Network(Security(Protocols(



Similar documents
Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

Domain Name System DNS

DNS: Domain Name System

Domain Name System (DNS) Reading: Section in Chapter 9

CMPE 80N: Introduction to Networking and the Internet

Domain Name System (or Service) (DNS) Computer Networks Term B10

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Domain Name System Richard T. B. Ma

The Application Layer: DNS

FTP: the file transfer protocol

Naming and the DNS. Focus. How do we name hosts etc.? Application Presentation Topics. Session Domain Name System (DNS) /URLs

How To Map Between Ip Address And Name On A Domain Name System (Dns)

C 1. Last Time. CSE 486/586 Distributed Systems Domain Name System. Review: Causal Ordering. Review: Causally Ordered Multicast.

CS 43: Computer Networks Naming and DNS. Kevin Webb Swarthmore College September 17, 2015

Domain Name System (DNS) RFC 1034 RFC

DNS. Spring 2016 CS 438 Staff 1

DNS and P2P File Sharing

Chapter 2 Application Layer

Network programming, DNS, and NAT. Copyright University of Illinois CS 241 Staff 1

CS244A Review Session Routing and DNS

internet technologies and standards

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting

DNS and electronic mail. DNS purposes

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting, NTP

DNS: Domain Name System

The Domain Name System

Domain Name System (DNS)

Communicating Applications

2.5 DNS The Internet s Directory Service

K-Root Name Server Operations

Domain Name System Security

COS 461: Computer Networks

FTP: the file transfer protocol

Application Layer. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross

The Domain Name System

Network Layer, Part 1 Internet Architecture. History

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

CSE/ISE 311: Systems Administra5on Networking 2

INTERNET DOMAIN NAME SYSTEM

IPv6 support in the DNS

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

How to launch and defend against a DDoS

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

Internet-Praktikum I Lab 3: DNS

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Chapter 2: outline. 2.6 P2P applications 2.7 socket programming with UDP and TCP

DNS : Domain Name System

The Domain Name System (DNS)

DOMAIN NAME SECURITY EXTENSIONS

The Domain Name System

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

Application-layer protocols

The Application Layer. CS158a Chris Pollett May 9, 2007.

DNS Basics. DNS Basics

Review of Networking Basics. Yao Wang Polytechnic University, Brooklyn, NY11201

Applications and Services. DNS (Domain Name System)

Communications and Networking

Hostnames. HOSTS.TXT was a bottleneck. Once there was HOSTS.TXT. CSCE515 Computer Network Programming. Hierarchical Organization of DNS

The Domain Name System (DNS)

Distributed Denial of Service Attacks

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

IP addresses have hierarchy (network & subnet) Internet names (FQDNs) also have hierarchy. and of course there can be sub-sub-!!

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

IP addressing and forwarding Network layer

Networking Basics and Network Security

Socket = an interface connection between two (dissimilar) pipes. OS provides this API to connect applications to networks. home.comcast.

CloudFlare advanced DDoS protection

How do I get to

Internetworking with TCP/IP Unit 10. Domain Name System

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

Chapter 16 Route Health Injection

The Transport Layer. Antonio Carzaniga. October 24, Faculty of Informatics University of Lugano Antonio Carzaniga

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Introduction to IP networking

Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture - 34 DNS & Directory

Transcription:

Network(Security(Protocols( Mike(Freedman( COS(461:(Computer(Networks( Lectures:((MW(10A10:50am(in(Architecture(N101( hep://www.cs.princeton.edu/courses/archive/spr13/cos461/( Network(Security( ApplicaJon(layer( EAmail:(PGP,(using(a(webAofAtrust( Web:(HTTPAS,(using(a(cerJficate(hierarchy( Transport(layer( Transport(Layer(Security/(Secure(Socket(Layer( Network(layer( IP(Sec( Network(infrastructure( DNSASec(and(BGPASec( 2! EncrypJon(and(MAC/Signatures( ConfidenJality((EncrypJon)( Sender:(( ((Compute(C(=(Enc K (M)( ((Send(C( Receiver:( ((Recover(M(=(Dec K (C)( Auth/Integrity((MAC(/(Signature)( Sender:(( ((Compute(s(=(Sig K (Hash((M))( ((Send(<M,(s>( Receiver:( ((Compute(s (=(Ver K (Hash((M))(( ((Check(s (==(s( These(are(simplified(forms(of(the(actual(algorithms( 5! Email(Security:( PreEy(Good(Privacy((PGP)( 6! Basic(Security(ProperJes( 3! Basic(Security(ProperJes( 4! EAMail(Security( 7! Sender(and(Receiver(Keys( 8! Confiden'ality:(( Authen'city:(( Integrity:5 Confiden'ality:(Concealment(of(informaJon(or(resources( Authen'city:(IdenJficaJon(and(assurance(of(origin(of(info( Integrity:(Trustworthiness(of(data(or(resources(in(terms(of( prevenjng(improper(and(unauthorized(changes( Security(goals( ConfidenJality:(only(intended(recipient(sees(data( Integrity:(data(cannot(be(modified(en(route( AuthenJcity:(sender(and(recipient(are(who(they(say( If(the(sender(knows(the( receiver s(public(key( ConfidenJality( Receiver(authenJcaJon( If(the(receiver(knows( the(sender s(public(key( Sender(authenJcaJon( Sender(nonArepudiaJon( Availability:5( Non9repudia'on:5 Access5control:( Availability:5Ability(to(use(desired(informaJon(or(resource( Non9repudia'on:(Offer(of(evidence(that(a(party(indeed(is( sender(or(a(receiver(of(certain(informajon( Access5control:(FaciliJes(to(determine(and(enforce(who(is( allowed(access(to(what(resources((host,(sozware,(network,( )( Security(nonAgoals( Timely(or(successful(message(delivery( Avoiding(duplicate((replayed)(message( (Since(eAmail(doesn t(provide(this(anyway!)( 1 2

Sending(an(EAMail(Securely( 9! Public(Key(CerJficate( 10! HTTP(Threat(Model( 13! HTTPAS:(Securing(HTTP( 14! Sender(digitally(signs(the(message( Using(the(sender s(private(key( Sender(encrypts(the(data( Using(a(oneAJme(session(key( Sending(the(session(key,(encrypted(with(the( receiver s(public(key( Sender(converts(to(an(ASCII(format( ConverJng(the(message(to(base64(encoding( (Email(messages(must(be(sent(in(ASCII)( Binding(between(idenJty(and(a(public(key( IdenJty (is,(for(example,(an(eamail(address( Binding (ensured(using(a(digital(signature( Contents(of(a(cerJficate( IdenJty(of(the(enJty(being(cerJfied( Public(key(of(the(enJty(being(cerJfied( IdenJty(of(the(signer( Digital(signature( Digital(signature(algorithm(id( Eavesdropper(( Listening(on(conversaJon((confidenJality)( ManAinAtheAmiddle(( Modifying(content((integrity)( ImpersonaJon( Bogus(website((authenJcaJon,(confidenJality)( HTTP(sits(on(top(of(secure( channel((ssl/tls)( heps://(vs.(hep://( TCP(port(443(vs.(80( All((HTTP)(bytes(encrypted( and(authenjcated( No(change(to(HTTP(itself!( Where(to(get(the(key???( HTTP5 Secure5Transport5 Layer5 TCP5 IP5 Link5layer5 Web(of(Trust(for(PGP( 11! 12! Learning(a(Valid(Public(Key( 15! Hierarchical(Public(Key(Infrastructure( 16! Decentralized(soluJon( ProtecJon(against(government(intrusion( No(central(cerJficate(authoriJes( Customized(soluJon( Individual(decides(whom(to(trust,(and(how(much( MulJple(cerJficates(with(different(confidence(levels( KeyAsigning(parJes!( Collect(and(provide(public(keys(in(person( Sign(other s(keys,(and(get(your(key(signed(by(others( HTTP(Security( What(is(that(lock?( Securely(binds(domain(name(to(public(key((PK)( If(PK(is(authenJcated,(then(any(message(signed(by(that( PK(cannot(be(forged(by(nonAauthorized(party( Believable(only(if(you(trust(the(aEesJng(body( Bootstrapping(problem:((Who(to(trust,(and(how(to(tell(if( this(message(is(actually(from(them?( Public(key(cerJficate(( Binding(between(idenJty(and(a(public(key( IdenJty (is,(for(example,(a(domain(name( Digital(signature(to(ensure(integrity( CerJficate(authority( Issues(public(key(cerJficates(and(verifies(idenJJes( Trusted(parJes((e.g.,(VeriSign,(GoDaddy,(Comodo)( Preconfigured(cerJficates(in(Web(browsers( 3 4

Public(Key(CerJficate( 17! 18! Comments(on(HTTPS( 21! 22! Transport(Layer(Security((TLS)( Based(on(the(earlier(Secure(Socket(Layer( (SSL)(originally(developed(by(Netscape( HTTPS(authenJcates(server,(not(content( If(CDN((Akamai)(serves(content(over(HTTPS,( customer(must(trust(akamai(not(to(change(content( SymmetricAkey(crypto(aZer(publicAkey(ops( Handshake(protocol(using(public(key(crypto( SymmetricAkey(crypto(much(faster((100A1000x)( HTTPS(on(top(of(TCP,(so(reliable(byte(stream( Can(leverage(fact(that(transmission(is(reliable(to( ensure:(each(data(segment(received(exactly(once( Adversary(can t(successfully(drop(or(replay(packets( IP(Security( TLS(Handshake(Protocol( 19! TLS(Record(Protocol( 20! IP(Security( 23! IPSec( 24! Send(new(random(value,(( list(of(supported(ciphers( Send(preAsecret,(encrypted( under(pk( Create(shared(secret(key( from(preasecret(and(random( Switch(to(new(symmetricA key(cipher(using(shared(key( Send(new(random(value,((((( digital(cerjficate(with(pk( Create(shared(secret(key( from(preasecret(and(random( Switch(to(new(symmetricA key(cipher(using(shared(key( Messages(from(applicaJon(layer(are:( Fragmented(or(coalesced(into(blocks( OpJonally(compressed( IntegrityAprotected(using(an(HMAC( Encrypted(using(symmetricAkey(cipher( Passed(to(the(transport(layer((usually(TCP)( Sequence(#s(on(recordAprotocol(messages( Prevents(replays(and(reorderings(of(messages( There(are(range(of(appAspecific(security(mechanisms( eg.(tls/https,(s/mime,(pgp,(kerberos,( ( But(security(concerns(that(cut(across(protocol(layers( Implement(by(the(network(for(all(applicaJons?( ((( ( ( (((Enter(IPSec!( General(IP(Security(framework( Allows(one(to(provide( Access(control,(integrity,(authenJcaJon,(originality,( and(confidenjality(( Applicable(to(different(semngs( Narrow(streams:(Specific(TCP(connecJons( Wide(streams:((All(packets(between(two(gateways( 5 6

IPSec(Uses( 25! Benefits(of(IPSec( 26! Replay(ProtecJon(is(Hard( 29! 30! If(in(a(firewall/router:( Strong(security(to(all(traffic(crossing(perimeter( Resistant(to(bypass( Below(transport(layer( Transparent(to(applicaJons( Can(be(transparent(to(end(users( Can(provide(security(for(individual(users( Goal:(Eavesdropper(can t(capture(encrypted(packet( and(duplicate(later( Easy(with(TLS/HTTP(on(TCP:((Reliable(byte(stream( But(IP(Sec(at(packet(layer;(transport(may(not(be(reliable( IP(Sec(soluJon:((Sliding(window(on(sequence(# s( All(IPSec(packets(have(a(64Abit(monotonic(sequence(number( Receiver(keeps(track(of(which(seqno s(seen(before( [lastest( (windowsize(+(1(,((latest](;((((windowsize(typically(64(packets( Accept(packet(if(( seqno(>(latest((((and(update(latest)( Within(window(but(has(not(been(seen(before( If(reliable,(could(just(remember(last,(and(accept(iff(last(+(1( DNS(Security( IP(Security(Architecture( 27! EncapsulaJng(Security(Payload((ESP)( 28! Hierarchical(Naming(in(DNS( DNS(Root(Servers( SpecificaJon(quite(complex( Mandatory(in(IPv6,(opJonal(in(IPv4( Two(security(header(extensions:( AuthenJcaJon(Header((AH)( ConnecJonless(integrity,(origin(authenJcaJon( MAC(over(most(header(fields(and(packet(body( AnJAreplay(protecJon( EncapsulaJng(Security(Payload((ESP)( These(properJes,(plus(confidenJality( Transport(mode:(Data(encrypted,(but(not(header( AZer(all,(network(headers(needed(for(rouJng!( Can(sJll(do(traffic(analysis,(but(is(efficient( Good(for(hostAtoAhost(traffic( Tunnel(mode:(Encrypts(enJre(IP(packet( Add(new(header(for(next(hop( Good(for(VPNs,(gatewayAtoAgateway(security( unnamed root com edu org ac uk zw arpa west foo bar generic domains east my my.east.bar.edu country domains ac cam usr usr.cam.ac.uk 12.34.56.0/24 inaddr 12 34 56 31 13(root(servers((see(hEp://www.rootAservers.org/)( Labeled(A(through(M( E NASA Mt View, CA F Internet Software C. Palo Alto, CA (and 17 other locations) B USC-ISI Marina del Rey, CA L ICANN Los Angeles, CA A Verisign, Dulles, VA C Cogent, Herndon, VA (also Los Angeles) D U Maryland College Park, MD G US DoD Vienna, VA H ARL Aberdeen, MD K RIPE London (+ Amsterdam, Frankfurt) J Verisign, ( 11 locations) I Autonomica, Stockholm (plus 3 other locations) m WIDE Tokyo 32 7 8

DoS(aEacks(on(DNS(Availability( 33! Defense:(ReplicaJon(and(Caching( 34! DNS(Integrity(and(the(TLD(Operators( 37! DNS(Integrity:(Cache(Poisoning( 38! Feb.(6,(2007( Botnet(aEack(on(the(13(Internet(DNS(root(servers( Lasted(2.5(hours( None(crashed,(but(two(performed(badly:( garoot((dod),(((laroot(((icann)( Most(other(root(servers(use(anycast( source: wikipedia! If(domain(name(doesn t(exist,(dns(should( return(nxdomain((nonaexistant(domain)(msg( Verisign(instead(creates(wildcard(records(for( all(.com(and(.net(names(not(yet(registered( September(15( (October(4,(2003( RedirecJon(for(these(domain(names(to(Verisign( web(portal:(( to(help(you(search ( And(serve(you(ads and(get( sponsored (search( Verisign(and(online(adverJsing(companies(make($$( Was(answer(from(an(authoritaJve(server?( Or(from(somebody(else?( DNS(cache(poisoning( Client(asks(for(www.evil.com( Nameserver(authoritaJve(for(www.evil.com(returns( addijonal(secjon(for((www.cnn.com,(1.2.3.4,(a)( Thanks!((I(won t(bother(check(what(i(asked(for( DenialAofAService(AEacks(on(Hosts( DoS5 Source5 DNS5Query5 SrcIP:5DoS5Target5 5555(605bytes)5 40((amplificaJon( DNS5 Server5 DNS5Response5 (30005bytes)5 DoS5 Target5 580,000(open(resolvers(on(Internet(((KaminskyAShiffman 06)( 355 PrevenJng(AmplificaJon(AEacks( akacker5 prevent5 ip5spoofing5 ip spoofed packets! victim! replies! open5 amplifier5 disable5 open5amplifiers5 36! DNS(Integrity:(DNS(Hijacking( To(prevent(cache(poisoning,(client(remembers:( The(domain(name(in(the(request( A(16Abit(request(ID((used(to(demux(UDP(response)(( DNS(hijacking( 16(bits:((65K(possible(IDs( What(rate(to(enumerate(all(in(1(sec?((64B/packet( 64*65536*8(/(1024(/(1024(=(32(Mbps( PrevenJon:(also(randomize(DNS(source(port( Kaminsky(aEack:(this(source(port (wasn t(random( 39! Let s(strongly(believe(the(answer!( Enter(DNSSEC( DNSSEC(protects(against(data(spoofing(and( corrupjon( DNSSEC(also(provides(mechanisms(to( authenjcate(servers(and(requests( DNSSEC(provides(mechanisms(to(establish( authenjcity(and(integrity( 40! http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html! 9 10

PKADNSSEC((Public(Key)( 41! Verifying(the(Tree( 425 The(DNS(servers(sign(the(hash(of(resource( record(set(with(its(private((signature)(keys( Public(keys(can(be(used(to(verify(the(SIGs( Leverages(hierarchy:( AuthenJcity(of(name(server s(public(keys(is( established(by(a(signature(over(the(keys(by(the( parent s(private(key( In(ideal(case,(only(roots (public(keys(need(to(be( distributed(outaofaband( Ques'on:55www.cnn.com555?5 dns.cs.princeton.edu src.cs.princeton.edu5 stub5 5resolver5 xxx.xxx.xxx.xxx5 resolver5 transac'on55 signatures5 add5to5cache5 5(root)5 5555555555ask5.com5server5 5SIG5(ip5addr5and5PK5of5.com5server)5.com5 ask5cnn.com5server5555 SIG5(ip5addr5and5PK5of5cnn.com5server)5 SIG5(xxx.xxx.xxx.xxx)5 cnn.com5 Conclusions( 43! Security(at(many(layers( ApplicaJon,(transport,(and(network(layers( Customized(to(the(properJes(and(requirements( Exchanging(keys( Public(key(cerJficates( CerJficate(authoriJes(vs.(Web(of(trust( Next(Jme( Interdomain(rouJng(security( Learn(more:(take(COS(432(in(the(fall!( 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information