
Security Aspects in Communication Systems

Security Aspects in Communication Systems. Networks, MM3 By Jesper Grønbæk (ljg@es.aau.dk) PhD Student NetSec 9. November 2007. MM3 contents. Main aim: Give a general introduction to security aspects in communication systems Requirements and solutions


Presentation Transcript


  1. Security Aspects in Communication Systems Networks, MM3 By Jesper Grønbæk (ljg@es.aau.dk) PhD Student NetSec 9. November 2007

  2. MM3 contents Main aim: Give a general introduction to security aspects in communication systems • Requirements and solutions • Confidentiality, Integrity, Authentication, and more… • Security Framework: IPsec • Threats to the security solution • Security in large open communication networks • Discussion

  3. Problem Domains • Where are security considerations common? Open IP-based networks • Open interfaces, large user community, flexibility and off-the-shelf components High safety systems • Systems conveying highly critical communication. E.g. air traffic control information. Wireless networks, case SAFEDMI

  4. Problem Domains [Figure labels: Access Point, Malicious Attacker, WLAN, Train Antenna, Maintenance Center] • A case from the industry: Wireless networks, case SAFEDMI • The industry acknowledges cost saving by introducing wireless communication • A MAJOR concern is security for safety and confidentiality reasons • SAFEDMI: Upload software. Request and download diagnostics data • Medium is easily accessible (from a remote location) and thereby vulnerable • Requirements for: confidentiality, integrity, authentication and availability

  5. Confidentiality • Basics and background of popular methods • Definitions: Clear text messages M, Key K, Cipher-texts C • Requirement: The transmitted information can only be available to the sender and receiver. • Threat: Eavesdropping • Method • Symmetric solution: encryption {$M \times K \rightarrow C$, $c = E(m, k)$}, decryption {$m = D(c, k)$} • M must be difficult to derive when only knowing C. • DES: Invented by IBM, approved federal standard 1976 • Small key size (56 bits) → Brute force attacks available • Cryptanalysis attacks available • Designed for efficient hardware implementation • Triple DES, Improvement of DES by IBM in 1979 • Improved DES by 3xDES. I.e. key size 168 bits (or 112 bits). Example: $c = DES(k_3, DES(k_2, DES(k_1, m)))$ • Attacks known but typically considered infeasible • AES, Candidate found in competition issued by NIST (1997-2000) • Winner: Rijndael, Other candidates: Serpent, Twofish, RC6, … • Also efficient for hardware implementation (Smartcards. Req: < 256 bytes of RAM, < 2000 bytes of ROM) • Rijndael key sizes: 128-256 bits (32 bits steps). • NSA, National policy: 128, 192, 256 bits → SECRET, 192, 256 required for TOP SECRET

  6. Confidentiality • DES encryption example • Block cipher: fixed size of m, same size of c, DES block size is 64 bits • Uses Feistel function ’f’ • Confusion: high complexity wrt. key → cipher-text • Diffusion: Redundancy in plaintext is not visible in cipher-text [Figure: DES Feistel function ’f’]

  7. Confidentiality [Figure: block encryption (Enc) and decryption (Dec) with key K, shown "No CBC" and "With CBC"; plaintext blocks P0, P1, P2, …, Pn, ciphertext blocks C0, C1, C2, …, Cn, initialization vector IV. Ref: Frederic Schutz 2000-11-15] • CBC encryption mode for block ciphers • Encryption modes enable block ciphers to be used on a clear text of arbitrary length • CBC is simply Cipher-Block-Chaining • Other encryption modes • ECB, CFB, OFB, Block Replay, …

  8. Integrity • Basics and background of popular methods • Definitions: Hash value h • Requirement: Provide assurance that the message M has not been changed on its way from the sender to the receiver • Threats: Re-sequence, insertion, deletion, corruption, masquerade or change of data. E.g. change of message destination address. • Method • Cryptographic HASH functions: $h = H(m)$ • H must be efficiently computable • $H^{-1}$ must NOT be efficiently computable • Collisions should be rare: if $h = H(m_1)$, it should be difficult to have $H(m_2) = H(m_1)$ • Examples: MD5, WHIRLPOOL and SHA-(1/2) • Symmetric keyed HASH function: $h = H(m, K)$ • Avoid man-in-the-middle attacks • Necessary to guarantee that only the intended recipient can calculate the correct HASH and verify authenticity of message M. • HMAC: keyed-Hash Message Authentication Code • Based on an arbitrary HASH function

  9. Integrity • HMAC example • Requires: A cryptographic HASH (e.g. SHA-2) + shared secret key K Ref: www.vckbase.com

  10. Authentication • Basics and background of popular methods • Requirement: Provide assurance that the communication partner is indeed the one being claimed • Threats: Un-trusted (malicious) party claims to be a trusted party • Method • Symmetric method: shared secret, e.g. key K. • Challenge-response (simplified): • Initiator requests challenge by transmitting a random value X and calculates XMAC • Responder calculates MAC based on X, K and a PRF, e.g. HMAC • Responder generates a new random value Y, calculates XRES, and transmits Y back to initiator with the calculated MAC. • The initiator checks: if XMAC = MAC the responder is trusted. The initiator calculates RES from Y and the PRF and sends it to the responder. • The responder checks if XRES = RES. If this is the case the two parties have successfully authenticated each other. • Asymmetric method: Public key encryption with key pair: $K_{id}(k_{priv}, k_{pub})$ • A message encrypted with $k_{pub}$ can only be decrypted with $k_{priv}$ and vice versa. • The Initiator can make sure that only the desired responder will receive a given message. The responder can make sure that only the trusted initiator can read the response. • Similarly to the symmetric method PRFs and random values are used in the challenge response.

  11. Asymmetric Encryption • Basics of RSA • Principle: difficulty of determining prime factors of large numbers • Secret primes p, q (>100 decimal digits) • Communicate $n = p \cdot q$ • Choose encryption key $K_e$, where $K_e$ and $(p-1)(q-1)$ are without common factors • Decryption key: $K_d = K_e^{-1} \bmod (p-1)(q-1)$ • Usage: • Encryption: $c = m^{K_e} \bmod n$ → Public key: $(n, K_e)$ • Decryption: $m = c^{K_d} \bmod n$ → Private key: $(n, K_d)$ • Asymmetric encryption could also be used to solve confidentiality and integrity requirements. • Slow compared to symmetric methods. Great impact on communication performance • Good for authentication where large key sizes (1024 bits) can be used with little impact on performance

  12. Additional Requirements • Basics • Availability • Threat: DoS attacks try to make service unavailable e.g. by requesting it excessively • Method: Design system to spend minimal resources to deny malicious requests • Repetition • Threat: An attacker replays a recorded series of messages. E.g. to repeat transaction (money withdrawal). • Method: Sequence numbers • Privacy • Threat: The identity of, and potentially private information of users is revealed. • Method: Encryption and a design that protects identity information • Non-repudiation • Threat: A user can deny having used a certain service without the possibility for the service provider to prove the claim wrong. • Method: Introduce mechanisms of authentication. However, research topic.

  13. Additional Requirements • Keying material • In a full blown cryptographic communication solution different key types exist • Long Term-keys • Rarely changed • Should be used ”as little as possible”, e.g. only for first time authentication • May be stored in tamper-proof hardware: Trusted Platform Module, SIM card, Hardware Security Module • Short Term-keys (session keys) • Newly generated for each session • Updated regularly based on time and/or data amount constraints • Different keys for: encryption, integrity/authentication and input for new keying material → Symmetric keys need to be established on two communicating parties separated by an un-trusted link → How may keys be generated?

  14. Additional Requirements • Diffie-Hellman key agreement between Peer ’A’ and Peer ’B’ over an open wireless link • Both peers: Prime: $p$, Base int: $g$ ($< (p-1)$) • Peer ’A’: Secret rand. no.: $X_A$, sends $Y_A = g^{X_A} \bmod p$ • Peer ’B’: Secret rand. no.: $X_B$, sends $Y_B = g^{X_B} \bmod p$ • Session key: $K = [g^{X_B} \bmod p]^{X_A} \bmod p = [g^{X_A} \bmod p]^{X_B} \bmod p$ • Basic Principle • K is difficult to find even when knowing $Y_A$ and $Y_B$ given $X_A$ and $X_B$ are unknown

  15. Additional Requirements [Figure: "A security framework for IP stacks"; labels: Application, Transport, IP, IPsec, Link, 802.11, Train Antenna, WLAN, Access Point, Maintenance Center] • Performance requirements • Designing a secure communication system • Risk Assessment • Which attacks may occur? • How frequent may attacks be? • What are the potential impacts of certain attacks? (safety risks?) • Solutions • Design architecture • Methodologies used to attain security (we have considered basic cryptographic) • Cost of introducing security (performance/components/administration) • Limitations to the system • Impossible to provide ”full security” and prevent attacks. → More on this later

  16. Security Framework: IPsec • Background • Application Layer security solutions • SSL, SSH, TLS, … • Useful for end-to-end security solutions • (May be) Application specific • IPsec – an Internet layer solution • Independent of applications • General framework • Provides negotiation of security methods to be used • Applies security methods to IP packets depending on configuration • Does NOT specify specific cryptographic algorithms • Does NOT specify session-key establishment methods • Typically used for VPNs (AAU wireless) and Internet links between corporate networks • Pro: May be implemented seamlessly to protect links in open networks • Con: May be complex to administer and configure • A collection of numerous RFCs (e.g. RFC 1828, RFC 2104, RFC 1829, …)

  17. Security Framework: IPsec • Configuration: modes of operation Tunnel mode: • Only payload is encrypted. • IP header remains unchanged – (e.g. not protected when using ESP, but it is with AH.) Transport mode (end-to-end oriented): • The original packet is fully encrypted (ESP). • Original packets are encapsulated in a new IP-header

  18. Security Framework: IPsec • Configuration: ESP • Encapsulating Security Payload (ESP) • Tunnel mode: • Outer IP-header not protected (not a problem in tunnel mode…) • Supports confidentiality • Supports origin authentication • Supports Data integrity • CBC-mode of algorithms typically used.

  19. Security Framework: IPsec • Configuration: AH • Authentication Header (AH) • Tunnel mode: • Entire header is protected except few fields like TOS, Fragment Offset… I.e. fields that may be changed in transit. • Supports Data integrity • Supports origin authentication • No confidentiality

  20. Security Framework: IPsec • Extended example: • Peer agreement of Security Associations • Security Association (SA) • Defines cryptographic algorithms and configuration (ESP, AH, tunnel…) • Corresponds to IP-add, IP-classes and ports • A SA is uni-directional. Two are needed for secure bi-directional communication • Application Layer control • Security Association Database • Security Policy Database • Simple example with Peer ’A’ and Peer ’B’ connected by SA1 and SA2: • One peer: Outbound – SA1: ESP-AES, ESP-SHA-2, Dest. IP; Inbound – SA2: ESP-3DES, ESP-MD5, Dest. IP • Other peer: Inbound – SA1: ESP-AES, ESP-SHA-2, Dest. IP; Outbound – SA2: ESP-3DES, ESP-MD5, Dest. IP

  21. Security Framework: IPsec • Key agreement and SA setup procedure • Internet Key Exchange version 2 (IKEv2) • RFC 2409 typically deployed in IPsec solutions (Not defined by IPsec) • Two phase solution for negotiation of IPsec SAs • Phase 1: Establishment of temporary SAs (IKE SAs) for key negotiation • Authentication performed using asymmetric keys or pre-shared symmetric keys • Different modes (Main, Aggressive, Quick) → Different amount of exchanges required and levels of protection (E.g. in main mode peer IDs are only sent in an encrypted context) • DH key exchange to setup keys: • From main key ‘SKEYSEED’ three keys have been derived and used: • SKEY_A: Key used for authentication and integrity protection. • SKEY_E: Key used for encryption. • SKEY_D: Key used in later key generation processes to ensure different message exchanges to be associated even when changing keys. • Output: A secure and authenticated channel safe to use for setting up SAs • Phase 2: Negotiation and establishment of SAs used for actual data • New DH key negotiation is performed • Perfect Forward Secrecy (PFS): New keying data is used in the generation process. Decouples new session keys from LT-keys used for authentication • Session keys: time in use proportional to overall security of communication system • Keys are renegotiated as needed (time/data) [Tiller J.S.]
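
Added example (not part of the original slides): the Diffie-Hellman agreement of slide 14 followed by a split of the shared secret into three purpose-bound keys named after SKEY_D, SKEY_A and SKEY_E above. The 127-bit toy prime, the base, the nonces and the HMAC-SHA-256 expansion are assumptions chosen for a short runnable sketch; this is not the key derivation specified in the IKE RFCs.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: the Mersenne prime 2^127 - 1.
# Far too small for real use; the slides measure 1024- to 6144-bit groups.
P = 2**127 - 1
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2        # secret random number X in [2, p-2]
    return x, pow(G, x, P)                  # (X, Y = g^X mod p)


def dh_shared(own_secret, peer_public):
    # Reject degenerate public values that would force a predictable K.
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    k = pow(peer_public, own_secret, P)     # K = Y_peer^X_own mod p
    return k.to_bytes((P.bit_length() + 7) // 8, "big")


def derive_keys(shared, nonce_a, nonce_b):
    """Expand one DH secret into separate keys for derivation, integrity, encryption."""
    seed = hmac.new(nonce_a + nonce_b, shared, hashlib.sha256).digest()
    keys, prev = {}, b""
    for i, name in enumerate(("SKEY_D", "SKEY_A", "SKEY_E"), start=1):
        # Each output is chained to the previous one and bound to a counter.
        prev = hmac.new(seed, prev + nonce_a + nonce_b + bytes([i]),
                        hashlib.sha256).digest()
        keys[name] = prev
    return keys


def agree():
    """Run both peers locally; only Y_A, Y_B and the nonces cross the link."""
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    keys_a = derive_keys(dh_shared(xa, yb), na, nb)
    keys_b = derive_keys(dh_shared(xb, ya), na, nb)
    return keys_a, keys_b
```

Plain Diffie-Hellman as shown is unauthenticated, which is why Phase 1 above pairs it with asymmetric keys or a pre-shared key.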

  22. Security Framework: IPsec • SAFEDMI deployment example • Bridge Device handles the lower layer security solution • Preshared keys • Remote authentication • IKEv2: Starting point in aggressive mode

  23. Security Framework: IPsec • SAFEDMI: Performance examples, communication • Configuration • IPv4, ESP (with confidentiality), Transport mode • Integrity/authentication: SHA-2 and HMAC (Keyed HASH) • Encryption: AES/(Rijndael) (NIST) IPsec performance: BD-DC uses IPsec. SHA256, Varying key length for AES. BD Utilization: 100% 128 bit – Mean goodput (FTP): 2.6 MiB/s (2 = 0.00027) 256 bit – Mean goodput (FTP): 2.4 MiB/s (2 = 0.00035) Baseline performance: IPsec disabled. BD Utilization: 75% Mean goodput (FTP): 11.1 MiB/s (2 = 0.0041)

  24. Security Framework: IPsec • SAFEDMI: Performance examples, IKEv2 • Example: PSK • Authentication handled by DMI • Total delay, Phase I and II, DH groups (main mode, AES256, SHA256) • 1024 bits, 3 seconds • 1536 bits, 4 seconds • 6144 bits, 47 seconds

  25. Threats To the Security Solution • What are the biggest challenges in providing a secure solution? • Brute force attack • Cryptographic Analysis to breach algorithms • Statistical • Mathematical • Often the ”tedious” approach • Lots of continuous research is done on finding weaknesses of e.g. AES. • Much simpler attacks may be possible • Examples of (more) Security threats • Bad passwords (who am I to judge) • Incomplete design • Complex design • Is IPsec an ideal security framework? – Experts say yes! experts say no! [The Hybrid Report] Opponents: “Complexity is the biggest enemy of security.” “Our biggest criticism is that IPsec is too complex. There are too many options that achieve the same or similar properties” Proponents: ”… if they (options) were completely equivalent this would be a good basis for simplifying IPsec. However there are subtle differences that have resulted in the proliferation of (different) options…” • Incomplete/wrong implementation: → Attack scenarios have been demonstrated for Linux native IPsec implementation (2002) Cause: A mandatory post-processing check defined in the RFCs was not implemented. • Bad configuration: Encryption without strong integrity checks is possible in ESP but makes no sense from a security perspective → Attacks based on destination address rewriting. See example in [Paterson, K.G.]
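
Added example (not part of the original slides) for the "bad configuration" point above and the CBC mode of slide 7: with CBC alone, a bit changed in one ciphertext block changes the same bit in the next decrypted block and the receiver cannot tell, while an HMAC over IV and ciphertext lets the receiver reject the packet. The 64-bit Feistel cipher built from SHA-256 is a toy stand-in (an assumption, not DES or AES), as are all function names.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the DES block size from the slides

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Toy Feistel round function built from SHA-256 (assumption; this is NOT DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):          # undo the rounds in reverse order
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):   # length must be a multiple of BLOCK
        prev = enc_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(dec_block(key, blk), prev))  # P_i = Dec(C_i) xor C_(i-1)
        prev = blk
    return b"".join(out)

def flip_bit(data, index, mask=0x01):
    # Models modification of one byte while the packet crosses the open network.
    changed = bytearray(data)
    changed[index] ^= mask
    return bytes(changed)

def seal(enc_key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: HMAC-SHA-256 over IV and ciphertext, separate MAC key.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                         # reject before any decryption happens
    return cbc_decrypt(enc_key, iv, ct)
```

Without the tag, `cbc_decrypt` returns a modified message with no error; with it, `open_sealed` returns `None` for any changed ciphertext or IV.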

  26. Security in Large Open Comm. Networks • Current and future challenges in the Internet [Cantrell A.] • “Cybercrime is an ever increasing threat” • Attacks – conducted by organized criminals • Characteristics • Silent (not observable by computer/network owners) • Hard to detect (Increasingly complex and organized) • Highly targeted (Specific objectives defined for attacks) • 70 percent of weaknesses are related to Web technologies • Aims • Steal confidential information (credit card, passwords, corporate information) • Collect e-mail addresses and personal information for targeted spamming • Perform DoS attacks to paralyze parts of the network (security companies) • … • Methods • Bot nets • Worms • Malicious homepages • … • Interested parties • Private and corporate users • Network providers/Service providers • Security companies • Research

  27. Security in Large Open Comm. Networks Ref: [Verissimo P.] • Research in security [Verissimo P.] • Huge research area, background in fault tolerant systems • How to make a system secure? • Traditional approach: Primarily fault avoidance → Attack prevention, vulnerability removal • New approaches: More fault tolerance → Intrusion detection, recovery, masking. • Intrusion tolerance • Assumption of vulnerable systems • Assumption of successful attacks • Tolerance: Ensure that the system remains secure and operational • Prevent faults from propagating:

  28. Security in Large Open Comm. Networks • Current and future challenges in the Internet • Need methods to provide useful intrusion detection (IDS) • An IDS may be deployed in a networking system to detect intrusions • Provide detection to enable prevention and recovery • Close external/internal ports • Disable network connections • Kill malicious clients • … • Collects monitoring information • Amount of port scans from external network • Amount of port scans from internal network • Increase in activity from external network • … • To provide useful detection mechanisms much work is done in analyzing ongoing attacks to create models

  29. Security in Large Open Comm. Networks • Honeypot projects • Use of Honeypots to attract attackers • A computer system with known and unknown vulnerabilities exposed to the open communication network. • Running in a virtual environment where observations about the attack can be collected • An attacker is unaware of trap • Typically organized in data collection networks to provide a full picture of attack types, targets and origins • CAIDA, Internet Motion Sensor, Team Cymru Darknet, … • Example honeypot: leurre.com [Kaâniche M.] • 80 honeypots • 30 countries • 5 continents • Possible to join…

  30. Security in Large Open Comm. Networks • Some results (leurre.com) [Kaâniche M.] • Statistical models • Needed to develop predictive models for detection • HMM, Bayesian Networks, Heuristic diagnostic mechanisms, … • Example • An attack is associated to attacker IP address • Time between attacks given first packet from attacker IP address • http://www.laas.fr/~kaaniche/Slides/Slides-WEEDS-DSN06.pdf

  31. Final Discussion [Figure labels: Access Point, WLAN, Train Antenna, Maintenance Center] • DES encryption example • ”Security aspects” is typically the first bullet in our delimitation, but… • … security aspects may have a huge impact if a technology can move to market or not! • RFIDs for object identification • Air traffic control systems • … • Your project (of course)… • SAFEDMI • Now hiring!

  32. References • [Tiller J.S.]: A Technical Guide to IPsec Virtual Private Networks. CRC Press (2001) • [Verissimo P.]: Design for resilient systems – Architectural, paradigmatic and algorithmic issues. Presentation, ReSIST summer school (2007) • [Kaâniche M.]: Resilience evaluation with regard to accidental and malicious threats. Presentation, ReSIST summer school (2007) • [Schwefel H.P.]: Introduction to security aspects. Presentation, Algorithms and Architectures III AAU (2005) • [Cantrell A.]: Cybercrime on the rise, survey finds. CNNMoney.com (March 7, 2006) • [Paterson, K.G.]: Cryptography in Theory and Practice: The Case of Encryption in IPsec. In Journal Advances in Cryptology: EUROCRYPT (2006)

  33. References • Exercises • 1) Attacker wants to read parts of the communication between the source and destination node. Find the flipped bit sequence in C2. Use the attack instructions in section 3 (3.1) and figure 3 of: http://www.ay2.org/downloads/ipsec-full.pdf [Figure labels: Address: 181, Attacker node, Dest. node, Security Gateway 1, Security Gateway 2, Open network, Address: 107, Source node; IPsec tunnel mode, ESP, No integrity checks] • 2) Tanenbaum (4th ed.): 11, 20, 25, 31 • 3) Make a risk assessment of your own project - Which requirements exist for security? - What are impacts of possible attacks? - What can be done to deliver the required security?
