UCSD CSE 123B - Network Security I

Preview: pages 1-3, 20-22 and 41-43 of 43 (partial text extract of the slide deck follows).

CSE 123b: Communications Software, Spring 2004
Lecture 15: Network Security I
Stefan Savage
June 1, 2004

Slide 2: Administrativa
• Homework at the front of class
• Project #2 due date

Slide 3: Overview
• What is network security?
• Communications channel vulnerabilities
  ◆ End-to-end cryptography
• System software vulnerabilities
  ◆ Perimeter defenses
• Protocol vulnerabilities
  ◆ Deliberate misinformation
• Denial-of-service

Slide 4: Network Security?
• What properties do we want?
  ◆ Confidentiality, integrity, authenticity
  ◆ Access control
  ◆ Availability
  ◆ Non-repudiation?
  ◆ Consistency?
  ◆ Privacy?
• What is challenging about the network environment?
  ◆ Exposure/sharing
  ◆ Anonymity
  ◆ Fragility

Slide 5: Approaches at 10,000 ft
• Physical security
  ◆ Tackle the problem of sharing directly
• "Security through obscurity"
  ◆ Hope no one will find out what you're doing!
• Throw math at the problem
  ◆ Cryptography
• Why is security difficult?
  ◆ It's a negative goal: can you be sure there are no flaws?
  ◆ Often assumptions turn out to be invalid

Slide 6: Taxonomy of attacks
• Vulnerability
  ◆ Design
  ◆ Implementation
  ◆ Configuration
• Means of exploitation
  ◆ Interception
  ◆ Interruption
  ◆ Modification
  ◆ Fabrication
• Result
  ◆ Increased access
  ◆ Disclosure of information
  ◆ Corruption of information
  ◆ Denial-of-service
  ◆ Resource theft
• Examples: IIS Unicode, buffer overflow

Slide 7: Communications channel vulnerabilities
• Confidentiality
  ◆ Attacker can intercept messages (passwords, data)
  ◆ Easy on a local network; harder at a distance
• Integrity
  ◆ Attacker can change messages unbeknownst to sender/receiver
  ◆ Marginally harder attack: must intercept or stop forwarding of the legitimate messages
• Authenticity
  ◆ Attacker can "pretend" to be a user illegitimately
  ◆ Easy

Slide 8: Basic Encryption for Confidentiality
• Cryptographer chooses functions E, D and keys KE, KD
  ◆ Sender: ciphertext C = E(M, KE); receiver: plaintext M = D(C, KD)
  ◆ Recovering M from C (solving D(C, x) = M) should be hard without the key x
• Cryptanalyst tries to "break" the system
  ◆ Depends on what is known: E and D? M and C?
  ◆ Kerckhoffs's principle: assume E and D are public and only the key is secret; "security through obscurity" of the algorithm does not hold up

Slide 9: Symmetric Key Functions (DES, IDEA, AES)
• KE = KD = K; E(M, K) = {M}K, D({M}K, K) = M
• Key must be communicated to both parties, but must be secret from everyone else (the key distribution problem)
• Encryption and decryption are fast and have equivalent cost
• Also called secret-key or shared-key cryptography
• Diagram: Plaintext → Encrypt with secret key → Ciphertext → Decrypt with secret key → Plaintext
  ◆ Caveat: DES's 56-bit key is brute-forceable in practice; use AES with 128-bit or longer keys

Slide 10: Asymmetric Key Functions (RSA)
• KE = secret key (SK), KD = public key (PK), or the reverse
  ◆ E(M, SK) = {M}SK, D({M}SK, PK) = M
  ◆ E(M, PK) = {M}PK, D({M}PK, SK) = M
• DES is roughly 100 times faster than RSA in software
  ◆ Typically PK/SK are used to exchange a symmetric key, which is then used for the conversation
  ◆ PK can be exchanged "in the clear" (issues? an attacker who substitutes their own PK in transit can impersonate the owner, so the PK itself must be authenticated, e.g., by a certificate; see the SSL slide)
• Diagram: Plaintext → Encrypt with public key → Ciphertext → Decrypt with private key → Plaintext

Slide 11: Integrity (MD5, SHA)
• Verify that a message has not been modified
  ◆ Much stronger than a checksum (difference? a CRC or checksum is linear, so an attacker can craft a modified message with the same value; a cryptographic hash makes finding such a message infeasible, which matters once the hash itself is protected)
• Message digest / characteristic function / one-way hash:
  ◆ H(M) = h
  ◆ Given h and H, one cannot find M (inversion resistance, also called one-wayness or preimage resistance)
  ◆ Given M, one cannot find M' ≠ M with H(M) = H(M') (the slide calls this collision resistance; strictly it is second-preimage resistance, and collision resistance is the stronger property that no pair M, M' with equal digests can be found at all)
  ◆ Additional mechanism to prevent the attacker from also modifying the hash:
    » encrypt h, or
    » h = H(M, K), where K is a secret key known by both sender and receiver (a message authentication code, MAC)
  ◆ Caveat: collision resistance of MD5 and SHA-1 has since been broken; use SHA-256 or SHA-3. Build the keyed variant as HMAC rather than the naive H(K || M), which is open to length-extension attacks against Merkle-Damgard hashes such as MD5, SHA-1 and SHA-256.

Slide 12: Authenticity: Symmetric (secret) keys
• Three-way handshake for mutual authentication
  ◆ Client and server share secrets, e.g., login password
  ◆ CHK and SHK are the client and server handshake keys derived from the shared secret; x and y are fresh random nonces
  Client → Server:  ClientId, E(x, CHK)
  Server → Client:  E(x + 1, SHK), E(y, SHK)    ← client authenticates server here
  Client → Server:  E(y + 1, CHK)               ← server authenticates client here
  Server → Client:  E(SK, SHK)                  ← session key SK exchanged

Slide 13: Authenticity: Asymmetric (public) keys
• Notice that we reversed the role of the keys (and the math just works out) so only one party can send the message but anyone can check its authenticity
• Diagram: Plaintext → Encrypt with PRIVATE key → Ciphertext → Decrypt with PUBLIC key → Plaintext
  ◆ Caveat: the "encrypt with the private key" picture is specific to RSA; signature schemes in general are distinct algorithms, and even RSA signatures need a padding scheme (e.g., RSA-PSS) to be secure

Slide 14: Digital signatures
• Encryption can be expensive, e.g., RSA at about 1 Kbps
• To speed up, just sign (encrypt) the message digest/hash instead of the whole message!
• Absolutely critical that the hash is "cryptographically strong"
  ◆ Inversion resistance, collision resistance (a collision lets an attacker obtain a signature on one message and present it as a signature on another)
  ◆ Related to size of hash (birthday attacks find collisions in about 2^(n/2) work for an n-bit digest, so the digest must be at least twice the intended security level)

Slide 15: Example: SSL
• Transport-layer secure channel
• Connection setup
  ◆ Negotiate encryption algorithm
  ◆ Server provides SSL certificate
    » Certification Authority (CA), CA signature, principal, principal's public key and timeout
  ◆ Client validates certificate (digital signature) using the well-known public key of the CA
  ◆ If valid, can use the principal's public key to negotiate a session key
  ◆ Check: the client must also confirm that the principal named in the certificate is the host it meant to reach and that the timeout has not passed; a valid CA signature alone only says the CA vouched for someone
• Symmetric session key used to encrypt the channel
• Who is trying to establish trust with whom here?

Slide 16: System-level vulnerabilities
• How often is a security break caused by breaking crypto?
  ◆ Why/where is the strength/weakness of crypto important?
• Implementation bugs are the principal technical source of host compromises
  ◆ Buffer overflow
  ◆ Unchecked parameters
  ◆ Randomness assumptions
  ◆ Race condition
• Ideally: patch/fix all the hosts so no vulnerabilities can be exploited

Slide 17: Buffer Overflow
• Victim offers some service (e.g. HTTP) which accepts data from the network
• Uses a fixed,
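The three-way handshake of slide 12, run end to end as an added example (this is not code from the lecture). E and D are a toy authenticated cipher built from HMAC-SHA256 so the example needs only the Python standard library; deriving CHK and SHK from the shared password with fixed HMAC labels, the 64-bit nonce encoding, and the function names (run_handshake and friends) are assumptions. The same block shows slide 11's "h = H(M, K)" keyed integrity check in action: D rejects any ciphertext whose tag does not verify, the server rejects a client that used the wrong password, and a fresh client session rejects a replayed server reply because its nonce x differs.

```python
import hashlib
import hmac
import secrets
import struct

# Toy symmetric cipher E(M, K) / D(C, K), illustration only (a real system uses an AEAD such
# as AES-GCM). Keystream block i = HMAC-SHA256(K, "ks" || nonce || i); the ciphertext is
# authenticated with tag = HMAC-SHA256(K, "tag" || nonce || ciphertext) (encrypt-then-MAC).

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, b"ks" + nonce + struct.pack(">I", blk), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def E(m: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, m)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def D(c: bytes, key: bytes) -> bytes:
    if len(c) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):   # constant-time compare of the keyed hash
        raise ValueError("integrity check failed: wrong key or modified message")
    return _keystream_xor(key, nonce, ct)

def handshake_keys(password: bytes):
    """CHK and SHK from the shared secret. Assumption: fixed HMAC labels stand in for the
    salted password KDF (scrypt/Argon2) a real deployment would use."""
    chk = hmac.new(password, b"client-handshake-key", hashlib.sha256).digest()
    shk = hmac.new(password, b"server-handshake-key", hashlib.sha256).digest()
    return chk, shk

def u64(n: int) -> bytes:
    return struct.pack(">Q", n)

def from_u64(b: bytes) -> int:
    return struct.unpack(">Q", b)[0]

# The four messages of the slide-12 handshake, one function per message.

def client_msg1(client_id: bytes, password: bytes):
    chk, shk = handshake_keys(password)
    x = secrets.randbits(63)              # fresh nonce; x + 1 must still fit in 64 bits
    return {"chk": chk, "shk": shk, "x": x}, (client_id, E(u64(x), chk))

def server_msg2(passwords: dict, msg1):
    client_id, c = msg1
    chk, shk = handshake_keys(passwords[client_id])
    x = from_u64(D(c, chk))               # fails here if the client used the wrong password
    y = secrets.randbits(63)
    return {"chk": chk, "shk": shk, "y": y}, (E(u64(x + 1), shk), E(u64(y), shk))

def client_msg3(state, msg2):
    c_x1, c_y = msg2
    if from_u64(D(c_x1, state["shk"])) != state["x"] + 1:
        # Client authenticates server here: only a holder of SHK can answer this session's x.
        raise ValueError("server did not answer the fresh challenge (wrong key or replay)")
    y = from_u64(D(c_y, state["shk"]))
    return E(u64(y + 1), state["chk"])

def server_msg4(state, msg3):
    if from_u64(D(msg3, state["chk"])) != state["y"] + 1:
        # Server authenticates client here.
        raise ValueError("client did not answer the challenge")
    state["sk"] = secrets.token_bytes(32)   # session key SK
    return E(state["sk"], state["shk"])

def client_finish(state, msg4) -> bytes:
    state["sk"] = D(msg4, state["shk"])
    return state["sk"]

def run_handshake(passwords: dict, client_id: bytes, password: bytes):
    """Drive all four messages; returns (client's SK, server's SK)."""
    cs, m1 = client_msg1(client_id, password)
    ss, m2 = server_msg2(passwords, m1)
    m3 = client_msg3(cs, m2)
    m4 = server_msg4(ss, m3)
    return client_finish(cs, m4), ss["sk"]

if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed sample credential
    sk_client, sk_server = run_handshake({b"alice": pw}, b"alice", pw)
    print("session keys match:", sk_client == sk_server)
```

Note that every check the protocol makes is a decryption that would fail anyway if the tag were wrong; the x + 1 and y + 1 comparisons are what tie each reply to this session, which is why a captured message 2 from an earlier run is useless to an impersonator.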
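Added example, not from the lecture, covering slides 14 and 15 together: hash-then-sign with textbook RSA over SHA-256, and a toy certificate with the fields the SSL slide lists (CA, principal, principal's public key, timeout, CA signature) that a client validates with the CA's well-known public key before trusting the principal's key. Key generation uses Miller-Rabin with 512-bit moduli so the example runs in well under a second; real deployments use 2048-bit or larger keys, a vetted library, and a padding scheme such as RSA-PSS rather than the raw pow(h, d, n) shown here. The JSON encoding of the certificate body, the CA name and the function names are assumptions. Requires Python 3.8+ for pow(e, -1, phi).

```python
import hashlib
import json
import math
import secrets

# Toy RSA key generation with random primes (Miller-Rabin). Illustration only.

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Returns ((n, e), (n, d)); n >= 2^(bits-2), so a SHA-256 digest (< 2^256) fits as a message."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

# Slide 14: sign the digest, not the message. s = h^d mod n; verify by s^e mod n == h.

def digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest_int(msg), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(msg)

# Slide 15: a toy certificate carrying the fields the slide names, signed by the CA.

CA_NAME = "Toy Root CA"   # assumed name

def make_cert(ca_priv, principal: str, subject_pub, not_after: int) -> dict:
    body = {"ca": CA_NAME, "principal": principal,
            "pub_n": subject_pub[0], "pub_e": subject_pub[1], "not_after": not_after}
    tbs = json.dumps(body, sort_keys=True).encode()   # canonical to-be-signed bytes
    return {"body": body, "sig": sign(ca_priv, tbs)}

def validate_cert(cert: dict, ca_pub, expected_principal: str, now: int):
    """Client check: CA signature, timeout, and that the principal is the host we meant to reach."""
    body = cert["body"]
    tbs = json.dumps(body, sort_keys=True).encode()
    if not verify(ca_pub, tbs, cert["sig"]):
        return False, "bad CA signature"
    if now > body["not_after"]:
        return False, "certificate expired"
    if body["principal"] != expected_principal:
        return False, "principal mismatch"
    return True, "ok"

def server_proves_key(cert: dict, ca_pub, expected_principal: str, now: int,
                      challenge: bytes, server_sig: int) -> bool:
    """Once the certificate validates, the server must show it holds the private key
    matching the certified public key by signing the client's fresh challenge."""
    ok, _ = validate_cert(cert, ca_pub, expected_principal, now)
    body = cert["body"]
    return ok and verify((body["pub_n"], body["pub_e"]), challenge, server_sig)

if __name__ == "__main__":
    ca_pub, ca_priv = keygen()
    srv_pub, srv_priv = keygen()
    cert = make_cert(ca_priv, "www.example.edu", srv_pub, not_after=2_000_000_000)
    challenge = secrets.token_bytes(32)
    print(server_proves_key(cert, ca_pub, "www.example.edu", 1_700_000_000,
                            challenge, sign(srv_priv, challenge)))
```

The answer to the slide's closing question falls out of validate_cert: the client trusts the CA (its public key is built in), the CA vouches for the binding between principal and public key, and only the challenge signature shows that the party on the wire actually holds that key. Changing any field of the body, or signing with a CA the client does not know, fails the first check.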

