CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Presentation transcript:

1 CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

2 What Can Go Wrong…
08/24/2010 (C) 2010 Chin-Tser Huang
- …when your computer y receives or is waiting for a message m?
[Diagram: m, x, y, Internet]

3 Message Loss
- Adversary A can discard m in its transit
[Diagram: m, x, y, A]

4 Message Interception
- Adversary A can get a copy of m when m passes by
[Diagram: m, x, y, A]

5 Message Modification
- Adversary A can arbitrarily modify the content of m to become m’
[Diagram: m, m’, x, y, A]

6 Message Insertion
- Adversary A can arbitrarily fabricate a message m, pretending that m was sent by x
[Diagram: x, y, A, m with src: x, dst: y]

7 Message Replay
- Adversary A can replay a message m that has been sent earlier by x and received by y
[Diagram: m, x, y, A]

8 Denial-of-Service Attack
- Adversary A can send a huge amount of messages to y to block m from arriving at y
- In the case of a botnet attack, the adversary instructs many bots to send messages to y simultaneously
[Diagram: m, x, y, A]

9 More Scenarios
- In one case, x wants y to be able to verify that message m is sent by a legitimate party, but not to be able to determine the identity of x
[Diagram: m, x, y, Internet, src: ?, dst: y]

10 More Scenarios
- In another case, y wants to be able to prove to a third party z that y receives message m from x
[Diagram: m, x, y, z, Internet, "x sent m to y"]

11 Network Security Is Great…
- Protect messages from interception in their transit
- Provide desired level of privacy for user or data
- Detect and discard messages that are modified, inserted, or replayed
- Disallow unauthorized access to local system resources and sensitive data

12 …But Hard To Achieve
- Many layers in network architecture
- Many different media of network connection
- Adversary’s location hard to determine
- New attacks keep emerging
- Cryptographic overhead

13 Attacks, Mechanisms, and Services
- Security attack: any action that compromises security of information owned by an organization
- Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack
- Security service: a service that enhances security of data processing systems and information transfers of an organization
- A security service uses one or more security mechanisms to counter a security attack

14 Types of Attacks
- Passive attacks
  - Traffic analysis
  - Message interception
- Active attacks
  - Message loss
  - Message modification
  - Message insertion
  - Message replay
  - Denial-of-Service attack

15 Network Security Services
- Confidentiality
- Integrity
- Authentication
- Anti-replay
- …
- Availability
- Access control
- Non-repudiation
- Anonymity

16 Confidentiality
- Keep message known only to the receiver and secret to anyone else
- To counter message interception

17 Integrity
- When receiver receives message m, receiver can verify that m is intact after being sent by the sender
- To counter message modification

18 Authentication
- When receiver receives message m, receiver can verify that m is indeed sent by the sender recorded in m
- To counter message insertion

19 Anti-replay
- When receiver receives message m, receiver can verify m is not a message that was sent and received before
- To counter message replay

20 Availability
- Property of a system or a resource being accessible and usable upon demand by an authorized entity
- To counter denial-of-service attack

21 Access Control
- Mechanism to enforce access rights to resources and data
  - Users can access resources and data to which they have access rights
  - Users cannot access resources and data to which they don’t have access rights

22 Non-repudiation
- Sender non-repudiation: when receiver receives message m, receiver gets proof that sender of m ever sent m
- Receiver of m can show the proof to a third party so that sender of m cannot repudiate

23 Non-repudiation
- Receiver non-repudiation: when receiver receives message m, sender gets proof that receiver of m ever received m
- Sender of m can show the proof to a third party so that receiver of m cannot repudiate

24 Anonymity
- Identity of sender is hidden from receiver
- When receiver receives message m, receiver has no clue about sender of m

25 Network Protocols
- Abstractions of communication between two processes over a network
- Define message formats
- Define legitimate sequence of messages
- Take care of physical details of different network hardware and machines
- Separate tasks in complex communication networks
- For example, FTP and ARP

26 Protocol Layering
- Many problems need to be solved in a communication network
- These problems can be divided into smaller sets, and different protocols are designed for each set of problems
- Protocols can be organized into layers to keep them easy to manage

27 Properties of Protocol Layer
- Functions of each layer are independent of functions of other layers
  - Thus each layer is like a module and can be developed independently
- Each layer builds on services provided by lower layers
  - Thus no need to worry about details of lower layers: they are transparent to this layer

28 Protocol Stack: OSI Model
- Application
- Presentation
- Session
- Transport
- Network
- Data link
- Physical

29 Communicating End Hosts
[Diagram: Host stacks (Application, Presentation, Session, Transport, Network, Data link, Physical) and Router stack (Network, Data link, Physical)]

30 Verification of Network Protocols
- Many complex protocols perform multiple functions with multiple messages
- It is desirable to verify that a protocol can correctly perform functions that it was designed for
- Particularly important for security protocols

31 Traditional Ways of Network Protocol Specification
- Plain English
- Time charts
- Programming languages

32 Shortcomings of Plain English
- Ambiguity
- Different words can have similar meanings
  - process p sends message m to process q
  - process p transmits message m to process q
  - process p forwards message m to process q
  - process p delivers message m to process q
- Same word can have different meanings
  - process p sends message m to process q
  - process p sends file f to process q

33 Shortcoming of Time Chart
- Not scalable
- Many legitimate sequences of messages
- Cannot list all possible legitimate sequences when the number of sequences grows exponentially

34 Shortcoming of Using Programming Language
- Hard to prove correctness of protocol specification
- For example, protocol specified in C language may involve overlap, and may involve transmission delay

35 Formal Ways of Network Protocol Specification
- BAN logic
- Abstract Protocol Notation

36 BAN Logic
- Invented by Burrows, Abadi, and Needham
- Uses logical constructs and postulates to analyze authentication protocols and uncover various protocol weaknesses

37 Logical Constructs
- Assume P and Q are network agents, X is a message, and K is an encryption key
- P believes X: P acts as if X is true, and may assert X in other messages
- P has jurisdiction over X: P's beliefs about X should be trusted
- P said X: At one time, P transmitted (and believed) message X, although P might no longer believe X
- P sees X: P receives message X, and can read and repeat X
- {X}_K: X is encrypted with key K
- fresh(X): X was sent recently
- key(K, P Q): P and Q may communicate with shared key K

38 Examples of Postulates
- If P believes key(K, P Q), and P sees {X}_K, then P believes (Q said X)
- If P believes (Q said X) and P believes fresh(X), then P believes (Q believes X)
- If P believes (Q has jurisdiction over X) and P believes (Q believes X), then P believes X
- If P believes that Q said the concatenation of X and Y, then P also believes that Q said X, and P also believes that Q said Y
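The four postulates above can be applied mechanically. The following is an added example, not part of the original slides: a small forward-chaining engine over a tuple encoding of the logical constructs (the encoding, the names `step`/`derive`, and the key-distribution scenario are assumptions made for illustration). It shows that without the freshness belief, A only learns that B once said the key, which is exactly the gap a replayed message exploits.

```python
# Atoms are strings; formulas are tuples (encoding assumed for this example):
#   ("believes", P, X)  ("sees", P, X)  ("said", P, X)  ("fresh", X)
#   ("jurisdiction", P, X)  ("enc", X, K)  ("key", K, P, Q)  ("cat", X, Y)

def tag(t):
    return t[0] if isinstance(t, tuple) else None

def step(known):
    """Apply each of the four postulates once and return the conclusions."""
    new = set()
    for f in known:
        if tag(f) == "sees" and tag(f[2]) == "enc":
            p, (_, x, k) = f[1], f[2]
            for g in known:  # P believes key(K, P Q), P sees {X}_K => Q said X
                if (tag(g) == "believes" and g[1] == p and tag(g[2]) == "key"
                        and g[2][1] == k and p in g[2][2:]):
                    q = g[2][3] if g[2][2] == p else g[2][2]
                    new.add(("believes", p, ("said", q, x)))
        if tag(f) != "believes":
            continue
        p, body = f[1], f[2]
        if tag(body) == "said":
            q, x = body[1], body[2]
            if tag(x) == "cat":  # Q said (X, Y) => Q said X, Q said Y
                new |= {("believes", p, ("said", q, part)) for part in x[1:]}
            if ("believes", p, ("fresh", x)) in known:  # => Q believes X
                new.add(("believes", p, ("believes", q, x)))
        if tag(body) == "believes":
            q, x = body[1], body[2]
            if ("believes", p, ("jurisdiction", q, x)) in known:  # => X
                new.add(("believes", p, x))
    return new

def derive(facts):
    """Forward-chain the postulates until no new belief appears."""
    known = set(facts)
    while not (new := step(known)) <= known:
        known |= new
    return known

# Constructed scenario: B sends A a session key Ks encrypted under Kab.
KS = ("key", "Ks", "A", "B")
BASE = [("believes", "A", ("key", "Kab", "A", "B")),
        ("believes", "A", ("jurisdiction", "B", KS)),
        ("sees", "A", ("enc", KS, "Kab"))]
FRESH = ("believes", "A", ("fresh", KS))
GOAL = ("believes", "A", KS)

print("with fresh(Ks):", GOAL in derive(BASE + [FRESH]))
print("without it:   ", GOAL in derive(BASE))
```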

39 Shortcomings of BAN Logic
- High level of abstraction
- Need for a protocol idealization step, in which the user is required to transform each message in a protocol into formulas
- Can only verify one round at a time

40 Abstract Protocol Notation
- Presented by Mohamed Gouda in the book Elements of Network Protocol Design
- Formal and scalable
- Proof of correctness of protocol specification can be easily done using state transition diagram

41 Communication Model
- A network of processes and two unbounded FIFO channels between every two processes
[Diagram: process p, process q, channels between them, "Set of messages"]

42 Process Specification
- Each process in a protocol is specified as follows
process px inp : … : var : … : begin [] … [] end

43 Action Execution
- Specified as →
- Satisfy three conditions
  - Atomic: actions in the whole protocol are executed one at a time; one action cannot start while another action execution is in progress
  - Non-deterministic: an action is executed only when its guard is true
  - Fair: if guard of an action is continuously true, then the action is eventually executed

44 State Transition Diagram
- Defines the semantics of a protocol
- State is defined by a value for each variable in protocol and by a message set for each channel in protocol
- Transition is movement from current state to next state triggered by an action execution

45 An Example Protocol

    process p
    var ready: boolean {init. ready=true}
        txt, t: integer
    begin
        ready → txt := any; send rqst(txt) to q; ready := false
     [] rcv rply(t) from q → {use text t in received message} ready := true
    end

    process q
    var t: integer
    begin
        rcv rqst(t) from p → t := any; send rply(t) to p
    end

46 State Transition Diagram of Example Protocol
T.0: ready ∧ ch.p.q = ∧ ch.q.p =
T.1: ~ready ∧ ch.p.q = ∧ ch.q.p =
T.2: ~ready ∧ ch.p.q = ∧ ch.q.p =

47 Adversary Model
- Adversary can change contents of protocol channels by executing the following actions a finite number of times
  - Message loss: lose an original message
  - Message modification: modify the field of an original message to cause a modified message
  - Message replay: replace an original message by another original message to cause a replayed message
  - Message insertion: add to a channel a finite number of arbitrary messages

48 Prove Correctness of Secure Protocol
- Execution of adversary actions may lead the protocol to a bad state
- Protocol is said to be correct if it converges to its good cycle in a finite number of steps after adversary finishes executing its actions
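The convergence criterion can be checked by enumerating states. The following is an added example, not part of the original slides: it explores the request/reply protocol of slide 45 as a state machine, applies the adversary's message-loss action once to every state of the good cycle, and reports the bad states from which the good cycle can no longer be reached. It assumes the integer fields txt and t can be abstracted away and models only message loss; all function names are chosen for this sketch.

```python
from collections import deque

# State = (ready, ch_pq, ch_qp); channels are FIFO tuples of message names.
# Integer fields txt and t are abstracted away (assumption of this sketch).
T0 = (True, (), ())

def protocol_steps(s):
    """Successor states under the three guarded actions of slide 45."""
    ready, pq, qp = s
    out = []
    if ready:                      # p: ready -> send rqst to q; ready := false
        out.append((False, pq + ("rqst",), qp))
    if qp[:1] == ("rply",):        # p: rcv rply from q -> ready := true
        out.append((True, pq, qp[1:]))
    if pq[:1] == ("rqst",):        # q: rcv rqst from p -> send rply to p
        out.append((ready, pq[1:], qp + ("rply",)))
    return out

def loss_steps(s):
    """Adversary action 'message loss': drop one message from either channel."""
    ready, pq, qp = s
    return ([(ready, pq[:i] + pq[i + 1:], qp) for i in range(len(pq))] +
            [(ready, pq, qp[:i] + qp[i + 1:]) for i in range(len(qp))])

def reachable(start):
    """All states reachable from start by protocol actions only."""
    seen, todo = {start}, deque([start])
    while todo:
        for n in protocol_steps(todo.popleft()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def non_converging_after_loss():
    """Good cycle, and bad states after one loss that never rejoin it."""
    good = reachable(T0)
    bad = {b for g in good for b in loss_steps(g)}
    return good, {b for b in bad if not (reachable(b) & good)}

if __name__ == "__main__":
    good, stuck = non_converging_after_loss()
    print("good cycle:", sorted(good))
    print("stuck after one loss:", stuck)
```

Losing either rqst or rply leaves p with ready false and both channels empty, so no guard is enabled and the protocol as written does not converge under message loss.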

49 Next Class
- Network security tools to counter the effects of adversary actions
- Cryptography background of network security tools
- Read Ch. 2

