Network Security Continued - PowerPoint PPT Presentation

About This Presentation
Title:

Network Security Continued

Description:

CAPTCHA -- Completely Automated Public Turing test to tell Computers and Humans Apart Below is a picture from wiki CAPTCHA Was proposed by Luis von Ahn, Manuel ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 28
Provided by: Zhen67
Learn more at: http://www.cs.fsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Network Security Continued


1
Network Security Continued
2
Authentication
  • If someone claims he is A and wants to have a
    conversation with you, how do you verify?
  • He should present something to you which you can
    check and which he can have if and only if he is
    A.
  • We can all think of certain things for our real
    friends, but does such thing exist in the
    electronic world?

3
Simple Protocol
  • Will this work suppose A and B knows each
    others public key If A wants to communicate
    with B, A sends E_pkBD_skA(P), where P is the
    plain text message.
  • Because of the digital signature scheme, B knows
    that this message is originally from A.
  • But a message that is originally from A does not
    mean that it is from A the replay attack. What
    the adversary can do is first play the message
    with you, after you are tricked to believe it is
    A, then ask for transferring 10000.

4
The solution
  • Recall that everyone has a public key and a
    private key.
  • Suppose Alice and Bob knows each others public
    key.
  • If Alice wants to setup a session with Bob, she
    sends Bob a message E_pkBAlice, R_a, meaning
    that I am Alice and I want to talk to you, where
    R_a is a number picked at random.
  • Bob replies E_pkAR_a, R_b, K_s, where R_b is a
    number picked at random and K_s is the session
    key.
  • Alice replies AES_K_sR_b.
  • (not exactly the same as Skypes protocol, but
    the idea is the same)

5
Explanations
  • Message 2. When Alice gets E_pkAR_a, R_b, K_s,
    she can decrypt it and can get R_a, R_b, K_s.
    When she sees R_a, she knows that this is the
    response she is waiting for and the sender must
    be Bob. Why?
  • Because no one except Bob knows how to decode
    E_pkBAlice, R_a to get R_a and R_a is totally
    random and it is impossible for one to guess it
    right.

6
Explainations
  • Message 3. When Bob gets AES_K_sR_b, he can use
    K_s to decode it to get R_b. Then he knows that
    this must be the message he is waiting for and
    the one who sent the first message must be Alice.
    Why?
  • Because no one except Alice knows how to decode
    E_pkAR_a, R_b, K_s to get R_b and K_s to get
    AES_K_sR_b.

7
Explanations
  • The key is, we can make sure that every message
    must be the response of the previous message.
  • After the session key is exchanged, the
    conversation can begin.

8
SSL -- Secure Sockets Layer and HTTPS
  • Build a secure connection between two sockets.
  • It is a layer between the application layer and
    the transportation layer.
  • When HTTP is run over SSL, it is HTTPS.

9
SSL
  • Twp protocols, one for establishing a secure
    connection, the other for using it.
  • Fig. 8-51. Establishing connection.
  • A-gtB. SSL version, Preferences, R_A.
  • B-gtA. SSL version, Choices, R_B. Certificate.
    Done.
  • A-gtB. E_pkBpremaster key. Change cipher.
    Finished.
  • B-gtA. Change cipher. Finished.
  • R_A, R_B, premaster key used to get the session
    key.
  • A is sure that she is talking to B. B use
    passwords to make sure that he is talking to A.

10
PGP Pretty Good Privacy
  • Used in E-mails.

EB
RSA
K_M
DA
zip
MD5
RSA
IDEA
P
11
Attacks SYN Flood
  • SYN Flood
  • TCP establishes the connection by three-way
    handshake. Client sends SYN, server receives SYN,
    sends SYN ACK, at the same time allocating memory
    for this connection.
  • If the client just send SYN, but not respond to
    the SYN ACK, the server will wait for a while and
    release the memory.
  • What if people use spoofed source IP addresses to
    send SYN packets?

12
Attacks Reflection
  • Reflection.
  • What if people use the a lot of computers sending
    SYN to server with a victims IP address as the
    source address?

13
Attacks
  • http//www.nytimes.com/2008/11/10/technology/inter
    net/10attacks.html
  • http//www.scmagazine.com/asia/news/article/419816
    /a-next-generation-dos-attack-distributed-reflecti
    on/

14
DDoS
  • DDoS Distributed Denial of Service
  • Why would any one want to do this?
  • In some cases, for bringing down service of
    competitors, or for extortion money.

15
Application Layer Attack
  • There is a particular type of attack simply ask
    bots to send requests to the victim for large
    files.
  • Now, the victim, the server, has to send large
    files therefore the bandwidth is saturated and no
    more requests can be satisfied.

16
CAPTCHA
  • One way is to see if we can distinguish human
    from bots.
  • CAPTCHA -- Completely Automated Public Turing
    test to tell Computers and Humans Apart
  • Below is a picture from wiki

17
CAPTCHA
  • Was proposed by Luis von Ahn, Manuel Blum,
    Nicholas J. Hopper, and John Langford.
  • http//www.captcha.net/captcha_crypt.pdf

18
Other things you can do
  • With the CAPTCHA idea, they actually did
    something else scan an old book, and show a
    word in the book along with one from CAPTCHA.
  • You dont know which one is from where.
  • So while you login, you help the library to
    recognize words.

19
Problem with CAPTCHA
  • The problem is that you do not want to answer a
    CAPTCHA problem every 30 mins if you are watching
    a movie.

20
The other solution
  • Ask the client to solve a puzzle, basically
    asking the client to spend some resource before
    getting service.
  • Can you design some puzzles?

21
Puzzles
  • Some puzzles include
  • Finding a string such that the first k bits of
    its SHA-1 hash are 0.
  • By controlling k, you control the difficulty of
    the puzzle.
  • A problem is that this puzzle is biased toward
    clients with fast machines.

22
Memory-bound puzzles are better
  • Memory speed varies less significantly than CPU
    speed.
  • Forcing the client to do a lot of random read
    from main memory.
  • How?

23
One memory bound puzzle
  • There is a one-to-one function F() that cannot be
    reversed.
  • Server started from x_0. x_i F(x_i-1).
  • Server sends x_k to the client. Ask him to return
    x_0.
  • It is to the best interest of the client to build
    a table, because table lookup is much faster than
    calculating the function, then search which input
    results in x_k, to get x_k-1, and so on.

24
Other solutions
  • Speak-up When system is in trouble, instead
    waiting to drown, you should speak up!
  • Meaning that you should also send a lot of
    requests.
  • The server serves the one with loudest voice.
  • From their 2006 sigcomm paper

25
Speak-up
  • Actually, every client has to pay the server some
    currency in the form of bandwidth.
  • The hope is that the clients have spare
    bandwidths but the attackers already have used up
    their bandwidths.
  • These dummy byes are a waste of resource.

26
What we are working on
  • Introducing p2p to DDoS defense.

27
A useful link
  • http//staff.washington.edu/dittrich/misc/ddos/
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Network Security Continued" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!