP
- Secure multicast
- Security of routing protocols

Mobile IP

- A mobile computer c can visit a foreign network F other than its home network H
- Messages destined for c are received by its home agent (HA) in H and forwarded to its foreign agent (FA) in F, which delivers them to c

Figure: message m travels through the Internet to the home agent (HA) in H, from there to the foreign agent (FA) in F, and from FA to c

Problem with Mobile IP

- Mobile computer c can send a message through FA
- However, this message may be filtered out by the next router q because its source address (c's home address in H) is "strange" for a message arriving from F

Figure: c sends m via the foreign agent (FA) in F; the next router q, marked "?", may drop m instead of forwarding it through the Internet

Mobile IP with Hop Integrity

- With the integrity check d added to message m, q can verify that m was indeed forwarded by FA
- Thus q ignores the strange source address of message m and forwards m toward its ultimate destination

Figure: c sends m to the foreign agent (FA); FA forwards (m, d) to q, which forwards it on through the Internet

Multicast

- Multicast messages are forwarded through a spanning tree from the root to every multicast destination
- If one destination receives a multicast message, then with high probability every destination receives a copy of the same message


Security Problem with Multicast

- If an adversary inserts or modifies a multicast message between two routers in the middle of the tree, then only the destinations in the subtree below that link, a small fraction of all destinations, receive the inserted or modified message, so the destinations no longer all see the same copy

Multicast with Hop Integrity

- With hop integrity, an inserted or modified multicast message is detected and discarded at the first hop of the spanning tree it reaches, so it never propagates to any destination

Routing Information Protocol (RIP)

- Every 30 seconds, the RIP process in router R' sends its routing table in a response message to the RIP process in each adjacent router R
- R updates its routing table when it receives a response message from any adjacent R'
- Security problem: a response message inserted, modified, or replayed by an adversary between R' and R is accepted by R as if it came from R', and R's routing table is updated from it

Figure: in each of the two adjacent routers R and R' the stack is RIP / UDP / IP, and the RIP processes exchange response messages

RIP with Hop Integrity

- With hop integrity, the response messages are protected against message modification, insertion, and replay

Figure: in each of R and R' the stack is RIP / UDP / IP, with the Secret Update and Integrity Check layers below IP

Security of Routing Protocols

- Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols: OSPF (its Hello, Exchange, and Flood protocols) and RSVP
- Better than the custom security mechanisms that have been proposed for some protocols, since one mechanism covers every message exchanged between adjacent routers

Implementation of Hop Integrity

- Implementation of the hop integrity protocols in the Linux kernel
- The integrity check digest and the soft sequence number are carried as IP options in the IP header
- Compatible with legacy routers; flexibility of deployment

Related Work

- Ingress filtering [RFC2827]: complements hop integrity
- Secure routing [Che97, MB96, SMG97]: not needed if hop integrity is installed
- Traceback [BLT01, SWK+01, SPS+01]: cannot prevent denial-of-service attacks, but can detect some of them
- IPsec [KA98a]: has goals other than dealing with denial-of-service attacks

Next Class

- Security in the transport layer: SSL and TLS
- Application of SSL/TLS in Web security
- Read Chapter 17