10/5/2006 2
A Security Problem in Networks
An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network
These inserted, modified, and replayed messages can go undetected until they cause severe damage to the network
The physical location of the adversary in the network may never be determined
Example: denial-of-service attacks
Denial-of-Service (DoS) Attacks
Aimed at denying the normal service provided by the target computer
Communication-stopping attacks: ARP spoofing attack
Resource-exhausting attacks: Smurf attack, SYN attack
Ping Protocol
Allows any computer to check whether any other computer in the Internet is up
Any computer x can send a "ping" message to any computer y, which replies by sending back a "pong" message (thus x knows y is up)
In the ping message: src = x and dst = y. In the pong message: src = y and dst = x
Figure: x sends ping(x, y) to y; y replies with pong(y, x)
Broadcast Ping Protocol
If in the ping message dst = "all", a copy of the ping is broadcast to every computer
Each computer replies by sending back a pong, and x is flooded with pong messages
In the ping message: src = x and dst = "all". In the pong messages: src = y, y', ... and dst = x
Figure: x sends ping(x, all); y replies with pong(y, x), y' with pong(y', x), and so on
Smurf Attack
An adversary a pretends to be x and broadcasts a ping message where src = x and dst = "all"
Thus x is flooded with pong messages that it has not requested: a denial-of-service attack at x
Figure: a sends ping(x, all); y and y' reply with pong(y, x) and pong(y', x), which are delivered to x
Countering Smurf Attack
Make each router check the src of each received message and discard the message if the src is suspicious, i.e. if a message with that src could not legitimately have arrived on the interface it came in on
Figure: a sends ping(x, all) toward y and y' through routers R1, R2, R3; the router receiving it from a discards it: "src = x shouldn't come to me"
Clever Smurf Attack
An adversary a inserts a ping(x, all) message on the link between routers R2 and R3
R3 thinks the message was forwarded by R2 and so accepts the message
Figure: a injects ping(x, all) between R2 and R3; R3 forwards it toward y and y'
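The per-interface source check of the previous slide, and why an injection on the R2-R3 link defeats it, as an added example that is not code from the slides. The line topology R1 - R2 - R3, the interface names and the addresses (x on 10.0.1.0/24 and the adversary a on 10.0.2.0/24 behind R1, y and y' on 10.0.3.0/24 behind R3) are constructed for the illustration:

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (not from the slides): x on 10.0.1.0/24 behind R1,
# the adversary a on 10.0.2.0/24 also behind R1, y and y' on 10.0.3.0/24
# behind R3, routers in a line R1 - R2 - R3.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str

class Router:
    """Applies the slide's countermeasure: a packet is accepted on an
    interface only if its source address belongs to a network whose hosts
    can legitimately be reached through that interface."""
    def __init__(self, name, sources_per_iface):
        self.name = name
        self.allowed = {iface: [ipaddress.ip_network(n) for n in nets]
                        for iface, nets in sources_per_iface.items()}

    def accepts(self, iface, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.allowed[iface])

def trace(path, pkt):
    """Pass pkt along (router, ingress interface) hops and stop at the first
    router that drops it; returns the names of the routers that accepted it."""
    accepted = []
    for router, iface in path:
        if not router.accepts(iface, pkt):
            break
        accepted.append(router.name)
    return accepted

R1 = Router("R1", {"x-lan": ["10.0.1.0/24"],
                   "a-lan": ["10.0.2.0/24"],
                   "to-R2": ["10.0.3.0/24"]})
R2 = Router("R2", {"from-R1": ["10.0.1.0/24", "10.0.2.0/24"],
                   "from-R3": ["10.0.3.0/24"]})
R3 = Router("R3", {"from-R2": ["10.0.1.0/24", "10.0.2.0/24"],
                   "y-lan": ["10.0.3.0/24"]})

X, BROADCAST = "10.0.1.7", "10.0.3.255"    # constructed addresses
PING_X_ALL = Packet(src=X, dst=BROADCAST, payload="ping")

def legitimate_ping():
    # x really sends ping(x, all): every router sees src = x on the expected side
    return trace([(R1, "x-lan"), (R2, "from-R1"), (R3, "from-R2")], PING_X_ALL)

def smurf_from_edge():
    # a forges src = x but enters R1 on a-lan, where 10.0.1.0/24 never arrives
    return trace([(R1, "a-lan"), (R2, "from-R1"), (R3, "from-R2")], PING_X_ALL)

def clever_smurf():
    # a injects the forged ping on the R2-R3 link: R3 sees it on from-R2, where
    # src = x is expected, so the check cannot tell it from a forwarded copy
    return trace([(R3, "from-R2")], PING_X_ALL)
```

The third case is the gap the rest of the lecture closes: the source check only says where an address may appear, not who actually put the packet on the link.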
Countering Clever Smurf Attack
When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was modified or replayed by an adversary between R2 and R3
If IPsec were used, security associations (SAs) would need to be set up between each pair of adjacent routers: too expensive
Our solution: use a hop integrity protocol between each pair of adjacent routers
Hop Integrity
Let p, q be routers connected to the same subnetwork
Detection of message modification: when q receives a message m supposedly from p, q can check that m was not modified after it was sent
Detection of message replay: when q receives a message m supposedly from p, q can check that m is not a replay of an old message
Adversary vs. Routers
The adversary can perform three types of actions to disrupt communication between two routers: message loss, message modification, message replay
The routers are assumed to be secure and cannot be compromised by the adversary
The routers execute hop integrity protocols that can detect and defeat the adversary's actions
Hop Integrity Protocol
Each pair of adjacent routers needs to share a secret S, which is updated periodically by the two routers using a secret exchange protocol
To each IP message (hd | txt) sent between two adjacent routers, add a sequence number sq and an integrity check d: (hd | sq | d | txt)
d := MD(S | hd | sq | txt), where MD is MD5 or SHA-1
d is 16 bytes if MD is MD5, 20 bytes if MD is SHA-1; sq is 4 bytes
Architecture of Hop Integrity Protocols
Figure: in each of the adjacent routers p and q the stack is Applications, Transport, Network, Subnetwork; between the Network and Subnetwork layers sit the two hop integrity layers, a secret exchange layer (pe in p, qe in q) and an integrity check layer (pw or ps in p, qw or qs in q, for the weak or the strong protocol). The secret exchange layer supplies the secrets to the integrity check layer.
Components of Hop Integrity Protocols
Three protocols between each pair of adjacent routers: secret exchange protocol, weak integrity protocol, strong integrity protocol
How to Exchange the Secret
Each router p has a secret S that it uses for computing the digest of every message sent to an adjacent router q
Both p and q need to know S
What if p sends a secret update message to q periodically? Problem due to message loss: after a lost update p digests with the new S while q still checks with the old one, and q discards everything p sends
What if p sends a secret update message to q periodically and q sends an ack to p? Problem due to bundling of the secret exchange layer and the integrity check layer
Secret Exchange Protocol
q updates secret S used by p by sending a secret update message to p every T hours
When p receives secret update message from q, p updates secret and sends an ack to q
If q does not receive ack from p for t seconds, q retransmits the secret update message
Secret Exchange Protocol
Figure (normal case): q keeps S[0] (old) and S[1] (new); p keeps S. Initially S[0] = S[1] = S. Every T hours q chooses a new S[1] and sends Bp(S[0], S[1]) to p. On receiving it, p executes: if S = S[0] ∨ S = S[1] then S := S[1], and replies with Bq(S). On receiving the reply, q executes: if S[1] = S then S[0] := S[1], so that again S[0] = S[1] = S.
Recovery in Secret Exchange Protocol
Figure (message loss): q sends Bp(S[0], S[1]); while the exchange is in progress, S[0] = S ≠ S[1]. If the request or p's reply Bq(S) is lost, q receives no ack within t seconds and retransmits Bp(S[0], S[1]). Because p accepts the request whenever S = S[0] ∨ S = S[1] (and then sets S := S[1]), a retransmission is harmless whether or not p has already updated: after p's update S[1] = S ≠ S[0] holds until the ack reaches q and q sets S[0] := S[1].
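The exchange of the last three slides run over a lossy link, as an added example (not the slides' code). The Bp(...)/Bq(...) messages are modelled as plain tuples; their public-key encryption is assumed to happen below this layer and is not shown. The assertion inside run_update is the property the integrity check layer relies on: p's S is at every moment one of q's two secrets, so a message digested by p can always be verified by q, which is exactly what the single-secret scheme of the "How to Exchange the Secret" slide loses after one lost update.

```python
import secrets

# Added example, not the slides' implementation. Encryption of the two
# messages (Bp(S[0], S[1]) and Bq(S) on the slides) is assumed and omitted.

class RouterQ:
    """q keeps the old secret S[0] and the new secret S[1] and drives updates."""
    def __init__(self, s):
        self.S = [s, s]        # initially S[0] = S[1] = S
        self.pending = False   # an update request is awaiting p's ack

    def begin_update(self):
        """Every T hours: pick a fresh S[1] and send Bp(S[0], S[1])."""
        self.S[1] = secrets.token_bytes(16)
        self.pending = True
        return ("rqst", self.S[0], self.S[1])

    def retransmit(self):
        """After t seconds without an ack: resend the same request."""
        return ("rqst", self.S[0], self.S[1])

    def on_reply(self, s):
        """Bq(S) from p: once p holds the new secret, retire the old one."""
        if s == self.S[1]:
            self.S[0] = self.S[1]
            self.pending = False


class RouterP:
    """p holds a single secret S used to digest everything it sends to q."""
    def __init__(self, s):
        self.S = s

    def on_request(self, s0, s1):
        """If S is one of q's two secrets, adopt the new one; always ack with S."""
        if self.S in (s0, s1):
            self.S = s1
        return ("rply", self.S)


def run_update(q, p, lose_requests=0, lose_replies=0, max_rounds=10):
    """Drive one secret update across a lossy link: the first lose_requests
    request messages and the first lose_replies reply messages are dropped.
    Returns how many times q had to transmit the request."""
    msg = q.begin_update()
    rounds = 0
    while q.pending and rounds < max_rounds:
        rounds += 1
        assert p.S in q.S               # q can always verify p's digests
        if lose_requests > 0:
            lose_requests -= 1          # request lost: p learns nothing
        else:
            _, s0, s1 = msg
            _, s = p.on_request(s0, s1)
            assert p.S in q.S           # still true right after p's update
            if lose_replies > 0:
                lose_replies -= 1       # ack lost: q will time out
            else:
                q.on_reply(s)
        if q.pending:
            msg = q.retransmit()        # t seconds passed without an ack
    return rounds


def exchange_scenarios():
    """Constructed scenarios: no loss, two lost requests, one lost ack.
    Each entry is (transmissions needed, whether S[0] = S[1] = S at the end)."""
    results = {}
    for name, lr, la in (("no_loss", 0, 0),
                         ("lost_requests", 2, 0),
                         ("lost_reply", 0, 1)):
        s = secrets.token_bytes(16)
        q, p = RouterQ(s), RouterP(s)
        rounds = run_update(q, p, lose_requests=lr, lose_replies=la)
        results[name] = (rounds, q.S[0] == q.S[1] == p.S)
    return results
```

In the lost-ack case p has already switched to S[1] when the retransmission arrives; p's test S = S[0] ∨ S = S[1] still passes, so the duplicate request only produces the missing ack.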
Weak Integrity Protocol
To detect insertion and modification, each message sent from p to q is (hd | d | txt), where p computes d as d = MD(S | hd | txt)
On receiving a message, q checks: if d = MD(S[0] | hd | txt) ∨ d = MD(S[1] | hd | txt) then q forwards the message else q discards the message
Figure: p, holding S, sends (hd | d | txt) to q, which checks d against both of its secrets S[0] and S[1]
Strong Integrity
To detect replay, successive sequence numbers are attached to all messages sent from p to q
Problem with reset:
  If p is reset (its sequence number restarts from the beginning), an unbounded number of fresh messages are discarded by q
  If q is reset (its expected sequence number restarts from the beginning), it can accept an unbounded number of replayed messages
Two solutions to overcome reset: soft sequence numbers, hard sequence numbers
Soft Sequence Numbers
Successive sequence numbers are attached to all messages sent from p to q: (hd | sq | txt)
q maintains three variables:
  exp: sequence number of the next expected message
  c: number of messages received
  cmax: random value, changed when c reaches it
On receiving a message, q checks: if (exp ≤ sq) ∨ (c = cmax) then q forwards the message else q discards the message fi; q updates exp, c, cmax
Figure: p attaches sq, sq+1, ... to successive messages (hd | sq | txt); q tracks exp, c and cmax, starting with c = 0 and counting received messages until c = cmax, at which point it chooses a new cmax and restarts c at 0
Strong Integrity Protocol Using Soft Sequence Numbers
Each message sent from p to q is (hd | sq | d | txt), where p computes d as d = MD(S | hd | sq | txt)
On receiving a message, q checks: if (d = MD(S[0] | hd | sq | txt) ∨ d = MD(S[1] | hd | sq | txt)) ∧ (exp ≤ sq ∨ c = cmax) then q forwards the message else q discards the message fi; q updates exp, c, cmax (cmax is a random value)
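A runnable model of this slide and of the two before it: the weak integrity check (a digest under either S[0] or S[1] is accepted) combined with soft sequence numbers, shown against modification, replay, a reset of p, and a secret rollover. This is an added example, not the slides' implementation. HMAC-SHA256 keyed with S stands in for the slides' MD(S | ...) with MD5 or SHA-1: both of those hashes are broken for collision resistance and a raw secret-prefix digest is not the standard keyed construction, so a practitioner would use HMAC. sq is packed as the 4-byte field the slides specify. How c and cmax are updated on a discarded message is not spelled out on the slides; the assumption here is that c counts every message whose digest verifies, forwarded or not, since otherwise q would never reach c = cmax after p resets. The header bytes and the cmax range are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not the slides' code. Message layout follows the slides:
# (hd | sq | d | txt) with d computed over S | hd | sq | txt.
# Assumption: HMAC-SHA256 keyed with S replaces the slides' MD5/SHA-1 "MD".

def digest(S, hd, sq, txt):
    return hmac.new(S, hd + struct.pack("!I", sq) + txt, hashlib.sha256).digest()

class SenderP:
    """Router p: one secret S and a sequence number for the link to q."""
    def __init__(self, S):
        self.S = S
        self.sq = 0
    def send(self, hd, txt):
        msg = (hd, self.sq, digest(self.S, hd, self.sq, txt), txt)
        self.sq += 1
        return msg
    def reset(self):
        self.sq = 0             # reboot without persistent state

class ReceiverQ:
    """Router q: verifies d under the old or the new secret and filters
    replays with soft sequence numbers exp, c, cmax."""
    def __init__(self, S0, S1, choose_cmax=lambda: 4 + secrets.randbelow(5)):
        self.S = [S0, S1]
        self.exp = 0                  # next expected sequence number
        self.c = 0                    # messages with a valid digest seen so far
        self.choose_cmax = choose_cmax
        self.cmax = choose_cmax()     # random point at which q resynchronises
    def receive(self, msg):
        hd, sq, d, txt = msg
        if not any(hmac.compare_digest(d, digest(s, hd, sq, txt)) for s in self.S):
            return False              # inserted or modified: no state change
        accept = self.exp <= sq or self.c == self.cmax
        if accept:
            self.exp = sq + 1
        if self.c == self.cmax:       # assumption: c counts valid-digest msgs
            self.c, self.cmax = 0, self.choose_cmax()
        else:
            self.c += 1
        return accept

HD = b"\x45\x00IPHDR"   # constructed stand-in for the IP header bytes

def normal_and_attacks():
    """Six fresh messages, then a modified copy and a replayed copy."""
    S = secrets.token_bytes(16)
    p, q = SenderP(S), ReceiverQ(S, S, choose_cmax=lambda: 4)
    sent = [p.send(HD, b"payload %d" % i) for i in range(6)]
    fresh = [q.receive(m) for m in sent]
    hd, sq, d, txt = sent[2]
    modified = q.receive((hd, sq, d, txt + b"!"))   # digest no longer matches
    replay = q.receive(sent[2])                     # sq < exp and c != cmax
    return fresh, modified, replay

def reset_recovery():
    """p reboots after six messages; q discards until c reaches cmax, then
    resynchronises exp on the accepted message and continues."""
    S = secrets.token_bytes(16)
    p, q = SenderP(S), ReceiverQ(S, S, choose_cmax=lambda: 4)
    for _ in range(6):
        q.receive(p.send(HD, b"before reset"))
    p.reset()
    return [q.receive(p.send(HD, b"after reset")) for _ in range(5)]

def lucky_replay():
    """The small window of the tradeoff slide: a replay arriving exactly
    when c = cmax is accepted despite its old sequence number."""
    S = secrets.token_bytes(16)
    p, q = SenderP(S), ReceiverQ(S, S, choose_cmax=lambda: 4)
    sent = [p.send(HD, b"x") for _ in range(5)]
    for m in sent[:4]:
        q.receive(m)                  # now c == cmax
    return q.receive(sent[0])

def secret_rollover():
    """q already holds the new secret S[1]; p still digests with S[0]
    for one more message, then switches, and both are accepted."""
    S_old, S_new = secrets.token_bytes(16), secrets.token_bytes(16)
    p, q = SenderP(S_old), ReceiverQ(S_old, S_new)
    first = q.receive(p.send(HD, b"a"))
    p.S = S_new
    return first, q.receive(p.send(HD, b"b"))
```

With cmax fixed at 4 for determinism, reset_recovery discards p's first three post-reset messages and accepts from the fourth on; in this model a lucky replay also pulls exp back down, which is why the slides rate hard sequence numbers as the stronger option.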
Hard Sequence Numbers
To overcome reset, use two operations SAVE and FETCH
When SAVE is executed, the last sequence number will be stored in persistent memory
When FETCH is executed, the last stored sequence number will be loaded from persistent memory into memory
Strong Integrity Protocol Using Hard Sequence Numbers
Each message sent from p to q is (hd | sq | d | txt), where p computes d as d = MD(S | hd | sq | txt)
On receiving a message, q checks: if (d = MD(S[0] | hd | sq | txt) ∨ d = MD(S[1] | hd | sq | txt)) ∧ (exp ≤ sq) then q forwards the message else q discards the message fi; q updates exp
p and q execute SAVE periodically
When waking up from a reset, p (or q) executes FETCH to fetch the last stored sequence number, executes SAVE to store the next sequence number, and continues after SAVE finishes
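The SAVE/FETCH bookkeeping of the last two slides on its own, with the digest check left out, as an added example that is not the slides' code. Persistent memory is simulated by a Flash class. Two details are assumptions made so the example is correct rather than things the slides state: p's periodic SAVE stores a high-water mark (the next number plus SAVE_EVERY) instead of the last number used, so the stored value always exceeds every sequence number p has handed out, and q SAVEs exp on every accepted message. The receiver with flash=None reproduces the reset problem of the Strong Integrity slide.

```python
# Added example (not the slides' code): hard sequence numbers with a simulated
# persistent memory. SAVE and FETCH are the slides' operations.

class Flash:
    """Stand-in for a router's persistent memory holding one sequence number."""
    def __init__(self):
        self.cell = 0
    def save(self, value):
        self.cell = value
    def fetch(self):
        return self.cell

class HardSender:
    """p: hands out sequence numbers and never reuses one across a reset.
    Assumption: SAVE stores a high-water mark, not the last number used."""
    SAVE_EVERY = 8                              # constructed SAVE period

    def __init__(self, flash):
        self.flash = flash
        self.sq = flash.fetch()                 # FETCH on start or after a reset
        self.saved = self.sq + self.SAVE_EVERY
        self.flash.save(self.saved)             # SAVE before the first message

    def next_sq(self):
        sq = self.sq
        self.sq += 1
        if self.sq == self.saved:               # bound exhausted: SAVE the next one
            self.saved = self.sq + self.SAVE_EVERY
            self.flash.save(self.saved)
        return sq

class HardReceiver:
    """q: accepts sq only if exp <= sq. With flash=None exp lives in volatile
    memory only, which is the reset problem the slides describe."""
    def __init__(self, flash=None):
        self.flash = flash
        self.exp = flash.fetch() if flash is not None else 0

    def accept(self, sq):
        if sq < self.exp:
            return False                        # replay
        self.exp = sq + 1
        if self.flash is not None:
            self.flash.save(self.exp)           # assumption: SAVE per accepted msg
        return True

def sender_reset_demo():
    """p reboots after 11 messages: FETCH returns the saved bound 16, so p
    resumes at 16 and q accepts without any resynchronisation window."""
    flash_p, flash_q = Flash(), Flash()
    p, q = HardSender(flash_p), HardReceiver(flash_q)
    before = [q.accept(p.next_sq()) for _ in range(11)]   # sq 0..10
    p = HardSender(flash_p)                               # volatile sq lost
    after = [q.accept(p.next_sq()) for _ in range(3)]     # sq 16, 17, 18
    return before, after, p.sq

def receiver_reset_demo(persistent=True):
    """q reboots after 5 messages and is then offered the same 5 again."""
    flash_p, flash_q = Flash(), Flash()
    store = flash_q if persistent else None
    p, q = HardSender(flash_p), HardReceiver(store)
    sent = [p.next_sq() for _ in range(5)]
    for sq in sent:
        q.accept(sq)
    q = HardReceiver(store)                               # q reboots
    replayed = [q.accept(sq) for sq in sent]
    fresh = q.accept(p.next_sq())
    return replayed, fresh
```

The gap p leaves after a reset (numbers 11 to 15 are never used) is what buys the guarantee; if q's SAVE were only periodic, as the slide allows, the messages accepted since the last SAVE would be replayable after q's reset unless q advances exp by a matching bound on recovery.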
Tradeoff between Soft and Hard Sequence Numbers
Soft sequence numbers are easier to implement: they do not require SAVE and FETCH operations and do not require persistent memory
Hard sequence numbers provide better security
When soft sequence numbers are used, the adversary has a chance, although small, to get a replayed sequence number accepted (a replay that arrives exactly when c = cmax is forwarded)
When hard sequence numbers are used, p and q stick to their sequence numbers and leave the adversary no chance
Other Applications of Hop Integrity
Mobile IP
Secure multicast
Security of routing protocols
Mobile IP
A mobile computer c can visit a foreign network F other than its home network H
Messages destined for c are received by its home agent (HA) and forwarded to its foreign agent (FA)
Figure: a message m for c crosses the Internet to the home agent in H, is forwarded to the foreign agent in F, and is delivered to c
Problem with Mobile IP
Mobile computer c can send a message through FA
However, this message may be filtered out by the next router q because its source address is "strange": c's home address in H does not belong to the network F the message arrives from
Figure: m from c passes FA and reaches router q, which questions its source address
Mobile IP with Hop Integrity
With the integrity check d added to message m, q can check that m was indeed forwarded by FA
Thus q ignores the strange source of message m and forwards m toward its ultimate destination
Figure: FA sends (m, d) to q; q verifies d and forwards m across the Internet
Multicast
Multicast messages are forwarded through a spanning tree from the root to every multicast destination
If one destination receives a multicast message, then with high probability each destination receives a copy of the same message
Security Problem with Multicast
If an adversary inserts or modifies a multicast message between two routers in the middle of the tree, then only a small fraction of the multicast destinations receive the inserted or modified message
Multicast with Hop Integrity
With hop integrity, an inserted or modified multicast message will be detected and discarded at its first hop in the spanning tree
Routing Information Protocol (RIP)
Every 30 seconds, the RIP process in router R' sends its routing table in a response message to the RIP process in each adjacent router R
R updates its routing table when it receives a response message from any adjacent R'
Security problem: an adversary that can insert, modify, or replay response messages between R and R' can corrupt R's routing table
Figure: the stack in each router is RIP over UDP over IP; response messages travel between the two IP layers
RIP with Hop Integrity
With hop integrity, the response messages are protected against message modification, insertion, and replay
Figure: the stack in each router is RIP over UDP over IP, with the hop integrity Secret Update and Integrity Check layers below IP in both routers
Security of Routing Protocols
Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols: the OSPF protocols (Hello, Exchange, Flood) and RSVP
Better than the custom security mechanisms that have been proposed for some protocols
Implementation of Hop Integrity
Implementation of the hop integrity protocols in the Linux kernel
Adds the integrity check digest and the soft sequence number to the IP options in the IP header
Compatible with legacy routers; flexibility of deployment
Related Works
Ingress filtering [RFC2827]: completes hop integrity
Secure routing [Che97, MB96, SMG97]: not needed if hop integrity is installed
Traceback [BLT01, SWK+01, SPS+01]: cannot prevent denial-of-service attacks, but can detect some of them
IPsec [KA98a]: has goals other than dealing with denial-of-service attacks
Next Class
Security in the transport layer: SSL and TLS; application of SSL/TLS in Web security
Read Chapter 17