Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Page 1: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Information Security Lab., CSIE, NCYU, Taiwan, R.O.C.

Department of CSIE

National Chiayi University

Chia-Yi Taiwan R.O.C.

Chih-Hung Wang

Page 2: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Agenda

Introduction
Network Authentication
  Password Authentication
  Human Identification
Fair Exchange/Payment
  Payment Systems
  Fair Exchange/Payment Protocols
Intrusion Detection
  IDS
  A New Approach: Honeypot

Page 3: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction — Authentication

Authentication
  Message Authentication
    Message Authentication Code (MAC)
    Digital Signature
  User Authentication
    Direct
      Fingerprint
      Voice
      Retina
    Indirect
      Password
      Human Identification Scheme
      Key Distribution Protocol

Page 4: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction—Digital Signature

Digital Signature

[Diagram: the signer creates the signature with the signer’s private key; the recipient verifies the signature with the signer’s public key.]

Page 5: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction — Security Issues in Authentication

Identification (Password Authentication)
Authentication Service
  Kerberos (Authentication & Key Distribution)
  PKI (Certificates Authority)
Communication
  SSL
Payment System and Commerce
  SET

Page 6: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction—Authentication

SSL Handshake Protocol
  Authentication & Key Distribution

[Diagram: client browser and HTTP server, each shown with a certificate.]

Page 7: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction—Authentication

SET Protocol

[Diagram: cardholder, merchant, issuer, certificate authority, acquirer and payment gateway, linked by the Internet and the payment network.]

Page 8: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction—Authentication

Three Party KDP: Kerberos

Kerberos
  Authentication Server (AS)
  Ticket-granting Server (TGS)

Messages
(1) Request ticket-granting ticket
(2) Ticket + session key
(3) Request service-granting ticket
(4) Ticket + session key
(5) Request service
(6) Provide server authenticator

Once per user logon session
Once per user service session

Steps
1. User logs on to workstation and requests service on host.
2. AS verifies user’s access rights in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user’s password.
3. Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user’s name, network address, and time to TGS.
4. TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server.
5. Workstation sends ticket and authenticator to server.
6. Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator.

Page 9: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Introduction — Fair Exchange

On-line TTP fair payments

BuySafe. http://www.buysafe.com.tw

Page 10: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Part I

Network Authentication

Page 11: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Password Authentication
  Sending a plain password through an insecure channel

[Diagram: a local host, Server A and Server B connected through routers and the Internet; Intruder X and Intruder Y capture traffic by packet sniffing.]

Page 12: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Packet Sniffing

Page 13: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Password Authentication
  Encrypt password
    Suffers from a replay attack, where the intruder intercepts the encrypted password and re-sends it to the server

[Diagram: the user sends EK(PW) to the server; the intruder intercepts EK(PW) and replays it.]

Page 14: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Password Authentication with Timestamp

Terminal        Server

(1) EPK-S{Connect, T_id}
(2) EPK-T{“User Name:”}
(3) EPK-S{User-ID}
(4) EPK-T{“Password:”, Timestamp}
(5) EPK-S{User-Password, Timestamp_U}

Timestamp_U =? Timestamp

Page 15: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Human Identification Scheme
  Password Authentication in an insecure channel

[Diagram: prover and verifier connected over the network, with three threats marked: intercept, replay attack and peeping attack.]

Page 16: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Current News (Peeping Attack)

Page 17: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Authentication & Identification

Password Authentication with Encryption
  Avoid intercept attack
Password Authentication with Timestamp
  Avoid replay attack
Challenge-Response Protocol
  Avoid intercept, replay & peeping attacks

[Diagram: the verifier sends a question to the prover; the prover returns an answer.]
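An added example, not part of the original slides, covering the three password slides above: the same captured step-(5) message is replayed against a server with no freshness value, one that issues a timestamp as in the timestamp protocol, and one that issues a random challenge. HMAC-SHA256 stands in for the slides' encryption E, and `LoginServer`, `seal`, the key, the password and the session names are hypothetical.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"        # constructed; stands in for the key behind E
PASSWORD = b"constructed-password"   # constructed sample password


def seal(password: bytes, fresh: bytes) -> bytes:
    """Stand-in for E{User-Password, Timestamp_U}: opaque to an eavesdropper,
    but the same inputs always give the same bytes on the wire."""
    msg = len(password).to_bytes(2, "big") + password + fresh
    return hmac.new(KEY, msg, hashlib.sha256).digest()


class LoginServer:
    """Issues one freshness value per session and checks the final message."""

    def __init__(self, fresh_source):
        self.fresh_source = fresh_source   # callable returning bytes
        self.sessions = {}

    def start(self, session_id: str) -> bytes:
        """Steps (1)-(4): open a session and hand out its freshness value."""
        self.sessions[session_id] = self.fresh_source()
        return self.sessions[session_id]

    def finish(self, session_id: str, message: bytes) -> bool:
        """Step (5): accept only a message bound to this session's value."""
        fresh = self.sessions.pop(session_id, None)
        if fresh is None:
            return False
        return hmac.compare_digest(message, seal(PASSWORD, fresh))


def replay_outcomes() -> dict:
    out = {}

    # Encrypted password only: nothing fresh, so a captured message stays valid.
    static = LoginServer(lambda: b"")
    captured = seal(PASSWORD, static.start("user-1"))
    out["static_original"] = static.finish("user-1", captured)
    static.start("intruder-1")
    out["static_replay"] = static.finish("intruder-1", captured)

    # Server timestamp with one-second resolution (clock values are constructed).
    clock = iter([1000, 1060, 2000, 2000])
    stamped = LoginServer(lambda: str(next(clock)).encode())
    captured = seal(PASSWORD, stamped.start("user-2"))        # t = 1000
    stamped.start("intruder-2")                               # t = 1060
    out["timestamp_replay_later"] = stamped.finish("intruder-2", captured)
    captured = seal(PASSWORD, stamped.start("user-3"))        # t = 2000
    stamped.start("intruder-3")                               # t = 2000 again
    out["timestamp_replay_same_tick"] = stamped.finish("intruder-3", captured)

    # Random challenge: two sessions never share a freshness value.
    nonce = LoginServer(lambda: os.urandom(16))
    captured = seal(PASSWORD, nonce.start("user-4"))
    out["nonce_original"] = nonce.finish("user-4", captured)
    nonce.start("intruder-4")
    out["nonce_replay"] = nonce.finish("intruder-4", captured)
    return out


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:28} accepted={accepted}")
```

Peeping at the human prover is outside this model; the human identification schemes on the following slides address it.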

Page 18: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Users can identify themselves to a host via insecure channels without the help of any auxiliary devices.

The computational complexity of the identification process for end users must be bounded by the human ability to memorize and compute.

Page 19: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Previous Works
  Matsumoto & Imai [Eurocrypt’91]
  Wang, Hwang & Tsai [Eurocrypt’95]

A simple example
  W: window alphabets; SW: secret words

8 5 1 7 3 46

3 1 2 1 3 4 42

q=

a=

2

W={1,2,4,6}   SW=3124   A={1,2,3,4}

|Q|=8   |W|=4   |A|=4

Verify a ∘ f = SW

Page 20: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

General Case

Prover selects at least distinct question blocks randomly and uniformly out from blocks to generate the answer

Ex: |Q|=36 |W|=18 |A|=2 =10 =20

Page 21: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Security
  Known-A random attack

Page 22: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Our attack
  Passive attack

Password can be revealed in trials

8 5 1 7 3 46

3 1 2 1 3 4 42

q=

a=

2

Page 23: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Theorem 1

Page 24: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Replay Challenge Attack

8 5 1 7 3 46

3 1 2 1 3 4 42

q=

a1=

2

3 2 1 1 4 3 42

a2=

Not Change

Page 25: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Lemma 1: Let a and a’ be two distinct answer blocks of the same question q. If there exists an i, i<|Q|>, such that a(i) a’(i), then qW

Theorem 2: The window W of the Matsumoto and Imai human identification scheme with ==1 can be found in

expected trials if an intruder replays the same question one time.

Corollary 1: Similar to Theorem 2, an intruder can find the window W in

expected trials if the intruder replays the same question n times.

Page 26: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Human Identification

Case 1: |Q|=36 |W|=18 |A|=2 ==1
Case 2: |Q|=50 |W|=10 |A|=3 ==1

Value of n    Expected trials in case 1    Expected trials in case 2
1             3.08×10^7                    3.78×10^6
3             8165.32                      174.2
5             65.8                         3.328
7             5.3                          1.19
9             1.73                         1.02
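The replay-challenge observation on the preceding slides, as an added example that is not from the original presentation: a simplified model of the Matsumoto-Imai scheme built on the simple example's W, SW and A, in which the prover answers a repeated question afresh each time. It reads Lemma 1 as "a position whose answer changes between two answers to the same question lies outside the window"; the function names, the permutation-style question and the uniformly random filler are assumptions.

```python
import random

# Parameters of the slides' simple example.
Q = [1, 2, 3, 4, 5, 6, 7, 8]   # question alphabet, |Q| = 8
W = {1, 2, 4, 6}               # secret window, |W| = 4
SW = [3, 1, 2, 4]              # secret word
A = [1, 2, 3, 4]               # answer alphabet, |A| = 4


def make_question(rng):
    """One question block: a random arrangement of Q (assumed model)."""
    q = Q[:]
    rng.shuffle(q)
    return q


def answer(q, rng):
    """Prover: put the secret word, in order, at the positions whose question
    symbol is in W, and a random answer symbol at every other position."""
    word = iter(SW)
    return [next(word) if sym in W else rng.choice(A) for sym in q]


def verify(q, a):
    """Verifier: read the answer through the window and compare with SW."""
    return [a[i] for i, sym in enumerate(q) if sym in W] == SW


def stable_symbols(q, answers):
    """Lemma 1 as a filter: a position whose answer differs between two
    answers to the same q cannot be a window position, so only symbols at
    positions that never changed remain candidates for W."""
    first = answers[0]
    return {sym for i, sym in enumerate(q)
            if all(a[i] == first[i] for a in answers)}


def repeats_until_exposed(q, rng, limit=10_000):
    """How many times the same q must be answered again before the
    candidate set has shrunk to exactly W."""
    answers = [answer(q, rng)]
    for n in range(1, limit + 1):
        answers.append(answer(q, rng))
        if stable_symbols(q, answers) == W:
            return n
    return None


def average_repeats(runs=2000, seed=1):
    """Mean number of repeats over many constructed questions."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        total += repeats_until_exposed(make_question(rng), rng)
    return total / runs


if __name__ == "__main__":
    rng = random.Random(0)
    q = make_question(rng)
    a1, a2 = answer(q, rng), answer(q, rng)
    print("q :", q)
    print("a1:", a1, verify(q, a1))
    print("a2:", a2, verify(q, a2))
    print("candidates after one repeat:", sorted(stable_symbols(q, [a1, a2])))
    print("average repeats until W is exposed:", average_repeats())
```

In this model every valid answer to a repeated question narrows the candidate set, which is why a prover answering the same question block more than once gives the window away.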

Page 27: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Part II

Fair Exchange/Payment

Page 28: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Exchange/Payment

Fair payments/exchange
  Two parties (buyer and merchant) exchange electronic items with each other over the network in a fair manner
  No one can gain an advantage over the other, even if there are malicious actions in the exchange process
Bit by bit (simultaneously) exchange
On-line TTP (Trusted Third Party)
Off-line TTP

Page 29: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment

Off-line TTP
  The TTP needs to participate in the exchange protocol only when faults occur
  Always able to solve the disputes

[Diagram: Normal case: buyer and merchant exchange $ and soft goods directly. Dispute: buyer and merchant negotiate with the TTP over the $ and the soft goods.]

Page 30: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment Using Confirmation Signatures

Boyd and Foo 1998 Asiacrypt’98
Convertibility

Payment
1. C -> M : S(m)
2. C <-> M : M verifies interactively that S(m) is valid
3. M -> C : EC(Goods)
4. C -> M : SigC(m)

Dispute
1. M -> TTP : SigM(S(m), ETTP(Goods)); TTP converts S(m) to SigC(m)
2. TTP -> M : SigC(m)
3. TTP -> C : EC(Goods)

C: customer; M: merchant; m: purchase information

Confirmation signatures

Page 31: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment Using Confirmation Signatures

Non-transferability

Untraceable payments

Protect the privacy of payment behavior

Payment

1. C -> M : S(m)

2. C <-> M: M verifies interactively that S(m) is valid

3. M -> C : EC(Goods)

4. C -> M : SigC(m)

Confirmation signatures with limited verifiers

General signatures with limited verifiers

Page 32: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Undeniable Signatures

Undeniable Signatures
  Chaum et al. 1989
  Require the signer’s cooperation to verify the validity of the signature
  Non-transferability
  Example
    The signer may sign a terrible secret and fear that his enemies will find out he said this secret
    Software protection

Page 33: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Undeniable Signatures

Undeniable Signatures
  In many applications, the proliferation of certified copies could facilitate improper uses like blackmail or industrial espionage

[Diagram: the sender signs a signature and the receiver verifies it; non-transferability is marked between the receiver and others.]

Page 34: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Designated Confirmer Signatures

Designated confirmer signatures
  Chaum 1994 Eurocrypt’94
  Eliminate the shortcoming of the undeniable signature, namely that the signature can only be verified by cooperating with the original signer
  For many applications, the protection of undeniable signatures is too weak

Page 35: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Designated Confirmer Signatures

Signer’s cooperation
  If the signer becomes unavailable, or refuses to cooperate, then the recipient cannot make use of the signature

[Diagram: the sender signs a signature and the receiver verifies it, with non-transferability toward others; when the sender refuses to cooperate or is absent, the confirmer confirms the signature.]

Page 36: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

DCS Protocol Design (1/2)

Signing

Page 37: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

DCS Protocol Design (2/2)

Confirmation

Page 38: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Confirmer Signatures with Limited Verifiers

Malicious confirmer
  The confirmer may prove the correctness of the signature to the signer's adversaries
New Approach
  The signer pre-determines some verifiers whom the confirmer can convince later

[Diagram: signer, confirmer, pre-determined verifiers and other verifiers.]

Page 39: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Confirmer Signatures with Limited Verifiers

Definition
  Let (S, C) be a designated confirmer signature which is signed by S and can be confirmed by C. We say that (S, C, {V_i, i=1, … , n}) is a designated confirmer signature with limited verifiers if C can only convince the verifiers {V_i, i=1, … , n} whom the signer S pre-determined.

Publication
  C. H. Wang and Y. C. Chen. Limiting Verifiers in Designated Confirmer Signatures. Proceedings of the Eleventh Information Security Conference, Tainan, R.O.C., pp. 67-73, May 3-4, 2001.

Page 40: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Multiple Confirmers Signatures Schemes

For very large network: (t, n) threshold multiple confirmers signatures scheme

One confirmer may create both performance and security bottlenecks

Increasing the availability and security

Signer...

Confirmers Verifiers

(t,n) threshold scheme

Page 41: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment with Electronic Cash

Asiacrypt’2003 C.H. Wang

Buyer        Merchant

1. The buyer selects the goods from the merchant.
2. The buyer sends the pseudo e-coins for the goods to the merchant.
3. The merchant verifies whether the pseudo e-coins are valid.

The merchant sends soft goods to the buyer

Complete (The buyer converts the pseudo e-coin to a true one)

Trusted Third Party

TTP sends the merchant a transformation certificate which can be used for the conversion of the pseudo e-coins.

Page 42: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment with Electronic Cash

Our contributions (1/2)

Previous works on fair exchange are not really suitable for many network payment applications because they are only used to exchange confidential data or signatures.

Many payment applications need to protect the buyer's purchase privacy, which has never been considered in the previous papers.

In our view, a complete solution for fair payment should contain payment actions, such as an electronic cash or network credit card method, instead of simply signing the purchase information.

Page 43: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Fair Payment with Electronic Cash

Our contributions (2/2)

Propose a generic model for real fair network payments.

Apply a subtle tool of Restrictive Confirmation Signature Scheme (RCSS) to achieve the property of untraceability.

Design a new technique of pseudo e-coin to achieve fairness of exchanging the electronic cash.

Demonstrate how to construct a practical and efficient fair network payment protocol based on the Brands' e-cash scheme [Bra93b].

Page 44: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

The Basic Model

Four parties involved in the protocol

Three procedures similar to a general e-cash
  Withdrawal
  Payment
  Dispute
  Deposit

Page 45: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Definition of RCSS

Definition 1: Restrictive Confirmation Signature Scheme (RCSS)

Page 46: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

The Concept of RCSS

[Diagram: signer, confirmer and verifiers. Labels: signing and verification; predetermined by the signer; confirmation; cannot confirm.]

Page 47: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Main Procedures

Withdrawal

Obtains the electronic coins

Blind signature

Page 48: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Main Procedures

Payment

Page 49: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Main Procedures

Payment
  Pseudo e-coins

In step 3, the merchant can gain a conviction that he can prove the validity of to TTP and ask TTP to convert the pseudo e-coins into true e-coins if some faults occur.

Page 50: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Main Procedures

Dispute
  The buyer may refuse to send the true e-coins to the merchant after he receives the valid goods.

TTP

Page 51: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Main Procedures

Deposit

Page 52: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Part III

Intrusion Detection

Page 53: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Intrusion Detection System (IDS)

The forerunner of IDS is “audit”. That is, the system records user activities and then analyzes the records to find any suspicious intrusion.

Intrusion detection systems fall into two classes:

(1) Host-Based IDS (HIDS): a host-based IDS resides on hosts and monitors important logs, executable files and communications.

(2) Network-Based IDS (NIDS): a network-based IDS primarily monitors network packets in real time.

Page 54: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Taxonomy of False-Positives

Page 55: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Honeypot

A honeypot uses a dummy or virtual environment (i.e. a true system of low security level) behind the firewall or on the DMZ to record and observe intruders’ behaviors. A honeypot is a system designed to be attacked, usually for the purpose of deception or alarm of intruders’ activities.

Page 56: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Hacker Attacks: Weak Password

Password guessing is where a hacker either manually enters common passwords or uses programmed scripts to guess the password.

Brute-force logon is like password guessing but is much faster and more powerful.

Password cracking is a much more effective method than the methods mentioned above.

Page 57: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Hacker Attacks: Denial Of Service (DoS)

A denial of service attack ties up all of the victim’s available resources and floods the victim with service requests and processes. It is an attempt to prevent legitimate users of a service from using that service.

The trend of DoS is DDoS, which uses many computers to launch a coordinated DoS attack against one or more targets.

Page 58: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Hacker Attacks: The Distributed Denial of Service (DDoS) Attack

Page 59: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Exploit software bugs

SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first, that is, it is a trick to inject SQL query/command as an input possibly via web pages.

Page 60: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

The motive and concept

Page 61: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Our Approach

We design an intermediate dummy-host system following the defense-in-depth principle (Firewall-IDS-DS).

The design concepts and advantages are:

(1) The minimum defense unit is a host, so the redirection work will not raise the load of the redirection management system host (RMS host).

(2) The centralized recording work, in the RMS host, will not affect the efficiency of the general host systems and helps system managers keep track of the overall intrusion situation.

(3) An isolated trap area can avoid great harm to the internal network. The hosts outside the trap area remain secure even if some trap-area hosts are compromised.

Page 62: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Integrated Network Security Architecture

Page 63: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Step1

Step1: If a link is diagnosed as illegitimate by the firewall, the firewall disrupts the link. Only authentic links are allowed to access the internal network.

Page 64: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Step2

Step2: Network-Based IDS and Host-Based IDS monitor the inbound links which can successfully pass through the firewall.

Page 65: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Step3

Step3: The trap-area host observes the redirected traffic.

Step3-1: If there are no advanced intrusion attempts, the trap-area host will turn the links back to the original host. The HIDS and NIDS can still monitor these returned links.

Step3-2: If the trap-area host finds that some intrusive activities occur, it will immediately identify the attack and take appropriate actions.

Page 66: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Agent-based IDS – AAFID2

[Diagram: AAFID2 hierarchy: a user interface above monitors, monitors above transceivers, and transceivers above agents.]

Page 67: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

New Approach: Integrating AAFID2 and Honeyd

[Diagram: Honeyd virtual servers (Win NT 4.0, Linux 2.4, Win 2000; web server, FTP server) reached from the Internet through a router, with an AAFID2 monitor, transceivers and agents (MyScan Agent, MyProb Agent, MyDDoS Agent) arranged in Level 1, Level 2 and Level 3.]

Page 68: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Conclusions

Page 69: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Conclusions

Other Advanced Researches
  Authentication
    Key Distribution and Management Protocols in Wireless Network
  Fair Exchange/Payment
    Semi-Trusted Off-line TTP
    Contract Signing

Page 70: Some Issues in Network Security Authentication, Fair Exchange and Intrusion Detection

Conclusions

Other Advanced Researches
  Intrusion Detection
    Mobile Agent based IDS & Honeypot
    Active IDS