Chapters 9 and 8 SambaSMB, Network Security - PowerPoint PPT Presentation

Provided by: profri
Slides: 21

1
Chapters 9 and 8: Samba/SMB, Network Security
  • Professor Rick Han
  • University of Colorado at Boulder
  • rhan_at_cs.colorado.edu

2
Announcements
  • HW 5 a possibility
  • Programming Assignment 3 due May 2
  • Lecture slides from last week online after class
  • In Chapter 8, read all sections.
  • Next, Samba/SMB, Network Security

3
Recap of Previous Lecture
  • An example caching policy for an HTTP proxy
  • Conditional GET with If-Modified-Since header
  • Proxy returns page from its cache only if that
    page is not expired and its Last-Modified is more
    recent than the If-Modified-Since date
  • Otherwise, proxy forwards conditional GET to
    server, which either replies with
  • New page, or
  • Status 304 Not Modified
  • Network Address Translation (NAT)
  • Outbound: Substitute NAT's IP address and TCP
    port for the packet's source IP and source TCP
    port
  • Inbound: Substitute NAT's IP addr and TCP port
    for packet's dest IP and dest TCP port
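
The proxy decision rule from the recap, written out as an added example (not code from the lecture): the cache answers only when its copy is unexpired and its Last-Modified is newer than the client's If-Modified-Since; otherwise the conditional GET goes to the origin, which replies 304 or with a new page. The dates, page bodies and cache entry are constructed for the demo.

```python
# Added example (not from the lecture slides): the proxy caching policy from the recap as
# code. Dates, the page body and the cache entry are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class CacheEntry:
    body: bytes
    last_modified: datetime  # Last-Modified header seen when the page was fetched
    expires: datetime        # end of the cached copy's freshness lifetime


@dataclass
class OriginPage:
    body: bytes
    last_modified: datetime


def origin_conditional_get(page: OriginPage, if_modified_since: datetime) -> Tuple[int, Optional[bytes]]:
    """Server side: 304 Not Modified if the page has not changed since the given date,
    otherwise 200 with the new page."""
    if page.last_modified <= if_modified_since:
        return 304, None
    return 200, page.body


def proxy_conditional_get(entry: Optional[CacheEntry], if_modified_since: datetime,
                          now: datetime, origin: OriginPage) -> Tuple[str, int, Optional[bytes]]:
    """Proxy side. Returns (answered_by, status, body). The cache answers only when the
    copy is not expired AND its Last-Modified is more recent than If-Modified-Since;
    otherwise the conditional GET is forwarded to the origin server."""
    if entry is not None and now < entry.expires and entry.last_modified > if_modified_since:
        return "cache", 200, entry.body
    status, body = origin_conditional_get(origin, if_modified_since)
    return "origin", status, body


# Constructed scenario data
T0 = datetime(2001, 4, 20, tzinfo=timezone.utc)
DAY = timedelta(days=1)
PAGE_V1 = OriginPage(b"<html>v1</html>", T0 + 1 * DAY)
PAGE_V2 = OriginPage(b"<html>v2</html>", T0 + 6 * DAY)
CACHED_V1 = CacheEntry(PAGE_V1.body, PAGE_V1.last_modified, expires=T0 + 10 * DAY)


def demo():
    return {
        # fresh copy, newer than the client's date: served from the proxy cache
        "fresh_hit": proxy_conditional_get(CACHED_V1, T0, T0 + 2 * DAY, PAGE_V1),
        # copy expired, origin unchanged since the client's date: origin answers 304
        "expired_304": proxy_conditional_get(CACHED_V1, T0 + 5 * DAY, T0 + 11 * DAY, PAGE_V1),
        # nothing cached and the origin page changed: origin returns the new page
        "miss_200": proxy_conditional_get(None, T0 + 5 * DAY, T0 + 2 * DAY, PAGE_V2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```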

4
Recap of Previous Lecture (2)
  • NAT
  • Static NATs map an inbound packet's dest IP and
    dest TCP port to an internal host's fixed IP addr
    and TCP port
  • Enables a Web server behind a NAT to serve Web
    pages to external hosts
  • Adds security risk
  • Dynamic NATs provide a firewall masquerading
    capability
  • In absence of fixed mappings, external hosts
    can't make an inbound connection to any internal
    host
  • Internal hosts can still make outbound TCP
    connections
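
An added example (not from the lecture) that models the NAT behaviour of slides 3 and 4 with a translation table: outbound packets get the NAT's IP and a fresh port as their source, inbound packets are mapped back only if a dynamic or static mapping exists, and everything else is dropped (the masquerading effect). The IP addresses and ports are constructed; the table is keyed on the internal source endpoint only, which is a simplification of real NATs that track the full connection tuple.

```python
# Added example (not from the slides): a minimal NAT translation table showing outbound
# rewriting, inbound lookup, static mappings for a server, and the drop of unsolicited
# inbound connections. Addresses are constructed documentation-range values.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, tcp port)


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.dynamic: Dict[Endpoint, int] = {}          # internal (ip, port) -> public port
        self.by_public_port: Dict[int, Endpoint] = {}   # public port -> internal (ip, port)
        self.static: Dict[int, Endpoint] = {}           # fixed public port -> internal server

    def add_static(self, public_port: int, internal: Endpoint) -> None:
        """Static NAT: a fixed inbound mapping, e.g. to expose a Web server.
        This is the mapping the slides flag as a security risk."""
        self.static[public_port] = internal

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Outbound: substitute the NAT's IP and an allocated port for the packet's source.
        The same internal endpoint reuses its mapping for later packets."""
        port = self.dynamic.get(src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.dynamic[src] = port
            self.by_public_port[port] = src
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Inbound: substitute the internal host's IP and port for the destination.
        Returns None (packet dropped) when no static or dynamic mapping matches, which is
        what prevents external hosts from opening connections to internal hosts."""
        ip, port = dst
        if ip != self.public_ip:
            return None
        internal = self.static.get(port) or self.by_public_port.get(port)
        if internal is None:
            return None
        return src, internal


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    nat.add_static(80, ("10.0.0.5", 80))
    print(nat.outbound(("10.0.0.7", 51000), ("198.51.100.9", 443)))
    print(nat.inbound(("198.51.100.9", 443), ("203.0.113.1", 40000)))
    print(nat.inbound(("198.51.100.9", 1234), ("203.0.113.1", 40001)))  # None: dropped
    print(nat.inbound(("198.51.100.9", 5555), ("203.0.113.1", 80)))     # static mapping
```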

5
Samba/SMB
  • Server Message Block (SMB) Protocol
  • File sharing protocol that ships with Microsoft
    OSs
  • Basis for Network Neighborhood
  • Application-layer protocol over TCP/UDP/IP
  • Open-source SAMBA Server suite enables other OSs
    such as Linux to speak SMB
  • Enables an MS client to access files on a UNIX
    server: very useful!

6
Samba/SMB (2)
  • For historical reasons, SMB first ran across the
    NETBIOS API, which then ran across various
    network protocols, e.g. TCP/UDP, IPX, SNA,
    DECnet, etc.
  • SMB packets can be framed in NETBIOS packets
    which are encapsulated by TCP/UDP
  • NETBIOS over TCP/UDP is called NBT

[Diagram: protocol stack, top to bottom: SMB / NETBIOS / TCP/UDP, IPX, SNA or ...]

7
Samba/SMB (3)
  • Newer version of SMB: Windows 2000 now runs SMB
    natively on top of TCP/UDP
  • no NETBIOS framing
  • renamed to Common Internet File System (CIFS)
  • CIFS actually refers to the entire suite of
    protocols: file/printer-sharing, service
    announcement, naming, authentication,
    authorization
  • Supports older version of SMB too, to maintain
    compatibility

[Diagram: protocol stack, top to bottom: SMB (Windows 2000) / TCP/UDP]

8
Samba/SMB (4)
  • NBT creates an abstraction, a virtual LAN, even
    if actual nodes are distributed over a wide area
  • NBT provides 3 services over a virtual LAN
  • Naming Service
  • Datagram Distribution Service
  • Session Service
  • NBT Naming Service
  • Broadcast: "where's anchor?" / "Here I am"
  • Point-to-point required to bridge subnets,
    because broadcasts are typically confined to a
    subnet
  • A NETBIOS Name Server (NBNS) provides name-to-IP
    mappings for a NETBIOS virtual LAN
  • Also called WINS in MS terminology

9
Samba/SMB (5)
  • NBT Naming Service (cont.)
  • Runs on UDP port 137: NETBIOS naming queries are
    encapsulated in UDP, then IP
  • NBT Datagram Service
  • Runs over UDP port 138
  • Point-to-point and multicast are straightforward
    within a LAN
  • Multicast across IP subnets requires a bridging
    agent, a NETBIOS Datagram Distribution Server
    (NBDD)
  • Multicast datagrams are sent to NBDD, which gets
    list of hosts in multicast group from NBNS, then
    sends point-to-point to each host
  • WINS messed up its implementation of NBDD (as of
    May 2001): some group members won't receive
    multicast

10
Samba/SMB (6)
  • NBT Session Service
  • Runs over TCP port 139
  • Implements file sharing
  • Simple sequence of events
  • Source X gives NETBIOS name of destination Y to
    NBT Name Service and gets back IP address of Y
  • Source X establishes a TCP connection with Y
  • Source X sends a NETBIOS SESSION SERVICE REQUEST
    to Y. Y accepts request.
  • X and Y exchange files via SMB.
  • SMB packets consist of 0xFF, then the letters
    "SMB", followed by a command and data
  • Commands are patterned after DOS I/O commands,
    and include OPEN, CLOSE, DELETE, etc.
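
The byte layouts behind slides 8 to 10, as an added example that is not code from the lecture or from the Samba project: NetBIOS first-level name encoding as used by the Naming Service on UDP 137, a name query packet, the Session Service header on TCP 139 with a SESSION REQUEST carrying the called and calling names, and a parser that recognises the 0xFF "SMB" marker and the command byte that follows it. The names "ANCHOR" and "CLIENT" are constructed; the header field values in `smb_header` are zeroed for the demo rather than copied from a real client.

```python
# Added example, not from the lecture slides or Samba: builds and parses the NBT
# name-service, NBT session-service and SMB-header byte layouts from slides 8-10.
# Sample names ("ANCHOR", "CLIENT") are constructed for the demo.
import struct
from typing import Tuple

# --- NBT Naming Service (UDP 137): first-level name encoding ---------------------

def nbt_encode_name(name: str, suffix: int = 0x20) -> bytes:
    """Pad the name to 15 bytes, append the suffix byte, then turn each byte into two
    letters: high nibble + 'A', low nibble + 'A' (32 bytes total)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))


def nbt_decode_name(encoded: bytes) -> Tuple[str, int]:
    """Inverse of nbt_encode_name; rejects anything outside the 'A'..'P' alphabet."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def nbt_wire_name(name: str, suffix: int = 0x20) -> bytes:
    """Length byte (32), encoded name, terminating 0x00 (empty scope): 34 bytes."""
    return b"\x20" + nbt_encode_name(name, suffix) + b"\x00"


def nbt_name_query(name: str, txid: int = 0x1234) -> bytes:
    """Broadcast NB name query: 12-byte header, question name, type NB, class IN."""
    flags = 0x0110  # opcode QUERY, recursion desired, broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + nbt_wire_name(name) + struct.pack(">HH", 0x0020, 0x0001)

# --- NBT Session Service (TCP 139) -----------------------------------------------

NBT_SESSION_MESSAGE = 0x00
NBT_SESSION_REQUEST = 0x81
NBT_POSITIVE_RESPONSE = 0x82


def nbt_session_packet(ptype: int, payload: bytes) -> bytes:
    """4-byte session header: type, flags (bit 0 = length bit 16), 16-bit length."""
    n = len(payload)
    return bytes([ptype, (n >> 16) & 1]) + struct.pack(">H", n & 0xFFFF) + payload


def nbt_session_request(called: str, calling: str) -> bytes:
    """X sends the NetBIOS names of Y (called) and of itself (calling) before any SMB."""
    return nbt_session_packet(NBT_SESSION_REQUEST,
                              nbt_wire_name(called, 0x20) + nbt_wire_name(calling, 0x00))


def parse_nbt_session(data: bytes) -> Tuple[int, bytes]:
    """Split a session packet into (type, payload); refuse truncated input."""
    if len(data) < 4:
        raise ValueError("short NBT session header")
    ptype, flags = data[0], data[1]
    length = struct.unpack(">H", data[2:4])[0] | ((flags & 1) << 16)
    if len(data) < 4 + length:
        raise ValueError("truncated NBT session packet")
    return ptype, data[4:4 + length]

# --- SMB header: 0xFF 'S' 'M' 'B', command byte, then fixed fields (32 bytes) -----

SMB_COMMANDS = {0x02: "OPEN", 0x04: "CLOSE", 0x06: "DELETE", 0x0A: "READ", 0x0B: "WRITE",
                0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}


def smb_header(command: int) -> bytes:
    """32-byte SMB header with the remaining fields zeroed (demo values, not a real client)."""
    return (b"\xffSMB" + bytes([command])
            + struct.pack("<I", 0)          # status
            + bytes(1) + bytes(2)           # flags, flags2
            + bytes(2) + bytes(8) + bytes(2)  # pid_high, security features, reserved
            + struct.pack("<HHHH", 0, 0, 0, 0))  # tid, pid, uid, mid


def parse_smb_command(session_msg: bytes) -> str:
    """Check the 0xFF 'SMB' marker and name the command byte that follows it."""
    if len(session_msg) < 32 or session_msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    return SMB_COMMANDS.get(session_msg[4], "0x%02X" % session_msg[4])


if __name__ == "__main__":
    print(nbt_encode_name("ANCHOR"), len(nbt_name_query("ANCHOR")))
    req = nbt_session_request("ANCHOR", "CLIENT")
    print(parse_nbt_session(req)[0], len(req))
    msg = nbt_session_packet(NBT_SESSION_MESSAGE, smb_header(0x72))
    print(parse_smb_command(parse_nbt_session(msg)[1]))
```

The sequence on the slide maps directly onto these helpers: X resolves Y with a `nbt_name_query`, opens TCP 139, sends `nbt_session_request`, and after a 0x82 positive response every SMB command travels inside a type 0x00 session message whose payload starts with 0xFF "SMB".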

11
Samba/SMB (7)
  • SMB
  • Several dialects of SMB, so there is always a
    negotiation phase to make sure SMB client speaks
    the same dialect as SMB server
  • Network Neighborhood is supported by a Browsing
    Service
  • Browsing is organized in terms of IP subnets and
    Workgroups.
  • A "Workgroup" is a set of NBT nodes on an IP
    subnet that shares the same Workgroup name.
  • On each subnet, the Workgroup members hold an
    "election," which involves sending group
    datagrams via the NBT Datagram Service.
  • A Domain Master Browser enables browsing across
    subnets

12
Samba/SMB (8)
  • CIFS
  • Removes NETBIOS/NBT
  • Also, replaces NETBIOS services with
    standards-based services
  • Example: NBNS is replaced with Dynamic DNS
  • SAMBA
  • Racing to stay compatible with latest MS twist on
    CIFS, e.g. Windows 2000
  • See www.samba.org for more info

13
Network Security
  • Classic properties of secure systems
  • Confidentiality
  • Encrypt message so only sender and receiver can
    understand it.
  • Authentication
  • Both sender and receiver need to verify the
    identity of the other party in a communication:
    are you really who you claim to be?
  • Authorization
  • Does a party with a verified identity have
    permission to access (r/w/x) information? Gets
    into access control policies.

14
Network Security (2)
  • Classic properties of secure systems (cont.)
  • Integrity
  • During a communication, can both sender and
    receiver detect whether a message has been
    altered?
  • Non-Repudiation
  • Originator of a communication can't later deny
    that the communication took place
  • Availability
  • Guaranteeing access to legitimate users.
    Prevention of Denial-of-Service (DoS) attacks.

15
Cryptography
[Diagram: plaintext -> encrypt -> ciphertext -> decrypt -> plaintext]
  • Encryption algorithm also called a cipher
  • Cryptography has evolved so that modern
    encryption and decryption use secret keys
  • Only have to protect the keys! -> Key
    distribution problem
  • Cryptographic algorithms can be openly published

[Diagram: plaintext -> encrypt with key KA -> ciphertext -> decrypt with key KB -> plaintext]

16
Cryptography (2)
  • Cryptography throughout history
  • Julius Caesar cipher replaced each character by
    a character cyclically shifted to the left.
    Weakness?
  • Easy to attack by looking at frequency of
    characters
  • Mary Queen of Scots put to death for treason
    after Queen Elizabeth I's spymaster cracked her
    encryption code
  • WWII Allies break German Enigma code and
    Japanese naval code
  • Enigma code machine (right)

17
Cryptography (3)
  • Cryptanalysis: Types of attacks
  • Brute force: try every key
  • Ciphertext-only attack
  • Attacker knows ciphertext of several messages
    encrypted with same key (but doesn't know
    plaintext).
  • Possible to recover plaintext (also possible to
    deduce key) by looking at frequency of ciphertext
    letters
  • Known-plaintext attack
  • Attacker observes pairs of plaintext/ciphertext
    encrypted with same key.
  • Possible to deduce key and/or devise algorithm to
    decrypt ciphertext.
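
An added example, not from the lecture, that ties slide 16 to slide 17: a Caesar cipher, a brute-force pass over all 26 shifts, and the ciphertext-only attack that picks the shift whose letter frequencies look most like English. The English frequency table is an approximation and the sample sentence is constructed; both are assumptions of this demo rather than data from the slides.

```python
# Added example (not from the slides): Caesar cipher plus the frequency-analysis
# ciphertext-only attack the slides describe. The English letter table is approximate and
# the sample text is constructed for the demo.
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (%) of letters A..Z in English text (assumed values).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]

# Constructed sample plaintext, long enough for letter statistics to be meaningful.
SAMPLE = ("The Samba suite lets a Linux server speak the SMB protocol, so that Windows "
          "clients can open, read, write and close files on it just as they would on a "
          "Windows file server. Before any file is exchanged the two sides negotiate a "
          "common dialect, and the client must authenticate and be authorized to use the share.")


def caesar(text: str, shift: int) -> str:
    """Replace each letter by the letter `shift` positions further along the alphabet,
    cyclically; a negative shift decrypts. Non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text: str):
    counts = [0] * 26
    for ch in text.upper():
        if "A" <= ch <= "Z":
            counts[ord(ch) - 65] += 1
    return counts


def chi_squared(counts, total: int) -> float:
    """Distance between the observed letter distribution and English (lower = closer)."""
    return sum((c - total * f / 100) ** 2 / (total * f / 100)
               for c, f in zip(counts, ENGLISH_FREQ))


def recover_shift(ciphertext: str) -> int:
    """Ciphertext-only attack: brute-force all 26 shifts and keep the candidate whose
    letter frequencies best match English. No plaintext or key is needed, which is
    exactly the weakness the slide points at."""
    total = sum(letter_counts(ciphertext))
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        score = chi_squared(letter_counts(caesar(ciphertext, -shift)), total)
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift


if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    s = recover_shift(ct)
    print("recovered shift:", s)
    print(caesar(ct, -s)[:60])
```

The attack needs no key guess at all: with only 26 candidates the brute force is free, and the frequency score is what tells the right candidate from the 25 wrong ones, which is why the slide calls the scheme easy to attack by looking at character frequencies.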

18
Cryptography (4)
  • Cryptanalysis: Types of attacks
  • Chosen-plaintext attack
  • Attacker can choose the plaintext and look at the
    paired ciphertext.
  • Attacker has more control than known-plaintext
    attack and may be able to gain more info about
    key
  • Adaptive Chosen-Plaintext attack
  • Attacker chooses a series of plaintexts, basing
    the next plaintext on the result of previous
    encryption
  • Differential cryptanalysis: very powerful
    attacking tool
  • But DES is resistant to it
  • Cryptanalysis attacks often exploit the
    redundancy of natural language
  • Lossless compression before encryption removes
    redundancy

19
Cryptography (5)
  • Symmetric or Secret-Key Cryptography
  • Both sender and receiver keys are the same: KA = KB
  • Data Encryption Standard (DES)
  • Encodes plaintext in 64-bit chunks using a 64-bit
    key (56 bits + 8 bits parity)
  • Uses permutation or transposition of characters
  • abcd -> dbac
  • Was cracked in 1997
  • Triple-DES: put the output of DES back as input
    into DES again, loop again
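
An added example (not from the lecture) on the "64-bit key = 56 bits + 8 bits parity" point: the low bit of each DES key byte is a parity bit, set so every byte has odd parity, so two keys that differ only in those bits select the same cipher and a brute-force search only has 2^56 keys to cover. The test key bytes below are constructed for the demo.

```python
# Added example, not from the slides: setting and checking the 8 parity bits of a DES key
# and counting the 56 bits that actually matter to brute force. Sample keys constructed.

def des_set_parity(key: bytes) -> bytes:
    """Return the key with each byte's low bit chosen so the byte has odd parity
    (the DES convention); the 7 high bits of every byte are left untouched."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (64 bits)")
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def des_check_parity(key: bytes) -> bool:
    """True when every byte of the 8-byte key has odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def des_key_equivalent(k1: bytes, k2: bytes) -> bool:
    """Keys that differ only in parity bits drive DES identically: parity bits are
    never used by the cipher itself."""
    return len(k1) == len(k2) == 8 and all((a & 0xFE) == (b & 0xFE) for a, b in zip(k1, k2))


def des_effective_keyspace() -> int:
    """Number of distinct DES keys a brute-force search must consider."""
    return 2 ** 56


if __name__ == "__main__":
    k = bytes.fromhex("13 34 57 79 9b bc df f1")  # constructed key with correct parity
    print(des_check_parity(k), des_set_parity(bytes(8)).hex(), des_effective_keyspace())
```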

20
Cryptography (6)
  • Public-Key Cryptography
  • Host who wants data sent to it advertises a
    public encryption key Kpublic
  • Decryption algorithm has the property that only a
    private key Kprivate can decrypt the ciphertext
  • Based on the difficulty of factoring the product
    of two primes
  • Even though attacker knows the public key Kpublic
    and the encryption algorithm, the attacker still
    does not know the private key Kprivate
  • Example: RSA encryption algorithm
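
Textbook RSA with small primes, as an added example that is not code from the lecture: Kpublic = (n, e) is advertised, Kprivate = d decrypts, and d can only be derived from the factors of n. The primes p = 61, q = 53 and exponent e = 17 are chosen for readable arithmetic; the toy trial-division factoring shows the step an attacker would need, which is cheap here and infeasible at real key sizes.

```python
# Added example (not from the slides): textbook RSA with small, constructed primes.
# p = 61, q = 53, e = 17 are chosen only to keep the numbers small.
from math import gcd, isqrt
from typing import Tuple


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], int]:
    """Kpublic = (n, e) is published; Kprivate = d stays secret. d depends on
    phi(n) = (p-1)(q-1), which only someone who knows the factors of n can compute."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return (n, e), d


def rsa_encrypt(pub: Tuple[int, int], m: int) -> int:
    """Anyone holding Kpublic can encrypt: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    """Only the holder of Kprivate can decrypt: m = c^d mod n."""
    return pow(c, d, n)


def factor_toy(n: int) -> Tuple[int, int]:
    """Trial division: fine for a 12-bit n, hopeless for a 2048-bit one. That cost gap
    is what keeps Kprivate secret even though (n, e) and the algorithm are public."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("prime, or too large to factor this way")


def recover_private_key(pub: Tuple[int, int]) -> int:
    """What an attacker must do to get d: factor n, then repeat the key derivation."""
    n, e = pub
    p, q = factor_toy(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pub, 65)
    print(pub, d, c, rsa_decrypt(pub[0], d, c))
    print("d recovered by factoring n:", recover_private_key(pub))
```

This is raw ("textbook") RSA on integers; deployed systems add randomized padding before exponentiation and use moduli of 2048 bits or more, which is what puts `factor_toy`'s job out of reach.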