august 27, 2007 school of engineering,caislab.kaist.ac.kr/lecture/2007/fall/ice615... · -handbook...

Network Security - Week 1. Network Security, Prof Chan Yeob Yeun, August 27, 2007, School of Engineering, Information and Communications University


Network Security - Week 1

Network Security

Prof Chan Yeob Yeun

August 27, 2007

School of Engineering,

Information and Communications University


Information Security Group, ICU

Prof Chan Yeob Yeun

Education

Royal Holloway, University of London (2000)

Ph.D. in Information Security supervised by Professor Fred Piper and Professor Chris Mitchell

Royal Holloway, University of London (1996)

MSc. in Information Security

Professional Careers

Professor at ICU (2007 - )

Technical Advisor to LG Electronics, Mobile Handset R&D Centre (2007 - )

Vice President / Research Fellow, LG Electronics (2005-2007)

World First Development for the Mobile TV with CAS including DVB-H, TDMB, MediaFLO

Leader of Wireless Security, Toshiba Telecommunication Research LAB (2000-2004)

Visiting Research Professor, ICU (2004)

Industrial Supervisor at University of London and University of Bristol (2001-2004)

Industrial Security Mentor at Mobile Virtual Centre of Excellence (2001-2004)


Course

Title : Network Security (ICE615)

Credit/Hour : 3/3

Prof : Prof Chan Yeob Yeun (x6192)

Email: [email protected]

TA : Hyunrok Lee (x6236)

Email: [email protected]

Hour : Mon. / Wed., 14:30 - 16:00

Web page :

http://caislab.icu.ac.kr/Lecture/data/2007/fall/ice615


Syllabus

1. Course Description

This course covers how to evaluate a variety of vulnerabilities in existing networks and how to construct security protocols and their applications using crypto algorithms, digital signatures and hash functions to guarantee integrity of information and authentication of network entities, including WLAN security, Mobile Security, WPAN Security and Ubiquitous Security. Moreover, every student will learn how to build typical network security protocols like Kerberos, SSL, TLS and IPSEC and network security mechanisms like Firewall and IDS.

2. Textbook

A. Main Textbook:
- Cryptography and Network Security - Principles and Practices, William Stallings, Pearson Education International, 4th Ed., ISBN 0-13-202322-9, 2006
- Handouts

B. Recommended Reading Material:
- Handbook of Applied Cryptography, A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, CRC Press, 1997, ISBN 0-8493-8523-7
- Network Security: Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, Prentice Hall, ISBN 0-13-046019-2, 2nd Ed., 2002
- Handbook of Elliptic and Hyperelliptic Curve Cryptography, H. Cohen, G. Frey et al, Chapman & Hall/CRC, ISBN 1-58488-518-1, 2006
- Security for Ubiquitous Computing, F. Stajano, Wiley, 2002, ISBN 0-470-84493-0

3. Test and Evaluation
- Midterm Exam: 15%
- Quiz: 5%
- Final Exam: 25%
- Homework: 15%
- Term Project: 15%
- Term Paper: 20%
- Attendance and short questions: 5%
(Total: 100%)


Weekly Lecture Plan

Wk | Dates | Contents | Cmt
1 | 8/27, 29 | Introduction to Information Security & Network Security |
2 | 9/3, 5 | PKC and Digital Signature | TP Plan
3 | 9/10, 12 | New PKCs and Semantic Security | Hw#1
4 | 9/17, 19 | Security Protocols |
5 | 10/1, 3 | TP Contest #1 | TP Rep#1
6 | 10/10 | Midterm Exam |
7 | 10/15, 17 | Applications of Security I | HW#2
8 | 10/22, 24 | Applications of Security II |
9 | 10/29, 31 | Applications of Security III | Hw#3
10 | 11/5, 7 | Applications of Security IV |
11 | 11/12, 14 | SSL and TLS | HW#4
12 | 11/19, 21 | IPSec and SET |
13 | 11/26, 28 | Firewall and IDS |
14 | 12/3, 5 | TP Contest #2 | TP paper
15 | 12/12 | Final Exam |


What is Network Security?

[Figure: security requirements and mechanisms shown against the seven network layers]
Layers: Layer 1 Physical, Layer 2 Datalink, Layer 3 Network, Layer 4 Transport, Layer 5 Session, Layer 6 Presentation, Layer 7 Application
Requirements: Confidentiality, Authentication, Integrity, Non-repudiation, Access Control
Other labels: Encryption, Authentication Exchange, Data Integrity, Digital Signature, Access Control, Traffic Control, Routing Control, Trust, Security Label, Detection, Anti-Spam, Recovery, Notarizations


Security Requirements - Confidentiality

"Keeping information secret from all but those who are authorized to see it."

[Figure: Eavesdropping. An attacker E (eavesdropper) listens to the communication between A and B.]

※ Pictures are taken from the CryptMail User's Guide, Copyright (C) 1994 Utimaco Belgium.


Security Requirements - Authentication

[Figure: Impersonation, with parties A and B and attacker E]

Entity authentication (or identification): corroboration of the identity of an entity (e.g., a person, a computer terminal, etc.)

Message authentication: corroboration of the source of information, also known as data origin authentication

= data integrity


Security Requirements - Integrity

"Ensuring information has not been altered by unauthorized or unknown means."

[Figure: Modification, with parties A and B and attacker E]


Security Requirements - Non-repudiation

"Preventing the denial of previous commitment or actions."

[Figure: Repudiation between A and B. "I sent this message to you" / "No, I didn't receive it."]


1. Introduction to Information Security (1/3)

The word Cryptology stems from Greek, meaning "hidden word".

Cryptology splits into two: Cryptography and Cryptanalysis.

Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, integrity, authentication, availability, accountability and non-repudiation.


History of Cryptologic Research (I) (2/3)

1900BC : Non-standard hieroglyphics

1500BC : Mesopotamian pottery glazes

50BC : Caesar cipher

1518 : Trithemius' cipher book

1558 : Keys invented

1583 : Vigenere's book

1790 : Jefferson wheel

1854 : Playfair cipher

1857 : Beaufort's cipher

1917 : Friedman's Riverbank Labs

1917 : Vernam one-time pads


History of Cryptologic Research (II) (3/3)

1919 : Hagelin machines

1921 : Hebern machines

1929 : Hill cipher

1973 : Feistel networks

1976 : Public Key Cryptography

1977 : DES

1979 : Secret Sharing

1985 : Zero Knowledge

1990 : Differential Cryptanalysis

1994 : Linear Cryptanalysis

1997 : Triple-DES

1998 ~ 2001 : AES

2001 ~ : Side Channel Attacks

2005 : Collision Search Attack on SHA-1


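1.1 Secure Communications

Basic Communication Scenario

[Figure: Alice encrypts the plaintext with the encryption key and sends the ciphertext to Bob, who decrypts it with the decryption key to recover the plaintext. Eve, the enemy or eavesdropper, observes the ciphertext.]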


1.2 Symmetric Key Cryptography

Encryption and decryption keys are known to both communicating parties (Alice and Bob), i.e. Encryption key = Decryption key.

All of the classical (pre-1970) cryptosystems are symmetric.

Examples : DES and AES (Rijndael)

A Secret should be shared (or agreed) between the communicating parties.


1.3 Asymmetric Key Cryptography

Public key encryption (invented in the late 1970s) involves a different model.

Private Key - known only to the owner

Public Key - known to anyone in the systems with assurance

Sender encrypts the message by the Public Key of the receiver

Only the receiver can decrypt the message by her/his Private Key

Encryption key ≠ Decryption Key


1.4 Message Authentication Codes (MACs)

MACs are designed to enable the recipient of a message to verify its origin and integrity.

A MAC algorithm takes a secret key and a message as input and outputs a MAC (appended to the message as a type of integrity check).

If the recipient has the same secret key, the MAC can be recomputed on the received message and compared with the sent value.


1.4.1 Hash Functions

Given arbitrary length m, compute constant length digest d = h(m)

Desirable properties

h(m) easy to compute given m

One-way: given h(m), hard to find m

Weakly collision free: given h(m) and m, hard to find m' ≠ m s.t. h(m) = h(m')

Strongly collision free: hard to find any x ≠ y s.t. h(x) = h(y)

Example use: password database, file distribution

Common algorithms: MD5, SHA


1.5 Digital signatures

Digital signatures are also a kind of public key cryptography.

For a digital signature algorithm, keys are again generated in pairs: public verification keys and private signing keys.

The sender's private signature key is applied to the message to yield a digital signature of the message, which is sent with the message.

Any recipient with the public verification key can check the origin and integrity of the message.


1.6 MACs and Signatures

Whilst both MACs and signatures provide integrity and origin protection for data, they have different characteristics.

A MAC relies on shared secrets, and hence is appropriate in a point-to-point environment.

A signature enables the origin and integrity of a message to be independently checked by many recipients, and hence fits well to a broadcast or multicast environment.


1.7 Non-repudiation

Digital signatures can also provide non-repudiation.

Since the verifier has only the public key, they cannot create signatures (compare with MACs).

Hence a digitally signed message may be of value as long term evidence of an event, which cannot be repudiated by the originator of the signature.


1.8 Authentication protocols

An authentication protocol is a cryptography-based exchange of messages, designed to enable participants to verify who it is they are communicating with.

Typically the protocols use MACs or signatures to protect individual messages.

However, apart from use of cryptography, means are required to verify that messages are not replays of old (valid) messages.


1.9 Security threats and services

All cryptographic schemes are designed to counter security threats.

Threats include:

Eavesdropping on communications

Masquerade

Manipulation of communications

Repudiation

DoS


1.10 Addressing threats by Cryptanalysis

A "Security service" is a term for the provision of protection against a threat.

Examples include:

Confidentiality (to defeat eavesdropping);

Entity authentication (to defeat masquerade);

Integrity protection (to defeat manipulation);

Non-repudiation (to defeat repudiation).

These security services are provided as follows:

Encryption can provide confidentiality;

Authentication protocols can provide entity authentication;

MACs or digital signatures can provide integrity protection;

Digital signatures can provide non-repudiation.


1.11 Key management and PKIs

Any use of cryptography requires the generation and distribution of key material (key management).

Key management for public key cryptography is rather different than for "secret key" cryptography.

Key management for secret key cryptography involves confidential and reliable transfer of secret keys.

Key management for public key cryptography is simpler - public keys are not secret.

However public keys still need to be reliably transferred.


1.12 Public key certificates

The Certificate Authority (CA) signs a concatenation of the public key, client name, and expiry date to form a public key certificate.

Anyone who verifies a public key certificate then has a reliable copy of the public key of the certificate owner.

Certificates (i.e. data structures signed by a Trusted Third Party, i.e. CA) can be used for things other than public keys.

An Attribute Authority can create Attribute Certificates, granting the owner privileges.

E.g. a network operator could sign an attribute certificate saying that a particular software vendor is reliable.


1.13 Authorisation and access control

Authorisation is a term relating to the notion of access control.

Any system will often need to make a decision about whether another entity should be allowed to perform a particular action.

This is normally referred to as access control.


1.13 Authorisation and access control

Symmetric Key Authentication

Alice wants to talk to Bob

Needs to convince him of her identity

Both have private key k

Naive scheme

Alice → Bob: "I am Alice", x, E(x, k)

Vulnerability?


1.13 Authorisation and access control

Replay Attack

Eve can listen in and impersonate Alice later

Alice → Bob: "I am Alice", x, E(x, k) (Eve records this message and later sends the same message to Bob)


1.13 Authorisation and access control

Preventing Replay Attacks

Bob can issue a challenge phrase to Alice

Alice → Bob: "I am Alice"
Bob → Alice: x
Alice → Bob: E(x, k)


1.14 Kerberos

Trivia
- Developed in 80's by MIT's Project Athena
- Used on all Andrew machines
- Mythic three-headed dog guarding the entrance to Hades
- Uses DES, 3DES

Key Distribution Center (KDC)
- Central keyserver for a Kerberos domain
- Authentication Service (AS)
  - Database of all master keys for the domain
  - Users' master keys are derived from their passwords
  - Generates ticket-granting tickets (TGTs)
- Ticket Granting Service (TGS)
  - Generates tickets for communication between principals
- "slaves" (read only mirrors) add reliability
- "cross-realm" keys obtain tickets in other Kerberos domains


1.14.1 Kerberos Authentication Steps

[Figure: Kerberos authentication steps between Client, Kerberos, TGS and Server; labelled messages: TGT, Service TKT, Service REQ]


1.14.2 Kerberos Tickets

What is a ticket?
- Owner (Instance and Address)
- A key for a pair of principals
- A lifetime (usually ~1 day) of the key
  - Clocks in a Kerberos domain must be roughly synchronized
- Contains all state (KDC is stateless)
- Encrypted for server

Ticket-granting-ticket (TGT)
- Obtained at beginning of session
- Encrypted with secret KDC key

A → AS: "A needs TGT"
AS → A: $E(k_{A,TGS}, k_A)$, $TGT_A$


1.14.3 Kerberos - A wants to talk to B

First, get ticket from TGS

A → TGS: $E(\{A,B\}, k_{A,TGS})$, $TGT_A$
TGS → A: $E(k_{A,B}, k_{A,TGS})$, $TKT_{A,B}$

Then, use the ticket

A → B: $E(\{A,B\}, k_{A,B})$, $TKT_{A,B}$, $E(m, k_{A,B})$
B → A: $E(m, k_{A,B})$
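
A simplified model of the ticket flow on the two slides above (AS, then TGS, then the server B), as an added example that is not MIT Kerberos code or part of the original lecture. seal() is a toy stand-in for E(), and the function names, the JSON ticket layout and the keys are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

DAY = 24 * 3600  # ticket lifetime in seconds ("usually ~1 day")


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj) -> bytes:
    """Toy stand-in for E(obj, key): hash-based keystream plus an HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(d ^ s for d, s in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))


# Long-term keys held by the KDC (constructed for this example).
MASTER = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
K_KDC = secrets.token_bytes(32)  # secret KDC key that protects TGTs


def make_ticket(seal_key: bytes, owner: str, key: bytes, now: int) -> bytes:
    """A ticket carries all state: owner, session key and expiry."""
    return seal(seal_key, {"owner": owner, "key": key.hex(), "expires": now + DAY})


def open_ticket(seal_key: bytes, ticket: bytes, now: int):
    t = unseal(seal_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    return t["owner"], bytes.fromhex(t["key"])


def as_reply(client: str, now: int):
    """AS -> A: E(k_A,TGS, k_A), TGT_A"""
    k_a_tgs = secrets.token_bytes(32)
    return seal(MASTER[client], k_a_tgs.hex()), make_ticket(K_KDC, client, k_a_tgs, now)


def tgs_reply(request: bytes, tgt: bytes, now: int):
    """A -> TGS: E({A,B}, k_A,TGS), TGT_A; TGS -> A: E(k_A,B, k_A,TGS), TKT_A,B"""
    owner, k_a_tgs = open_ticket(K_KDC, tgt, now)  # the KDC stored nothing itself
    client, server = unseal(k_a_tgs, request)
    if client != owner:
        raise ValueError("request does not match TGT owner")
    k_ab = secrets.token_bytes(32)
    return seal(k_a_tgs, k_ab.hex()), make_ticket(MASTER[server], client, k_ab, now)


def server_accept(server: str, request: bytes, tkt: bytes, now: int):
    """A -> B: E({A,B}, k_A,B), TKT_A,B"""
    owner, k_ab = open_ticket(MASTER[server], tkt, now)
    client, target = unseal(k_ab, request)
    if client != owner or target != server:
        raise ValueError("request does not match ticket")
    return owner, k_ab


def session(now: int = 0, use_at: int = 0):
    """Run A's side of the exchange; B sees the ticket at time use_at."""
    enc_key, tgt = as_reply("A", now)
    k_a_tgs = bytes.fromhex(unseal(MASTER["A"], enc_key))
    enc_kab, tkt = tgs_reply(seal(k_a_tgs, ["A", "B"]), tgt, now)
    k_ab = bytes.fromhex(unseal(k_a_tgs, enc_kab))
    who, k_at_b = server_accept("B", seal(k_ab, ["A", "B"]), tkt, use_at)
    reply = unseal(k_ab, seal(k_at_b, "hello A"))  # B -> A: E(m, k_A,B)
    return who, reply


def rejected(fn, *args) -> bool:
    """True when fn(*args) is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

B learns the session key only from the ticket, which is why a ticket presented after its lifetime or sealed under a key other than B's master key is refused.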


1.15 Diffie-Hellman Key Agreement

History

Developed by Whitfield Diffie, Martin Hellman

Published in 1976 paper "New Directions in Cryptography"

Allows negotiation of secret key over insecure network

Algorithm

Public parameters: prime $p$, generator $g$ of $Z_p^*$

Alice chooses random secret $a$, sends Bob $g^a \bmod p$

Bob chooses random secret $b$, sends Alice $g^b \bmod p$

Alice computes $(g^b)^a$, Bob computes $(g^a)^b$ - this is the key

Difficult for eavesdropper Eve to compute $g^{ab}$


1.15.1 Diffie-Hellman Weakness

Man-in-the-Middle attack

Assume Eve can intercept and modify packets

Eve intercepts $g^a$ and $g^b$, then sends Alice and Bob $g^c$

Now Alice uses $g^{ac}$, Bob uses $g^{bc}$, and Eve knows both

Defense requires mutual authentication

Back to key distribution problem
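
The key agreement of section 1.15 and the substitution described above, followed by an authenticated variant that detects it, as an added example that is not part of the original lecture material. The parameters are toy-sized, and the long-term MAC key that Alice and Bob are assumed to share in advance is exactly the key distribution problem the slide points back to; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (assumptions of this example): P = 2^127 - 1 is prime but
# far too small for real use, and G = 3 is used as the base without checking
# that it generates all of Z_p^*.
P = 2**127 - 1
G = 3


def keypair():
    """Choose a random secret exponent and return (secret, g^secret mod p)."""
    secret = secrets.randbelow(P - 3) + 2  # secret in [2, P-2]
    return secret, pow(G, secret, P)


def shared_key(their_public: int, my_secret: int) -> bytes:
    """Compute (g^their)^mine mod p and hash it into a 32-byte key."""
    s = pow(their_public, my_secret, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def honest_exchange() -> bool:
    a, ga = keypair()
    b, gb = keypair()
    return shared_key(gb, a) == shared_key(ga, b)  # (g^b)^a == (g^a)^b


def mitm_exchange():
    """Both public values are replaced in transit by Eve's g^c."""
    a, ga = keypair()
    b, gb = keypair()
    c, gc = keypair()
    alice_key = shared_key(gc, a)  # Alice ends up with g^(ac)
    bob_key = shared_key(gc, b)    # Bob ends up with g^(bc)
    # Eve can compute both keys from the values she intercepted.
    return alice_key == shared_key(ga, c), bob_key == shared_key(gb, c)


def tag(auth_key: bytes, sender: bytes, public: int) -> bytes:
    """MAC binding a public value to its sender under a long-term shared key."""
    return hmac.new(auth_key, sender + b"|" + public.to_bytes(16, "big"),
                    hashlib.sha256).digest()


def receive(auth_key: bytes, sender: bytes, public: int, mac: bytes) -> int:
    """Accept a public value only if it is in range and its MAC verifies."""
    if not 2 <= public <= P - 2:
        raise ValueError("public value out of range")
    if not hmac.compare_digest(mac, tag(auth_key, sender, public)):
        raise ValueError("public value failed authentication")
    return public


def authenticated_exchange(tamper: bool = False):
    """Same exchange, but each public value carries a MAC. Returns True when both
    sides derive the same key, None when a substituted value is detected."""
    auth_key = secrets.token_bytes(32)  # assumed to be shared in advance
    a, ga = keypair()
    b, gb = keypair()
    to_bob = (b"Alice", ga, tag(auth_key, b"Alice", ga))
    to_alice = (b"Bob", gb, tag(auth_key, b"Bob", gb))
    if tamper:
        _, gc = keypair()  # g^c is swapped in, but the MAC cannot be recomputed
        to_bob = (b"Alice", gc, to_bob[2])
        to_alice = (b"Bob", gc, to_alice[2])
    try:
        bob_key = shared_key(receive(auth_key, *to_bob), b)
        alice_key = shared_key(receive(auth_key, *to_alice), a)
    except ValueError:
        return None
    return alice_key == bob_key
```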


1.16 Wireless Network Architecture

[Figure: wireless network architecture. Labels: users, Network Operator, Internet, M-Commerce]


1.17 Wireless Security by using PKI

[Figure: users and Server]

Wireless security will extend PKI to mobile users


1.18 Summary of Information Security

Confidentiality | to keep information private | Cryptography
Authentication | to prove the identity of an individual or an application | Digital Certificates
Integrity | to prove that information has not been manipulated | Digital signatures
Non-repudiation | to ensure that information cannot be disowned | Digital signatures and certificates


1.19 Summary of cryptographic primitives

Security Primitives
- Unkeyed Primitives
  - arbitrary length hash functions
  - 1-way permutations
  - RNG, PUF(*)
- Symmetric-key Primitives
  - symmetric-key ciphers
    - block ciphers
    - stream ciphers
  - arbitrary length (keyed) hash functions (MAC)
  - signatures
  - identification primitives
- Public-key Primitives
  - public-key ciphers
  - signatures
  - identification primitives

(*) RNG (Random Number Generator), PUF (Physically Unclonable Function)


2. Introduction to Network Security

Network architecture is layered

Lower layer vulnerabilities are inherited at higher levels

Describing exploitable features and vulnerabilities in the scope of each layer makes sense

Example: TCP/IP v.4 is dominant design in use

Many vulnerabilities can't be prevented without a major transition to a completely new design, or are hard problems

Most core vulnerabilities can't really be fixed

This is an important design consideration for any application that needs to use network


2. Evolution of Attack


2. Hacker's Motivation

1. From a hobby to a profitable industry

2. From annoying to destructive

3. From playing to stealing

4. From simplicity to complexity


2. Trends of IT Security

[Figure: trends of IT security on a time axis from 1950 to 2000]
Systems: Exclusive systems; Big, host types; C/S types; PC, Internet; Mobile & Ubiquitous
Users: Government; Banking, transportation, energy sectors; Large enterprises; Small/medium enterprises; Personal use
Role of information systems: National security, calculation use; Reliability of systems; Efficient work style, competitiveness; E-commerce, Economic infrastructure; Lifelines for society, economy, and daily life
Direction of IT security: Protection of military data; Availability for critical infrastructure; Availability for IT systems in corporations; Network security for e-commerce; Security for e-government; Safe/reliable society


2. Tools & Technology


2. Seven Sins in Cyber Space

[Figure: "Cyber Seven Sins". Labels: Collapse of Trust; Hacking of Internet Banking; Cyber Terror; Homepage Defacement; Privacy Infringement; Stealing Social Security Number, Information Leakage of Personal and Customer's information; Temptation; Digital Fraud; Phishing, Pharming; Sphere and Shield; Illegal Spam Mails, Advertisement Mobile Message; Spyware, Adware; ID Theft; Forgery and alteration of Civil Affairs Documents]


2. Security, Privacy, Trust in Smart Environments

How to manage security, privacy, and trust?


2. Ubiquitous Network Demo


2. Issues in Smart Environments

Changes in smart environments

Ubiquity: Infra will be everywhere, affecting everyday life
Invisibility: No idea when or where they use the computer
Sensing: Sense what we do, say, type
Memory Amplification: Every interaction is stored

u-Society: Intervene with Personal, Intimate Experience

Security, Privacy, Trust

No physical and cognitive signs for data collections

Trade off between privacy and usability


2. New Paradigm for u-Security (I)

Trade-Off: Risk, Cost, Performance

High Level Dependability without high cost
- Highly interconnected system

Only the right people get access at any time to the right information with the best possible performance and at the lowest possible cost

[Figure: Performance vs. Cost. Labels: Access! Speed!; Confidence & Control; Risk; Cost; Performance]


2. New Paradigm for u-Security (II)

Patching Security Function after implementation
- Endless patches for vulnerabilities are not the answer
- Cause end-user's burden for security
- Reconfigurable Security

Needs for new Security Model, Method
- Principle of mutual suspicion vs. Concept of perimeter defense
- end-to-end Security

100% Prevention is not possible
- Need prevention and recovery system
- Minimize damage & Quick Recovery

[Figure labels: Prevention, Recover, Embedded Security]


2. Vulnerabilities in U-Network

Risks | Type of Intrusion | Problem | Countermeasures
Theft or Stolen | Confidentiality, Authentication | Device holders have authentication information | Entity (or device) authentication / Cryptography
Illegal Access Point | Authentication | 1-way authentication | Mutual authentication
IP Spoofing | Confidentiality | Radiation of RF signal to unwanted user | Cryptography
(D)DoS | Availability | Degraded availability | Availability
Trojan Horse, Worm, Virus | Availability, Confidentiality, Integrity | Degraded availability & integrity | Anti-Virus program
Attack by harmful signal | Availability | Interfered communication channel | Spread Spectrum-Frequency Hopping
Resource consumption attack | Availability | Out of battery power | Availability
Revealing Location or ID-information | Confidentiality | Privacy | Anonymity

2. Security Engineering in U-Network

Security requirement Special Requirement in U-network

Basic Authentication Mutual authentication, use of dynamic key, Wireless PKI, device authentication, Central authentication, QoS

Confidentiality Key management, light weight cryptography, secure DB, mobile cryptography

Integrity Integrity mechanism for U-network

Additional Availability DoS attack, Priority management in access control, Differentiated service

Control of delegate Entity authentication and authorization

Access control

Anonymity Transfer of real ID information

Safe roaming Global roaming, DRM, CAS, Seamless secure roaming

2.1 Network Model

OSI Model

7 layers

Old

Applications often have properties of several layers at once

Makes classification difficult, confusing

TCP/IP Model

"DoD" model (Department of Defense)

5 layers

2.2 OSI 7-Layer Model

OSI: Open Systems Interconnection

ISO standard

Layered approach provides:

Simplification

Abstraction

Each layer talks only to the equivalent layer somewhere else

Division of responsibilities

Standardization and interchangeability of equipment from different makers

2.2.1 OSI 7-Layer

The 7 Layers

Application

Presentation

Session

Transport

Network

Data Link

Physical

2.3 Physical Layer

Specifies the physical signals (electrical, optical, etc.)

Type

Levels

Speed

Cables if any

Range

Examples:

Ethernet coaxial cable specification

2.3.1 Physical Layer Risks

Disconnection

Cut cable

Barrier to radio waves

Availability

Eavesdropping

Tap in cable

Confidentiality

Interference and Jamming

e.g., provide 120 V AC in cable to cause damage

Selective jamming

Availability

Interception

Splice in cable, with attacker in-between

"man-in-the-middle"

Can also work on wireless networks (see later)

Can selectively remove or modify messages

Integrity

Physical integrity difficult to guarantee

Pressurized pipes, etc.

Integrity of radio waves

2.4 Data Link Layer

How to transmit data between two stations in the same segment

Two components

MAC (Media Access Control)

Control which station receives which data

Which station has permission to transmit

MAC addresses uniquely identify stations (in theory)

LLC (Logical Link Control)

Frame synchronization

Data unit is called a frame

Flow control

Error checking

2.4.1 MAC Risks (1/2)

On a shared medium, how do you know if it's "your turn" to talk?

What if two stations send messages at the same time?

Collision

Approaches to Manage Contention

CSMA/CD

Carrier Sense Multiple Access with Collision Detection

CSMA/CA

Carrier Sense Multiple Access with Collision Avoidance

Token Passing

OFDM

Orthogonal Frequency Division Multiplexing

2.4.2 MAC Risks (2/2)

Address Resolution Protocol (ARP) vulnerabilities are a design problem. There is nothing you can do from the implementation standpoint to avoid them.

This applies to both wireless and wired networks.

You can defend stations by:

Generating an alert when the protocol is abused

Welcome to the world of intrusion detection!

Using static IP-MAC pairs (in effect disabling ARP)

Configuring the network to put sensitive, important or trusted hosts and servers on a different subnet than other hosts

ARP is not used or relayed between subnets

This may include hosts used by privileged users
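
The first two defences on this slide (alerting on abuse and pinning static IP-MAC pairs) can be combined in a small monitor. This is an added example, not part of the lecture: the function name, the alert kinds, the per-MAC threshold and all addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

# Pinned IP-to-MAC pairs for hosts whose binding must never change (constructed).
STATIC_PAIRS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.10": "00:00:5e:00:53:10",  # file server
}

# Constructed observations of ARP replies: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),
    (1.0, "192.0.2.23", "00:00:5e:00:53:23"),
    (2.0, "192.0.2.1", "00:00:5e:00:53:66"),   # gateway IP claimed by another MAC
    (2.5, "192.0.2.23", "00:00:5e:00:53:66"),  # a learned binding changes
    (3.0, "192.0.2.10", "00:00:5e:00:53:10"),
]


def audit_arp(replies, static_pairs, max_ips_per_mac=1):
    """Return (time, kind, detail) alerts for ARP replies that look abusive."""
    learned = {}                   # ip -> MAC most recently seen for unpinned hosts
    ips_by_mac = defaultdict(set)  # mac -> every IP that MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        pinned = static_pairs.get(ip)
        if pinned is not None:
            # Static pair: any other MAC answering for this IP is an alert,
            # and the pinned binding is never overwritten.
            if mac != pinned.lower():
                alerts.append((ts, "static-violation",
                               f"{ip} is pinned to {pinned}, reply came from {mac}"))
        else:
            previous = learned.setdefault(ip, mac)
            if previous != mac:
                alerts.append((ts, "binding-changed",
                               f"{ip} moved from {previous} to {mac}"))
                learned[ip] = mac  # track the new value so flip-flopping keeps alerting
        # Fire once, at the moment a MAC exceeds the allowed number of IPs.
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append((ts, "mac-claims-many-ips",
                           f"{mac} answers for {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_ARP_REPLIES, STATIC_PAIRS):
        print(alert)
```

A binding change is not always an attack (a DHCP lease can move an address to a new device), so the unpinned alerts are a signal to investigate rather than proof of abuse.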

2.4.3 LLC Risks

LLC Risks: 802.11 Frames

Spoofed management frames in 802.11 wireless networks are easy, common

Many automated tools available to disrupt wireless networks at the link layer

De-authenticate stations, etc.

Wireless networks are a more attractive target due to the lack of a well-defined physical boundary

Harder to secure the link layer

More on this later in the section on wireless networks

2.5 Network Layer

Routing between segments

Forwarding

Addressing

Internetworking

Error handling

Congestion control

Packet sequencing

Data units are called "packets"

2.5.1 Network Layer Vulnerability

We'll discuss IPv4, although other protocols can be used at this level

IP features

Network addresses

IP spoofing: Any station can send packets pretending to be from any IP address

Fragmentation: Firewalls and intrusion detection systems (IDS) may reassemble packets differently from how the attacked operating systems do it

IP Components:

ICMP: Internet Control Message Protocol (Not Authenticated!)

Denial of service by sending forged ICMP unreachable packets

2.6 Transport Layer

Transport layer components dependent on IP:

UDP: User Datagram Protocol

TCP: Transmission Control Protocol

Reliability

Retransmissions, etc.

Error recovery

Flow control

2.6.1 Transport Layer Vulnerability

Transport layer protocols

UDP

Best effort delivery

Letter in the mail, hope it gets there (and does most of the time)

Connectionless

UDP does not in itself introduce new vulnerabilities, but makes the exploitation of IP layer vulnerabilities easy.

Makes applications more difficult to design to prevent amplification and ping-pong effects

When is UDP needed?

Domain Name System: Normal hosts query DNS servers using UDP in practice

UDP also used for other DNS functions (more on this later)

Streaming video, Voice-over-IP

TCP

Reliable

Receiver uses sequence numbers to correctly reorder segments and remove duplicates

Establishes connections and monitors deliveries

Similar to packages requiring signatures at delivery

2.7 Other Layers

Session

Handles connections between applications

Presentation

Handles encoding, encryption, etc.

Application

DNS, RPC, NFS, Routing, IPSec

2.7.1 DNS Vulnerability

You can't authenticate based on host names

You can't rely on DNS as per the original RFCs

DNS is more vulnerable if hosted outside your network

Some attacks (IP spoofing) prevented by ingress filtering

Don't accept packets from outside, pretending to originate from inside the network

Except if DNS server is hosted outside the network!

No defense then

With a UDP packet, a notice can be sent

Other packet to tell slave the new version number ("SOA RR")

Zone transfer still uses TCP

Lower protocol vulnerabilities can then be exploited to load desired information into secondary servers/slaves

TCP session hijacking

ARP poisoning (if on same network segment)

As previous attacks, but now the timing can be controlled by the attacker thanks to notify function

Administrative attacks against registrar (see Domain Hijacking: A step-by-step guide, akin to social engineering attacks)

2.7.2 NIS Vulnerability

"Network Information Services (NIS) clients download the necessary username and password data from the NIS server to verify each user login"

How much can you trust the client?

Doesn't encrypt the username/password information sent to the clients with each login

All users have access to the encrypted passwords stored on the NIS server

Crack at leisure

Active Directory can specify mechanism

Authentication mechanisms

Kerberos (requires infrastructure support)

NULL sessions (no passwords)

2.7.3 RPC Vulnerability

Sun's Remote Procedure Calls (RPC)

Microsoft's RPC

92 entries in ICAT ("rpc") as of May 2004

Example:

saned in sane-backends 1.0.7 and earlier does not check the IP address of the connecting host during the SANE_NET_INIT RPC call, which allows remote attackers to use that call even if they are restricted in saned.conf.

And we know how insecure IP-based restriction can be anyway!

2.7.4 NFS Vulnerability

Root on a client machine could be trusted as root on the server!

Remote user ID is trusted as correct

Use the root_squash option in exports

Replaces "root" with "nobody"

On by default in RedHat 9+

Root on a client machine can assume the identity of any other user (su) and change that user's files

Solution: Share ("export") only directories where everything belongs to root (with the above squash option)

Other squash options available

Setuid programs: blocked by "nosuid" option
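
A way to check an exports file for the squash settings named on this slide, as an added example that is not part of the lecture. The option names are those of the Linux exports file; the sample file content, the function name and the finding texts are constructed, and quoted paths and line continuations are not handled.

```python
import re

# Constructed /etc/exports content for the example.
SAMPLE_EXPORTS = """\
# path        client(options)
/srv/public   192.0.2.0/24(ro,root_squash)
/srv/home     192.0.2.0/24(rw,no_root_squash)
/srv/scratch  *(rw)
/srv/build    build01.example.org(rw,all_squash,anonuid=65534,anongid=65534)
"""

# One client entry: an optional host pattern followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return (line number, path, client, finding) tuples for risky export entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if m is None:
                findings.append((lineno, path, spec, "unparseable client entry"))
                continue
            client = m.group("client") or "*"  # "(rw)" with no host means every host
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if "no_root_squash" in opts:
                # The case the slide warns about: remote UID 0 stays UID 0.
                findings.append((lineno, path, client,
                                 "no_root_squash: client root is trusted as root"))
            elif not opts & {"root_squash", "all_squash"}:
                # Squashing may still apply by default, but the file does not say so.
                findings.append((lineno, path, client,
                                 "squash option not explicit: relies on the server default"))
            if client == "*":
                findings.append((lineno, path, client, "exported to every host"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The "nosuid" setting from the slide is applied where the share is mounted, so it does not appear in this file and is not checked here.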

2.7.5 Secure Routing Requirements

Routing information must have:

Integrity

Authenticity

Authorization

Timeliness

Resist replay attacks

An attacker can send a packet specifying the return route

The attacker may control one of the "routers" on the return route

Attacker needs to send a single valid packet for that new route to be used for the entire TCP connection

Initial sequence number just has to be guessed correctly once

TCP session sniffing

Man-in-the-middle attack

On-the-fly packet modification

Dropping packets selectively, or all packets

2.7.5.1 MIM Routing Attack

Send a message to all gateways, saying the gateway to network A has made network A unreachable

Send another message advertising that you can reach network A cheaply

You will start receiving all traffic for network A

Forward the traffic to the original gateway, after doing whatever you want to do with it

2.7.5.2 Authentication in OSPF

Open Shortest Path First (OSPF) is an authenticated link state protocol (RFC 2328) running directly on top of IP (proto 89) and using multicasts instead of broadcasts

Alternative to Routing Information Protocol (RIP)

Methods:

1. Password (plain text), vulnerable to sniffers

2. Keyed MD5 (a.k.a. HMAC-MD5)

K is a shared secret key (padded with zeros)

T is the message

H() is a hash function like MD5

F(K, T) is a function that pre-mixes T and K

Idea: Along with message, send also H(F(K,T)). Routers that know K can verify the integrity of T, as well as authenticate the message.

See RFC 1828

Similar to TCP MD5 signature option (RFC 2385)
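
A minimal sketch of the H(F(K, T)) idea above, taking F(K, T) to be T followed by the zero-padded K (the suffix construction; HMAC proper nests two hash calls), with a sequence number added to give the replay resistance listed under the secure routing requirements. This is an added example, not part of the lecture: the packet layout, `sign` and `Receiver` are assumptions and not the OSPF wire format, and the strictly increasing sequence rule is a simplification.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16     # K is padded with zeros to the MD5 digest length
DIGEST_LEN = 16  # size of an MD5 digest in bytes


def pad_key(key: bytes) -> bytes:
    """Pad the shared secret K with zero bytes to KEY_LEN."""
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def sign(key: bytes, seq: int, message: bytes) -> bytes:
    """Build seq || T || H(F(K, T)), where F appends the padded key to seq || T."""
    body = struct.pack("!I", seq) + message
    digest = hashlib.md5(body + pad_key(key)).digest()
    return body + digest


class Receiver:
    """Verifies the digest, then rejects sequence numbers it has already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # neighbor name -> highest sequence number accepted

    def verify(self, neighbor: str, packet: bytes) -> str:
        if len(packet) < 4 + DIGEST_LEN:
            return "reject: too short"
        body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
        expected = hashlib.md5(body + pad_key(self.key)).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(digest, expected):
            return "reject: bad digest"
        (seq,) = struct.unpack("!I", body[:4])
        # Only an authenticated packet may advance the replay window.
        if seq <= self.last_seq.get(neighbor, -1):
            return "reject: replayed sequence number"
        self.last_seq[neighbor] = seq
        return "accept"


if __name__ == "__main__":
    rx = Receiver(b"s3cret")
    update = sign(b"s3cret", 1, b"LSA: net A cost 10")  # constructed message
    print(rx.verify("r1", update))  # first delivery
    print(rx.verify("r1", update))  # same bytes sent again
```

Without the key, a forged or altered update fails the digest check, and a captured valid update fails the sequence check when it is sent again.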

2.8 TCP/IP Model

5 layers:

Application (combines presentation and session)

Transport

Network

Data Link

Physical

We will use this one as it is less ambiguous

2.8.1 SSL/TLS

History

Standard libraries and protocols for encryption and authentication

Secure Sockets Layer (SSL) originally developed by Netscape

SSL v3 draft released in 1996

Transport Layer Security (TLS) formalized in RFC 2246 (1999)

Uses

HTTPS, IMAP, SMTP, etc.

Issues

Proxies?

2.8.2 Secure Shell (SSH)

Negotiates use of many different algorithms

Encryption

Server-to-client authentication

Protects against man-in-the-middle

Uses public key cryptosystems

Keys distributed informally

Kept in ~/.ssh/known_hosts

Signatures not used for trust relations

Client-to-server authentication

Can use many different methods

Password hash

Public key

Kerberos tickets

2.8.3 IPSec

Protection at the network layer

Applications do not have to be modified to get security

Actually a suite of protocols

IP Authentication Header (AH)

Uses secure hash and symmetric key to authenticate datagram payload

IP Encapsulating Security Payload (ESP)

Encrypts datagram payload with symmetric key

Internet Key Exchange (IKE)

Does authentication and negotiates private keys

1.18 Summary of Network Security Countermeasures

Terminals Theft | Terminals holders have authentication information | Authentication and Cryptography
Illegal Access Point | One way authentication | Mutual Authentication
IP Spoofing | Radiation of RF signal to unauthorised users | Cryptography
DoS | Unable to access the network | Authorised Availability
Trojan Horse, Worm, Virus | Degraded integrity and availability | Anti-Virus Program
Attack by harmful Signal | Interrupted communications channel | Spread Spectrum Frequency Hopping
Revealing Location or ID Information | Interrupted communications channel | Anonymity

Quizzes

What is the Diffie-Hellman problem?

Describe the man-in-the-middle attack on DH

How can the man-in-the-middle attack on DH be overcome?

The aim of authentication in routing protocols is mainly to guarantee which one of these?

a) Confidentiality

b) Integrity

c) Availability

d) Auditability

Term Project - examples

Securing Mobile SIM/USIM lock for the mobile operators and vendors

Securing Key management for the Mobile Ad-hoc Network (MANET)

Implementing secure email by using RSA, ElGamal, AES

Implementing mutual authentication VoIP by using Diffie-Hellman as well as securing communications by using AES

Pros and Cons for ID based schemes/digital signatures

Analysis of WLAN Security

Study on Mobile Security including GSM, 3GPP, CDMA with DRM, CAS

Study on Trusted Computing

Study on Denial of Service Attacks and possible countermeasures

Discuss X.509 certificates, CA's certification validation and web of trust

Analysis of Hash functions and the future directions

Analysis of secret sharing schemes and on-line secret sharing schemes

Securing Key management for the Mobile Ad-hoc Network (MANET) by using ID based schemes in conjunction with secret sharing schemes

Security Applications for MANET, WPAN, RFID, Bluetooth, IrDA, IrFM, Mobile TV, DRM and CAS

Mobile TV

World First 3G + DVB-H

World First 3G + DVB-H (May 2006)