CSCE 715: Network Systems Security - PowerPoint PPT Presentation

Slides: 46
Provided by: huan75
Learn more at: https://www.cse.sc.edu

Transcript and Presenter's Notes



1
CSCE 715: Network Systems Security
  • Chin-Tser Huang
  • huangct_at_cse.sc.edu
  • University of South Carolina

2
Security of Hash Functions and MAC
  • Brute-force attacks
  • strong collision resistance hashes have cost $2^{m/2}$
  • have proposal for hardware MD5 cracker
  • 128-bit hash looks vulnerable, 160-bit better
  • MACs with known message-MAC pairs
  • can either attack keyspace or MAC
  • at least 128-bit MAC is needed for security

3
Security of Hash Functions and MAC
  • Cryptanalytic attacks exploit structure
  • like block ciphers want brute-force attacks to be
    the best alternative
  • Have a number of analytic attacks on iterated
    hash functions
  • $CV_i = f[CV_{i-1}, M_i]$; $H(M) = CV_N$
  • typically focus on collisions in function f
  • like block ciphers is often composed of rounds
  • attacks exploit properties of round functions

4
Keyed Hash Functions as MACs
  • Desirable to create a MAC using a hash function
    rather than a block cipher
  • hash functions are generally faster
  • not limited by export controls on block ciphers
  • Hash includes a key along with the message
  • Original proposal
  • KeyedHash = Hash(Key || Message)
  • some weaknesses were found with this proposal
  • Eventually led to development of HMAC

5
HMAC
  • Specified as Internet standard RFC2104
  • Use hash function on the message
  • $\mathrm{HMAC}_K = \mathrm{Hash}[(K \oplus \mathrm{opad}) \,\|\, \mathrm{Hash}[(K \oplus \mathrm{ipad}) \,\|\, M]]$
  • K is the key padded out to size
  • opad, ipad are specified padding constants
  • Overhead is just 3 more hash compression function
    calculations than the message alone needs
  • Any of MD5, SHA-1, RIPEMD-160 can be used
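
The HMAC formula on this slide, written out step by step and checked against Python's standard `hmac` module. This is an added example, not part of the original slides; the key and message are constructed sample values, and SHA-1 is chosen only because the slide lists it.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # the padding constants specified by RFC 2104


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K = Hash[(K xor opad) || Hash[(K xor ipad) || M]]."""
    block = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block:
        # RFC 2104: a key longer than one block is hashed first
        key = hashlib.new(hash_name, key).digest()
    k = key.ljust(block, b"\x00")  # "K is the key padded out to size"
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k) + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    # constant-time comparison, so the check does not leak how many bytes matched
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)


# constructed sample inputs
KEY = b"constructed-demo-key"
MSG = b"transfer 100 from Alice to Bob"
TAG = hmac_from_formula(KEY, MSG)

if __name__ == "__main__":
    print(TAG.hex(), verify(KEY, MSG, TAG), verify(KEY, MSG + b"0", TAG))
```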

6
HMAC Structure
7
Security of HMAC
  • Security of HMAC relates to that of the
    underlying hash algorithm
  • Attacking HMAC requires either
  • brute force attack on key used
  • birthday attack (but since keyed would need to
    observe a very large number of messages)
  • Choose hash function used based on speed versus
    security constraints

8
Hash and MAC Algorithms
  • Hash Functions
  • condense arbitrary size message to fixed size
  • by processing message in blocks
  • through some compression function
  • either custom or block cipher based
  • Message Authentication Code (MAC)
  • fixed sized authenticator for some message
  • to provide authentication for message
  • by using block cipher mode or hash function

9
See How Cryptographic Tools Really Work
  • OpenSSL is a general-purpose cryptographic
    library with implementations of
  • Symmetric ciphers: 3DES, AES, ...
  • Asymmetric ciphers: RSA, DH, ...
  • Hash functions: MD5, SHA-1, ...

10
Next Topic in Cryptographic Tools
  • Symmetric key encryption
  • Asymmetric key encryption
  • Hash functions and message digest
  • Nonce

11
A Scenario of Replay Attack
  • Alice authorizes a transfer of funds from her
    account to Bob's account
  • An eavesdropping adversary makes a copy of this
    message
  • Adversary replays this message at some later time

12
Replay Attacks
  • Adversary takes past messages and plays them
    again
  • whole or part of message
  • to same or different receiver
  • Encryption algorithms not enough to counter
    replay attacks

13
Freshness Identifiers
  • Sender attaches a freshness identifier to message
    to help receiver determine whether message is
    fresh
  • Three types of freshness identifiers
  • nonces
  • timestamps
  • sequence numbers

14
Nonces
  • A random number generated for a special occasion
  • Need to be unpredictable and not used before
  • Disadvantage is not suitable for sending a stream
    of messages
  • Mostly used in challenge-response protocols

15
Timestamps
  • Sender attaches an encrypted real-time timestamp
    to every message
  • Receiver decrypts timestamp and compares it with
    current reading
  • if difference is sufficiently small, accept
    message
  • otherwise discard message
  • Problem is synchronization between sender and
    receiver

16
Sequence Numbers
  • Sender attaches a monotonically increasing
    counter value to every message
  • Sender needs to remember last used number and
    receiver needs to remember largest received
    number

17
Operation of Sequence Numbers
  • Sender increments sequence number by 1 after
    sending a message
  • Receiver compares sequence number of received
    message with largest received number
  • If larger than largest received number, accept
    message and update largest received number
  • If less than largest received number, discard
    message

18
Problem with Sequence Numbers
  • IPsec uses sequence number to counter replay
    attacks
  • However reorder can occur in IP
  • Messages with larger sequence number may arrive
    before messages with smaller sequence numbers
  • When reordered messages with smaller sequence
    numbers arrive later, they will be discarded

21
Anti-Replay Window Protocol in IPsec
  • Protect IPsec messages against replay attacks and
    counter the problem of reorder
  • Sender puts a sequence number in every message
  • Receiver uses a sliding window to keep track of
    the received sequence numbers

22
Comparison with TCP Sliding Window
  • Purpose: TCP sliding window is used for flow
    control, while anti-replay window is for countering
    replay attacks
  • Size: TCP sliding window is of dynamic size,
    while anti-replay window is of static size (64
    recommended by IPsec)

23
Comparison with TCP Sliding Window
  • Unit: TCP sliding window is byte-oriented, while
    anti-replay window is packet-oriented
  • Retransmission: same sequence number used in TCP
    sliding window, while new sequence number used in
    anti-replay window

24
TCP Sliding Window
[Figure: TCP sliding window over bytes 1 to 11, showing the offered window (advertised by receiver) and the usable window; regions labelled "sent and acknowledged", "sent, not ACKed", "can send ASAP", and "can't send until window moves"]
25
Anti-Replay Window
[Figure: anti-replay window of size w over the sequence numbers, from r-w+1 to right edge r; regions labelled "assumed received", "received before", and "not yet received"]
  • w is window size
  • r is right edge of window
  • Assume s is sequence number of next received
    message
  • Three cases to consider

26
Cases of Anti-Replay Window
  • Case i: if s is smaller than sequence numbers in
    window, discard message s

[Figure: s lies to the left of the window (positions 1 to w, right edge r)]
27
Cases of Anti-Replay Window
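  • Case ii: s is in window
  • if s has not been received yet, then deliver
    message s
  • if s has been received, then discard message s

[Figure: window (positions 1 to w, right edge r) with two examples of s inside it, one marked (deliver) and one marked (discard)]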
28
Cases of Anti-Replay Window
  • Case iii: if s is larger than sequence numbers in
    window, then deliver message s and slide the
    window so that s becomes its new right edge

[Figure: window (positions 1 to w) before shift and after shift]
29
Properties of Anti-Replay Window Protocol
  • Discrimination
  • receiver delivers at most one copy of every
    message sent by sender
  • w-Delivery
  • receiver delivers at least one copy of each
    message that is neither lost nor suffered a
    reorder of degree w or more, where w is window
    size

30
Problem with Anti-Replay Window
  • Receiver gets s, where s >> r
  • Window shifts to right
  • Many good messages that arrive later will be
    discarded

[Figure: window (positions 1 to w) before shift and after shift, with right edge r; the skipped range is labelled "discarded good msgs"]
31
Automatic Shift vs. Controlled Shift
  • Automatic shift: window automatically shifts to
    the right to cover the newly received sequence
    number without any consideration of how far the
    newly received sequence number is ahead
  • Controlled shift: if the newly received sequence
    number is far ahead, discard it without shifting
    window in the hope that those skipped sequence
    numbers may arrive later

32
Three Properties of Controlled Shift
  • Adaptability
  • receiver determines whether to sacrifice a newly
    received message according to the current
    characteristics of the environment
  • Rationality
  • receiver sacrifices only when messages that could
    be saved are more than messages that are
    sacrificed
  • Sensibility
  • receiver stops sacrificing if it senses that the
    messages it means to save are not likely to come

33
Additional Case with Controlled Shift
  • Case iv: s is more than w positions to the right
    of window
  • receiver estimates number of good messages it is
    going to lose if it shifts the window to s
  • if the estimate is larger than d+1, where d is
    the counter of discarded messages, and d+1 is
    less than dmax, then receiver discards this
    message and increments d by 1
  • otherwise, receiver delivers the message, shifts
    the window to the right, and resets d to 0
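
The receiver's cases i to iii from the earlier slides and the controlled-shift case iv above, as one added example (not code from the original slides). The slides do not say how the loss is estimated, so `_loss_estimate` is an assumption, as are the small window size and the constructed arrival trace; `d_max=None` selects automatic shift.

```python
class AntiReplayWindow:
    """Receiver side; sequence numbers start at 1, window covers r-w+1 .. r."""

    def __init__(self, w=64, d_max=None):
        self.w, self.r = w, 0           # window size, right edge
        self.seen = set()               # numbers received inside the window
        self.d, self.d_max = 0, d_max   # d_max=None means automatic shift

    def _left(self):
        return max(1, self.r - self.w + 1)

    def _loss_estimate(self, s):
        # Assumption: count every number that would fall left of the new
        # window (new left edge s-w+1) and has not been received yet.
        return (s - self.w) - self._left() + 1 - len(self.seen)

    def receive(self, s):
        """Return True to deliver message s, False to discard it."""
        if s < self._left():                        # case i
            return False
        if s <= self.r:                             # case ii
            if s in self.seen:
                return False
            self.seen.add(s)
            return True
        if self.d_max is not None and s > self.r + self.w:    # case iv
            if self._loss_estimate(s) > self.d + 1 and self.d + 1 < self.d_max:
                self.d += 1                         # sacrifice s, keep window
                return False
            self.d = 0
        self.r = s                                  # case iii: slide to s
        self.seen = {x for x in self.seen if x > s - self.w} | {s}
        return True


def delivered(trace, **kw):
    win = AntiReplayWindow(**kw)
    return [s for s in trace if win.receive(s)]


# constructed arrival order: 100 jumps far ahead, 4..6 arrive late, 5 is replayed
TRACE = [1, 2, 3, 100, 4, 5, 6, 5]

if __name__ == "__main__":
    print("automatic :", delivered(TRACE, w=4))
    print("controlled:", delivered(TRACE, w=4, d_max=3))
```

With automatic shift the far-ahead message 100 costs the three late messages; with controlled shift the receiver sacrifices 100 instead, and in both runs the replayed 5 is discarded.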

34
Another Problem with Anti-Replay Window
  • Computer may reset due to transient fault or
    power loss
  • If either sender or receiver is reset and
    restarts from 0, then synchronization on sequence
    numbers is lost

35
Scenario of Sender Reset
  • If p is reset, unbounded number of fresh messages
    are discarded by q

[Figure: p and q both at seq 50; p resets and restarts at seq 0; the messages numbered 0, 1, 2, 3, ..., 48, 49 are fresh yet discarded by q]
36
Scenario of Receiver Reset
  • If q is reset, it can accept unbounded number of
    replayed messages

[Figure: p and q both at seq 50; q resets and restarts at seq 0; the messages numbered 0, 1, 2, 3, ..., 48, 49 inserted by adversary are replayed yet accepted by q]
37
Overcome Reset Problems
  • IPsec Working Group: if reset, the Security
    Association (SA) is deleted and a new one is
    established -- very expensive
  • Our solution: periodically push current state of
    SA into persistent memory (e.g. hard drive); if
    reset, restore state of SA from this memory

38
SAVE and FETCH
  • When SAVE is executed, the last sequence number
    or right edge of window will be stored in
    persistent memory
  • When FETCH is executed, the last stored sequence
    number or right edge of window will be loaded
    from persistent memory into memory

39
SAVE at Sender
  • s is sequence number at p
  • Every Kp messages, p executes SAVE(s) to store
    current s in persistent memory
  • Choose appropriate Kp such that in spite of
    execution delay, SAVE(s) is guaranteed to
    complete before message numbered s+Kp is sent

40
FETCH at Sender
  • When p wakes up after reset, p executes FETCH(s)
    to fetch s stored in persistent memory
  • After FETCH(s) completes, p executes SAVE(s+2Kp)
    and waits
  • After SAVE(s+2Kp) completes, p can send next
    message using seq s+2Kp

41
Convergence of Sender
  • Assume when p resets, SAVE(s) has not yet
    completed, and the last sent seq is s+t
  • t < Kp, otherwise SAVE(s) should have completed
  • When p wakes up, s-Kp will be fetched
  • Therefore, adding 2Kp to fetched seq guarantees
    that next sent seq is fresh

42
Convergence of Sender
  • Assume when p resets, SAVE(s) has completed, and
    the last sent seq is s+u
  • u < Kp, otherwise SAVE(s+Kp) should have started
  • When p wakes up, s will be fetched
  • Therefore, adding 2Kp to fetched seq guarantees
    that next sent seq is fresh
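
The sender-side SAVE/FETCH rule and its convergence argument, as an added simulation that is not part of the original slides. Assumptions: SAVE delay is measured in messages sent (`save_delay`, always below Kp as the slides require), the value 0 is stored when the SA is set up, and `jump` is a hypothetical knob so that adding only Kp can be compared with the 2Kp from the slides.

```python
class Sender:
    def __init__(self, kp, save_delay, jump=2):
        assert 0 <= save_delay < kp   # SAVE(s) completes before s+Kp is sent
        self.kp, self.delay, self.jump = kp, save_delay, jump
        self.disk = 0        # persistent memory: survives a reset
        self.s = 0           # volatile: next sequence number to use
        self.pending = None  # volatile: (value, seq at which the SAVE completes)

    def send(self):
        seq = self.s
        if seq > 0 and seq % self.kp == 0:
            self.pending = (seq, seq + self.delay)      # SAVE(seq) starts
        if self.pending and self.pending[1] <= seq:     # SAVE completes
            self.disk, self.pending = self.pending[0], None
        self.s += 1
        return seq

    def reset(self):
        self.pending = None                  # an in-flight SAVE is lost
        fetched = self.disk                  # FETCH(s)
        self.s = fetched + self.jump * self.kp
        self.disk = self.s                   # SAVE(s+2Kp) finishes before sending


def stale_resets(kp, jump=2, horizon=40):
    """(messages sent, save_delay) pairs where the first post-reset seq is not fresh."""
    bad = []
    for delay in range(kp):
        for n in range(1, horizon):
            p = Sender(kp, delay, jump)
            used = [p.send() for _ in range(n)]
            p.reset()
            if p.send() <= used[-1]:
                bad.append((n, delay))
    return bad


if __name__ == "__main__":
    print("jump 2Kp:", stale_resets(5))            # no reset point reuses a number
    print("jump Kp :", stale_resets(5, jump=1)[:3])
```

Resetting at every possible point shows why the slides add 2Kp: with a jump of only Kp, a reset that lands while a SAVE is still in flight resumes at a sequence number that was already sent.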

43
Convergence of Sender
44
Results of SAVE and FETCH
  • When p is reset, some sequence numbers will be
    abandoned by p, but no message sent from p to q
    will be discarded provided no message reorder
    occurs
  • When q is reset, the number of discarded messages
    is bounded by 2Kq
  • When p or q is reset, no replayed message will be
    accepted by q

45
Next Class
  • Address Resolution Protocol (ARP) and its
    security problems
  • Secure ARP
  • Read paper on website