Title: CSCE 715: Network Systems Security
1 CSCE 715: Network Systems Security
- Chin-Tser Huang
- huangct_at_cse.sc.edu
- University of South Carolina
2 A Security Problem in Networks
- An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network
- These inserted, modified, and replayed messages can go undetected until they cause severe damage to the network
- The physical location of the adversary in the network may never be determined
- Cannot be mitigated by an end-to-end security scheme
- Example: denial-of-service (DoS) attacks
3 Denial-of-Service (DoS) Attacks
- Aimed to deny the normal service provided by the target computer
- Communication-stopping attacks
  - ARP spoofing attack
- Resource-exhausting attacks
  - Smurf attack
  - SYN flood attack
4 Ping Protocol
- Allows any computer to check whether any other computer in the Internet is up
- Any computer x can send a ping message to any computer y, which replies by sending back a pong message (thus x knows y is up)
- In the ping message, src = x and dst = y
- In the pong message, src = y and dst = x
[Diagram: x sends ping(x, y) to y; y replies with pong(y, x)]
5 Broadcast Ping Protocol
- If in the ping message dst = all, a copy of the ping is broadcast to every computer
- Each computer replies by sending back a pong, and x is flooded with pong messages
- In the ping message, src = x and dst = all
- In the pong messages, src = y, y', ... and dst = x
[Diagram: x sends ping(x, all); every computer y, y', ... replies with pong(y, x), all arriving at x]
6 Smurf Attack
- An adversary a pretends to be x and broadcasts a ping message where src = x and dst = all
- Thus, x is flooded with pong messages that it has not requested, resulting in a denial-of-service attack at x
[Diagram: adversary a sends ping(x, all); every computer y replies with pong(y, x), which floods x]
7 Countering Smurf Attack
- Make each router check the src of each received message and discard the message if the src is suspicious
[Diagram: a sends ping(x, all); the router receiving it from a's direction reasons "src = x shouldn't come to me" and discards the message, so no pongs reach x]
8 Clever Smurf Attack
- An adversary inserts a ping(x, all) message between routers R2 and R3
- R3 thinks the message was forwarded by R2 and so accepts the message
[Diagram: a inserts ping(x, all) on the link between R2 and R3; R3 forwards it, and the resulting pongs from every y flood x]
9 Countering Clever Smurf Attack
- When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was modified or replayed by an adversary between R3 and R2
- If IPsec is used, SAs have to be set up between each pair of adjacent routers: too expensive
- Our solution: use a hop integrity protocol between each pair of adjacent routers
10 Hop Integrity
- Let p, q be routers connected to the same subnetwork
- Detection of message modification
  - When q receives a message m supposedly from p, q can check that m was not modified after it was sent
- Detection of message replay
  - When q receives a message m supposedly from p, q can check that m is not a replay of an old message
11 Adversary vs. Routers
- The adversary can perform three types of actions to disrupt communication between two routers
  - Message loss
  - Message modification
  - Message replay
- The routers are assumed to be secure and cannot be compromised by the adversary
- The routers execute hop integrity protocols that can detect and defeat the adversary's actions
12 Hop Integrity Protocol
- Each pair of adjacent routers needs to share a secret S, which is updated periodically by the two routers using a secret exchange protocol
- To each IP message sent between two adjacent routers, add a sequence number seq and an integrity check d
  - d = MD(S | hdr | seq | txt)
  - d is 20 bytes if SHA-1 is used; MD is an appropriate HMAC function
  - seq is 4 bytes
[Diagram: the original IP message (hdr | txt) is sent as hdr and txt extended with the fields seq and d]
13 Architecture of Hop Integrity Protocols
[Diagram: routers p and q side by side, each with an Applications layer, a Transport layer, a Network layer and a Subnetwork layer. At the transport level, processes pe (in p) and qe (in q) run the secret exchange and hold the secrets. Below the Network layer, an integrity check layer (pw or ps in p, qw or qs in q) sits between Network and Subnetwork.]
14 Components of Hop Integrity Protocols
- Three protocols between each pair of adjacent routers
  - Secret exchange protocol
  - Weak integrity protocol
  - Strong integrity protocol
15 How to Exchange Secret
- Each router p has a secret S that it uses for computing the digest of every msg sent to an adjacent router q
- Both p and q need to know S
- What if p sends a secret update message to q periodically?
  - Problem due to message loss
- What if p sends a secret update message to q periodically and q sends an ack to p?
  - Problem due to bundling of the secret exchange layer and the integrity check layer
16 Secret Exchange Protocol
- q updates the secret S used by p by sending a secret update message to p every T hours
- When p receives the secret update message from q, p updates its secret and sends an ack to q
- If q does not receive the ack from p for t seconds, q retransmits the secret update message
17 Secret Exchange Protocol
[Diagram: q holds S0 (old) and S1 (new); p holds S. Initially S0 = S1 = S. Every T hours q generates a new secret, so that S0 = old and S1 = new, and sends Bp⟨S0, S1⟩ (the pair encrypted for p) to p. p: if S = S0 ∨ S = S1 then S := S1, and replies Bq⟨S⟩ (encrypted for q). q: if S1 = S then S0 := S1. Afterwards S0 = S1 = S again, and the same exchange repeats T hours later.]
18 Recovery from Message Loss in Secret Exchange Protocol
[Diagram: q sets S0 = old, S1 = new and sends Bp⟨S0, S1⟩; the message is lost, so at this point S0 = S ≠ S1. After t seconds q retransmits Bp⟨S0, S1⟩; p: if S = S0 ∨ S = S1 then S := S1, and replies Bq⟨S⟩; this reply is lost, so now S1 = S ≠ S0. After another t seconds q retransmits Bp⟨S0, S1⟩; p: S = S1 already, so S := S1 again and it replies Bq⟨S⟩. q: if S1 = S then S0 := S1. Finally S0 = S1 = S.]
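The secret exchange of slides 16 to 18 as a state-machine simulation with a lossy link between q and p. This is an added example, not code from the lecture; the public-key wrapping Bp⟨·⟩ / Bq⟨·⟩ is abstracted away (the messages are passed in the clear inside the simulation), new secrets are drawn with secrets.token_bytes, and the loss pattern and the t-second timeout are modelled as a constructed list of drop flags consumed one per transmission.

```python
import secrets


class RouterQ:
    """q drives the update: it keeps the old secret S0 and the new secret S1."""

    def __init__(self, S: bytes):
        self.S0 = self.S1 = S

    def new_round(self) -> None:
        # every T hours: S0 := old, S1 := new
        self.S0, self.S1 = self.S1, secrets.token_bytes(16)

    def request(self):
        # Bp<S0, S1>; the encryption for p is abstracted away in this example
        return ("rqst", self.S0, self.S1)

    def on_reply(self, S: bytes) -> None:
        # if S1 = S then S0 := S1 ; a stale or replayed reply changes nothing
        if self.S1 == S:
            self.S0 = self.S1

    def synced(self) -> bool:
        return self.S0 == self.S1


class RouterP:
    """p holds the single secret S it uses to digest outgoing messages."""

    def __init__(self, S: bytes):
        self.S = S

    def on_request(self, S0: bytes, S1: bytes):
        # if S = S0 or S = S1 then S := S1 ; reply Bq<S> (encryption abstracted away)
        if self.S in (S0, S1):
            self.S = S1
        return ("rply", self.S)


def complete_round(q: RouterQ, p: RouterP, drops, max_tries: int = 10) -> int:
    """Run the current round over a lossy link.

    `drops` is a constructed list of booleans consumed one per transmission
    (request, reply, request, ...); True means that transmission is lost, and
    each loss costs q a t-second timeout plus a retransmission. Returns how
    many requests q sent, or 0 if the round never completed."""
    drops = list(drops)

    def delivered() -> bool:
        return not (drops.pop(0) if drops else False)

    for tries in range(1, max_tries + 1):
        _, S0, S1 = q.request()
        if not delivered():            # request lost: q times out, retransmits
            continue
        _, S = p.on_request(S0, S1)
        if not delivered():            # reply lost: q times out, retransmits
            continue
        q.on_reply(S)
        return tries
    return 0


def demo() -> dict:
    S = secrets.token_bytes(16)
    q, p = RouterQ(S), RouterP(S)
    out = {}

    q.new_round()                                  # round 1: no loss
    out["lossless_tries"] = complete_round(q, p, [])
    out["lossless_synced"] = q.synced() and p.S == q.S1
    recorded_reply = p.S                           # an adversary records round 1's reply

    q.new_round()                                  # round 2: slide 18 scenario
    out["lossy_tries"] = complete_round(q, p, [True, False, True, False, False])
    out["lossy_synced"] = q.synced() and p.S == q.S1

    q.new_round()                                  # round 3: replayed old reply
    q.on_reply(recorded_reply)
    out["replay_completes_round"] = q.synced()     # False: S1 != replayed S
    complete_round(q, p, [])
    out["final_synced"] = q.synced() and p.S == q.S1
    return out


if __name__ == "__main__":
    print(demo())
```

The lossy round reproduces slide 18 exactly: the first request is lost (S0 = S ≠ S1), the second request gets through but its reply is lost (S1 = S ≠ S0), and the third request completes the round because p's rule "if S = S0 ∨ S = S1 then S := S1" is idempotent.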
19 Weak Integrity Protocol
- To detect insertion and modification
- Each msg sent from p to q is of the form (hd | d | txt), where p computes d as
  - d = MD(S | hd | txt)
- On receiving a msg, q checks
  - if d = MD(S0 | hd | txt) ∨ d = MD(S1 | hd | txt)
  - then q forwards the msg
  - else q discards the msg
20 Weak Integrity Protocol
[Diagram: p, holding S, sends (hd | d | txt) to q, which holds S0 and S1 and checks d against both secrets]
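The digest of slide 12 and the weak integrity check of slide 19, written out as a small simulation of p and q. This is an added example, not code from the lecture or from the hop integrity implementation; MD is taken to be HMAC-SHA1 (the 20-byte case the slides mention), the header is assumed to have a fixed length so that hd | txt parses unambiguously, and all secrets and payloads are constructed values.

```python
import hmac
import hashlib

HD_LEN = 20  # assumption: fixed-length header so hd | txt parses unambiguously
D_LEN = 20   # HMAC-SHA1 digest length, as on slide 12


def digest(S: bytes, hd: bytes, txt: bytes) -> bytes:
    """d = MD(S | hd | txt) with MD = HMAC-SHA1 (keyed, so S is the HMAC key)."""
    return hmac.new(S, hd + txt, hashlib.sha1).digest()


def p_send(S: bytes, hd: bytes, txt: bytes) -> bytes:
    """Sender p emits (hd | d | txt) using its current secret S."""
    assert len(hd) == HD_LEN
    return hd + digest(S, hd, txt) + txt


def q_receive(S0: bytes, S1: bytes, msg: bytes) -> bool:
    """Receiver q forwards iff d = MD(S0|hd|txt) or d = MD(S1|hd|txt).

    Both the old secret S0 and the new secret S1 are tried because p may not
    have switched to S1 yet while a secret update is in progress.
    hmac.compare_digest keeps the comparison constant-time."""
    hd = msg[:HD_LEN]
    d = msg[HD_LEN:HD_LEN + D_LEN]
    txt = msg[HD_LEN + D_LEN:]
    return any(hmac.compare_digest(d, digest(S, hd, txt)) for S in (S0, S1))


def demo() -> dict:
    # constructed secrets: q holds (S0, S1) during an update; p may hold either
    S_old = b"constructed-old-secret"
    S_new = b"constructed-new-secret"
    hd = b"\x45" + b"\x00" * (HD_LEN - 1)   # constructed 20-byte "IP header"
    txt = b"ping(x, all)"                     # constructed payload

    genuine = p_send(S_new, hd, txt)          # p already uses the new secret
    lagging = p_send(S_old, hd, txt)          # p still uses the old secret

    # an adversary modifies txt in flight: flip one bit of the last byte
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01
    modified = bytes(tampered)

    # an adversary inserts a message of its own without knowing S
    inserted = hd + b"\x00" * D_LEN + b"inserted"

    return {
        "genuine": q_receive(S_old, S_new, genuine),
        "lagging": q_receive(S_old, S_new, lagging),
        "modified": q_receive(S_old, S_new, modified),
        "inserted": q_receive(S_old, S_new, inserted),
    }


if __name__ == "__main__":
    print(demo())
```

Accepting either S0 or S1 is what keeps the integrity layer independent of the secret exchange layer: a message digested with the old secret while the update is in flight is still forwarded, which is the bundling problem slide 15 points at.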
21 Strong Integrity
- To detect replay, successive sequence numbers are attached to all msgs sent from p to q
- Problem with reset
  - If p is reset, an unbounded number of fresh messages are discarded by q
  - If q is reset, it can accept an unbounded number of replayed messages
- Two solutions to overcome reset
  - Soft sequence numbers
  - Hard sequence numbers
22 Soft Sequence Numbers
- Successive sequence numbers are attached to all msgs sent from p to q: (hd | sq | txt)
- q maintains three variables
  - exp: expected sequence number of the next msg
  - c: msgs received
  - cmax: random value, changed when c reaches it
- On receiving a msg, q checks
  - if (exp ≤ sq) ∨ (c = cmax)
  - then q forwards the msg
  - else q discards the msg
  - fi; q updates exp, c, cmax
23 Soft Sequence Numbers
[Diagram: p sends (hd | sq | txt), (hd | sq+1 | txt), ... to q, which holds exp, c and cmax; c counts 0, 1, ... with each received msg, and when c = cmax q chooses a new cmax and sets c := 0]
24 Strong Integrity Protocol Using Soft Sequence Numbers
- Each msg sent from p to q is of the form (hd | sq | d | txt), where p computes d as
  - d = MD(S | hd | sq | txt)
- On receiving a msg, q checks
  - if (d = MD(S0 | hd | sq | txt) ∨ d = MD(S1 | hd | sq | txt)) ∧ (exp ≤ sq ∨ c = cmax), where cmax is a random value
  - then q forwards the msg
  - else q discards the msg
  - fi; q updates exp, c, cmax
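Receiver q's side of soft sequence numbers (slides 22 to 24), run over a constructed message trace that includes a replay and a reset of p. This is an added example, not code from the lecture; the digest check of slide 24 is assumed to have already passed (it is the same check as in the weak integrity protocol), the random cmax values are supplied from a constructed list so the trace is reproducible, and the order in which c and cmax are updated after the check is this example's reading of slide 23.

```python
from typing import Iterator


class SoftSeqReceiver:
    """q's state for soft sequence numbers: exp, c, cmax."""

    def __init__(self, new_cmax: Iterator[int]):
        self.new_cmax = new_cmax      # source of q's random cmax values
        self.exp = 0                  # expected sequence number of the next msg
        self.c = 0                    # msgs received since cmax was last chosen
        self.cmax = next(self.new_cmax)

    def receive(self, sq: int) -> bool:
        """Return True if q forwards the msg carrying sequence number sq.
        (The digest check d = MD(S0|hd|sq|txt) or MD(S1|hd|sq|txt) is assumed
        to have passed before this is called.)"""
        forward = (self.exp <= sq) or (self.c == self.cmax)
        if forward:
            self.exp = sq + 1
        # assumed update order: the check sees c = cmax exactly once, then
        # cmax is re-drawn and c starts over, as the slide 23 diagram shows
        if self.c == self.cmax:
            self.cmax = next(self.new_cmax)
            self.c = 0
        else:
            self.c += 1
        return forward


def demo() -> dict:
    # constructed cmax draws standing in for q's random choices
    q = SoftSeqReceiver(iter([4, 3, 6]))
    out = {}
    out["in_order"] = [q.receive(sq) for sq in range(6)]     # p sends sq 0..5
    out["replay"] = q.receive(2)                              # adversary replays sq 2
    # p is reset and restarts at sq 0: q discards until c reaches cmax,
    # then accepts the next msg and resynchronises exp to it
    out["after_reset"] = [q.receive(sq) for sq in range(4)]
    out["exp_after_resync"] = q.exp
    return out


if __name__ == "__main__":
    print(demo())
```

The (c = cmax) branch is what bounds the damage of a reset of p: fresh messages are lost only until c next reaches cmax. It is also the window slide 27 refers to, since whichever message arrives when c = cmax is forwarded regardless of sq, so the randomness of cmax is what keeps that window unpredictable.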
25 Hard Sequence Numbers
- To overcome reset, use two operations: SAVE and FETCH
- When SAVE is executed, the last sequence number is stored in persistent memory
- When FETCH is executed, the last stored sequence number is loaded from persistent memory into memory
26 Strong Integrity Protocol Using Hard Sequence Numbers
- Each msg sent from p to q is of the form (hd | sq | d | txt), where p computes d as
  - d = MD(S | hd | sq | txt)
- On receiving a msg, q checks
  - if (d = MD(S0 | hd | sq | txt) ∨ d = MD(S1 | hd | sq | txt)) ∧ (exp ≤ sq)
  - then q forwards the msg
  - else q discards the msg
  - fi; q updates exp
- p and q execute SAVE periodically
- When waking up from a reset, p (or q) executes FETCH to fetch the last stored seq, executes SAVE to store the next seq, and continues after SAVE finishes
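SAVE and FETCH of slides 25 and 26 in a simulation where both p and q are reset. This is an added example, not code from the lecture; persistent memory is a small object that survives the simulated reset, the digest check is again assumed to have passed, and "periodically" is given a concrete meaning chosen for this example: every K sequence numbers a router SAVEs the upper bound of the window it is entering, so after FETCH it can resume above every number it may have used or accepted before the reset.

```python
class PersistentMemory:
    """Stands in for the router's persistent memory (survives a reset)."""

    def __init__(self):
        self.stored = None

    def SAVE(self, seq: int) -> None:
        self.stored = seq

    def FETCH(self) -> int:
        return self.stored


class HardSeqSender:
    """p: sq lives in volatile memory; every K numbers p SAVEs the ceiling of
    the window it is entering (K is this example's reading of 'periodically')."""

    def __init__(self, mem: PersistentMemory, K: int):
        self.mem, self.K = mem, K
        self.sq = 0
        self.ceiling = K
        self.mem.SAVE(self.ceiling)

    def next_sq(self) -> int:
        sq = self.sq
        self.sq += 1
        if self.sq == self.ceiling:        # entering the next window: SAVE before use
            self.ceiling += self.K
            self.mem.SAVE(self.ceiling)
        return sq

    def reset(self) -> None:
        # volatile state is lost: FETCH the last stored seq, SAVE the next one
        # and continue from the fetched value; every sq used before the reset is
        # below it, so q never receives a stale number from the restarted p
        self.sq = self.mem.FETCH()
        self.ceiling = self.sq + self.K
        self.mem.SAVE(self.ceiling)


class HardSeqReceiver:
    """q: exp lives in volatile memory; q SAVEs a ceiling >= exp whenever exp
    crosses the current one."""

    def __init__(self, mem: PersistentMemory, K: int):
        self.mem, self.K = mem, K
        self.exp = 0
        self.ceiling = K
        self.mem.SAVE(self.ceiling)

    def receive(self, sq: int) -> bool:
        """Forward iff exp <= sq (digest check of slide 26 assumed passed)."""
        if sq < self.exp:
            return False
        self.exp = sq + 1
        while self.exp > self.ceiling:
            self.ceiling += self.K
            self.mem.SAVE(self.ceiling)
        return True

    def reset(self) -> None:
        # FETCH the stored ceiling: every sq accepted before the reset is below
        # it, so replays stay rejected; at most K - 1 fresh msgs are discarded
        self.exp = self.ceiling = self.mem.FETCH()


def demo(K: int = 4) -> dict:
    p = HardSeqSender(PersistentMemory(), K)
    q = HardSeqReceiver(PersistentMemory(), K)
    out = {}
    out["in_order"] = [q.receive(p.next_sq()) for _ in range(6)]            # sq 0..5
    p.reset()
    out["fresh_after_p_reset"] = [q.receive(p.next_sq()) for _ in range(2)]  # sq 8, 9
    out["replay_after_p_reset"] = q.receive(3)
    q.reset()
    out["after_q_reset"] = [q.receive(p.next_sq()) for _ in range(3)]        # sq 10, 11, 12
    out["replay_after_q_reset"] = q.receive(9)
    return out


if __name__ == "__main__":
    print(demo())
```

Contrast with the soft scheme: after p's reset no fresh message is discarded and no message is ever accepted "regardless of sq"; after q's reset the loss is bounded by the SAVE period and replays of earlier messages are still rejected.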
27 Tradeoff between Soft and Hard Sequence Numbers
- Soft sequence numbers are easier to implement
  - They do not require SAVE and FETCH operations and do not require persistent memory
- Hard sequence numbers provide better security
  - When soft sequence numbers are used, the adversary has a chance, although small, to guess and get its sequence number accepted
  - When hard sequence numbers are used, p and q stick to their sequence numbers and leave the adversary no chance
28 Other Applications of Hop Integrity
- Mobile IP
- Secure multicast
- Security of routing protocols
29 Mobile IP
- A mobile computer c can visit a foreign network F other than its home network H
- Msgs destined for c are received by its home agent (HA) and forwarded to its foreign agent (FA)
[Diagram: a msg m for c enters the home network H, reaches the home agent (HA), crosses the Internet to the foreign agent (FA) in F, and is delivered to c]
30 Problem with Mobile IP
- Mobile computer c can send a msg thru FA
- However, this msg may be filtered out by the next router q because its source address is strange
[Diagram: c sends m via FA; the next router q sees a source address belonging to H arriving from F and may discard m]
31 Mobile IP with Hop Integrity
- With the integrity check d added to msg m, q can check that m was indeed forwarded by FA
- Thus, q ignores the strange source of msg m and forwards m toward its ultimate destination
[Diagram: c sends m; FA forwards (m, d) to q; q verifies d and forwards m across the Internet toward H]
32 Multicast
- Multicast msgs are forwarded through a spanning tree from the root to every multicast destination
- If a destination receives a multicast msg, then each destination receives a copy of the same msg with high probability
36 Security Problem with Multicast
- If an adversary inserts or modifies a multicast msg between two routers in the middle of the tree, then only a small fraction of the multicast destinations receive the inserted or modified msg
37 Multicast with Hop Integrity
- With hop integrity, an inserted or modified
multicast message will be detected and discarded
at its first hop in the spanning tree
38 Routing Information Protocol (RIP)
- Every 30 seconds, the RIP process in router R sends its routing table in a response msg to the RIP process in each adjacent router R'
- R updates its routing table when it receives a response msg from any adjacent R'
- Security problem
[Diagram: routers R and R', each running RIP over UDP over IP, exchanging response msgs]
39 RIP with Hop Integrity
- With hop integrity, the response msgs are protected against message modification, insertion, and replay
[Diagram: routers R and R', each with the stack RIP, UDP, Secret Update, IP, Integrity Check; the Secret Update and Integrity Check layers talk to their peers in the adjacent router]
40 Security of Routing Protocols
- Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols
  - OSPF protocols (Hello, Exchange, Flood)
  - RSVP
- Better than the custom security mechanisms that have been proposed for some protocols
41 Implementation of Hop Integrity
- Implementation of hop integrity protocols in the Linux kernel
- Add the integrity check digest and soft sequence number to the IP options in the IP header
  - Compatible with legacy routers
  - Flexibility of deployment
42 Related Works
- Ingress filtering (RFC 2827) and egress filtering (RFC 3013)
  - Completes hop integrity
- Secure routing
  - Not needed if hop integrity is installed
- Traceback
  - Cannot prevent denial-of-service attacks, but can detect some of them
- IPsec
  - Has goals other than dealing with denial-of-service attacks
43 Next Class
- Midterm Exam on Oct. 13: good luck to all of you!
- After the Midterm Exam
  - Security in the transport layer
  - SSL and TLS
  - Application of SSL/TLS in Web security