Network Security Continued

Upload: preston-wheeler

Post on 13-Jan-2016


Digital Signature

• You want to sign a document.
• Three conditions.
– 1. The receiver can verify the identity of the sender.
– 2. The sender cannot later repudiate the content of the message.
– 3. The receiver cannot make the message up.


Using Public key / Private Key

• To send P, Alice sends E_B(D_A(P)).
• Bob receives it, decodes it with his private key to get D_A(P), then encodes it with Alice’s public key to get P.


Digital Signature

• Can Bob verify this is the message from Alice?
– Yes, because (1) the message usually has some format, and if it is not decoded correctly it will make no sense; (2) Alice can send a hash of the message to Bob, and Bob can verify whether the hash matches the decoded message.


Digital Signature

• If Alice later denies she sent the message P, Bob can show P and D_A(P). A third party can check if he can get P with D_A(P) and Alice’s private key. If yes, Alice is lying, because Bob does not know Alice’s private key and has no way to make up D_A(P).


Is problem solved?

• How can Alice and Bob know each other’s public key?

• Can Alice send a message to Bob to ask him to send her pkB?

• No. Tom may intercept this message and return Alice a message with his key or some junk.


Solution?

• Ask someone with authority, say, C.
– Alice asks C “can you tell me the public key of Bob?”
– C replies “Here you are, pkB.”
• Will this work?
• No. Because how can Alice be sure that this message is from C and not from Tom?


Solution

• Because C is well-known, Alice remembers his public key.

• So when C sends Alice the reply, he “signs” it with his private key: D_skC(pkB, I am sending you the public key of Bob as you requested).

• When Alice gets this message, she knows that this must be from C and can be trusted.


Problems?

• If everyone must contact C before the session begins, can C still handle it?

• Note that the RSA algorithm involves multiplications of large numbers and is slow.


Solution

• In fact, C does not have to reply in real time.
• He can send Bob a “certificate” like: D_skC[I hereby certify that this key ############# belongs to Bob. Bob’s IP address is ****** and his email is @@@@.]
• Later, when Bob wants to prove he is indeed Bob, he can just present this to Alice.
• Actually, it is D_skC{SHA_1[I hereby certify that this key ############# belongs to Bob. Bob’s IP address is ****** and his email is @@@@.]} and C is called a Certificate Authority (CA).


Optimizations

• Still, signing all these certificates is too much for a single machine.

• There is PKI (Public Key Infrastructure) as a tree. You have a root, Regional Authorities, and CAs.

• A node certifies the nodes under it by signing.
• Chain of trust.
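The certificate D_skC{SHA_1[statement]} and the chain of trust can be checked as in the following added example, which is not part of the original slides and generalizes the single CA to a root that certifies the CA. It assumes textbook RSA built from known Mersenne primes (teaching values, not secure), a shortened statement text, and hypothetical helper names.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA on known Mersenne primes: teaching values, not secure."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def sha1_int(text):
    return int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")

def statement(subject, key):
    return f"I hereby certify that this key {key} belongs to {subject}."

def issue(issuer_sk, subject, key):
    """D_sk{SHA_1[statement]}: the issuer signs the hash of the statement."""
    return {"subject": subject, "key": key,
            "sig": pow(sha1_int(statement(subject, key)), *issuer_sk)}

def verify_chain(chain, root_pk):
    """Check each certificate under the key certified one level above it."""
    trusted = root_pk
    for cert in chain:
        expected = sha1_int(statement(cert["subject"], cert["key"]))
        if pow(cert["sig"], *trusted) != expected:
            return None                      # signature does not match: reject
        trusted = cert["key"]
    return trusted                           # public key of the last subject

# Constructed keys (hypothetical parties; Tom is the interceptor from the slides).
ROOT_PK, ROOT_SK = keypair(2**607 - 1, 2**521 - 1)
CA_PK, CA_SK = keypair(2**127 - 1, 2**107 - 1)
BOB_PK, _ = keypair(2**89 - 1, 2**61 - 1)
TOM_PK, TOM_SK = keypair(2**31 - 1, 2**19 - 1)

def demo():
    ca_cert = issue(ROOT_SK, "CA", CA_PK)
    bob_cert = issue(CA_SK, "Bob", BOB_PK)
    good = verify_chain([ca_cert, bob_cert], ROOT_PK)
    # Tom swaps his own key into Bob's certificate but cannot redo the signature.
    swapped = verify_chain([ca_cert, dict(bob_cert, key=TOM_PK)], ROOT_PK)
    # Tom signs a "Bob" certificate with his own private key.
    forged = verify_chain([ca_cert, issue(TOM_SK, "Bob", TOM_PK)], ROOT_PK)
    return good, swapped, forged

if __name__ == "__main__":
    print(demo())
```

Alice only needs to remember the root's public key; every other key is accepted because of a signature made one level above it.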


Authentication

• If someone claims he is A and wants to have a conversation with you, how do you verify?

• He should present something to you which you can check and which he can have if and only if he is A.

• We can all think of certain things for our real friends, but does such a thing exist in the electronic world?


Simple Protocol

• Will this work? Suppose A and B know each other’s public key.
– If A wants to communicate with B, A sends E_pkB[D_skA(P)], where P is the plain text message.
• Because of the digital signature scheme, B knows that this message is originally from A.
• But a message that is originally from A is not necessarily being sent by A now – the replay attack. What the adversary can do is first replay the message to you and, after you are tricked into believing it is A, ask to transfer $10000.


The solution

• Recall that everyone has a public key and a private key.
• Suppose Alice and Bob know each other’s public key.
– If Alice wants to set up a session with Bob, she sends Bob a message E_pkB[Alice, R_a], meaning “I am Alice and I want to talk to you”, where R_a is a number picked at random.
– Bob replies E_pkA[R_a, R_b, K_s], where R_b is a number picked at random and K_s is the session key.
– Alice replies AES_K_s[R_b].
• (not exactly the same as Skype’s protocol, but the idea is the same)


Explanations

• Message 2. When Alice gets E_pkA[R_a, R_b, K_s], she can decrypt it and can get R_a, R_b, K_s. When she sees R_a, she knows that this is the response she is waiting for and the sender must be Bob. Why?

• Because no one except Bob knows how to decode E_pkB[Alice, R_a] to get R_a and R_a is totally random and it is impossible for one to guess it right.


Explanations

• Message 3. When Bob gets AES_K_s[R_b], he can use K_s to decode it to get R_b. Then he knows that this must be the message he is waiting for and the one who sent the first message must be Alice. Why?

• Because no one except Alice knows how to decode E_pkA[R_a, R_b, K_s] to get R_b and K_s to get AES_K_s[R_b].


Explanations

• The key is, we can make sure that every message must be the response of the previous message.

• After the session key is exchanged, the conversation can begin.
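The three-message exchange and its resistance to replay, as an added example that is not part of the original slides. It assumes textbook RSA on known Mersenne primes (teaching values, not secure), 64-bit R_a, R_b and K_s, a constructed identity tag for Alice, and HMAC-SHA256 as a standard-library stand-in for AES_K_s[R_b].

```python
import hashlib, hmac, secrets

def keypair(p, q, e=65537):      # textbook RSA, teaching values only
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

PK_A, SK_A = keypair(2**127 - 1, 2**107 - 1)    # Alice (constructed key)
PK_B, SK_B = keypair(2**89 - 1, 2**61 - 1)      # Bob (constructed key)
MASK = 2**64 - 1
ALICE = 0xA1                                     # constructed identity tag

def proof(k_s, r_b):
    """Stand-in for AES_K_s[R_b]: HMAC-SHA256 of R_b under K_s."""
    return hmac.new(k_s.to_bytes(8, "big"), r_b.to_bytes(8, "big"),
                    hashlib.sha256).digest()

def alice_hello():
    r_a = secrets.randbits(64)
    return r_a, pow((ALICE << 64) | r_a, *PK_B)            # E_pkB[Alice, R_a]

class Bob:
    def reply(self, msg1):
        m = pow(msg1, *SK_B)
        if m >> 64 != ALICE:
            raise ValueError("unknown peer")
        self.r_b, self.k_s = secrets.randbits(64), secrets.randbits(64)
        packed = ((m & MASK) << 128) | (self.r_b << 64) | self.k_s
        return pow(packed, *PK_A)                          # E_pkA[R_a, R_b, K_s]

    def accept(self, msg3):
        return hmac.compare_digest(msg3, proof(self.k_s, self.r_b))

def alice_finish(r_a, msg2):
    m = pow(msg2, *SK_A)
    if m >> 128 != r_a:                  # not the response to my message 1
        raise ValueError("reply does not answer my R_a")
    k_s = m & MASK
    return k_s, proof(k_s, (m >> 64) & MASK)

def demo():
    bob = Bob()
    r_a, msg1 = alice_hello()
    _, msg3 = alice_finish(r_a, bob.reply(msg1))
    honest = bob.accept(msg3)
    bob.reply(msg1)                # recorded message 1 replayed: fresh R_b, K_s
    replayed = bob.accept(msg3)    # recorded message 3 no longer matches
    return honest, replayed

if __name__ == "__main__":
    print(demo())
```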


SSL -- Secure Sockets Layer and HTTPS

• Build a secure connection between two sockets.

• It is a layer between the application layer and the transport layer.

• When HTTP is run over SSL, it is HTTPS.


SSL

• Two protocols, one for establishing a secure connection, the other for using it.
• Fig. 8-51. Establishing connection.

1. A->B. SSL version, Preferences, R_A.
2. B->A. SSL version, Choices, R_B. Certificate. Done.
3. A->B. E_pkB[premaster key]. Change cipher. Finished.
4. B->A. Change cipher. Finished.

• R_A, R_B, and the premaster key are used to get the session key.
• A is sure that she is talking to B. B uses passwords to make sure that he is talking to A.


PGP – Pretty Good Privacy

• Used in E-mails.

[Figure: PGP processing of the message P. Labels recoverable from the diagram: MD5, RSA, zip, IDEA, RSA, D_A, K_M, E_B.]


Attacks – SYN Flood

• SYN Flood
– TCP establishes the connection by a three-way handshake. The client sends SYN; the server receives SYN and sends SYN ACK, at the same time allocating memory for this connection.
– If the client just sends SYN but does not respond to the SYN ACK, the server will wait for a while and release the memory.
– What if people use spoofed source IP addresses to send SYN packets?


Attacks – Reflection

• Reflection.
– What if people use a lot of computers sending SYN to a server with a victim’s IP address as the source address?


Attacks

• http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html

• http://www.scmagazine.com/asia/news/article/419816/a-next-generation-dos-attack-distributed-reflection/


DDoS

• DDoS – Distributed Denial of Service
• Why would anyone want to do this?
• In some cases, for bringing down service of competitors, or for extortion money.


Application Layer Attack

• There is a particular type of attack – simply ask bots to send requests to the victim for large files.

• Now, the victim, the server, has to send large files therefore the bandwidth is saturated and no more requests can be satisfied.


CAPTCHA

• One way is to see if we can distinguish humans from bots.
• CAPTCHA -- Completely Automated Public Turing test to tell Computers and Humans Apart
• Below is a picture from wiki


CAPTCHA

• Was proposed by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford.

• http://www.captcha.net/captcha_crypt.pdf


Other things you can do

• With the CAPTCHA idea, they actually did something else: scan an old book, and show a word in the book along with one from CAPTCHA.

• You don’t know which one is from where.
• So while you log in, you help the library to recognize words.


Problem with CAPTCHA

• The problem is that you do not want to answer a CAPTCHA problem every 30 mins if you are watching a movie.


The other solution

• Ask the client to solve a puzzle, basically asking the client to spend some resource before getting service.

• Can you design some puzzles?


Puzzles

• Some puzzles include:
– Finding a string such that the first k bits of its SHA-1 hash are 0.
– By controlling k, you control the difficulty of the puzzle.
– A problem is that this puzzle is biased toward clients with fast machines.
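The SHA-1 puzzle above, written out as an added example that is not part of the original slides: the server hands out a fresh random prefix, the client searches for a suffix, and the server checks the answer with a single hash. The 16-byte prefix, the 8-byte counter suffix and the function names are assumptions of this sketch.

```python
import hashlib, itertools, secrets

def zero_bits(digest):
    """Number of leading zero bits in a hash value."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def new_challenge():
    """Fresh random prefix per request, so old solutions cannot be reused."""
    return secrets.token_bytes(16)

def solve(challenge, k):
    """Client side: try suffixes until the SHA-1 hash starts with k zero bits."""
    for counter in itertools.count():
        candidate = challenge + counter.to_bytes(8, "big")
        if zero_bits(hashlib.sha1(candidate).digest()) >= k:
            return candidate, counter + 1        # solution, hashes spent

def verify(challenge, k, candidate):
    """Server side: one hash, whatever k is."""
    return (len(candidate) == len(challenge) + 8
            and candidate.startswith(challenge)
            and zero_bits(hashlib.sha1(candidate).digest()) >= k)

def mean_work(k, trials=20):
    """Average client cost in hashes; expected to be about 2**k."""
    return sum(solve(new_challenge(), k)[1] for _ in range(trials)) / trials

if __name__ == "__main__":
    for k in (4, 8, 12):                         # each extra bit doubles the work
        print(k, mean_work(k))
```

The client's cost is counted in hash evaluations, which is why a faster CPU finishes sooner, the bias the last bullet points out.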


Memory-bound puzzles are better

• Memory speed varies less significantly than CPU speed.

• Forcing the client to do a lot of random reads from main memory.

• How?


One memory bound puzzle

• There is a one-to-one function F() that cannot be reversed.

• The server starts from x_0. x_i = F(x_{i-1}).
• The server sends x_k to the client and asks him to return x_0.
• It is in the best interest of the client to build a table, because table lookup is much faster than calculating the function, then search which input results in x_k, to get x_{k-1}, and so on.
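The chain puzzle above as an added example, not part of the original slides, comparing a client that builds the inverse table with one that searches the domain at every step. F is modelled here as a seeded random permutation of a toy 4096-element domain; the seed, the domain size and the function names are assumptions of this sketch.

```python
import random, secrets

N = 1 << 12    # toy domain; assumption: a real puzzle needs a table larger than the CPU cache

def make_F(seed):
    """Public one-to-one F on 0..N-1, modelled as a seeded random permutation."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    return perm.__getitem__

def server_challenge(F, k):
    """Server picks x_0, applies F k times, keeps x_0 and sends x_k."""
    x0 = x = secrets.randbelow(N)
    for _ in range(k):
        x = F(x)
    return x0, x

def solve_with_table(F, x_k, k):
    """Client tabulates the inverse once (N evaluations), then does k lookups."""
    inverse = [0] * N
    for x in range(N):
        inverse[F(x)] = x
    x = x_k
    for _ in range(k):
        x = inverse[x]               # each read depends on the previous one
    return x, N

def solve_by_search(F, x_k, k):
    """Client without a table: scan the domain again for every step back."""
    x, evals = x_k, 0
    for _ in range(k):
        for cand in range(N):
            evals += 1
            if F(cand) == x:
                x = cand
                break
    return x, evals

def demo(k=64):
    F = make_F(seed=2016)            # constructed public seed
    x0, x_k = server_challenge(F, k)
    return x0, solve_with_table(F, x_k, k), solve_by_search(F, x_k, k)

if __name__ == "__main__":
    print(demo())
```

Both clients recover x_0, but the searching client typically spends far more evaluations of F than the N needed to fill the table, so the cheapest strategy is dominated by dependent table reads.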


Other solutions

• Speak-up: When the system is in trouble, instead of waiting to drown, you should speak up!
• Meaning that you should also send a lot of requests.
• The server serves the one with the loudest voice.
• From their 2006 SIGCOMM paper:


Speak-up

• Actually, every client has to pay the server some currency in the form of bandwidth.

• The hope is that the clients have spare bandwidths but the attackers already have used up their bandwidths.

• These dummy bytes are a waste of resource.


What we are working on

• Introducing p2p to DDoS defense.


A useful link

• http://staff.washington.edu/dittrich/misc/ddos/