Network Security
G. Sivakumar
Computer Science Department
Indian Institute of Technology, Bombay
Mumbai 400076, India
December 11, 2003
Outline of Talk
• Some Puzzles
– Key Exchange
– Mutual Authentication
• Internet Security Overview
– Threats, Vulnerabilities, Requirements
– Site Security Assurance
• Cryptography and Cryptographic Protocols
– Asymmetric (Public-Key Encryption), Signatures
– Session Keys (Diffie-Hellman)
• Network Security Mechanisms
– Firewalls, SSL, Proxies, ...
• IIT Bombay Network Case Study
Security Mechanisms
• System Security: “Nothing bad happens to my computers and equipment”
virus, trojan-horse, logic/time-bombs, ...
• Network Security:
– Authentication Mechanisms: “you are who you say you are”
– Access Control: Firewalls, Proxies, “who can do what”
• Data Security: “for your eyes only”
– Encryption, Digests, Signatures, ...
Cryptography and Data Security
• sine qua non [without this nothing :-]
• Historically who used first? (L & M)
• Code Language in joint families!
Symmetric/Private-Key Algorithms
Asymmetric/Public-Key Algorithms
• Keys are duals (lock with one, unlock with other)
• Cannot infer one from other easily
• How to encrypt? How to sign?
Signing a Document
Digital Signature (like signing a cheque).
Verifying a Signature
• How to get the public key?
• Exam cancelled email with phone number!
• Need Key Management (models of trust).
One way Functions
Mathematical Equivalents
• Factoring large numbers (product of 2 large primes)
• Discrete Logarithms
One-way Functions
• Computing f(x) = y is easy.
• Eg. $y = 4^x \bmod 13$ (If x is 3, y is —?)
n     $4^n \bmod 13$     $10^n \bmod 13$
1     4                  10
2     3                  9
3     12                 12
4     9                  3
5     10                 4
6     1                  1
7     4                  10
...   ...                ...
• Note: need not work with numbers bigger than 13 at all!
• But given y = 11, finding suitable x is not easy!
• Can do by brute-force (try all possibilities!)
• No method that is much better known yet!
RSA Encryption Example
Pick 2 primes (p = 251, q = 269).
Let n = p ∗ q = 67519 and φ(n) = (p − 1) ∗ (q − 1) = 67000.
Pick e = 50253 (relatively prime to φ(n)).
Compute $d = e^{-1} \bmod \varphi(n) = 27917$ (only one such d exists, with (e ∗ d) mod φ(n) = 1).
Interesting number-theoretic property for any m < n is the following:
$((m^e) \bmod n)^d \bmod n = m = ((m^d) \bmod n)^e \bmod n$
Therefore to encrypt a message m take it 2 chars at a time (16 bits, so less than 65536) and compute $E(m) = m^e \bmod n$.
This is the public key (the numbers e, n).
Decrypting is done by $m = D(E(m)) = E(m)^d \bmod n$ and is easy only if d (private key) is known.
RSA Small Example
p = 47
q = 71
n = p * q = 3337
φ(n) = 3220
e = 79 (relatively prime to 3220)
d = 1019 (79 * 1019 = 1 mod 3220)
m = 688123456789
m1 = 688
c1 = $688^{79} \bmod 3337 = 1570$
d1 = $1570^{1019} \bmod 3337 = 688$
How difficult (how many multiplications and what size numbers) is it to compute the last two exponents?
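
The question above can be answered by counting. The following Python sketch is an added example, not code from the talk: it implements left-to-right square-and-multiply, reports the number of multiplications and the largest intermediate value, and reuses the key values from both RSA slides. The names modexp, encrypt_text and decrypt_text and the zero-byte padding are assumptions made for the example.

```python
# Added example: square-and-multiply with a count of the work done.
# Key values come from the two RSA slides; function names are illustrative.

def modexp(base, exp, mod):
    """Return (base**exp % mod, multiplications, largest intermediate value)."""
    if exp < 1:
        raise ValueError("exponent must be >= 1")
    base %= mod
    result = base
    mults, largest = 0, result
    for bit in bin(exp)[3:]:              # exponent bits after the leading 1
        product = result * result         # one squaring per remaining bit
        mults += 1
        largest = max(largest, product)
        result = product % mod
        if bit == "1":
            product = result * base       # one extra multiply per 1 bit
            mults += 1
            largest = max(largest, product)
            result = product % mod
    return result, mults, largest

SMALL = {"n": 3337, "e": 79, "d": 1019}          # p = 47, q = 71
LARGER = {"n": 67519, "e": 50253, "d": 27917}    # p = 251, q = 269

def encrypt_text(text, key):
    """Encrypt 2 chars (16 bits) per block, as the first RSA slide describes."""
    data = text.encode("latin-1")
    data += b"\x00" * (len(data) % 2)             # assumed padding to whole blocks
    blocks = [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]
    return [modexp(m, key["e"], key["n"])[0] for m in blocks]

def decrypt_text(blocks, key):
    """Invert encrypt_text with the private exponent d."""
    raw = b"".join(modexp(c, key["d"], key["n"])[0].to_bytes(2, "big") for c in blocks)
    return raw.rstrip(b"\x00").decode("latin-1")

if __name__ == "__main__":
    c1, mults_e, big_e = modexp(688, SMALL["e"], SMALL["n"])
    m1, mults_d, big_d = modexp(c1, SMALL["d"], SMALL["n"])
    print("c1 =", c1, "using", mults_e, "multiplications")
    print("m1 =", m1, "using", mults_d, "multiplications")
    print("intermediates stay below n^2:", max(big_e, big_d) < SMALL["n"] ** 2)
    print(decrypt_text(encrypt_text("IIT Bombay", LARGER), LARGER))
```

The count is at most twice the bit length of the exponent, and no intermediate value exceeds n squared. With 16-bit blocks and no padding, equal plaintext blocks give equal ciphertext blocks, so these parameters are only for following the arithmetic.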
Network Security Mechanism Layers
Cryptographic Protocols underlie all security mechanisms. Real challenge to design good ones for key establishment, mutual authentication etc.
Motivation for Session keys
Combine Symmetric (fast) and Asymmetric (very slow) Methods using session (ephemeral) keys for the following additional reasons.
• Limit available cipher text (under a fixed key) for cryptanalytic attack;
• Limit exposure with respect to both time period and quantity of data, in the event of (session) key compromise;
• Avoid long-term storage of a large number of distinct secret keys (in the case where one terminal communicates with a large number of others), by creating keys only when actually required;
• Create independence across communications sessions or applications. No replay attacks.
How to establish session keys over insecure medium where adversary is listening to everything?
Can be done even without any public key!
Randomization to rescue (like in CSMA/CD of Ethernet).
Diffie-Hellman Key Establishment Protocol
Man-in-the-middle attack
• Authentication was missing!
• Can be solved if Kasparov and Anand know each other’s public key (Needham-Schroeder).
• Yes, but different attack possible.
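
The session-key exchange and the missing-authentication problem from the two slides above, as an added Python example that is not part of the original talk. It runs Diffie-Hellman between Anand and Kasparov with fresh random exponents, then repeats the run with a relay that substitutes its own public value. The modulus P, the base G, the class and function names, and the key-confirmation step are assumptions chosen for the demonstration.

```python
# Added example: toy Diffie-Hellman, first honest, then with an
# unauthenticated relay in the path. All parameters are constructed.
import hashlib
import secrets

P = 2**127 - 1   # constructed toy prime modulus, far too small for real use
G = 3            # constructed base for the demo

class Party:
    def __init__(self, name):
        self.name = name
        self.secret = secrets.randbelow(P - 3) + 2    # fresh random exponent per session
        self.public = pow(G, self.secret, P)          # the only value sent on the wire

    def session_key(self, received_public):
        """Derive the session key from whatever public value arrived."""
        shared = pow(received_public, self.secret, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def honest_exchange():
    """Both sides receive each other's real public value."""
    anand, kasparov = Party("Anand"), Party("Kasparov")
    return anand.session_key(kasparov.public), kasparov.session_key(anand.public)

def relayed_exchange():
    """Each side receives the relay's public value instead of its peer's."""
    anand, kasparov, relay = Party("Anand"), Party("Kasparov"), Party("relay")
    key_anand = anand.session_key(relay.public)
    key_kasparov = kasparov.session_key(relay.public)
    relay_keys = (relay.session_key(anand.public), relay.session_key(kasparov.public))
    return key_anand, key_kasparov, relay_keys

def keys_agree(key_a, key_b):
    """Key confirmation; assumes the comparison itself cannot be altered in transit."""
    return secrets.compare_digest(key_a, key_b)

if __name__ == "__main__":
    a, k = honest_exchange()
    print("honest run, keys agree:", keys_agree(a, k))
    a, k, relay = relayed_exchange()
    print("relayed run, keys agree:", keys_agree(a, k))
    print("relay holds both keys:", relay == (a, k))
```

In the relayed run the two endpoints hold different keys, and the relay holds both. The exchange alone gives neither side any way to notice, which is why the public values have to be authenticated.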
Needham-Schroeder Protocol
Attack by Lowe (1995)
Why Are Security Protocols Often Wrong?
They are trivial programs built from simple primitives, BUT, they are complicated by
• concurrency
• a hostile environment
– a bad user controls the network
– Concern: active attacks masquerading, replay, man-in-middle, etc.
• vague specifications
– we have to guess what is wanted
• Ill-defined concepts
Protocol flaws rather than cryptosystem weaknesses
Formal Methods needed!
Online Voting Protocols
Are we ready for elections via Internet?
• George Bush (Nov 2000, dimpled chads)
• Pervez Musharraf (April 2002)
• Gujarat (Dec 12, 2002)
E-Voting Protocols Requirements
• No loss of votes already cast (reliability)
• No forging of votes (authentication)
• No modification of votes cast (integrity)
• No multiple voting
• No vote secrecy violation (privacy)
• No vulnerability to vote coercion
• No vulnerability to vote selling or trading protocols (voter is an adversary)
• No loss of ability to cast and accept more votes (availability, no denial of service)
Other Desirable Properties
must not only be correct and secure, but also be seen to be so by skeptical (but educated and honest) outsiders.
• Auditability:
Failure or procedural error can be detected and corrected, especially the loss of votes.
• Verifiability: Should be able to prove
– My vote was counted
– All booths were counted
– The number of votes in each booth is the same as the number of people who voted
– No one I know who is ineligible to vote did so
– No one voted twice
– ...
without violating anonymity, privacy etc.
Zero Knowledge Proofs
The Victim: An organization on Internet
• Assume company’s domain name is ushacomm.co.in
• Has legal IP addresses obtained from ISP.
• Has 20-30 machines and runs services email, www, ftp, ...
• Goal: Break-in on some machines
Map the Victim’s network
• Find the IP addresses of machines
Authoritative answers can be found from:
ushacomm.co.in nameserver = hansel.ushacomm.co.in
ushacomm.co.in nameserver = gretel.ushacomm.co.in
hansel.ushacomm.co.in internet address = 202.54.54.177
gretel.ushacomm.co.in internet address = 202.54.54.188
Probe further
> server 202.54.54.177
Default Server: [202.54.54.177]
Address: 202.54.54.177
> ls ushacomm.co.in.
[[202.54.54.177]]
$ORIGIN ushacomm.co.in.
ftpsrv    1H IN A 202.54.54.186
hansel    1H IN A 202.54.54.177
ubestftp  1H IN A 202.54.54.178
gretel    1H IN A 202.54.54.188
• Now we know the addresses of 4 machines
• Can probe each of them using (ping, finger, telnet, ..)
NAME
nmap - Network exploration tool and security scanner
SYNOPSIS
nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
DESCRIPTION
Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. See the Scan Types section for more details. nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, fragmentation scanning, and flexible...
Example of Nmap’s power
Interesting ports on (202.54.54.187):
Port    State   Protocol  Service
21      open    tcp       ftp
25      open    tcp       smtp
53      open    tcp       domain
80      open    tcp       http
135     open    tcp       loc-srv
139     open    tcp       netbios-ssn
1032    open    tcp       iad3
1352    open    tcp       lotusnote
TCP Sequence Prediction: Class=trivial time dependency
Difficulty=15 (Easy)
Sequence numbers: C061748 C061B90 C062018 C06247C C062918 C062D72
Remote operating system guess: Windows NT4 / Win95 / Win98
What next?
• A chain is as strong as its weakest link.
• Known vulnerabilities for many OS, Applications.
• rootshell.com posts new exploits regularly.
• Break into one machine first, then easier to attack rest.