Computer Security Lectures 11+12 Network Security Jussipekka Leiwo leiwo@cs.vu.nl
Outline
- Network threats
- Network controls
- Firewalls
- Internet security
Network threats

Causes of security problems:
- Sharing of resources and workload
- Complexity of systems and interconnection mechanisms
- Unknown security perimeter
- Multiple points of attack
- Anonymity of attackers
- Unknown access paths to resources
What could be attacked?
Local nodes, connected via local communication links to a local area network (LAN), which also has local data storage, local processes and local devices. The LAN is in turn connected to a network gateway that gives access, via network communication links, to network control resources, network routers and network resources such as databases.
What can an attacker do?
- Intercept data in transit
- Modify data in transit
- Gain unauthorized access to programs or data in remote hosts
- Modify programs or data in remote hosts
- Insert communications
- Replay previous communication
- Block selected traffic
- Block all traffic
- Run a program at a remote host
By what means?
- Wiretapping
- Impersonation
- Message confidentiality violations
- Message integrity violations
- Hacking
- Code integrity violations
- Denial of service
Wiretapping
- Passive vs. active wiretapping
- Cable: packet sniffing, inductance
- Does multiplexing help?
- Microwave
- Satellite communications
- Optical fibre
Impersonation
- Authentication foiled by guessing
- Authentication foiled by eavesdropping
- Nonexistent authentication
- Use of well-known authentication
- Use of trusted authentication
Message confidentiality violations
- Misdelivery
- Exposure in processing systems
- Traffic flow analysis
Message integrity violations
- Change the content of a message
- Change part of the content of a message
- Replace a message
- Reuse an old message
- Change the apparent source of a message
- Redirect a message
- Destroy or delete a message
By means of:
- Active wiretap
- Trojan horse
- Impersonation
- Pre-empted host
- Pre-empted workstation
Hacking
- Hacker vs. cracker
- Hacking tools
- Automated attacks
- Distributed automated attacks
- Are they a real threat?
Code integrity violations
- The user is typically unaware of the content of the downloaded file
- File downloading may happen without the user's permission
Denial of service
- Connectivity
- Flooding
- Routing problems
- Disruption of service
Network controls
- Encryption
- Access control
- Authentication and authorization
- Traffic control
- Data integrity
Encryption: link encryption vs. end-to-end encryption

                          Link encryption                    End-to-end encryption
Security within hosts     Message exposed in sending host    Message encrypted in sending host
                          Message exposed in intermediate    Message encrypted in intermediate
                          nodes                              nodes
Role of user              Applied by sending host,           Applied by sending process,
                          invisible to user                  user involved
                          Host maintains encryption          User must find algorithm
                          One facility for all users         User must select encryption
                          Can be implemented in HW           Software implementation
                          All or no messages encrypted       User chooses granularity of
                                                             application
Implementation concerns   Requires one key per host pair     Requires one key per user pair
                          Provides node authentication       Provides user authentication
Access control
- Port protection
- Automated call-back
- Differentiated access rights
- Silent modem
- Firewalls
Authentication and authorization
Threats:
- Impersonation of a server by a rogue process
- Interception or modification of data exchanged
- Replay of a previous authentication exchange
Example solutions: Kerberos, SESAME, DCE
Kerberos
A secret-key based service for providing authentication in a network, originally developed at MIT. During a login session, user A accesses remote resources (e.g. hosts, file servers) over an insecure network. Each resource needs to authenticate A, but A's workstation performs the authentication on A's behalf, transparently to A.
V1-V3 are obsolete; V4 and V5 are conceptually similar but differ in implementation.
Components:
- Key Distribution Center (KDC), which runs on a physically secure node and often also implements the Ticket Granting Service (TGS)
- A library of subroutines used by distributed applications that want to authenticate their users
Operational principles:
- User A logs into a workstation by providing a username and password
- The workstation (A-WS) obtains information from the KDC that is then used by processes to access remote resources on behalf of the user
Some modified applications: Telnet (RFC 854), BSD r-tools, NFS (RFC 1094)
- Replicated KDCs
- Realms: V4 inter-realm authentication requires a key shared directly between the two realms; transitive (multi-hop) inter-realm authentication is not allowed
- Key version numbers
Encryption for privacy and integrity

Kerberos V4 uses Plaintext (also called Propagating) Cipher Block Chaining (PCBC) encryption to achieve both privacy and integrity in a single cryptographic transformation:

  C_1 = E(m_1 XOR IV)
  C_n = E(m_n XOR m_(n-1) XOR C_(n-1))

- If the final block decrypts properly (Kerberos appends a known trailer), integrity is assumed to be guaranteed
- However, PCBC cannot detect integrity violations in the case of block reordering: swapping two adjacent ciphertext blocks garbles only those two plaintext blocks, and every later block, including the final one, still decrypts correctly
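The reordering weakness can be checked by hand. The following is an added Python example, not code from the lecture or from Kerberos: DES is replaced by a toy 4-round Feistel cipher on 64-bit blocks (assumed for self-containment, not secure), and the key, IV and message are constructed. The chaining is exactly the PCBC formula above. Swapping ciphertext blocks 1 and 2 leaves block 0, block 3 and the known trailer intact while garbling blocks 1 and 2, so a trailer-only integrity check accepts corrupted data.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, like DES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES: a 4-round Feistel network keyed through SHA-256. Not secure."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor_bytes(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        r, l = l, xor_bytes(r, hashlib.sha256(key + bytes([i]) + l).digest()[:4])
    return l + r


def pcbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_n = E(m_n XOR m_(n-1) XOR C_(n-1)); for the first block m_0 XOR C_0 is the IV."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    out, prev_p, prev_c = [], bytes(BLOCK), iv
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = toy_block_encrypt(key, xor_bytes(p, xor_bytes(prev_p, prev_c)))
        out.append(c)
        prev_p, prev_c = p, c
    return b"".join(out)


def pcbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """m_n = D(C_n) XOR m_(n-1) XOR C_(n-1)."""
    out, prev_p, prev_c = [], bytes(BLOCK), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = xor_bytes(toy_block_decrypt(key, c), xor_bytes(prev_p, prev_c))
        out.append(p)
        prev_p, prev_c = p, c
    return b"".join(out)


def swap_adjacent_blocks(ciphertext: bytes, i: int) -> bytes:
    """Attacker's modification: exchange ciphertext blocks i and i+1 in transit."""
    blocks = [ciphertext[k:k + BLOCK] for k in range(0, len(ciphertext), BLOCK)]
    blocks[i], blocks[i + 1] = blocks[i + 1], blocks[i]
    return b"".join(blocks)


# Constructed key, IV and message: four data blocks followed by a known trailer,
# mimicking the trailer Kerberos V4 relies on for its integrity check.
KEY = b"8bytekey"
IV = b"\x00\x01\x02\x03\x04\x05\x06\x07"
TRAILER = b"TRAILER!"
MESSAGE = b"block-01block-02block-03block-04" + TRAILER


def reorder_attack():
    """Swap ciphertext blocks 1 and 2; returns (decrypted text, trailer still valid?)."""
    ct = pcbc_encrypt(KEY, IV, MESSAGE)
    pt = pcbc_decrypt(KEY, IV, swap_adjacent_blocks(ct, 1))
    return pt, pt.endswith(TRAILER)


if __name__ == "__main__":
    pt, trailer_ok = reorder_attack()
    print("trailer intact:", trailer_ok)
    print("blocks 1-2 intact:", pt[8:24] == MESSAGE[8:24])
```

The reason the attack works is that the chaining value entering block n+2 is m_n XOR C_n XOR m_(n+1) XOR C_(n+1), and XOR does not care which order the two swapped blocks were processed in. A MAC computed over the whole message, as Kerberos V5 does, does not have this property.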
Encryption for integrity only
- DES-CBC integrity checking requires encrypting the whole message under DES (a CBC-MAC)
- In software, DES is too slow, and the Kerberos designers wanted something faster
- The Kerberos integrity checking algorithm was developed specifically for Kerberos, but was never fully specified
- Only source code is available, hence nobody has bothered to analyze it
Differences between V4 and V5
- Message specification
- Naming
- Delegation of rights
- Ticket lifetime
- Key versions
- One password can result in different master keys in different realms
- Some cryptographic optimizations
Cryptographic algorithms
- V4 assumes the use of DES; V5 allows different algorithms and variable-length key fields in messages
- The algorithms of V4 are fixed, so they cannot be replaced when weaknesses become known
SESAME
SESAME = A Secure European System for Applications in a Multi-vendor Environment. Partly funded by the European Commission under its RACE programme. Developed in co-operation by Bull, ICL and Siemens.
Operation principles:
- A user authenticates to the Authentication Server (AS)
- The AS returns the user a token used to prove his identity
- The user presents the token to a Privilege Attribute Server (PAS) to obtain a guaranteed set of access rights contained in a Privilege Attribute Certificate (PAC)
- The user presents the PAC to the target application whenever requesting access to a protected resource
- The target application makes an access control decision based on the user's security attributes contained in the PAC and the access control information (e.g. an ACL) attached to the controlled resource
- Supports delegation of access rights and public key certificates
Relationship to Kerberos:
- Some SESAME components can be accessed through Kerberos V5 and can use both Kerberos V5 and SESAME data structures
- SESAME extends Kerberos with heterogeneity, access control, the scalability of public key systems, audit and delegation
- Accessed through the GSS-API
DCE Security
The Distributed Computing Environment (DCE) is a product of the Open Software Foundation (OSF), incorporated into a number of products from different vendors. DCE security is conceptually similar to Kerberos, and Kerberos V5 is one of the components of DCE security.
As Kerberos is designed mostly for authentication, the modular design of DCE allows authentication, encryption and authorization to be dealt with as architecturally separate concerns.
- Incorporates a (conceptual) Privilege Server and Registration Server into the KDC
- Privilege server: puts the principal's UUID (Universally Unique Identifier) and the groups the principal belongs to into the Kerberos ticket in a secure way
- Registration server: provides a combined database for a KDC and the corresponding Privilege Server
Access control lists:
- DCE provides a platform-independent (128-bit) encoding of the name formats used by specific systems (e.g. 32-bit UID, GID)
- DCE also translates names to UUIDs
- Makes heavy use of the Kerberos V5 AUTHORIZATION-DATA field
Traffic control
- Pad traffic
- Routing control
Data integrity
- Sequence numbers etc.
- Checksums
- Cryptographic checksums
- Digital signatures
- Notarization
Firewalls
In the good ol' days, cities were protected by thick walls, and houses were separated from each other by firewalls that prevented, for example, the spread of fire throughout the city. A single point of control where network traffic is examined could help in the maintenance of security.
Physical world analogies:
- Passport (and visa) checking at borders
- Apartment buildings are often locked at the entrance in addition to each door
Properties:
- All traffic from inside to outside, and vice versa, must pass through the firewall
- Only authorized traffic, as defined by the local security policy, will be allowed to pass
- The firewall itself is immune to penetration
Firewall components
- Firewall policy
- Packet filters
- Application gateways
Firewall policy
Service access policy (high-level policy):
- The TCP/IP protocols and services that should be allowed or denied from the protected network
- How these services should be used
- How exceptions to the policy are handled
Firewall design policy (low-level policy):
- How the firewall actually enforces the service access policy
Packet filtering
Applies a set of rules to incoming packets to decide whether each is forwarded or discarded. IP packets are usually filtered based on IP (and transport) header information, such as:
- Protocol number
- Source and destination IP addresses
- Source and destination port numbers
- TCP connection flags
- Other options
A packet filter is stateless. For example:

Nr.  Type  Source addr.  Dest. addr.  Source port  Dest. port  Action
1    tcp   *             123.4.5.6    >1023        23          Permit
2    tcp   *             123.4.5.7    >1023        25          Permit
3    tcp   *             123.4.5.8    >1023        25          Permit
4    tcp   129.6.48.25   123.4.5.9    >1023        119         Permit
5    udp   *             123.4.*.*    >1023        123         Permit
6    *     *             *            *            *           Deny
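To see how a stateless filter evaluates such a table, here is an added Python example (not code from the lecture or from any firewall product) that encodes the six rules above and applies them first-match-wins to constructed packets. Packet contents and the address 198.51.100.7 are made up for the demonstration; the ruleset is the one on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    nr: int
    proto: str    # "tcp", "udp" or "*"
    src: str      # dotted quad; "*" as the whole field or in any octet is a wildcard
    dst: str
    sport: str    # "*", "N" (exact) or ">N"
    dport: str
    action: str   # "Permit" or "Deny"


# The ruleset from the slide, in order
RULES = [
    Rule(1, "tcp", "*",           "123.4.5.6", ">1023", "23",  "Permit"),
    Rule(2, "tcp", "*",           "123.4.5.7", ">1023", "25",  "Permit"),
    Rule(3, "tcp", "*",           "123.4.5.8", ">1023", "25",  "Permit"),
    Rule(4, "tcp", "129.6.48.25", "123.4.5.9", ">1023", "119", "Permit"),
    Rule(5, "udp", "*",           "123.4.*.*", ">1023", "123", "Permit"),
    Rule(6, "*",   "*",           "*",         "*",     "*",   "Deny"),
]


def ip_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return all(p in ("*", a) for p, a in zip(pattern.split("."), addr.split(".")))


def port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("*", pkt["proto"])
            and ip_matches(rule.src, pkt["src"]) and ip_matches(rule.dst, pkt["dst"])
            and port_matches(rule.sport, pkt["sport"]) and port_matches(rule.dport, pkt["dport"]))


def filter_packet(rules, pkt: dict):
    """First matching rule wins; returns (action, rule number).
    Without an explicit catch-all the filter still falls back to deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.nr
    return "Deny", None


def packet(proto: str, src: str, sport: int, dst: str, dport: int) -> dict:
    """Constructed packet summary: only the header fields a filter looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    telnet_in = packet("tcp", "198.51.100.7", 40000, "123.4.5.6", 23)
    telnet_reply = packet("tcp", "123.4.5.6", 23, "198.51.100.7", 40000)
    print("inbound telnet:", filter_packet(RULES, telnet_in))
    print("server's reply:", filter_packet(RULES, telnet_reply))
```

The last two lines show the cost of statelessness: the ruleset permits the client's telnet request, but applied to the reverse direction it has no rule for the server's reply, because nothing remembers that a connection was opened. A stateless filter therefore needs explicit reverse rules (commonly keyed on the TCP ACK flag, one of the "TCP connection flags" listed above), and those reverse rules are what stateful inspection later replaces.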
Application gateways
An internetworking device that interconnects one network to another for a specific application.
- A gateway must understand and implement the corresponding application protocol
- From the client's point of view, the AG is like a server
- From the server's point of view, the AG is like a client
- Works at the application or transport layer: application-level gateway (proxy server) or circuit-level gateway
For example: the client sends a request to the proxy, the proxy authenticates the client and opens its own session to the server, and then relays between the client session and the server session.
Bastion host
An exposed firewall system that hosts an application gateway.
- Must be configured to be particularly secure
- Usually runs a secure operating system
- Code and files must be protected from outside attacks
- Firewall code is the only software permitted to run
Different levels of security:

Security level          Services
No security             Unrestricted access
Traffic interception    Packet filters
Authenticated traffic   PF, application- or circuit-level gateways
Restricted access       PF, AG and e-mail and name gateways
Tamperproof firewall    Special-purpose OS for the firewall
Extended security       Additional security protocols (VPN)
Isolation               No access

Stateful inspection vs. application gateways
- In addition to packet headers, inspection is based on both transport- and application-level headers and data
- Maintains information about past packets
- The first packet in a connection is examined
Proxy servers
An AG typically hosts a number of proxy servers. Usually, they require modification of the clients.
Advantages of proxy servers:
- The AG only allows those TCP/IP protocols and services for which a proxy server exists
- Prevents use of unreliable network services
- Prevents implementation of untrusted services behind the firewall
- Application protocols can be screened and filtered
- For example, FTP GET is allowed but PUT is denied
- Prevention of Java applets and ActiveX controls
Disadvantages of proxy servers:
- Not good at handling UDP-based applications
- Not good at handling proprietary application protocols, for example Lotus Notes, SQL*Net, SAP
Dual-homed firewall
(Figure: Intranet, router, inner network segment, bastion host, outer network segment, router, Internet. The bastion host has an interface on each segment and is the only path between them.)
Screened host firewall
(Figure: Intranet, router, inner network segment with the bastion host, outer network segment, router, Internet. The outer router only forwards traffic to the bastion host.)
Screened subnet firewall
(Figure: Intranet, router, inner network segment, router, bastion host on its own screened subnet, outer network segment, router, Internet.)
Limitations
- No protection against internal attacks
- No protection outside the perimeter
- No protection if compromised
- No protection against data-driven attacks, such as computer viruses, malicious content or macro viruses
Internet security
- IETF Security Area
- IP security
- Transport-level security
IETF Security Area working groups:
- An Open Specification for PGP (openpgp)
- Authenticated Firewall Traversal (aft)
- Common Authentication Technology (cat)
- IP Security Policy (ipsp)
- IP Security Protocol (ipsec)
- IP Security Remote Access (ipsra)
- Intrusion Detection Exchange Format (idwg)
- Kerberized Internet Negotiation of Keys (kink)
- Kerberos WG (krb-wg)
- One Time Password Authentication (otp)
- Public-Key Infrastructure (X.509) (pkix)
- S/MIME Mail Security (smime)
- Secure Network Time Protocol (stime)
- Secure Shell (secsh)
- Securely Available Credentials (sacred)
- Security Issues in Network Event Logging (syslog)
- Simple Public Key Infrastructure (spki)
- Transport Layer Security (tls)
- Web Transaction Security (wts)
- XML Digital Signatures (xmldsig)
IP Security (RFC 2401)
Components:
- IP Encapsulating Security Payload (ESP)
- IP Authentication Header (AH)
- Cryptographic key and Security Association (SA) management procedures
Modes of operation:
- Transport mode
- Tunnel mode
IP ESP (RFC 2406)
Provides:
- Confidentiality
- Data origin authentication
- Connectionless integrity
- Anti-replay service
- Limited traffic flow confidentiality
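The anti-replay service works on the 32-bit sequence number carried in the ESP (and AH) header. As an added example, not from the lecture or any IPsec implementation, here is the sliding-window check a receiver runs, in the bitmap form sketched in RFC 2401 Appendix C; a window of 64 is assumed (the RFC's minimum is 32). The window must be updated only after the packet's ICV has verified, otherwise forged packets could advance it and cause genuine packets to be dropped; the ICV check itself is outside this example.

```python
WINDOW = 64            # assumed window size; RFC 2401 requires at least 32
SEQ_MAX = 0xFFFFFFFF   # 32-bit field; the SA must be replaced before it would wrap


class ReplayWindow:
    """Sliding window over received sequence numbers.
    bitmap bit i is set when sequence number (highest - i) has been accepted."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True if seq is new and inside the window, recording it; False to drop.
        Call only after the packet's ICV has been verified."""
        if seq == 0 or seq > SEQ_MAX:
            return False                    # 0 is never sent; beyond 2^32-1 means rekey
        if seq > self.highest:              # to the right of the window: slide it
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1             # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                    # too old to judge: drop
        if self.bitmap & (1 << offset):
            return False                    # already seen: replay
        self.bitmap |= 1 << offset          # late but new: accept and mark
        return True


def replay_check_trace(seqs):
    """Feed a sequence of received sequence numbers through one window; returns the verdicts."""
    window = ReplayWindow()
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # constructed arrival order: in order, a replay, reordering, a big jump, then stale packets
    for seq, verdict in zip([1, 2, 3, 3, 5, 4, 100, 36, 37, 1, 100],
                            replay_check_trace([1, 2, 3, 3, 5, 4, 100, 36, 37, 1, 100])):
        print(seq, "accept" if verdict else "drop")
```

Packets 4 (arriving after 5) and 37 (63 behind the highest) are accepted because reordering inside the window is legitimate, while 36 is dropped as too old even though it was never seen: the window trades a little false rejection for bounded state.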
IP ESP packet format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Security Parameters Index (SPI)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Sequence Number                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Payload Data* (variable)                   |
~                                                               ~
|                                                               |
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |     Padding (0-255 bytes)                     |
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |  Pad Length   | Next Header   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Authentication Data (variable)                |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP ESP header placement

Transport mode

       -------------------------------------------------
 IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
       |(any options)| Hdr | TCP | Data | Trailer |Auth|
       -------------------------------------------------
                           |<----- encrypted ---->|
                     |<------ authenticated ----->|

       ---------------------------------------------------------
 IPv6  |orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
       |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer|Auth|
       ---------------------------------------------------------
                                    |<---- encrypted ---->|
                                |<---- authenticated ---->|

Tunnel mode

       -----------------------------------------------------------
 IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
       |(any options)| ESP | (any options) |TCP|Data|Trailer|Auth|
       -----------------------------------------------------------
                           |<--------- encrypted ---------->|
                     |<----------- authenticated ---------->|

       ------------------------------------------------------------
 IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
       |IP hdr| hdrs* |ESP|IP hdr| hdrs * |TCP|Data|Trailer|Auth|
       ------------------------------------------------------------
                            |<--------- encrypted ----------->|
                        |<---------- authenticated ---------->|
IP AH (RFC 2402)
Provides:
- Connectionless integrity
- Data origin authentication
- (Optionally) protection against replays
May be applied:
- Alone
- In combination with IP ESP
- In a nested fashion (tunnel mode)
IP AH packet format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header   |  Payload Len  |          RESERVED             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Security Parameters Index (SPI)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Sequence Number Field                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                Authentication Data (variable)                 |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
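Both header layouts above can be exercised with a few lines of struct code. This is an added Python example, not code from the lecture or from any IPsec stack, and it encodes two details the diagrams leave implicit: the AH Payload Len field counts 32-bit words minus two (so a 12-byte fixed header with a 12-byte truncated ICV gives Payload Len 4), and the ESP Pad Length and Next Header bytes sit inside the encrypted region, so the trailer can only be parsed after decryption, when the RFC 2406 default padding 1, 2, 3, ... can also be verified. The ICV values, SPIs and payloads are constructed; ICV computation and the cipher are not part of the example.

```python
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Len, RESERVED, SPI, Sequence Number


def build_ah(next_header: int, spi: int, seq: int, icv: bytes, payload: bytes) -> bytes:
    """AH || payload. Payload Len = length of AH in 32-bit words minus 2 (RFC 2402)."""
    if len(icv) % 4:
        raise ValueError("ICV must be padded to a 32-bit boundary")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + payload


def parse_ah(buf: bytes) -> dict:
    """Split an AH header off the front of buf; validates the length field against the buffer."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(buf) < ah_len:
        raise ValueError("AH length exceeds packet")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": buf[AH_FIXED_LEN:ah_len], "payload": buf[ah_len:]}


def build_esp(spi: int, seq: int, ciphertext: bytes, icv: bytes) -> bytes:
    """SPI || Sequence Number || ciphertext (payload, padding, pad len, next header) || ICV."""
    return struct.pack("!II", spi, seq) + ciphertext + icv


def split_esp(packet: bytes, icv_len: int):
    """Cleartext part of ESP: SPI and sequence number; the rest is ciphertext and ICV."""
    if len(packet) < 8 + icv_len:
        raise ValueError("truncated ESP")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq, packet[8:len(packet) - icv_len], packet[len(packet) - icv_len:]


def build_esp_plaintext(data: bytes, next_header: int, block_size: int = 8) -> bytes:
    """Payload || Padding || Pad Length || Next Header, padded to the cipher block size
    with the RFC 2406 default padding bytes 1, 2, 3, ..."""
    pad_len = (-(len(data) + 2)) % block_size
    return data + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def strip_esp_trailer(plaintext: bytes):
    """After decryption: check the default padding and recover (data, next_header)."""
    if len(plaintext) < 2:
        raise ValueError("no ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length exceeds payload")
    body, pad = plaintext[:-(pad_len + 2)], plaintext[-(pad_len + 2):-2]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return body, next_header


def esp_trailer_valid(plaintext: bytes) -> bool:
    try:
        strip_esp_trailer(plaintext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed AH packet: next header 6 (TCP), 96-bit truncated ICV, dummy payload
    ah_pkt = build_ah(6, 0x1234, 7, b"\xaa" * 12, b"TCP segment")
    print(parse_ah(ah_pkt))
    pt = build_esp_plaintext(b"hello", 6)
    print(pt, strip_esp_trailer(pt))
```

A receiver that skips the padding check accepts any trailer whose Pad Length happens to decrypt to a sane value; checking the default padding gives the only structural sanity test ESP offers before the ICV is considered, and the ICV must still be verified before anything in the decrypted trailer is trusted.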
IP AH header placement

Transport mode

       ---------------------------------
 IPv4  |orig IP hdr  |    |     |      |
       |(any options)| AH | TCP | Data |
       ---------------------------------
       |<------- authenticated ------->|
            except for mutable fields

       ------------------------------------------------------------
 IPv6  |             |hop-by-hop, dest*, |    | dest |     |      |
       |orig IP hdr  |routing, fragment. | AH | opt* | TCP | Data |
       ------------------------------------------------------------
       |<---- authenticated except for mutable fields ----------->|

Tunnel mode

       ------------------------------------------------
 IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
       |(any options)| AH | (any options) |TCP | Data |
       ------------------------------------------------
       |<- authenticated except for mutable fields -->|
       |           in the new IP hdr                   |

       --------------------------------------------------------------
 IPv6  |           | ext hdrs*|    |            | ext hdrs*|    |    |
       |new IP hdr*|if present| AH |orig IP hdr*|if present| TCP|Data|
       --------------------------------------------------------------
       |<-- authenticated except for mutable fields in new IP hdr ->|
ISAKMP et al.
- ISAKMP (RFC 2408) defines exchanges of key generation and authentication data independently of specific protocols
- Oakley (RFC 2412) defines a series of key exchanges that provide different services
- SKEME (no RFC) describes a particular key exchange technique
- IKE (RFC 2409) interprets parts of Oakley and SKEME in ISAKMP
Transport-level security
- Secure Shell (SSH)
- Secure Sockets Layer (SSL)
- Private Communication Technology (PCT)
- Transport Layer Security Protocol (TLS)
Secure Shell (SSH)
- For securely logging in to a remote host
- Strong authentication and secure communication over an insecure channel
- Replaces rlogin, rsh, rcp and rdist, often telnet
- X11 and other TCP/IP connections can be secured using the integrated port forwarding feature
- Manually distributed, preconfigured public keys
SSH overview
- Host key = typically a 1024-bit RSA key that binds a connection to a specific host
- Server key = typically a 768-bit RSA key, changed every hour, so that recorded traffic cannot be decrypted if the host key is later compromised
- The server key is never saved on disk
- The client compares the received host key against its database of manually distributed and preconfigured public host keys
- Depending on the configuration, the client can automatically add or reject unknown keys
- Session key = a 256-bit random number
- The client chooses an encryption algorithm from those supported by the server, typically Blowfish, DES or 3DES
- The client pads the session key with random bytes, double-encrypts it with the host and server RSA keys and sends it to the server
- The server decrypts the message to recover the session key and sends an encrypted confirmation to the client
Also supports user authentication:
- Password-only authentication, where a password is transmitted over the channel, transparently encrypted by SSH
- RSA authentication, where the server generates a random number, encrypted with the public key of the user, as a challenge, and the client must reply with the correct MD5 hash value of the decrypted challenge and other data that binds the result to the current session
The IETF Secure Shell WG is working on the SSH Transport Layer Protocol and the SSH Authentication Protocol
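The RSA user authentication exchange above, with both sides' steps, as an added Python example (not code from the lecture or from any SSH implementation). Assumptions: a toy RSA key pair built from two fixed Mersenne primes (2^127-1 and 2^89-1, giving a 216-bit modulus, far too small for real use), a 128-bit challenge so that it fits under that modulus (SSH used 256 bits with 1024-bit keys), the SSH convention of padding the challenge to 32 bytes before hashing, and two constructed session identifiers standing in for the per-connection value derived from the host and server keys.

```python
import hashlib
import secrets

# Toy RSA key pair: two fixed Mersenne primes, e = 65537. For illustration only.
_P, _Q = (1 << 127) - 1, (1 << 89) - 1
_E = 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
USER_PUB = (_N, _E)     # registered with the server in the user's authorized keys
USER_PRIV = (_N, _D)    # held by the client

CHALLENGE_BITS = 128    # assumption: must stay below the modulus size
CHALLENGE_BYTES = 32    # SSH padded the challenge to 32 bytes before hashing


def server_issue_challenge(pub, rng=secrets.randbits):
    """Server: pick a random challenge and encrypt it to the user's public key.
    Returns (challenge kept by the server, ciphertext sent to the client)."""
    n, e = pub
    challenge = rng(CHALLENGE_BITS)
    return challenge, pow(challenge, e, n)


def client_respond(priv, encrypted_challenge: int, session_id: bytes) -> bytes:
    """Client: decrypt with the private key and answer with MD5(challenge || session_id).
    Including the session id ties the answer to this connection only."""
    n, d = priv
    challenge = pow(encrypted_challenge, d, n)
    return hashlib.md5(challenge.to_bytes(CHALLENGE_BYTES, "big") + session_id).digest()


def server_verify(challenge: int, session_id: bytes, response: bytes) -> bool:
    """Server: recompute the expected hash from its own copy of the challenge."""
    expected = hashlib.md5(challenge.to_bytes(CHALLENGE_BYTES, "big") + session_id).digest()
    return secrets.compare_digest(expected, response)


def run_exchange(priv, pub, session_id: bytes):
    """Whole exchange on one host; returns (accepted?, challenge, response)."""
    challenge, encrypted = server_issue_challenge(pub)
    response = client_respond(priv, encrypted, session_id)
    return server_verify(challenge, session_id, response), challenge, response


# Constructed session identifiers for two different connections
SESSION_A = hashlib.md5(b"constructed session id for connection A").digest()
SESSION_B = hashlib.md5(b"constructed session id for connection B").digest()


if __name__ == "__main__":
    ok, challenge, response = run_exchange(USER_PRIV, USER_PUB, SESSION_A)
    print("genuine client accepted:", ok)
    # a relaying server that obtained this response on connection A cannot reuse it on B
    print("response replayed on another session:", server_verify(challenge, SESSION_B, response))
```

The session id is what defeats a relay: a rogue server that forwards the real server's challenge to a genuine client gets back a hash bound to the client's session id, which differs from the rogue's own session with the real server, so the relayed answer fails verification there.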
SSH Transport Layer Protocol
- Provides cryptographic host authentication, data confidentiality and integrity protection
- Does not provide user authentication: the user authentication protocol is layered on top of the SSH Transport Layer Protocol
- Supports a number of compression, encryption, message authentication and key exchange algorithms
Protocol execution:
Secure Sockets Layer (SSL)
- Extends security into the BSD sockets interface
- Authentication of peer entities
- Exchange of secret keys
- Use of the exchanged keys to authenticate and encrypt the data streams communicated between peer entities
- Developed by Netscape, currently in v3.0 (v1.0 was for internal use only)
Positioning of SSL protocols
SSL functions
- Communicating peers can authenticate each other using public key cryptography
- The confidentiality of the transmitted data is protected, as the connection is transparently encrypted after the initial handshake and session key determination
- The integrity of the transmitted data is protected, as messages are transparently authenticated and integrity-checked with MACs
- No protection against traffic analysis attacks
Client and server must know that the other party is using SSL. Three ways of knowing this:
- Use dedicated port numbers reserved by the IANA
- Use the normal port numbers and negotiate security options as part of the application protocol
- Use a TCP option to negotiate the use of the security protocol during the TCP connection establishment phase
1. SSL Record protocol
Receives data from higher-layer protocols and deals with data fragmentation, compression, authentication and encryption.
Each SSL record contains:
- Content type
- Protocol version number
- Length
- Data payload (optionally compressed and encrypted)
- Message Authentication Code
Other SSL protocols may be layered on top of the SSL Record protocol
Private Communication Technology (PCT)
- Microsoft Corporation, 1995
- Only slightly different from SSL 2.0
- PCT Record protocol to encapsulate handshake and application data into PCT records
- PCT Handshake protocol, layered on top of the PCT Record protocol, to authenticate the server to the client and agree on encryption and MAC algorithms and keys
2. Transport Layer Security WG
To establish a Transport Layer Security (TLS) protocol using SSL, PCT and SSH as a basis. Not many modifications were suggested for SSL. Major modifications suggested for TLS:
- The HMAC construction should be used
- The FORTEZZA token-based KEA should be removed from the specification (it is proprietary and unpublished)
- The TLS record protocol should be separated from the TLS handshake protocol
TLS Record protocol: takes the messages to be transmitted, fragments and optionally compresses them, computes a MAC and attaches it to the message, encrypts the result and transmits it.
TLS Handshake protocol: used for negotiating the session state, which consists of the session identifier, a peer certificate, a compression method, a cipher spec, a master key and a resumable flag. Consists of three subprotocols:
- TLS Change Cipher Spec protocol
- TLS Alert protocol
- TLS Handshake protocol
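The record pipeline described above (and the SSL record fields listed earlier) in runnable form, as an added Python example that is not code from the lecture or from any TLS library: fragmentation to 2^14 bytes, a MAC over the implicit 64-bit sequence number, content type, version, length and fragment, and the five-byte record header. Assumptions: HMAC-SHA256 as the MAC (TLS 1.0 specified HMAC-MD5 and HMAC-SHA1, but the HMAC construction is the point the WG made), compression omitted, and a NULL cipher so that the encryption step is left out; the key and data are constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14       # 2^14 bytes: the TLS plaintext fragment limit
APPLICATION_DATA = 23        # content type
VERSION = (3, 1)             # TLS 1.0 on the wire
MAC_LEN = 32                 # HMAC-SHA256 (assumed for this example)


def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """HMAC over seq_num || type || version || length || fragment.
    The sequence number is never transmitted; both ends count records."""
    header = struct.pack("!QBBBH", seq_num, content_type, *VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect(mac_key: bytes, seq_num: int, content_type: int, data: bytes):
    """Sender: fragment, MAC, frame. With a real cipher, fragment || MAC would be
    encrypted here before framing; under a NULL cipher it is sent as is.
    Returns (records, next sequence number)."""
    records = []
    for i in range(0, len(data), MAX_FRAGMENT):
        fragment = data[i:i + MAX_FRAGMENT]
        body = fragment + record_mac(mac_key, seq_num, content_type, fragment)
        records.append(struct.pack("!BBBH", content_type, *VERSION, len(body)) + body)
        seq_num += 1
    return records, seq_num


def unprotect(mac_key: bytes, seq_num: int, record: bytes):
    """Receiver: parse the header, check the MAC with the expected sequence number.
    Returns (content_type, fragment, next sequence number); raises on any failure."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if (major, minor) != VERSION or len(body) != length or length < MAC_LEN:
        raise ValueError("malformed record")
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(mac_key, seq_num, content_type, fragment)):
        raise ValueError("bad_record_mac")
    return content_type, fragment, seq_num + 1


def receive_all(mac_key: bytes, records):
    """Receiver loop from sequence number 0; returns (all records accepted?, reassembled data)."""
    seq, out = 0, b""
    try:
        for record in records:
            _, fragment, seq = unprotect(mac_key, seq, record)
            out += fragment
    except ValueError:
        return False, out
    return True, out


if __name__ == "__main__":
    key = b"constructed mac key"                      # would come from the handshake's master key
    records, _ = protect(key, 0, APPLICATION_DATA, b"A" * 20000)
    print(len(records), "records")
    print("in order:", receive_all(key, records)[0])
    print("reordered:", receive_all(key, [records[1], records[0]])[0])
```

Because the sequence number is part of the MAC input but not of the record, a reordered, dropped or replayed record fails the MAC check at the receiver even though each record on its own is intact; that is how the record layer delivers the replay protection the SSL function list above credits to "transparently authenticated" messages.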