Network Security

Security 1 (CM0475, CM0493) 2020-21 Università Ca’ Foscari Venezia

Riccardo Focardi www.unive.it/data/persone/5590470 secgroup.dais.unive.it Operating systems protect data through user authentication, access control and authorization

Data sent over a network is Introduction vulnerable to sniﬃng and Network (in)security tampering Network security requires cryptography

2 Security protocols aim at providing security over insecure networks

Typical properties: authenticity, Introduction conﬁdentiality, integrity Cryptographic techniques: Security protocols symmetric and asymmetric cryptography, digital signature, Message Authentication Code (MAC)

3 Secure email: S/MIME

Secure/Multipurpose Internet Mail Enveloped data: encrypted content of Extension (S/MIME) is a security any type enhancement to the MIME Internet Signed data: signed content base64 e-mail format standard encoded (requires S/MIME to view) MIME deﬁnes content formats such Clear-signed data: signed content, as text, image, audio, and video with only signature base64 encoded S/MIME adds content types that (can be viewed without S/MIME) allow for signing and/or encrypting Signed and enveloped data: signed e-mail messages and encrypted content of any type

4 Signed and clear-signed data

Algorithms: RSA or DSA (Digital Recipient with S/MIME: Signature Algorithm) with a secure 1. Decode base64 and obtains s hash such as SHA-256 and Msg

s = RSASK( SHA-256( Msg ) ) 2. Check that RSA ( s ) == SHA-256( Msg ) SK is the private key of the sender PK PK is the public key of the sender ● clear-signed: base64( s ) + Msg is sent to recipient, or Recipient without S/MIME will only be ● signed: base64( s + Msg ) is sent able to view clear-signed message to recipient

5 Enveloped data

Algorithms: RSA and AES (Advanced Recipient with S/MIME: Encryption Standard) 1. Decode base64 and obtains e 1. generate a fresh AES key K and eK

2. e = AES_EK( Msg ) 2. K = RSASK( eK ) (a cipher mode is used) SK is the private key of the

3. eK = RSAPK( K ) recipient

PK is the public key of the 3. Msg = AES_DK( e ) recipient AES cipher mode is required to 4. base64( e + eK ) is sent to encrypt Msg of arbitrary size recipient

6 Efail attack [USENIX 2018]

Efail attack exploits two different Attack 1: weaknesses of S/MIME and 1. intercept encrypted message c openPGP (which is similar to 2. forge another message c’ whose S/MIME) decryption is Weak cipher modes: both S/MIME

7 Efail attack [USENIX 2018]

MIME parser vulnerability: clients do Attack 2: not isolate multiple MIME parts of an 1. intercept encrypted message c email but display them in the same 2. forge another message HTML document Thunderbird 3. c is decrypted on the ﬂy and replaced with its plaintext p ⇒ direct plaintext exﬁltration 4. p goes to web server logs

8 Efail attack 2: example

Middle part is decrypted and the three are stitched together:

which is URLencoded as:

NOTE: No obvious ﬁxes for attack 1 that requires “authenticated encryption modes” in S/MIME and openPGP. More detail at the attack web page 9 DomainKeys Identiﬁed Mail (DKIM)

DKIM allows administrative domains Transparency: DKIM is not visible by to digitally sign e-mail messages end users

Signature is verified through the  no modification in email clients domain public key, which is publicly  no certificates for end users available  applies to all emails from cooperating domains Widely adopted by many email providers (e.g. google, yahoo), ISPs, ☹ only confirms the administrative governments domain and not the actual sender

10 SSL and TLS

Secure Sockets Layer (SSL) and its Handshake protocol: creates a successor Transport Layer Security secure session between the client (TLS) are security services and the server implemented as a set of protocols Alert protocol: deals with alerts and that rely on TCP suitably closes open sessions and Aim: end-to-end security connections

Record protocol: provides basic Heartbeat protocol: keeps sessions security services to various alive by periodically sending higher-layer protocols “heartbeat” messages

11 Record protocol

Provides two services for SSL connections based on the keys negotiated during handshake

Conﬁdentiality: a shared secret key k1 is used for symmetric encryption of SSL payloads

Message integrity: a shared secret key k2 is used to compute a Message Authentication Code (MAC)

Figure from Lawrie Brown, William Stallings. Computer Security: Principles and Practice, 4/E, Pearson. 12 Handshake protocol

Establishes a secure TLS session Client Server

Phase 1: Establish security client_hello capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers server_hello Note: random numbers will be used to prevents replay attacks

13 Handshake protocol: phase 2

Phase 2: Server may send certiﬁcate, Client Server key exchange and request certiﬁcate

certificate Server signals end of hello message phase server_key_exchange Note: this phase depends on the certificate_request particular cipher suite selected in phase 1 server_hello_done

14 Handshake protocol: phase 3

Phase 3: Client checks validity of Client Server server certiﬁcate certificate

Then, it sends certificate if requested, client_key_exchange key exchange and possibly certificate verification certificate_verify

Note: certificate verification is a signature of handshake data and proves that client knows the private key corresponding to the public one in the certificate (if requested) 15 Handshake protocol: phase 4

Phase 4: commit the negotiated Client Server change_cipher_spec cipher suite and finish handshake protocol finished Note: messages finished are sent using the agreed cipher suit in order to confirm that client and server correctly agree on algorithms, keys change_cipher_spec and secrets finished

Technically this phase is named Change Cipher Spec Protocol 16 Since the ﬁrst introduction of SSL in 1994 numerous attacks have been devised against these protocols

Fixes required:

SSL/TLS attacks ● changes in the protocol ● changes in the crypto tools used ● changes in the implementation

Analysis “in the wild” [S&P19]

17 Bleichenbacher attack (1998 → 2018)

Bleichenbacher attack (1998): The Idea: the attacker tries many attack allows to break RSA ciphertexts related to the target one, ciphertexts by exploiting a weak until one is accepted and discovers padding scheme the ﬁrst two bytes of the plaintext

Padding in RSA is used to randomize ⇒ the relation allows for guessing the plaintext so to prevent trivial bits of the target plaintext brute-force ● Attack optimized [Crypto12] PKCS#1 v1.5 padding starts with ● Return Of Bleichenbacher's bytes 0x00 0x02 Oracle Threat (ROBOT), 2018

18 CRIME attack (2012)

CRIME (Compression Ratio Info-leak Idea: the attacker injects suitably Made Easy) allows to recover the crafted strings and observes the content of web cookies when data compression rate compression is used along with TLS When compression rate increases Assumption 1: the attacker can inject there are duplicate strings values of his/her choice in the ⇒ char-by-char brute-forcing requests (e.g. through malicious 2013: BREACH based on CRIME javascript making cross requests) Fix: disable compression in TLS Assumption 2: the attacker can sniff the encrypted traﬃc 19 PKI attacks

PKI (Public Key Infrastructure) In [ACM2012] many SSL/TLS library allows for checking certificate validity implementations have been shown to have vulnerable certificate validation Certificates link public keys to implementations entities that own the corresponding private keys Badly designed APIs and data-transport libraries which present If certificates are not properly developers with a “confusing” array checked a Man-In-The-Middle (MITM) of settings and options attack is possible ⇒ server impersonation ⇒ many application not checking certificates! 20 Heartbleed attack (2014)

Heartbeat protocol: the request Attack: contains payload length and payload, ● The attacker forges a request which is “echoed” back in response message with minimum length OpenSSL bug: (e.g., 16 bytes) declaring maximum length (e.g., 64 Kbyte) 1. read the incoming request ● The attacker gets back about 64 message and allocate a buffer Kbyte of uninitialized memory in 2. overwrites the buffer with the the response, that might incoming message contain server secrets and keys 3. did not check that the length was the declared one! More detail here Simpliﬁed picture 21 IPv4 and IPv6 security

IPSec provides security over IPv4 Secure branch oﬃce connectivity: A (optional) and IPv6 company can build a virtual private network (VPN) over the Internet Authentication: received packet was transmitted by the party identiﬁed as Secure remote access: An end user the source in the packet header can gain secure access to a company (implies integrity) network over the Internet

Conﬁdentiality: enables end-to-end Secure connectivity with partners: encryption to prevent eavesdropping secure communication with other by third parties organizations

22 IPSec advantages

In a firewall or router: strong security Security for individual users: useful for all traffic crossing the perimeter, for off-site workers and for setting no overhead for internal traffic up a secure virtual subnetwork within an organization for sensitive Transparency: IPSec is below applications transport (TCP and UDP) so it is fully transparent to applications Securing other protocols: IPSec can be used to make insecure protocols Usability: users are not required to more secure use security tools because IPSec Example: routing protocols can be provides security transparently protected by running over IPSec

23 Security association

IPsec provides a combined Security Association (SA): one-way authentication/encryption function relationship between a sender and a called Encapsulating Security receiver Payload (ESP) and a key exchange ⇒ function (ISAKMP) Two-way secure exchange requires two SAs ⇒ most applications (es. VPN) require both authentication and SA is identiﬁed through a encryption ● Security Parameter Index (SPI), similar to ports (Authentication-only is deprecated) ● Destination IP address

24 SA main ﬁelds

Sequence number counter: 32-bit Lifetime for this SA: A time interval or value used to generate the Sequence byte count after which an SA must be Number ﬁeld in ESP headers replaced with a new SA

Anti-replay window: a sliding window IPSec protocol mode: tunnel or within which the sequence number transport (discussed next) must fall Path MTU: Any observed path ESP information: encryption and maximum transmission unit authentication algorithm, keys, (maximum size of a packet initialization values, key lifetimes transmitted without fragmentation)

25 IPsec ESP Format

Figure from Lawrie Brown, William Stallings. Computer 26 Security: Principles and Practice, 4/E, Pearson. IPSec protocol modes

Transport mode: Typically used for Tunnel mode: Typically, security end-to-end communication between gateways that implements IPsec two hosts Hosts behind the gateways Example: for ESP over IPv4, the communicate through the tunnel with payload is the data that normally gateways source and destination IPs follow the IP header (entire IP packet is encapsulated)

ESP in transport mode encrypts and Example: IPSec VPNs authenticates the IP payload and optionally authenticates the IP ESP in tunnel mode encrypts and header authenticates the entire IP packet 27