pw-link-layer - uw computer sciences user...
Today: Passwords; Network security intro (Ethernet, MAC, ARP, WiFi)
Passwords
pw use cases (figure): AES-GCM encryption takes (IV, M) and a key K and outputs (C, T); the same diagram with a password pw in place of the key K; create account: username, pw
Password-based symmetric encryption
[server, desktop, or web service]
How does the server store the pw?
PBKDF [password-based key derivation function]
PBKDF(pw, salt): K = H(H(...H(pw || salt)...)), i.e. apply H to pw || salt and repeat c times; truncate the output if needed
pw-based encryption:
  Enc(pw, M, R):
    salt || R' = R
    K = PBKDF(pw, salt)
    C = Enc'(K, M, R')
    Return (salt, C)
  Dec(pw, C):
    salt || C' = C
    K = PBKDF(pw, salt)
    M = Dec'(K, C')
    Return M
PBKDF + symmetric encryption → pw-based encryption
Enc'/Dec' is some authenticated encryption scheme, like AES-GCM
Attacks?
dictionary attack:
  DictionaryAttack(D, C, T):
    for pw* in D:
      M* = Dec(pw*, C, T)
      if M* ≠ error: return pw*, M*
(figure: Decrypt AES-GCM takes (C, T) and key K and outputs M or error)
Given an authenticated encryption output (C, T) and a dictionary D of possible passwords: enumerate D in order of likelihood and test each candidate password
pw distribution (figure): From an Imperva study of released RockMe.com password database (2010)
Password storage + PBKDF
• Increase number of iterations: H^c(salt || pw)
• Use a slower computation: scrypt, bcrypt (slower than SHA2, use lots of memory, hard to parallelize)
Costs? Benefits?
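As an added example (not from the slides), the pw-based encryption scheme above written out in Python with the slide's iterated-hash PBKDF, so the effect of the iteration count c on the per-guess cost can be measured directly. AES-GCM is not in the standard library, so Enc'/Dec' is a stand-in authenticated scheme (SHA-256 counter-mode keystream plus an HMAC tag) that runs offline; the names pbkdf, enc_prime, dec_prime, enc and dec are this example's own.

```python
import hashlib
import hmac
import os

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32

def pbkdf(pw: bytes, salt: bytes, c: int, dk_len: int = 64) -> bytes:
    """The slide's PBKDF: hash pw || salt, then re-hash the result c times and truncate.
    Every password guess costs the attacker the same c hash calls, so c sets the price."""
    h = pw + salt
    for _ in range(c):
        h = hashlib.sha512(h).digest()
    return h[:dk_len]

def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(k_enc + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def enc_prime(k: bytes, m: bytes, nonce: bytes) -> bytes:
    """Stand-in for Enc' (AES-GCM on the slide), built from the standard library only:
    SHA-256 counter-mode keystream, then an HMAC tag over nonce || ciphertext."""
    k_enc, k_mac = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, nonce, len(m))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec_prime(k: bytes, c: bytes):
    """Stand-in for Dec': verify the tag first and return None ("error") on mismatch."""
    k_enc, k_mac = k[:32], k[32:]
    nonce, ct, tag = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

def enc(pw: bytes, m: bytes, c: int = 100_000) -> bytes:
    """Enc(pw, M, R) from the slide: R = salt || R', K = PBKDF(pw, salt), output salt || C."""
    salt, r_prime = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    return salt + enc_prime(pbkdf(pw, salt, c), m, r_prime)

def dec(pw: bytes, c_out: bytes, c: int = 100_000):
    """Dec(pw, C) from the slide: split salt || C', re-derive K, return M or None (error).
    That error signal is exactly what a dictionary attack tests per candidate password."""
    salt, c_prime = c_out[:SALT_LEN], c_out[SALT_LEN:]
    return dec_prime(pbkdf(pw, salt, c), c_prime)
```

The salt defeats precomputation across users and c multiplies the attacker's work per guess, which is the trade-off the "Costs? Benefits?" question asks about.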
Facebook's Password Onion
  $cur = 'password'
  $cur = md5($cur)
  $salt = randbytes(20)
  $cur = hmac_sha1($cur, $salt)
  $cur = remote_hmac_sha256($cur, $secret)
  $cur = scrypt($cur, $salt)
  $cur = hmac_sha256($cur, $salt)
[A. Muffet, https://video.adm.ntnu.no/pres/54b660049af94]
Protecting passwords: the Pythia PRF service (figure): the User sends (user, pw) to the Web Server; the Web Server sends (uid, blind(pw)) to the Pythia Server, which holds key k and returns z = F_k(uid, pw)
[The Pythia PRF Service, 2015, Everspaugh et al.]
Separates password database and key; permits key rotation without changing passwords
University of Wisconsin CS642
Getting started on network security
802.11
Internet protocol stack
Address resolution protocol and ARP spoofing
Man-in-the-middle
Internet (figure): Alice and Bob each sit on a local area network (LAN: Ethernet, 802.11) reached through ISP1 and ISP2 over the Internet backbone; protocols in play: BGP (border gateway protocol), DNS (domain name system), TCP/IP
Internet threat models (figure: hosts behind ISP1 and ISP2, connected through the backbone)
(1) Malicious hosts
(2) Subverted routers or links
(3) Malicious ISPs or backbone
Internet protocol stack
Application: HTTP, FTP, SMTP, SSH, etc.
Transport: TCP, UDP
Network: IP, ICMP, IGMP
Link: 802.x (802.11, Ethernet)
(figure: two end hosts each run Application / Transport / Network / Link; the router in between implements only Network and Link)
Internet protocol stack: encapsulation (figure)
Application: user data → Appl hdr | user data
TCP: TCP hdr | Appl hdr | user data = TCP segment
IP: IP hdr | TCP hdr | Appl hdr | user data = IP datagram
Ethernet: ENet hdr | IP hdr | TCP hdr | Appl hdr | user data | ENet tlr = Ethernet frame
Header sizes: ENet hdr 14, IP hdr 20, TCP hdr 20 bytes; Ethernet payload 46 to 1500 bytes
Ethernet
Carrier Sense, Multiple Access with Collision Detection (CSMA/CD)
Take turns using broadcast channel (the wire)
Detect collisions, jam, and random backoff
Security issues?
Ethernet frame (figure): ENet hdr | IP datagram | ENet tlr; header = destination address (6 bytes), source address (6 bytes), type (2 bytes); trailer = CRC (4 bytes)
Media access control (MAC) addresses: 48 bits
Type = what is data payload (0x0800 = IPv4, 0x0806 = ARP, 0x86DD = IPv6)
32-bit Cyclic Redundancy Check (CRC) checksum
802.2 LLC frame format slightly different, but similar ideas
MAC addresses
• Hardware (ethernet card / WiFi card) initialized with MAC address
• But: most network cards permit changing MAC address
(figure: 48-bit address = 3 bytes holding 2 control bits & OID, followed by a 3-byte NIC identifier)
MAC spoofing
• Many LANs, WiFis use MAC-based access controls
(screenshot) Courtesy of wikibooks http://en.wikibooks.org/wiki/Changing_Your_MAC_Address/Mac_OS_X
IPv4 (figure): Ethernet frame containing IP datagram: ENet hdr | IP hdr | data | ENet tlr
IP hdr fields:
  4-bit version, 4-bit hdr len, 8-bit type of service, 16-bit total length (in bytes)
  16-bit identification, 3-bit flags, 13-bit fragmentation offset
  8-bit time to live (TTL), 8-bit protocol, 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (optional)
Address resolution protocol
IP routing: Figure out where to send an IP packet based on destination address.
Link layer and IP must cooperate to route packets
ARP enables this cooperation by mapping IPs to MACs: 32-bit IP address ↔ 48-bit MAC address
Address resolution protocol (figure): ARP packet inside an Ethernet frame, frame type = 0x0806 (ARP)
  enet dest (6) | enet src (6) | type (2) | hw type (2) | prot type (2) | hw size (1) | prot size (1) | op (2)
  enet sender (6) | ip sender (4) | enet target (6) | ip target (4) | pad (18) | CRC (4)
hw type, prot(ocol) type specify what types of addresses we're looking up
op specifies whether this is an ARP request, ARP reply
enet dest is 0xFFFFFFFFFFFF for broadcast
ARP caches
• Hosts maintain cache of ARP data – just a table mapping between IPs and MACs
ARP has no authentication
• Easy to sniff packets on (non-switched) ethernet
• What else can we do?
Easy Denial of Service (DoS): Send ARP reply associating gateway 192.168.1.1 with a non-used MAC address
(figure: 192.168.1.1 is MAC1, 192.168.1.2 is MAC2, 192.168.1.3 is MAC3)
Active Man-in-the-Middle:
  ARP reply to MAC2: 192.168.1.1 -> MAC3
  ARP reply to MAC1: 192.168.1.2 -> MAC3
Now traffic "routed" through malicious box
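As an added example (not part of the lecture), a parser for the ARP packet layout above and a passive arpwatch-style check that flags the rebinding of 192.168.1.1 and 192.168.1.2 shown on the slide; since ARP carries no authentication, watching for an IP that changes MAC is the usual detection. The frames are constructed in memory and the MAC addresses are placeholders; ArpWatch, parse_arp and build_arp are this example's own names.

```python
import struct

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(body: bytes) -> dict:
    """Parse the 28-byte ARP body in the slide's field order: hw type (2), prot type (2),
    hw size (1), prot size (1), op (2), enet sender (6), ip sender (4), enet target (6), ip target (4)."""
    hwtype, prottype, hwsize, protsize, op = struct.unpack("!HHBBH", body[:8])
    if (hwtype, prottype, hwsize, protsize) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    s_mac, s_ip, t_mac, t_ip = struct.unpack("!6s4s6s4s", body[8:28])
    return {"op": op, "sender_mac": s_mac.hex(":"), "sender_ip": ".".join(map(str, s_ip)),
            "target_mac": t_mac.hex(":"), "target_ip": ".".join(map(str, t_ip))}

def build_arp(op: int, s_mac: str, s_ip: str, t_mac: str, t_ip: str) -> bytes:
    # Inverse of parse_arp; only used to construct the sample frames in run_sample().
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(s_mac) + ip(s_ip) + mac(t_mac) + ip(t_ip)

class ArpWatch:
    """Passive monitor (arpwatch-style): remember the first MAC that answered for each IP and
    alert when a later reply claims a different MAC for it, the signature of cache poisoning."""
    def __init__(self):
        self.table = {}
    def observe(self, ethertype: int, body: bytes):
        """Return an alert string for a suspicious reply, else None."""
        if ethertype != ETHERTYPE_ARP:
            return None
        p = parse_arp(body)
        if p["op"] != ARP_REPLY:
            return None
        known = self.table.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            return f"{p['sender_ip']} was {known}, now claimed by {p['sender_mac']}"

def run_sample() -> list:
    """Constructed traffic matching the slide: gateway 192.168.1.1 is MAC1 and host 192.168.1.2
    is MAC2; the third host (MAC3) then sends replies rebinding both addresses to itself."""
    mac1, mac2, mac3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    frames = [
        (ETHERTYPE_ARP, build_arp(ARP_REPLY, mac1, "192.168.1.1", mac2, "192.168.1.2")),
        (ETHERTYPE_ARP, build_arp(ARP_REPLY, mac2, "192.168.1.2", mac1, "192.168.1.1")),
        (0x0800, b"an IPv4 frame, not ARP, so ignored"),
        (ETHERTYPE_ARP, build_arp(ARP_REPLY, mac3, "192.168.1.1", mac2, "192.168.1.2")),
        (ETHERTYPE_ARP, build_arp(ARP_REPLY, mac3, "192.168.1.2", mac1, "192.168.1.1")),
    ]
    watch = ArpWatch()
    return [a for a in (watch.observe(t, b) for t, b in frames) if a]
```

A real deployment would feed observe() from a capture on the LAN and pin the gateway's MAC statically rather than trusting the first reply seen.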
802.11 (wifi)
(figure) http://technet.microsoft.com/en-us/library/cc757419(WS.10).aspx
STA = station, BSS = basic service set, DS = distribution service, ESS = extended service set
SSID (service set identifier) identifies the 802.11 network
802.11 association (figure): the AP advertises SSID "linksys", BSSID MAC1
  station → AP: Probe request
  AP → station: SSID "linksys", BSSID MAC1
  Auth request (MAC1) / Auth response
  Associate request (MAC1) / Associate response
802.11 evil twins
Basic idea: attacker pretends to be an AP to intercept traffic or collect data
(figure) Two APs for same network: the real AP (SSID "linksys", BSSID MAC1) and the evil twin (SSID "linksys", BSSID MAC2); the station's probe request is answered by both, it chooses one of MAC1, MAC2 and sends its auth request (here to MAC2) ...
Basic attack: rogue AP
Recap
Password based key derivation protocol (PBKDF) / Dictionary attacks / bcrypt, scrypt
Network Security / Ethernet sniffing / ARP cache poisoning, MitM, DoS / WiFi Evil Twins
Exit slips / 1 thing you learned / 1 thing you didn't understand