1 / 26

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014. Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/. Administrative stuff. Office hours moved on Monday Will be 3 – 4:30 Quiz today (last 15 minutes). Multiple Join/Bootstrap Attack. A, B, C. Join.

akiva
Download Presentation

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Class 16Deniable AuthenticationCIS 755: Advanced Computer SecuritySpring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

  2. Administrative stuff • Office hours moved on Monday • Will be 3 – 4:30 • Quiz today (last 15 minutes)

  3. Multiple Join/Bootstrap Attack A, B, C Join Join D, E, F Never let nodes re-join/get more contacts!

  4. Harvesting Attack Never contact anyone except neighbors!

  5. Confirmation Attack Are you in the secret network? Yes Never respond to anyone except neighbors!

  6. secret secret secret !! XX !! ?? Covert Auth. Hi! ?? Hi? Hi?

  7. secret ?? BridgeSPA Bridges

  8. Ongoing problems • SilentKnock MitM vulnerability • Bridge TLS distinguishability • Other solutions? • TCP fragmentation, apparently • obfsproxy

  9. SilentKnock • Software has exploitable bugs (!) • Firewalls can not protect services that should be externally accessible • Can we prevent unauthorized users from accessing the service? • Can we prevent them from even detecting the service?

  10. Problem Overview X BUG Big evil untrusted Internet

  11. TCP 3-way handshake SYN (25) Client Server SMTP (port 25) SYN-ACK Mail software ACK (25) Web (port 80) Data (25)

  12. What is Port Knocking? Code: 666, 777, 888 Code: 666, 777, 888 Client SYN (666) Server SYN (777) SMTP (closed) SMTP (port 25) SYN (25) SYN (888) Mail software SYN (25) Web (port 80) SYN-ACK

  13. Covert Authentication • Dining Freemasons: • Alice is able to authenticate to Bob using a shared secret without Mallory being aware that an authentication took place • Bob is unaware that Alice tries to authenticate if Bob does not share a secret with Alice

  14. Problem Statement • Design a port knocking system that provides • Authentication • Replay protection • Non-detection • Practical implementation • Formal threat model • Provable security

  15. Security of Port Knocking E. Vasserman, N. Hopper, J. Laxson, and J. Tyra – SilentKnock: practical, provably undetectable authentication • Computationally bounded adversary may: • observe many authenticated sessions • arbitrarily inject, delete, and reorder messages • Cannot distinguish a port knocking client/server pair from those using ordinary TCP/IP, plus some out-of-band authentication mechanism

  16. Security Definition C S keyed A Hidden world (implementation) Plausible world (ideal security) C S Queue A

  17. Implementation Overview • “Simulate” shared signaling by steganographically embedding a MAC into TCP SYN packet • Application-transparent proxies: • sknockproxy (client) automatically detects “protectable” streams • sknockd (server) decodes/verifies embedded MAC • Userspace implementation

  18. System Overview Client Server

  19. Packet Filter Hooks • sknockd • Listen for SYN, FIN, RST • Passively examines only those packets • sknockproxy • Listen for all packets going to given IP/port pair • Modifies all packets in stream of interest • Server-optimized

  20. Steganographic Embedding Linux 2.6 TCP SYN packet header with embedded MAC

  21. Timestamp Encoding Details • Only get to modify lowest byte • Must delay packet dispatch • Re-transmitted SYN packets must have the same sequence number but different timestamp • Re-encode retransmitted packets and delay dispatch again

  22. Replay Protection • Two-field counter (C1 || C2) • C1 = C2 = 0 at first server connection • De-synchronization can occur if SYN or SYN-ACK is lost • Auto-resynchronization using timed counter field

  23. Optimizations • MAC pre-computation for first connection • Background MAC computations for future connections (not yet implemented) • Counter values and passwords are known for future connections, can AES-encrypt them while waiting for connection • Can even store in config file!

  24. sknockd Timing Results

  25. Known Limitations • Only protects start of connection (TCP hijacking still possible) • Limited MAC size • Identity binding: IP addresses • Distinguishability by packet-modifying adversary

  26. Questions? Reading discussion

More Related