CSCE 715: Network Systems Security
Chin-Tser Huang
huangct@cse.sc.edu
University of South Carolina

A Security Problem in Network
• An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network
• These inserted, modified, and replayed messages can go undetected until they cause severe damage to the network
• The physical location of the adversary in the network may never be determined
• Cannot be mitigated by an end-to-end security scheme
• Example: denial-of-service attacks

Denial-of-Service (DoS) Attacks
• Aimed to deny the normal service provided by the target computer
• Communication-stopping attacks
  • ARP spoofing attack
• Resource-exhausting attacks
  • Smurf attack
  • SYN attack

Ping Protocol
• Allows any computer to check whether any other computer in the Internet is up
• Any computer x can send a "ping" message to any computer y, which replies by sending back a "pong" message (thus x knows y is up)
• In ping message: src = x and dst = y
• In pong message: src = y and dst = x
[diagram: x sends ping(x, y) to y; y replies with pong(y, x)]

Broadcast Ping Protocol
• If in the ping message dst = "all", a copy of the ping is broadcast to every computer
• Each computer replies by sending back a pong, and x is flooded with pong messages
• In ping message: src = x and dst = "all"
• In pong messages: src = y, y', ... and dst = x
[diagram: x sends ping(x, all); y replies pong(y, x) and y' replies pong(y', x)]

Smurf Attack
• An adversary pretends to be x and broadcasts a ping message where src = x and dst = "all"
• Thus, x is flooded with pong messages that it has not requested: a denial-of-service attack at x
[diagram: adversary a sends ping(x, all); y and y' send pong(y, x) and pong(y', x) to x]

Countering Smurf Attack
• Make each router check the src of each received message and discard the message if the src is suspicious
[diagram: routers R1, R2, R3 between a and x; the router receiving ping(x, all) from a observes "src = x shouldn't come to me"]

Clever Smurf Attack
• An adversary inserts a ping(x, all) message between routers R2 and R3
• R3 thinks the message was forwarded by R2 and so accepts the message
[diagram: routers R1, R2, R3; a injects ping(x, all) on the link between R2 and R3]

Countering Clever Smurf Attack
• When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was modified or replayed by an adversary between R3 and R2
• If IPsec were used, SAs would need to be set up between each pair of adjacent routers: too expensive
• Our solution: use a hop integrity protocol between each pair of adjacent routers
Hop Integrity
• Let p, q be routers connected to the same subnetwork
• Detection of Message Modification:
  • when q receives a message m supposedly from p, q can check that m was not modified after it was sent
• Detection of Message Replay:
  • when q receives a message m supposedly from p, q can check that m is not a replay of an old message

Adversary vs. Routers
• The adversary can perform three types of actions to disrupt communication between two routers
  • Message loss
  • Message modification
  • Message replay
• The routers are assumed to be secure and cannot be compromised by the adversary
• The routers will execute hop integrity protocols that can detect and defeat the adversary's actions

Hop Integrity Protocol
• Each pair of adjacent routers needs to share a secret S, which is updated periodically by the two routers using a secret exchange protocol
• To each IP message sent between two adjacent routers, add a sequence number seq and an integrity check d
  • d := MD(S | hdr | seq | txt)
  • MD: MD5 or SHA-1
  • d: 16 bytes if MD5; 20 bytes if SHA-1
  • seq: 4 bytes
[diagram: the IP message (hdr | txt) is sent as (hdr | seq | d | txt)]

Architecture of Hop Integrity Protocols
[diagram: routers p and q each have the stack Application, Transport, secret exchange layer (pe in p, qe in q), Network, integrity check layer (pw or ps in p, qw or qs in q), Subnetwork; the secret exchange layer supplies the secrets used by the integrity check layer]

Components of Hop Integrity Protocols
• Three protocols between each pair of adjacent routers
  • secret exchange protocol
  • weak integrity protocol
  • strong integrity protocol
How to Exchange Secret
• Each router p has a secret S that it uses for computing the digest of every msg sent to an adjacent router q
• Both p and q need to know S
• What if p sends a secret update message to q periodically?
  • Problem due to message loss
• What if p sends a secret update message to q periodically and q sends an ack to p?
  • Problem due to bundling of the secret exchange layer and the integrity check layer

Secret Exchange Protocol
• q updates the secret S used by p by sending a secret update message to p every T hours
• When p receives a secret update message from q, p updates its secret and sends an ack to q
• If q does not receive the ack from p for t seconds, q retransmits the secret update message
Secret Exchange Protocol
[diagram: q keeps S[0] (old) and S[1] (new); p keeps S; initially S[0] = S[1] = S]
• Every T hours, q chooses a new S[1] (S[0] is the old secret) and sends Bp S[0], S[1] to p
• p: if S = S[0] or S = S[1] then S := S[1]; p replies with Bq S
• q: if S[1] = S then S[0] := S[1]
• Afterwards S[0] = S[1] = S again, and the cycle repeats T hours later

Recovery from Message Loss in Secret Exchange Protocol
[diagram: the same exchange, with messages lost]
• If the secret update message Bp S[0], S[1] is lost, q receives no ack; after t seconds q retransmits it, p applies the update (if S = S[0] or S = S[1] then S := S[1]) and replies Bq S
• If the ack Bq S is lost, q retransmits the update after t seconds; p already has S = S[1], so the check still passes and p replies Bq S again; q then sets S[0] := S[1]
• In both cases the protocol ends with S[0] = S[1] = S
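The secret exchange above, with q retransmitting after t seconds, as an added simulation (not code from the slides or the authors' implementation). The slides write the update as Bp S[0], S[1] and the ack as Bq S; here the message contents are modelled in the clear, and the per-round loss sets and the choice of 16-byte random secrets are assumptions for the demo.

```python
import os

class RouterQ:
    """q keeps S[0] (old) and S[1] (new) and drives each update."""
    def __init__(self, s: bytes):
        self.S = [s, s]
    def new_update(self):                     # every T hours: pick a fresh S[1]
        self.S[1] = os.urandom(16)
        return self.update_msg()
    def update_msg(self):                     # the slides' Bp S[0], S[1]
        return ("update", self.S[0], self.S[1])
    def on_ack(self, s: bytes) -> None:
        if self.S[1] == s:                    # p confirmed the new secret
            self.S[0] = self.S[1]

class RouterP:
    """p keeps a single secret S and answers every update with an ack (the slides' Bq S)."""
    def __init__(self, s: bytes):
        self.S = s
    def on_update(self, s0: bytes, s1: bytes):
        if self.S == s0 or self.S == s1:      # p holds the old secret, or already the new one
            self.S = s1
        return ("ack", self.S)

def run_exchange(lose_update=(), lose_ack=()) -> dict:
    """Constructed run of one secret update. Round r loses the update message if
    r in lose_update and the ack if r in lose_ack; q retransmits after t seconds."""
    s = os.urandom(16)                        # the secret both routers start with
    p, q, r = RouterP(s), RouterQ(s), 0
    msg = q.new_update()
    while q.S[0] != q.S[1]:                   # q retransmits until the ack arrives
        r += 1
        if r not in lose_update:
            ack = p.on_update(msg[1], msg[2])
            assert p.S in q.S                 # p's msgs still verify under S[0] or S[1]
            if r not in lose_ack:
                q.on_ack(ack[1])
        msg = q.update_msg()                  # t seconds elapse: retransmit the same update
    return {"rounds": r, "converged": p.S == q.S[0] == q.S[1] != s}
```

The assertion inside the loop is the reason q keeps both secrets: whichever message is lost, the secret p is using is always one of S[0], S[1], so the integrity check layer never rejects p's traffic during an update.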
Weak Integrity Protocol
• To detect insertion and modification
• Each msg sent from p to q is of the form (hd | d | txt), where p computes d as d = MD(S | hd | txt)
• On receiving a msg, q checks:
  if d = MD(S[0] | hd | txt) or d = MD(S[1] | hd | txt) then q forwards msg else q discards msg

Weak Integrity Protocol
[diagram: p, holding S, sends (hd | d | txt) to q, which holds S[0] and S[1]]

Strong Integrity
• To detect replay, successive sequence numbers are attached to all msgs sent from p to q
• Problem with reset
  • If p is reset, an unbounded number of fresh messages are discarded by q
  • If q is reset, it can accept an unbounded number of replayed messages
• Two solutions to overcome reset
  • Soft sequence numbers
  • Hard sequence numbers

Soft Sequence Numbers
• Successive sequence numbers are attached to all msgs sent from p to q: (hd | sq | txt)
• q maintains three variables
  • exp: sequence number of the next msg
  • c: number of msgs received
  • cmax: random value, changed when c reaches it
• On receiving a msg, q checks:
  if (exp ≤ sq) or (c = cmax) then q forwards msg else q discards msg fi; q updates exp, c, cmax

Soft Sequence Numbers
[diagram: p sends (hd | sq | txt), (hd | sq+1 | txt), ...; q tracks exp, c and cmax: c = 0, c = 1, ..., and when c = cmax q chooses a new cmax and sets c = 0]

Strong Integrity Protocol Using Soft Sequence Numbers
• Each msg sent from p to q is of the form (hd | sq | d | txt), where p computes d as d = MD(S | hd | sq | txt)
• On receiving a msg, q checks:
  if (d = MD(S[0] | hd | sq | txt) or d = MD(S[1] | hd | sq | txt)) and (exp ≤ sq or c = cmax, where cmax is a random value) then q forwards msg else q discards msg fi; q updates exp, c, cmax
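The weak and strong integrity checks above (digest under S[0] or S[1], plus soft sequence numbers), as an added simulation that is not code from the slides or the authors' Linux implementation. It uses SHA-1 for MD as the slides allow; the exact rule for updating c and cmax (count every digest-valid message, pick a new cmax when c passes it), the cmax range 4..8 and the sample header, secrets and texts are assumptions for the demo.

```python
import hashlib
import random
def digest(secret: bytes, hd: bytes, sq: int, txt: bytes) -> bytes:
    # d = MD(S | hd | sq | txt) with MD = SHA-1 as on the slides (a keyed MAC such as HMAC is the modern choice)
    return hashlib.sha1(secret + hd + sq.to_bytes(4, "big") + txt).digest()

class SenderP:
    def __init__(self, secret: bytes):
        self.S, self.sq = secret, 0               # shared secret, next sequence number
    def send(self, hd: bytes, txt: bytes):        # message (hd | sq | d | txt)
        msg = (hd, self.sq, digest(self.S, hd, self.sq, txt), txt)
        self.sq += 1
        return msg

class ReceiverQ:
    def __init__(self, old: bytes, new: bytes, rng: random.Random, cmax_range=(4, 8)):
        self.S = [old, new]                       # S[0] old, S[1] new (from the secret exchange)
        self.exp, self.c = 0, 0                   # expected next sq; msgs counted since cmax was chosen
        self.rng, self.cmax_range = rng, cmax_range
        self.cmax = rng.randint(*cmax_range)      # random resync point
    def receive(self, msg) -> bool:
        hd, sq, d, txt = msg
        if not any(d == digest(s, hd, sq, txt) for s in self.S):
            return False                          # inserted or modified: discard
        accept = self.exp <= sq or self.c == self.cmax
        if accept:
            self.exp = sq + 1                     # also resyncs exp after a sender reset
        self.c += 1                               # assumed update rule: count every digest-valid msg
        if self.c > self.cmax:                    # cmax reached: choose a new cmax, c = 0
            self.c, self.cmax = 0, self.rng.randint(*self.cmax_range)
        return accept

def run_demo(seed: int = 7) -> dict:
    """Constructed scenario: modification, replay, secret rotation, then a sender reset."""
    old, new = b"S-old-secret", b"S-new-secret"                 # constructed sample secrets
    p, q, hd = SenderP(old), ReceiverQ(old, new, random.Random(seed)), b"IPHDR"
    m0, m1, m2 = (p.send(hd, b"txt%d" % i) for i in range(3))
    out = {"fresh": [q.receive(m) for m in (m0, m1, m2)]}       # all forwarded
    out["modified"] = q.receive((m0[0], m0[1], m0[2], b"evil"))  # digest mismatch: discarded
    out["replay"] = q.receive(m1)                                # sq < exp: discarded
    p.S = new                                                    # p has switched to the new secret
    out["after_rotation"] = q.receive(p.send(hd, b"txt3"))       # verifies under S[1]
    p.sq = 0                                                     # p resets and restarts its counter
    tries = []
    while not (tries and tries[-1]):              # discarded until c = cmax or sq catches up with exp
        tries.append(q.receive(p.send(hd, b"again")))
    out["resync_discards"] = len(tries) - 1
    out["after_resync"] = [q.receive(p.send(hd, b"more")) for _ in range(2)]
    return out
```

The reset part shows the point of soft sequence numbers: after p restarts at sq = 0, q discards only a bounded number of fresh messages (at most until c reaches cmax, or until sq catches up with exp) before the two resynchronise.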
Hard Sequence Numbers
• To overcome reset, use two operations SAVE and FETCH
• When SAVE is executed, the last sequence number is stored in persistent memory
• When FETCH is executed, the last stored sequence number is loaded from persistent memory into memory

Strong Integrity Protocol Using Hard Sequence Numbers
• Each msg sent from p to q is of the form (hd | sq | d | txt), where p computes d as d = MD(S | hd | sq | txt)
• On receiving a msg, q checks:
  if (d = MD(S[0] | hd | sq | txt) or d = MD(S[1] | hd | sq | txt)) and (exp ≤ sq) then q forwards msg else q discards msg fi; q updates exp
• p and q execute SAVE periodically
• When waking up from a reset, p (or q) executes FETCH to fetch the last stored seq#, executes SAVE to store the next seq#, and continues after SAVE finishes

Tradeoff between Soft and Hard Sequence Numbers
• Soft sequence numbers are easier to implement
  • Do not require SAVE and FETCH operations and do not require persistent memory
• Hard sequence numbers provide better security
  • When soft sequence numbers are used, the adversary has a chance, although small, to guess and get its sequence number accepted
  • When hard sequence numbers are used, p and q stick to their sequence numbers and leave the adversary no chance
Other Applications of Hop Integrity
• Mobile IP
• Secure multicast
• Security of routing protocols

Mobile IP
• A mobile computer c can visit a foreign network F other than its home network H
• Msgs destined for c will be received by its home agent (HA) and forwarded to its foreign agent (FA)
[diagram: msg m travels over the Internet to the HA in H, is forwarded to the FA in F, and reaches c]

Problem with Mobile IP
• Mobile computer c can send a msg through the FA
• However, this msg may be filtered out by the next router q because its source address is "strange"
[diagram: msg m from c passes through the FA to router q, which questions its source]

Mobile IP with Hop Integrity
• With integrity check d added to msg m, q can check that m was indeed forwarded by the FA
• Thus, q ignores the strange source of msg m and forwards m toward its ultimate destination
[diagram: (m, d) from c passes through the FA to q, which forwards it onward]

Multicast
• Multicast msgs are forwarded through a spanning tree from the root to every multicast destination
• If a destination receives a multicast msg, then each destination receives a copy of the same msg with high probability
Security Problem with Multicast
• If an adversary inserts or modifies a multicast msg between two routers in the middle of the tree, then only a small fraction of the multicast destinations receive the inserted or modified msg

Multicast with Hop Integrity
• With hop integrity, an inserted or modified multicast message will be detected and discarded at its first hop in the spanning tree

Routing Information Protocol (RIP)
• Every 30 seconds, the RIP process in router R' sends its routing table in a response msg to the RIP process in each adjacent router R
• R updates its routing table when it receives a response msg from any adjacent R'
• Security problem
[diagram: two routers R and R', each running RIP over UDP over IP, exchanging response msgs]

RIP with Hop Integrity
• With hop integrity, the response msgs are protected against message modification, insertion, and replay
[diagram: in each router the stack is RIP, UDP, Secret Update, IP, Integrity Check; the Secret Update layer sits above IP and the Integrity Check layer below it]

Security of Routing Protocols
• Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols
  • OSPF protocols (Hello, Exchange, Flood)
  • RSVP
• Better than the custom security mechanisms that have been proposed for some protocols

Implementation of Hop Integrity
• Implementation of hop integrity protocols in the Linux kernel
• Add the integrity check digest and soft sequence number to the IP options in the IP header
  • Compatible with legacy routers
  • Flexibility of deployment

Related Works
• Ingress filtering [RFC2827]:
  • Completes hop integrity
• Secure routing [Che97, MB96, SMG97]:
  • Not needed if hop integrity is installed
• Traceback [BLT01, SWK+01, SPS+01]:
  • Cannot prevent denial-of-service attacks, but can detect some of them
• IPsec [KA98a]:
  • Has goals other than dealing with denial-of-service attacks

Next Class
• Security in the transport layer
  • SSL and TLS
  • Application of SSL/TLS in Web security
• Read Chapter 17