cryptography and security -...
TRANSCRIPT
Cryptography and Security
in Communication Networks
Introduction
ETTI - Master - Advanced Wireless Communications
© Octavian Catrina 2
Security concepts
value
countermeasures
vulnerabilities
IT resources
Threat agents
(Attackers) risk
wish to minimize
to
wish to abuse or/and damage
give rise to
to
imposeto reduce
threats
that exploit
that increase
leading to
may be aware of
that may be reduced by
Owners
Based on Common Criteria for IT Security Evaluation, 1999
⚫ The purpose of information
system security is to protect
IT resources against threats
related to malicious or other
human activities.
⚫ Security policies are sets of
rules that regulate how the
resources are managed and
protected.
⚫ A threat is a potential abuse
of protected resources (i.e.,
a breach of a security policy).
⚫ Threats are enabled by
system vulnerabilities.
⚫ Countermeasures are used to
reduce vulnerabilities and to
meet security policies.
© Octavian Catrina 3
Security services and mechanisms
⚫ Security services
⚫ A security service is a measure used to address a threat:
⚫ Data confidentiality: prevents unauthorized data disclosure.
⚫ Data integrity/authentication: detects unauthorized data
modification (and falsification of data origin).
⚫ Access control: prevents unauthorized use of resources.
⚫ Entity authentication: prevents impersonation (user/device).
⚫ Security mechanisms
⚫ A security mechanism is a means to provide a service:
⚫ Encryption schemes.
⚫ Message authentication (and digital signature) schemes.
⚫ Authorization and access control protocols and systems.
⚫ Authentication protocols.
⚫ Example: a data confidentiality service can be implemented
using an access control system or an encryption scheme.
© Octavian Catrina 4
Access control (AC)
⚫ Access control service
⚫ Provides protection against unauthorized use of resources:
⚫ intercepts user requests,
⚫ determines if they are authorized or not, and
⚫ allows or denies them, based on access control policies.
⚫ The AC system needs a verifiable proof that the user is
authorized to perform the requested action.
⚫ Example: The AC system authenticates Alice and then uses
her (verified) identity to look up her permissions in an access
control list stored in a local repository.
Access
Control
Access RequestAuthorized
Access Request
Allows or denies a requestaccording to AC policies
ResourcesAlice
© Octavian Catrina 5
Data confidentiality
⚫ Data confidentiality service
⚫ Prevents unauthorized disclosure of the information
(i.e., unauthorized information reading).
⚫ Methods
⚫ Access control: Physical protection to deny access to the data
storage system or to the communication channel.
⚫ Cryptography - Encryption: Apply a transformation (encryption)
such that: (1) protected data becomes indistinguishable from
random bits; (2) the inverse transformation (decryption) can be
computed only by an authorized reader.
Adversary
(Charlie)
Intercepts messages
and wants to read
them
Data confidentiality in a communication system.
Alice and Bob make sure that Charlie cannot
understand intercepted messages.
Alice Bob
© Octavian Catrina 6
Data integrity
⚫ Data integrity service
⚫ Prevents or detects unauthorized modification of the
information (i.e., unauthorized information writing).
⚫ Modification can be: insertion, deletion, and substitution.
⚫ Methods
⚫ Access control: Physical protection to deny access to the data
storage system or to the communication channel.
⚫ Cryptography - message integrity (authentication) code:
Append a tag to the message, computed as a function of the
data and a secret known only by the authorized users.
Adversary
(Charlie)
Intercepts messages
and tries to alter or
delete them
Bob can detect any modification of the
messages sent by Alice.
Alice Bob
© Octavian Catrina 7
Data-origin authentication
⚫ Data-origin authentication (message authentication)
⚫ Enables verification of the identity of the message originator,
based on evidence associated with the message.
Adversary
(Charlie)
Tries to insert
messages and claim
they come from Alice
Bob can make sure that a received message
was written by Alice, not fabricated by Charlie.
⚫ Methods
⚫ Cryptography - message authentication
code or digital signatures.
Authentication
Integrity
⚫ Implies data integrity (when a message
is modified its origin changes).
Data authentication in a communication system
Alice Bob
© Octavian Catrina 8
Entity authentication
⚫ Entity authentication service
⚫ Enable one party to verify the identity of another party, through
interactive acquisition of evidence.
Also proves that the other party is currently present (active).
⚫ Unilateral or mutual authentication.
⚫ An entity can be authenticated based on ...... what it knows (password, PIN),
what it has (magnetic card, smart card),
what it is (biometrics: fingerprints, iris recognition, ...),
or a combination of the above (multi-factor authentication).
Adversary
(Charlie)
Tries to impersonate
Alice (interactively)
Bob is assured that he
communicates with Alice.
Example:
Unilateral authentication.
Alice Bob
© Octavian Catrina 9
Non-repudiation
⚫ Non-repudiation service
⚫ Extension of authentication, which provides protection against
denial of previous commitments or actions.
E.g., deny having sent a message.
⚫ Allows resolution of disputes using a trusted third party which
can check document authenticity.
Non-repudiation
Authentication
Integrity
⚫ Non-repudiation implies both
data-origin authentication and
data integrity.
⚫ The basic objectives are similar
to those of handwritten signature
Digital signature techniques.
A6E3891F2939E38C745B
25289896CA345BEF5349
245CBA653448E349EA47
Digital signature:Handwritten signature:
© Octavian Catrina 10
Digital signatures
⚫ Digital signature schemes provide message
authentication with non-repudiation
Adversary (Charlie)
Tries to insert or modify
messages forging Alice's
signature.
Alice:
Cannot deny having created
and signed the message.
Bob:
Can check the integrity of
the message and the fact
that was signed by Alice.
Cannot forge the signature
or modify the message.
Trent:
Trusted third party for resolution of disputes.
Can check the integrity of the message and
the fact that it was signed by Alice.
© Octavian Catrina 11
Threats and attacks
⚫ Security threat
⚫ Potential violation of a security policy. E.g., vulnerabilities due
to flaws in system design, implementation, and operation.
⚫ Security attack
⚫ A realization of a threat: an action that violates security.
⚫ Two main classes: Passive attacks. Active attacks.
⚫ Passive attack
⚫ The adversary can only monitor the communication channel
(read messages, but not modify or delete them).
⚫ Threatens data confidentiality.
⚫ Active attack
⚫ The adversary attempts to delete, add, or otherwise alter the
transmission on the communication channel.
⚫ Threatens all security services.
© Octavian Catrina 12
Attacks: Interception
⚫ Interception (eavesdropping): attack on confidentiality
⚫ Unauthorized data access. Passive attack.
⚫ Basic capabilities of the adversary: receive data, packet sniffer.
⚫ Easiest for wireless channels: a standard interface within
reception range is sufficient.
⚫ Otherwise, requires network access (links, switches, routers,
hosts). May be either physical access (connect to the network,
wiretapping), or remote access (e.g., via backdoor, etc.).
⚫ Easier for broadcast multi-access network. Otherwise, modify
the data path to include a device controlled by the adversary.
Interception
(eavesdropping)
Sender
Adversary
Receiver
© Octavian Catrina 13
Attacks: Fabrication
⚫ Fabrication: attack on authenticity
⚫ Unauthorized use of an identity, generation and distribution of
messages under that identity. Active attack.
⚫ Basic capabilities: send data, impersonate legitimate party.
⚫ MAC addresses and IP addresses can be spoofed.
⚫ Easiest for wireless network: a standard interface within
transmission range is sufficient.
⚫ Otherwise, requires access to the receiver's network, either
physical (connect to the network), or remote (e.g., via Internet
connection).
Sends messages
under false
identity
Sender
Adversary
Receiver
© Octavian Catrina 14
Attacks: Modification
⚫ Modification: attack on integrity and authenticity
⚫ Intercept and modify or delete messages. Active attack.
⚫ Basic capabilities: send and receive data, deny packet delivery
for legitimate parties, impersonate legitimate party.
⚫ MAC and IP addresses can be spoofed.
⚫ Install a device on the normal data path or acquire an existing
device (switch, router, HTTP/DNS proxy, etc.).
⚫ Use some network indirection trick to modify the data path and
include the attacker's device: e.g., ARP or DNS spoofing, etc.
Modification
(tampering with
messages)
Sender
Adversary
Receiver
© Octavian Catrina 15
Attacks: Interruption
⚫ Interruption: attack on availability
⚫ Stop message flow or prevent service access. Active attack.
Interruption
Sender
Adversary
Receiver
⚫ Easy to mount, hardest to thwart. Many variants.
⚫ Basic capabilities: depend on variant.
⚫ Denial of service (DoS): use up computation or communication
resources, corrupt/delete data in transit. Requires the ability to
send to receiver, or control a network device on the data path.
⚫ Damage hardware or software. Requires physical access.
⚫ Cryptography can help a bit both the attack and the defense (!).
© Octavian Catrina 16
Example: ARP spoofing 1/2
⚫ ARP spoofing: An adversary forges ARP packets in
order to control connectivity in LANs
⚫ Redirection using ARP spoofing⚫ An attacker M makes host A map IPB to a MAC address MACB:
⚫ Impersonation: map IPB to MACM.
⚫ Denial of service: map IPB to non-existing MAC address.
Host A Attacker M
M can now impersonate B (for A-B communications)
ARP Cache:
IPB at MACM
Host B
ARP request:
Who has IPA? Tell (IPB, MACM)
ARP reply: ...
MAC frame from MACA to MACM
containing IP packet from IPA to IPB
MAC frame from MACM to MACA
containing IP packet from IPB to IPA
M poisons the ARP cache of host A
This is an example that works with
typical ARP implementations. Some
ARP implementations are vulnerable
to simpler attacks.
E.g., a server
or a router
© Octavian Catrina 17
ARP spoofing 2/2
⚫ Man-In-The-Middle (MITM) attack using ARP spoofing⚫ Enables MITM attacks against authentication and key
exchange protocols. Enables sniffing in switched LANs.
Host A MITM Attacker M
M records & forwards the packets exchanged by A and B
ARP Cache:
IPB at MACM
Host B
ARP request:
Who has IPA? Tell (IPB, MACM) ARP Cache:
IPA at MACM
ARP request:
Who has IPB? Tell (IPA, MACM)
ARP reply: ... ARP reply: ...
MAC frame from MACA to MACM
containing IP packet from IPA to IPBMAC frame from MACM to MACB
containing IP packet from IPA to IPB
MAC frame from MACM to MACA
containing IP packet from IPB to IPA
MAC frame from MACB to MACM
containing IP packet from IPB to IPA
M poisons the ARP caches of hosts A, B
After the attack, M should un-poison the
ARP caches to avoid detection
© Octavian Catrina 18
Example: IP spoofing and DoS
⚫ IP (address) spoofing attacks
⚫ Send IP packets with forged source addresses.
⚫ To impersonate hosts (e.g., trusted hosts, to deceive a firewall).
⚫ To hide the origin of an attack.
⚫ To set up DoS (denial of service) attacks.
General scenario
Host y
Victim
Host z
(if any)
Spoofed packet
SA=z DA=y
Reply packet
(if any)
Intercept
or ignore
Attacker
Host x
In general the address z can take any value:
unicast or broadcast or multicast or invalid;
global or private; assigned or not.
Reflection ("smurf") DoS attack
Host y
Victim 1
Host z
Victim 2
Spoofed packet
SA=z DA=y
Attacker
Host x
Reply packets
Use host y to attack host or network z.
Amplification: the reply is much larger than the
original packet; or y is a broadcast address.
Other variants exist.
© Octavian Catrina 19
Case study: WLAN 1/2
⚫ Fact -1: Anybody within transmission range can
send/receive to/from WLAN radio channel.
AccessPoint (AP)
Wired
LAN
WLAN
⚫ Threat 1.2: Data integrity and origin violation.
⚫ Attack: Fabrication - Address spoofing. Modification - rogue AP (active).
⚫ Policy: Detect and drop frames from unauthorized senders.
⚫ Service: Data-origin authentication.
⚫ Mechanism (802.11): Integrity check mechanism in WEP.
⚫ Threat 1.1: Confidentiality violation
(unauthorized reception of WLAN traffic).
⚫ Attack: Eavesdropping (passive).
⚫ Policy: Prevent unauthorized reception.
⚫ Service: Data confidentiality.
⚫ Mechanism (802.11): Encryption using
WEP/RC4.
© Octavian Catrina 20
Case study: WLAN 2/2
AccessPoint (AP)
Wired
LAN
WLAN
⚫ Threat 1.3: Access control violation (unauthorized network access).
⚫ Attack: Connect to WLAN, access network resources (active).
⚫ Policy: Deny unauthorized access.
⚫ Service: Authentication, authorization, and access control.
⚫ Mechanism (802.11): Authentication protocol based on WEP and
authenticated encryption (WEP).
⚫ Fact -2: Vulnerabilities due to design flaws in 802.11
security services.
⚫ Threat 2.1: Flaw in authentication protocol.
⚫ Attack: Eavesdrop and replay (active).
Defeats authentication (traffic blocked by
authenticated encryption).
⚫ Threat 2.2: WEP/RC4 vulnerability.
⚫ Attack: Key recovery (cryptanalytic attack).
⚫ Breaks all services, violates all policies.
⚫ Fixed in 802.11i: New design of security services, upgraded mechanisms.
Etc.
© Octavian Catrina 21
Next steps
⚫ Understand cryptographic algorithms
⚫ Encryption, data authentication, signature, ...
⚫ What they can do. What they cannot do.
⚫ How do they work. How can they be attacked.
⚫ How to use them correctly!
⚫ Authentication and key management protocols
⚫ How are they designed?
⚫ How can they be attacked?
⚫ Then put them all together: Security protocols
⚫ Secure channels.
⚫ Virtual Private Networks (VPNs).
⚫ Etc.