800 likes | 823 Views
Learn about the various attacks on the TCP/IP protocol suite, including malware, phishing, and denial of service. Explore software-based attacks like viruses and worms, hardware-based attacks on BIOS and USB devices, and attacks on virtualized systems. Discover how to protect against these attacks and safeguard your data and systems.
E N D
Security Credit: most slides from Forouzan, TCP/IP protocol suit TCP/IP Protocol Suite
Phishing: Masquerading as a well-known site to obtain a user’ personal info. Denial of Service: Intentionally blocking a site to prevent business activities. Loss of control: an intruder gains control of a system. Loss of data: Steal or delete. Criminal Expoits and Attacks TCP/IP Protocol Suite
Attacks • Software Based Attackes • Malware – Malicious software – damaging or annoying software. Viruses or worms. • Hardware Based Attacks • Bios, USB devices, NAS, Cell phones • Attacks on Virtualized Systems
Software based attacks: Viruses • Attaches to a legitimate software (carrier, a program or document) and then replicates through other programs, devices, emails, instant messaging, etc. • Computer crashes, destruction of HD, fill up HD, Reduce security settings allowing others to come in, reformat HD, etc. • File infecting virus attaches to executables (such as cascade virus), resident virus loaded into RAM (such as Randex, Meve, MrKlunky), Boot virus infects MBR (Polyboot.B , AntiEXE), companion virus adds program to OS replacing legitimate OS programs (Stator, Asimove.1539), Macro virus written in any macro scripting (Melissa.A, Bablas.Pc). • Polymorphic virus changes itself to avoid detection
Worms Stand alone programs Takes advantage of the OS/application vulnerabilities. Worms uses networks to send copies of itself slowing down networks. While virus requires user action to start an infected program, worms do not (can start executing itself). Worms as they travel through internet can leave a payload behind on each system which can delete files or allow remote controlling of the system.
Concealing malware Trojan horses, rootkits, logic bombs and privilege escalation.
Trojan Horse Installed with the knowledge of the user. A program advertised as a utility but actually does something else (screen saver, calendar, player, etc.). These programs may do a legitimate activity, but also might capture credit card info, etc and send it.
Rootkits Programs installed on computers that takes control of certain aspects of the computer by replacing OS utilities. Sony installed a program on their CDs (2005) preventing copying of the CD by operating system routines. Others used this idea and created their own, or added features to Sony’s program. Rootkits do not spread themselves. Very difficult to remove from HD. Boot from another device and see if problems disappear.
Logic Bombs Lies Dormant until triggered by an event such as a date, person fired, etc. Usually done by employees. Very difficult to discover before triggered. Embedded in large programs.
Privilege Escalation Either change own privilege to higher level, or use another employees higher privilege. Done by exploiting vulnerabilities of OS.
Malware for profit • Spam, spyware and botnets • Spam • Waste of time, checking and deleting. Email lists are sold by many ISPs, and other sites.
Spyware • Tracking software installed without the knowledge of the user. Advertises and Collects and distributes personal information. Harder to detect and remove than viruses. Causes the computer to slow down, freezes up, new browser toolbars or menus installed, hijacked homepage and increased popups. • Adware – a software that delivers advertising for gambling sites or pornography. Keeps track of browsing behavior and reports to give specific pop-ups for merchandize. • Keyloggers. A small hardware attached to the keyboard interface or a resident software that monitors and logs each keystroke.
Botnets Programs that render your computer to be controlled remotely. The computer is called a zombie. Thousands of zombie computers under the control of a single attacker is called a botnet. Attackers use internet relay chat (IRC) to remotely control the zombies. Zombies are used for spamming, spreading malware, denying services, etc.
Hardware based attacks • BIOS • BIOS can be flashed with viruses or rootkits. Flashing the bios can render the computer useless until it is replaced. You can write protect BIOS to prevent this from happening. • USB devices • NAS and SANs can get all malware discussed. • Cell phones – infected messages, launch attacks, make calls, etc.
Attacks on Virtualized systems • Operating system virtualization with virtual machine • Storage virtualization • Multiple os on the same machine. However, existing anti virus/spam software do not work. • Additional concern – one existing virtual machine may infect another. • Protection approaches: • Hypervisor-runs on the physical machine and manages the virtual machines. • Run security software such as a firewall on the physical machine
Wiretapping Replay – sending packets captured from previous session such as username and password. Buffer overflow: sending more data than receiver expects, thereby storing values in memory buffer. Address spoofing. Faking IP source address Name spoofing. Misspelling of a well-known name or poisoning name server. SYN flood – sending stream of TCP SYN Key breaking – guessing password Port Scanning – to find vulnerability Packet Interception – man in the middle attack. Techniques used TCP/IP Protocol Suite
Goals of a security • Confidentiality – protect our confidential information in storage and transmission. • Integrity – Information is not changed unintentionally. Only changed by authorized people. • Availability – Information should be available to authorized users. TCP/IP Protocol Suite
Encryption Digital Signatures Firewall Intrusion detection systems Packet inspection and content scanning VPN Security Techniques TCP/IP Protocol Suite
28.1 CRYPTOGRAPHY The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them secure and immune to attacks. The topics discussed in this section include: Symmetric-Key Cryptography Asymmetric-Key Cryptography Comparison TCP/IP Protocol Suite
Figure 28.1Cryptography components TCP/IP Protocol Suite
Note: In cryptography, the encryption/decryption algorithms are public; the keys are secret. TCP/IP Protocol Suite
Note: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. TCP/IP Protocol Suite
Figure 28.2Symmetric-key cryptography TCP/IP Protocol Suite
Note: In symmetric-key cryptography, the same key is used in both directions. TCP/IP Protocol Suite
Figure 28.3Caesar cipher TCP/IP Protocol Suite
Figure 28.4Transpositional cipher TCP/IP Protocol Suite
Is a block cipher Takes 64-bit plaintext and creates a 64-bit ciphertext. The cipher key is a 56-bit key. It uses 16 rounds, each round mixes and swapps (left half with right half) Data encryption Standard (DES) TCP/IP Protocol Suite
Figure 28.5DES (Data Encryption Standard) TCP/IP Protocol Suite
Note: The DES cipher uses the same concept as the Caesar cipher, but the encryption/ decryption algorithm is much more complex. TCP/IP Protocol Suite
The secret key is personal and unshared. Symmetric key scheme would require n(n-1)/2 keys, for a million people it would require half a billion shared secret keys. Whereas, in asymmetric scheme we would only require a million secret keys. Asymmetric ciphers use two keys, private and public. Asymmetric is much slower. Both symmetric and asymmetric can be used if need to be. Think: if you want to send a secret symmetric key, you can use asymmetric. Asymmetric-key ciphers TCP/IP Protocol Suite
Protocols • IPSec (internet Security Protocol) operates in the network layer. Used in VPN. • IP sec supports Authentication Header (AH) protocal and Encapsulation Security Payload (ESP) protocol • The SSL (Secure Socket Layer) protocol serves as a security for transferring encrypted data. • WEP (Wired Equivalent Privacy) standard. Data stream is encrypted with RC4 algorithm. RC4 is simple, it is not very secure. • WPA (Wi-Fi Protected Access) specification and AES (Advanced Encryption standard) It more secure for encrypting wireless data. TCP/IP Protocol Suite
Figure 28.8Public-key cryptography TCP/IP Protocol Suite
Note: Symmetric-key cryptography is often used for long messages. TCP/IP Protocol Suite
Note: Asymmetric-key algorithms are more efficient for short messages. TCP/IP Protocol Suite
Note: Digital signature can provide authentication, integrity, and nonrepudiation for a message. TCP/IP Protocol Suite
28.3 DIGITAL SIGNATURE Digital signature can provide authentication, integrity, and nonrepudiation for a message. The topics discussed in this section include: Signing the Whole Document Signing the Digest TCP/IP Protocol Suite
Figure 28.12Signing the whole document TCP/IP Protocol Suite
Note: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. TCP/IP Protocol Suite
Figure 28.13Hash function TCP/IP Protocol Suite
Figure 28.14Sender site TCP/IP Protocol Suite
The digest is much shorter than the message. The message itself may not lend itself to asymmetric cryptography because it is too long. Figure 28.15Receiver site TCP/IP Protocol Suite
Message of arbitrary length is made into a fixed length message. MD2, MD4, MD5 SHA (Secure Hash Algorithm) developed by NIST. Hash functions TCP/IP Protocol Suite
If alice signs a message then denies it, the message can be verified. That means we have to keep the messages. A trusted center can be created. Alice send the digitally signed message to the trusted center who verifies it, saves a copy of the message, recreates the message with its own signature and send to bob. Bob can verify the trusted center’s public key. Non-repudiation TCP/IP Protocol Suite
28.5 KEY MANAGEMENT In this section we explain how symmetric keys are distributed and how public keys are certified. The topics discussed in this section include: Symmetric-Key Distribution Public-Key Certification Kerberos TCP/IP Protocol Suite
Note: A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over. TCP/IP Protocol Suite
Figure 28.19Diffie-Hellman method TCP/IP Protocol Suite
Note: The symmetric (shared) key in the Diffie-Hellman protocol is K = G xy mod N. TCP/IP Protocol Suite
Example 1 Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21. 2. Alice sends the number 21 to Bob. 3. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 43 mod 23 = 18. 6. Bob calculates the symmetric key K = 216 mod 23 = 18. The value of K is the same for both Alice and Bob; G xy mod N = 718 mod 23 = 18. TCP/IP Protocol Suite
Figure 28.20Man-in-the-middle attack TCP/IP Protocol Suite
Key distribution center A typical operation with a KDC involves a request from a user to use some service. The KDC will use cryptographic techniques to authenticate requesting users as themselves. It will also check whether an individual user has the right to access the service requested. If the authenticated user meets all prescribed conditions, the KDC can issue a ticket permitting access. KDCs mostly operate with symmetric encryption. In most (but not all) cases the KDC shares a key with each of all the other parties. The KDC produces a ticket based on a server key. The client receives the ticket and submits it to the appropriate server. The server can verify the submitted ticket and grant access to the user submitting it. Security systems using KDCs include Kerberos. (Actually, Kerberos partitions KDC functionality between two different agents: the AS (Authentication Server) and the TGS (Ticket Granting Service).) TCP/IP Protocol Suite