CSCE 715:Network Systems Security

Chin-Tser Huanghuangct@cse.sc.edu

University of South Carolina

09/23/2010 2

See How Cryptographic ToolsReally Works

OpenSSL is a general-purpose cryptographic library with implementations of Symmetric ciphers: 3DES, AES, … Asymmetric ciphers: RSA, DH, … Hash functions: MD5, SHA-1, …

09/23/2010 3

Next Topic in Cryptographic Tools

Symmetric key encryption Asymmetric key encryption Hash functions and message

digest Nonce

09/23/2010 4

A Scenario of Replay Attack

Alice authorizes a transfer of funds from her account to Bob’s account

An eavesdropping adversary makes a copy of this message

Adversary replays this message at some later time

09/23/2010 5

Replay Attacks

Adversary takes past messages and plays them again whole or part of message to same or different receiver

Encryption algorithms not enough to counter replay attacks

09/23/2010 6

Freshness Identifiers

Sender attaches a freshness identifier to message to help receiver determine whether message is fresh

Three types of freshness identifiers nonces timestamps sequence numbers

09/23/2010 7

Nonces A random number generated for a

special occasion Need to be unpredictable and not

used before Disadvantage is not suitable for

sending a stream of messages Mostly used in challenge-response

protocols

09/23/2010 8

Timestamps Sender attaches an encrypted real-time

timestamp to every message Receiver decrypts timestamp and

compares it with current reading if difference is sufficiently small, accept

message otherwise discard message

Problem is synchronization between sender and receiver

09/23/2010 9

Sequence Numbers

Sender attaches a monotonically increasing counter value to every message

Sender needs to remember last used number and receiver needs to remember largest received number

09/23/2010 10

Operation of Sequence Numbers

Sender increments sequence number by 1 after sending a message

Receiver compares sequence number of received message with largest received number If larger than largest received number,

accept message and update largest received number

If less than largest received number, discard message

09/23/2010 11

Problem with Sequence Numbers

IPsec uses sequence number to counter replay attacks

However reorder can occur in IP Messages with larger sequence number

may arrive before messages with smaller sequence numbers

When reordered messages with smaller sequence numbers arrive later, they will be discarded

09/23/2010 12

Anti-Replay Window Protocolin IPsec

Protect IPsec messages against replay attacks and counter the problem of reorder

Sender puts a sequence number in every message

Receiver uses a sliding window to keep track of the received sequence numbers

09/23/2010 13

Comparison with TCP Sliding Window

Purpose: TCP sliding window is used for flow control, while anti-replay window for countering replay attack

Size: TCP sliding window is of dynamic size, while anti-replay window is of static size (64 recommended by IPsec)

09/23/2010 14

Comparison with TCP Sliding Window

Unit: TCP sliding window is byte-oriented, while anti-replay window is packet-oriented

Retransmission: same sequence number used in TCP sliding window, while new sequence number used in anti-replay window

09/23/2010 15

TCP Sliding Window

1 2 3 4 5 6 7 8 9 10

11

…

offered window(advertised by

receiver)usable window

sent, not ACKed

acknowledgedsent and

can send ASAP

can’t send untilwindow moves

09/23/2010 16

Anti-Replay Window

w is window size r is right edge of window Assume s is sequence number of next received

message Three cases to consider

1 w

right edge r

2 3 • • •sequencenumbers

not yet received

received before

assumed received

• • •• • •

r-w+1

09/23/2010 17

Cases of Anti-Replay Window Case i: if s is smaller than sequence

numbers in window, discard message s

1 w

s r

09/23/2010 18

Cases of Anti-Replay Window Case ii: s is in window

if s has not been received yet, then deliver message s

if s has been received, then discard message s 1 w

s rs

(deliver)(discard)

09/23/2010 19

Cases of Anti-Replay Window Case iii: if s is larger than sequence

numbers in window, then deliver message s and slide the window so that s becomes its new right edge

1 w

srr

window before shift

11 ww

window after window after shiftshift

09/23/2010 20

Properties of Anti-Replay Window Protocol

Discrimination: receiver delivers at most one copy

of every message sent by sender w-Delivery: receiver delivers at least one copy

of each message that is neither lost nor suffered a reorder of degree w or more, where w is window size

09/23/2010 21

Problem with Anti-Replay Window

Receiver gets s, where s >> r Window shifts to right Many good messages that arrive later

will be discarded

discarded good msgs

1 w

r

window before shift

s

11 wwwindow after window after shiftshift

09/23/2010 22

Automatic Shift vs. Controlled Shift

Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead

Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later

09/23/2010 23

Three Properties of Controlled Shift

Adaptability receiver determines whether to sacrifice a

newly received message according to the current characteristics of the environment

Rationality receiver sacrifices only when messages that

could be saved are more than messages that are sacrificed

Sensibility receiver stops sacrificing if it senses that the

messages it means to save are not likely to come

09/23/2010 24

Additional Case with Controlled Shift

Case iv: s is more than w positions to the right of window receiver estimates number of good messages

it is going to lose if it shifts the window to s if the estimate is larger than d+1, where d is

the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1

otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0

09/23/2010 25

Another Problem with Anti-Replay Window

Computer may reset due to transient fault or power loss

If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost

09/23/2010 26

Scenario of Sender Reset

If p is reset, unbounded number of fresh messages are discarded by q

49 48 3 2 1 0

p q

seq# : 50• • •

seq# : 50

fresh messages yet discarded by q

seq# : 0

reset

09/23/2010 27

Scenario of Receiver Reset If q is reset, it can accept unbounded

number of replayed messages

49 48 3 2 1 0

p q

inserted by

adversary

seq# : 50• • •

seq# : 50

replayed yet accepted by q

seq# : 0

reset

09/23/2010 28

Overcome Reset Problems

IPsec Working Group: if reset, the Security Association (SA) is deleted and a new one is established -- very expensive

Our solution: periodically push current state of SA into persistent memory (e.g. hard drive); if reset, restore state of SA from this memory

09/23/2010 29

SAVE and FETCH When SAVE is executed, the last

sequence number or right edge of window will be stored in persistent memory

When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory

09/23/2010 30

SAVE at Sender

s is sequence number at p Every Kp messages, p executes

SAVE(s) to store current s in persistent memory

Choose appropriate Kp such that in spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent

09/23/2010 31

FETCH at Sender

When p wakes up after reset, p executes FETCH(s) to fetch s stored in persistent memory

After FETCH(s) completes, p executes SAVE(s+2Kp) and waits

After SAVE(s+2Kp) completes, p can send next message using seq# s+2Kp

09/23/2010 32

Convergence of Sender Assume when p resets, SAVE(s) has

not yet completed, and the last sent seq# is s+t t < Kp otherwise SAVE(S) should have

completed When p wakes up, s-Kp will be fetched Therefore, adding 2Kp to fetched

seq# guarantees that next sent seq# is fresh

09/23/2010 33

Convergence of Sender Assume when p resets, SAVE(s) has

completed, and the last sent seq# is s+u u < Kp otherwise SAVE(S+Kp) should

have started When p wakes up, s will be fetched Therefore, adding 2Kp to fetched

seq# guarantees that next sent seq# is fresh

09/23/2010 34

Convergence of Sender

t (t < Kp) u (u < Kp)

s+t s+u s+Kp s

SAVE(s+Kp) starts

sequence number at process p

or SAVE(s) starts

SAVE(s) ends

SAVE(s-Kp) ends

reset occurs here

reset occurs here

09/23/2010 35

Results of SAVE and FETCH When p is reset, some sequence

numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs

When q is reset, the number of discarded messages is bounded by 2Kq

When p or q is reset, no replayed message will be accepted by q

09/23/2010 36

Next Class

Address Resolution Protocol (ARP) and its security problems

Secure ARP Read paper on website