CSCE 715: Network Systems Security

1
CSCE 715Network Systems Security

• Chin-Tser Huang
• huangct_at_cse.sc.edu
• University of South Carolina

2
A Security Problem in Network

• An adversary that has access to a network can
  insert new messages, modify current messages, or
  replay old messages in the network
• These inserted, modified, and replayed messages
  can go undetected until they cause severe damage
  to network
• The physical location of the adversary in network
  may never be determined
• Example denial-of-service attacks

3
Denial-of-Service (DoS) Attacks

• Aimed to deny normal service provided by the
  target computer
• Communication-stopping attacks
• ARP spoofing attack
• Resource-exhausting attacks
• Smurf attack
• SYN attack

4
Ping Protocol

• Allow any computer to check whether any other
  computer in the Internet is up
• Any computer x can send a ping message to any
  computer y which replies by sending back a pong
  message (thus x knows y is up)
• In ping message src x and dst y
• In pong message src y and dst x

ping(x, y)
x
y
pong(y, x)
5
Broadcast Ping Protocol

• If in ping message dst all, a copy of ping is
  broadcast to every computer
• Each computer replies by sending back a pong, and
  x is flooded with pong messages
• In ping message src x and dst all
• In pong messages src y, y and dst x

y
pong(y,x)
ping(x,all)
x
y
pong(y, x)
6
Smurf Attack

• An adversary pretends to be x and broadcasts a
  ping message where src x and dst all
• Thus, x is flooded with pong messages that it has
  not requested denial-of-service attack at x

y
a
ping(x,all)
pong(y,x)
x
y
pong(y, x)
7
Countering Smurf Attack

• Make each router check the src of each received
  message and discard the message if the src is
  suspicious

srcx shouldnt come to me
y
a
ping(x, all)
x
y
8
Clever Smurf Attack

• An adversary inserts a ping(x, all) message
  between routers R2 and R3
• R3 thinks the message was forwarded by R2 and so
  accepts the message

a
y
ping(x, all)
x
y
9
Countering Clever Smurf Attack

• When R3 receives a message, R3 needs to determine
  whether message was indeed sent by R2, or was
  modified or replayed by an adversary between R3
  and R2
• If use IPSec, will need to set up SAs between
  each pair of adjacent routers too expensive
• Our solution use hop integrity protocol between
  each pair of adjacent routers

10
Hop Integrity

• Let p, q be routers connected to same subnetwork
• Detection of Message Modification
• when q receives a message m supposedly from p, q
  can check that m was not modified after sent
• Detection of Message Replay
• when q receives a message m supposedly from p, q
  can check that m was not a replay of an old
  message

11
Adversary vs. Routers

• The adversary can perform three types of actions
  to disrupt communication between two routers
• Message loss
• Message modification
• Message replay
• The routers are assumed to be secure and cannot
  be compromised by the adversary
• The routers will execute hop integrity protocols
  that can detect and defeat the adversary actions

12
Hop Integrity Protocol

• Each pair of adjacent routers need to share a
  secret S, which is updated periodically by the
  two routers using a secret exchange protocol
• To each IP message sent between two adjacent
  routers, add a sequence number sq, and an
  integrity check d

d MD(S hd sq txt) d 16 bytes if MD5 20
bytes if SHA-1 MD MD5 or SHA-1 sq 4 bytes
hd
txt
IP message
hd
txt
sq
d
13
Architecture of Hop Integrity Protocols

router p

router q

Applications

Application
s





Transport

Transport






secret




qe



pe
exchange



secrets
secrets
layer

Network

Network







integrity

check

qw

or



qs

pw

or


ps





layer

Subnetwork

Subnetwork






.

14
Component of Hop Integrity Protocols

• Three protocols between each pair of adjacent
  routers
• secret exchange protocol
• weak integrity protocol
• strong integrity protocol

15
How to Exchange Secret

• Each router p has a secret S that it uses for
  computing the digest of every msg sent to an
  adjacent router q
• Both p and q need to know S
• What if p sends secret update message to q
  periodically?
• Problem due to message loss
• What if p sends secret update message to q
  periodically and q sends an ack to p?
• Problem due to bundling of secret exchange layer
  and integrity check layer

16
Secret Exchange Protocol

• q updates secret S used by p by sending a secret
  update message to p every T hours
• When p receives secret update message from q, p
  updates secret and sends an ack to q
• If q does not receive ack from p for t seconds, q
  retransmits the secret update message

17
Secret Exchange Protocol
S0
q
p
S
S1
S0 S1 S
S0 old S1 new
Bp?S0, S1?
if S S0 ? S S1 then S S1
Bq?S?
if S1 S then S0 S1
S0 S1 S
T hours
S0 old S1 new
Bp?S0, S1?
if S S0 ? S S1 then S S1
Bq?S?
if S1 S then S0 S1
S0 S1 S
18
Recovery in Secret Exchange Protocol
S0
q
p
S
S1
S0 S1 S
S0 old S1 new
Bp?S0, S1?
t seconds
S0 S ? S1
Bp?S0, S1?
if S S0? S S1 then S S1
Bq?S?
t seconds
S1 S ? S0
Bp?S0, S1?
if S S0? S S1 then S S1
Bq?S?
if S1 S then S0 S1
S0 S1 S
19
Weak Integrity Protocol

• To detect insertion and modification
• Each sent msg from p to q is as follows
• (hd d txt)
• where p computes d as
• d MD(S hd txt)
• On receiving a msg, q checks
• if d MD(S0 hd txt) ?
• d MD(S1 hd txt)
• then q forwards msg
• else q discards msg

20
Weak Integrity Protocol
S0
q
p
S
S1
(hd d txt)
. .
21
Strong Integrity

• To detect replay, successive sequence numbers are
  attached to all sent msgs from p to q
• Problem with reset
• If p is reset, unbounded number of fresh messages
  are discarded by q
• If q is reset, it can accept unbounded number of
  replayed messages
• Two solutions to overcome reset
• Soft sequence numbers
• Hard sequence numbers

22
Soft Sequence Numbers

• Successive sequence numbers are attached to all
  sent msgs from p to q
• (hd sq txt)
• q maintains three variables
• exp sequence number of next msg
• c msgs received
• cmax random value changed when c reaches it
• On receiving a msg, q checks
• if (exp ? sq) ? (c cmax)
• then q forwards msg
• else q discards msg
• fi q updates exp, c, cmax

23
Soft Sequence Numbers
exp
q
p
sq
c
cmax
sq
(hd sq txt)
sq1
c 0
. .
c 1
. .
. .
c cmax choose new cmax, c 0
24
Strong Integrity ProtocolUsing Soft Sequence
Numbers

• Each sent msg from p to q is as follows
• (hd sq d txt)
• where p computes d as
• d MD(S hd sq txt)
• On receiving a msg, q checks
• if (d MD(S0 hd sq txt) ?
• d MD(S1 hd sq txt) ) ?
• (exp ? sq ? c random value cmax)
• then q forwards msg
• else q discards msg
• fi q updates exp, c, cmax

25
Hard Sequence Numbers

• To overcome reset, use two operations SAVE and
  FETCH
• When SAVE is executed, the last sequence number
  will be stored in persistent memory
• When FETCH is executed, the last stored sequence
  number will be loaded from persistent memory into
  memory

26
Strong Integrity ProtocolUsing Hard Sequence
Numbers

• Each sent msg from p to q is as follows
• (hd sq d txt)
• where p computes d as
• d MD(S hd sq txt)
• On receiving a msg, q checks
• if (d MD(S0 hd sq txt) ?
• d MD(S1 hd sq txt) ) ? (exp ? sq)
• then q forwards msg
• else q discards msg
• fi q updates exp
• p and q executes SAVE periodically
• When waking up from a reset, p (or q) executes
  FETCH to fetch last stored seq, executes SAVE to
  store next seq, and continues after SAVE
  finishes

27
Tradeoff between Soft and Hard Sequence numbers

• Soft sequence numbers are easier to implement
• Do not require SAVE and FETCH operations and do
  not require persistent memory
• Hard sequence numbers provide better security
• When use soft sequence numbers, adversary has a
  chance, although small, to guess and get its
  sequence number accepted
• When use hard sequence numbers, p and q stick to
  their sequence numbers and leave adversary no
  chance

28
Other Applications of Hop Integrity

• Mobile IP
• Secure multicast
• Security of routing protocols

29
Mobile IP

• A mobile computer c can visit a foreign network F
  other than its home network H
• Msgs destined for c will be received by its home
  agent (HA) and forwarded to its foreign agent (FA)

m
m
home agent (HA)
c
Internet
m
F
H
foreign agent (FA)
30
Problem with Mobile IP

• Mobile computer c can send a msg thru FA
• However, this msg may be filtered out by next
  router q because its source address is strange

?
m
home agent (HA)
q
c
Internet
m
H
F
foreign agent (FA)
31
Mobile IP with Hop Integrity

• With integrity check d added to msg m, q can
  check that m was indeed forwarded by FA
• Thus, q ignores strange source of msg m and
  forwards m toward its ultimate destination

m
d
m
d
home agent (HA)
q
c
Internet
m
d
H
F
foreign agent (FA)
32
Multicast

• Multicast msgs are forwarded through a spanning
  tree from root to every multicast destination
• If a destination receives a multicast msg, then
  each destination receives a copy of same msg with
  high probability

33
Multicast

• Multicast msgs are forwarded through a spanning
  tree from root to every multicast destination
• If a destination receives a multicast msg, then
  each destination receives a copy of same msg with
  high probability

34
Multicast

• Multicast msgs are forwarded through a spanning
  tree from root to every multicast destination
• If a destination receives a multicast msg, then
  each destination receives a copy of same msg with
  high probability

35
Multicast

• Multicast msgs are forwarded through a spanning
  tree from root to every multicast destination
• If a destination receives a multicast msg, then
  each destination receives a copy of same msg with
  high probability

36
Security Problem with Multicast

• If adversary inserts or modifies a multicast msg
  between two routers in middle of tree, then only
  a small fraction of multicast destinations
  receive the inserted or modified msg

37
Multicast with Hop Integrity

• With hop integrity, an inserted or modified
  multicast message will be detected and discarded
  at its first hop in the spanning tree

38
Routing Information Protocol (RIP)

• Every 30 seconds, RIP process in router R sends
  its routing table in a response msg to RIP
  process in each adjacent R
• R updates its routing table when it receives a
  response msg from any adjacent R
• Security problem

R?
R
RIP
RIP
UDP
IP
IP
39
RIP with Hop Integrity

• With hop integrity, the response msgs are
  protected against message modification,
  insertion, and replay

R?
R
RIP
RIP
UDP
Secret Update
Secret Update
IP
IP
Integrity Check
Integrity Check
40
Security of Routing Protocols

• Hop integrity can also provide uniform protection
  (against message modification, insertion, and
  replay) for other routing protocols
• OSPF protocols (Hello, Exchange, Flood)
• RSVP
• Better than custom security mechanisms that have
  been proposed for some protocols

41
Implementation of Hop Integrity

• Implementation of hop integrity protocols in
  Linux kernel
• Add integrity check digest and soft sequence
  number to IP options in IP header
• Compatible with legacy routers
• Flexibility of deployment

42
Related Works

• Ingress filtering RFC2827
• Completes hop integrity
• Secure routing Che97, MB96, SMG97
• Not needed if hop integrity is installed
• Traceback BLT01, SWK01, SPS01
• Cannot prevent denial-of-service attacks, but can
  detect some of them
• IPsec KA98a
• Has goals other than dealing with
  denial-of-service attacks

43
Next Class

• Security in transport layer
• SSL and TLS
• Application of SSL/TLS in Web security
• Read Chapter 17