These slides give some overview on the the concepts which were in Crytography and network security. I have prepared these slides by the experiece after refer the text bbok as well as resources from the net. Added figures directly from the references. I would like to acknowledge all the authors by originally.
3. Three Key Objectives
• Confidentiality
– Data confidentiality
– Privacy
• Integrity
– Data integrity
– System integrity
• Availability
• Additional concepts
– Authenticity
– Accountability
4. Passive Attacks
• Passive attacks do not affect system resources
– Eavesdropping, monitoring
• Two types of passive attacks
– Release of message contents
– Traffic analysis
• Passive attacks are very difficult to detect
– Message transmission apparently normal
• No alteration of the data
– Emphasis on prevention rather than detection
• By means of encryption
5. Active Attacks
• Active attacks try to alter system resources or affect
their operation
– Modification of data, or creation of false data
• Four categories
– Masquerade
– Replay
– Modification of messages
– Denial of service: preventing normal use
• A specific target or entire network
• Difficult to prevent
– The goal is to detect and recover
7. Model for Network Security
• using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
8. Feistel Cipher
8
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block as:
: E ( ) : ( )
16 2 1
The decryption will be:
D ( )
1 1 1 1
1 2 1
k
k
m
c m m
c
1 1
1
6
1 2 16
c
( )
c
( )
The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
9. Mathematical Description of Round i
9
L R i
L R
Let and be the input of round , and
i i
1 1
i i
L
R
i i
1
R
L F R K
i i
i
1 1
1
and the output.
We have
:
i L R
( , )
:
:
( , )
Or, (
L
i
i
, where
i i
1
x y x F y k
y
x y y x
: ( , )
(
( , )
, ).
: ( , )
( , ).
1 1
Not
,
e
)
that and .
i
i
i
i
i
R
10. DES: The Data Encryption Standard
• Most widely used block cipher in the world.
• Adopted by NIST in 1977.
• Based on the Feistel cipher structure with 16 rounds
of processing.
• Block = 64 bits
• Key = 56 bits
• What is specific to DES is the design of the F function
and how round keys are derived from the main key.
10
12. Initial Permutation IP
• IP: the first step of the encryption.
• It reorders the input data bits.
• The last step of encryption is the inverse of IP.
• IP and IP-1 are specified by tables (see Stallings
book, Table 3.2) DES
14. Round Keys Generation
• Main key: 64 bits.
• 56-bits are selected and permuted using Permuted Choice One
(PC1); and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits
according to a rotation schedule.
– Select 24-bits from each half, and permute the
combined 48 bits.
– This forms a round key.
18. The function of DES
L R K
The and each have 32 bits, and the round key 48 bits.
18
F R K
The function, on input and , produces 32 bits:
F ( R , K )
P S E K
where :
(
expands 32 bits o 4
)
t
E
R
F
8 bits;
: shrinks it back to 32 bits;
: permutes the 32 bits.
S
P
19. Design Principles of DES
• To achieve high degree of diffusion and
confusion.
• Diffusion: making each plaintext bit affect as
many ciphertext bits as possible.
• Confusion: making the relationship between
the encryption key and the ciphertext as
complex as possible.
1
20. 2DES
• Consider 2DES with two keys:
C = EK2(EK1(P))
• Decryption: P = DK1(DK2(C))
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!
20
21. Meet-in-the-Middle Attack on 2DES
• 2-DES: C = EK2(EK1(P))
• Given a known pair (P, C), attack as follows:
– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES.
21
P E K 1 E K 2 C
22. 22
3DES with 2 keys
A straightforward implementation would be :
c E E E m
: ( )
k k k
1 2 1
c E D E m
In practice : : ( )
k k k
1 2 1
Also referred to as EDE encryption
Reason : if k k
, then
3DE
1 2
S
1DES.
Thus, a 3DES software can be used as a single-DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.
23. 23
3 2 1
3DES with 3 keys
Encryption: : ( ) .
If , it becomes 3DES with 2 keys.
1 3
If , it becomes the regular DES.
1 2 3
So, it is backward compatible with both 3DES with 2 keys
and
k k k c E D E m
k k
k k k
the regular DES.
Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.
24. RC5 Algorithm
• Three parts:-
– Key Expansion
– Encryption Algorithm
– Decryption Algorithm
• Fast symmetric block cipher
– Same key for encryption and decryption
– Plaintext and ciphertext are fixed-length bit sequences (blocks)
25. Parameters of RC5
– RC5 – w/r/b
• E.g. RC5 – 32/16/10
– w = 32 bits
– r = 16 rounds
– b = 10-byte (80-bit) secret key variable
– t = 2 (r + 1) = 2 (16 + 1) = 34 rounds
26. Important parameters in details
• “w”(bits) – variable word size
• Allowable choice for “w” in RC5– 16,32 and 64
• Suggested 32
• “Two” word input (plaintext) block size – 64-bit
plaintext
• “Two” word output (ciphertext) block size – 64-bit
ciphertext
• Design accepts all w > 0
• Variable word size can exploit longer word length of
processors like 64 – bit processors.
27. Important parameters in details
• “r” – variable number of rounds
• Tradeoff between high speed and high security.
• Allowed values 0-255
• Suggested – 12
• Higher the number of rounds provides increased level
of security.
• “S” – Expanded key table – derived from user’s secret
key.
• “t” – The size of table “S” (depends on “r”)
– t = 2 ( r + 1 ) words.
28. RC5 Algorithm – Key Expansion
• Requirements of key expansion
– Filling the expanded key table array S[0…t – 1]
with random binary words
• “t” – Size of table “S” => 2 ( r+1 )
– S table is not an “S-box” like DES.
• Entries in S sequentially, one at a time.
– Random binary words are derived from the K.
29. RC5 Algorithm
• Encryption Algorithm
– Two w-bit words are denoted as A and B
A = A + S[0];
B = B + S[1];
for i = 1 to r do
A = (( A ⊕ B ) <<< B ) + S[ 2 * i ];
B = (( B ⊕ A) <<< A ) + S[ 2 * i + 1];
The output is in the registers A and B.
Work is done on both A and B, unlike DES
where only half input is updated.
30. RC5 Algorithm
• Decryption Algorithm
– (easily derived from encryption)
– Two w-bit words are denoted as A and B
for i = r downto 1 do
B = (( B – S[ 2 * i + 1 ]) >>> A) ⊕ A;
A = (( A – S[ 2 * i ] >>> B) ⊕ B;
B = B - S[1];
A = A - S[0];
The output is in the registers A and B.
31. Blowfish
• a symmetric block cipher designed by Bruce
Schneier in 1993/94
• characteristics
– fast implementation on 32-bit CPUs
– compact in use of memory
– simple structure eases analysis/implemention
– variable security by varying key size
• has been implemented in various products
32. Blowfish Key Schedule
• uses a 32 to 448 bit key
• used to generate
– 18 32-bit subkeys stored in K-array Kj
– four 8x32 S-boxes stored in Si,j
• key schedule consists of:
– initialize P-array and then 4 S-boxes using pi
– XOR P-array with key bits (reuse as needed)
– loop repeatedly encrypting data using current P & S and
replace successive pairs of P then S values
– requires 521 encryptions, hence slow in rekeying
34. Blowfish Encryption
• uses two primitives: addition & XOR
• data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
Ri = Li-1 XOR Pi;
Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR i17;
• where
F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,a
35. CAST-128
• 64-bit iterated block cipher
• key: 40 bits up to 128 bits (increments of 8 bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S.Tavares (1996)
• S-box design procedure patented by Entrust
Technologies Inc: U.S. patent 5,511,123, filed Aug. 4,
1994, issued Apr. 3, 1996
36. CAST-128
• CAST-128 is part of the GnuPG suite of cryptographic
algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes: for encryption
and decryption (S1, S2, S3, S4) and for the key
schedule (S5, S6, S7, S8)
• round operations: +, -, <<<,
• three round functions: f1, f2 and f3
• An official algorithm for use with the Canadian
Government:
38. CAST-256
• a former candidate to the Advanced Encryption
Standard (AES) Development Process (1997)
• 128-bit iterated block cipher
• 128-, 192- and 256-bit key
• 48 rounds for all key sizes
• generalized Feistel Network structure
• S-box design procedure patented by Entrust
Technologies Inc: U.S. patent 5,511,123, filed Aug. 4,
1994, issued Apr. 3, 1996
40. Motivation
• symmetric encryption is used to provide
message confidentiality
• Placement of encryption function
• Traffic confidentiality
• Key distribution
41. Confidentiality using Symmetric Encryption
• What to encrypt and where the encryption function
should be located
• consider typical scenario:
(1) Eavesdropping by
members
(2) dial-in,
then intrude
(4) Monitor traffic
(3) Tap into wire
42. Typical scenario and attacks
• consider typical scenario
– workstations on LANs access other workstations &
servers on LAN
– LANs interconnected using switches/routers
– with external lines or radio/satellite links
• consider attacks and placement in this scenario
– snooping from another workstation
– use dial-in to LAN or server to snoop
– use external router link to enter & snoop
– monitor and/or modify traffic one external links
43. Placement of encryption
• have two major placement alternatives
• link encryption
– encryption occurs independently on every link
– implies must decrypt traffic between links
– requires many devices, but paired keys for all links
• end-to-end encryption
– encryption occurs between original source and
final destination
– need devices at each end with shared keys
45. Problems with routing
• In a packet-switching network, we need packet header
to route packets
– Link encryption: so packet must be decrypted before
routing
• Vulnerable at each switch node
– End-to-end encryption: must leave headers in clear,
so network can correctly route information
• hence although contents protected, traffic pattern is not
protected
• ideally want both at once
– end-to-end protects data contents over entire path
and provides authentication
– link protects traffic flows from monitoring
46. Placement of encryption over OSI model
• can place encryption function at various layers in OSI Reference
Model
47. OSI model and packetization
Application level
encryption
TCP level
encryption Link level
encryption
49. Traffic Analysis
• In packet-switching network, the packet
header cannot be encrypted
• Traffic analysis is monitoring of
communications flows between parties
– Ex. know who is talking to whom in military usage
• Traffic analysis reveals
– Identities of partners
– How frequently the partners are communicating
– Message pattern, message length, quantity of
messages, …
50. Defense against traffic analysis
• link encryption obscures header details
– but overall traffic volumes in networks and at end-points
is still visible
Traffic padding
51. Key Distribution
• symmetric schemes require both parties to
share a common secret key
• issue is how to securely distribute this key
• often secure system failure due to a break in
the key distribution scheme
52. Key Distribution methods
• given parties A and B have various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & physically deliver key to A
& B
3. if A & B have communicated previously can use
previous key to encrypt a new key
4. if A & B have secure communications with a third
party C, C can relay key between A & B
Not suitable
for large
systems
Initial
distribution?
53. Scale of key distribution problem
• A network with N hosts
=> N(N-1)/2 pairs
• Node-level encryption
N(N-1)/2
• Application-level
encryption
– 10 applications/node
54. Key distribution center (KDC)
KDC shares a unique key (master key) with each user to distribute
secret key (session key) between a pair of users:
scale of key distribution problem reduces to N
Key distribution
center (KDC)
EMK1 (Secret key)
EMK2 (Secret key)
Secret key Secret key
55. Key Distribution Scenario
nonce: an identifier
that differs for each request
Session key Identifier for A (ex. address)
Master key Ka Master key Kb
(avoid replay attack)
1. Verify the original request
2. Avoid replay attack
57. Session key lifetime
• Short session key lifetime
– Key exchanges frequently => more secure
• Long session key lifetime
– Reduce key exchange time, and network capacity
• Two connection protocol (session<connection)
– Connectionless protocol (ex. UDP, HTTP)
• Not to use a new key for each session, use a given session key
for a fixed period of time
– Connection-oriented protocol (ex. TCP)
• The same key for the connection; or update the key
periodically if the connection has long lifetime
58. Transparent key control scheme
• End-to-end encrypt at network (transport) layer, which is
transparent to users
? No authentication
60. Decentralized key control
• KDC trusted?
• Decentralized: assume there is one master key
for each pair of end systems
session key
shared master key
Nonce for authentication
Master key are used for a short time, cryptanalysis is difficult
62. Introduction to public-key cryptosystems
• Recall: symmetric ciphers
– One secret key, shared by sender and receivers
(symmetric)
– Based on substitution and permutation
– Problem:
• Key distribution
• Digital signature: a kind of signature used in paper document
• Deffie and Hellman proposed the public-key
cryptosystem to address the above two problems
in 1976
63. Preview of public-key systems
• Features of public-key system
– Asymmetric: a public key and a private key
– Algorithm based on mathematical functions
• Fallacies
– Public-key is more secure than symmetric encryption
– Public-key encryption is a general-purpose technique
that will make symm. encrypt. obsolete
– Key distribution is trivial is easier for public-key
encryption than symmetric encryption
64. Public-key encryption
• One-key for encryption
• A different but related key for decryption
– It is computational infeasible to determine the decryption
key given the crypto. algorithm and the encryption key
65. Steps in public-key encryption
1. Each user generates a pair of keys for encryption
and decryption
(In RSA, these two keys can exchange 加解密皆可)
2. One key (public key) is announced publicly. The
other key is kept private.
Q: key distribution problem? (Chap. 10)
3. Bob sends encrypted message to Alice using
Alice’s public key.
4. Only Alice can decrypt the message using her
private key.
67. Math. formulation of public-key system
Y = EKU (X)
b
X = DKR (Y)
b
What E and D can achieve this?
68. Requirement for public-key cryptography
• Diffie and Hellman (1976) proposed the system without
the algorithm for E and D. They laid out the requirement:
– It is computationally easy to generate a pair of keys
– It is computationally easy for a sender to encrypt
– It is computationally easy for a receiver to decrypt
– It is computationally infeasible for an opponent, knowing the
public key, to determine the private key
– It is computationally infeasible for an opponent, knowing the
public key and ciphtertext, to recover the plaintext
Y = EKU (X)
b
X = DKR (Y)
b
69. The algorithms that satisfy public-key
requirement
• RSA (Rivest-Shamir-Adleman) 1978
– Number theory
• Elliptic curve cryptography
70. Trap-door one-way function
• Public-key encryption is a one-way function
– Every function value has a unique inverse
Y=f(X): easy
domain target
X=f-1 (Y): infeasible ( > polynomial time)
• It is hard to determine the complexity to compute the inverse
• Not a traditionally complexity problem, which focuses on the
worst-case or average-case complexity
71. Trap-door one-way function (cont.)
• Open a trap-door using the private key…
Y=f(X): easy
domain target
X=f-1 (Y): infeasible ( > polynomial time)
-1 (Y): easy if trap-door K is known
X=fK
( ~ polynomial time)
72. Public-key system for authentication 身份
認證
• Recall: the problem of digital signature
• Only Bob has the private key
to encrypt !!!
(server as
digital signature)
74. Public-key cryptanalysis
• Brute-force attack: search the private key
– Solution: use large keys
– Tradeoffs: complexity of encrypt/decrypt using
large keys security using large keys
– Public-key system are currently too slow for
general-purpose use, only used for key
management and signature application
• Compute private key given the public key
– Not proved to be infeasible
75. Public-key cryptanalysis (cont.)
• Probable-message attack
– Ex. encrypt 56-bit DES key
Public-key
encryption
56-bit
DES key
C
Public-key
Attack:
Public-key
encryption
C1
Public-key
000…000
000…001
000…010
000…011
….
111…111
Try all
DES Key
C2
C3
…
Ck= C
Solution: append things
in the plaintext
76. RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over
integers modulo a prime
– nb. exponentiation takes O((log n)3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e log n log log n) operations (hard)
77. RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q
– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e
• where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}
78. RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: C=Me mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: M=Cd mod N
• note that the message M must be smaller
than the modulus N (block if needed)
79. Why RSA Works
• because of Euler's Theorem:
• aø(n)mod N = 1
– where gcd(a,N)=1
• in RSA have:
– N=p.q
– ø(N)=(p-1)(q-1)
– carefully chosen e & d to be inverses mod ø(N)
– hence e.d=1+k.ø(N) for some k
• hence :
Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q =
M1 = M mod N
80. RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
81. RSA Example cont
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 887 mod 187 = 11
• decryption:
M = 1123 mod 187 = 88
82. Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to
compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n
– eg. 75 = 74.71 = 3.7 = 10 mod 11
– eg. 3129 = 3128.31 = 5.3 = 4 mod 11
84. RSA Key Generation
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from
modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse
algorithm to compute the other
85. RSA Security
• three approaches to attacking RSA:
– brute force key search (infeasible given size of
numbers)
– mathematical attacks (based on difficulty of
computing ø(N), by factoring modulus N)
– timing attacks (on running of decryption)
86. Factoring Problem
• mathematical approach takes 3 forms:
– factor N=p.q, hence find ø(N) and then d
– determine ø(N) directly and find d
– find d directly
• currently believe all equivalent to factoring
– have seen slow improvements over the years
• as of Aug-99 best is 130 decimal digits (512) bit with GNFS
– biggest improvement comes from improved algorithm
• cf “Quadratic Sieve” to “Generalized Number Field Sieve”
– barring dramatic breakthrough 1024+ bit RSA secure
• ensure p, q of similar size and matching other constraints
87. Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations
– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations
88. The Diffie-Hellman Algorithm
• Discovered by Whitfield Diffie and Martin Hellman
– “New Directions in Cryptography”
• Diffie-Hellman key agreement protocol
– Exponential key agreement
– Allows two users to exchange a secret key
– Requires no prior secrets
– Real-time over an untrusted network
89. Implementation
• P and G are both publicly available numbers
– P is at least 512 bits
• Users pick private values a and b
• Compute public values
– x = ga mod p
– y = gb mod p
• Public values x and y are exchanged
90.
91. Implementation
• Compute shared, private key
– ka = ya mod p
– kb = xb mod p
• Algebraically it can be shown that ka = kb
– Users now have a symmetric secret key to encrypt
93. Example
• Two Internet users, Alice and Bob wish to
have a secure conversation.
– They decide to use the Diffie-Hellman protocol
94. Example
• Alice and Bob get public numbers
– P = 23, G = 9
• Alice and Bob compute public values
– X = 94 mod 23 = 6561 mod 23 = 6
– Y = 93 mod 23 = 729 mod 23 = 16
• Alice and Bob exchange public numbers
95. Applications
• Diffie-Hellman is currently used in many
protocols, namely:
– Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)
– Secure Shell (SSH)
– Internet Protocol Security (IPSec)
– Public Key Infrastructure (PKI)
96. Pseudorandom numbers
• One of a sequence of numbersgenerated by
some algorithm so as to have an even
distribution over some range of values and
minimal correlation between successive
values.Pseudorandom numbers are used in
simulation and encryption.
97. Malicious Software
What is the concept of defense: The parrying of
a blow. What is its characteristic feature:
Awaiting the blow.
—On War, Carl Von Clausewitz
99. Viruses and Other Malicious Content
• computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies
(often exaggerated)
• getting more attention than deserve
• are a concern though
100. Viruses
• piece of software that infects programs
– modifying them to include a copy of the virus
– so it executes secretly when host program is run
• specific to operating system and hardware
– taking advantage of their details and weaknesses
• a typical virus goes through phases of:
– dormant
– propagation
– triggering
– execution
101. Worms
• Replicating program that propagates over net
– using email, remote exec, remote login
• has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects
to it, copies self to it and runs
• may disguise itself as a system process
• concept seen in Brunner’s “Shockwave Rider”
• implemented by Xerox Palo Alto labs in 1980’s
102. Virus Structure
• components:
– infection mechanism - enables replication
– trigger - event that makes payload activate
– payload - what it does, malicious or benign
• prepended / postpended / embedded
• when infected program invoked, executes
virus code then original program code
• can block initial infection (difficult)
• or propogation (with access controls)
106. Macro Virus
• became very common in mid-1990s since
– platform independent
– infect documents
– easily spread
• exploit macro capability of office apps
– executable program embedded in office doc
– often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs
107. E-Mail Viruses
• more recent development
• e.g. Melissa
– exploits MS Word macro in attached doc
– if attachment opened, macro activates
– sends email to all on users address list
– and does local damage
• then saw versions triggered reading email
• hence much faster propagation
108. Virus Countermeasures
• prevention - ideal solution but difficult
• realistically need:
– detection
– identification
– removal
• if detect but can’t identify or remove, must
discard and replace infected program
109. Anti-Virus Evolution
• virus & antivirus tech have both evolved
• early viruses simple code, easily removed
• as become more complex, so must the
countermeasures
• generations
– first - signature scanners
– second - heuristics
– third - identify actions
– fourth - combination packages
110. Generic Decryption
• runs executable files through GD scanner:
– CPU emulator to interpret instructions
– virus scanner to check known virus signatures
– emulation control module to manage process
• lets virus decrypt itself in interpreter
• periodically scan for virus signatures
• issue is long to interpret and scan
– tradeoff chance of detection vs time delay
113. Worms
• replicating program that propagates over net
– using email, remote exec, remote login
• has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects
to it, copies self to it and runs
• may disguise itself as a system process
• concept seen in Brunner’s “Shockwave Rider”
• implemented by Xerox Palo Alto labs in 1980’s
114. Morris Worm
• one of best know worms
• released by Robert Morris in 1988
• various attacks on UNIX systems
– cracking password file to use login/password to
logon to other systems
– exploiting a bug in the finger protocol
– exploiting a bug in sendmail
• if succeed have remote shell access
– sent bootstrap program to copy worm over
116. Recent Worm Attacks
• Code Red
– July 2001 exploiting MS IIS bug
– probes random IP address, does DDoS attack
• Code Red II variant includes backdoor
• SQL Slammer
– early 2003, attacks MS SQL Server
• Mydoom
– mass-mailing e-mail worm that appeared in 2004
– installed remote access backdoor in infected systems
• Warezov family of worms
– scan for e-mail addresses, send in attachment
118. Mobile Phone Worms
• first appeared on mobile phones in 2004
– target smartphone which can install s/w
• they communicate via Bluetooth or MMS
• to disable phone, delete data on phone, or
send premium-priced messages
• CommWarrior, launched in 2005
– replicates using Bluetooth to nearby phones
– and via MMS using address-book numbers
119. Worm Countermeasures
• overlaps with anti-virus techniques
• once worm on system A/V can detect
• worms also cause significant net activity
• worm defense approaches include:
– signature-based worm scan filtering
– filter-based worm containment
– payload-classification-based worm containment
– threshold random walk scan detection
– rate limiting and rate halting
122. Distributed Denial of Service Attacks
(DDoS)
• Distributed Denial of Service (DDoS) attacks
form a significant security threat
• making networked systems unavailable
• by flooding with useless traffic
• using large numbers of “zombies”
• growing sophistication of attacks
• defense technologies struggling to cope
125. Constructing an Attack Network
• must infect large number of zombies
• needs:
1. software to implement the DDoS attack
2. an unpatched vulnerability on many systems
3. scanning strategy to find vulnerable systems
– random, hit-list, topological, local subnet
126. DDoS Countermeasures
• three broad lines of defense:
1. attack prevention & preemption (before)
2. attack detection & filtering (during)
3. attack source traceback & ident (after)
• huge range of attack possibilities
• hence evolving countermeasures
127. Intruders
• significant issue for networked systems is
hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
128. Intruders
• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other
attacks
• awareness of intruders has led to the
development of CERTs
129. Intrusion Techniques
• aim to gain access and/or increase privileges
on a system
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
130. Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– defaults, short passwords, common word searches
– user info (variations on names, birthday, phone, common
words/interests)
– exhaustively searching all possible passwords
• check by login or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
131. Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login
• eg. telnet, FTP, web, email
– extracting recorded info after successful login (web
history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable
precautions/countermeasures
132. Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a
legitimate user
– but will have imperfect distinction between
134. Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
135. Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
136. Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if
current behavior is acceptable
– mean & standard deviation, multivariate, markov
process, time series, operational
• key advantage is no prior knowledge used
137. Rule-Based Intrusion Detection
• observe events on system & apply rules to
decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify usage
patterns & auto-generate rules for them
– then observe current behavior & match against
rules to see if conforms
– like statistical anomaly detection does not require
prior knowledge of security flaws
138. Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration,
weakness patterns, or suspicious behavior
– compare audit records or states against rules
– rules usually machine & O/S specific
– rules are generated by experts who interview &
codify knowledge of security admins
– quality depends on how well this is done
139. Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working
together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
142. Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
• should protect password file on system
143. Managing Passwords - Education
• can use policies and good user education
• educate on importance of good passwords
• give guidelines for good passwords
– minimum length (>6)
– require a mix of upper & lower case letters,
numbers, punctuation
– not dictionary words
• but likely to be ignored by many users
144. Managing Passwords - Computer
Generated
• let computer create passwords
• if random likely not memorisable, so will be
written down (sticky label syndrome)
• even pronounceable not remembered
• have history of poor user acceptance
• FIPS PUB 181 one of best generators
– has both description & sample code
– generates words from concatenating random
pronounceable syllables
145. Managing Passwords - Reactive
Checking
• reactively run password guessing tools
– note that good dictionaries exist for almost any
language/interest group
• cracked passwords are disabled
• but is resource intensive
• bad passwords are vulnerable till found
146. Managing Passwords - Proactive
Checking
• most promising approach to improving
password security
• allow users to select own password
• but have system verify it is acceptable
– simple rule enforcement (see earlier slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter) to
detect poor choices
147. Firewall
• Effective means of protecting local network of
systems from network-based security threats
from outer world
– while providing (limited) access to the outside
world (the Internet)
148. Need of Firewall
• Internet connectivity is a must for most people and
organizations
– especially for me
• But a convenient Internet connectivity is an invitation for
intruders and hackers
– yet another example of tradeoff between convenience and
security
– Question: What do we mean by “convenient” Internet
connection?
• Firewall basically provides us an option to play within the
spectrum of this tradeoff
149. Firewall Basics
• The firewall is inserted between the internal
network and the Internet (a choke point)
– Establish a controlled link and protect the network
from Internet-based attacks
• keeps unauthorized users away,
• imposes restrictions on network services; only authorized
traffic is allowed
– Location for monitoring security-related events
• auditing, alarms can be implemented
– some firewalls supports IPSec, so VPNs can be
implemented firewall-to-firewall
– some firewalls support NAT (not so security related)
• Open discussion: can’t we put one firewall for
each station within the local network? What are
pros and cons?
150. Firewall Characteristics
• Design goals:
– All traffic from inside from/to outside must pass through
the firewall
– Only authorized traffic (defined by the local security policy)
will be allowed to pass
– The firewall itself should be immune to penetration (use of
trusted system with a secure operating system)
151. Firewall Limitations
• cannot protect from attacks bypassing it
– typical example: dial-in, dial-out
• cannot protect against internal threats
– e.g. fired sysadmin
• cannot protect against transfer of all virus
infected programs or files
– because of heavy traffic and huge range of O/S & file
types
152. Types of Firewalls
• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways (not common, so
skipped)
153. Packet-filtering Router
• Foundation of any firewall system
• Applies a set of rules to each incoming IP packet and then
forwards or discards the packet (in both directions)
• The packet filter is typically set up as a list of rules based
on matches to fields in the IP or TCP header
• context is not checked
• Two default policies (discard or forward)
154. Packet-filtering Router
• Filtering rules are based on
– Source and Destination IP addresses
– Source and destination ports (services) and transport
protocols (TCP or UDP)
– Router’s physical interface
• Rules are listed and a match is tried to be found
starting with the first rule
– Action is either forward or discard
– Generally first matching rule is applied
– If no match, then default policy is used
• Default is either discard or forward
155. Packet Filtering Examples
21
21
{our hosts}
{our hosts}
{our hosts}
For data traffic in passive mode
156. Stateful Inspection
• Example E shows that
>1024 ports need to be opened
– not only due to FTP, all services have such a structure
• <1024 ports are for servers, a client using a service should use a
local port number between 1024 and 16383
• So the firewall should keep track of the currently
opened >1024 ports
• A stateful inspection firewall keeps track of outbound
TCP connection with local port numbers in a table and
allow inbound traffic for >1024 ports if there is an
entry in that table (see next slide for an example
table)
158. Packet-filtering Router
• Advantages:
– Simplicity
– High speed
– Transparency to users
• Disadvantages
– Difficulty of setting up packet filter rules
• configuration is error-prone
– a port is either open or close; no application layer
flexibility
– IP address spoofing
• attacker uses an internal IP address and hopes that packet
penetrates into the system
• countermeasure: do not accept internal IPs from external interface
159. Application-level Gateway
• Application-level Gateway (proxy server)
– Acts as a relay of application-level traffic
• Proxy obtains application specific information from the
user and relays to the server
– Optionally authenticates the users
• Only allowable applications can pass through
– Feature-based processing is possible
• Additional processing overhead on each connection
160. Bastion Host
• A system identified by the firewall administrator as a
critical strong point in the network security
– Used in various firewall configuration (we’ll see now)
• The bastion host serves as a platform for an
application-level gateway
– i.e. a proxy
• Potentially exposed to "hostile" elements, hence is
secured to withstand this
– Trusted system
– Carefully configured and maintained
161. Firewall Configurations
• In addition to the use of simple configuration
of a single system (single packet filtering
router or single gateway), more complex
configurations are possible
162. Screened host firewall system (dual-homed
bastion host)
• Only packets from and to the bastion host are
allowed to pass through the router
• The bastion host performs authentication and proxy
functions
163. Dual-homed Bastion Host
• Good security because of two reasons:
– This configuration implements both packet-level and
application-level filtering
– An intruder must generally penetrate two separate
systems in order to get to the internal network
• This configuration also has flexibility in providing
direct Internet access to a public information server,
e.g. Web server
– by configuring the router
164. Screened-subnet Firewall System
• securer
• creates an isolated sub-network between routers
– Internet and private network have access to this subnet
– Traffic across the subnet is blocked
– This subnet is called DMZ (demilitarized zone)
• Internal network is invisible to the Internet
DMZ
Outside packet
filtering router
Inside packet
filtering router
165. Host-Based Firewalls
• Software module to secure individual hosts
– filter packet flows
– Available as add-on for many OSs
• Often used on servers
• Advantages:
– additional layer of protection to organizational
firewall
– tailored filter rules for specific host needs
– protection from both internal / external attacks
166. Personal Firewall
• controls traffic flow to/from PC/workstation
• for both home or corporate use
• software module on PC
– or in home cable/ADSL router/gateway
• typically less complex than standalone
firewalls
• primary role to deny unauthorized access
– may also monitor/detect/block malware activity