程序代写代做代考 scheme chain algorithm cache dns Warnings….

Warnings….
• Format Warning:

– Today’s slides are borrowed from CSE473
without being properly converted to this class’s
google slides format….

• Coverage Warning
– Included are some details that we have not

covered the background material for so we will
gloss over some areas.

CSE 523S:
Systems Security
Computer & Network

Systems Security

Spring 2018
Jon Shidal

(slides borrowed from CSE473)

Plan for Today
• Questions
• Assignment
• System Design & Security

– [x] Why are our computer systems vulnerable?
– [x] Working with binaries and processes
– [x] Why are our networks vulnerable?
– Working with packets — Next class
– Network security revisited

Assignment
• For Monday

– HW2 Due
– Readings

• HTAOE: Ch. 4 195-223
• For Wednesday

– Readings
• HTAOE: Ch. 3 115-132

• For Monday (2/19)
– The following sections of Metasploit Unleashed

• Introduction, Metasploit Fundamentals, Information
Gathering, Vulnerability Scanning, Exploit Development

http://www.offensive-security.com/metasploit-unleashed

Principles of Network Security/
Internet Attacks and Defenses

■ Basic principles
■ Symmetric encryption
■ Public-key encryption
■ Signatures, authentication, message integrity
■ Denial-of-Service & Distributed Denial-of-Service

John DeHart
Based on material from Jon Turner, Roch Guerin and Kurose & Ross

Four Elements of Network Security

■ Confidentiality
» only sender, intended receiver should “understand” message
» sender encrypts message, receiver decrypts

■ Authentication
» sender, receiver want to confirm identity of each other
» Use of “certification of authenticity” issued by trusted entity

■ Message integrity
» sender, receiver want to ensure message not altered (in transit, or

afterwards) without detection
■ Access and availability

» services must be accessible and available to users
6

A Traditional Model of Security

■ Alice & Bob want to communicate “securely”
■ Trudy (intruder) may intercept, delete, add, and modify

messages
7

Secure
Sender

channel data, control
messages

data data

Alice Bob

Trudy

Secure
Receiver

The Language of Cryptography

m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
Note that KA and KB need not be identical

i.e., symmetric vs. asymmetric encryption
8

plaintext plaintextciphertext

KA

encryption
algorithm

decryption
algorithm

Alice’s
encryption

key

Bob’s
decryption

key
KB

Simple Encryption Scheme
■ Substitution cipher

» substituting one thing for another
» Mono-alphabetic cipher: substitute one letter for another

plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: mnbvcxzasdfghjklpoiuytrewq

plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Encryption key: mapping from set of 26 letters to set of 26
letters (26! Possible mappings to choose from)

9

Breaking an Encryption Scheme
■ Cipher-text only attack

» Trudy just has ciphertext she can analyze
» two approaches:

• brute force: search through all keys
• statistical analysis – e.g., using fact that ‘e’ is most common letter

■ Known-plaintext attack
» Trudy has at least some plaintext corresponding to ciphertext
» e.g., in mono-alphabetic cipher, Trudy determines pairings for

a,l,i,c,e,b,o,
■ Chosen-plaintext attack

» Trudy can get ciphertext for chosen plaintext
■ Ideally, an encryption scheme should be resistant to even a

chosen-plaintext attack 10

Block Cipher Encryption – (1)
■ Transposition block cipher

» Changing the order of the input
» a.k.a. a scrambler

3-bit block: 1 2 3

3-bit transposed block: 2 3 1
input: 011 110 001 010 000
ciphertext: 110 101 010 100 000

Encryption key: permutation of k-bit blocks (k!=6 distinct permutations
for k=3, i.e., key of size ⎡log2 k!⎤ or ⎡log2 3!⎤ = 3 bits)
Why 3 bits? What do we use the 3 bits to identify?

11

Block Cipher Encryption – (2)
■ Substitution block cipher

» Maps a k-bit block to another uniquely distinct k-bit block
» k-bit block input is one out of 2k possible input
» Substitution applies permutation to all possible 2k inputs

input: 011 110 001 010 000

ciphertext: 111 001 011 100 101
Encryption key: permutation among 23=8 3-bit blocks (8!=40,320
distinct permutations, i.e., key of size ⎡log2 8!⎤ = 16 bits Why 16 bits?
What do we use the 16 bits for? 12

3×8 decoder

1 2 3

8 blocks permutation

3×8 decoder

1 2 3

000 101
001 011
010 100
011 111
100 000
101 010
110 001
111 110

Symmetric Key Cryptography

■ Symmetric key cryptography
» Bob and Alice share same (symmetric) key: KS
» e.g., key might be knowing the substitution pattern in mono

alphabetic substitution cipher
■ Main issue: how do Bob and Alice agree on key value?

» need a separate, secure channel (to exchange key)
» governments can use couriers, but that’s not a practical solution for

individuals over the Internet
13

plaintextciphertext

KS

encryption
algorithm

decryption
algorithm

plaintext
message, m

KS

KS(m) m=KS(KS(m))

Block Ciphers
■ DES (Data Encryption Standard) is an example of a block cipher

» encrypts fixed length chunks separately (each chunk is a letter in an alphabet of
size 2k, where k is the chunk size in bits)

■ Naive implementation can be vulnerable
» if each block is encrypted in the same way, repeated clear-text blocks produce

repeated cipher-text blocks
» statistics of repeated blocks can aid attacker

■ Cipher Block Chaining (CBC) used to address this
» makes identical clear-text blocks look different when encrypted
» example: each clear-text block m is xor-ed with a different “random” value

before encryption
• start with random Initialization Vector (IV) and xor this with first block before

encrypting (IV sent to receiver, but need not be secret)
• before encrypting each subsequent block, xor it with the ciphertext of the

previous block 14

General Cipher Block Chaining
■ Repeat across independent blocks

(IV = Initial Vector – can be sent in the clear)

IV

Block1

Cipher1

DES

Block2

Cipher2

DES

Block3

Cipher3

DES

Block4

Cipher4

DES

15

XOR

■ Any other cipher block encryption can be used in lieu
of DES

Data Encryption Standard (DES)
■ Block cipher with cipher block chaining

» 56-bit symmetric key, 64-bit plaintext input
■ How secure is it?

» DES Challenge: 56-bit-key-encrypted phrase decrypted
(brute force) in less than a day in January 1999

» no known good analytic attack
» Has been withdrawn as a NIST standard.

■ More secure variant
» 3DES: encrypt 3 times with 3 different keys
» Advanced Encryption Standard (AES)

• replaced DES in 2001
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• a computer that could break DES in one second (by brute force) would need

149 trillion years to break AES
16

DES Cipher

■ encrypt 64 bit chunks
■ initial permutation
■ 16 identical “rounds” of

function application, each
using different 48 bits of key
= F(56 bit key)

■ final permutation

DES operation
(encryption by obfuscation)

17

Public Key Cryptography
■ The problem with symmetric keys

» They require sender & receiver to know a shared secret key
» ok for governments perhaps, but no good for public internet

■ Public key cryptography
» radically different approach [Diffie-Hellman76, RSA78]
» built around idea of “one-way functions” that are easy to compute, but

computationally difficult to invert
» uses two keys

• public key known to all (used to encrypt messages)
• private key known only to message recipient (used to decrypt)

» since no common shared key, allows communication with strangers over
insecure network

» drawback: computationally expensive for large messages
• in practice, used to encrypt and share symmetric keys

18

Public Key Cryptography

19

plaintext
message, m

ciphertextencryption
algorithm

decryption
algorithm

Bob’s public key

plaintext
message

Bob’s private key

encryption
algorithm K+B(m) m=K–B(K+B(m))

K–B

K+B

One-Way Functions
■ Function that is easy to compute, hard to invert

» example: easy to multiply two large prime numbers, but hard to find prime
factors of a large composite number
• no known method that is substantially better than trial-and error
• a 300 digit number has about 10150 candidate factors

■ Key idea leading to practical public-key encryption
» compute product of two large primes and make product public, while keeping

prime factors private
» product can be used to encrypt message, but to decrypt it, you must know the

prime factors
■ RSA method based on this idea

» named for its inventors Rivest, Shamir and Adelman
■ Alternate one-way functions have been proposed

» based on variety of hard (NP-complete) computational problems
20

Background: Modulo Arithmetic
■ x mod n = remainder of x when divided by n
■ Basic properties

[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) – (b mod n)] mod n = (a–b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n

■ Consequently,
(a mod n)d mod n = ad mod n

= [(a mod n)l mod n]*[(a mod n)d-l mod n] mod n
■ Example: a=14, n=10, d=3:

(a mod n)d mod n = (14 mod 10)3 mod 10
= 43 mod 10

= 64 mod 10 = 4
ad = 143 = 2744 ad mod 10 = 4

21

Creating an RSA Key Pair
1. Choose two large prime numbers p, q (say, 1024 bits long) and compute n=pq
2. Choose a number e<(p–1)(q–1) with no common factor >1 with (p–1)(q–1), i.e., e

and (p–1)(q–1) are relatively prime
3. Choose a number d such that ed–1 is a multiple of (p–1)(q–1)
equivalently, d = (k(p–1)(q–1)+1)/e for some positive integer k

4. Public key K+=(n,e), private key K–=(n,d)
5. Advertise K+ but keep K– private, and discard (do not disclose) p and q (if p and q

are known, e and d can be easily inferred)

Example with small numbers:

p=5, q=7, n=35, (p–1)(q–1)=24, e=5, d=29

(d = (6*4*6+1)/5 = 29 for k=6, p-1=4, q-1=6, e=5 )

Dependent on having an efficient way to generate large prime numbers and efficient
ways to select e and d 22

RSA Encryption/Decryption
Sending encrypted message to owner of (K+ K–)

■ Given (n,e), (n,d) as discussed, and message m K+A(K–B(c))=m
» Only B can decrypt it and B can confirm it came from A.

30

Certificate Authorities
■ Public-key systems require a secure way of making public keys available

» can’t simply start by exchanging public keys in the clear, as this allows
a “man-in-the-middle” attack
• intruder, sitting between A and B, can substitute its own public key,

causing A to encrypt messages using intruder’s public key
• intruder can then snoop on messages and re-encrypt using B’s public

key, so B can’t detect intrusion
■ Certificate Authority (CA) vouches for the association between a user and

their public key
» CA provides Bob with signed certificate of Bob’s identity

• CA encrypts Bob’s identifier and public key using CA’s private key
» so, Alice decrypts certificate using CA’s public key

• public keys for “reputable” CAs “built in” to browsers
» security depends on trustworthiness/reliability of CAs 31

Elements of Network Security
■ Confidentiality

» only sender, intended receiver should “understand” message
» sender encrypts message, receiver decrypts

■ Authentication
» sender, receiver want to confirm identity of each other
» Use of “certification of authenticity” issued by trusted entity

■ Message integrity
» sender, receiver want to ensure message not altered (in transit, or

afterwards) without detection
■ Access and availability

» services must be accessible and available to users
32

Verifying Message Integrity
■ How do we prevent an intruder from tampering with messages?

» can encrypt and sign messages, but is this necessary?
■ Use a hash function h to produce message digest

» sender computes h(m) and sends pair (m,h(m+s)=MAC)
• s is a shared secret, hash value is Message Authentication Code

» receiver computes h(m+s) and compares to received value
» requires hash function that is hard to invert

• MD5, SHA-1, SHA-2, SHA-3 are commonly used “cryptographic hash
functions”

■ Can also use this to reduce effort for digital signatures
» sender encrypts h(m) and sends pair (m, K–(h(m)))
» receiver computes h(m) and compares it to received value, after

decrypting it using sender’s public key
33

Elements of Network Security
■ Confidentiality

» only sender, intended receiver should “understand” message
» sender encrypts message, receiver decrypts

■ Authentication
» sender, receiver want to confirm identity of each other
» Use of “certification of authenticity” issued by trusted entity

■ Message integrity
» sender, receiver want to ensure message not altered (in transit, or

afterwards) without detection
■ Access and availability

» services must be accessible and available to users

34

Traffic Attacks & Defenses Overview
■ Access and Availability
■ Traffic attacks: The goal is to overwhelm the target’s resources at either the network or

host/application level
» Network attacks

• DNS amplification attack: Requires access to open DNS server and use of spoofed addresses (that of
the target)

• Bandwidth flooding: If you have a large enough botnet, you can generate lots of traffic without
resorting to address spoofing

» Application attacks
• TCP SYN attack: Seeks to exhaust server state resources by opening lots of fake connections
• HTTP GET flood: Same concept but with HTTP
• TCP “shrew” attacks: takes advantage of TCP’s own behavior (more on later slide)

■ Defenses: Aimed at detecting, redirecting, and preventing attacking packets from reaching
their target (or the target’s network)
» Address filtering: Primarily aimed at countering address spoofing
» Unicast Reverse Path Filtering (uRPF): Discards traffic arriving from incorrect or invalid interface (only

works when routing is symmetric)
» Black holes and sink holes: Used to attract unwanted traffic (backscatter) or redirect traffic for attack

target

35

First Some Definitions
■ Bogon prefix

» route that should never appear in an internet routing table.
• Private, reserved, unallocated, etc.

» Often used by attackers as their source address.
» IANA (Internet Assigned Numbers Authority) maintains bogon list
» IPv4 bogon list is shrinking as address space is used up.

■ Internet Background Noise (IBN)
» Packets addressed to addresses or ports where there is no network

device to receive them.
■ Backscatter

» IBN resulting from DDoS attack using spoofed addresses

36

Network Ingress Filtering

■ Defeating Denial of Service Attacks which employ IP Source
Address Spoofing – BCP 38 (RFC 2827)
» BCP: Internet Best Current Practices

■ Covers cases involving spoofing of both unreachable as well as
valid addresses
» The latter can translate into a “double” attack, i.e., the spoofed source

may now be filtered by the domain under attack, or the response traffic
may swamp the unwitting source, e.g., as with a DNS amplification
attack

■ Filter traffic entering router from a known domain to ensure
that source address is from that domain.

37

Black-Hole Router
■ Helps identify attacks when they start, including on the network

infrastructure itself
■ Also called Network Telescope

» Targets the dark/unused address space of Internet.
■ Advertise reachability to prefix in bogon address space
■ Inferring DDoS attacks from backscatter measurements

» Assumes that attackers use randomly selected spoofed addresses, with
“responses” from victims sent back to those random source addresses

» Extrapolates frequency, magnitude, and types of attacks from
backscatter responses sent to address located in a “quiet” /8 network
(1/256th of the Internet address space)

38

Sink Holes
■ The network equivalent of a honey pot: One or more dedicated

network/router that seeks to attract or divert attack traffic and support its
analysis
» A double monitoring and defense role
» Advertise host route for server under attack

• Diverts all attack traffic to sink hole network
» Advertise default route in local domain

• Pulls in all internal (and external) “junk” traffic, e.g., to bogon address space
■ Other uses

» Monitoring scanning of infrastructure addresses (pre-attack)
• By advertising default route of routed for bogon IPs

» Monitoring activity on dark space (worms for locally infected clients)
» Capture backscatter, i.e., responses (from attack victims) to bogon address

space and addresses spoofed by attackers

39

DNS Attacks
■ Redirecting traffic to an attacker by hijacking DNS replies

» Faking a response to a query requires only spoofing a source address
and guessing an ID field value (DNS has no authentication)

» This together with DNS caching behavior makes it easy to implement
various DoS attacks a.k.a. cache poisoning (setting the TTL value of the
reply to a high value will ensure that resolvers keep the fake answer for
a long time)

» The scope of cache poisoning can range from a single client to a slave
primary server handling an entire zone (the attack then targets the
zone transfer messages)

» DNSSEC (RFCs 4033, 4035) adds one-way authentication to DNS
responses, i.e., provides data integrity and origin authentication

40

DNS Attacks (continued)
■ DNS Amplification Attack

» Attacker issues DNS request with source address spoofed to target
machine
• Request asks for large amount of data, type “ANY”.

» Amplification is a function of the number of replies that can be directed
to the host under attack, and the size of those replies (creating fake
DNS records that can be used during attacks can significantly augment
the size of the DNS replies)

■ DNSSEC does not prevent DNS amplification attacks
» They only require spoofing the source address of DNS queries, but

depend on access to open DNS servers
41

Application Layer attacks: Low-Rate TCP-Targeted
Denial of Service Attacks
■ Most servers now have mechanisms to defend against TCP SYN attacks, so

attackers need to be a bit more creative
■ Rather than blast traffic to swamp a server, take advantage of TCP’s behavior

to mount effective attacks that are harder to detect (low rate)
■ Relies on sending properly timed short periodic bursts of packets

» Packet bursts induce multiple losses and delay retransmissions for RTO
• RTO: Retransmission TimeOut

» Another burst after another RTO can result in many/most flows experiencing repeated
time-outs

■ Effective even in the presence of flows with heterogeneous RTO and RTT
values
» Select appropriate intermediate RTO value
» Can actually force the time-out synchronization of heterogeneous flows

■ Neither router based schemes (RED-PD) nor end-host based schemes (RTO
randomization) are able to successfully detect or diffuse the attacks 42

The End.

43