EE579T Network Security 6: Hiding in Plain Sight
Prof. Richard A. Stanley
WPI

Thought for the Day
“I never give ‘em hell. I just tell the truth and they think it’s hell.”
Harry S. Truman

Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Course project discussions
• Hiding in plain sight
  • Secure protocols
  • Hiding information

Last Week...
• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful
• There are three basic steps to planning, which is called vulnerability assessment:
  • Acquire the target (case the joint)
  • Scan for vulnerabilities (find the entry points)
  • Identify poorly protected data (enumeration)
• This applies if you are inside or outside the protected perimeter!

Security Last Week - 1
• FBI counterintelligence agent Robert Hanssen arrested for espionage
• What can we learn from this?
• He wasn’t caught because he was careless
• He knew all the tricks used to catch spies
• He was arrogant (Philby book)
• He did “exceptionally grave” damage to the nation, and is probably directly responsible for at least two people being executed
• So what does that have to do with network security?

Network Security Last Week - 1
• “Anna” virus writer’s mayor praises him, calls event a “joke,” offers job!
• U.K.'s Terrorism Act 2000 classifies those who put lives in danger through computer manipulation as terrorists.
• VBS_Valentin.A exploits hole in older Outlook and Outlook Express versions
  • runs in preview window
  • deletes every file stored on a PC on the 8th, 14th, 23rd and 29th of every month.

Network Security Last Week - 2
• NSA warns it can't keep up with rapid changes in IT
• Kournikova virus inspires copy-cat spammers. Are we surprised?
• Sm0ked Vandals say more attacks to come
• Canadian security e-mailer Neurocom pulled an alert concerning a Hotmail vulnerability

Course Projects - 1
• Port scanning technology
  • Sullivan, Toomey
• Extensible authentication protocol
  • Mizar, Hirsch, Tummala
• Honey Pot
  • Kaps, Gaubatz
• Wired/Wireless security comparison
  • Azevedo, Nguyen, H. Tummala

Course Projects - 2
• SOHO network security
  • Davis, Syversen, Kintigh
• Sniffing switched networks
  • Michaud, Lindsay, VanRandwyk
• Broadband access security
  • Sumeet, Nurmit, Harsh
• Trojan Horse security
  • Aparma, Subramanian

Course Projects - 3
• Java security
  • Malloy
• Router security
  • Mansour,
• DDoS Security
  • Gorse, Pushee
• Network Security Processors
  • McLaren, Brown

Projects - 4
• Network cryptography
  • Lee

HTTP
• Hypertext transfer protocol
• 4-stage transaction
  • Establish a connection
  • Client issues a request
  • Server issues a response to the request
  • Server terminates the connection

HTTP Characteristics
• Stateless
• Supports dynamic formats
  • Client sends list of formats it recognizes
  • Server replies, using appropriate format if it can
• Human-readable
• Generic protocol
  • Message formats independent of protocol

Secure HTTP
• Extends HTTP instruction set to support secure transmission
• Uses signature, encryption, message sender, and authenticity checks for security
• Uses both symmetric & asymmetric keys
• Supports certificates and key signing
• Supports end-to-end encryption
• Useful only with HTTP

How S-HTTP Creates Messages
• Server obtains plain-text message it will send to the client
• Server processes client’s crypto preferences and keying material, which client provided during initial handshake connection
• Server processes its own crypto preferences and keying material

How S-HTTP Recovers Messages
• Client tries to match transmission against its crypto preferences provided to server
• If no match, tries to match message against client’s current crypto preferences & keys
• If still no match, client tries to decrypt message using server’s previously-stated crypto preferences

S-HTTP Key Arrangements
• In-band key
  • server encrypts session key with client’s public key and sends session key to client
• Externally arranged key
  • server and client manually exchange secret key prior to session
• In-band keying is by far the more common

Secure Sockets Layer
• Developed by Netscape
• Open, nonproprietary protocol, like S-HTTP
• Provides data encryption, server & client authentication, message integrity
• Compatible with firewalls & tunneling
• Can be layered between HTTP and other application protocols and TCP/IP

SSL and the Internet Protocol Stack
Application layer: HTTP, SMTP, Telnet, FTP, etc.
Secure socket layer: SSL
Transport layer: TCP, UDP
Network layer: IP, ICMP, IGMP
Data-link layer: ARP, RARP
Physical layer

SSL Services
• Server authentication w/digital certificates
• Transmission security w/encryption
• Data integrity across end-to-end connections
• SSL uses RSA private-key encryption

Client.Hello message
• Sent by client to server
• Server evaluates info in message
• If client supports an encryption type that is supported by the server, and other SSL protocols match server, server sends reply
• Reply is encrypted with client’s public key
• Reply includes server’s public key and connection info

Server.Hello response
• Client receives, sends another request to server
• Second request encrypted with server’s public key from Client.Hello message
• Requests session key from server

Server response
• Session key, encrypted with client’s public key
• Communication proceeds securely using the protocol of the application running above SSL
• How do you know when this has happened?
  • The URL will have an “s” appended to <scheme>, e.g. https vs. http

SSL Security Pointers
• Secure all the auth-clients ports
  • An auth-client port lets anyone who can connect to that port do SSL authentication as if they were you, and use your certificate
• Secure all client mode ports
  • A client mode port lets anyone who can connect to the port transmit to other ports as if they were your machine

So, with these protocols, everything is OK, right?
Not quite.

One Worry
• This is a stegosaurus
• We need to worry about steganography

Steganography
• “Covered writing”
  • from the Greek steganos and graphos
  • steganos = covered (or roofed)
  • graphos = writing
• Includes such arcana as invisible ink, hollow heels in shoes, open codes
• A real problem for network security, as we shall see

Null Cipher Example
News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday.
Decodes as: Newt is upset because he thinks he is President.

Actual WWII Null Cipher
Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suets and vegetable oils.
Decodes as: Pershing sails from NY June 1.

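
The extraction rule behind the two null ciphers above, as an added example that is not part of the original slides: the first message sits in the first letter of each word, the WWII one in the second. The sample strings are copied from the slides, except that "by products" is written as the single word "by-products", an assumption needed for the second-letter rule to yield "ny"; the function names are hypothetical.

```python
import re

def null_decode(cover_text: str, position: int) -> str:
    """Return the letter at `position` (0-based) of every word long enough to have one."""
    hidden = []
    for token in cover_text.split():
        # Keep letters only, so "neutral's" and "by-products," count as single words.
        letters = re.sub(r"[^A-Za-z]", "", token)
        if len(letters) > position:
            hidden.append(letters[position].lower())
    return "".join(hidden)

def scan_positions(cover_text: str, max_position: int = 3) -> dict:
    """Analyst helper: try each letter position and return every candidate reading."""
    return {p: null_decode(cover_text, p) for p in range(max_position)}

# Opening of the first slide example (first-letter rule).
NEWS_OPENING = ("News Eight Weather: Tonight increasing snow. "
                "Unexpected precipitation smothers eastern towns.")
# WWII example (second-letter rule); "by-products" hyphenated by assumption.
WWII = ("Apparently neutral's protest is thoroughly discounted and ignored. "
        "Isman hard hit. Blockade issue affects pretext for embargo on "
        "by-products, ejecting suets and vegetable oils.")

if __name__ == "__main__":
    print(null_decode(NEWS_OPENING, 0))
    for pos, text in scan_positions(WWII).items():
        print(pos, text)
```

The decoder returns the letters run together and in lower case; word breaks, and reading the final "i" as the digit 1, are left to the reader of the message.
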
Another Example
[Figure panels: S0, S1, Result]

Interesting, but So What?
• What if we were to replace the least significant bits of a complex data file with information we wanted to transmit secretly?
• File compression
  • Lossless (e.g., GIF, BMP)
  • Lossy (e.g. MPEG, JPEG)
• Downgrading information--how can you be sure what you downgraded?

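
An added example, not from the original slides, of the least-significant-bit replacement asked about above, together with the pairs-of-values chi-square statistic a defender can use to flag it. The cover samples and payload are constructed stand-ins for image data, and all function names are hypothetical.

```python
import hashlib

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive cover samples with the message bits (MSB first)."""
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message needs more samples than the cover has")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of message from the LSBs of the first 8 * n_bytes samples."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for sample in stego[8 * i: 8 * i + 8]:
            byte = (byte << 1) | (sample & 1)
        out.append(byte)
    return bytes(out)

def pair_chi_square(samples: bytes) -> float:
    """Pairs-of-values statistic: LSB replacement pushes the counts of values
    2k and 2k+1 toward equality, so an unusually low score is suspicious."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    score = 0.0
    for k in range(0, 256, 2):
        expected = (counts[k] + counts[k + 1]) / 2
        if expected:
            score += (counts[k] - expected) ** 2 / expected
    return score

# Constructed stand-in for 8-bit image samples: only a quarter of them are odd,
# so the value pairs (2k, 2k+1) start out unbalanced.
COVER = bytes(((((i * i) // 97) % 256) & 0xFE) | int(i % 4 == 0) for i in range(4096))
# Constructed 512-byte payload that looks random, like compressed or encrypted data.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("recovered:", extract_lsb(STEGO, len(PAYLOAD)) == PAYLOAD)
    print("largest sample change:", max(abs(a - b) for a, b in zip(COVER, STEGO)))
    print("pair statistic  cover: %.0f  stego: %.0f"
          % (pair_chi_square(COVER), pair_chi_square(STEGO)))
```

The statistic is strongest when most samples carry payload; a short message changes it far less.
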
King’s College, Cambridge (UK)
The image in which another image will be hidden using steganography

Stego Summary
• Careful comparison of the two King’s College photos shows the stego image is slightly less sharp than the original
• Careful examination of the Pentagon aerial photos shows the recovered image is slightly less sharp than the original
• BUT…you knew what to look for

Stego Implications
• How can you be sure that what has been downgraded does not hide other information?
• Steganography can be used as a covert channel that is very hard to find
• Steganography also provides a tool that can be used to watermark a complex file

Fortunately, steganography is so complex and hard to implement that it is not likely the average hacker or crook would be able to exploit it.
Equally fortunately, we have discovered that the moon is made of green cheese.

Other Stego Uses
• Covert information distribution
• eBay images have been found which contain stego information believed to be messages to terrorist cells
• Much of the imagery on the Internet contains stego data, which could be executables
• Don’t get too cute -- why would you suddenly start trading pictures with someone?

Some Thoughts
• What about Bell and LaPadula’s model?
  • No write down?
  • No read up?
• The Internet thrives on visual imagery. What does this imply for security based on what we have studied tonight?
• Why did it take 15 years to catch Hanssen? How long would it take to uncover stego?

Summary
• Protocols exist to provide end-to-end security over the Internet and other hop-by-hop networks
• The existence of such protocols is not a guarantee of security
• Steganography is one way for information to leak out of a system
• Steganography can be very hard to find, but it is very easy to implement at low cost

Homework - 1
1. Using the Internet, conduct a survey of steganography tools available for download, and -- to the best of your ability based on the descriptions provided -- compare and contrast them.
2. How would you protect your network against steganography, both looking inwards and looking outwards?

Assignment for Next Week
• Finalize your project outlines, with the members of your team. Hand in next week.
• Read Chapter 16 in the course text.
• Next week’s topic: An Introduction to Network-Based Attacks