CSCE 715: Network Systems Security
09/23/2010 2
See How Cryptographic Tools Really Work
OpenSSL is a general-purpose cryptographic library with implementations of
Symmetric ciphers: 3DES, AES, …
Asymmetric ciphers: RSA, DH, …
Hash functions: MD5, SHA-1, … (both listed here are broken for collision resistance and should not be used where collisions matter)
Next Topic in Cryptographic Tools
Symmetric key encryption
Asymmetric key encryption
Hash functions and message digest
Nonce
A Scenario of Replay Attack
Alice authorizes a transfer of funds from her account to Bob’s account
An eavesdropping adversary makes a copy of this message
Adversary replays this message at some later time
Replay Attacks
Adversary takes past messages and plays them again, whole or in part, to the same or a different receiver
Encryption alone is not enough to counter replay attacks: a replayed ciphertext still decrypts correctly and still carries the original authorization
Freshness Identifiers
Sender attaches a freshness identifier to the message to help the receiver determine whether the message is fresh
Three types of freshness identifiers: nonces, timestamps, sequence numbers
Nonces
A random number generated for a special occasion
Needs to be unpredictable and never used before
Disadvantage: not suitable for sending a stream of messages
Mostly used in challenge-response protocols
Timestamps
Sender attaches an encrypted real-time timestamp to every message
Receiver decrypts the timestamp and compares it with its current clock reading
if the difference is sufficiently small, accept the message
otherwise discard the message
Problem is clock synchronization between sender and receiver; note also that a copy replayed within the acceptance window still passes this check unless the receiver additionally remembers the messages it has recently accepted
Sequence Numbers
Sender attaches a monotonically increasing counter value to every message
Sender needs to remember last used number and receiver needs to remember largest received number
Operation of Sequence Numbers
Sender increments the sequence number by 1 after sending a message
Receiver compares the sequence number of a received message with the largest received number
If larger than the largest received number, accept the message and update the largest received number
Otherwise (equal to or less than the largest received number) discard the message; an equal number is a replay
Problem with Sequence Numbers
IPsec uses sequence numbers to counter replay attacks
However, reordering can occur in IP: messages with larger sequence numbers may arrive before messages with smaller sequence numbers
When the reordered messages with smaller sequence numbers arrive later, they will be discarded even though they are fresh
Anti-Replay Window Protocol in IPsec
Protect IPsec messages against replay attacks and counter the problem of reorder
Sender puts a sequence number in every message
Receiver uses a sliding window to keep track of the received sequence numbers
Comparison with TCP Sliding Window
Purpose: TCP sliding window is used for flow control, while anti-replay window is for countering replay attacks
Size: TCP sliding window is of dynamic size, while anti-replay window is of static size (64 recommended by IPsec; RFC 4303 makes 64 the default and 32 the minimum for ESP)
Comparison with TCP Sliding Window
Unit: TCP sliding window is byte-oriented, while anti-replay window is packet-oriented
Retransmission: TCP retransmits a segment under the same sequence number, while in IPsec every packet, including a retransmission by a higher layer, gets a new sequence number
TCP Sliding Window
[Figure: byte sequence numbers 1, 2, … 11, …; regions from left to right: sent and acknowledged; sent, not ACKed; usable window (can send ASAP); can't send until window moves; the offered window is advertised by the receiver]
Anti-Replay Window
w is window size, r is right edge of window
Assume s is sequence number of next received message
Three cases to consider
[Figure: w slots numbered 1 … w covering sequence numbers r-w+1 … r; sequence numbers left of the window are assumed received; slots inside the window are either received before or not yet received]
Cases of Anti-Replay Window
Case i: s is smaller than every sequence number in the window (s < r-w+1): discard message s
[Figure: s lies to the left of the window 1 … w whose right edge is r]
Case ii: s is in the window (r-w+1 <= s <= r)
if s has not been received yet, deliver message s
if s has already been received, discard message s (it is a replay)
[Figure: two positions inside the window, one marked deliver, one marked discard]
Case iii: s is larger than every sequence number in the window (s > r): deliver message s and slide the window so that s becomes its new right edge
[Figure: window before shift with right edge r; window after shift with right edge s]
Properties of Anti-Replay Window Protocol
Discrimination: receiver delivers at most one copy of every message sent by sender
w-Delivery: receiver delivers at least one copy of each message that is neither lost nor reordered by degree w or more, where w is window size
Problem with Anti-Replay Window
Receiver gets s, where s >> r
Window shifts to the right so that s is the new right edge
Many good messages with sequence numbers between the old and the new window that arrive later will be discarded (case i)
[Figure: window before shift with right edge r; window after shift with right edge s; the sequence numbers between them are discarded good messages]
Automatic Shift vs. Controlled Shift
Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead
Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later
Three Properties of Controlled Shift
Adaptability: receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment
Rationality: receiver sacrifices only when the messages that could be saved outnumber the messages that are sacrificed
Sensibility: receiver stops sacrificing if it senses that the messages it means to save are not likely to come
Additional Case with Controlled Shift
Case iv: s is more than w positions to the right of the window
receiver estimates the number of good messages it is going to lose if it shifts the window to s
if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1
otherwise, receiver delivers the message, shifts the window to the right so that s is its new right edge, and resets d to 0
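The receiver logic of cases i-iv, as an added example in Python (not the course's code and not any IPsec implementation); it also runs the plain sequence-number receiver from the earlier slides over the same reordered stream so the two behaviours can be compared. Assumptions made here: sequence numbers start at 1, the window initially covers 1..w with nothing received, and the case iv loss estimate is the number of not-yet-received sequence numbers that the shift to s would push out of the window. The two traffic streams are constructed.

```python
"""Anti-replay window receiver with automatic (cases i-iii) and controlled
(case iv) shift. Added example; not the course's or IPsec's code.
Assumptions: sequence numbers start at 1, the window covers [r-w+1, r],
dmax == 0 selects the automatic shift, dmax > 0 adds case iv, and the
case iv loss estimate counts the not-yet-received numbers a shift to s
would push out of the window."""


class AntiReplayWindow:
    def __init__(self, w, dmax=0):
        assert w > 0
        self.w = w
        self.r = w               # right edge; initially covers 1..w, nothing received
        self.received = set()    # delivered sequence numbers inside the window
        self.dmax = dmax         # 0 = automatic shift, >0 = controlled shift
        self.d = 0               # messages sacrificed so far by controlled shift

    def left(self):
        return self.r - self.w + 1

    def _estimate_loss(self, s):
        # Assumed heuristic: once the window moves to [s-w+1, s] nothing below
        # s-w+1 can ever be delivered. In case iv (s > r+w) that is every
        # not-yet-received slot of the current window plus all of r+1 .. s-w.
        return (self.w - len(self.received)) + (s - self.w - self.r)

    def receive(self, s):
        """Return 'deliver' or 'discard' for a message with sequence number s."""
        if s < self.left():                          # case i: older than the window
            return "discard"
        if s <= self.r:                              # case ii: inside the window
            if s in self.received:
                return "discard"                     # replay
            self.received.add(s)
            return "deliver"
        if self.dmax > 0 and s - self.r > self.w:    # case iv: far ahead
            if self._estimate_loss(s) > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1                          # sacrifice s, keep the window
                return "discard"
        # case iii: deliver s and slide so that s is the new right edge
        self.r = s
        self.received = {n for n in self.received if n >= self.left()}
        self.received.add(s)
        self.d = 0
        return "deliver"


def strict_counter(stream):
    """Plain sequence-number receiver: accept only if larger than the largest seen."""
    largest, out = 0, []
    for s in stream:
        if s > largest:
            largest = s
            out.append("deliver")
        else:
            out.append("discard")
    return out


def windowed(stream, w, dmax=0):
    """Run one anti-replay window over a stream; return the decision per message."""
    rx = AntiReplayWindow(w, dmax)
    return [rx.receive(s) for s in stream]


# Constructed traffic (not captured data)
REORDERED = [1, 2, 4, 3, 5, 3]            # 3 arrives late, then is replayed
FAR_AHEAD = [1, 2, 100, 3, 4, 100, 100]   # 100 arrives long before 3 and 4

if __name__ == "__main__":
    print("strict counter :", strict_counter(REORDERED))   # late 3 wrongly discarded
    print("window w=4     :", windowed(REORDERED, 4))      # late 3 delivered, replay caught
    print("automatic shift:", windowed(FAR_AHEAD, 4))      # good 3 and 4 lost
    print("controlled     :", windowed(FAR_AHEAD, 4, 3))   # 3 and 4 saved, 100 delivered on its third try
```

With dmax = 3 the receiver sacrifices the far-ahead message at most dmax-1 times (the slide's rule discards only while d+1 < dmax), which is the "sensibility" property: a sender that has genuinely jumped ahead is not blocked forever.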
09/23/2010 25
Another Problem with Anti-Replay Window
Computer may reset due to transient fault or power loss
If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost
09/23/2010 26
Scenario of Sender Reset
If p is reset and restarts from 0, an unbounded number of fresh messages are discarded by q
[Figure: p's sequence number and q's right edge have reached 50; after the reset p sends seq# 0, 1, 2, 3, … again; these fresh messages fall left of q's window and are discarded by q]
Scenario of Receiver Reset
If q is reset and restarts from 0, it can accept an unbounded number of replayed messages
[Figure: p has sent seq# up to 50; q resets its window to 0; the adversary inserts copies of the old messages 0, 1, 2, 3, … 48, 49, which q accepts as fresh]
Overcome Reset Problems
IPsec Working Group: if reset, the Security Association (SA) is deleted and a new one is established -- very expensive
Our solution: periodically push current state of SA into persistent memory (e.g. hard drive); if reset, restore state of SA from this memory
SAVE and FETCH
When SAVE is executed, the last sequence number (at the sender) or the right edge of the window (at the receiver) is stored in persistent memory
When FETCH is executed, the last stored sequence number or right edge of window is loaded from persistent memory back into (volatile) memory
SAVE at Sender
s is the sequence number at p
Every Kp messages, p executes SAVE(s) to store the current s in persistent memory
Choose Kp such that, in spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent
FETCH at Sender
When p wakes up after a reset, p executes FETCH(s) to fetch the s stored in persistent memory
After FETCH(s) completes, p executes SAVE(s+2Kp) and waits
After SAVE(s+2Kp) completes, p can send the next message using seq# s+2Kp
The wait matters: if p sent before SAVE(s+2Kp) completed and then reset again, it would fetch the old s and could reuse sequence numbers it had already sent
Convergence of Sender
Assume when p resets, SAVE(s) has not yet completed, and the last sent seq# is s+t
t < Kp, otherwise SAVE(s) would have completed
When p wakes up, s-Kp will be fetched
Therefore adding 2Kp to the fetched seq# gives s+Kp > s+t, so the next sent seq# is fresh
Convergence of Sender
Assume when p resets, SAVE(s) has completed, and the last sent seq# is s+u
u < Kp, otherwise SAVE(s+Kp) would have started (and even if SAVE(s+Kp) has started but not completed, s is still the fetched value and the last sent seq# is below s+2Kp, since SAVE(s+Kp) completes before s+2Kp is sent)
When p wakes up, s will be fetched
Therefore adding 2Kp to the fetched seq# gives s+2Kp > s+u, so the next sent seq# is fresh
Convergence of Sender
[Figure: timeline of the sequence number at process p: SAVE(s-Kp) ends; SAVE(s) starts at s; a reset at s+t (t < Kp) occurs before SAVE(s) ends; SAVE(s) ends; a reset at s+u (u < Kp) occurs before SAVE(s+Kp) starts at s+Kp]
Results of SAVE and FETCH
When p is reset, some sequence numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs
When q is reset, the number of discarded messages is bounded by 2Kq
When p or q is reset, no replayed message will be accepted by q
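A model of the sender side of SAVE and FETCH, added here as an example (it is not the course's code). Assumptions made in the model: a SAVE started when message s is sent completes `save_delay` sends later, with save_delay < Kp (the constraint the slides place on the choice of Kp); persistent memory holds only the last completed SAVE; a reset erases all volatile state. The `always_fresh` check walks every possible reset point and confirms the convergence claim of the previous slides: the first sequence number after waking is always larger than the last one sent before the reset, and it skips at most 2Kp numbers.

```python
"""Sender-side SAVE/FETCH recovery after a reset. Added example, not the
course's code. Assumptions: SAVE(s) starts when s is sent and completes
save_delay sends later (save_delay < Kp); persistent memory keeps only the
last COMPLETED SAVE; a reset erases every other piece of state."""


class Sender:
    def __init__(self, kp, save_delay):
        assert 0 <= save_delay < kp, "Kp must outlast the SAVE execution delay"
        self.kp = kp
        self.save_delay = save_delay
        self.persistent = 0      # value of the last completed SAVE (0 = none yet)
        self.s = 0               # last sent sequence number (volatile)
        self.pending = None      # [value, sends_until_complete] of an in-flight SAVE

    def send(self):
        """Send the next message and return its sequence number."""
        self.s += 1
        if self.pending is not None:            # an in-flight SAVE makes progress
            self.pending[1] -= 1
            if self.pending[1] <= 0:
                self.persistent = self.pending[0]
                self.pending = None
        if self.s % self.kp == 0:               # every Kp messages: SAVE(s)
            if self.save_delay == 0:
                self.persistent = self.s        # completes immediately
            else:
                self.pending = [self.s, self.save_delay]
        return self.s

    def reset(self):
        """Transient fault or power loss: volatile state is gone."""
        self.s = None
        self.pending = None

    def wake(self):
        """FETCH, then SAVE(s + 2Kp) synchronously, then resume from s + 2Kp."""
        fetched = self.persistent
        resume = fetched + 2 * self.kp
        self.persistent = resume                # SAVE(s + 2Kp) must complete before sending
        self.s = resume - 1                     # so the next send() uses s + 2Kp
        return fetched, resume


def simulate_reset(kp, save_delay, sends_before_reset):
    """Return (last seq sent before the reset, fetched value, first seq after waking)."""
    p = Sender(kp, save_delay)
    for _ in range(sends_before_reset):
        p.send()
    last = p.s
    p.reset()
    fetched, _ = p.wake()
    return last, fetched, p.send()


def always_fresh(kp, save_delay, max_sends=40):
    """Convergence check: after any reset point the next seq# is fresh and at most 2Kp ahead."""
    for n in range(1, max_sends + 1):
        last, _, nxt = simulate_reset(kp, save_delay, n)
        if not (last < nxt <= last + 2 * kp):
            return False
    return True


if __name__ == "__main__":
    # Kp = 5, SAVE takes 2 sends. Reset after 11 sends: SAVE(10) is still in
    # flight, so FETCH returns 5 and p resumes at 15 (the t < Kp case).
    print(simulate_reset(5, 2, 11))
    # Reset after 12 sends: SAVE(10) has completed, p resumes at 20 (the u < Kp case).
    print(simulate_reset(5, 2, 12))
    print(all(always_fresh(kp, d) for kp in (2, 3, 5, 8) for d in range(kp)))
```

The gap between the last sequence number sent and the first one after waking is the "abandoned" range the slides mention; the receiver's window simply slides over it (case iii), which is why no message from p is discarded as long as nothing is reordered.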
Next Class
Address Resolution Protocol (ARP) and its security problems
Secure ARP
Read paper on website