CSCE 715: Network Systems Security

Chin-Tser Huang

huangct@cse.sc.edu

University of South Carolina

Security of Hash Functions and MAC
  • Brute-force attacks
    • breaking strong collision resistance of a hash has cost $2^{m/2}$
      • a hardware MD5 cracker has been proposed
      • 128-bit hash looks vulnerable, 160-bit better
    • MACs with known message-MAC pairs
      • can either attack keyspace or MAC
      • at least 128-bit MAC is needed for security
Security of Hash Functions and MAC
  • Cryptanalytic attacks exploit structure
    • as with block ciphers, want brute-force attacks to be the best alternative
  • Have a number of analytic attacks on iterated hash functions
    • $CV_i = f[CV_{i-1}, M_i]$; $H(M) = CV_N$
    • typically focus on collisions in function f
    • like block ciphers, f is often composed of rounds
    • attacks exploit properties of round functions
Keyed Hash Functions as MACs
  • Desirable to create a MAC using a hash function rather than a block cipher
    • hash functions are generally faster
    • not limited by export controls on block ciphers
  • Hash includes a key along with the message
  • Original proposal:

KeyedHash = Hash(Key|Message)

    • some weaknesses were found with this proposal
  • Eventually led to development of HMAC
HMAC
  • Specified as Internet standard RFC 2104
  • Use hash function on the message:

$\mathrm{HMAC}_K = \mathrm{Hash}[(K^+ \oplus \mathrm{opad}) \,\|\, \mathrm{Hash}[(K^+ \oplus \mathrm{ipad}) \,\|\, M]]$

    • $K^+$ is the key padded out to size
    • opad, ipad are specified padding constants
  • Overhead is just 3 more hash compression function calculations than the message alone needs
  • Any of MD5, SHA-1, RIPEMD-160 can be used
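
The formula above can be built directly from plain hash calls. The following Python sketch is an added example, not code from the slides; the key and message are constructed sample values, and hashing a key longer than one block before padding is the RFC 2104 rule that "padded out to size" leaves implicit.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # the ipad/opad byte values fixed by RFC 2104


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] built from plain hash calls."""
    block = hashlib.new(hash_name).block_size      # 64 bytes for MD5 and SHA-1
    if len(key) > block:                           # RFC 2104: hash an over-long key first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")             # K+: key zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k_plus) + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"                  # constructed sample values
    msg = b"transfer 100 from alice to bob"
    tag = hmac_from_formula(key, msg)
    print("matches library HMAC:", tag == hmac.new(key, msg, "sha1").digest())
    print("genuine accepted:", verify(key, msg, tag))
    print("tampered accepted:", verify(key, msg + b"0", tag))
```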
Security of HMAC
  • Security of HMAC relates to that of the underlying hash algorithm
  • Attacking HMAC requires either:
    • brute force attack on key used
    • birthday attack (but since it is keyed, the attacker would need to observe a very large number of messages)
  • Choose hash function used based on speed versus security constraints
Hash and MAC Algorithms
  • Hash Functions
    • condense arbitrary size message to fixed size
    • by processing message in blocks
    • through some compression function
    • either custom or block cipher based
  • Message Authentication Code (MAC)
    • fixed sized authenticator for some message
    • to provide authentication for message
    • by using block cipher mode or hash function
See How Cryptographic Tools Really Work
  • OpenSSL is a general-purpose cryptographic library with implementations of
    • Symmetric ciphers: 3DES, AES, …
    • Asymmetric ciphers: RSA, DH, …
    • Hash functions: MD5, SHA-1, …
Next Topic in Cryptographic Tools
  • Symmetric key encryption
  • Asymmetric key encryption
  • Hash functions and message digest
  • Nonce
A Scenario of Replay Attack
  • Alice authorizes a transfer of funds from her account to Bob’s account
  • An eavesdropping adversary makes a copy of this message
  • Adversary replays this message at some later time
Replay Attacks
  • Adversary takes past messages and plays them again
    • whole or part of message
    • to same or different receiver
  • Encryption algorithms not enough to counter replay attacks
Freshness Identifiers
  • Sender attaches a freshness identifier to message to help receiver determine whether message is fresh
  • Three types of freshness identifiers
    • nonces
    • timestamps
    • sequence numbers
Nonces
  • A random number generated for a special occasion
  • Need to be unpredictable and not used before
  • Disadvantage is not suitable for sending a stream of messages
  • Mostly used in challenge-response protocols
Timestamps
  • Sender attaches an encrypted real-time timestamp to every message
  • Receiver decrypts timestamp and compares it with current reading
    • if difference is sufficiently small, accept message
    • otherwise discard message
  • Problem is synchronization between sender and receiver
Sequence Numbers
  • Sender attaches a monotonically increasing counter value to every message
  • Sender needs to remember last used number and receiver needs to remember largest received number
Operation of Sequence Numbers
  • Sender increments sequence number by 1 after sending a message
  • Receiver compares sequence number of received message with largest received number
    • If larger than largest received number, accept message and update largest received number
    • If less than largest received number, discard message
Problem with Sequence Numbers
  • IPsec uses sequence number to counter replay attacks
  • However, reordering can occur in IP
  • Messages with larger sequence number may arrive before messages with smaller sequence numbers
  • When reordered messages with smaller sequence numbers arrive later, they will be discarded
Anti-Replay Window Protocol in IPsec
  • Protect IPsec messages against replay attacks and counter the problem of reorder
  • Sender puts a sequence number in every message
  • Receiver uses a sliding window to keep track of the received sequence numbers
Comparison with TCP Sliding Window
  • Purpose: TCP sliding window is used for flow control, while anti-replay window for countering replay attack
  • Size: TCP sliding window is of dynamic size, while anti-replay window is of static size (64 recommended by IPsec)
Comparison with TCP Sliding Window
  • Unit: TCP sliding window is byte-oriented, while anti-replay window is packet-oriented
  • Retransmission: same sequence number used in TCP sliding window, while new sequence number used in anti-replay window
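TCP Sliding Window

[Figure: TCP sliding window over bytes 1 to 11. The offered window (advertised by receiver) holds the bytes sent, not ACKed, and the usable window of bytes that can be sent ASAP; to its left are bytes sent and acknowledged, to its right bytes that can't be sent until the window moves.]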

Anti-Replay Window
  • w is window size
  • r is right edge of window
  • Assume s is sequence number of next received message
  • Three cases to consider

[Figure: anti-replay window of size w (positions 1 to w) on the line of sequence numbers, with left edge r-w+1 and right edge r. Labels: assumed received, received before, not yet received.]

Cases of Anti-Replay Window
  • Case i: if s is smaller than sequence numbers in window, discard message s

[Figure: s lies to the left of the window (positions 1 to w, right edge r).]

Cases of Anti-Replay Window
  • Case ii: s is in window
    • if s has not been received yet, then deliver message s
    • if s has been received, then discard message s

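[Figure: window (positions 1 to w, right edge r) with two examples of s inside it, one marked (discard) and one marked (deliver).]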

Cases of Anti-Replay Window
  • Case iii: if s is larger than sequence numbers in window, then deliver message s and slide the window so that s becomes its new right edge

[Figure: window before shift, with right edge r and s to its right; window after shift, with s as the new right edge.]

Properties of Anti-Replay Window Protocol
  • Discrimination:
    • receiver delivers at most one copy of every message sent by sender
  • w-Delivery:
    • receiver delivers at least one copy of each message that is neither lost nor has suffered a reorder of degree w or more, where w is window size
Problem with Anti-Replay Window
  • Receiver gets s, where s >> r
  • Window shifts to right
  • Many good messages that arrive later will be discarded

[Figure: window before shift with right edge r, and window after shift to a much larger s; the sequence numbers in between are marked as discarded good msgs.]

Automatic Shift vs. Controlled Shift
  • Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead
  • Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later
Three Properties of Controlled Shift
  • Adaptability
    • receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment
  • Rationality
    • receiver sacrifices only when messages that could be saved are more than messages that are sacrificed
  • Sensibility
    • receiver stops sacrificing if it senses that the messages it means to save are not likely to come
Additional Case with Controlled Shift
  • Case iv: s is more than w positions to the right of window
    • receiver estimates number of good messages it is going to lose if it shifts the window to s
    • if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than $d_{max}$, then receiver discards this message and increments d by 1
    • otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0
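
The receiver cases i to iv can be exercised together in one small model. This Python sketch is an added example, not code from the slides or from any IPsec implementation: the class and method names are hypothetical, `d_max=0` is this example's way of selecting automatic shift, and the loss estimator used for case iv is an assumption, since the slides do not say how the estimate is computed.

```python
class AntiReplayWindow:
    """Receiver state: window size w, right edge r, discard counter d."""

    def __init__(self, w=64, d_max=0):
        self.w, self.r = w, 0          # sequence numbers start at 1
        self.seen = 1                  # bit i set => sequence number r-i was received
        self.d, self.d_max = 0, d_max  # d_max=0: automatic shift (case iv never discards)

    def loss_if_shifted_to(self, s):
        # Assumed estimator (not from the slides): sequence numbers not yet received
        # that would lie left of the new window [s-w+1, s] and so hit case i later.
        new_left = s - self.w + 1
        skipped = max(0, new_left - (self.r + 1))
        old = range(max(1, self.r - self.w + 1), min(self.r, new_left - 1) + 1)
        return skipped + sum(1 for q in old if not (self.seen >> (self.r - q)) & 1)

    def receive(self, s):
        if s <= self.r - self.w:                       # case i: left of window
            return "discard"
        if s <= self.r:                                # case ii: inside window
            bit = 1 << (self.r - s)
            if self.seen & bit:
                return "discard"                       # already received: replay
            self.seen |= bit
            return "deliver"
        if s - self.r > self.w:                        # case iv: far right of window
            if self.loss_if_shifted_to(s) > self.d + 1 and self.d + 1 < self.d_max:
                self.d += 1                            # sacrifice s, keep the window
                return "discard"
            self.d = 0
        # case iii, or case iv "otherwise": slide so that s is the new right edge
        self.seen = ((self.seen << (s - self.r)) | 1) & ((1 << self.w) - 1)
        self.r = s
        return "deliver"


def run(window, seqs):
    return [window.receive(s) for s in seqs]


if __name__ == "__main__":
    arrivals = [1, 3, 2, 2, 100, 4, 5]                 # constructed arrival order
    print("automatic: ", run(AntiReplayWindow(w=4), arrivals))
    print("controlled:", run(AntiReplayWindow(w=4, d_max=3), arrivals))
```

With automatic shift the stray sequence number 100 drags the window away and the good messages 4 and 5 are lost; with controlled shift 100 is sacrificed instead and 4 and 5 are delivered.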
Another Problem with Anti-Replay Window
  • Computer may reset due to transient fault or power loss
  • If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost
Scenario of Sender Reset
  • If p is reset, unbounded number of fresh messages are discarded by q

[Figure: p and q both at seq# 50 after messages 0, 1, 2, 3, ..., 48, 49; p resets to seq# 0, and the messages it then sends are fresh yet discarded by q.]

Scenario of Receiver Reset
  • If q is reset, it can accept unbounded number of replayed messages

[Figure: p and q both at seq# 50 after messages 0, 1, 2, 3, ..., 48, 49; q resets to seq# 0, and those messages, inserted by the adversary, are replayed yet accepted by q.]

Overcome Reset Problems
  • IPsec Working Group: if reset, the Security Association (SA) is deleted and a new one is established -- very expensive
  • Our solution: periodically push current state of SA into persistent memory (e.g. hard drive); if reset, restore state of SA from this memory
SAVE and FETCH
  • When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory
  • When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory
SAVE at Sender
  • s is sequence number at p
  • Every $K_p$ messages, p executes SAVE(s) to store current s in persistent memory
  • Choose appropriate $K_p$ such that in spite of execution delay, SAVE(s) is guaranteed to complete before message numbered $s+K_p$ is sent
FETCH at Sender
  • When p wakes up after reset, p executes FETCH(s) to fetch s stored in persistent memory
  • After FETCH(s) completes, p executes SAVE($s+2K_p$) and waits
  • After SAVE($s+2K_p$) completes, p can send next message using seq# $s+2K_p$
Convergence of Sender
  • Assume when p resets, SAVE(s) has not yet completed, and the last sent seq# is $s+t$
    • $t < K_p$, otherwise SAVE(s) should have completed
  • When p wakes up, $s-K_p$ will be fetched
  • Therefore, adding $2K_p$ to fetched seq# guarantees that next sent seq# is fresh
Convergence of Sender
  • Assume when p resets, SAVE(s) has completed, and the last sent seq# is $s+u$
    • $u < K_p$, otherwise SAVE($s+K_p$) should have started
  • When p wakes up, s will be fetched
  • Therefore, adding $2K_p$ to fetched seq# guarantees that next sent seq# is fresh
Results of SAVE and FETCH
  • When p is reset, some sequence numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs
  • When q is reset, the number of discarded messages is bounded by $2K_q$
  • When p or q is reset, no replayed message will be accepted by q
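
The sender-side convergence argument can be checked by simulation. This Python model is an added example, not code from the slides: the `disk` dict stands in for persistent memory, `save_delay` (the number of further messages sent before a SAVE completes, always less than $K_p$) is an assumed model of execution delay, and p is assumed to start at seq# 1 with 0 stored.

```python
class Sender:
    """Sender p. `disk` is a dict standing in for persistent memory."""

    def __init__(self, k_p, save_delay, disk):
        assert 0 <= save_delay < k_p       # SAVE(s) must finish before s+K_p is sent
        self.k_p, self.save_delay, self.disk = k_p, save_delay, disk
        self.pending = None                # (value, seq# after which the SAVE completes)
        if "seq" in disk:                  # waking up after a reset
            fetched = disk["seq"]          # FETCH(s)
            disk["seq"] = fetched + 2 * k_p    # SAVE(s+2K_p), wait for completion
            self.next_seq = fetched + 2 * k_p
        else:                              # first start (assumed initial state)
            disk["seq"] = 0
            self.next_seq = 1

    def send(self):
        seq = self.next_seq
        self.next_seq += 1
        if seq % self.k_p == 0:            # every K_p messages: start SAVE(seq)
            self.pending = (seq, seq + self.save_delay)
        if self.pending and seq >= self.pending[1]:
            self.disk["seq"] = self.pending[0]     # the SAVE completes
            self.pending = None
        return seq


def reset_after(k_p, save_delay, sends_before_reset):
    """Return (last seq# sent before the reset, first seq# sent after it)."""
    disk = {}
    p = Sender(k_p, save_delay, disk)
    last = 0
    for _ in range(sends_before_reset):
        last = p.send()
    p = Sender(k_p, save_delay, disk)      # reset: volatile state and any SAVE in flight are lost
    return last, p.send()


if __name__ == "__main__":
    print(reset_after(5, 4, 7))            # reset while SAVE(5) is still in flight
    print(reset_after(5, 0, 7))            # reset after SAVE(5) has completed
```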
Next Class
  • Address Resolution Protocol (ARP) and its security problems
  • Secure ARP
  • Read paper on website