Download Network Security 5 and more Exams Computer Networks in PDF only on Docsity!
Computer Science 161 Spring 2019 Popa & Weaver
Network
Security
Computer Science 161 Spring 2019 Popa & Weaver
Reminder:
HTTPS Connection (SSL / TLS)
- Browser (client) connects via TCP to Amazon’s HTTPS server
- Client picks 256-bit random number RB, sends over list of crypto protocols it supports
- Server picks 256-bit random number RS, selects protocols to use for this session
- Server sends over its certificate
- (all of this is in the clear)
- (^) Client now validates cert 2 SYN SYN ACK ACK Browser Amazon Server Hello. My rnd # = R B. I support (TLS+RSA+AES128+SHA1) (^) or (SSL+RSA+3DES+MD5) (^) or … My rnd # = R S. Let ’s use TLS+RSA+AES128+SHA Here ’s my cert ~2- KB of^ data
Computer Science 161 Spring 2019 Popa & Weaver
Alternative: Ephemeral Key Exchange via
Diffie-Hellman
- For Diffie-Hellman (DHE), server generates random a, sends public parameters and ga^ mod p
- Signed with server’s private key
- Browser verifies signature
- Browser generates random b, computes PS = gab mod p, sends gb^ mod p to server
- Server also computes PS = gab^ mod p
- Remainder is as before: from PS, RB, and RS, browser & server derive symm. cipher keys (CB, CS) and MAC integrity keys (IB, IS), etc… 4 Browser Here’ s my cert ~2- KB of^ data gb (^) mod p PS PS {M 1 , MAC(M 1 ,IB)} CB MAC( dialog ,IS) MAC( dialog ,IB) {g, p, g a^ mod p} (^) K -1Amazon … Amazon Server
Computer Science 161 Spring 2019 Popa & Weaver
Cipher Suite
Negotiation
- Chrome's cipher-suite information
- Client sends to the server
- Server then choses which one it wants
- It should pick the common mode that both prefer based on order
- First is a dummy to keep servers honest
- Then its the bulk encryption only options
- Then key exchanges w encryption mode
- Description is key exchange, signature (if necessary), and then bulk cipher & hash
Computer Science 161 Spring 2019 Popa & Weaver
And Sabotaged pRNGs...
- Let us assume the server is using DHE...
- If an attacker can know^ a , they have all the information needed to decrypt the traffic:
- Since PS = gab, and can see gb.
- TLS spews a lot of "random" numbers publicly as well
- Nonces in the crypto, Rs, etc...
- If the server uses a bad pRNG which is both sabotaged and doesn't have rollback resistance ...
- Dual_EC DRBG where you know the secret used to create the generator...
- ANSI X9.31: An AES based one with a secret key...
- (^) Attacker sees the handshake, sees subsequent PRNG calls, works backwards to get the secret
- Attack of the week: DUHK
- https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/
Computer Science 161 Spring 2019 Popa & Weaver
Forward Secrecy Modes...
- The real benefit from DHE/ECDHE "forward secret" modes
- Reminder: Forward Secrecy: Even if the attacker later compromises the server's private key, the attacker can't compromise previous traffic
- It makes it far more difficult to use even after an attacker compromises the server's private key
- Attacker has to be a full MitM: Do the handshake to the client and a separate one for the server
Computer Science 161 Spring 2019 Popa & Weaver
The Easy DoS on a System:
Resource Consumption...
- Bad Dude has an account on your computer...
- And wants to disrupt your work on Project 2...
- He runs this simple program:
- while(1):
- Write random junk to random files
- (uses disk space, thrashes the disk)
- Allocate a bunch of RAM and write to it
- fork()
- (creates more processes to run)
- Only defense is some form of quota or limits: The system itself must enforce some isolation
Computer Science 161 Spring 2019 Popa & Weaver
The Network DOS
Computer Science 161 Spring 2019 Popa & Weaver
DoS & Networks
- How could you DoS a target’s Internet access?
- Send a zillion packets at them
- Internet lacks^ isolation^ between traffic of different users!
- What resources does attacker need to pull this off?
- At least as much sending capacity ( bandwidth ) as the bottleneck link of the target’s Internet connection
- Attacker sends maximum-sized packets
- Or: overwhelm the rate at which the bottleneck router can process packets
- Attacker sends minimum-sized packets!
- (in order to maximize the packet arrival rate)
Computer Science 161 Spring 2019 Popa & Weaver
Defending Against Network DoS
- Suppose an attacker has access to a beefy system with high-speed Internet access (a “big pipe”).
- They pump out packets towards the target at a very high rate.
- What might the target do to defend against the onslaught?
- Install a network filter to discard any packets that arrive with attacker’s IP address as their source
- E.g., drop * 66.31.33.7: -> :*
- Or it can leverage any other pattern in the flooding traffic that’s not in benign traffic
- Attacker’s IP address = means of identifying misbehaving user^
Computer Science 161 Spring 2019 Popa & Weaver
It’s Not A “Level Playing Field”
- When defending resources from exhaustion, need to beware of asymmetries, where attackers can consume victim resources with little comparable effort
- Makes DoS easier to launch
- Defense costs much more than attack
- Particularly dangerous form of asymmetry: amplification
- Attacker leverages system’s own structure to pump up the load they induce on a resource
Computer Science 161 Spring 2019 Popa & Weaver
Amplification
- Example of amplification: DNS lookups
- Reply is generally much bigger than request
- Since it includes a copy of the reply, plus answers etc.
- Attacker spoofs DNS request to a patsy DNS server, seemingly from the target
- Small attacker packet yields large flooding packet
- Doesn’t increase # of packets, but total volume
- Note #1: these examples involve blind spoofing
- So for network-layer flooding, generally only works for UDP-based protocols (can’t establish a TCP connection)
- Note #2: victim doesn’t see spoofed source addresses
- Addresses are those of actual intermediary systems^
Computer Science 161 Spring 2019 Popa & Weaver
Transport-Level Denial-of-Service
- Recall TCP’s 3-way connection establishment handshake
- Goal: agree on initial sequence numbers Client (initiator) SYN, SeqNum = x SYN + ACK, SeqNum = y, Ack = x + 1 ACK, Ack = y + 1 Server Server creates state associated with connection here (buffers, timers, counters) Attacker doesn’t even need to send this ack
Computer Science 161 Spring 2019 Popa & Weaver
Transport-Level Denial-of-Service
- Recall TCP’s 3-way connection establishment handshake
- Goal: agree on initial sequence numbers
- So a single SYN from an attacker suffices to force the server to spend some memory Client (initiator) SYN, SeqNum = x SYN + ACK, SeqNum = y, Ack = x + 1 ACK, Ack = y + 1 Server Server creates state associated with connection here (buffers, timers, counters) Attacker doesn’t even need to send this ack