Introduction to Computer Security

N/A
N/A
Protected

Academic year: 2021

Network Security

Pavel Laskov


Circuit switching vs. packet switching

[Figure: packets from hosts A and B interleaved on a shared link, as opposed to a dedicated circuit]


TCP connection synchronization

Initial handshake

Host A: send SYN, seq=x
Host B: receive SYN; send SYN seq=y, ACK x+1
Host A: receive SYN + ACK; send ACK y+1
Host B: receive ACK ... data transmission

Termination

Host A: send FIN, seq=x
Host B: receive FIN; send ACK x+1
Host A: receive ACK
Host B: send FIN seq=y, ACK x+1
Host A: receive FIN + ACK; send ACK y+1


What can go wrong: TCP session hijacking

Segments exchanged after the handshake (bytes of data in parentheses):

A -> B: Seq x, PSH/ACK y (60)
B -> A: Seq y, PSH/ACK x+60 (20)
A -> B: Seq x+60, PSH/ACK y+20 (30)
B -> A: Seq y+20, PSH/ACK x+90 (20)
A -> B: Seq x+90, PSH/ACK y+40 (30)
B -> A: Seq y+40, PSH/ACK x+120 (20)

Senders shown in the figure: A, B, and C(A), i.e. host C sending in A's name.
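To make the sequence-number arithmetic on this slide concrete, here is an added Python model (not part of the lecture) that replays the six segments from constructed starting values x and y and shows the symptom a defender can observe when a third party C(A) injects a segment in A's name: the real A's next segment arrives with a sequence number B has already consumed.

```python
"""Sequence-number bookkeeping for the exchange on the hijacking slide.
Added illustration; x=1000 and y=5000 are constructed stand-ins for x and y."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    snd_nxt: int  # next sequence number this host will send
    rcv_nxt: int  # next sequence number this host expects from its peer

def classify(receiver: Endpoint, seq: int, length: int) -> str:
    """Receiver-side check: only a segment starting exactly at rcv_nxt is
    consumed. Anything else is what a network sensor sees during a desync."""
    if seq < receiver.rcv_nxt:
        return "stale"  # duplicate, or the real peer has fallen behind
    if seq > receiver.rcv_nxt:
        return "gap"    # bytes in front of this segment are missing
    receiver.rcv_nxt += length
    return "accepted"

def send(sender: Endpoint, receiver: Endpoint, length: int):
    """Genuine segment: uses and advances the sender's own counters."""
    seq, ack = sender.snd_nxt, sender.rcv_nxt
    status = classify(receiver, seq, length)
    sender.snd_nxt += length
    return seq, ack, status

def replay(x: int, y: int):
    """Replays the slide's six PSH/ACK segments (60, 20, 30, 20, 30, 20 bytes)
    and returns the (seq, ack) trace plus both endpoints' final state."""
    a, b = Endpoint("A", x, y), Endpoint("B", y, x)
    trace = []
    for sender, receiver, n in [(a, b, 60), (b, a, 20), (a, b, 30),
                                (b, a, 20), (a, b, 30), (b, a, 20)]:
        seq, ack, _ = send(sender, receiver, n)
        trace.append((seq, ack))
    return trace, a, b

def desync_symptom(x: int, y: int):
    """C(A) forges one 10-byte segment in A's name using the current counters.
    B accepts it, so A's next genuine segment looks stale to B: that burst of
    stale/duplicate traffic is the symptom a monitor can alert on."""
    _, a, b = replay(x, y)
    forged = classify(b, seq=a.snd_nxt, length=10)  # A's own state unchanged
    _, _, genuine = send(a, b, 30)
    return forged, genuine
```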


Example: SYN flood


Placement of security instruments


IP layer security: IPsec

Objectives:

secure connectivity of branch offices

secure remote access

Advantages:

bypass resistance

transparency to end users and applications

Disadvantages:

infrastructure support needed

performance degradation


IPsec application example

[Figure 6.1 An IP Security Scenario: a user system with IPsec and networking devices with IPsec exchange packets across a public (Internet) or private network; packets on the protected path carry an IP header, an IPsec header and a secure IP payload, while unprotected segments carry a plain IP header and payload.]


IPsec services and protocols

Services / Protocols          AH    ESP   ESP + auth.
Access control                X     X     X
Connectionless integrity      X           X
Data origin authentication    X           X
Replay protection             X     X     X
Confidentiality                     X     X


IPsec modes

Transport mode

Protection of packet payload

Used for end-to-end communication

Small performance overhead

Tunnel mode

Protection of entire packet (payload and headers)

Communication between gateways

Invisible to intermediate routers

Considerable performance overhead


AH service

Figure 6.6 Scope of AH Authentication

(a) Before applying AH
IPv4: orig IP hdr | TCP | Data
IPv6: orig IP hdr | extension headers (if present) | TCP | Data

(b) Transport mode
IPv4: orig IP hdr | AH | TCP | Data
IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data
Authenticated except for mutable fields.

(c) Tunnel mode
IPv4: new IP hdr | AH | orig IP hdr | TCP | Data
IPv6: new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data
Authenticated except for mutable fields in the new IP header and its extension headers.
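As an added example (not lecture code) of what "authenticated except for mutable fields" means in practice, the following Python builds an IPv4 transport-mode packet with an AH-style HMAC-SHA-256-128 ICV, zeroing the mutable fields as RFC 4302 prescribes; the key, addresses and payload are constructed. A TTL decrement by a router still verifies, while a rewritten source address (as a NAT would produce) or a changed payload does not.

```python
"""AH-style integrity check over an IPv4 transport-mode packet, following the
RFC 4302 rule of zeroing mutable header fields before the HMAC. Added example,
not lecture code; the key, addresses and payload are constructed values."""
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte header without options
AH_LEN = 28                    # 12 fixed bytes + 16-byte ICV (HMAC-SHA-256-128)
KEY = b"constructed-demo-key"  # a real SA key comes from IKE, not a literal

def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int) -> bytes:
    # version/IHL, ToS, length, id, flags/frag (DF), TTL, proto 51 = AH, csum, src, dst
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, 51, 0, src, dst)

def zero_mutable(ip_hdr: bytes) -> bytes:
    """ToS, flags/fragment offset, TTL and checksum may change in flight and are
    zeroed for the ICV; version, length, id, protocol and addresses are covered."""
    ver_ihl, _tos, tlen, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, ip_hdr)
    return struct.pack(IPV4_FMT, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The AH ICV field itself is treated as zero while the ICV is computed
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(16) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def build_packet(src: bytes, dst: bytes, payload: bytes, spi: int = 0x1001,
                 seq: int = 1, ttl: int = 64) -> bytes:
    ip = ipv4_header(src, dst, 20 + AH_LEN + len(payload), ttl)
    # AH fixed part: next header 6 (TCP), payload len (AH_LEN/4 - 2 = 5), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 6, 5, 0, spi, seq)
    return ip + ah_fixed + icv(ip, ah_fixed, payload) + payload

def verify(pkt: bytes) -> bool:
    """Receiver check: recompute the ICV over the packet as it arrived."""
    ip, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    return hmac.compare_digest(icv(ip, ah[:12], payload), ah[12:])

def router_hop(pkt: bytes) -> bytes:
    """What an honest router does: decrement TTL (checksum update omitted)."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def rewrite_source(pkt: bytes, new_src: bytes) -> bytes:
    """An in-path change to an immutable field, e.g. by a NAT: breaks AH."""
    return pkt[:12] + new_src + pkt[16:]
```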


ESP service

Figure 6.9 Scope of ESP Encryption and Authentication

(a) Transport mode
IPv4: orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
Encrypted: from TCP (IPv6: from the dest options header) through the ESP trailer. Authenticated: from the ESP header through the ESP trailer.

(b) Tunnel mode
IPv4: new IP hdr | ESP hdr | orig IP hdr | TCP | Data | ESP trlr | ESP auth
IPv6: new IP hdr | ext headers | ESP hdr | orig IP hdr | ext headers | TCP | Data | ESP trlr | ESP auth
Encrypted: from the original IP header through the ESP trailer. Authenticated: from the ESP header through the ESP trailer.


Transport layer security: SSL/TLS

Objectives:

secure information transmission in Internet applications

mutual authentication in Internet applications

Advantages:

secure end-to-end communication over TCP (not limited to HTTP)

Disadvantages:

PKI support needed


SSL architecture

An SSL connection corresponds to a TCP connection.

SSL sessions represent an association between a client and a server. Sessions define parameters that can be shared between connections.


SSL Record Protocol

Carries out information transfer


SSL handshake protocol

Client -> Server: random number, crypto info
Server -> Client: random number, crypto info, server certificate, request client auth.
Client: extract server public key
Client -> Server: client certificate, random pre-master secret, hash over previous messages
Server: extract client public key
Client and server: calculate master secret; switch to master secret; end handshake
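The "calculate master secret" step, as an added example (not lecture code) of how TLS 1.2 (RFC 5246, section 5) derives it from the pre-master secret and the two exchanged random numbers; it goes one step beyond the slide by also expanding the master secret into the record-protocol keys that "switch to master secret" puts into use. All input values are constructed.

```python
"""TLS 1.2 PRF: master secret and key block from the handshake inputs.
Added example, not lecture code; randoms and pre-master secret are constructed."""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1)); output is the
    concatenation of HMAC(secret, A(i) + seed) until `length` bytes exist."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; the client random comes first in the seed."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key expansion for the record protocol; here the server random comes first."""
    return prf(master, b"key expansion", server_random + client_random, length)


def handshake_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each side holds after 'switch to master secret': two MAC keys and
    two encryption keys split from the key block (sizes for HMAC-SHA256/AES-128).
    Both sides compute this from the same inputs, so the results must agree."""
    master = master_secret(pre_master, client_random, server_random)
    kb = key_block(master, client_random, server_random, 2 * 32 + 2 * 16)
    return {"master": master, "client_mac": kb[0:32], "server_mac": kb[32:64],
            "client_key": kb[64:80], "server_key": kb[80:96]}
```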


Application layer security: SSH

Applications

secure remote login

secure services (e.g. FTP, copy) over an insecure network

secure port forwarding

Advantages

various authentication methods

a neat way to circumvent firewalls

Disadvantages

point-to-point only


SSH functionality

Remote Login

Username / password

Public key

Remote command execution

Remote copying (rcp)

Secure ftp service (sftp)

Remote synchronization (rsync)

Port forwarding and tunneling

Secure file system mounting (sshfs)


SSH port forwarding

Syntax:

Local forwarding:

ssh -L 1521:localhost:23 username@host

Remote forwarding:

ssh -R 1521:localhost:23 username@host


SSH port forwarding: examples

IMAP requests to an internal IMAP server:

ssh -L 8143:exchange.first.fraunhofer.de:993 [email protected]

Sending mail over an internal server:

ssh -L 8025:smtpserv.uni-tuebingen.de:25 [email protected]

Browsing with an external IP address:

ssh -L 8081:proxy0.first.fraunhofer.de:3128 -L 8080:proxy0.first.fraunhofer.de:3128


Summary

Network security technologies can be deployed at all layers of network protocols.

IP layer security provides a transparent security service; it needs, however, infrastructure support.

Transport layer security provides reliable end-to-end security services.

Application layer security mechanisms can be tailored to specific application needs.
