Networking Overview 1 Networking Overview

Upload: isaias-towne

Post on 16-Dec-2015


Page 1: Networking Overview 1 Networking Overview Networking Overview 2 TCP/IP  TCP/IP == Transmission Control Protocol/Internet Protocol  Almost ubiquitous

Networking Overview 1

Networking Overview

Networking Overview 2

TCP/IP
- TCP/IP == Transmission Control Protocol/Internet Protocol
- Almost ubiquitous protocol for communication over network
- Many other networking protocols
  o ATM, X.25, SS7, Sonet, …
  o But TCP/IP has taken over the world

Networking Overview 3

TCP/IP
- Here, a brief overview of TCP/IP
- For more info, see, for example,
  o Computer Networks, Tanenbaum
  o Computer Networks and Internets, Comer
  o Computer Networking: A Top Down Approach Featuring the Internet, Kurose and Ross
  o TCP/IP Protocol Suite, Forouzan

Networking Overview 4

Why TCP/IP?
- Almost everywhere
- Author developed payphone billing protocol in 1992
  o Used X.25, later ported to SS7
  o Today would almost certainly use TCP/IP
- TCP/IP makes the world “extremely hackable”

Networking Overview 5

OSI Reference Model
- In 1980, ISO developed OSI
  o Computer communication over network
- Protocol layering
  o Breaks problem into small parts
  o Layer provides service to next higher
- Modular
  o Makes it easy, for example, to replace Ethernet with wireless

Networking Overview 6

OSI Reference Model
- Layer 7 --- Application Layer
  o Links application to the communication channel
- Layer 6 --- Presentation Layer
  o How to represent bits for transmission
- Layer 5 --- Session Layer
  o Coordinate (multiple) sessions
- Layer 4 --- Transport Layer
  o Logical channel between systems

Networking Overview 7

OSI Reference Model
- Layer 3 --- Network Layer
  o Move data from host-to-host, across network core (interconnected mesh of routers)
- Layer 2 --- Data Link Layer (or Link Layer)
  o Move data across one “hop”
- Layer 1 --- Physical Layer
  o Transmit bits across a physical link (fiber optic, copper cable, wireless, etc.)
- Note: Layers 7, 6, 5 often treated as one

Networking Overview 8

TCP/IP, Our Hero
- Layers from TCP/IP’s perspective…
- Application Layer --- Program trying to communicate using TCP/IP
  o E.g., email servers, SSH client and server, etc.
- Transport Layer --- Includes TCP and UDP
  o TCP provides reliable delivery
  o UDP is “bare bones” transport layer protocol

Networking Overview 9

TCP/IP, Our Hero
- Network Layer --- Based on IP
  o Deliver packets from end-to-end
  o To be cool, you must say “layer 3”
- Data Link Layer --- One hop
  o “Layer 2”
- Physical Layer --- The physical media

Networking Overview 10

TCP/IP Protocol Stack
- TCP/IP synonymous with transport layer and network layer (combined)
- For example…

Networking Overview 11

Layering (Again)
- Each layer adds some info
  o Usually added to beginning, so called a header

Networking Overview 12

Terminology
- Application layer --- packet
- Transport layer --- TCP segment (for example)
- Network layer --- IP datagram
- Data link/physical layer(s) --- frame
- We may use “packet” for all of these

Networking Overview 13

TCP/IP
- Protocols: TCP, UDP, IP, ICMP
  o Defined in RFCs 791 thru 793
- Developed for academic research
  o No thought of security
  o No confidentiality, integrity, authentication, …

Networking Overview 14

TCP/IP and Security
- Originally, no security in TCP/IP
  o Any security provided by applications
- But TCP/IP retrofit for security
  o IPSec --- security at the “IP layer”
  o “Built in” security for applications
  o IPSec is a bloated and complex protocol

Networking Overview 15

TCP
- TCP provides reliable delivery
- Most familiar apps use TCP
  o Web browsing (HTTP)
  o Secure shell (SSH)
  o File transfer (FTP)
  o Email (SMTP, POP, IMAP)
  o Etc., etc., etc.
- For most apps, TCP saves a lot of work

Networking Overview 16

TCP Header
- Every TCP packet includes header

Networking Overview 17

TCP Port Numbers
- Source port, destination port
  o 16-bit numbers
  o Tells which “door” to send data to
  o Source == outgoing “door”, etc.
- Server application “listens” on a port
  o Listening ports are open
  o Non-listening ports are closed

Networking Overview 18

TCP Port Numbers
- Examples of well-known ports
  o TCP port 21 --- FTP
  o TCP port 22 --- SSH
  o TCP port 23 --- telnet
  o TCP port 25 --- SMTP
  o TCP port 80 --- HTTP
  o TCP port 6000 --- The X Window System (X11)
- Note these ports are used by convention
  o Could use 8080 for HTTP and not get arrested
  o But both client and server must know this

Networking Overview 19

Ports Example
- Note that attackers want to know which ports (“doors”) are open

Networking Overview 20

Ports
- To see which ports are in use
  o Locally, use netstat -na

Networking Overview 21

TCP Control Bits
- Control bits or flags
- For “3-way handshake”, and other special things

Networking Overview 22

TCP Control Bits
- Originally, 6 control bits
  o URG --- urgent data, give it priority (or not…)
  o ACK --- acknowledge earlier data
  o PSH --- push data thru now
  o RST --- reset the connection, due to error or an interruption (abnormal termination)
  o SYN --- synchronize sequence numbers
  o FIN --- no more data, so tear down connection

Networking Overview 23

TCP Control Bits
- Two additional control bits
  o CWR --- congestion window reduced; due to network congestion, reduced window size
  o ECE --- explicit congestion notification echo; connection is experiencing congestion
- For congestion control issues

Networking Overview 24

TCP 3-Way Handshake
- Used to establish TCP connection
- Note sequence numbers: ISNA and ISNB
  o ACK and SYN flag bits used here

Networking Overview 25

TCP 3-Way Handshake
- Establishes “connection”
- Sequence numbers enable TCP to
  o Make sure all packets arrive
  o Make sure all packets delivered in order
- FIN bit used when session torn down
- RST used to end in “error” cases

Networking Overview 26

Other Fields in TCP Header
- Data offset --- where the data begins
- Reserved --- reserved for future use (or for clever attackers…)
- Window --- controls number of outstanding packets; prevents one side from sending too fast (flow control)
- Checksum --- error detection (uses CRC)

Networking Overview 27

Other Fields in TCP Header
- Urgent pointer --- if URG flag set, tells where the urgent data is located
- Options --- additional info (e.g., the max size of packet); variable size
- Padding --- used to make things line up on 32-bit boundaries
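The TCP header fields covered on slides 16 through 27 (ports, sequence/acknowledgement numbers, data offset, reserved bits, the eight control bits including CWR and ECE, window, checksum, urgent pointer, options and padding) can be seen in one place by building and decoding a header byte by byte. The following is an added example written for this page, not code from the slides; the header bytes are constructed with `struct` rather than captured, and the function names `build_tcp_header`, `parse_tcp_header` and `flag_value` are chosen here.

```python
import struct

# The eight control bits, lowest bit first: FIN is bit 0, CWR is bit 7.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Option kind 2 (Maximum Segment Size), length 4, value 1460: the "max size of packet"
# option mentioned on the slide. Constructed for this example.
MSS_OPTION = struct.pack("!BBH", 2, 4, 1460)


def flag_value(*names):
    """Turn flag names into the 8-bit control field, e.g. flag_value('SYN', 'ACK') == 0x12."""
    return sum(1 << TCP_FLAG_NAMES.index(n) for n in names)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, urgent=0, options=b""):
    """Build a TCP header (constructed test data, not a captured packet).

    Options are padded with zero bytes to a 32-bit boundary, and the data offset
    field (header length in 32-bit words) reflects the padded length.  The
    checksum is left as 0 because it covers a pseudo-header and payload that
    this header-only example does not carry.
    """
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    # 16-bit word: 4 bits data offset, 4 reserved bits (zero), 8 flag bits
    offset_flags = (data_offset << 12) | (flags & 0xFF)
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        offset_flags, window, 0, urgent)
    return fixed + padded


def parse_tcp_header(data):
    """Decode the fixed 20-byte header plus options; refuse inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, offset_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = offset_flags >> 12
    reserved = (offset_flags >> 8) & 0xF
    flag_bits = offset_flags & 0xFF
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(data):
        # A data offset that points outside the packet is malformed; a parser
        # that trusted it would read past the buffer.
        raise ValueError("data offset points outside the packet")
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "header_len": header_len,
        "reserved": reserved,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window,
        "checksum": checksum,
        # The urgent pointer is only meaningful when URG (bit 5) is set.
        "urgent_pointer": urgent if flag_bits & 0x20 else None,
        "options": data[20:header_len],
        "payload": data[header_len:],
    }


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, seq=1000, ack=0,
                           flags=flag_value("SYN"), options=MSS_OPTION)
    print(parse_tcp_header(syn + b"GET"))
```

The length check in `parse_tcp_header` is the one practitioners care about: the data offset is attacker-controlled input, so a decoder must bound it by both the 20-byte minimum and the bytes actually present before slicing options and payload.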

Networking Overview 28

UDP
- UDP == User Datagram Protocol
- Minimal “no frills” transport protocol
  o Does minimum possible
  o “Connectionless”
  o No flow control, no congestion control, packets can be out of order, not arrive, …
  o UDP == Unreliable Damn Protocol

Networking Overview 29

UDP
- Why use UDP?
- Low overhead
  o 8 byte header vs 20 bytes (or more) for TCP
- No congestion control/flow control
  o How can this be good?

Networking Overview 30

Where is UDP Used?
- Streaming audio/video
  o Some packet loss is OK
  o Example: Real Player, UDP port 7070
- Apps where low overhead is useful
  o Trivial FTP (TFTP), UDP port 69
  o Simple Network Management Protocol (SNMP), UDP port 161

Networking Overview 31

TCP vs UDP
- Which is more secure?
- With UDP, more work for firewalls
  o Hard to track “connections”
  o Example: Slammer worm fit into one 376-byte UDP packet; got thru firewalls
- But neither TCP nor UDP offer any “real” security (confidentiality, etc.)

Networking Overview 32

IP
- IP == Internet Protocol
  o Not “intellectual property”
- IP is the network layer protocol today
  o Mostly IPv4
  o IPv6 used a little bit --- offers more addresses and more security
  o Here, we focus on IPv4

Networking Overview 33

IP Header
- Note that source and destination addresses each 32 bits

Networking Overview 34

What is a Network?
- LAN == Local Area Network
- LANs are building blocks of networks
- LAN is bunch of computers connected together by hub, switch, wireless, …
  o No router between computers on a LAN
- Usually, small geographic area

Networking Overview 35

What is a Network?
- LANs are connected by routers
  o Routers move packets between LANs

Networking Overview 36

IP Addresses
- IP addresses are 32 bits
- Identify hosts (computers) on network
- Written in “dotted decimal” notation
  o Author calls it “dotted quad” notation

Networking Overview 37

IP Addresses
- Every IP packet has source and destination IP addresses
- Every IP address has 2 parts
  o One part identifies the network (LAN)
  o One part identifies the specific host
  o Makes routing more efficient
- But which part is which?

Networking Overview 38

Netmasks
- Leftmost bits are network part of address
- Netmask (subnet mask) often used
  o Uses “AND” operation
- Classless Inter-Domain Routing (CIDR) notation
  o 10.21.0.0/16
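The AND operation on slides 37 and 38 (network part versus host part, and the CIDR form 10.21.0.0/16) carried out on the bits, as an added example that is not part of the slides. The arithmetic is done by hand so the mask is visible; Python's standard `ipaddress` module is used only to cross-check the result. The function names and the sample hosts are chosen for this example.

```python
import struct
import ipaddress  # standard library; used only to cross-check the hand-rolled arithmetic


def ip_to_int(dotted):
    """'10.21.7.9' -> 32-bit integer, validating that there are four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    return struct.unpack("!I", bytes(int(p) for p in parts))[0]


def int_to_ip(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str(b) for b in struct.pack("!I", n))


def prefix_to_mask(prefix_len):
    """/16 -> 0xFFFF0000: the leftmost prefix_len bits set, the remaining host bits clear."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split_address(dotted, prefix_len):
    """Return (network part, host part) of an address: AND with the mask, AND with its complement."""
    addr = ip_to_int(dotted)
    mask = prefix_to_mask(prefix_len)
    return int_to_ip(addr & mask), int_to_ip(addr & ~mask & 0xFFFFFFFF)


def parse_cidr(cidr):
    """'10.21.0.0/16' -> (network as int, mask as int); host bits in the prefix are cleared."""
    net, _, plen = cidr.partition("/")
    mask = prefix_to_mask(int(plen))
    return ip_to_int(net) & mask, mask


def same_network(a, b, cidr):
    """True when a and b share the network part, i.e. they are on the same LAN and need no router."""
    _, mask = parse_cidr(cidr)
    return ip_to_int(a) & mask == ip_to_int(b) & mask


def in_network(host, cidr):
    """Does host belong to the CIDR block?  Result is cross-checked against ipaddress."""
    net, mask = parse_cidr(cidr)
    mine = (ip_to_int(host) & mask) == net
    stdlib = ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)
    assert mine == stdlib, "hand-rolled mask arithmetic disagrees with the standard library"
    return mine


if __name__ == "__main__":
    # Constructed sample hosts inside and outside 10.21.0.0/16
    print(split_address("10.21.7.9", 16))                            # ('10.21.0.0', '0.0.7.9')
    print(same_network("10.21.7.9", "10.21.200.1", "10.21.0.0/16"))  # True
    print(same_network("10.21.7.9", "10.22.0.1", "10.21.0.0/16"))    # False
```

For a prefix that is not a multiple of 8 (a /20, say) the boundary falls inside an octet, which is exactly why the mask must be applied bit-wise rather than by comparing octets as text.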

Networking Overview 39

Packet Fragmentation
- Link may accept packet of max length
- What if packet is too big? Fragmentation!
  o Router chops packet into pieces
  o Reassembled at destination
  o Fields in IP header identify fragments (and how to reassemble them)

Networking Overview 40

Fragmentation Bits
- Don’t fragment bit
  o 0 == OK to fragment, 1 == don’t fragment
- More fragments bit
  o 0 == last fragment, 1 == more fragments
- Fragmentation opens door to attacks
  o Firewalls/IDS do not like fragments

Networking Overview 41

Other Stuff in IP Header
- Version --- IPv4 or IPv6
- Hlen --- total length of IP header
- Service Type --- for quality of service
- Total Length --- length of data and header
- Identification --- for fragment reassembly
- Flags --- don’t fragment, more fragments, …
- Fragmentation Offset --- how to reassemble fragments

Networking Overview 42

Other Stuff in IP Header
- Time-to-Live (TTL) --- max number of “hops” remaining before packet dies
- Protocol --- TCP or UDP
- Header Checksum --- error detection in header (recomputed at each router)
- Source IP Address --- “from”
- Destination IP Address --- “to”
- Options --- e.g., “source routing”
- Padding --- pad length to multiple of 32 bits
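The IPv4 header fields listed on slides 33 and 39 through 42 (version, Hlen, total length, identification, the don't-fragment and more-fragments bits, fragment offset, TTL, protocol, header checksum, addresses, options and padding) decoded from constructed bytes, together with the per-router step the slides describe: decrement TTL and recompute the checksum. This is an added example, not the slides' own material. The checksum routine is the standard Internet checksum (RFC 1071 ones'-complement sum), the addresses are from documentation ranges, and the function names are chosen here.

```python
import struct

# Protocol numbers the slides mention (ICMP is 1 per slide 44).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header):
    """Internet checksum: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_length, ident, df, mf, frag_offset, ttl, protocol, options=b""):
    """Constructed IPv4 header (not a captured packet).  frag_offset is in 8-byte units."""
    padded = options + b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    ihl = (20 + len(padded)) // 4                        # header length in 32-bit words
    flags_frag = (df << 14) | (mf << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length, ident,
                      flags_frag, ttl, protocol, 0, src, dst) + padded
    # The checksum is computed with its own field zeroed, then written into bytes 10..11.
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data):
    """Decode the header; a header whose stored checksum is right sums to zero."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(data):
        raise ValueError("bad header length")
    return {
        "version": version, "hlen": hlen, "tos": tos, "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,        # converted to bytes
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum": csum,
        "checksum_ok": ip_checksum(data[:hlen]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": data[20:hlen],
    }


def forward_hop(data):
    """One router hop: drop on bad checksum or expired TTL, else TTL-1 and a fresh checksum."""
    info = parse_ipv4_header(data)
    if not info["checksum_ok"]:
        return None                       # corrupted header: drop
    if info["ttl"] <= 1:
        return None                       # TTL would hit 0: drop (router sends ICMP Time Exceeded, type 11)
    hlen = info["hlen"]
    hdr = bytearray(data[:hlen])
    hdr[8] -= 1                           # TTL byte
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + data[hlen:]


if __name__ == "__main__":
    # Constructed sample: first fragment of a UDP datagram from 10.21.7.9 to 198.51.100.10
    pkt = build_ipv4_header(bytes([10, 21, 7, 9]), bytes([198, 51, 100, 10]), total_length=28,
                            ident=0x1234, df=0, mf=1, frag_offset=0, ttl=64, protocol=17) + b"\x00" * 8
    print(parse_ipv4_header(pkt))
    print(parse_ipv4_header(forward_hop(pkt))["ttl"])   # 63
```

Because the checksum covers only the header, a router can cheaply re-validate and rewrite it at every hop; it says nothing about the payload, which is why it is error detection and not a security control.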

Networking Overview 43

ICMP
- Internet Control Message Protocol
- Like the “network plumber”
  o Host uses ICMP to see if another host is alive and responding
  o Router uses ICMP to tell source it does not know how to route a packet
  o Host can tell another host to stop sending data so fast, etc., etc.

Networking Overview 44

ICMP
- Same packet format as IP
  o Protocol field is set to 1
- Many ICMP message types
  o Common types listed on next 2 slides

Networking Overview 45

ICMP
- Name (type number) --- explanation
  o Echo reply (0) --- response to ping
  o Destination unreachable (3) --- IP packet cannot be delivered (sent by router or host)
  o Source quench (4) --- slow down!
  o Redirect (5) --- send data to different router
  o Echo (8) --- ping (is system responding?)

Networking Overview 46

ICMP
- Message, type number, explanation
  o Time Exceeded (11) --- TTL exceeded, or problem reassembling fragments
  o Parameter Problem (12) --- bad parameter
  o Timestamp (13) --- request system’s time
  o Timestamp Reply (14) --- send system time
  o Information Request (15) --- used to determine which network a host is on
  o Information Reply (16) --- network IP address

Networking Overview 47

Routing Packets
- How routers get packets thru network
  o Like Little Red Riding Hood trying to find the best path to grandma’s house
- Dynamic routing protocols
  o RIP, OSPF, BGP
  o As if trees in the forest calculate best path and tell Red which way to go

Networking Overview 48

Routing Packets
- Static routing protocols
  o Hard-coded routes
  o Red always has to go the same way
- Source routing
  o Source specifies route in packet
  o Step-by-step directions to Grandma’s house tattooed on Red’s forehead

Networking Overview 49

NAT
- Network Address Translation
- Address-related problems
  o Not enough IP addresses to go around
  o Internal network uses “illegal” or unroutable (private) addresses
- Solutions: NAT
  o Gateway (i.e., router or firewall) “translates” addresses

Networking Overview 50

NAT
- Outgoing --- gateway replaces internal address with valid IP address
- Incoming --- gateway replaces valid IP address with internal address
- Note that gateway must remember!

Networking Overview 51

How to Implement NAT?
- Map single IP address
  o Every packet mapped to one IP address
  o Vary source port numbers
  o Port Address Translation (PAT)
- One-to-one mapping
  o Internal address mapped to unique IP address
- Dynamically allocate addresses
  o Multiplex internal addresses to IP addresses
  o Not as popular as other 2 approaches
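The first of the three approaches on slide 51, Port Address Translation, worked through as an added example (not code from the slides): every outgoing packet gets the gateway's single public address and a fresh source port, the gateway remembers the mapping (slide 50's "gateway must remember"), and incoming packets are rewritten back or, when no mapping exists, dropped. The `PatGateway` class, the packet dictionaries and the documentation-range addresses are all constructed for this example; requiring the reply to come from the same remote endpoint the mapping was created for is a design choice made here, not something the slides state.

```python
import itertools


class PatGateway:
    """Port Address Translation: many internal hosts share one public IP address.

    outbound: (internal_ip, internal_port, remote_ip, remote_port) -> public port
    inbound:  public port -> the same 4-tuple, for rewriting replies
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # hands out distinct public ports
        self.outbound = {}
        self.inbound = {}

    def translate_outgoing(self, pkt):
        """Internal -> Internet: replace source address/port, remembering the mapping."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.outbound:                     # first packet of this flow
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[port] = key
        out = dict(pkt)
        out["src_ip"] = self.public_ip
        out["src_port"] = self.outbound[key]             # same flow always gets the same port
        return out

    def translate_incoming(self, pkt):
        """Internet -> internal: rewrite destination from the table; unknown traffic returns None."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        entry = self.inbound.get(pkt["dst_port"])
        if entry is None:
            return None                                  # nobody inside asked for this: dropped
        internal_ip, internal_port, remote_ip, remote_port = entry
        if (pkt["src_ip"], pkt["src_port"]) != (remote_ip, remote_port):
            return None                                  # reply from an endpoint the mapping was not made for
        inbound = dict(pkt)
        inbound["dst_ip"] = internal_ip
        inbound["dst_port"] = internal_port
        return inbound


if __name__ == "__main__":
    # Constructed sample: two private hosts, both using source port 5000, reach the same web server
    gw = PatGateway("203.0.113.1")
    a = {"src_ip": "10.21.7.9", "src_port": 5000, "dst_ip": "198.51.100.10", "dst_port": 80}
    b = {"src_ip": "10.21.7.10", "src_port": 5000, "dst_ip": "198.51.100.10", "dst_port": 80}
    print(gw.translate_outgoing(a))       # src 203.0.113.1:40000
    print(gw.translate_outgoing(b))       # src 203.0.113.1:40001
    reply = {"src_ip": "198.51.100.10", "src_port": 80, "dst_ip": "203.0.113.1", "dst_port": 40001}
    print(gw.translate_incoming(reply))   # dst 10.21.7.10:5000
```

The varied source port is what lets one public address carry both hosts' connections to the same server; without it the two replies would be indistinguishable. Note that the table is consulted but never created by incoming packets, which is the whole of the "hiding" effect slide 52 attributes to NAT.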

Networking Overview 52

NAT and Security
- NAT hides internal IP addresses
  o Might be harder for attacker to map network topology
- NAT of limited security value
  o Attacker could take over NAT device
  o Attacker could let NAT do its job and attack internal network
  o Some argue NAT harms security (IPSec)

Networking Overview 53

Firewalls: Pick Your Analogy
- Network “traffic cop”
- Network “soccer goalie”

Networking Overview 54

Firewalls
- Filter based on…
  o Services, addresses, data, etc., etc.
- May be used to protect…
  o Your network from Internet
  o Your network from partner’s network
  o Your network from your network
  o Internet from your network

Networking Overview 55

Firewalls
- Attacker: “kick ball” past goalie…

Networking Overview 56

Firewalls
- Three types of firewalls
  o Packet filter (network layer)
  o Stateful packet filter (transport layer)
  o Proxy-based firewall (application layer)
- All firewalls one of these types
  o In spite of marketing…
- Also, Intrusion Prevention Systems (IPS)
  o Not quite the same as firewall

Networking Overview 57

Packet Filter
- Filter each packet individually
  o No concept of state
- Can filter based on…
  o Source/destination IP address
  o Source/destination port (application specific)
  o TCP control bits (SYN, ACK, etc.)
  o Protocol (e.g., allow TCP, deny UDP)
  o Direction (incoming, outgoing)
  o Interface (trusted or untrusted network)

Networking Overview 58

Packet Filter
- Access control list (ACL), e.g.,

  Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
  Allow   Inside     Outside  Any          80         HTTP      Any
  Allow   Outside    Inside   80           > 1023     HTTP      ACK
  Deny    All        All      All          All        All       All

- Start at top and work down the list
  o What do 1st, 2nd, 3rd lines do?

Networking Overview 59

Packet Filter
- Disadvantage: very limited view
- Consider ACL on previous slide
  o Easy to kick ball past this goalie
  o E.g., ACK scan
- Even worse with UDP
  o No flag bits
- Advantages: speed and simplicity

Networking Overview 60

Stateful Packet Filter
- Improve packet filter by adding state
  o State == remember something (packets)
- Remember each active connection
  o State table: info on active connections
  o Time out, typically, after 10 to 90 seconds
  o Can see how/if new packet fits into ongoing connection
  o For example, ACK must be preceded by SYN

Networking Overview 61

Stateful Packet Filter
- With packet filter
  o Attacker can “ACK scan” for open ports
  o Send ACK packets with no prior SYN
- With stateful packet filter
  o ACK scan fails
  o Packets dropped since no prior SYN
- Can also remember UDP “connections”
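The three-line ACL on slide 58, evaluated top-down over constructed packets, answers the slide's question about what each line does, and wrapping the same ACL in a state table reproduces the difference slides 59 through 61 describe: the stateless filter passes an unsolicited ACK because line 2 only looks at the flag bits, while the stateful filter drops it because no SYN was ever recorded. This is an added example, not code from the slides. "Inside" is taken to mean 10.21.0.0/16, the slide's "HTTP" protocol column is matched as TCP, the 60-second timeout sits inside the slide's 10 to 90 second range, and all names and addresses are chosen here.

```python
# The ACL exactly as on the slide: first matching line wins.
ACL = [
    ("Allow", "Inside", "Outside", "Any", 80, "HTTP", "Any"),
    ("Allow", "Outside", "Inside", 80, ">1023", "HTTP", "ACK"),
    ("Deny", "All", "All", "All", "All", "All", "All"),
]
PROTO_ALIAS = {"HTTP": "TCP"}          # the slide names the service; packets carry the transport protocol


def is_inside(ip):
    """Assumption for this example: the protected network is 10.21.0.0/16."""
    return ip.startswith("10.21.")


def match_side(spec, ip):
    if spec in ("All", "Any"):
        return True
    return is_inside(ip) if spec == "Inside" else not is_inside(ip)


def match_port(spec, port):
    if spec in ("All", "Any"):
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec


def match_flags(spec, flags):
    return spec in ("All", "Any") or spec in flags


def packet_filter(pkt, acl=ACL):
    """Stateless filter: returns (action, 1-based line number of the rule that matched)."""
    for i, (action, src, dst, sport, dport, proto, flags) in enumerate(acl, start=1):
        if (match_side(src, pkt["src_ip"]) and match_side(dst, pkt["dst_ip"])
                and match_port(sport, pkt["src_port"]) and match_port(dport, pkt["dst_port"])
                and (proto == "All" or PROTO_ALIAS.get(proto, proto) == pkt["proto"])
                and match_flags(flags, pkt["flags"])):
            return action, i
    return "Deny", None                  # implicit deny if nothing matched


class StatefulFilter:
    """Same ACL, plus a table of connections opened by an allowed SYN."""

    def __init__(self, acl=ACL, timeout=60):
        self.acl = acl
        self.timeout = timeout
        self.table = {}                  # (client_ip, client_port, server_ip, server_port) -> last seen

    def check(self, pkt, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.timeout}
        fwd = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        rev = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            # A new connection attempt is the only thing the ACL decides; record it if allowed.
            action, rule = packet_filter(pkt, self.acl)
            if action == "Allow":
                self.table[fwd] = now
            return action, rule
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            return "Deny", "no-state"    # ACK (or anything else) with no prior SYN is dropped
        self.table[key] = now
        if "RST" in pkt["flags"]:
            del self.table[key]          # abnormal termination: forget the connection
        return "Allow", "state"


if __name__ == "__main__":
    # Constructed traffic: an inside client browsing an outside web server, then a stray ACK.
    client_syn = {"src_ip": "10.21.7.9", "src_port": 45000, "dst_ip": "198.51.100.10",
                  "dst_port": 80, "proto": "TCP", "flags": {"SYN"}}
    server_synack = {"src_ip": "198.51.100.10", "src_port": 80, "dst_ip": "10.21.7.9",
                     "dst_port": 45000, "proto": "TCP", "flags": {"SYN", "ACK"}}
    stray_ack = {"src_ip": "198.51.100.10", "src_port": 80, "dst_ip": "10.21.7.9",
                 "dst_port": 50000, "proto": "TCP", "flags": {"ACK"}}
    print(packet_filter(client_syn), packet_filter(server_synack), packet_filter(stray_ack))
    sf = StatefulFilter()
    print(sf.check(client_syn, 0), sf.check(server_synack, 1), sf.check(stray_ack, 2))
```

Line 1 lets inside hosts open connections to outside web servers, line 2 lets the servers' replies back in, and line 3 denies everything else. The stateless filter accepts `stray_ack` on line 2, which is the limited view slide 59 warns about; the stateful version answers `("Deny", "no-state")` for the same packet because the ACL is consulted only for a SYN and every other packet must belong to a recorded connection.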

Networking Overview 62

Stateful Packet Filter
- Advantage: Much stronger than packet filter
- Disadvantage: More work
  o Often implemented in custom hardware, so speeds can be competitive
- Still lacks a complete view…

Networking Overview 63

Proxy
- Proxy --- acts on your behalf
- Analogy…
  o Student calls me at home late at night
  o My wife answers the phone
  o She tells me a student called
  o Me: “Tell that $&^# to get lost!”
  o My wife: “He’s busy, can I take a msg?”

Networking Overview 64

Proxy
- Another analogy…
  o Telemarketer calls me at home
  o My wife answers the phone
  o She tells them to go away…
  o …without informing me of the call
- My wife is acting as my proxy
- Proxy firewall is similar

Networking Overview 65

Proxy-Based Firewall
- Proxy can look at complete picture
  o Everything packet filter sees
  o Everything stateful packet filter sees
  o Plus application level info --- can verify that protocols are followed, data is free of malware, etc., etc.
- May cache info for efficiency

Networking Overview 66

Proxy-Based Firewall
- Advantage: complete view
- Disadvantage: speed, computing power
  o May limit amount of traffic it can handle, more expensive hardware, more complex, etc.

Networking Overview 67

IPS
- Intrusion Prevention System (IPS)
  o Similar to, but not quite a firewall
- Analyze network traffic in real time
- Attack signatures/suspicious behavior
  o Signatures/anomaly detection
- Firewall does not do this
- Can block suspicious communications

Networking Overview 68

Best Firewall?
- Try to get best from each technology

Networking Overview 69

Data Link Layer
- Not part of TCP/IP
  o But it is a source of attacks
- Data Link Layer
  o Move packets across one “hop”, LAN to router, router to router, etc.
  o Lives in Network Interface Card (NIC)
  o Ethernet, 802.11 (wireless), etc.

Networking Overview 70

Ethernet
- Ethernet is “king of the Link Layer”
- Ethernet used on shared media
  o Resource contention
- Media Access Control (MAC) addresses
  o 48 bits, globally unique
  o Of form AA:BB:CC:DD:EE:FF (or “.” for “:”)
  o IP address is like street address, MAC address like social security number
  o Aside: Why not use IP address for everything?

Networking Overview 71

ARP
- Address Resolution Protocol (ARP)
  o MAC address for LAN, IP address for network
- ARP is used to find MAC address, given the IP address
  o Broadcast IP address
  o Whoever has it, responds with MAC address
  o Response is cached (for efficiency)

Networking Overview 72

ARP
- ARP only applies on same LAN
- ARP is stateless

Networking Overview 73

Hubs and Switches
- Both used on LAN
- Hub is simple/dumb device
  o Broadcast to all interfaces
  o Simple, but wastes bandwidth
- Switch is smarter
  o Only sends data to a specific interface
  o Reduces bandwidth usage

Networking Overview 74

Hubs and Switches
- Hub
  o Simple
  o Wasteful
- Switch
  o Complex
  o Saves bandwidth

Networking Overview 75

Switches
- Switch stores MAC address locations
  o Content Addressable Memory (CAM)
- Table determined automatically
  o At first switch acts like hub
  o Then looks at MAC addresses
  o Uses this info to fill in table
  o This all happens automatically
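The learning process on slides 73 through 75 (flood like a hub until the CAM table knows where a MAC address lives, then send only to that port) as an added example in Python; this is not code from the slides. The `LearningSwitch` class, its port numbers and the sample MAC addresses are constructed here. The bounded table size is an assumption added to mirror a real CAM, which has finite capacity: once it is full, new addresses are not learned and frames to them keep being flooded.

```python
class LearningSwitch:
    """Transparent bridge: learns source MAC -> port, floods unknown destinations like a hub."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, cam_capacity=1024):
        self.ports = list(ports)
        self.cam = {}                       # MAC address -> port it was last seen on
        self.capacity = cam_capacity        # assumption: a real CAM table has finite size

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of (never the ingress port)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()

        # Learning step: whoever sent this frame is reachable through in_port.
        # A known address may move; a new address is only added while there is room.
        if src_mac in self.cam or len(self.cam) < self.capacity:
            self.cam[src_mac] = in_port

        # Forwarding step.
        out = self.cam.get(dst_mac)
        if dst_mac == self.BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # flood: the "acts like hub" phase
        if out == in_port:
            return []                                        # destination shares the ingress segment
        return [out]                                         # known: a single interface


if __name__ == "__main__":
    # Constructed sample: hosts A and B on ports 1 and 2 of a three-port switch
    sw = LearningSwitch(ports=[1, 2, 3])
    print(sw.forward(1, "00:11:22:33:44:AA", "00:11:22:33:44:BB"))   # [2, 3]: B unknown, flood
    print(sw.forward(2, "00:11:22:33:44:BB", "00:11:22:33:44:AA"))   # [1]: A already learned
    print(sw.forward(1, "00:11:22:33:44:AA", "00:11:22:33:44:BB"))   # [2]: B learned now
    print(sw.cam)
```

Only the second frame between a pair of hosts is delivered to a single port; the first is always flooded, which is the bandwidth a hub wastes on every frame and a switch wastes only until its table fills in.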

Networking Overview 76

Switch

Networking Overview 77

Wireless LAN
- 802.11 is king of WLAN
- Wireless security is difficult
  o Often not secured, rogue access points, …
- LAN usually has little or no security
  o Maybe OK if physical access required
  o But WLAN changes all of that…
  o WLAN is good news for Trudy and Eve

Networking Overview 78

WLAN
- Regular LAN attacks work on WLAN
- Physical access not required!
- Makes hackable network more so
- Great news for Trudy and Eve!
  o Cell phones and other wireless technology promise even more hacks

Networking Overview 79

802.11
- 802.11 --- 1997 @ 2Mbps
- 802.11a --- 1999 @ 54Mbps
  o Not used much, since came out at same time as 802.11b, and 802.11b is cheaper
- 802.11b --- 1999 @ 11Mbps
  o Speed similar to traditional Ethernet
- 802.11g --- 2003 @ 54Mbps
  o Popular, combines best of 802.11a and 802.11b

Networking Overview 80

802.11
- 802.11i --- 2004
  o Real security
  o Strong encryption (AES)
  o Strong key exchange (TKIP)
- Much stronger than WEP
  o WEP: “swiss cheese” of security protocols
  o WEP: no integrity, poor encryption, etc.

Networking Overview 81

WEP
- According to Tanenbaum:
  o “The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.”


Security on the Internet
- TCP/IP provides no security
- Must retrofit Internet for security
- Application layer
  o PGP, S/MIME, SSH, …
- "Socket layer"
  o SSL/TLS (really part of application layer)
- Network layer
  o IPSec


Application Layer Security
- Pretty Good Privacy (PGP)
  o Developed by Phil Zimmerman
  o No backdoor? "We don't hire that kind of person"
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
  o Secure email
- Secure Shell (SSH)
  o Secure "tunnel" for remote access


SSL
- Secure Socket Layer (SSL)
  o Developed for Web, HTTP
  o Can be used anywhere
  o Elegant security protocol
- Transport Layer Security (TLS)
  o IETF successor to SSL 3.0 (TLS 1.0, RFC 2246); essentially the same design, but not interoperable with SSL 3.0


SSL
- Authentication, confidentiality, integrity
- You use SSL all the time
  o Whenever "lock" (or "key") appears in browser
  o HTTPS == HTTP with SSL
- Secure transactions on Internet


SSL
- Not quite the same as in CS166 or CS265…


SSL


A Note on Notation
- E(X,K) == encrypt X with symmetric key K
  o Key is known to sender and receiver
  o And nobody else
- {X}Alice == encrypt X with Alice's public key
  o Key known to everybody
  o Can only be decrypted with Alice's private key
  o Alice's private key known only to Alice


Notation
- h(X) == cryptographic hash function
  o Provides "fingerprint" of X
  o Compresses data
- Certificate
  o Contains (at least) public key, name
  o Signed by a Certificate Authority (CA)
  o CA vouches that corresponding private key belongs to "name" in certificate
  o Anyone can verify signature (public key)


Simple SSL-like Protocol

Alice → Bob: I'd like to talk to you securely
Bob → Alice: Here's my certificate
Alice → Bob: {KAB}Bob
Alice ↔ Bob: protected HTTP

- Is Alice sure she's talking to Bob? Is Bob sure he's talking to Alice?


Simplified SSL Protocol

Alice → Bob: Can we talk?, cipher list, RA
Bob → Alice: certificate, cipher, RB
Alice → Bob: {S}Bob, E(h(msgs,CLNT,K),K)
Bob → Alice: h(msgs,SRVR,K)
Alice ↔ Bob: Data protected with key K

- S is pre-master secret
- K = h(S,RA,RB)
- msgs = all previous messages
- CLNT and SRVR are constants


SSL Authentication
- Alice authenticates Bob, not vice-versa
  o How does client authenticate server?
  o Why does server not authenticate client?
- Mutual authentication is possible: Bob sends certificate request in message 2
  o This requires client to have certificate
  o If server wants to authenticate client, server could instead require (encrypted) password


SSL MiM Attack

Alice → Trudy: RA
Trudy → Bob: RA
Bob → Trudy: certificateB, RB
Trudy → Alice: certificateT, RB
Alice → Trudy: {S1}Trudy, E(X1,K1)
Trudy → Bob: {S2}Bob, E(X2,K2)
Bob → Trudy: h(Y2,K2)
Trudy → Alice: h(Y1,K1)
Alice ↔ Trudy: E(data,K1)
Trudy ↔ Bob: E(data,K2)

- Q: What prevents this MiM attack?
- A: Bob's certificate must be signed by a certificate authority (such as Verisign)
- What does browser do if signature not valid?
- What does user do if signature is not valid?
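The simplified handshake and the MiM check above, as an added example that is not part of the original slides: Alice and Bob run the four messages with K = h(S,RA,RB) and the finished messages over all previous messages, and Alice refuses to go on when the certificate that claims to be Bob's is not signed by the CA she trusts. Assumptions for illustration only: textbook RSA over hard-coded Mersenne primes stands in for the certificate signature and for {S}Bob (no padding, tiny moduli), SHA-256 is h, and the protected finished message E(h(msgs,CLNT,K),K) is modelled as an HMAC keyed by K, which is what the check actually relies on.

```python
import hashlib
import hmac
import secrets

# Toy RSA parameters: hard-coded Mersenne primes, textbook RSA without padding.
# Assumption for this illustration only; real deployments use 2048-bit+ keys with OAEP/PSS.
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
M521, M607 = (1 << 521) - 1, (1 << 607) - 1
E_PUB = 65537
CLNT, SRVR = b"CLNT", b"SRVR"          # the constants from the slides

def h(*parts):
    """h(...) from the slides: SHA-256 over length-framed fields (bytes, str or int)."""
    fields = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    return hashlib.sha256(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).digest()

def rsa_keypair(p, q):
    n = p * q
    return (n, E_PUB), (n, pow(E_PUB, -1, (p - 1) * (q - 1)))

def rsa_encrypt(m, pub):           # {m}Bob for an int m below n
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(c, priv):          # also used as the raw signing operation
    n, d = priv
    return pow(c, d, n)

def cert_digest(name, pub):
    return int.from_bytes(h(name, pub[0], pub[1])[:16], "big")   # 128 bits, below every toy modulus

def make_cert(name, pub, signer_priv):
    """Certificate = (name, public key) signed by whoever holds signer_priv (the CA, ideally)."""
    return {"name": name, "pub": pub, "sig": rsa_decrypt(cert_digest(name, pub), signer_priv)}

def verify_cert(cert, ca_pub):
    return rsa_encrypt(cert["sig"], ca_pub) == cert_digest(cert["name"], cert["pub"])

def finished(K, transcript, who):
    """The protected finished message E(h(msgs, who, K), K), modelled as HMAC-SHA256 keyed by K."""
    return hmac.new(K, h(*transcript, who), hashlib.sha256).digest()

class Server:
    """Bob's side of the simplified handshake (or Trudy's, if she is the one holding the certificate)."""
    def __init__(self, cert, priv):
        self.cert, self.priv, self.K = cert, priv, None

    def hello(self, cipher_list, RA):                 # message 1 in, message 2 out
        self.RA, self.RB, self.cipher = RA, secrets.token_bytes(16), cipher_list[0]
        self.transcript = [h(b"Can we talk?", *cipher_list, RA),
                           h(self.cert["name"], self.cipher, self.RB)]
        return self.cert, self.cipher, self.RB

    def key_exchange(self, enc_S, client_fin):         # message 3 in, message 4 out
        S = rsa_decrypt(enc_S, self.priv)
        K = h(S, self.RA, self.RB)                      # K = h(S, RA, RB)
        if not hmac.compare_digest(finished(K, self.transcript, CLNT), client_fin):
            raise ValueError("client finished message does not verify")
        self.transcript.append(h(enc_S, client_fin))
        self.K = K
        return finished(K, self.transcript, SRVR)

def client_handshake(server, ca_pub, cipher_list=("AES128-SHA", "RC4-SHA")):
    """Alice's side. Returns the session key K, or raises if Bob cannot be authenticated."""
    RA = secrets.token_bytes(16)
    cert, cipher, RB = server.hello(cipher_list, RA)
    # The MiM defence from the slides: use the public key only if a trusted CA vouches for it.
    if not verify_cert(cert, ca_pub):
        raise ValueError("certificate for %r is not signed by a trusted CA" % cert["name"])
    transcript = [h(b"Can we talk?", *cipher_list, RA), h(cert["name"], cipher, RB)]
    S = secrets.randbits(127)                          # pre-master secret, below the toy moduli
    K = h(S, RA, RB)
    enc_S = rsa_encrypt(S, cert["pub"])                # {S}Bob
    client_fin = finished(K, transcript, CLNT)
    server_fin = server.key_exchange(enc_S, client_fin)
    transcript.append(h(enc_S, client_fin))
    if not hmac.compare_digest(finished(K, transcript, SRVR), server_fin):
        raise ValueError("server finished message does not verify")
    return K

def demo():
    """Honest handshake agrees on K; Trudy's self-signed 'Bob' certificate is rejected."""
    ca_pub, ca_priv = rsa_keypair(M107, M127)
    bob_pub, bob_priv = rsa_keypair(M61, M89)
    trudy_pub, trudy_priv = rsa_keypair(M521, M607)
    bob = Server(make_cert("Bob", bob_pub, ca_priv), bob_priv)
    honest_ok = client_handshake(bob, ca_pub) == bob.K
    trudy = Server(make_cert("Bob", trudy_pub, trudy_priv), trudy_priv)   # says "Bob", signed by Trudy
    try:
        client_handshake(trudy, ca_pub)
        mim_rejected = False
    except ValueError:
        mim_rejected = True
    return honest_ok, mim_rejected
```

Note what the certificate check does and does not buy: Trudy is stopped only because Alice holds the CA's public key out of band and refuses an unverifiable certificate; a browser that lets the user click through an invalid signature is back in the MiM diagram above.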


SSL vs IPSec
- IPSec discussed next
  o Lives at the network layer (part of the OS)
  o Has encryption, integrity, authentication, etc.
  o Is overly complex (including serious flaws)
- SSL (and the IETF standard known as TLS)
  o Lives at socket layer (part of user space)
  o Has encryption, integrity, authentication, etc.
  o Has a simpler specification


SSL vs IPSec
- IPSec implementation
  o Requires changes to OS, but no changes to applications
- SSL implementation
  o Requires changes to applications, but no changes to OS
- SSL built into Web application early on (Netscape)
- IPSec used in VPN applications (secure tunnel)
- Reluctance to retrofit applications for SSL
- Reluctance to use IPSec due to complexity and interoperability issues
- Result? Internet less secure than it should be!


IPSec


IPSec and SSL
- IPSec lives at the network layer
- IPSec is transparent to applications

[Figure: protocol stack (application, transport, network, link, physical). SSL sits at the application layer in user space; IPSec sits at the network layer inside the OS, above the NIC.]


IPSec and Complexity
- IPSec is a complex protocol
- Over-engineered
  o Lots of generally useless extra features
- Flawed
  o Some significant security issues
- Interoperability is serious challenge
  o Defeats the purpose of having a standard!
- Complex
- Did I mention, it's complex?


IKE and ESP/AH
- Two parts to IPSec
- IKE: Internet Key Exchange
  o Mutual authentication
  o Establish shared symmetric key
  o Two "phases" like SSL session/connection
- ESP/AH
  o ESP: Encapsulating Security Payload for encryption and/or integrity of IP packets
  o AH: Authentication Header for integrity only


IKE


IKE
- IKE has 2 phases
  o Phase 1: IKE security association (SA)
  o Phase 2: AH/ESP security association
- Phase 1 is comparable to SSL session
- Phase 2 is comparable to SSL connection
- Not an obvious need for two phases in IKE
- If multiple Phase 2's do not occur, then it is more expensive to have two phases!


IKE Phase 1
- Four different "key" options
  o Public key encryption (original version)
  o Public key encryption (improved version)
  o Public key signature
  o Symmetric key
- For each of these, two different "modes"
  o Main mode
  o Aggressive mode
- There are 8 versions of IKE Phase 1!
- Evidence that IPSec is over-engineered?


IKE Phase 1
- We discuss 1 of 8 phase 1 variants
  o Public key signatures
  o Both main and aggressive modes


IKE Phase 1
- Uses ephemeral Diffie-Hellman to establish session key
  o Provides perfect forward secrecy (PFS)
- Let a be Alice's Diffie-Hellman exponent
- Let b be Bob's Diffie-Hellman exponent
- Let g be generator and p prime
- Recall that p and g are public


IKE Phase 1: Digital Signature (Main Mode)

Alice → Bob: IC, CP
Bob → Alice: IC, RC, CS
Alice → Bob: IC, RC, g^a mod p, RA
Bob → Alice: IC, RC, g^b mod p, RB
Alice → Bob: IC, RC, E("Alice", proofA, K)
Bob → Alice: IC, RC, E("Bob", proofB, K)

- CP = crypto proposed, CS = crypto selected
- IC = initiator "cookie", RC = responder "cookie"
- K = h(IC, RC, g^ab mod p, RA, RB)
- SKEYID = h(RA, RB, g^ab mod p)
- proofA = [h(SKEYID, g^a mod p, g^b mod p, IC, RC, CP, "Alice")]Alice


IKE Phase 1: Public Key Signature (Aggressive Mode)
- Main difference from main mode
  o Not trying to protect identities
  o Cannot negotiate g or p

Alice → Bob: IC, "Alice", g^a mod p, RA, CP
Bob → Alice: IC, RC, "Bob", RB, g^b mod p, CS, proofB
Alice → Bob: IC, RC, proofA
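The aggressive-mode exchange above with its ephemeral Diffie-Hellman, run end to end as an added example that is not part of the original slides. To stay self-contained (no certificates or signatures) it uses the symmetric-key variant of the four key options rather than the public-key-signature one: proofA and proofB are keyed hashes under SKEYID, and SKEYID is the slides' h(RA, RB, g^ab mod p) additionally keyed by the pre-shared key, which is how the pre-shared-key variant binds the exchange to the secret. K = h(IC, RC, g^ab mod p, RA, RB) is computed on both sides and the exponents a and b are then discarded, which is the PFS property. The group (p = 2^127 - 1, g = 3), the proposal list and the pre-shared key are constructed assumptions; real IKE uses the MODP groups of RFC 2409/RFC 3526. The `eavesdropper_view` function shows what the slides say about this mode: a passive attacker reads both identities off the wire.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only): p = 2^127 - 1 is prime, g = 3.
P, G = (1 << 127) - 1, 3
CP = ["AES-CBC-128 / HMAC-SHA256", "3DES / HMAC-SHA1"]      # crypto proposed (constructed list)

def h(*parts):
    """h(...) from the slides: SHA-256 over length-framed fields (bytes, str, int or list)."""
    fields = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    return hashlib.sha256(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).digest()

def prf(key, *parts):
    """Keyed hash used for SKEYID and the proofs in the pre-shared-key variant."""
    return hmac.new(key, h(*parts), hashlib.sha256).digest()

class Peer:
    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.cookie = secrets.token_bytes(8)          # IC or RC
        self.nonce = secrets.token_bytes(16)          # RA or RB
        self.x = secrets.randbelow(P - 2) + 2         # ephemeral exponent a or b
        self.gx = pow(G, self.x, P)                   # g^a mod p or g^b mod p

    def secret(self, RA, RB, gy):
        """SKEYID = prf(psk, RA, RB, g^ab mod p) and the raw DH value g^ab mod p."""
        gxy = pow(gy, self.x, P)
        return prf(self.psk, RA, RB, gxy), gxy

def aggressive_mode(alice, bob, wire):
    """Runs the three messages; 'wire' collects exactly what a passive eavesdropper sees."""
    # Message 1: IC, "Alice", g^a mod p, RA, CP   (identity in the clear)
    m1 = (alice.cookie, alice.name, alice.gx, alice.nonce, CP)
    wire.append(m1)
    IC, _, ga, RA, cp = m1
    # Bob: choose CS, derive SKEYID, prove knowledge of the secret over the whole exchange
    CS = cp[0]
    skeyid_b, gab_b = bob.secret(RA, bob.nonce, ga)
    proofB = prf(skeyid_b, bob.gx, ga, IC, bob.cookie, cp, bob.name)
    # Message 2: IC, RC, "Bob", RB, g^b mod p, CS, proofB
    m2 = (IC, bob.cookie, bob.name, bob.nonce, bob.gx, CS, proofB)
    wire.append(m2)
    _, RC, bob_id, RB, gb, _, pB = m2
    # Alice: derive the same SKEYID and check Bob's proof before revealing her own
    skeyid_a, gab_a = alice.secret(RA, RB, gb)
    if not hmac.compare_digest(prf(skeyid_a, gb, alice.gx, IC, RC, CP, bob_id), pB):
        raise ValueError("Bob's proof does not verify (wrong pre-shared key or tampered exchange)")
    proofA = prf(skeyid_a, alice.gx, gb, IC, RC, CP, alice.name)
    # Message 3: IC, RC, proofA
    m3 = (IC, RC, proofA)
    wire.append(m3)
    if not hmac.compare_digest(prf(skeyid_b, ga, bob.gx, IC, bob.cookie, cp, alice.name), m3[2]):
        raise ValueError("Alice's proof does not verify")
    # K = h(IC, RC, g^ab mod p, RA, RB) on both sides; then forget a and b (perfect forward secrecy)
    K_a = h(IC, RC, gab_a, RA, RB)
    K_b = h(IC, bob.cookie, gab_b, RA, bob.nonce)
    del alice.x, bob.x
    return K_a, K_b

def eavesdropper_view(wire):
    """Identities a passive attacker reads straight off the aggressive-mode messages."""
    return [wire[0][1], wire[1][2]]

def demo(alice_psk=b"pre-shared secret (constructed)", bob_psk=None):
    wire = []
    K_a, K_b = aggressive_mode(Peer("Alice", alice_psk), Peer("Bob", bob_psk or alice_psk), wire)
    return K_a == K_b, eavesdropper_view(wire)
```

Running `demo()` returns `(True, ["Alice", "Bob"])`; `demo(bob_psk=b"wrong")` raises at Alice's check of proofB, which is the point of the proofs: the DH values alone authenticate nobody. In main mode the same identities would travel inside E(..., K) in messages 5 and 6, so a passive attacker would not see them; an active attacker who completes the DH exchange as Bob still would.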


Main vs Aggressive Modes
- Main mode MUST be implemented
- Aggressive mode SHOULD be implemented
  o In other words, if aggressive mode is not implemented, "you should feel guilty about it"
- Might create interoperability issues
- For public key signature authentication
  o Passive attacker knows identities of Alice and Bob in aggressive mode
  o Active attacker can determine Alice's and Bob's identity in main mode


IPSec
- After IKE Phase 1, we have an IKE SA
- After IKE Phase 2, we have an IPSec SA
- Both sides have a shared symmetric key
- Now what?
  o We want to protect IP datagrams
- But what is an IP datagram?
  o From the perspective of IPSec…


IP Review
- IP datagram is of the form: [ IP header | data ]
- Where IP header is: [Figure: layout of the IP header fields]


IP and TCP
- Consider HTTP traffic (over TCP)
- IP encapsulates TCP
- TCP encapsulates HTTP

[ IP header | TCP hdr | HTTP hdr | app data ]
[ IP header |                 data          ]

- IP data includes TCP header, etc.


AH vs ESP
- AH
  o Authentication Header
  o Integrity only (no confidentiality)
  o Integrity-protects everything beyond IP header and some fields of header (why not all fields?)
- ESP
  o Encapsulating Security Payload
  o Integrity and confidentiality
  o Protects everything beyond IP header
  o Integrity-only by using NULL encryption


ESP's NULL Encryption
- According to RFC 2410
  o NULL encryption "is a block cipher the origins of which appear to be lost in antiquity"
  o "Despite rumors", there is no evidence that NSA "suppressed publication of this algorithm"
  o Evidence suggests it was developed in Roman times as exportable version of Caesar's cipher
  o Can make use of keys of varying length
  o No IV is required
  o Null(P,K) = P for any P and any key K
- Security people have a strange sense of humor!


Why Does AH Exist? (1)
- Cannot encrypt IP header
  o Routers must look at the IP header
  o IP addresses, TTL, etc.
  o IP header exists to route packets!
- AH protects immutable fields in IP header
  o Cannot integrity protect all header fields
  o TTL, for example, must change
- ESP does not protect IP header at all


Why Does AH Exist? (2)
- ESP encrypts everything beyond the IP header (if non-null encryption)
- If ESP encrypts, firewall cannot look at TCP header (e.g., port numbers)
- Why not use ESP with null encryption?
  o Firewall sees ESP header, but does not know whether null encryption is used
  o End systems know, but not firewalls
- Aside 1: Do firewalls reduce security?
- Aside 2: Is IPSec compatible with NAT?
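The "immutable fields" point from Why Does AH Exist? (1) and the NAT aside above, as an added example that is not part of the original slides. The code builds a transport-mode AH packet (IP protocol 51, then the AH header, then the payload), computes the ICV over the IP header with the mutable fields zeroed (TOS, flags/fragment offset, TTL, header checksum, as RFC 4302 specifies), and then shows the consequence: a router hop that decrements TTL still verifies, while a NAT that rewrites the source address does not. The ICV is a truncated HMAC-SHA-256; the SA key, SPI, addresses and payload are constructed values.

```python
import hashlib
import hmac
import struct

def checksum(data):
    """Standard IPv4 header checksum (one's complement sum of 16-bit words)."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))

def ipv4_header(src, dst, ttl=64, proto=6, total_len=40, tos=0, ident=0x1234, flags_frag=0x4000):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def ah_icv_input(hdr):
    """The header as AH sees it: mutable fields zeroed (TOS, flags/fragment offset, TTL,
    checksum). Addresses, length, ID and protocol stay in, so they are what AH protects."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, hdr, ah_fixed, payload):
    """Truncated HMAC-SHA-256-128 over immutable header + AH (ICV field zeroed) + payload."""
    msg = ah_icv_input(hdr) + ah_fixed + bytes(16) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def ah_protect(key, src, dst, payload, ttl=64, spi=0x100, seq=1, next_hdr=6):
    """Transport-mode AH packet as (IP header, AH, payload); IP protocol field is 51 = AH."""
    hdr = ipv4_header(src, dst, ttl=ttl, proto=51, total_len=20 + 28 + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq)   # payload len 5 = 28/4 - 2
    return hdr, ah_fixed + ah_icv(key, hdr, ah_fixed, payload), payload

def ah_verify(key, hdr, ah, payload):
    return hmac.compare_digest(ah_icv(key, hdr, ah[:12], payload), ah[12:])

def refresh_checksum(h):
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def router_hop(hdr):
    """What every router does: decrement TTL and fix the checksum. AH tolerates this."""
    h = bytearray(hdr)
    h[8] -= 1
    return refresh_checksum(h)

def nat_rewrite(hdr, new_src):
    """What a NAT does: rewrite the source address. AH does not tolerate this."""
    h = bytearray(hdr)
    h[12:16] = ip2b(new_src)
    return refresh_checksum(h)

def demo():
    """Returns (verifies after a router hop, verifies after NAT) for a constructed packet."""
    key = b"constructed AH SA key (assumption)"
    hdr, ah, payload = ah_protect(key, "10.0.0.5", "192.0.2.10", b"GET / HTTP/1.0\r\n\r\n")
    return (ah_verify(key, router_hop(hdr), ah, payload),
            ah_verify(key, nat_rewrite(hdr, "203.0.113.7"), ah, payload))
```

`demo()` returns `(True, False)`, which is the answer to Aside 2 for AH: the source address is an immutable field, so any NAT on the path breaks the ICV. ESP does not cover the IP header, which is why ESP (with UDP encapsulation) is what survives NAT in practice.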


Why Does AH Exist? (3)
- The real reason why AH exists
  o At one IETF meeting "someone from Microsoft gave an impassioned speech about how AH was useless…"
  o "…everyone in the room looked around and said `Hmm. He's right, and we hate AH also, but if it annoys Microsoft let's leave it in since we hate Microsoft more than we hate AH.'"


IPSec
- Will it save us?
  o According to the author: "No!"
- Even if universally implemented, many problems remain
  o E.g., software (need I say more?)
- But it is a step in the right direction


Kerberos


Kerberos
- In Greek mythology, Kerberos is the 3-headed dog that guards the entrance to Hades
  o "Wouldn't it make more sense to guard the exit?"
- In security, Kerberos is an authentication system based on symmetric key crypto
  o Originated at MIT
  o Based on work by Needham and Schroeder
  o Relies on a trusted third party (TTP)


Motivation for Kerberos
- Authentication using public keys
  o N users ⇒ N key pairs
- Authentication using symmetric keys
  o N users requires about N^2 keys (one per pair of users, N(N-1)/2)
- Symmetric key case does not scale!
- Kerberos based on symmetric keys but only requires N keys for N users
  o But must rely on TTP
  o Advantage is that no PKI is required


Kerberos KDC
- Kerberos Key Distribution Center or KDC
  o Acts as a TTP
  o TTP must not be compromised!
  o KDC shares symmetric key KA with Alice, key KB with Bob, key KC with Carol, etc.
  o Master key KKDC known only to KDC
  o KDC enables authentication and session keys
  o Keys for confidentiality and integrity
  o Historically the crypto algorithm used was DES; current implementations use AES (the DES enctypes are deprecated)


Kerberos Tickets
- KDC issues a ticket containing info needed to access a network resource
- KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets
- Each TGT contains
  o Session key
  o User's ID
  o Expiration time
- Every TGT is encrypted with KKDC
  o TGT can only be read by the KDC


Kerberized Login
- Alice enters her password…
- …then Alice's workstation
  o Derives KA from Alice's password
  o Uses KA to get TGT for Alice from the KDC
- Alice can then use her TGT (credentials) to securely access network resources
- Plus: Security is transparent to Alice
- Minus: KDC must be secure; it's trusted!


Kerberized Login

Alice → Computer: Alice's password
Computer → KDC: Alice wants a TGT
KDC → Computer: E(SA, TGT, KA)

- Key KA derived from Alice's password
- KDC creates session key SA
- Workstation decrypts SA, TGT, forgets KA
- TGT = E("Alice", SA, KKDC)


Alice Requests Ticket to Bob

Alice → Computer: Talk to Bob
Computer → KDC: I want to talk to Bob, REQUEST
KDC → Computer: REPLY

- REQUEST = (TGT, authenticator) where authenticator = E(timestamp, SA)
- REPLY = E("Bob", KAB, ticket to Bob, SA)
- ticket to Bob = E("Alice", KAB, KB)
- KDC gets SA from TGT to verify timestamp


Alice Uses Ticket to Bob

Alice's Computer → Bob: ticket to Bob, authenticator
Bob → Alice's Computer: E(timestamp + 1, KAB)

- ticket to Bob = E("Alice", KAB, KB)
- authenticator = E(timestamp, KAB)
- Bob decrypts "ticket to Bob" to get KAB, which he then uses to verify timestamp


Kerberos
- Session key SA used for authentication
- Can also be used for confidentiality/integrity
- Timestamps used for mutual authentication
- Recall that timestamps reduce number of messages
  o Acts like a nonce that is known to both sides
  o Note: time is a security-critical parameter!
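The three Kerberos exchanges above (login, ticket request, use of the ticket) run end to end, as an added example that is not part of the original slides. It follows the slides' message formats: E(SA, TGT, KA) with TGT = E("Alice", SA, KKDC), REQUEST = (TGT, E(timestamp, SA)), REPLY = E("Bob", KAB, ticket, SA) with ticket = E("Alice", KAB, KB), and Bob's E(timestamp + 1, KAB) as the mutual-authentication reply. Two things the slides leave implicit are made explicit: the workstation deletes KA once it holds SA and the TGT, and every recipient of an authenticator checks the timestamp against its clock and a replay cache, which is where replay prevention in Kerberos lives and why time is security-critical. Assumptions for illustration only: E(X,K) is a toy encrypt-then-MAC built from HMAC-SHA256 (real Kerberos uses its AES enctypes, historically DES), KA = h(password) with no salt, the 5-minute skew and the names and passwords are constructed.

```python
import hashlib
import hmac
import json
import os
import time

SKEW_NS = 5 * 60 * 10**9   # clock skew tolerated for authenticators (5 minutes, as MIT Kerberos defaults)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(obj, key):
    """Stand-in for the slides' E(X,K): JSON-encode X, XOR with an HMAC keystream under a
    fresh nonce, append an HMAC tag (encrypt-then-MAC). Toy construction, illustration only."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(blob, key):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_fresh(ts, seen, who):
    """Replay prevention: the timestamp must be recent and not already seen from this principal."""
    if abs(time.time_ns() - ts) > SKEW_NS or (who, ts) in seen:
        raise ValueError("stale or replayed authenticator from %s" % who)
    seen.add((who, ts))

class KDC:
    def __init__(self, principal_keys):
        self.keys = principal_keys          # KA, KB, ... shared with each principal
        self.kkdc = os.urandom(32)          # KKDC, known only to the KDC
        self.seen = set()

    def login(self, name):                  # Kerberized login: E(SA, TGT, KA)
        SA = os.urandom(32)
        TGT = E([name, SA.hex()], self.kkdc)                     # TGT = E("Alice", SA, KKDC)
        return E([SA.hex(), TGT.hex()], self.keys[name])

    def ticket_for(self, TGT, authenticator, server):          # REQUEST in, REPLY out
        name, SA = D(TGT, self.kkdc)                             # stateless: SA comes out of the TGT
        SA = bytes.fromhex(SA)
        check_fresh(D(authenticator, SA), self.seen, name)
        KAB = os.urandom(32)
        ticket = E([name, KAB.hex()], self.keys[server])         # ticket to Bob = E("Alice", KAB, KB)
        return E([server, KAB.hex(), ticket.hex()], SA)          # REPLY = E("Bob", KAB, ticket, SA)

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket, authenticator):
        client, KAB = D(ticket, self.key)
        KAB = bytes.fromhex(KAB)
        ts = D(authenticator, KAB)
        check_fresh(ts, self.seen, client)
        return E(ts + 1, KAB)                                    # proves Bob holds KAB (mutual auth)

def string2key(password):
    return hashlib.sha256(password.encode()).digest()            # KA = h(password), as on the slides

def alice_talks_to_bob(kdc, bob, password):
    """Alice's workstation: login, obtain a ticket to Bob, authenticate to Bob."""
    KA = string2key(password)
    SA, TGT = (bytes.fromhex(x) for x in D(kdc.login("Alice"), KA))
    del KA                                                       # forget KA; keep credentials SA, TGT
    reply = D(kdc.ticket_for(TGT, E(time.time_ns(), SA), "Bob"), SA)
    server, KAB, ticket = reply[0], bytes.fromhex(reply[1]), bytes.fromhex(reply[2])
    ts = time.time_ns()
    auth = E(ts, KAB)
    if D(bob.accept(ticket, auth), KAB) != ts + 1:
        raise ValueError("%s failed to prove knowledge of KAB" % server)
    return KAB, ticket, auth

def demo():
    """Returns (replayed ticket+authenticator rejected, wrong password rejected)."""
    keys = {"Alice": string2key("correct horse battery staple"), "Bob": os.urandom(32)}
    kdc, bob = KDC(keys), Service("Bob", keys["Bob"])
    KAB, ticket, auth = alice_talks_to_bob(kdc, bob, "correct horse battery staple")
    try:                                    # Trudy replays what she sniffed on the wire
        bob.accept(ticket, auth)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:                                    # wrong password: E(SA, TGT, KA) does not decrypt
        alice_talks_to_bob(kdc, bob, "wrong password")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return replay_rejected, wrong_pw_rejected
```

`demo()` returns `(True, True)`. The replay cache is per recipient and only needs to remember authenticators inside the skew window, which is why Kerberos can get away with timestamps instead of a challenge round trip; it also makes a host with a wrong clock either reject everyone or accept old authenticators.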


Kerberos Questions
- When Alice logs in, KDC sends E(SA,TGT,KA) where TGT = E("Alice",SA,KKDC)
  o Q: Why is TGT encrypted with KA?
  o A: Extra work and no added security!
- In Alice's Kerberized login to Bob, why can Alice remain anonymous?
- Why is "ticket to Bob" sent to Alice?
- Where is replay prevention in Kerberos?


Kerberos Alternatives
- Could have Alice's workstation remember password and use that for authentication
  o Then no KDC required
  o But hard to protect password on workstation
  o Scaling problem
- Could have KDC remember session key instead of putting it in a TGT
  o Then no need for TGTs
  o But stateless KDC is big feature of Kerberos


Kerberos Keys
- In Kerberos, KA = h(Alice's password) (in practice salted with the realm and principal name)
- Could instead generate random KA and
  o Compute Kh = h(Alice's password)
  o And workstation stores E(KA, Kh)
- Then KA need not change (on workstation or KDC) when Alice changes her password
- But E(KA, Kh) subject to password guessing
- This alternative approach is often used in applications (but not in Kerberos)


Kerberos Issues?
- What if… Trudy gets Alice's "credentials"?
  o No problem!
  o Credentials encrypted with KKDC
- Trudy breaks into Alice's machine?
  o Session key SA is cached
  o This breaks authentication


Conclusion
- TCP/IP very flexible
- TCP/IP not designed for security
  o Highly hackable
- SSL, IPSec, etc., help
  o But many problems remain


Summary
- TCP/IP, OSI Ref. Model, Layers, …
- Protocols: TCP, UDP, IP, ICMP
- Ports, well-known ports
- TCP flags/control bits
- 3-way handshake
- Unreliable Damn Protocol


Summary
- IP, IP addresses, fragments, etc.
- ICMP, "plumbing"
- Routing, NAT, Firewalls
- Ethernet, hub, switch, MAC address, ARP
- WLAN and 802.11
- PGP, SSH, S/MIME
- SSL and IPSec