Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
1
EEC-484/584Computer Networks
Lecture 26
Wenbing [email protected]
(Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall)
9 December 2005 EEC484/584
2
Wenbing Zhao
Outline
Today’s topicsWeb SecuritySocial issuesReview for final exam
Final Exam: Dec 14, 6:00-8:00pmChapters 7 and 8
Final hard deadline for project 1 and project 2(improvement only): Dec 14, midnightRecords of your course work will be posted on the course Web site. If there is any mistake, please contact me as soon as possible
9 December 2005 EEC484/584
3
Wenbing Zhao
Web Security
ThreatsSecure NamingSSL – The Secure Sockets LayerMobile Code Security
9 December 2005 EEC484/584
4
Wenbing Zhao
Threats
Web server is compromised and Web page is replacedDenial of Service attackSteal confidential data such as credit card infoPropagation of false information over Internet
2
9 December 2005 EEC484/584
5
Wenbing Zhao
Secure Naming
Normal situation An attack based on breaking into DNS and modifying Bob's record
9 December 2005 EEC484/584
6
Wenbing Zhao
Secure NamingDNS spoofing: tricking a DNS server into installing a false IP addressPoisoned cache: a cache that holds an intentionally false IP address
9 December 2005 EEC484/584
7
Wenbing Zhao
Secure Naming
DNS has some preliminary barrier for DNS spoofingFirst, DNS server checks to see that the reply bears the correct IP source address of the top-level server
− But since Trudy can put anything she wants in that IP field, she can defeat that test easily since the IP addresses of the top-level servers have to be public
Second, to allow DNS servers to tell which reply goes with which request, all requests carry a sequence number
− To spoof Alice's ISP, Trudy has to know its current sequence number
9 December 2005 EEC484/584
8
Wenbing Zhao
Secure Naming
How Trudy spoofs Alice's ISP
3
9 December 2005 EEC484/584
9
Wenbing Zhao
DNSsec (DNS security)Based on public-key cryptography. Every DNS zone has a public/private key pairAll information sent by a DNS server is signed with the originating zone's private key, so the receiver can verify its authenticity
9 December 2005 EEC484/584
10
Wenbing Zhao
DNSsecDNSsec offers three fundamental services:
Proof of where the data originated: verifies that the data being returned has been approved by the zone's ownerPublic key distribution: storing and retrieving public keys securelyTransaction and request authentication: guards against playback and spoofing attacks
Secrecy is not an offered service since all the information in DNS is considered public
9 December 2005 EEC484/584
11
Wenbing Zhao
DNSsecDNS records are grouped into sets called RRSets (Resource Record Sets), with all the records having the same name, class and type being lumped together in a setAn RRSet may contain multiple A records, for example, if a DNS name resolves to a primary IP address and a secondary IP addressEach RRSet is cryptographically hashed (e.g., using MD5 or SHA-1). The hash is signed by the zone's private key (e.g., using RSA)The unit of transmission to clients is the signed RRSet
9 December 2005 EEC484/584
12
Wenbing Zhao
DNSsecUpon receipt of a signed RRSet, the client can verify whether it was signed by the private key of the originating zone. If the signature agrees, the data are acceptedSince each RRSet contains its own signature, RRSetscan be cached anywhere, even at untrustworthy servers, without endangering the security
4
9 December 2005 EEC484/584
13
Wenbing Zhao
DNSsecThe RRSets are extended with several new record types
KEY record: holds the public key and other infoSIG record: holds the signed hash according to the algorithm specified in the KEY recordCERT record: can be used for storing (e.g., X.509) certificates
9 December 2005 EEC484/584
14
Wenbing Zhao
Self-Certifying Names
Self-certifying URL: The essence of the idea is that each URL contains a cryptographic hash of the server's name and public key as part of the URL
The hash is computed by concatenating the DNS name of the server with the server's public key and running the result through the SHA-1 function to get a 160-bit hashA string of 32 characters can hold the 160-bit SHA-1 hash
9 December 2005 EEC484/584
15
Wenbing Zhao
SSL—The Secure Sockets LayerSSL (Secure Sockets Layer): a security package for secure communication over Internet. It is widely used
Introduced in 1995, Netscape Communications Corp
SSL builds a secure connection between two sockets, including
Parameter negotiation between client and serverMutual authentication of client and serverSecret communicationData integrity protection
9 December 2005 EEC484/584
16
Wenbing Zhao
SSL—The Secure Sockets LayerHTTPS (Secure HTTP): HTTP over SSL
Sometimes it is available at a new port (443) instead of the standard port (80)
Layers (and protocols) for home user using HTTPS
5
9 December 2005 EEC484/584
17
Wenbing Zhao
SSL—The Secure Sockets Layer
SSL consists of two subprotocols, one for establishing a secure connection and one for using itSSL supports multiple cryptographic algorithms
The strongest one uses triple DES with three separate keys for encryption and SHA-1 for message integrity
− This combination is mostly used for banking and other applications in which the highest security is required
For ordinary e-commerce applications, RC4 is used with a 128-bit key for encryption and MD5 is used for message authentication
SSL Connection Establishment Subprotocolkey used for encrypting data is derived from the premaster key combined with both nonces in a complex way
Data Transmission Using SSLMAC: a secret key derived from the two nonces and premaster key is concatenated with the compressed text and the result hashed with the agreed-on hashing algorithm
16 KB each
9 December 2005 EEC484/584
20
Wenbing Zhao
SSL and TLS
In 1996, Netscape Communications Corp. turned SSL over to IETF for standardization. The result was TLS (Transport Layer Security)
It is described in RFC 2246.The changes made to SSL were relatively small, but just enough that SSL version 3 and TLS cannot interoperateThe TLS version is also known as SSL version 3.1
6
9 December 2005 EEC484/584
21
Wenbing Zhao
Java Applet SecurityApplets inserted into a Java Virtual Machine interpreter inside the browser
9 December 2005 EEC484/584
22
Wenbing Zhao
ActiveX SecurityActiveX: Win32 programs that can be embedded into Web pages. Its security is based on code signing
Code signing: Each ActiveX control is accompanied by a digital signature—a hash of the code that is signed by its creator using public key cryptographyWhen an ActiveX control shows up, the browser first verifies thesignature to make sure it has not been tampered with in transitIf the signature is correct, the browser then checks its internal tables to see if the program's creator is trusted or there is a chain of trust back to a trusted creatorUsers got to choose whether to enable trusted ActiveX or notOnce an ActiveX program is enabled, it can do anything it wants
9 December 2005 EEC484/584
23
Wenbing Zhao
Social Issues
PrivacyFreedom of SpeechCopyright
9 December 2005 EEC484/584
24
Wenbing Zhao
Anonymous RemailersUsers who wish anonymity chain requests through multiple anonymous remailers
7
SteganographySteganography - The science of hiding messages
From the Greek words for “covered writing”
Three zebras and a tree Three zebras, a tree, and the complete text of five plays
by William Shakespeare
SteganographyHow does this steganographic channel work?
The original color image is 1024 x 768 pixels. Each pixel consists of three 8-bit numbers, one each for the red, green, and blue intensity of that pixel. The pixel's color is formed by the linear superposition of the three colors. The steganographic encoding method uses the low-order bit of each RGB color value as a covert channel. Thus, each pixel has room for 3 bits of secret information, one in the red value, one in the green value, and one in the blue value. With an image of this size, up to 1024 × 768 × 3 bits or 294,912 bytes of secret information can be stored in it
9 December 2005 EEC484/584
27
Wenbing Zhao
Review of Chapters 7 & 8
Application layerDNS, Email, HTTP, Multimedia
Network securitySymmetric-key algorithms, cipher modesPublic-key algorithms, digital signatures, message digest, public key management Communications security (IPsec, firewall, VPN, 802.11 security)Authentication protocols, PGP, SSL
9 December 2005 EEC484/584
28
Wenbing Zhao
DNS – The Domain Name System
Hierarchical domain-based naming scheme and distributed database system for implementing itMaps symbolic names (ASCII strings) to network addresses, i.e., maps hostnames and email addresses to IP addresses
8
9 December 2005 EEC484/584
29
Wenbing Zhao
The DNS Name SpaceEach domain is named by the path upward from it to the unnamed root. E.g., eng.sun.com.Domain names can be absolute (end with period), or relativeDomain names are case insentive. Component names <= 63 chars. Full path names <= 255 chars
9 December 2005 EEC484/584
30
Wenbing Zhao
Resource RecordsEvery domain has set of resource recordsResolver returns set of resource record
Domain-name, Time_to_live, Type, Class, Value
9 December 2005 EEC484/584
31
Wenbing Zhao
Electronic MailTwo subsystems
User agents – allow users to read and send email. Message transfer agents – move messages from source to destination
SMTP – simple mail transfer protocolProblems with email
Email spoofingOpen relay problems
9 December 2005 EEC484/584
32
Wenbing Zhao
MIME – Encoding Binary Messages
Base64 encoding or ASCII armor:Groups of 24 bits are broken up into four 6-bit units, with each unit being sent as a legal ASCII characterThe coding is ''A'' for 0, ''B'' for 1, and so on, followed by the 26 lower-case letters, the ten digits, and finally + and / for 62 and 63, respectivelyThe == and = sequences indicate that the last group contained only 8 or 16 bits, respectivelyCarriage returns and line feeds are ignored,
Quoted-printable encoding: For messages that are almost entirely ASCII but with a few non-ASCII characters
This is just 7-bit ASCII, with all the characters above 127 encoded as an equal sign followed by the character's value as two hexadecimal digits
9
9 December 2005 EEC484/584
33
Wenbing Zhao
HyperText Transfer ProtocolHTTP – HyperText Transfer Protocol
It specifies what messages clients may send to servers and what responses they get back in returnEach interaction consists of one ASCII request, followed by one RFC 822 MIME-like responseDefined in RFC 2616
HTTPConnection
− In HTTP 1.0: make connection, sends a request, gets a response, tears down connection
− In HTTP 2.0: connection can be reusedMethods: had some provision for object-oriented programmingMessage header
9 December 2005 EEC484/584
34
Wenbing Zhao
HTTP Methods
The built-in HTTP request methodsMethod names are case sensitive!
9 December 2005 EEC484/584
35
Wenbing Zhao
Performance EnhancementCaching
Save pages that have been requested in case they are used againClient-side technique
Server replicationReplicate server’s contents at multiple locationsSometimes called mirroring
Content delivery networksDeliver contents for their providers to end users efficiently for a feeWhole process starts with URL replacement so all contents point to a CDN serverOn receiving client’s request, the request is redirected to the closest proxy server
9 December 2005 EEC484/584
36
Wenbing Zhao
Audio CompressionTwo ways to do audio compression
Waveform coding: the signal is transformed mathematically by a Fourier transform into its frequency components. Perceptual coding: based on the science of psychoacoustics(how people perceive sound)
− Frequency masking and temporal masking− MP3 (MPEG audio layer 3) is based on perceptual coding
10
9 December 2005 EEC484/584
37
Wenbing Zhao
Streaming Audio The media player buffers input from the media server and plays from the buffer rather than directly from the network
9 December 2005 EEC484/584
38
Wenbing Zhao
Voice over IP
The H323 protocol stack
9 December 2005 EEC484/584
39
Wenbing Zhao
Video CompressionRequirements on encoding and decoding
Decoding happens a lot and it must be fastFor most of video documents, it is OK if the encoding algorithm is complex and time consumingFor real-time multimedia, encoding must also be fast and efficientEncode/decode process need not be invertible
A video is just a sequence of images plus soundA good algorithm for encoding a single image is a good starting point. When the decoded output is not exactly the same as original input, the system is said to be lossyJPEG – Joint Photographic Experts Group
9 December 2005 EEC484/584
40
Wenbing Zhao
The MPEG Standard
MPEG-1 output consists of four kinds of framesI (Intracoded) frames: self-contained JPEG-encoded still picturesP (Predictive) frames: block-by-block difference with the last frameB (Bidirectional) frames: differences between the last and next frameD (DC-coded) frames: block averages used for fast forward
11
9 December 2005 EEC484/584
41
Wenbing Zhao
An Introduction to CryptographyPlaintext: message to be encryptedKey: string of characters used to encrypt the messageCiphertext: encrypted messageDK(EK(P)) = P
9 December 2005 EEC484/584
42
Wenbing Zhao
Introduction to CryptographyCryptanalysis problems
Ciphertext-only: cryptanalyst has a quantity of ciphertextand no plaintextKnown plaintext: cryptanalyst has some matched ciphertextand plaintextChosen plaintext: cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing
Encryption methodsSubstitution ciphersTransposition ciphers
9 December 2005 EEC484/584
43
Wenbing Zhao
One-Time Pads
One-time pad: way to construct an unbreakable cipherChoose a random bit string as the keyConvert the plaintext into a bit stringCompute the XOR of these two strings, bit by bitThe resulting ciphertext cannot be broken, because in a sufficiently large sample of ciphertext, each letter will occur equally often, as will every digram, every trigram, and so on, =>There is simply no information in the message because all possible plaintexts of the given length are equally likely
9 December 2005 EEC484/584
44
Wenbing Zhao
Quantum Cryptography
12
9 December 2005 EEC484/584
45
Wenbing Zhao
Symmetric-Key Algorithms
DES – The Data Encryption StandardAES – The Advanced Encryption StandardCipher ModesOther CiphersCryptanalysis
9 December 2005 EEC484/584
46
Wenbing Zhao
Cipher Modes
Despite all the complexity, AES and DES (or any block cipher) is basically a monoalphabeticsubstitution cipher using big charactersElectronic Code Book ModeCipher Block Chaining ModeCipher Feedback ModeStream Cipher ModeCounter Mode
9 December 2005 EEC484/584
47
Wenbing Zhao
RSARivest, Shamir, Adleman, 1978: a good method for public-key cryptographyRSA method:
Choose two large primes, p and q (typically 1024 bits)Compute n = p × q and z = (p-1) × (q-1)Choose a number relatively prime to z and call it dFind e such that e × d = 1 mod z
To encrypt a message, P, Compute C = Pe (mod n)To decrypt C, compute P = Cd (mod n)The public key consists of the pair (e, n)The private key consists of the pair (d, n)
9 December 2005 EEC484/584
48
Wenbing Zhao
Digital SignaturesRequirement on digital signatures: one party can send a signed message to another party in such a way that the following conditions hold:
The receiver can verify the claimed identity of the sender.The sender cannot later repudiate the contents of the messageThe receiver cannot possibly have concocted the message himself
13
9 December 2005 EEC484/584
49
Wenbing Zhao
Digital Signatures
Digital signatures with symmetric-key cryptography
Digital signatures using public-key cryptography9 December 2005 EEC484/584
50
Wenbing Zhao
Message DigestsOften, authentication is needed but secrecy is notMessage digest (MD): using a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string
Given P, it is easy to compute MD(P)Given MD(P), it is effectively impossible to find PGiven P no one can find P’ such that MD(P’) = MD(P)A change to the input of even 1 bit produces a very different output
9 December 2005 EEC484/584
51
Wenbing Zhao
Message DigestsMD5 is the fifth in a series of message digests designed by Ronald Rivest (1992). MD5 generates a 128-bit fixed valueSHA-1: Secure Hash Algorithm 1, developed by National Security Agency (NSA) and blessed by NIST. It generates 160-bit message digest
9 December 2005 EEC484/584
52
Wenbing Zhao
The Birthday AttackHow many messages need to be generated to find a collision for an m-bit message digest?
Only 2m/2, NOT 2m, using the birthday attack
Birthday attack. Generally, if there is some mapping between inputs and outputs with n inputs and k possible outputs,
There are n(n-1)/2 input pairsIf n(n-1)/2 > k, the chance of having at least one match is pretty good. Thus, approximately, a match is likely for n > sqr(k)
14
9 December 2005 EEC484/584
53
Wenbing Zhao
Problems with Public-Key Management
If Alice and Bob do not know each other, how do they get each other’s public keys to start the communication process ?
It is essential Alice gets Bob’s public key, not someone else’s
A way for Trudy to subvert public-key encryption
9 December 2005 EEC484/584
54
Wenbing Zhao
CertificatesCertification Authority (CA): an organization that certifies public keys
It certifies the public keys belonging to people, companies, or even attributesCA does not need to be on-line all the time
A possible certificate and its signed hash
9 December 2005 EEC484/584
55
Wenbing Zhao
Public-Key InfrastructuresHierarchical PKIA chain of trust/certification path: A chain of certificates going back to the root
9 December 2005 EEC484/584
56
Wenbing Zhao
Public-Key InfrastructuresRevocation: sometimes certificates can be revoked, due to a number of reasonsReinstatement: a revoked certificate could conceivably be reinstatedEach CA periodically issue a CRL (Certificate Revocation List) giving the serial numbers of all certificates that it has revoked
15
9 December 2005 EEC484/584
57
Wenbing Zhao
IPsec
IPsec (IP security): a solution for Internet securityThe complete IPsec design is a framework for multiple services, algorithms and granularities.
The major services are secrecy, data integrity, and protection from replay attacks (intruder replays a conversation). All of these are based on symmetric-key cryptography because high performance is crucial.
9 December 2005 EEC484/584
58
Wenbing Zhao
IPsecSecurity Association (SA): A simplex connection between two end points and has a security identifier associated with it.
If secure traffic is needed in both directions, two security associations are required. Security identifiers are carried in packets traveling on these secure connections and are used to look up keys and other relevant
IPsec can be used in either of two modesTransport mode and Tunnel mode
9 December 2005 EEC484/584
59
Wenbing Zhao
IPsec – Authentication Header
AH (Authentication Header): It provides integrity checking and antireplay security, but not secrecy (i.e., no data encryption)
AH in transport mode
9 December 2005 EEC484/584
60
Wenbing Zhao
IPsec – ESP Header
ESP (Encapsulating Security Payload): provides both authentication and confidentiality guarantee for packets. Can be used for both transport mode and tunnel mode
ESP in transport mode
ESP in tunnel mode
16
9 December 2005 EEC484/584
61
Wenbing Zhao
802.11 Security
WEP (Wired Equivalent Privacy): a data link-level security protocol prescribed by 802.11 standard
It is designed to make the security of a wireless LAN as good as that of a wired LAN
When 802.11 security is enabled, each station has a secret key shared with the base station
WEP encryption uses a stream cipher based on the RC4algorithmIn WEP, RC4 generates a keystream that is XORed with the plaintext to form the ciphertext
9 December 2005 EEC484/584
62
Wenbing Zhao
Authentication Based on a Shared Secret Key
Two-way authentication using a challenge-response protocol
Challenge-response: one party sends a random number to the other, who then transforms it in a special way and then returns the resultNonces: random numbers used just once in challenge-response protocolsAssume that Alice and Bob already share a secret key, KAB
9 December 2005 EEC484/584
63
Wenbing Zhao
Reflection AttackThe reflection attack: Trudy can break it if it is possible to open multiple sessions with Bob at once
This attack can be defeated by encrypting RB with KABin message 2
9 December 2005 EEC484/584
64
Wenbing Zhao
Authentication Using HMACs
She knows she is talking to Bob because Trudy does not know KAB and thus cannot figure out which HMAC to sendTrudy cannot subvert this protocol because she cannot force either party to encrypt or hash a value of her choice
17
Establishing a Shared Key:The Diffie-Hellman Key ExchangeDiffie-Hellman key exchange: protocol that allows strangers to establish a shared secret key
Two large numbers, n and g, where n is a prime, (n - 1)/2 is also a prime and certain conditions apply to g. These numbers may be public
9 December 2005 EEC484/584
66
Wenbing Zhao
Establishing a Shared Key:The Diffie-Hellman Key Exchange
The bucket brigade or man-in-the-middle attackWhen Bob gets the triple (47, 3, 28), how does he know it is from Alice and not from Trudy? There is no way he can know. Unfortunately, Trudy can exploit this fact to deceive both Alice and Bob
9 December 2005 EEC484/584
67
Wenbing Zhao
Authentication Using a Key Distribution Center
Needham-Schroeder authentication protocol: a multiway challenge-response protocol
By having each party both generate a challenge and respond to one, the possibility of any kind of replay attack is eliminated
9 December 2005 EEC484/584
68
Wenbing Zhao
Authentication Using a Key Distribution Center
The Otway-Rees authentication protocol(slightly simplified)
Addressed the weakness in Needham-Schroeder authentication protocol
18
9 December 2005 EEC484/584
69
Wenbing Zhao
Authentication Using Kerberos
The operation of Kerberos V4
9 December 2005 EEC484/584
70
Wenbing Zhao
Authentication Using Public-Key Cryptography
Mutual authentication using public-key cryptography
9 December 2005 EEC484/584
71
Wenbing Zhao
General Rules for Authentication Protocols Design
Have the initiator prove who she is before the responder has toHave the initiator and responder use different keys for proof, even if this means having two shared keys, KAB and K'AB
Have the initiator and responder draw their challenges from different sets. For example, the initiator must use even numbersand the responder must use odd numbersMake the protocol resistant to attacks involving a second parallel session in which information obtained in one session is used in a different one
9 December 2005 EEC484/584
72
Wenbing Zhao
PGP – Pretty Good Privacy
PGP in operation for sending a message