11Attacks & DefensesEE 122: Intro to Communication NetworksFall 2007 (WF 4-5:30 in Cory 277)Vern PaxsonTAs: Lisa Fowler, Daniel Killebrew & Jorge Ortizhttp://inst.eecs.berkeley.edu/~ee122/Materials with thanks to Jennifer Rexford, Ion Stoica,and colleagues at Princeton and UC Berkeley2Announcements• Homework #4 due Friday, 3:50PM• Project #2, phase 2 extended to Monday Dec 10– There will be no further extensions• Send in your requests for the Final Review nextlecture!• Sharpen your pencils/claws for the courseevaluation next lecture! (at 5:15PM)• I will have office hours Fri Dec 14, but not WedDec 12– Please send email for appointment if needed23Goals of Today’s Lecture• Public Key Infrastructure (PKI)• Putting it all together: how does https work?• Attacks: compromising systems– Buffer overflows– Logic errors– Social engineering– Automated attacks: worms & bots• Attacks: denial-of-service (DoS)– Network layer (DDoS)– Transport layer (SYN flooding)– Application layer (one defense: CAPTCHAs)4Public Key Infrastructure (PKI)• Public key crypto is very powerful …• … but the realities of distributing the public keysturn out to be quite hard• PKI: System managing public key distribution on awide-scale⇒Trust distribution mechanism– Confidentiality ⇒ via Encryption– Integrity ⇒ via Digital Signatures– Non–Repudiation ⇒ via Digital Signature– Authentication ⇒ via Digital Certificates35Managing Trust• The most solid level of trust is rooted in our directpersonal experience– E.g., Alice’s trust that Bob is who they say they are– Clearly doesn’t scale to a global network!• In its absence, we rely on delegation– Alice trusts Bob’s identity because Charlie attests to it ….– …. and Alice trusts Charlie6Managing Trust, con’t• Trust is not particularly transitive– Should Alice trust Bob because she trusts Charlie …– … and Charlie vouches for Donna …– … and Donna says Eve is trustworthy …– … and Eve vouches for Bob’s identity?• Two models of delegating trust– Rely on your set of friends and their friendso “Web of trust” -- e.g., PGP– Rely on trusted, well-known authorities (and their minions)o “Trusted root” -- e.g., HTTPS47PKI Conceptual Framework• Trusted-Root PKI:– Basis: well-known public key serves as root of a hierarchy– Managed by a Certificate Authority (CA)• To publish a public key, ask the CA to digitally signa statement indicating that they agree (“certify”) thatit’s indeed your key– This is a certificate for your key (certificate = bunch of bits)o Includes both your public key and the signed statement– Anyone can verify the signature• Delegation of trust to the CA– They’d better not screw up (duped into signing bogus key)– They’d better have procedures for dealing with stolen keys– Note: can build up a hierarchy of signing8Components of a PKI59Digital Certificate• Signed data structure that binds an entity withits corresponding public key– Signed by a recognized and trusted authority, i.e.,Certification Authority (CA)– Provide assurance that a particular public keybelongs to a specific entity• Example: certificate of entity Y Cert = E({nameY, KYpublic}, KCAprivate)– KCAprivate: private key of Certificate Authority– nameY: name of entity Y– KYpublic: public key of entity Yo In fact, they may sign whatever glob of bits you give them• Your browser has a bunch of CAs wired into it10Certification Authority• People, processes responsible for creation,delivery and management of digital certificates• Organized in an hierarchy– To verify signature chain, follow hierarchy up to rootCA-1 CA-2Root CA611Registration Authority• People & processes responsible for:–Authenticating the identity of new entities(users or computing devices), e.g.,o By phone, or physical presence + ID–Issuing requests to CA for certificates• The CA must trust the RegistrationAuthority12Certificate Repository• A database accessible to all users of aPKI• Contains:–Digital certificates–Policy information associated with certs–Certificate revocation informationo Vital to be able to identify certs that havebeen compromisedo Usually done via a revocation list713Putting It All Together - HTTPS• What happens when you click onhttps://www.amazon.com?• https = “Use HTTP over SSL/TLS”• SSL = Secure Socket Layer• TLS = Transport Layer Security• Successor to SSL, and compatible with it• RFC 4346• Provides security layer (authentication,encryption) on top of TCP• Fairly transparent to the app14HTTPS Connection (SSL/TLS), con’t• Browser (client) connectsvia TCP to Amazon’sHTTPS server• Client sends over list ofcrypto protocols itsupports• Server picks protocols touse for this session• Server sends over itscertificate• (all of this is in the clear)SYNSYN ACKACKBrowser AmazonHello. I support(TLS+RSA+AES128+SHA1) or(SSL+RSA+3DES+MD5) or …Let’s useTLS+RSA+AES128+SHA1Here’s my cert~1 KB of data815Inside the Server’s Certificate• Name associated with cert (e.g., Amazon)• Amazon’s public key (RSA exponent e, modulus n)• A bunch of auxiliary info (physical address, type ofcert, expiration time)• URL to revocation center to check for revoked keys• Name of certificate’s signatory (who signed it)• A public-key signature of a hash (MD5) of all this– Constructed using the signatory’s private RSA key16Validating Amazon’s Identity• Browser retrieves cert belonging to the signatory– These are hardwired into the browser• If it can’t find the cert, then warns the user that sitehas not been verified– And may ask whether to continue– Note, can still proceed, just without authentication• Browser uses public key in signatory’s cert todecrypt signature– Compares with its own MD5 hash of Amazon’s cert• Assuming signature matches, now have highconfidence it’s indeed Amazon …– … assuming signatory is trustworthy917HTTPS Connection (SSL/TLS), con’t• Browser constructs a randomsession key K• Browser encrypts K usingAmazon’s public key• Browser sends E(K, {n, e}) toserver• Browser displays• All subsequent communicationencrypted w/ symmetric cipher(e.g., AES128) using key K– E.g., client can authenticate usinga password• (what step is missing?)Browser AmazonHere’s my cert~1 KB of dataE(K, {n,e})KKE(password …, K)E(response …, K)Agreed18Host
View Full Document
Unlocking...