Overview of Cryptography and Network Security Ch. Rupa VRSEC
Jul 15, 2015
Three Key Objectives
• Confidentiality– Data confidentiality
– Privacy
• Integrity– Data integrity
– System integrity
• Availability
• Additional concepts– Authenticity
– Accountability
Passive Attacks
• Passive attacks do not affect system resources– Eavesdropping, monitoring
• Two types of passive attacks– Release of message contents
– Traffic analysis
• Passive attacks are very difficult to detect– Message transmission apparently normal
• No alteration of the data
– Emphasis on prevention rather than detection• By means of encryption
Active Attacks
• Active attacks try to alter system resources or affect their operation– Modification of data, or creation of false data
• Four categories– Masquerade– Replay– Modification of messages– Denial of service: preventing normal use
• A specific target or entire network
• Difficult to prevent– The goal is to detect and recover
Model for Network Security
• using this model requires us to: 1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
Feistel Cipher
8
16 2 1
1 1 1 1
1 2 1
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block as:
: E ( ) : ( )
The decryption will be:
D ( )
k
k
m
c m m
c
11 1
6
1 2 16
( )
( )
The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
c
c
Mathematical Description of Round i
9
1 1
1
1 1
1
Let and be the input of round , and
and the output.
We have
:
( , )
:
:
( , )
Or, (
i i
i i
i i
i i
i
i
i i
i
iL R
L R i
L R
L
L
R
R L F R K
1
1 1
, where
: ( , ) ( , ).
: ( , ) ( , ).
Not
,
e
)
that and .
( , )
i
i
i
i
i
x y y
x y y x
x F y k
R
DES: The Data Encryption Standard
• Most widely used block cipher in the world.
• Adopted by NIST in 1977.
• Based on the Feistel cipher structure with 16 rounds of processing.
• Block = 64 bits
• Key = 56 bits
• What is specific to DES is the design of the F function and how round keys are derived from the main key.
10
Initial Permutation IP
• IP: the first step of the encryption.
• It reorders the input data bits.
• The last step of encryption is the inverse of IP.
• IP and IP-1 are specified by tables (see Stallings book, Table 3.2) DES
Round Keys Generation
• Main key: 64 bits.
• 56-bits are selected and permuted using Permuted Choice One (PC1); and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
– Select 24-bits from each half, and permute the combined 48 bits.
– This forms a round key.
Permuted Choice One (PC1)
15
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
18
The and each have 32 bits, and the round key 48 bits.
The function, on input and , produces 32 bits:
( , )
where :
(
expands 32 bits o 4
)
t
The function of DES
L R K
F R K
F R K P S E K
E
R
F
8 bits;
: shrinks it back to 32 bits;
: permutes the 32 bits.
S
P
Design Principles of DES
• To achieve high degree of diffusion and confusion.
• Diffusion: making each plaintext bit affect as many ciphertext bits as possible.
• Confusion: making the relationship between the encryption key and the ciphertext as complex as possible.
1
2DES
• Consider 2DES with two keys:
C = EK2(EK1(P))
• Decryption: P = DK1(DK2(C))
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!
20
Meet-in-the-Middle Attack on 2DES
• 2-DES: C = EK2(EK1(P))
• Given a known pair (P, C), attack as follows:– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES.
21
EK1P CEK2
22
1 2 1
1 2 1
1 2
A straightforward implementation would be :
: ( )
In practice : : ( )
Also referred to as EDE encryption
Reason : if , then
3DE
3DES with 2 keys
k k k
k k k
c E E E m
c E D E m
k k
S 1DES.
Thus, a 3DES software can be used as a single-DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.
23
3 2 1
1 3
1 2 3
Encryption: : ( ) .
If , it becomes 3DES with 2 keys.
If , it becomes the regular DES.
So, it is backward compatible with both 3DES with 2 keys
and
3DES with 3 keys
k k kc E D E m
k k
k k k
the regular DES.
Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.
RC5 Algorithm
• Three parts:-
– Key Expansion
– Encryption Algorithm
– Decryption Algorithm
• Fast symmetric block cipher
– Same key for encryption and decryption
– Plaintext and ciphertext are fixed-length bit sequences (blocks)
Parameters of RC5
– RC5 – w/r/b
• E.g. RC5 – 32/16/10
– w = 32 bits
– r = 16 rounds
– b = 10-byte (80-bit) secret key variable
– t = 2 (r + 1) = 2 (16 + 1) = 34 rounds
Important parameters in details
• “w”(bits) – variable word size• Allowable choice for “w” in RC5– 16,32 and 64
• Suggested 32
• “Two” word input (plaintext) block size – 64-bit
plaintext
• “Two” word output (ciphertext) block size – 64-bit
ciphertext
• Design accepts all w > 0
• Variable word size can exploit longer word length of
processors like 64 – bit processors.
Important parameters in details
• “r” – variable number of rounds• Tradeoff between high speed and high security.
• Allowed values 0-255
• Suggested – 12
• Higher the number of rounds provides increased levelof security.
• “S” – Expanded key table – derived from user’s secretkey.
• “t” – The size of table “S” (depends on “r”)
– t = 2 ( r + 1 ) words.
RC5 Algorithm – Key Expansion
• Requirements of key expansion
– Filling the expanded key table array S[0…t – 1]
with random binary words
• “t” – Size of table “S” => 2 ( r+1 )
– S table is not an “S-box” like DES.
• Entries in S sequentially, one at a time.
– Random binary words are derived from the K.
RC5 Algorithm
• Encryption Algorithm– Two w-bit words are denoted as A and B
A = A + S[0];
B = B + S[1];
for i = 1 to r doA = (( A⊕ B ) <<< B ) + S[ 2 * i ];
B = (( B⊕ A) <<< A ) + S[ 2 * i + 1];
The output is in the registers A and B.
Work is done on both A and B, unlike DES
where only half input is updated.
RC5 Algorithm
• Decryption Algorithm
– (easily derived from encryption)
– Two w-bit words are denoted as A and B
for i = r downto 1 do
B = (( B – S[ 2 * i + 1 ]) >>> A)⊕ A;
A = (( A – S[ 2 * i ] >>> B)⊕ B;
B = B - S[1];
A = A - S[0];
The output is in the registers A and B.
Blowfish
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
– fast implementation on 32-bit CPUs
– compact in use of memory
– simple structure eases analysis/implemention
– variable security by varying key size
• has been implemented in various products
Blowfish Key Schedule
• uses a 32 to 448 bit key
• used to generate – 18 32-bit subkeys stored in K-array Kj– four 8x32 S-boxes stored in Si,j
• key schedule consists of:– initialize P-array and then 4 S-boxes using pi
– XOR P-array with key bits (reuse as needed)
– loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values
– requires 521 encryptions, hence slow in rekeying
Blowfish Encryption
• uses two primitives: addition & XOR
• data is divided into two 32-bit halves L0 & R0for i = 1 to 16 do
Ri = Li-1 XOR Pi;
Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR i17;
• whereF[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,a
CAST-128
• 64-bit iterated block cipher
• key: 40 bits up to 128 bits (increments of 8 bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S.Tavares (1996)
• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996
CAST-128
• CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S1, S2, S3, S4) and for the key schedule (S5, S6, S7, S8)
• round operations: +, -, <<<,
• three round functions: f1, f2 and f3
• An official algorithm for use with the Canadian Government:
CAST-256
• a former candidate to the Advanced Encryption Standard (AES) Development Process (1997)
• 128-bit iterated block cipher
• 128-, 192- and 256-bit key
• 48 rounds for all key sizes
• generalized Feistel Network structure
• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996
Motivation
• symmetric encryption is used to provide message confidentiality
• Placement of encryption function
• Traffic confidentiality
• Key distribution
Confidentiality using Symmetric Encryption
• What to encrypt and where the encryption function should be located
• consider typical scenario:
(1) Eavesdropping bymembers
(2) dial-in,then intrude
(3) Tap into wire
(4) Monitor traffic
Typical scenario and attacks
• consider typical scenario– workstations on LANs access other workstations &
servers on LAN
– LANs interconnected using switches/routers
– with external lines or radio/satellite links
• consider attacks and placement in this scenario– snooping from another workstation
– use dial-in to LAN or server to snoop
– use external router link to enter & snoop
– monitor and/or modify traffic one external links
Placement of encryption
• have two major placement alternatives
• link encryption– encryption occurs independently on every link
– implies must decrypt traffic between links
– requires many devices, but paired keys for all links
• end-to-end encryption– encryption occurs between original source and
final destination
– need devices at each end with shared keys
Problems with routing• In a packet-switching network, we need packet header
to route packets– Link encryption: so packet must be decrypted before
routing• Vulnerable at each switch node
– End-to-end encryption: must leave headers in clear, so network can correctly route information• hence although contents protected, traffic pattern is not
protected
• ideally want both at once– end-to-end protects data contents over entire path
and provides authentication– link protects traffic flows from monitoring
Placement of encryption over OSI model
• can place encryption function at various layers in OSI Reference Model
Traffic Analysis
• In packet-switching network, the packet header cannot be encrypted
• Traffic analysis is monitoring of communications flows between parties– Ex. know who is talking to whom in military usage
• Traffic analysis reveals– Identities of partners– How frequently the partners are communicating– Message pattern, message length, quantity of
messages, …
Defense against traffic analysis
• link encryption obscures header details
– but overall traffic volumes in networks and at end-points is still visible
Traffic padding
Key Distribution
• symmetric schemes require both parties to share a common secret key
• issue is how to securely distribute this key
• often secure system failure due to a break in the key distribution scheme
Key Distribution methods
• given parties A and B have various key distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & physically deliver key to A & B
3. if A & B have communicated previously can use previous key to encrypt a new key
4. if A & B have secure communications with a third party C, C can relay key between A & B
Not suitablefor largesystems
Initial distribution?
Scale of key distribution problem
• A network with N hosts => N(N-1)/2 pairs
• Node-level encryption N(N-1)/2
• Application-level encryption
– 10 applications/node
Key distribution center (KDC)
Key distribution center (KDC)
KDC shares a unique key (master key) with each user to distributesecret key (session key) between a pair of users:
scale of key distribution problem reduces to N
EMK1 (Secret key)
Secret key Secret key
EMK2 (Secret key)
Key Distribution Scenariononce: an identifierthat differs for each request
Session key Identifier for A (ex. address)
Master key Ka Master key Kb
(avoid replay attack)
1. Verify the original request2. Avoid replay attack
Session key lifetime
• Short session key lifetime
– Key exchanges frequently => more secure
• Long session key lifetime
– Reduce key exchange time, and network capacity
• Two connection protocol (session<connection)
– Connectionless protocol (ex. UDP, HTTP)
• Not to use a new key for each session, use a given session key for a fixed period of time
– Connection-oriented protocol (ex. TCP)
• The same key for the connection; or update the key periodically if the connection has long lifetime
Transparent key control scheme
• End-to-end encrypt at network (transport) layer, which is transparent to users
? No authentication
Decentralized key control
• KDC trusted?
• Decentralized: assume there is one master key for each pair of end systems
shared master key
session key
Master key are used for a short time, cryptanalysis is difficult
Nonce for authentication
Introduction to public-key cryptosystems
• Recall: symmetric ciphers– One secret key, shared by sender and receivers
(symmetric)
– Based on substitution and permutation
– Problem:• Key distribution
• Digital signature: a kind of signature used in paper document
• Deffie and Hellman proposed the public-key cryptosystem to address the above two problems in 1976
Preview of public-key systems
• Features of public-key system
– Asymmetric: a public key and a private key
– Algorithm based on mathematical functions
• Fallacies
– Public-key is more secure than symmetric encryption
– Public-key encryption is a general-purpose technique that will make symm. encrypt. obsolete
– Key distribution is trivial is easier for public-key encryption than symmetric encryption
Public-key encryption• One-key for encryption
• A different but related key for decryption
– It is computational infeasible to determine the decryption key given the crypto. algorithm and the encryption key
Steps in public-key encryption
1. Each user generates a pair of keys for encryption and decryption
(In RSA, these two keys can exchange 加解密皆可)
2. One key (public key) is announced publicly. The other key is kept private.
Q: key distribution problem? (Chap. 10)
3. Bob sends encrypted message to Alice using Alice’s public key.
4. Only Alice can decrypt the message using her private key.
Requirement for public-key cryptography
• Diffie and Hellman (1976) proposed the system without the algorithm for E and D. They laid out the requirement:
– It is computationally easy to generate a pair of keys
– It is computationally easy for a sender to encrypt
– It is computationally easy for a receiver to decrypt
– It is computationally infeasible for an opponent, knowing the public key, to determine the private key
– It is computationally infeasible for an opponent, knowing the public key and ciphtertext, to recover the plaintext
Y = EKU (X)b
X = DKR (Y)b
The algorithms that satisfy public-key requirement
• RSA (Rivest-Shamir-Adleman) 1978
– Number theory
• Elliptic curve cryptography
Trap-door one-way function
• Public-key encryption is a one-way function
– Every function value has a unique inverse
domain target
Y=f(X): easy
X=f-1 (Y): infeasible ( > polynomial time)
• It is hard to determine the complexity to compute the inverse• Not a traditionally complexity problem, which focuses on the worst-case or average-case complexity
Trap-door one-way function (cont.)
• Open a trap-door using the private key…
domain target
Y=f(X): easy
X=f-1 (Y): infeasible ( > polynomial time)
X=fK-1 (Y): easy if trap-door K is known
( ~ polynomial time)
Public-key system for authentication身份認證
• Recall: the problem of digital signature
• Only Bob has the private keyto encrypt !!!
(server asdigital signature)
Public-key cryptanalysis
• Brute-force attack: search the private key
– Solution: use large keys
– Tradeoffs: complexity of encrypt/decrypt using large keys security using large keys
– Public-key system are currently too slow for general-purpose use, only used for key management and signature application
• Compute private key given the public key
– Not proved to be infeasible
Public-key cryptanalysis (cont.)
• Probable-message attack
– Ex. encrypt 56-bit DES key
Public-keyencryption
56-bitDES key
C
Public-key
Attack:
Public-keyencryption
C1
Public-key
000…000000…001000…010000…011….111…111
Try allDES Key
C2
C3
…
Ck= C
Solution: append thingsin the plaintext
RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
– nb. exponentiation takes O((log n)3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e log n log log n) operations (hard)
RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e• where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d– e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}
RSA Use
• to encrypt a message M the sender:– obtains public key of recipient KU={e,N}
– computes: C=Me mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:– uses their private key KR={d,p,q}
– computes: M=Cd mod N
• note that the message M must be smaller than the modulus N (block if needed)
Why RSA Works
• because of Euler's Theorem:• aø(n)mod N = 1
– where gcd(a,N)=1
• in RSA have:– N=p.q
– ø(N)=(p-1)(q-1)
– carefully chosen e & d to be inverses mod ø(N)– hence e.d=1+k.ø(N) for some k
• hence :Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q = M1 = M mod N
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
RSA Example cont
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 887 mod 187 = 11
• decryption:
M = 1123 mod 187 = 88
Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n – eg. 75 = 74.71 = 3.7 = 10 mod 11
– eg. 3129 = 3128.31 = 5.3 = 4 mod 11
RSA Key Generation
• users of RSA must:– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from modulus N=p.q– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other
RSA Security
• three approaches to attacking RSA:
– brute force key search (infeasible given size of numbers)
– mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)
– timing attacks (on running of decryption)
Factoring Problem
• mathematical approach takes 3 forms:– factor N=p.q, hence find ø(N) and then d
– determine ø(N) directly and find d
– find d directly
• currently believe all equivalent to factoring– have seen slow improvements over the years
• as of Aug-99 best is 130 decimal digits (512) bit with GNFS
– biggest improvement comes from improved algorithm• cf “Quadratic Sieve” to “Generalized Number Field Sieve”
– barring dramatic breakthrough 1024+ bit RSA secure• ensure p, q of similar size and matching other constraints
Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures– use constant exponentiation time
– add random delays
– blind values used in calculations
• Discovered by Whitfield Diffie and Martin Hellman
– “New Directions in Cryptography”
• Diffie-Hellman key agreement protocol
– Exponential key agreement
– Allows two users to exchange a secret key
– Requires no prior secrets
– Real-time over an untrusted network
The Diffie-Hellman Algorithm
Implementation
• P and G are both publicly available numbers
– P is at least 512 bits
• Users pick private values a and b
• Compute public values
– x = ga mod p
– y = gb mod p
• Public values x and y are exchanged
Implementation
• Compute shared, private key
– ka = ya mod p
– kb = xb mod p
• Algebraically it can be shown that ka = kb
– Users now have a symmetric secret key to encrypt
Example
• Two Internet users, Alice and Bob wish to have a secure conversation.
– They decide to use the Diffie-Hellman protocol
Example
• Alice and Bob get public numbers– P = 23, G = 9
• Alice and Bob compute public values– X = 94 mod 23 = 6561 mod 23 = 6
– Y = 93 mod 23 = 729 mod 23 = 16
• Alice and Bob exchange public numbers
Applications
• Diffie-Hellman is currently used in many protocols, namely:
– Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
– Secure Shell (SSH)
– Internet Protocol Security (IPSec)
– Public Key Infrastructure (PKI)
Pseudorandom numbers
• One of a sequence of numbersgenerated by some algorithm so as to have an even distribution over some range of values and minimal correlation between successive values.Pseudorandom numbers are used in simulation and encryption.
Malicious Software
What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow.
—On War, Carl Von Clausewitz
Viruses and Other Malicious Content
• computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies (often exaggerated)
• getting more attention than deserve
• are a concern though
Viruses
• piece of software that infects programs
– modifying them to include a copy of the virus
– so it executes secretly when host program is run
• specific to operating system and hardware
– taking advantage of their details and weaknesses
• a typical virus goes through phases of:
– dormant
– propagation
– triggering
– execution
Worms
• Replicating program that propagates over net
– using email, remote exec, remote login
• has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects to it, copies self to it and runs
• may disguise itself as a system process
• concept seen in Brunner’s “Shockwave Rider”
• implemented by Xerox Palo Alto labs in 1980’s
Virus Structure
• components:– infection mechanism - enables replication
– trigger - event that makes payload activate
– payload - what it does, malicious or benign
• prepended / postpended / embedded
• when infected program invoked, executes virus code then original program code
• can block initial infection (difficult)
• or propogation (with access controls)
Virus Classification
• boot sector
• file infector
• macro virus
• encrypted virus
• stealth virus
• polymorphic virus
• metamorphic virus
Macro Virus
• became very common in mid-1990s since
– platform independent
– infect documents
– easily spread
• exploit macro capability of office apps
– executable program embedded in office doc
– often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs
E-Mail Viruses
• more recent development
• e.g. Melissa
– exploits MS Word macro in attached doc
– if attachment opened, macro activates
– sends email to all on users address list
– and does local damage
• then saw versions triggered reading email
• hence much faster propagation
Virus Countermeasures
• prevention - ideal solution but difficult
• realistically need:
– detection
– identification
– removal
• if detect but can’t identify or remove, must discard and replace infected program
Anti-Virus Evolution
• virus & antivirus tech have both evolved
• early viruses simple code, easily removed
• as become more complex, so must the countermeasures
• generations– first - signature scanners
– second - heuristics
– third - identify actions
– fourth - combination packages
Generic Decryption
• runs executable files through GD scanner:
– CPU emulator to interpret instructions
– virus scanner to check known virus signatures
– emulation control module to manage process
• lets virus decrypt itself in interpreter
• periodically scan for virus signatures
• issue is long to interpret and scan
– tradeoff chance of detection vs time delay
Worms
• replicating program that propagates over net
– using email, remote exec, remote login
• has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects to it, copies self to it and runs
• may disguise itself as a system process
• concept seen in Brunner’s “Shockwave Rider”
• implemented by Xerox Palo Alto labs in 1980’s
Morris Worm
• one of best know worms
• released by Robert Morris in 1988
• various attacks on UNIX systems– cracking password file to use login/password to
logon to other systems
– exploiting a bug in the finger protocol
– exploiting a bug in sendmail
• if succeed have remote shell access– sent bootstrap program to copy worm over
Recent Worm Attacks
• Code Red– July 2001 exploiting MS IIS bug
– probes random IP address, does DDoS attack
• Code Red II variant includes backdoor
• SQL Slammer– early 2003, attacks MS SQL Server
• Mydoom– mass-mailing e-mail worm that appeared in 2004
– installed remote access backdoor in infected systems
• Warezov family of worms– scan for e-mail addresses, send in attachment
Worm Technology
• multiplatform
• multi-exploit
• ultrafast spreading
• polymorphic
• metamorphic
• transport vehicles
• zero-day exploit
Mobile Phone Worms
• first appeared on mobile phones in 2004
– target smartphone which can install s/w
• they communicate via Bluetooth or MMS
• to disable phone, delete data on phone, or send premium-priced messages
• CommWarrior, launched in 2005
– replicates using Bluetooth to nearby phones
– and via MMS using address-book numbers
Worm Countermeasures
• overlaps with anti-virus techniques
• once worm on system A/V can detect
• worms also cause significant net activity
• worm defense approaches include:– signature-based worm scan filtering
– filter-based worm containment
– payload-classification-based worm containment
– threshold random walk scan detection
– rate limiting and rate halting
Distributed Denial of Service Attacks (DDoS)
• Distributed Denial of Service (DDoS) attacks form a significant security threat
• making networked systems unavailable
• by flooding with useless traffic
• using large numbers of “zombies”
• growing sophistication of attacks
• defense technologies struggling to cope
Constructing an Attack Network
• must infect large number of zombies
• needs:
1. software to implement the DDoS attack
2. an unpatched vulnerability on many systems
3. scanning strategy to find vulnerable systems
– random, hit-list, topological, local subnet
DDoS Countermeasures
• three broad lines of defense:1. attack prevention & preemption (before)
2. attack detection & filtering (during)
3. attack source traceback & ident (after)
• huge range of attack possibilities
• hence evolving countermeasures
Intruders
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
Intruders
• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
• awareness of intruders has led to the development of CERTs
Intrusion Techniques
• aim to gain access and/or increase privileges on a system
• basic attack methodology – target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– defaults, short passwords, common word searches
– user info (variations on names, birthday, phone, common words/interests)
– exhaustively searching all possible passwords
• check by login or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login • eg. telnet, FTP, web, email
– extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a legitimate user
– but will have imperfect distinction between
Approaches to Intrusion Detection
• statistical anomaly detection
– threshold
– profile based
• rule-based detection
– anomaly
– penetration identification
Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, markov process, time series, operational
• key advantage is no prior knowledge used
Rule-Based Intrusion Detection
• observe events on system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection– analyze historical audit records to identify usage
patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if conforms
– like statistical anomaly detection does not require prior knowledge of security flaws
Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– compare audit records or states against rules
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify knowledge of security admins
– quality depends on how well this is done
Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
• should protect password file on system
Managing Passwords - Education
• can use policies and good user education
• educate on importance of good passwords
• give guidelines for good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– not dictionary words
• but likely to be ignored by many users
Managing Passwords - Computer Generated
• let computer create passwords
• if random likely not memorisable, so will be written down (sticky label syndrome)
• even pronounceable not remembered
• have history of poor user acceptance
• FIPS PUB 181 one of best generators– has both description & sample code
– generates words from concatenating random pronounceable syllables
Managing Passwords - Reactive Checking
• reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• cracked passwords are disabled
• but is resource intensive
• bad passwords are vulnerable till found
Managing Passwords - Proactive Checking
• most promising approach to improving password security
• allow users to select own password
• but have system verify it is acceptable– simple rule enforcement (see earlier slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter) to detect poor choices
Firewall
• Effective means of protecting local network of systems from network-based security threats from outer world
– while providing (limited) access to the outside world (the Internet)
Need of Firewall
• Internet connectivity is a must for most people and organizations– especially for me
• But a convenient Internet connectivity is an invitation for intruders and hackers– yet another example of tradeoff between convenience and
security– Question: What do we mean by “convenient” Internet
connection?
• Firewall basically provides us an option to play within the spectrum of this tradeoff
Firewall Basics• The firewall is inserted between the internal
network and the Internet (a choke point)– Establish a controlled link and protect the network
from Internet-based attacks• keeps unauthorized users away,• imposes restrictions on network services; only authorized
traffic is allowed
– Location for monitoring security-related events• auditing, alarms can be implemented
– some firewalls supports IPSec, so VPNs can be implemented firewall-to-firewall
– some firewalls support NAT (not so security related)
• Open discussion: can’t we put one firewall for each station within the local network? What are pros and cons?
Firewall Characteristics
• Design goals:
– All traffic from inside from/to outside must pass through the firewall
– Only authorized traffic (defined by the local security policy) will be allowed to pass
– The firewall itself should be immune to penetration (use of trusted system with a secure operating system)
Firewall Limitations
• cannot protect from attacks bypassing it– typical example: dial-in, dial-out
• cannot protect against internal threats– e.g. fired sysadmin
• cannot protect against transfer of all virus infected programs or files– because of heavy traffic and huge range of O/S & file
types
Types of Firewalls
• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways (not common, so skipped)
Packet-filtering Router• Foundation of any firewall system
• Applies a set of rules to each incoming IP packet and then forwards or discards the packet (in both directions)
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
• context is not checked
• Two default policies (discard or forward)
Packet-filtering Router• Filtering rules are based on
– Source and Destination IP addresses– Source and destination ports (services) and transport
protocols (TCP or UDP)– Router’s physical interface
• Rules are listed and a match is tried to be found starting with the first rule– Action is either forward or discard– Generally first matching rule is applied– If no match, then default policy is used
• Default is either discard or forward
21
21
{our hosts}
Packet Filtering Examples
{our hosts}
{our hosts}
For data traffic in passive mode
Stateful Inspection • Example E shows that
>1024 ports need to be opened– not only due to FTP, all services have such a structure
• <1024 ports are for servers, a client using a service should use a local port number between 1024 and 16383
• So the firewall should keep track of the currently opened >1024 ports
• A stateful inspection firewall keeps track of outbound TCP connection with local port numbers in a table and allow inbound traffic for >1024 ports if there is an entry in that table (see next slide for an example table)
Packet-filtering Router
• Advantages:– Simplicity– High speed– Transparency to users
• Disadvantages– Difficulty of setting up packet filter rules
• configuration is error-prone
– a port is either open or close; no application layer flexibility
– IP address spoofing• attacker uses an internal IP address and hopes that packet
penetrates into the system• countermeasure: do not accept internal IPs from external interface
Application-level Gateway• Application-level Gateway (proxy server)
– Acts as a relay of application-level traffic
• Proxy obtains application specific information from the user and relays to the server– Optionally authenticates the users
• Only allowable applications can pass through– Feature-based processing is possible
• Additional processing overhead on each connection
Bastion Host
• A system identified by the firewall administrator as a critical strong point in the network security
– Used in various firewall configuration (we’ll see now)
• The bastion host serves as a platform for an application-level gateway
– i.e. a proxy
• Potentially exposed to "hostile" elements, hence is secured to withstand this
– Trusted system
– Carefully configured and maintained
Firewall Configurations
• In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
Screened host firewall system (dual-homed bastion host)
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
Dual-homed Bastion Host
• Good security because of two reasons:– This configuration implements both packet-level and
application-level filtering
– An intruder must generally penetrate two separate systems in order to get to the internal network
• This configuration also has flexibility in providing direct Internet access to a public information server, e.g. Web server– by configuring the router
Screened-subnet Firewall System• securer• creates an isolated sub-network between routers
– Internet and private network have access to this subnet– Traffic across the subnet is blocked– This subnet is called DMZ (demilitarized zone)
• Internal network is invisible to the Internet
DMZ
Outside packet
filtering router
Inside packet
filtering router
Host-Based Firewalls
• Software module to secure individual hosts
– filter packet flows
– Available as add-on for many OSs
• Often used on servers
• Advantages:
– additional layer of protection to organizationalfirewall
– tailored filter rules for specific host needs
– protection from both internal / external attacks
Personal Firewall• controls traffic flow to/from PC/workstation
• for both home or corporate use
• software module on PC– or in home cable/ADSL router/gateway
• typically less complex than standalone firewalls
• primary role to deny unauthorized access– may also monitor/detect/block malware activity