Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Published byClarissa Dean Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina."— Presentation transcript:

1 CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

2 02/16/20092 Security of Hash Functions and MAC Brute-force attacks strong collision resistance hash have cost 2 m / 2 have proposal for hardware MD5 cracker 128-bit hash looks vulnerable, 160-bit better MACs with known message-MAC pairs can either attack keyspace or MAC at least 128-bit MAC is needed for security

3 02/16/20093 Security of Hash Functions and MAC Cryptanalytic attacks exploit structure like block ciphers want brute-force attacks to be the best alternative Have a number of analytic attacks on iterated hash functions CV i = f[CV i-1, M i ]; H(M)=CV N typically focus on collisions in function f like block ciphers is often composed of rounds attacks exploit properties of round functions

4 02/16/20094 Keyed Hash Functions as MACs Desirable to create a MAC using a hash function rather than a block cipher hash functions are generally faster not limited by export controls on block ciphers Hash includes a key along with the message Original proposal: KeyedHash = Hash(Key|Message) some weaknesses were found with this proposal Eventually led to development of HMAC

5 02/16/20095 HMAC Specified as Internet standard RFC2104 Use hash function on the message: HMAC K = Hash[(K + XOR opad) || Hash[(K + XOR ipad)||M)]] K + is the key padded out to size opad, ipad are specified padding constants Overhead is just 3 more hash compression function calculations than the message alone needs Any of MD5, SHA-1, RIPEMD-160 can be used

6 02/16/20096 HMAC Structure

7 02/16/20097 Security of HMAC Security of HMAC relates to that of the underlying hash algorithm Attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) Choose hash function used based on speed versus security constraints

8 02/16/20098 Hash and MAC Algorithms Hash Functions condense arbitrary size message to fixed size by processing message in blocks through some compression function either custom or block cipher based Message Authentication Code (MAC) fixed sized authenticator for some message to provide authentication for message by using block cipher mode or hash function

9 02/16/20099 See How Cryptographic Tools Really Works OpenSSL is a general-purpose cryptographic library with implementations of Symmetric ciphers: 3DES, AES, … Asymmetric ciphers: RSA, DH, … Hash functions: MD5, SHA-1, …

10 02/16/200910 Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and message digest Nonce

11 02/16/200911 A Scenario of Replay Attack Alice authorizes a transfer of funds from her account to Bob’s account An eavesdropping adversary makes a copy of this message Adversary replays this message at some later time

12 02/16/200912 Replay Attacks Adversary takes past messages and plays them again whole or part of message to same or different receiver Encryption algorithms not enough to counter replay attacks

13 02/16/200913 Freshness Identifiers Sender attaches a freshness identifier to message to help receiver determine whether message is fresh Three types of freshness identifiers nonces timestamps sequence numbers

14 02/16/200914 Nonces A random number generated for a special occasion Need to be unpredictable and not used before Disadvantage is not suitable for sending a stream of messages Mostly used in challenge-response protocols

15 02/16/200915 Timestamps Sender attaches an encrypted real-time timestamp to every message Receiver decrypts timestamp and compares it with current reading if difference is sufficiently small, accept message otherwise discard message Problem is synchronization between sender and receiver

16 02/16/200916 Sequence Numbers Sender attaches a monotonically increasing counter value to every message Sender needs to remember last used number and receiver needs to remember largest received number

17 02/16/200917 Operation of Sequence Numbers Sender increments sequence number by 1 after sending a message Receiver compares sequence number of received message with largest received number If larger than largest received number, accept message and update largest received number If less than largest received number, discard message

18 02/16/200918 Problem with Sequence Numbers IPsec uses sequence number to counter replay attacks However reorder can occur in IP Messages with larger sequence number may arrive before messages with smaller sequence numbers When reordered messages with smaller sequence numbers arrive later, they will be discarded

19 02/16/200919 Operation of Sequence Numbers Sender increments sequence number by 1 after sending a message Receiver compares sequence number of received message with largest received number If larger than largest received number, accept message and update largest received number If less than largest received number, discard message

20 02/16/200920 Problem with Sequence Numbers IPsec uses sequence number to counter replay attacks However reorder can occur in IP Messages with larger sequence number may arrive before messages with smaller sequence numbers When reordered messages with smaller sequence numbers arrive later, they will be discarded

21 02/16/200921 Anti-Replay Window Protocol in IPsec Protect IPsec messages against replay attacks and counter the problem of reorder Sender puts a sequence number in every message Receiver uses a sliding window to keep track of the received sequence numbers

22 02/16/200922 Comparison with TCP Sliding Window Purpose: TCP sliding window is used for flow control, while anti-replay window for countering replay attack Size: TCP sliding window is of dynamic size, while anti-replay window is of static size (64 recommended by IPsec)

23 02/16/200923 Comparison with TCP Sliding Window Unit: TCP sliding window is byte- oriented, while anti-replay window is packet-oriented Retransmission: same sequence number used in TCP sliding window, while new sequence number used in anti-replay window

24 02/16/200924 TCP Sliding Window 1234567891011… offered window (advertised by receiver) usable window sent, not ACKed acknowledged sent and can send ASAP can’t send until window moves

25 02/16/200925 Anti-Replay Window w is window size r is right edge of window Assume s is sequence number of next received message Three cases to consider 1 w right edge r 23 sequence numbers not yet received received before assumed received r-w+1

26 02/16/200926 Cases of Anti-Replay Window Case i: if s is smaller than sequence numbers in window, discard message s 1w sr

27 02/16/200927 Cases of Anti-Replay Window Case ii: s is in window if s has not been received yet, then deliver message s if s has been received, then discard message s 1w srs (deliver)(discard)

28 02/16/200928 Cases of Anti-Replay Window Case iii: if s is larger than sequence numbers in window, then deliver message s and slide the window so that s becomes its new right edge 1w sr window before shift 1w window after shift

29 02/16/200929 Properties of Anti-Replay Window Protocol Discrimination: receiver delivers at most one copy of every message sent by sender w-Delivery: receiver delivers at least one copy of each message that is neither lost nor suffered a reorder of degree w or more, where w is window size

30 02/16/200930 Problem with Anti-Replay Window Receiver gets s, where s >> r Window shifts to right Many good messages that arrive later will be discarded discarded good msgs 1w r window before shift s 1w window after shift

31 02/16/200931 Automatic Shift vs. Controlled Shift Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later

32 02/16/200932 Three Properties of Controlled Shift Adaptability receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment Rationality receiver sacrifices only when messages that could be saved are more than messages that are sacrificed Sensibility receiver stops sacrificing if it senses that the messages it means to save are not likely to come

33 02/16/200933 Additional Case with Controlled Shift Case iv: s is more than w positions to the right of window receiver estimates number of good messages it is going to lose if it shifts the window to s if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1 otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0

34 02/16/200934 Another Problem with Anti-Replay Window Computer may reset due to transient fault or power loss If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost

35 02/16/200935 Scenario of Sender Reset If p is reset, unbounded number of fresh messages are discarded by q 49483210 pq seq# : 50 seq# : 50 fresh messages yet discarded by q seq# : 0 reset

36 02/16/200936 Scenario of Receiver Reset If q is reset, it can accept unbounded number of replayed messages 49483210 pq inserted by adversary seq# : 50 seq# : 50 replayed yet accepted by q seq# : 0 reset

37 02/16/200937 Overcome Reset Problems IPsec Working Group: if reset, the Security Association (SA) is deleted and a new one is established -- very expensive Our solution: periodically push current state of SA into persistent memory (e.g. hard drive); if reset, restore state of SA from this memory

38 02/16/200938 SAVE and FETCH When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory

39 02/16/200939 SAVE at Sender s is sequence number at p Every K p messages, p executes SAVE(s) to store current s in persistent memory Choose appropriate K p such that in spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+K p is sent

40 02/16/200940 FETCH at Sender When p wakes up after reset, p executes FETCH(s) to fetch s stored in persistent memory After FETCH(s) completes, p executes SAVE(s+2K p ) and waits After SAVE(s+2K p ) completes, p can send next message using seq# s+2K p

41 02/16/200941 Convergence of Sender Assume when p resets, SAVE(s) has not yet completed, and the last sent seq# is s+t t < K p otherwise SAVE(S) should have completed When p wakes up, s-K p will be fetched Therefore, adding 2K p to fetched seq# guarantees that next sent seq# is fresh

42 02/16/200942 Convergence of Sender Assume when p resets, SAVE(s) has completed, and the last sent seq# is s+u u < K p otherwise SAVE(S+K p ) should have started When p wakes up, s will be fetched Therefore, adding 2K p to fetched seq# guarantees that next sent seq# is fresh

43 02/16/200943 Convergence of Sender

44 02/16/200944 Results of SAVE and FETCH When p is reset, some sequence numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs When q is reset, the number of discarded messages is bounded by 2K q When p or q is reset, no replayed message will be accepted by q

45 02/16/200945 Next Class Address Resolution Protocol (ARP) and its security problems Secure ARP Read paper on website

Download ppt "CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina."

Similar presentations

Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
CSCE 715: Network Systems Security

CSCE 715: Network Systems Security
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Authentication & digital signature Jen-Chang Liu Adapted from lecture slides by Lawrie Brown.

Authentication & digital signature Jen-Chang Liu Adapted from lecture slides by Lawrie Brown.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Similar presentations

Ads by Google