CSCE 715:
Network Systems Security

Chin-Tser Huang
huangct@cse.sc.edu

University of South Carolina

Security of
Hash Functions and MAC
   Brute-force attacks
        strong collision resistance hash have cost $2^{m/2}$
                have proposal for hardware MD5 cracker
                128-bit hash looks vulnerable, 160-bit better
        MACs with known message-MAC pairs
                can either attack keyspace or MAC
                at least 128-bit MAC is needed for security


02/16/2009                                                       2
Security of
Hash Functions and MAC
   Cryptanalytic attacks exploit structure
        like block ciphers want brute-force attacks to be
         the best alternative
   Have a number of analytic attacks on iterated
    hash functions
        $CV_i = f[CV_{i-1}, M_i]$; $H(M) = CV_N$
        typically focus on collisions in function f
        like block ciphers, f is often composed of rounds
        attacks exploit properties of round functions

Keyed Hash Functions as MACs
   Desirable to create a MAC using a hash
    function rather than a block cipher
        hash functions are generally faster
        not limited by export controls on block ciphers
   Hash includes a key along with the message
   Original proposal:
     KeyedHash = Hash(Key|Message)
      some weaknesses were found with this proposal

   Eventually led to development of HMAC

HMAC
   Specified as Internet standard RFC2104
   Use hash function on the message:
     HMAC_K = Hash[(K+ XOR opad) ||
                      Hash[(K+ XOR ipad) || M]]
      K+ is the key padded out to size
      opad, ipad are specified padding constants

   Overhead is just 3 more hash compression
    function calculations than the message alone
    needs
   Any of MD5, SHA-1, RIPEMD-160 can be used

HMAC Structure
   [Figure: HMAC structure]

Security of HMAC
   Security of HMAC relates to that of the
    underlying hash algorithm
   Attacking HMAC requires either:
        brute force attack on key used
        birthday attack (but since keyed would need to
         observe a very large number of messages)
   Choose hash function used based on speed
    versus security constraints


Hash and MAC Algorithms
   Hash Functions
        condense arbitrary size message to fixed size
        by processing message in blocks
        through some compression function
        either custom or block cipher based
   Message Authentication Code (MAC)
        fixed sized authenticator for some message
        to provide authentication for message
        by using block cipher mode or hash function


See How Cryptographic Tools
Really Work
   OpenSSL is a general-purpose
    cryptographic library with
    implementations of
        Symmetric ciphers: 3DES, AES, …
        Asymmetric ciphers: RSA, DH, …
        Hash functions: MD5, SHA-1, …



Next Topic in Cryptographic Tools
   Symmetric key encryption
   Asymmetric key encryption
   Hash functions and message digest
   Nonce




A Scenario of Replay Attack
   Alice authorizes a transfer of funds from
    her account to Bob’s account
   An eavesdropping adversary makes a
    copy of this message
   Adversary replays this message at some
    later time


Replay Attacks
   Adversary takes past messages and
    plays them again
        whole or part of message
        to same or different receiver
   Encryption algorithms not enough to
    counter replay attacks


Freshness Identifiers
   Sender attaches a freshness identifier to
    message to help receiver determine
    whether message is fresh
   Three types of freshness identifiers
        nonces
        timestamps
        sequence numbers

Nonces
   A random number generated for a
    special occasion
   Need to be unpredictable and not used
    before
   Disadvantage is not suitable for sending
    a stream of messages
   Mostly used in challenge-response
    protocols

Timestamps
   Sender attaches an encrypted real-time
    timestamp to every message
   Receiver decrypts timestamp and compares it
    with current reading
        if difference is sufficiently small, accept message
        otherwise discard message
   Problem is synchronization between sender
    and receiver

Sequence Numbers
   Sender attaches a monotonically
    increasing counter value to every
    message
   Sender needs to remember last used
    number and receiver needs to
    remember largest received number


Operation of Sequence Numbers
   Sender increments sequence number by 1
    after sending a message
   Receiver compares sequence number of
    received message with largest received
    number
        If larger than largest received number, accept
         message and update largest received number
        If less than largest received number, discard
         message

Problem with Sequence Numbers
   IPsec uses sequence number to counter
    replay attacks
   However reorder can occur in IP
   Messages with larger sequence number may
    arrive before messages with smaller
    sequence numbers
   When reordered messages with smaller
    sequence numbers arrive later, they will be
    discarded

Anti-Replay Window Protocol
in IPsec
   Protect IPsec messages against replay
    attacks and counter the problem of
    reorder
   Sender puts a sequence number in
    every message
   Receiver uses a sliding window to keep
    track of the received sequence numbers

Comparison with TCP Sliding
Window
   Purpose: TCP sliding window is used
    for flow control, while anti-replay
    window for countering replay attack
   Size: TCP sliding window is of dynamic
    size, while anti-replay window is of
    static size (64 recommended by IPsec)


Comparison with TCP Sliding
Window
   Unit: TCP sliding window is byte-
    oriented, while anti-replay window is
    packet-oriented
   Retransmission: same sequence
    number used in TCP sliding window,
    while new sequence number used in
    anti-replay window

TCP Sliding Window
   [Figure: bytes 1, 2, 3, ..., 11, … on a line, marked with the offered
    window (advertised by receiver) and the usable window. Regions from
    left to right: sent and acknowledged; sent, not ACKed; can send ASAP;
    can't send until window moves]

Anti-Replay Window
   [Figure: line of sequence numbers with a window of positions
    1, 2, 3, ..., w that runs from r-w+1 to right edge r. Legend:
    received before; not yet received; assumed received]
   w is window size
   r is right edge of window
   Assume s is sequence number of next received
    message
   Three cases to consider

Cases of Anti-Replay Window
   Case i: if s is smaller than sequence
    numbers in window, discard message s
   [Figure: window with positions 1 to w and right edge r; s lies to the
    left of the window]

Cases of Anti-Replay Window
   Case ii: s is in window
        if s has not been received yet, then deliver
         message s
        if s has been received, then discard message s
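   [Figure: window with positions 1 to w and right edge r; two positions s
    inside the window, one marked (discard) and one marked (deliver)]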

Cases of Anti-Replay Window
   Case iii: if s is larger than sequence numbers
    in window, then deliver message s and slide
    the window so that s becomes its new right
    edge
   [Figure: window before shift (positions 1 to w, right edge r) and
    window after shift (positions 1 to w, right edge s)]

Properties of
Anti-Replay Window Protocol
   Discrimination:
    receiver delivers at most one copy of
    every message sent by sender
   w-Delivery:
    receiver delivers at least one copy of
    each message that is neither lost nor
    suffered a reorder of degree w or more,
    where w is window size

Problem with Anti-Replay Window
       Receiver gets s, where s >> r
       Window shifts to right
       Many good messages that arrive later will be
        discarded
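   [Figure: window before shift (positions 1 to w, right edge r) and
    window after shift (positions 1 to w, right edge s); the sequence
    numbers between the two windows are labelled "discarded good msgs"]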

Automatic Shift vs. Controlled Shift
   Automatic shift: window automatically
    shifts to the right to cover the newly received
    sequence number without any consideration
    of how far the newly received sequence
    number is ahead
   Controlled shift: if the newly received
    sequence number is far ahead, discard it
    without shifting window in the hope that
    those skipped sequence numbers may arrive
    later

Three Properties of Controlled Shift
   Adaptability
        receiver determines whether to sacrifice a newly
         received message according to the current
         characteristics of the environment
   Rationality
        receiver sacrifices only when messages that could
         be saved are more than messages that are
         sacrificed
   Sensibility
        receiver stops sacrificing if it senses that the
         messages it means to save are not likely to come

Additional Case with Controlled Shift
   Case iv: s is more than w positions to the
    right of window
        receiver estimates number of good messages it is
         going to lose if it shifts the window to s
        if the estimate is larger than d+1, where d is the
         counter of discarded messages, and d+1 is less
         than dmax, then receiver discards this message
         and increments d by 1
        otherwise, receiver delivers the message, shifts
         the window to the right, and resets d to 0
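
Cases i to iii of the anti-replay window and case iv of the controlled shift, as one receiver model run over constructed arrival orders. This is an added example, not code from the slides or from IPsec. It assumes sequence numbers start at 1, and because the slides do not say how the receiver estimates the good messages it would lose, the estimate used here (s - w - r) is an assumption.

```python
class AntiReplayWindow:
    """Receiver state in the slides' notation: w = window size, r = right edge."""

    def __init__(self, w=64, dmax=None):
        self.w = w
        self.r = 0          # assumes the sender numbers its messages from 1
        self.seen = set()   # sequence numbers already delivered inside the window
        self.dmax = dmax    # None: automatic shift; integer: controlled shift
        self.d = 0          # counter of discarded (sacrificed) messages

    def receive(self, s):
        """Return True if message s is delivered, False if it is discarded."""
        if s < 1 or s <= self.r - self.w:          # case i: left of the window
            return False
        if s <= self.r:                            # case ii: inside the window
            if s in self.seen:
                return False                       # received before: replay
            self.seen.add(s)
            return True
        if self.dmax is not None and s > self.r + self.w:   # case iv
            # ASSUMPTION: estimate of lost good messages = sequence numbers that
            # would fall to the left of the window once its right edge moves to s.
            estimate = s - self.w - self.r
            if estimate > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1
                return False                       # sacrifice s, keep the window
            self.d = 0
        self.r = s                                 # case iii: slide right edge to s
        self.seen = {x for x in self.seen if x > s - self.w}
        self.seen.add(s)
        return True


def delivered(arrivals, **kw):
    """Feed arrival order through a fresh window; return what gets delivered."""
    win = AntiReplayWindow(**kw)
    return [s for s in arrivals if win.receive(s)]


# Constructed arrival orders (not from the slides).
REPLAYED = [1, 2, 2, 1, 3]                       # duplicates injected
REORDERED = [1, 2, 3, 8, 5, 4, 9, 2]             # reorder within and beyond w=4
JUMP = [1, 2, 3, 100, 4, 5, 6, 101, 102]         # one far-ahead number arrives early

if __name__ == "__main__":
    print(delivered(REPLAYED, w=4))
    print(delivered(REORDERED, w=4))
    print("automatic: ", delivered(JUMP, w=4))
    print("controlled:", delivered(JUMP, w=4, dmax=3))
```

With automatic shift the early arrival of 100 costs messages 4, 5 and 6; with controlled shift the receiver sacrifices 100 and 101 instead and gives in at 102, when d+1 reaches dmax.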

Another Problem with
Anti-Replay Window
   Computer may reset due to transient
    fault or power loss
   If either sender or receiver is reset and
    restarts from 0, then synchronization on
    sequence numbers is lost




Scenario of Sender Reset
   If p is reset, unbounded number of
    fresh messages are discarded by q
   [Figure: p and q are both at seq# 50; p is reset to seq# 0 and sends
    messages numbered 0, 1, 2, 3, ..., 48, 49 to q: fresh messages yet
    discarded by q]

Scenario of Receiver Reset
   If q is reset, it can accept unbounded
    number of replayed messages
   [Figure: p and q are both at seq# 50; q is reset to seq# 0; messages
    numbered 0, 1, 2, 3, ..., 48, 49 are inserted by adversary: replayed
    yet accepted by q]

Overcome Reset Problems
   IPsec Working Group: if reset, the
    Security Association (SA) is deleted and
    a new one is established -- very
    expensive
   Our solution: periodically push current
    state of SA into persistent memory (e.g.
    hard drive); if reset, restore state of SA
    from this memory

SAVE and FETCH
   When SAVE is executed, the last
    sequence number or right edge of
    window will be stored in persistent
    memory
   When FETCH is executed, the last
    stored sequence number or right edge
    of window will be loaded from
    persistent memory into memory

SAVE at Sender
   s is sequence number at p
   Every Kp messages, p executes SAVE(s)
    to store current s in persistent memory
   Choose appropriate Kp such that in spite
    of execution delay, SAVE(s) is
    guaranteed to complete before
    message numbered s+Kp is sent

FETCH at Sender
   When p wakes up after reset, p
    executes FETCH(s) to fetch s stored in
    persistent memory
   After FETCH(s) completes, p executes
    SAVE(s+2Kp) and waits
   After SAVE(s+2Kp) completes, p can
    send next message using seq# s+2Kp

Convergence of Sender
   Assume when p resets, SAVE(s) has not
    yet completed, and the last sent seq# is
    s+t
        t < Kp otherwise SAVE(s) should have
         completed
   When p wakes up, s-Kp will be fetched
   Therefore, adding 2Kp to fetched seq#
    guarantees that next sent seq# is fresh

Convergence of Sender
   Assume when p resets, SAVE(s) has
    completed, and the last sent seq# is
    s+u
        u < Kp otherwise SAVE(s+Kp) should have
         started
   When p wakes up, s will be fetched
   Therefore, adding 2Kp to fetched seq#
    guarantees that next sent seq# is fresh
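
The sender's SAVE and FETCH procedure and the two convergence cases, checked by simulation: a reset is tried after every possible number of sent messages and the first sequence number after recovery is compared with the last one sent. This is an added example, not code from the slides; the Sender class, the save_delay parameter (how many further messages are sent before a SAVE reaches persistent memory) and the leap parameter are assumptions made for the model.

```python
class Sender:
    """Process p: persists its sequence number every Kp messages (SAVE)."""

    def __init__(self, kp, save_delay):
        assert 0 <= save_delay < kp   # SAVE(s) must finish before s+Kp is sent
        self.kp, self.delay = kp, save_delay
        self.s = 0           # next sequence number to send
        self.disk = 0        # persistent memory (assumed written at SA setup)
        self.pending = None  # in-flight SAVE: (value, seq# by which it is done)

    def send(self):
        if self.pending and self.s >= self.pending[1]:
            self.disk, self.pending = self.pending[0], None   # SAVE completed
        if self.s % self.kp == 0:
            self.pending = (self.s, self.s + self.delay)      # start SAVE(s)
        self.s += 1
        return self.s - 1

    def reset_and_recover(self, leap=2):
        """Reset loses volatile state; FETCH, then resume at fetched + leap*Kp."""
        self.pending = None                 # an unfinished SAVE never reaches disk
        fetched = self.disk                 # FETCH(s)
        self.s = fetched + leap * self.kp
        self.disk = self.s                  # SAVE(s+2Kp) completes before sending
        return self.s


def min_gap(kp, save_delay, leap, horizon=200):
    """Smallest (first seq# after reset) - (last seq# sent before reset),
    taken over a reset after every possible number of sent messages."""
    gaps = []
    for sent in range(1, horizon):
        p = Sender(kp, save_delay)
        last = [p.send() for _ in range(sent)][-1]
        gaps.append(p.reset_and_recover(leap) - last)
    return min(gaps)


if __name__ == "__main__":
    # A gap of 1 or more means the first seq# after reset was never used before.
    print("leap 2Kp, slow SAVE:", min_gap(kp=10, save_delay=9, leap=2))
    print("leap 2Kp, fast SAVE:", min_gap(kp=10, save_delay=0, leap=2))
    # Adding only Kp is not enough: a gap of 0 or less means a seq# is reused.
    print("leap Kp,  slow SAVE:", min_gap(kp=10, save_delay=9, leap=1))
```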

Convergence of Sender
   [Figure: timeline of sequence number at process p. SAVE(s-Kp) ends and
    SAVE(s) starts at s; reset occurs at s+t (t < Kp), before SAVE(s)
    ends; or SAVE(s) ends and reset occurs at s+u (u < Kp), before
    SAVE(s+Kp) starts at s+Kp]

Results of SAVE and FETCH
   When p is reset, some sequence numbers will
    be abandoned by p, but no message sent
    from p to q will be discarded provided no
    message reorder occurs
   When q is reset, the number of discarded
    messages is bounded by 2Kq
   When p or q is reset, no replayed message
    will be accepted by q

Next Class
   Address Resolution Protocol (ARP) and
    its security problems
   Secure ARP
   Read paper on website



