42
CSCI-1680 Security Based on lecture notes by Scott Shenker and Mike Fr Rodrigo Fonseca

CSCI-1680 Security

  • Upload
    moanna

  • View
    42

  • Download
    1

Embed Size (px)

DESCRIPTION

CSCI-1680 Security. Rodrigo Fonseca. Based on lecture notes by Scott Shenker and Mike Freedman. Today’ s Lecture. Classes of attacks Basic security requirements Simple cryptographic methods Cryptographic toolkit (Hash, Digital Signature, …) DNSSec Certificate Authorities SSL / HTTPS. - PowerPoint PPT Presentation

Citation preview

CSCI-1680 :: Computer Networks

CSCI-1680Security

Based on lecture notes by Scott Shenker and Mike FreedmanRodrigo FonsecaTodays LectureClasses of attacksBasic security requirementsSimple cryptographic methodsCryptographic toolkit (Hash, Digital Signature, )DNSSecCertificate AuthoritiesSSL / HTTPSBasic Requirements for Secure CommunicationAvailability: Will the network deliver data?Infrastructure compromise, DDoSAuthentication: Who is this actor?Spoofing, phishingIntegrity: Do messages arrive in original form?Confidentiality: Can adversary read the data?Sniffing, man-in-the-middleProvenance: Who is responsible for this data?Forging responses, denying responsibilityNot who sent the data, but who created it

Other Desirable Security PropertiesAuthorization: is actor allowed to do this action?Access controlsAccountability/Attribution: who did this activity?Audit/Forensics: what occurred in the past?A broader notion of accountability/attributionAppropriate use: is action consistent with policy?E.g., no spam; no games during business hours; etc.Freedom from traffic analysis: can someone tell when I am sending and to whom?Anonymity: can someone tell I sent this packet?

4Internets Design: InsecureDesigned for simplicity in a nave eraOn by default designReadily available zombie machinesAttacks look like normal trafficInternets federated operation obstructs cooperation for diagnosis/mitigation5Eavesdropping - Message Interception (Attack on Confidentiality)Unauthorized access to informationPacket sniffers and wiretappersIllicit copying of files and programsABEavesdropper6Eavesdropping Attack: Exampletcpdump with promiscuous network interfaceOn a switched network, what can you see?

What might the following traffic types reveal about communications?DNS lookups (and replies)IP packets without payloads (headers only)Payloads

7Remember the ARP flooding attack?Integrity Attack - TamperingStop the flow of the messageDelay and optionally modify the messageRelease the message againABPerpetrator8Authenticity Attack - FabricationUnauthorized assumption of others identityGenerate and distribute objects under this identityABMasquerader: from A9Attack on AvailabilityDestroy hardware (cutting fiber) or softwareModify software in a subtle wayCorrupt packets in transit

Blatant denial of service (DoS):Crashing the serverOverwhelm the server (use up its resource)AB10Basic Forms of Cryptography11Confidentiality through CryptographyCryptography: communication over insecure channel in the presence of adversariesStudied for thousands of yearsCentral goal: how to encode information so that an adversary cant extract it but a friend canGeneral premise: a key is required for decodingGive it to friends, keep it away from attackersTwo different categories of encryptionSymmetric: efficient, requires key distributionAsymmetric (Public Key): computationally expensive, but no key distribution problem12Symmetric Key EncryptionSame key for encryption and decryptionBoth sender and receiver know keyBut adversary does not know keyFor communication, problem is key distributionHow do the parties (secretly) agree on the key?What can you do with a huge key? One-time padHuge key of random bitsTo encrypt/decrypt: just XOR with the key!Provably secure! . provided:You never reuse the key and it really is random/unpredictableSpies actually use these13Using Symmetric Keys Both the sender and the receiver use the same secret keysInternetEncrypt withsecret keyDecrypt withsecret keyPlaintextPlaintextCiphertext14Asymmetric Encryption (Public Key)Idea: use two different keys, one to encrypt (e) and one to decrypt (d)A key pairCrucial property: knowing e does not give away dTherefore e can be public: everyone knows it!If Alice wants to send to Bob, she fetches Bobs public key (say from Bobs home page) and encrypts with itAlice cant decrypt what shes sending to Bob but then, neither can anyone else (except Bob)15Public Key / Asymmetric EncryptionSender uses receivers public keyAdvertised to everyoneReceiver uses complementary private keyMust be kept secretInternetEncrypt withpublic keyDecrypt withprivate keyPlaintextPlaintextCiphertext16Works in Reverse Direction Too!Sender uses his own private keyReceiver uses complementary public keyAllows sender to prove he knows private key

InternetDecrypt withpublic keyEncrypt withprivate keyPlaintextPlaintextCiphertext17Realizing Public Key CryptographyInvented in the 1970sRevolutionized cryptography(Was actually invented earlier by British intelligence)How can we construct an encryption/decryption algorithm with public/private properties? Answer: Number TheoryMost fully developed approach: RSARivest / Shamir / Adleman, 1977; RFC 3447Based on modular multiplication of very large integersVery widely used (e.g., SSL/TLS for https)18Cryptographic Toolkit19Cryptographic ToolkitConfidentiality: EncryptionIntegrity: ?Authentication: ?Provenance: ?

Integrity: Cryptographic HashesSender computes a digest of message m, i.e., H(m)H() is a publicly known hash functionSend m in any mannerSend digest d = H(m) to receiver in a secure way:Using another physical channelUsing encryption (why does this help?) Upon receiving m and d, receiver re-computes H(m) to see whether result agrees with d21Operation of Hashing for IntegrityInternetDigest(MD5)PlaintextdigestDigest(MD5)=digestNOcorrupted msgPlaintext22Cryptographically Strong HashesHard to find collisionsAdversary cant find two inputs that produce same hashSomeone cannot alter message without modifying digestCan succinctly refer to large objects

Hard to invertGiven hash, adversary cant find input that produces itCan refer obliquely to private objects (e.g., passwords)Send hash of object rather than object itself23PropertiesEffects of Cryptographic Hashing

24Cryptographic ToolkitConfidentiality: EncryptionIntegrity: Cryptographic HashAuthentication: ?Provenance: ?

Public Key AuthenticationEach side need only to know the other sides public keyNo secret key need be sharedA encrypts a nonce (random number) x using Bs public keyB proves it can recover xA can authenticate itself to B in the same wayE(x, PublicB) xAB26Cryptographic ToolkitConfidentiality: EncryptionIntegrity: Cryptographic HashAuthentication: Decrypting nonceProvenance: ?

Digital SignaturesSuppose Alice has published public key KEIf she wishes to prove who she is, she can send a message x encrypted with her private key KDTherefore: anyone w/ public key KE can recover x, verify that Alice must have sent the messageIt provides a digital signatureAlice cant deny later deny it non-repudiation28RSA Crypto & Signatures, cont

29Summary of Our Crypto ToolkitIf we can securely distribute a key, thenSymmetric ciphers (e.g., AES) offer fast, presumably strong confidentialityPublic key cryptography does away with problem of secure key distributionBut not as computationally efficientOften addressed by using public key crypto to exchange a session keyAnd not guaranteed secure but major result if not30No efficient algorithm to factor large numbers.Summary of Our Crypto Toolkit, contCryptographically strong hash functions provide major building block for integrity (e.g., SHA-1)As well as providing concise digestsAnd providing a way to prove you know something (e.g., passwords) without revealing it (non-invertibility)But: worrisome recent results regarding their strengthPublic key also gives us signaturesIncluding sender non-repudiationTurns out theres a crypto trick based on similar algorithms that allows two parties who dont know each others public key to securely negotiate a secret key even in the presence of eavesdroppers 3132PKIs and HTTPS32Public Key Infrastructure (PKI)Public key crypto is very powerful but the realities of tying public keys to real world identities turn out to be quite hard

PKI: Trust distribution mechanismAuthentication via Digital CertificatesTrust doesnt mean someone is honest, just that they are who they say they are

33Managing TrustThe most solid level of trust is rooted in our direct personal experienceE.g., Alices trust that Bob is who they say they areClearly doesnt scale to a global network!

In its absence, we rely on delegationAlice trusts Bobs identity because Charlie attests to it .. and Alice trusts Charlie34Managing Trust, contTrust is not particularly transitiveShould Alice trust Bob because she trusts Charlie and Charlie vouches for Donna and Donna says Eve is trustworthy and Eve vouches for Bobs identity?

Two models of delegating trustRely on your set of friends and their friendsWeb of trust -- e.g., PGPRely on trusted, well-known authorities (and their minions)Trusted root -- e.g., HTTPS35PKI Conceptual FrameworkTrusted-Root PKI: Basis: well-known public key serves as root of a hierarchyManaged by a Certificate Authority (CA)To publish a public key, ask the CA to digitally sign a statement indicating that they agree (certify) that it is indeed your keyThis is a certificate for your key (certificate = bunch of bits)Includes both your public key and the signed statementAnyone can verify the signatureDelegation of trust to the CATheyd better not screw up (duped into signing bogus key)Theyd better have procedures for dealing with stolen keysNote: can build up a hierarchy of signing36Components of a PKI

37Digital CertificateSigned data structure that binds an entity with its corresponding public keySigned by a recognized and trusted authority, i.e., Certification Authority (CA) Provide assurance that a particular public key belongs to a specific entityExample: certificate of entity Y Cert = E({nameY, KYpublic}, KCAprivate)KCAprivate: private key of Certificate AuthoritynameY: name of entity YKYpublic: public key of entity YIn fact, they may sign whatever glob of bits you give themYour browser has a bunch of CAs wired into it

38Certification AuthorityPeople, processes responsible for creation, delivery and management of digital certificatesOrganized in an hierarchyTo verify signature chain, follow hierarchy up to root

CA-1CA-2Root CA

39Registration AuthorityPeople & processes responsible for:Authenticating the identity of new entities (users or computing devices), e.g.,By phone, or physical presence + IDIssuing requests to CA for certificatesThe CA must trust the Registration AuthorityThis trust can be misplaced

40Certificate RepositoryA database accessible to all users of a PKIContains:Digital certificatesPolicy information associated with certsCertificate revocation information Vital to be able to identify certs that have been compromisedUsually done via a revocation list

41Putting It All Together: HTTPSSteps after clicking on https://www.amazon.comhttps = Use HTTP over SSL/TLSSSL = Secure Socket LayerTLS = Transport Layer SecuritySuccessor to SSL, and compatible with itRFC 4346 Provides security layer (authentication, encryption) on top of TCPFairly transparent to the app

HTTPS Connection (SSL/TLS), contBrowser (client) connects via TCP to Amazons HTTPS serverClient sends over list of crypto protocols it supportsServer picks protocols to use for this sessionServer sends over its certificate(all of this is in the clear)SYNSYN ACKACKBrowserAmazonHello. I support(TLS+RSA+AES128+SHA1) or(SSL+RSA+3DES+MD5) or Lets useTLS+RSA+AES128+SHA1Heres my cert~1 KB of data4344Inside the Servers CertificateName associated with cert (e.g., Amazon)Amazons public keyA bunch of auxiliary info (physical address, type of cert, expiration time)URL to revocation center to check for revoked keysName of certificates signatory (who signed it)A public-key signature of a hash (MD5) of all thisConstructed using the signatorys private RSA key44Validating Amazons IdentityBrowser retrieves cert belonging to the signatoryThese are hardwired into the browserIf it cant find the cert, then warns the user that site has not been verifiedAnd may ask whether to continueNote, can still proceed, just without authenticationBrowser uses public key in signatorys cert to decrypt signatureCompares with its own MD5 hash of Amazons certAssuming signature matches, now have high confidence its indeed Amazon assuming signatory is trustworthy45

HTTPS Connection (SSL/TLS), contBrowser constructs a random session key KBrowser encrypts K using Amazons public keyBrowser sends E(K, KApublic) to serverBrowser displaysAll subsequent communication encrypted w/ symmetric cipher using key KE.g., client can authenticate using a passwordBrowserAmazonHeres my cert~1 KB of dataE(K, KApublic)KKE(password , K)E(response , K)Agreed46DNS Security47Case study of security problems, build to a solution employing our cryptographic toolkit

Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf48Root level DNS attacksFeb. 6, 2007:Botnet attack on the 13 Internet DNS root serversLasted 2.5 hoursNone crashed, but two performed badly:g-root (DoD), l-root (ICANN)Most other root servers use anycast49Do you trust the TLD operators?Wildcard DNS record for all .com and .net domain names not yet registered by othersSeptember 15 October 4, 2003February 2004: Verisign sues ICANNRedirection for these domain names to Verisign web portal: to help you searchand serve you adsand get sponsored search

50Defense: Replication and Caching

source: wikipedia51DNS Amplification Attack580,000 open resolvers on Internet (Kaminsky-Shiffman06)DNSServer

DoSSource

DoSTargetDNS QuerySrcIP: DoS Target

(60 bytes)EDNS Reponse

(3000 bytes)DNS Amplification attack: ( 40 amplification )52attackerSolutions

ip spoofed packetsrepliesvictimopenamplifierpreventip spoofingdisableopen amplifiers53Authentication, provenance holistic approach to securityBut should we believe it? Enter DNSSECDNSSEC protects against data spoofing and corruptionDNSSEC also provides mechanisms to authenticate servers and requestsDNSSEC provides mechanisms to establish authenticity and integrity54PK-DNSSEC (Public Key)The DNS servers sign the hash of resource record set with its private (signature) keysPublic keys can be used to verify the SIGsLeverages hierarchy:Authenticity of nameservers public keys is established by a signature over the keys by the parents private keyIn ideal case, only roots public keys need to be distributed out-of-band55Verifying the treestub resolverQuestion: www.cnn.com ?www.cnn.com A ?resolver.(root)www.cnn.com A ? ask .com server SIG (ip addr and PK of .com server).comwww.cnn.com A ?ask cnn.com server SIG (ip addr and PK of cnn.com server)cnn.comwww.cnn.com A ?SIG (xxx.xxx.xxx.xxx)xxx.xxx.xxx.xxxadd to cacheSrc.cs.brown.edudns.cs.brown.edutransaction signatures

slave serverstransaction signatures56Next ClassSome new trends, Software-Defined NetworkingSecond-to-last class!No class on Tuesday, Dec 4