Network Security
Security 1 (CM0475, CM0493) 2020-21 Università Ca’ Foscari Venezia
Riccardo Focardi www.unive.it/data/persone/5590470 secgroup.dais.unive.it Operating systems protect data through user authentication, access control and authorization
Data sent over a network is Introduction vulnerable to sniffing and Network (in)security tampering Network security requires cryptography
2 Security protocols aim at providing security over insecure networks
Typical properties: authenticity, Introduction confidentiality, integrity Cryptographic techniques: Security protocols symmetric and asymmetric cryptography, digital signature, Message Authentication Code (MAC)
3 Secure email: S/MIME
Secure/Multipurpose Internet Mail Enveloped data: encrypted content of Extension (S/MIME) is a security any type enhancement to the MIME Internet Signed data: signed content base64 e-mail format standard encoded (requires S/MIME to view) MIME defines content formats such Clear-signed data: signed content, as text, image, audio, and video with only signature base64 encoded S/MIME adds content types that (can be viewed without S/MIME) allow for signing and/or encrypting Signed and enveloped data: signed e-mail messages and encrypted content of any type
4 Signed and clear-signed data
Algorithms: RSA or DSA (Digital Recipient with S/MIME: Signature Algorithm) with a secure 1. Decode base64 and obtains s hash such as SHA-256 and Msg
s = RSASK( SHA-256( Msg ) ) 2. Check that RSA ( s ) == SHA-256( Msg ) SK is the private key of the sender PK PK is the public key of the sender ● clear-signed: base64( s ) + Msg is sent to recipient, or Recipient without S/MIME will only be ● signed: base64( s + Msg ) is sent able to view clear-signed message to recipient
5 Enveloped data
Algorithms: RSA and AES (Advanced Recipient with S/MIME: Encryption Standard) 1. Decode base64 and obtains e 1. generate a fresh AES key K and eK
2. e = AES_EK( Msg ) 2. K = RSASK( eK ) (a cipher mode is used) SK is the private key of the
3. eK = RSAPK( K ) recipient
PK is the public key of the 3. Msg = AES_DK( e ) recipient AES cipher mode is required to 4. base64( e + eK ) is sent to encrypt Msg of arbitrary size recipient
6 Efail attack [USENIX 2018]
Efail attack exploits two different Attack 1: weaknesses of S/MIME and 1. intercept encrypted message c openPGP (which is similar to 2. forge another message c’ whose S/MIME) decryption is Weak cipher modes: both S/MIME
7 Efail attack [USENIX 2018]
MIME parser vulnerability: clients do Attack 2: not isolate multiple MIME parts of an 1. intercept encrypted message c email but display them in the same 2. forge another message HTML document Thunderbird 3. c is decrypted on the fly and replaced with its plaintext p ⇒ direct plaintext exfiltration 4. p goes to web server logs
8 Efail attack 2: example
Middle part is decrypted and the three are stitched together:
which is URLencoded as:
NOTE: No obvious fixes for attack 1 that requires “authenticated encryption modes” in S/MIME and openPGP. More detail at the attack web page 9 DomainKeys Identified Mail (DKIM)
DKIM allows administrative domains Transparency: DKIM is not visible by to digitally sign e-mail messages end users
Signature is verified through the no modification in email clients domain public key, which is publicly no certificates for end users available applies to all emails from cooperating domains Widely adopted by many email providers (e.g. google, yahoo), ISPs, ☹ only confirms the administrative governments domain and not the actual sender
10 SSL and TLS
Secure Sockets Layer (SSL) and its Handshake protocol: creates a successor Transport Layer Security secure session between the client (TLS) are security services and the server implemented as a set of protocols Alert protocol: deals with alerts and that rely on TCP suitably closes open sessions and Aim: end-to-end security connections
Record protocol: provides basic Heartbeat protocol: keeps sessions security services to various alive by periodically sending higher-layer protocols “heartbeat” messages
11 Record protocol
Provides two services for SSL connections based on the keys negotiated during handshake
Confidentiality: a shared secret key k1 is used for symmetric encryption of SSL payloads
Message integrity: a shared secret key k2 is used to compute a Message Authentication Code (MAC)
Figure from Lawrie Brown, William Stallings. Computer Security: Principles and Practice, 4/E, Pearson. 12 Handshake protocol
Establishes a secure TLS session Client Server
Phase 1: Establish security client_hello capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers server_hello Note: random numbers will be used to prevents replay attacks
13 Handshake protocol: phase 2
Phase 2: Server may send certificate, Client Server key exchange and request certificate
certificate Server signals end of hello message phase server_key_exchange Note: this phase depends on the certificate_request particular cipher suite selected in phase 1 server_hello_done
14 Handshake protocol: phase 3
Phase 3: Client checks validity of Client Server server certificate certificate
Then, it sends certificate if requested, client_key_exchange key exchange and possibly certificate verification certificate_verify
Note: certificate verification is a signature of handshake data and proves that client knows the private key corresponding to the public one in the certificate (if requested) 15 Handshake protocol: phase 4
Phase 4: commit the negotiated Client Server change_cipher_spec cipher suite and finish handshake protocol finished Note: messages finished are sent using the agreed cipher suit in order to confirm that client and server correctly agree on algorithms, keys change_cipher_spec and secrets finished
Technically this phase is named Change Cipher Spec Protocol 16 Since the first introduction of SSL in 1994 numerous attacks have been devised against these protocols
Fixes required:
SSL/TLS attacks ● changes in the protocol ● changes in the crypto tools used ● changes in the implementation
Analysis “in the wild” [S&P19]
17 Bleichenbacher attack (1998 → 2018)
Bleichenbacher attack (1998): The Idea: the attacker tries many attack allows to break RSA ciphertexts related to the target one, ciphertexts by exploiting a weak until one is accepted and discovers padding scheme the first two bytes of the plaintext
Padding in RSA is used to randomize ⇒ the relation allows for guessing the plaintext so to prevent trivial bits of the target plaintext brute-force ● Attack optimized [Crypto12] PKCS#1 v1.5 padding starts with ● Return Of Bleichenbacher's bytes 0x00 0x02 Oracle Threat (ROBOT), 2018
18 CRIME attack (2012)
CRIME (Compression Ratio Info-leak Idea: the attacker injects suitably Made Easy) allows to recover the crafted strings and observes the content of web cookies when data compression rate compression is used along with TLS When compression rate increases Assumption 1: the attacker can inject there are duplicate strings values of his/her choice in the ⇒ char-by-char brute-forcing requests (e.g. through malicious 2013: BREACH based on CRIME javascript making cross requests) Fix: disable compression in TLS Assumption 2: the attacker can sniff the encrypted traffic 19 PKI attacks
PKI (Public Key Infrastructure) In [ACM2012] many SSL/TLS library allows for checking certificate validity implementations have been shown to have vulnerable certificate validation Certificates link public keys to implementations entities that own the corresponding private keys Badly designed APIs and data-transport libraries which present If certificates are not properly developers with a “confusing” array checked a Man-In-The-Middle (MITM) of settings and options attack is possible ⇒ server impersonation ⇒ many application not checking certificates! 20 Heartbleed attack (2014)
Heartbeat protocol: the request Attack: contains payload length and payload, ● The attacker forges a request which is “echoed” back in response message with minimum length OpenSSL bug: (e.g., 16 bytes) declaring maximum length (e.g., 64 Kbyte) 1. read the incoming request ● The attacker gets back about 64 message and allocate a buffer Kbyte of uninitialized memory in 2. overwrites the buffer with the the response, that might incoming message contain server secrets and keys 3. did not check that the length was the declared one! More detail here Simplified picture 21 IPv4 and IPv6 security
IPSec provides security over IPv4 Secure branch office connectivity: A (optional) and IPv6 company can build a virtual private network (VPN) over the Internet Authentication: received packet was transmitted by the party identified as Secure remote access: An end user the source in the packet header can gain secure access to a company (implies integrity) network over the Internet
Confidentiality: enables end-to-end Secure connectivity with partners: encryption to prevent eavesdropping secure communication with other by third parties organizations
22 IPSec advantages
In a firewall or router: strong security Security for individual users: useful for all traffic crossing the perimeter, for off-site workers and for setting no overhead for internal traffic up a secure virtual subnetwork within an organization for sensitive Transparency: IPSec is below applications transport (TCP and UDP) so it is fully transparent to applications Securing other protocols: IPSec can be used to make insecure protocols Usability: users are not required to more secure use security tools because IPSec Example: routing protocols can be provides security transparently protected by running over IPSec
23 Security association
IPsec provides a combined Security Association (SA): one-way authentication/encryption function relationship between a sender and a called Encapsulating Security receiver Payload (ESP) and a key exchange ⇒ function (ISAKMP) Two-way secure exchange requires two SAs ⇒ most applications (es. VPN) require both authentication and SA is identified through a encryption ● Security Parameter Index (SPI), similar to ports (Authentication-only is deprecated) ● Destination IP address
24 SA main fields
Sequence number counter: 32-bit Lifetime for this SA: A time interval or value used to generate the Sequence byte count after which an SA must be Number field in ESP headers replaced with a new SA
Anti-replay window: a sliding window IPSec protocol mode: tunnel or within which the sequence number transport (discussed next) must fall Path MTU: Any observed path ESP information: encryption and maximum transmission unit authentication algorithm, keys, (maximum size of a packet initialization values, key lifetimes transmitted without fragmentation)
25 IPsec ESP Format
Figure from Lawrie Brown, William Stallings. Computer 26 Security: Principles and Practice, 4/E, Pearson. IPSec protocol modes
Transport mode: Typically used for Tunnel mode: Typically, security end-to-end communication between gateways that implements IPsec two hosts Hosts behind the gateways Example: for ESP over IPv4, the communicate through the tunnel with payload is the data that normally gateways source and destination IPs follow the IP header (entire IP packet is encapsulated)
ESP in transport mode encrypts and Example: IPSec VPNs authenticates the IP payload and optionally authenticates the IP ESP in tunnel mode encrypts and header authenticates the entire IP packet 27