Network and Communication Security: HTTPS, IPSec, DNS-Sec
Section 8.4
COS 461: Computer Networks, Spring 2011
Mike Freedman
http://www.cs.princeton.edu/courses/archive/spring11/cos461/

Recall basic security properties
• Confidentiality: Concealment of information or resources
• Authenticity: Identification and assurance of origin of info
• Integrity: Trustworthiness of data or resources in terms of preventing improper and unauthorized changes
• Availability: Ability to use desired info or resource
• Non-repudiation: Offer of evidence that a party indeed is sender or a receiver of certain information
• Access control: Facilities to determine and enforce who is allowed access to what resources (host, software, network, …)

Use of encryption and MAC/signatures
Confidentiality (Encryption)
Sender:
• Compute C = Enc_K(M)
• Send C
Receiver:
• Recover M = Dec_K(C)
Auth/Integrity (MAC/Signature)
Sender:
• Compute s = Sig_K(Hash(M))
• Send <M, s>
Receiver:
• Compute s' = Ver_K(Hash(M))
• Check s' == s
These are simplified forms of the actual algorithms

"Securing" HTTP
• Threat model
  – Eavesdropper listening on conversation (confidentiality)
  – Man-in-the-middle modifying content (integrity)
  – Adversary impersonating desired website (authentication, and confidentiality)
• Enter HTTP-S
  – HTTP sits on top of secure channel (SSL/TLS)
  – All (HTTP) bytes written to secure channel are encrypted and authenticated
  – Problem: What is actually authenticated to prevent impersonation? Which keys used for crypto protocols?

Learning a valid public key
• What is that lock?
  – Securely binds domain name to public key (PK)
    • Believable only if you trust the attesting body
    • Bootstrapping problem: Who to trust, and how to tell if this message is actually from them?
  – If PK is authenticated, then any message signed by that PK cannot be forged by non-authorized party

Transport Layer Security (TLS) (Replaces SSL)
• Send new random value, list of supported ciphers
• Send pre-secret, encrypted under PK
• Create shared secret key from pre-secret and random
• Switch to new symmetric-key cipher using shared key
• Send new random value, digital certificate with PK
• Create shared secret key from pre-secret and random
• Switch to new symmetric-key cipher using shared key
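
The key-creation step in the list above, as an added example that is not part of the original slides: both sides derive the same per-direction keys from the pre-secret and the two random values. It assumes the TLS 1.2 PRF from RFC 5246 and AES-128-CBC with HMAC-SHA256 key sizes, which the slide does not specify; `derive_keys` and `handshake_demo` are illustrative names, and the public-key transport of the pre-secret is taken as already done.

```python
import hashlib
import hmac
import os

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(pre_secret, client_random, server_random):
    """Turn the pre-secret and both randoms into per-direction MAC and cipher keys."""
    master = p_sha256(pre_secret,
                      b"master secret" + client_random + server_random, 48)
    # Key expansion puts the server random first (RFC 5246 section 6.3).
    block = p_sha256(master,
                     b"key expansion" + server_random + client_random, 96)
    return {
        "client_mac": block[0:32], "server_mac": block[32:64],
        "client_enc": block[64:80], "server_enc": block[80:96],
    }

def handshake_demo():
    """Constructed handshake values; returns (keys_agree, replay_gets_new_keys)."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_secret = os.urandom(48)          # sent to the server encrypted under its PK
    client_keys = derive_keys(pre_secret, client_random, server_random)
    server_keys = derive_keys(pre_secret, client_random, server_random)
    # A recorded client flight replayed later meets a fresh server random,
    # so the old session keys are never reproduced.
    replayed = derive_keys(pre_secret, client_random, os.urandom(32))
    return client_keys == server_keys, replayed != client_keys

if __name__ == "__main__":
    print(handshake_demo())
```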

Comments on HTTPS
• Note that HTTPS authenticates server, not content
  – If CDN (Akamai) serves content over HTTPS for its customers, customer must trust Akamai not to change content
• Switch to symmetric-key crypto after public-key ops
  – Symmetric-key crypto much faster (100-1000x)
  – PK crypto can encrypt message only approx. as large as key (1024 bits – this is a simplification) – afterwards uses hybrid
• HTTPS on top of TCP, so reliable byte stream
  – Can leverage fact that transmission is reliable to ensure: each data segment received exactly once
  – Adversary can't successfully drop or replay packets

IP Security
• There are a range of app-specific security mechanisms
  – e.g. TLS/HTTPS, S/MIME, PGP, Kerberos
• But security concerns that cut across protocol layers
• Implement by the network for all applications?
Enter IPSec!

IPSec
• General IP Security mechanism framework
• Allows one to provide
  – Access control, integrity, authentication, originality, and confidentiality
• Applicable to different settings
  – Narrow streams: Specific TCP connections
  – Wide streams: All packets between two gateways

Benefits of IPSec
• If in a firewall/router:
  – Strong security to all traffic crossing perimeter
  – Resistant to bypass
• Below transport layer: transparent to applications
• Can be transparent to end users
• Can provide security for individual users
• Helps secure routing architecture

IP Security Architecture
• Specification quite complex (incl. RFC 2401, 2402, 2406, 2408)
  – Mandatory in IPv6, optional in IPv4
• Two security header extensions:
  – Authentication Header (AH)
    • Connectionless integrity, origin authentication
      – MAC over most header fields and packet body
    • Anti-replay protection
  – Encapsulating Security Payload (ESP)
    • These properties, plus confidentiality

Encapsulating Security Payload (ESP)
• Transport mode: Data encrypted, but not header
  – After all, network headers needed for routing!
  – Can do traffic analysis but is efficient
  – Good for host-to-host traffic
• Tunnel mode: Encrypts entire IP packet
  – Add new header for next hop
  – Good for VPNs, gateway-to-gateway security

Why is replay protection hard?
• Replay protection goal: Eavesdropper can't capture encrypted packet and duplicate later
  – Easy with TLS/HTTP on TCP: Reliable byte stream
  – But IPSec at packet layer; transport may not be reliable
• IPSec solution: Sliding window on sequence #'s
  – All IPSec packets have a 64-bit monotonic sequence number
  – Receiver keeps track of which seqno's seen before
    • [latest – windowsize + 1, latest]; windowsize typically 64 packets
  – Accept packet if
    • seqno > latest (and update latest)
    • Within window but has not been seen before
  – If reliable, could just remember last, and accept iff last+1
    • But IP packets can be reordered. Reordering could be particularly bad if QoS and low-priority. Hence, some windows are 1024 packets.
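
The accept rule above as receiver-side code, added here as an example that is not part of the original slides. The class and function names are illustrative, the arrival order is constructed, and the window is kept as a bitmap relative to `latest`.

```python
class AntiReplayWindow:
    """Receiver state for the window [latest - size + 1, latest]."""

    def __init__(self, size=64):
        self.size = size
        self.latest = 0   # highest sequence number accepted so far
        self.seen = 0     # bitmap: bit i set means (latest - i) was received

    def accept(self, seqno):
        """Return True and record seqno if it is fresh, False if it must be dropped.

        Assumes the packet's MAC has already verified; otherwise a forged
        packet with a large seqno could push the window past real traffic.
        """
        if seqno < 1:
            return False
        if seqno > self.latest:                       # right of the window: slide
            shift = seqno - self.latest
            if shift >= self.size:
                self.seen = 1                         # everything older fell out
            else:
                mask = (1 << self.size) - 1
                self.seen = ((self.seen << shift) | 1) & mask
            self.latest = seqno
            return True
        offset = self.latest - seqno
        if offset >= self.size:                       # left of the window: too old
            return False
        if self.seen & (1 << offset):                 # inside the window, duplicate
            return False
        self.seen |= 1 << offset                      # inside the window, first copy
        return True

def filter_arrivals(seqnos, size=64):
    """Run an arrival order through one window; return the per-packet verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqnos]

# Constructed arrival order: reordering (3 and 4 after 5), a replay of 5,
# a jump to 70, then 6, which is now left of the window, and a replay of 70.
ARRIVALS = [1, 2, 5, 3, 5, 4, 70, 6, 7, 70]

if __name__ == "__main__":
    for s, ok in zip(ARRIVALS, filter_arrivals(ARRIVALS)):
        print(s, "accept" if ok else "drop")
```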

Hierarchical naming in DNS
[Figure: DNS name tree under an unnamed root, with generic domains, country domains and arpa (top-level labels shown: com, edu, org, ac, uk, zw, arpa). Example paths: my.east.bar.edu, usr.cam.ac.uk, and 12.34.56.0/24 under in-addr.]

DNS Root Servers
• 13 root servers (see http://www.root-servers.org/)
• Labeled A through M
  A Verisign, Dulles, VA
  B USC-ISI, Marina del Rey, CA
  C Cogent, Herndon, VA (also Los Angeles)
  D U Maryland, College Park, MD
  E NASA, Mt View, CA
  F Internet Software C., Palo Alto, CA (and 17 other locations)
  G US DoD, Vienna, VA
  H ARL, Aberdeen, MD
  I Autonomica, Stockholm (plus 3 other locations)
  J Verisign (11 locations)
  K RIPE, London (+ Amsterdam, Frankfurt)
  L ICANN, Los Angeles, CA
  M WIDE, Tokyo

DoS attacks on DNS Availability
• Feb. 6, 2007
  – Botnet attack on the 13 Internet DNS root servers
  – Lasted 2.5 hours
  – None crashed, but two performed badly:
    • g-root (DoD), l-root (ICANN)
    • Most other root servers use anycast

DoS attacks on end-host using DNS
• 580,000 open resolvers on Internet (Kaminsky-Shiffman '06)
[Figure: the DoS Source sends a DNS query (60 bytes) with SrcIP set to the DoS Target to a DNS server; the server sends an EDNS response (3000 bytes) to the DoS Target. ×40 amplification.]

Preventing amplification attacks
[Figure: attacker sends IP-spoofed packets to an open amplifier, whose responses go to the victim]
• Prevent IP spoofing
• Disable open amplifiers

DNS Integrity: Do you trust the TLD operators?
• If domain name doesn't exist, DNS should return NXDOMAIN (non-existent domain) msg
• Verisign instead creates wildcard DNS record for all .com and .net domain names not yet registered
  – September 15 – October 4, 2003
• Redirection for these domain names to Verisign web portal: "to help you search"
  – and serve you ads… and get "sponsored" search
  – Verisign and online advertising companies make money…

DNS Integrity: Was answer from authoritative server?
• DNS cache poisoning
  – Client asks for www.evil.com
  – Nameserver authoritative for www.evil.com returns additional section for (www.cnn.com, 1.2.3.4, A)
  – Thanks! I won't bother to check what I asked for
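
A resolver-side defense against the additional-section trick above is a bailiwick check: cache a record only if its owner name lies inside the zone the answering server was asked about. This is an added example, not part of the original slides; the function names and the response layout are illustrative, and every record except the slide's (www.cnn.com, 1.2.3.4, A) is constructed.

```python
def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def cacheable_records(queried_zone, response):
    """Return (kept, dropped); a record is kept only if the server that was
    asked is authoritative for its owner name."""
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for record in response.get(section, []):
            owner = record[0]
            (kept if in_bailiwick(owner, queried_zone) else dropped).append(record)
    return kept, dropped

# Constructed response from the evil.com name server to a query for
# www.evil.com (192.0.2.0/24 is documentation address space).
RESPONSE = {
    "answer": [("www.evil.com", "192.0.2.10", "A")],
    "additional": [
        ("www.cnn.com", "1.2.3.4", "A"),          # out of bailiwick: the poison record
        ("NS1.Evil.COM.", "192.0.2.53", "A"),     # in bailiwick despite case and dot
        ("www.notevil.com", "192.0.2.66", "A"),   # string suffix matches, zone does not
    ],
}

if __name__ == "__main__":
    kept, dropped = cacheable_records("evil.com", RESPONSE)
    print("cache:", kept)
    print("drop: ", dropped)
```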

• To prevent cache poisoning, client remembers domain and 16-bit request ID (used to demux UDP response)
• But…
• DNS hijacking
  – 16 bits: 65K possible IDs
    • What rate to enumerate all in 1 sec? 64 B/packet
    • 64*65536*8/1024/1024 = 32 Mbps
  – Prevention: Also randomize the DNS source port
    • Windows DNS alloc's 2500 DNS ports: ~164M possible IDs
    • Would require 80 Gbps
    • Kaminsky attack: this source port… wasn't random after all

DNS Integrity: Was answer from authoritative server?
Let's strongly believe the answer! Enter DNSSEC
• DNSSEC protects against data spoofing and corruption
• DNSSEC also provides mechanisms to authenticate servers and requests
• DNSSEC provides mechanisms to establish authenticity and integrity

PK-DNSSEC (Public Key)
• The DNS servers sign the hash of resource record set with their private (signature) keys
• Public keys can be used to verify the SIGs
• Leverages hierarchy:
  – Authenticity of nameserver's public keys is established by a signature over the keys by the parent's private key
  – In ideal case, only roots' public keys need to be distributed out-of-band

Verifying the tree
Question: www.cnn.com?
[Figure: the stub resolver sends "www.cnn.com A?" to the resolver. The resolver asks . (root) and is told "ask .com server" with SIG(ip addr and PK of .com server); asks .com and is told "ask cnn.com server" with SIG(ip addr and PK of cnn.com server); asks cnn.com and receives xxx.xxx.xxx.xxx, which it adds to its cache. Other labels: src.cs.princeton.edu, dns.cs.princeton.edu, transaction signatures, slave servers.]
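
The chain of trust from the PK-DNSSEC and "Verifying the tree" slides (each parent signs the child server's address and public key; only the root key is known out-of-band), as an added example that is not part of the original slides. Textbook RSA over known Mersenne primes stands in for a real signature scheme so the block needs only the standard library; all function names, keys and addresses are constructed.

```python
import hashlib

E = 65537  # public exponent for every toy key

def make_key(p, q):
    """Textbook RSA from two known primes: returns (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def referral(zone, ip, child_n):
    """Bytes the parent signs: the child server's name, IP address and public key."""
    return f"{zone}|{ip}|{child_n}".encode()

def validate(anchor_n, referrals, rrset, rrsig):
    """Walk down from the trust anchor; accept the record set only if every link verifies."""
    key = anchor_n
    for zone, ip, child_n, sig in referrals:
        if not verify(referral(zone, ip, child_n), sig, key):
            return False
        key = child_n            # child key is trusted only after the parent vouched for it
    return verify(rrset, rrsig, key)

# Toy keys built from Mersenne primes; far too weak and unpadded for real use.
ROOT_N, ROOT_D = make_key(2**61 - 1, 2**89 - 1)
COM_N, COM_D = make_key(2**107 - 1, 2**127 - 1)
CNN_N, CNN_D = make_key(2**521 - 1, 2**607 - 1)

def build_chain():
    """Constructed signed answers for www.cnn.com (addresses are documentation space)."""
    refs = [
        ("com", "192.0.2.1", COM_N, sign(referral("com", "192.0.2.1", COM_N), ROOT_N, ROOT_D)),
        ("cnn.com", "192.0.2.2", CNN_N, sign(referral("cnn.com", "192.0.2.2", CNN_N), COM_N, COM_D)),
    ]
    rrset = b"www.cnn.com A 192.0.2.80"
    return refs, rrset, sign(rrset, CNN_N, CNN_D)
```

Calling `validate(ROOT_N, *build_chain())` returns True; changing the record set, or swapping in a child key the parent never signed, makes it return False.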