Outline EEC-484/584 Computer NetworksEEC-484/584 Computer Networks Lecture 26 Wenbing Zhao [email protected] (Lecture notes are based on materials supplied by ... Based on public-key

1

EEC-484/584Computer Networks

Lecture 26

Wenbing [email protected]

(Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall)

9 December 2005 EEC484/584

2

Wenbing Zhao

Outline

Today’s topicsWeb SecuritySocial issuesReview for final exam

Final Exam: Dec 14, 6:00-8:00pmChapters 7 and 8

Final hard deadline for project 1 and project 2(improvement only): Dec 14, midnightRecords of your course work will be posted on the course Web site. If there is any mistake, please contact me as soon as possible


3

Wenbing Zhao

Web Security

ThreatsSecure NamingSSL – The Secure Sockets LayerMobile Code Security


4

Wenbing Zhao

Threats

Web server is compromised and Web page is replacedDenial of Service attackSteal confidential data such as credit card infoPropagation of false information over Internet

2


5

Wenbing Zhao

Secure Naming

Normal situation An attack based on breaking into DNS and modifying Bob's record


6

Wenbing Zhao

Secure NamingDNS spoofing: tricking a DNS server into installing a false IP addressPoisoned cache: a cache that holds an intentionally false IP address


7

Wenbing Zhao

Secure Naming

DNS has some preliminary barrier for DNS spoofingFirst, DNS server checks to see that the reply bears the correct IP source address of the top-level server

− But since Trudy can put anything she wants in that IP field, she can defeat that test easily since the IP addresses of the top-level servers have to be public

Second, to allow DNS servers to tell which reply goes with which request, all requests carry a sequence number

− To spoof Alice's ISP, Trudy has to know its current sequence number


8

Wenbing Zhao

Secure Naming

How Trudy spoofs Alice's ISP

3


9

Wenbing Zhao

DNSsec (DNS security)Based on public-key cryptography. Every DNS zone has a public/private key pairAll information sent by a DNS server is signed with the originating zone's private key, so the receiver can verify its authenticity


10

Wenbing Zhao

DNSsecDNSsec offers three fundamental services:

Proof of where the data originated: verifies that the data being returned has been approved by the zone's ownerPublic key distribution: storing and retrieving public keys securelyTransaction and request authentication: guards against playback and spoofing attacks

Secrecy is not an offered service since all the information in DNS is considered public


11

Wenbing Zhao

DNSsecDNS records are grouped into sets called RRSets (Resource Record Sets), with all the records having the same name, class and type being lumped together in a setAn RRSet may contain multiple A records, for example, if a DNS name resolves to a primary IP address and a secondary IP addressEach RRSet is cryptographically hashed (e.g., using MD5 or SHA-1). The hash is signed by the zone's private key (e.g., using RSA)The unit of transmission to clients is the signed RRSet


12

Wenbing Zhao

DNSsecUpon receipt of a signed RRSet, the client can verify whether it was signed by the private key of the originating zone. If the signature agrees, the data are acceptedSince each RRSet contains its own signature, RRSetscan be cached anywhere, even at untrustworthy servers, without endangering the security

4


13

Wenbing Zhao

DNSsecThe RRSets are extended with several new record types

KEY record: holds the public key and other infoSIG record: holds the signed hash according to the algorithm specified in the KEY recordCERT record: can be used for storing (e.g., X.509) certificates


14

Wenbing Zhao

Self-Certifying Names

Self-certifying URL: The essence of the idea is that each URL contains a cryptographic hash of the server's name and public key as part of the URL

The hash is computed by concatenating the DNS name of the server with the server's public key and running the result through the SHA-1 function to get a 160-bit hashA string of 32 characters can hold the 160-bit SHA-1 hash


15

Wenbing Zhao

SSL—The Secure Sockets LayerSSL (Secure Sockets Layer): a security package for secure communication over Internet. It is widely used

Introduced in 1995, Netscape Communications Corp

SSL builds a secure connection between two sockets, including

Parameter negotiation between client and serverMutual authentication of client and serverSecret communicationData integrity protection


16

Wenbing Zhao

SSL—The Secure Sockets LayerHTTPS (Secure HTTP): HTTP over SSL

Sometimes it is available at a new port (443) instead of the standard port (80)

Layers (and protocols) for home user using HTTPS

5


17

Wenbing Zhao

SSL—The Secure Sockets Layer

SSL consists of two subprotocols, one for establishing a secure connection and one for using itSSL supports multiple cryptographic algorithms

The strongest one uses triple DES with three separate keys for encryption and SHA-1 for message integrity

− This combination is mostly used for banking and other applications in which the highest security is required

For ordinary e-commerce applications, RC4 is used with a 128-bit key for encryption and MD5 is used for message authentication

SSL Connection Establishment Subprotocolkey used for encrypting data is derived from the premaster key combined with both nonces in a complex way

Data Transmission Using SSLMAC: a secret key derived from the two nonces and premaster key is concatenated with the compressed text and the result hashed with the agreed-on hashing algorithm

16 KB each


20

Wenbing Zhao

SSL and TLS

In 1996, Netscape Communications Corp. turned SSL over to IETF for standardization. The result was TLS (Transport Layer Security)

It is described in RFC 2246.The changes made to SSL were relatively small, but just enough that SSL version 3 and TLS cannot interoperateThe TLS version is also known as SSL version 3.1

6


21

Wenbing Zhao

Java Applet SecurityApplets inserted into a Java Virtual Machine interpreter inside the browser


22

Wenbing Zhao

ActiveX SecurityActiveX: Win32 programs that can be embedded into Web pages. Its security is based on code signing

Code signing: Each ActiveX control is accompanied by a digital signature—a hash of the code that is signed by its creator using public key cryptographyWhen an ActiveX control shows up, the browser first verifies thesignature to make sure it has not been tampered with in transitIf the signature is correct, the browser then checks its internal tables to see if the program's creator is trusted or there is a chain of trust back to a trusted creatorUsers got to choose whether to enable trusted ActiveX or notOnce an ActiveX program is enabled, it can do anything it wants


23

Wenbing Zhao

Social Issues

PrivacyFreedom of SpeechCopyright


24

Wenbing Zhao

Anonymous RemailersUsers who wish anonymity chain requests through multiple anonymous remailers

7

SteganographySteganography - The science of hiding messages

From the Greek words for “covered writing”

Three zebras and a tree Three zebras, a tree, and the complete text of five plays

by William Shakespeare

SteganographyHow does this steganographic channel work?

The original color image is 1024 x 768 pixels. Each pixel consists of three 8-bit numbers, one each for the red, green, and blue intensity of that pixel. The pixel's color is formed by the linear superposition of the three colors. The steganographic encoding method uses the low-order bit of each RGB color value as a covert channel. Thus, each pixel has room for 3 bits of secret information, one in the red value, one in the green value, and one in the blue value. With an image of this size, up to 1024 × 768 × 3 bits or 294,912 bytes of secret information can be stored in it


27

Wenbing Zhao

Review of Chapters 7 & 8

Application layerDNS, Email, HTTP, Multimedia

Network securitySymmetric-key algorithms, cipher modesPublic-key algorithms, digital signatures, message digest, public key management Communications security (IPsec, firewall, VPN, 802.11 security)Authentication protocols, PGP, SSL


28

Wenbing Zhao

DNS – The Domain Name System

Hierarchical domain-based naming scheme and distributed database system for implementing itMaps symbolic names (ASCII strings) to network addresses, i.e., maps hostnames and email addresses to IP addresses

8


29

Wenbing Zhao

The DNS Name SpaceEach domain is named by the path upward from it to the unnamed root. E.g., eng.sun.com.Domain names can be absolute (end with period), or relativeDomain names are case insentive. Component names <= 63 chars. Full path names <= 255 chars


30

Wenbing Zhao

Resource RecordsEvery domain has set of resource recordsResolver returns set of resource record

Domain-name, Time_to_live, Type, Class, Value


31

Wenbing Zhao

Electronic MailTwo subsystems

User agents – allow users to read and send email. Message transfer agents – move messages from source to destination

SMTP – simple mail transfer protocolProblems with email

Email spoofingOpen relay problems


32

Wenbing Zhao

MIME – Encoding Binary Messages

Base64 encoding or ASCII armor:Groups of 24 bits are broken up into four 6-bit units, with each unit being sent as a legal ASCII characterThe coding is ''A'' for 0, ''B'' for 1, and so on, followed by the 26 lower-case letters, the ten digits, and finally + and / for 62 and 63, respectivelyThe == and = sequences indicate that the last group contained only 8 or 16 bits, respectivelyCarriage returns and line feeds are ignored,

Quoted-printable encoding: For messages that are almost entirely ASCII but with a few non-ASCII characters

This is just 7-bit ASCII, with all the characters above 127 encoded as an equal sign followed by the character's value as two hexadecimal digits

9


33

Wenbing Zhao

HyperText Transfer ProtocolHTTP – HyperText Transfer Protocol

It specifies what messages clients may send to servers and what responses they get back in returnEach interaction consists of one ASCII request, followed by one RFC 822 MIME-like responseDefined in RFC 2616

HTTPConnection

− In HTTP 1.0: make connection, sends a request, gets a response, tears down connection

− In HTTP 2.0: connection can be reusedMethods: had some provision for object-oriented programmingMessage header


34

Wenbing Zhao

HTTP Methods

The built-in HTTP request methodsMethod names are case sensitive!


35

Wenbing Zhao

Performance EnhancementCaching

Save pages that have been requested in case they are used againClient-side technique

Server replicationReplicate server’s contents at multiple locationsSometimes called mirroring

Content delivery networksDeliver contents for their providers to end users efficiently for a feeWhole process starts with URL replacement so all contents point to a CDN serverOn receiving client’s request, the request is redirected to the closest proxy server


36

Wenbing Zhao

Audio CompressionTwo ways to do audio compression

Waveform coding: the signal is transformed mathematically by a Fourier transform into its frequency components. Perceptual coding: based on the science of psychoacoustics(how people perceive sound)

− Frequency masking and temporal masking− MP3 (MPEG audio layer 3) is based on perceptual coding

10


37

Wenbing Zhao

Streaming Audio The media player buffers input from the media server and plays from the buffer rather than directly from the network


38

Wenbing Zhao

Voice over IP

The H323 protocol stack


39

Wenbing Zhao

Video CompressionRequirements on encoding and decoding

Decoding happens a lot and it must be fastFor most of video documents, it is OK if the encoding algorithm is complex and time consumingFor real-time multimedia, encoding must also be fast and efficientEncode/decode process need not be invertible

A video is just a sequence of images plus soundA good algorithm for encoding a single image is a good starting point. When the decoded output is not exactly the same as original input, the system is said to be lossyJPEG – Joint Photographic Experts Group


40

Wenbing Zhao

The MPEG Standard

MPEG-1 output consists of four kinds of framesI (Intracoded) frames: self-contained JPEG-encoded still picturesP (Predictive) frames: block-by-block difference with the last frameB (Bidirectional) frames: differences between the last and next frameD (DC-coded) frames: block averages used for fast forward

11


41

Wenbing Zhao

An Introduction to CryptographyPlaintext: message to be encryptedKey: string of characters used to encrypt the messageCiphertext: encrypted messageDK(EK(P)) = P


42

Wenbing Zhao

Introduction to CryptographyCryptanalysis problems

Ciphertext-only: cryptanalyst has a quantity of ciphertextand no plaintextKnown plaintext: cryptanalyst has some matched ciphertextand plaintextChosen plaintext: cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing

Encryption methodsSubstitution ciphersTransposition ciphers


43

Wenbing Zhao

One-Time Pads

One-time pad: way to construct an unbreakable cipherChoose a random bit string as the keyConvert the plaintext into a bit stringCompute the XOR of these two strings, bit by bitThe resulting ciphertext cannot be broken, because in a sufficiently large sample of ciphertext, each letter will occur equally often, as will every digram, every trigram, and so on, =>There is simply no information in the message because all possible plaintexts of the given length are equally likely


44

Wenbing Zhao

Quantum Cryptography

12


45

Wenbing Zhao

Symmetric-Key Algorithms

DES – The Data Encryption StandardAES – The Advanced Encryption StandardCipher ModesOther CiphersCryptanalysis


46

Wenbing Zhao

Cipher Modes

Despite all the complexity, AES and DES (or any block cipher) is basically a monoalphabeticsubstitution cipher using big charactersElectronic Code Book ModeCipher Block Chaining ModeCipher Feedback ModeStream Cipher ModeCounter Mode


47

Wenbing Zhao

RSARivest, Shamir, Adleman, 1978: a good method for public-key cryptographyRSA method:

Choose two large primes, p and q (typically 1024 bits)Compute n = p × q and z = (p-1) × (q-1)Choose a number relatively prime to z and call it dFind e such that e × d = 1 mod z

To encrypt a message, P, Compute C = Pe (mod n)To decrypt C, compute P = Cd (mod n)The public key consists of the pair (e, n)The private key consists of the pair (d, n)


48

Wenbing Zhao

Digital SignaturesRequirement on digital signatures: one party can send a signed message to another party in such a way that the following conditions hold:

The receiver can verify the claimed identity of the sender.The sender cannot later repudiate the contents of the messageThe receiver cannot possibly have concocted the message himself

13


49

Wenbing Zhao

Digital Signatures

Digital signatures with symmetric-key cryptography

Digital signatures using public-key cryptography9 December 2005 EEC484/584

50

Wenbing Zhao

Message DigestsOften, authentication is needed but secrecy is notMessage digest (MD): using a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string

Given P, it is easy to compute MD(P)Given MD(P), it is effectively impossible to find PGiven P no one can find P’ such that MD(P’) = MD(P)A change to the input of even 1 bit produces a very different output


51

Wenbing Zhao

Message DigestsMD5 is the fifth in a series of message digests designed by Ronald Rivest (1992). MD5 generates a 128-bit fixed valueSHA-1: Secure Hash Algorithm 1, developed by National Security Agency (NSA) and blessed by NIST. It generates 160-bit message digest


52

Wenbing Zhao

The Birthday AttackHow many messages need to be generated to find a collision for an m-bit message digest?

Only 2m/2, NOT 2m, using the birthday attack

Birthday attack. Generally, if there is some mapping between inputs and outputs with n inputs and k possible outputs,

There are n(n-1)/2 input pairsIf n(n-1)/2 > k, the chance of having at least one match is pretty good. Thus, approximately, a match is likely for n > sqr(k)

14


53

Wenbing Zhao

Problems with Public-Key Management

If Alice and Bob do not know each other, how do they get each other’s public keys to start the communication process ?

It is essential Alice gets Bob’s public key, not someone else’s

A way for Trudy to subvert public-key encryption


54

Wenbing Zhao

CertificatesCertification Authority (CA): an organization that certifies public keys

It certifies the public keys belonging to people, companies, or even attributesCA does not need to be on-line all the time

A possible certificate and its signed hash


55

Wenbing Zhao

Public-Key InfrastructuresHierarchical PKIA chain of trust/certification path: A chain of certificates going back to the root


56

Wenbing Zhao

Public-Key InfrastructuresRevocation: sometimes certificates can be revoked, due to a number of reasonsReinstatement: a revoked certificate could conceivably be reinstatedEach CA periodically issue a CRL (Certificate Revocation List) giving the serial numbers of all certificates that it has revoked

15


57

Wenbing Zhao

IPsec

IPsec (IP security): a solution for Internet securityThe complete IPsec design is a framework for multiple services, algorithms and granularities.

The major services are secrecy, data integrity, and protection from replay attacks (intruder replays a conversation). All of these are based on symmetric-key cryptography because high performance is crucial.


58

Wenbing Zhao

IPsecSecurity Association (SA): A simplex connection between two end points and has a security identifier associated with it.

If secure traffic is needed in both directions, two security associations are required. Security identifiers are carried in packets traveling on these secure connections and are used to look up keys and other relevant

IPsec can be used in either of two modesTransport mode and Tunnel mode


59

Wenbing Zhao

IPsec – Authentication Header

AH (Authentication Header): It provides integrity checking and antireplay security, but not secrecy (i.e., no data encryption)

AH in transport mode


60

Wenbing Zhao

IPsec – ESP Header

ESP (Encapsulating Security Payload): provides both authentication and confidentiality guarantee for packets. Can be used for both transport mode and tunnel mode

ESP in transport mode

ESP in tunnel mode

16


61

Wenbing Zhao

802.11 Security

WEP (Wired Equivalent Privacy): a data link-level security protocol prescribed by 802.11 standard

It is designed to make the security of a wireless LAN as good as that of a wired LAN

When 802.11 security is enabled, each station has a secret key shared with the base station

WEP encryption uses a stream cipher based on the RC4algorithmIn WEP, RC4 generates a keystream that is XORed with the plaintext to form the ciphertext


62

Wenbing Zhao

Authentication Based on a Shared Secret Key

Two-way authentication using a challenge-response protocol

Challenge-response: one party sends a random number to the other, who then transforms it in a special way and then returns the resultNonces: random numbers used just once in challenge-response protocolsAssume that Alice and Bob already share a secret key, KAB


63

Wenbing Zhao

Reflection AttackThe reflection attack: Trudy can break it if it is possible to open multiple sessions with Bob at once

This attack can be defeated by encrypting RB with KABin message 2


64

Wenbing Zhao

Authentication Using HMACs

She knows she is talking to Bob because Trudy does not know KAB and thus cannot figure out which HMAC to sendTrudy cannot subvert this protocol because she cannot force either party to encrypt or hash a value of her choice

17

Establishing a Shared Key:The Diffie-Hellman Key ExchangeDiffie-Hellman key exchange: protocol that allows strangers to establish a shared secret key

Two large numbers, n and g, where n is a prime, (n - 1)/2 is also a prime and certain conditions apply to g. These numbers may be public


66

Wenbing Zhao

Establishing a Shared Key:The Diffie-Hellman Key Exchange

The bucket brigade or man-in-the-middle attackWhen Bob gets the triple (47, 3, 28), how does he know it is from Alice and not from Trudy? There is no way he can know. Unfortunately, Trudy can exploit this fact to deceive both Alice and Bob


67

Wenbing Zhao

Authentication Using a Key Distribution Center

Needham-Schroeder authentication protocol: a multiway challenge-response protocol

By having each party both generate a challenge and respond to one, the possibility of any kind of replay attack is eliminated


68

Wenbing Zhao

Authentication Using a Key Distribution Center

The Otway-Rees authentication protocol(slightly simplified)

Addressed the weakness in Needham-Schroeder authentication protocol

18


69

Wenbing Zhao

Authentication Using Kerberos

The operation of Kerberos V4


70

Wenbing Zhao

Authentication Using Public-Key Cryptography

Mutual authentication using public-key cryptography


71

Wenbing Zhao

General Rules for Authentication Protocols Design

Have the initiator prove who she is before the responder has toHave the initiator and responder use different keys for proof, even if this means having two shared keys, KAB and K'AB

Have the initiator and responder draw their challenges from different sets. For example, the initiator must use even numbersand the responder must use odd numbersMake the protocol resistant to attacks involving a second parallel session in which information obtained in one session is used in a different one


72

Wenbing Zhao

PGP – Pretty Good Privacy

PGP in operation for sending a message

Documents

Outline EEC-484/584 Computer NetworksEEC-484/584 Computer Networks Lecture 26 Wenbing Zhao [email protected] (Lecture notes are based on materials supplied by ... Based on public-key