CSCE 715: Network Systems Security


1 CSCE 715: Network Systems Security
Chin-Tser Huang University of South Carolina

2 Next Topic in Cryptographic Tools
Symmetric key encryption; asymmetric key encryption; hash functions and message digest; nonce.
09/27/2011

3 A Scenario of Replay Attack
Alice authorizes a transfer of funds from her account to Bob’s account. An eavesdropping adversary makes a copy of this message. Adversary replays this message at some later time.

4 Replay Attacks
Adversary takes past messages and plays them again: whole or part of message, to same or different receiver. Encryption algorithms are not enough to counter replay attacks.

5 Freshness Identifiers
Sender attaches a freshness identifier to message to help receiver determine whether message is fresh. Three types of freshness identifiers: nonces, timestamps, sequence numbers.

6 Nonces
A random number generated for a special occasion. Needs to be unpredictable and not used before. Disadvantage is that it is not suitable for sending a stream of messages. Mostly used in challenge-response protocols.

7 Timestamps
Sender attaches an encrypted real-time timestamp to every message. Receiver decrypts timestamp and compares it with current reading: if difference is sufficiently small, accept message; otherwise discard message. Problem is synchronization between sender and receiver.

8 Sequence Numbers
Sender attaches a monotonically increasing counter value to every message. Sender needs to remember last used number and receiver needs to remember largest received number.

9 Operation of Sequence Numbers
Sender increments sequence number by 1 after sending a message. Receiver compares sequence number of received message with largest received number. If larger than largest received number, accept message and update largest received number. If less than largest received number, discard message.

10 Problem with Sequence Numbers
IPsec uses sequence numbers to counter replay attacks. However, reorder can occur in IP: messages with larger sequence numbers may arrive before messages with smaller sequence numbers. When reordered messages with smaller sequence numbers arrive later, they will be discarded.

11 Anti-Replay Window Protocol in IPsec
Protects IPsec messages against replay attacks and counters the problem of reorder. Sender puts a sequence number in every message. Receiver uses a sliding window to keep track of the received sequence numbers.

12 Comparison with TCP Sliding Window
Purpose: TCP sliding window is used for flow control, while anti-replay window is used for countering replay attacks.
Size: TCP sliding window is of dynamic size, while anti-replay window is of static size (64 recommended by IPsec).

13 Comparison with TCP Sliding Window
Unit: TCP sliding window is byte-oriented, while anti-replay window is packet-oriented.
Retransmission: same sequence number is used in TCP sliding window, while a new sequence number is used in anti-replay window.

14 TCP Sliding Window
[Figure: TCP sliding window over bytes 1 to 11, showing the offered window (advertised by receiver) and the usable window, with regions labelled "sent and acknowledged", "sent, not ACKed", "can send ASAP" and "can't send until window moves".]

15 Anti-Replay Window
[Figure: anti-replay window over the sequence numbers 1, 2, 3, ..., spanning r-w+1 to the right edge r; labels: "received before", "assumed received", "not yet received".]
w is window size. r is right edge of window. Assume s is sequence number of next received message. Three cases to consider.

16 Cases of Anti-Replay Window
Case i: if s is smaller than sequence numbers in window, discard message s.
[Figure: s lies to the left of the window, whose right edge is r.]

17 Cases of Anti-Replay Window
Case ii: s is in window. If s has not been received yet, then deliver message s. If s has been received, then discard message s.
[Figure: two positions of s inside the window, one marked (discard) and one marked (deliver).]

18 Cases of Anti-Replay Window
Case iii: if s is larger than sequence numbers in window, then deliver message s and slide the window so that s becomes its new right edge.
[Figure: window before shift, with right edge r, and window after shift, with right edge s.]

19 Properties of Anti-Replay Window Protocol
Discrimination: receiver delivers at most one copy of every message sent by sender.
w-Delivery: receiver delivers at least one copy of each message that is neither lost nor has suffered a reorder of degree w or more, where w is window size.

20 Problem with Anti-Replay Window
Receiver gets s, where s >> r. Window shifts to right. Many good messages that arrive later will be discarded.
[Figure: window before shift, with right edge r, and window after shift, with right edge s; the good messages between them are discarded.]

21 Automatic Shift vs. Controlled Shift
Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead.
Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later.

22 Three Properties of Controlled Shift
Adaptability: receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment.
Rationality: receiver sacrifices only when messages that could be saved are more than messages that are sacrificed.
Sensibility: receiver stops sacrificing if it senses that the messages it means to save are not likely to come.

23 Additional Case with Controlled Shift
Case iv: s is more than w positions to the right of window. Receiver estimates number of good messages it is going to lose if it shifts the window to s. If the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1. Otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0.
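The receiver logic of cases i to iii and of case iv in one class, as an added Python example that is not part of the lecture. The class and function names are illustrative, sequence numbers are assumed to start at 1, and because the slides do not define the case iv estimate, the code assumes it is the number of sequence numbers skipped between the old and the new window.

```python
class AntiReplayWindow:
    """Receiver side of the window protocol; sequence numbers start at 1."""

    def __init__(self, w=64, dmax=0):
        self.w = w        # window size
        self.r = 0        # right edge; the window covers r-w+1 .. r
        self.seen = 0     # bitmap: bit k set means r-k has been received
        self.d = 0        # counter of messages discarded under case iv
        self.dmax = dmax  # 0 selects automatic shift (cases i-iii only)

    def receive(self, s):
        if s < 1 or s <= self.r - self.w:   # case i: left of the window
            return "discard"
        if s <= self.r:                     # case ii: inside the window
            bit = 1 << (self.r - s)
            if self.seen & bit:
                return "discard"            # already received: a replay
            self.seen |= bit
            return "deliver"
        if self.dmax and s > self.r + self.w:   # case iv: far to the right
            # ASSUMPTION: the slides do not define the estimate; this uses the
            # count of sequence numbers skipped between old and new windows.
            estimate = s - self.w - self.r
            if estimate > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1
                return "discard"            # sacrifice s, keep the window
            self.d = 0
        # case iii (or case iv fall-through): slide so s is the right edge
        self.seen = ((self.seen << (s - self.r)) | 1) & ((1 << self.w) - 1)
        self.r = s
        return "deliver"


def run(window, arrivals):
    """Feed sequence numbers in arrival order; return the verdict for each."""
    return [window.receive(s) for s in arrivals]


# Constructed arrival order: a replay of 2, a reordered 4, a stale 1, then a
# jump to 100 followed by the late messages 6, 7, 8.
ARRIVALS = [1, 2, 3, 2, 5, 4, 1, 100, 6, 7, 8]

if __name__ == "__main__":
    for name, dmax in (("automatic", 0), ("controlled", 3)):
        verdicts = run(AntiReplayWindow(w=4, dmax=dmax), ARRIVALS)
        print(name, list(zip(ARRIVALS, verdicts)))
```

With w = 4, automatic shift delivers 100 and then discards the late 6, 7 and 8, while controlled shift with dmax = 3 discards 100 and delivers them.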

24 Another Problem with Anti-Replay Window
Computer may reset due to transient fault or power loss. If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost.

25 Scenario of Sender Reset
If p is reset, unbounded number of fresh messages are discarded by q.
[Figure: p and q both at seq# 50; p resets to seq# 0, and its following messages 1, 2, 3, ..., 48, 49 are fresh yet discarded by q.]

26 Scenario of Receiver Reset
If q is reset, it can accept unbounded number of replayed messages inserted by adversary.
[Figure: p and q both at seq# 50; q resets to seq# 0, and messages 1, 2, 3, ..., 48, 49 are replayed yet accepted by q.]

27 Overcome Reset Problems
IPsec Working Group: if reset, the Security Association (SA) is deleted and a new one is established; very expensive.
Our solution: periodically push current state of SA into persistent memory (e.g. hard drive); if reset, restore state of SA from this memory.

28 SAVE and FETCH
When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory. When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory.

29 SAVE at Sender
s is sequence number at p. Every Kp messages, p executes SAVE(s) to store current s in persistent memory. Choose appropriate Kp such that in spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent.

30 FETCH at Sender
When p wakes up after reset, p executes FETCH(s) to fetch s stored in persistent memory. After FETCH(s) completes, p executes SAVE(s+2Kp) and waits. After SAVE(s+2Kp) completes, p can send next message using seq# s+2Kp.

31 Convergence of Sender
Assume when p resets, SAVE(s) has not yet completed, and the last sent seq# is s+t. t < Kp, otherwise SAVE(s) should have completed. When p wakes up, s-Kp will be fetched. Therefore, adding 2Kp to fetched seq# guarantees that next sent seq# is fresh.

32 Convergence of Sender
Assume when p resets, SAVE(s) has completed, and the last sent seq# is s+u. u < Kp, otherwise SAVE(s+Kp) should have started. When p wakes up, s will be fetched. Therefore, adding 2Kp to fetched seq# guarantees that next sent seq# is fresh.
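The sender-side SAVE and FETCH argument checked by exhaustive simulation, as an added Python example that is not part of the lecture. The names `Sender` and `worst_gap` are illustrative, and the model assumes the SAVE execution delay is measured in messages sent and is always less than Kp.

```python
class Sender:
    """Sender p; a SAVE started at s completes once s + delay has been sent."""

    def __init__(self, kp, delay):
        assert 0 <= delay < kp   # SAVE(s) must finish before s+Kp is sent
        self.kp, self.delay = kp, delay
        self.disk = 0            # persistent memory
        self.s = 0               # last used sequence number (lost on reset)
        self.pending = None      # (value being saved, seq# at which it lands)

    def send(self):
        self.s += 1
        if self.s % self.kp == 0:                 # every Kp messages: SAVE(s)
            self.pending = (self.s, self.s + self.delay)
        if self.pending and self.s >= self.pending[1]:
            self.disk, self.pending = self.pending[0], None
        return self.s

    def reset(self, margin):
        """Reset, FETCH, SAVE(fetched + margin), wait, then resume."""
        fetched = self.disk                       # an in-flight SAVE is lost
        self.pending = None
        self.disk = fetched + margin              # completes before sending
        self.s = self.disk - 1                    # next send() uses fetched+margin
        return self.disk


def worst_gap(kp, margin):
    """Smallest (first seq# after reset - last seq# before reset) over every
    SAVE delay and every reset point in the first 4*Kp messages."""
    worst = None
    for delay in range(kp):
        for sent in range(1, 4 * kp):
            p = Sender(kp, delay)
            for _ in range(sent):
                last = p.send()
            gap = p.reset(margin) - last
            worst = gap if worst is None else min(worst, gap)
    return worst


if __name__ == "__main__":
    kp = 25  # constructed value of Kp
    print("margin 2Kp:", worst_gap(kp, 2 * kp))   # positive: never reuses
    print("margin  Kp:", worst_gap(kp, kp))       # non-positive: reuse possible
```

A positive worst-case gap means the first sequence number after a reset is always larger than any number sent before it; adding only Kp to the fetched value does not achieve that.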

33 Convergence of Sender

34 Results of SAVE and FETCH
When p is reset, some sequence numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs. When q is reset, the number of discarded messages is bounded by 2Kq. When p or q is reset, no replayed message will be accepted by q.

35 Next Class
Address Resolution Protocol (ARP) and its security problems. Secure ARP. Read paper on website.

