Network Security Lecture 02: DNS Security PDF

Document Details

Uploaded by GaloreCosine

Alexandria University

2024

Sahar M. Ghanem

Summary

Lecture notes on network security focusing on DNS security, covering topics such as host identifiers, DNS services, how DNS works, DNS caching, and DNS message format. The lecture is from Alexandria University in 2024.

Full Transcript

Network Security Lecture 02: DNS Security

Prof. Dr. Sahar M. Ghanem
Associate Professor
Computer & Systems Engineering Dept.
Faculty of Engineering, Alexandria University

References
- Kurose’s section 2.4
- Kak’s Lecture Notes 17

Network Security 2024, (c) Sahar M. Ghanem

Outline
- Host Identifier
- DNS Services
- How DNS Works?
- DNS Caching
- DNS Message Format
- DNS on Linux
- DNS Cache Poisoning Attack
- Attacks

Host Identifier
- We human beings can be identified in many ways: names; social security numbers; driver’s license numbers.
- Within a given context one identifier may be more appropriate than another.
- An Internet host identifier is its hostname, which is appreciated by humans, e.g. www.facebook.com; www.google.com
- An Internet host is also identified by so-called IP addresses that consist of four bytes and have a rigid hierarchical structure, e.g. 121.7.106.83
- As we scan the IP address from left to right, we obtain more and more specific information about where the host is located in the Internet.
- This is similar to scanning a postal address from bottom to top.

Services Provided by DNS
- The Internet’s domain name system (DNS) is a directory service that translates hostnames to IP addresses.
- DNS is a distributed database implemented in a hierarchy of DNS servers and an application-layer protocol that allows hosts to query the distributed database.
- The DNS protocol runs over UDP and uses port 53 (RFC 1034; RFC 1035).
- The DNS servers are often UNIX machines running the Berkeley Internet Name Domain (BIND) software.
- DNS is employed by other application-layer protocols (e.g. HTTP, SMTP, …) to translate user-supplied hostnames to IP addresses.

DNS Services
DNS provides other important services:
- Host aliasing: alias hostnames, when present, are more mnemonic than canonical hostnames, e.g. canonical: relay1.west-coast.enterprise.com; alias: www.enterprise.com
- Mail server aliasing: the MX record permits a company’s mail server and Web server to have identical (aliased) hostnames.
- Load distribution: among replicated servers, each having a different IP address. DNS rotates the ordering of the addresses within each reply.

Overview of How DNS Works
- Hostname-to-IP-address translation.
- On UNIX-based machines, gethostbyname() is the function call that an application calls in order to perform the DNS translation.
- A simple design for DNS would have one DNS server that contains all the mappings, but this design doesn’t scale. Problems: a single point of failure; traffic volume; distant centralized database; maintenance.
- Instead, the mappings are distributed across the DNS servers.
- There are three classes of DNS servers organized in a hierarchy: root; top-level domain (TLD); authoritative.

Classes of DNS servers
- Root DNS servers. There are more than 1000 root server instances scattered all over the world that provide the IP addresses of the TLD servers. They are copies of 13 different root servers, coordinated through the Internet Assigned Numbers Authority (IANA).
- Top-level domain (TLD) servers. There are servers for each of the top-level domains (com, org, net, edu, and gov, …) and all of the country top-level domains (uk, fr, ca, jp, …). They provide the IP addresses for authoritative DNS servers.
- Authoritative DNS servers. Every organization with publicly accessible hosts.

Local DNS Server
- Local DNS server(s): each ISP has a local DNS server(s) and provides the host with the IP address of that server (through DHCP).
- Check by accessing the network status window.
- When a host makes a DNS query, the query is sent to the local DNS server, which acts as a proxy, forwarding the query into the DNS server hierarchy.
- Any DNS query can be iterative or recursive.
- Usually, the query from the requesting host to the local DNS server is recursive, and the remaining queries are iterative.

DNS Caching
- DNS extensively exploits DNS caching in order to improve the delay performance and to reduce the number of DNS messages ricocheting around the Internet.
- When a DNS server receives a DNS reply it can cache the mapping in its local memory and provide that mapping, even if it is not authoritative for the hostname.
- DNS servers discard cached information after a period of time (often set to two days).
- Because of caching, root servers are bypassed for all but a very small fraction of DNS queries.

DNS Records and Messages
- The DNS distributed database stores resource records (RRs).
- A resource record is a four-tuple that contains the following fields: (Name, Value, Type, TTL); TTL is the time to live.
- If Type=A, then Name is a hostname and Value is the IP address for the hostname.
- If Type=NS, then Name is a domain (such as foo.com) and Value is the hostname of an authoritative DNS server.
- If Type=CNAME, then Value is a canonical hostname for the alias hostname Name.
- If Type=MX, then Value is the canonical name of a mail server that has an alias hostname Name.
- …

DNS Message Format (1/2)
- Both query and reply messages have the same format.
- The first 12 bytes are the header section, which has a number of fields:
  - A 16-bit number that identifies the query
  - A 1-bit query/reply flag (query (0); reply (1))
  - A 1-bit authoritative flag (DNS server is an authoritative server)
  - A 1-bit recursion-desired flag
  - A 1-bit recursion-available field
  - Four number-of fields that indicate the number of occurrences of the four types of data sections that follow the header

DNS Message Format (2/2)
- The question section contains information about the query. It includes a name field that contains the name that is being queried, and a type field that indicates the type of question being asked (e.g. Type A, or Type MX).
- In a reply from a DNS server, the answer section contains the resource records for the name that was originally queried.
- The authority section contains records of other authoritative servers.
- The additional section contains other helpful records.

nslookup
- The nslookup program, available on most Windows and UNIX platforms, allows sending a DNS query to any DNS server.
- Many Web sites allow nslookup to be employed remotely.

ICANN
- How do records get into the database?
- A registrar is a commercial entity that verifies the uniqueness of the domain name, enters the domain name into the DNS database, and collects a small fee for its services. (ICANN accredits the various registrars.) (http://www.internic.net)
- e.g. after creating a new startup company:
  - Register the domain name at a registrar.
  - Provide the registrar with the names and IP addresses of the primary and secondary authoritative DNS servers.
  - The registrar would then make sure that a Type NS and a Type A record are entered into the TLD servers.

DNS on Linux

/etc/hosts
- If a private home network has just four or five machines, the easiest way to establish a DNS-like naming service for the network is to create a host table (in the /etc/hosts file) on each machine.
- The name resolver program consults the /etc/hosts table.

/etc/resolv.conf
- The file /etc/resolv.conf lists the name servers to be used by the name resolver programs.
- It is automatically generated by the networking software.
- It is changed when you move the computer from one location to another.
- DNS Hijacking: DNSChanger malware in 2012 is a malware that changes the content of the file to a rogue DNS.

/etc/host.conf
- The file /etc/host.conf tells the system in what order it should search through the two sources of mappings: /etc/hosts and DNS (BIND server).
- e.g. content: order hosts, bind

Network Service
- If you change any of the network config files (e.g. /etc/hosts), you need to restart the network service with:
    sudo /etc/init.d/network restart

DNS Organization
- At the top of the hierarchy are the 13 root servers.
- They are programmed into every name resolver: a.root-servers.net, b.root-servers.net, c.root-servers.net, …
- The file /usr/share/dns/root.hints is installed with bind9.
- The path name to the file is in /etc/bind/named.conf.default-zones

How DNS Works?
- A root server responds back with either:
  - the IP address of a Generic Top Level Domain (gTLD) DNS server (e.g. com, edu, gov, mil, net, org, …)
  - the IP address of a Country Code Top Level Domain (ccTLD) DNS server (e.g. uk, jp, …)
- Ask the dig utility to query one of the root servers to see all the gTLD DNS servers for the ‘.com’ domain:
    dig @b.root-servers.net com

How DNS Works?
- A DNS server listens on port 53 (check /etc/services).
- A 16-bit randomly generated integer (Transaction ID) is sent in a DNS query.
- A valid answer to a DNS query must contain the same integer.
- A DNS cache is flushed by executing as root:
    /etc/init.d/bind9 restart

dig Utility
- dig (domain information groper) is a utility for interrogating DNS nameservers for information about the host IP addresses, mail exchanges, nameservers for other domains, …
- dig without any arguments will return the IP addresses for the root servers.
- dig examines the contents of the /etc/resolv.conf file for the nameservers to send the query to (in the order they are listed).
- 127.0.0.1 is the loopback address if you run a DNS server.
- Similar utilities: host; nslookup; whois

New Zone
- Large domains typically have multiple nameservers for redundancy (master and slave).
- Within A’s zone of authority, A can delegate control for a subdomain to B to create a nameserver with its name.
- The nameserver of A would be the recursive nameserver for hostnames in B.
- This new nameserver becomes the SOA (Start of Authority) for all the hostnames within.
- Similarly, B can delegate a portion of its domain to someone else.

DNS Cache
- Various client applications maintain their own DNS caches, usually with very short caching times (1-30 minutes).
- The OS may carry out some local name resolution before sending out a name resolution request to the nameserver of the local domain (/etc/hosts and cache for 30 min).
- An ISP nameserver will cache an IP address for a hostname for 48 hours.
- What is stored in the cache is both the IP address and its associated TTL (Time To Live) that is set by the administrator of the authoritative DNS server: minutes, hours, days, and even weeks.

DNS Protection
- Caching and replication are of considerable importance in making the DNS system secure against large-scale Denial-of-Service attacks.

BIND (1/2)
- BIND (Berkeley Internet Name Daemon) is an implementation of a domain name server (DNS) that has three components:
  - a DNS server (named in Ubuntu) that listens on UDP port 53
  - a DNS name resolver library
  - tools such as dig, host, nslookup, etc.
- BIND 9 supports DNSSEC (DNS Security Extensions).
- If the response to be returned to a client is longer than 1024 bytes, the nameserver will switch to the TCP protocol on the same port.
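
The header layout from the DNS Message Format slides and the Transaction ID rule ("a valid answer must contain the same integer") can be exercised in code. The following is an added example, not part of the lecture: it builds a query with a random Transaction ID, parses the 12-byte header, and applies the checks a resolver makes before accepting a reply. The function names and the sample reply are constructed for illustration.

```python
import secrets
import struct

# Header: ID, flags, then the four "number-of" fields (question, answer,
# authority, additional), each 16 bits, network byte order.
HEADER = struct.Struct("!HHHHHH")


def encode_name(name):
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a recursive query; the Transaction ID is drawn from a CSPRNG."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = 0x0100  # query/reply = 0 (query), recursion desired = 1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + question


def parse_header(msg):
    """Split the 12-byte header into the fields listed on the slide."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 0 = query, 1 = reply
        "aa": (flags >> 10) & 1,   # authoritative answer
        "tc": (flags >> 9) & 1,    # truncated: retry over TCP
        "rd": (flags >> 8) & 1,    # recursion desired
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def parse_question(msg, offset=HEADER.size):
    """Return (name, type, class) of the first question, with bounds checks."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 or offset + length > len(msg):
            raise ValueError("malformed label")
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    if offset + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", msg, offset)
    return ".".join(labels), qtype, qclass


def check_reply(query, reply):
    """Accept a reply only if it is a reply, echoes the ID and the question."""
    try:
        q, r = parse_header(query), parse_header(reply)
        if r["qr"] != 1:
            return False, "not a reply"
        if r["id"] != q["id"]:
            return False, "transaction ID mismatch"
        if r["counts"][0] != 1 or parse_question(reply) != parse_question(query):
            return False, "question mismatch"
    except ValueError as exc:
        return False, f"malformed: {exc}"
    return True, "ok"


def sample_reply(query, addr=b"\xc0\x00\x02\x01", txid=None):
    """Constructed reply: one A record (192.0.2.1, TTL 300) for the question."""
    txid = parse_header(query)["id"] if txid is None else txid
    header = HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # reply, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr
    return header + query[HEADER.size:] + answer
```

With only 16 bits of Transaction ID, this check is the sole barrier against an off-path forged reply unless the source port is also unpredictable.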

BIND (2/2)
- How named responds to a query depends on a configuration file called named.conf (/etc/bind/named.conf), which:
  - declares the locations of the zone files that contain the database related to the names under the authority of the nameserver (named.conf.local).
  - declares ACLs (Access Control Lists) and various options for the operation of the server (named.conf.options).
- An Ubuntu machine comes with BIND preinstalled, which gives a local nameserver ready to go as a caching nameserver.

DNS Vulnerabilities

DNS Cache Poisoning Attack
- Phishing is online fraud that attempts to steal sensitive information such as usernames, passwords, and credit card numbers.
- In pharming, a user’s browser is redirected to a malicious web site after an attacker corrupts a domain nameserver (DNS) with illegitimate IP addresses for certain hostnames.
- Versions of BIND that predate BIND9 are vulnerable.
- What makes DNS cache poisoning difficult (or, in some cases, relatively easy) is the use of a 16-bit Transaction ID integer that is sent with every DNS query.

Transaction ID
- When an application needs to resolve a symbolic hostname, it sends out a DNS query along with the 16-bit Transaction ID integer.
- When a nameserver is able to respond to a DNS query, it returns the answer along with the Transaction ID number so that the recipient of the response can identify the corresponding query.
- Earlier versions of BIND did not randomize the Transaction IDs; the numbers used were purely sequential.

Example Attack Steps (1/2)
- Goal: to poison the cache of harbor.ecn.purdue.edu by placing in its cache an incorrect IP address for the amazon.com domain. (You can replace harbor.ecn.purdue.edu with the IP address of the DNS server provided by your ISP, found in /etc/resolv.conf.)
- Ask the DNS server to carry out the name lookup for the domain amazon.com:
    dig amazon.com @harbor.ecn.purdue.edu
- Simultaneously fire up a script that floods harbor.ecn.purdue.edu with manually crafted packets that look like the expected reply but that contain the wrong IP address (a few hundred packets).
- Each reply will contain a different Transaction ID integer, with the hope that the Transaction ID in one of those fake replies will match the Transaction ID in the query sent out by harbor.

Example Attack Steps (2/2)
- The attack could be worse if the fake reply contains information (in its Additional Section) that is not requested but would nonetheless be stored away by the DNS server.
- There is one more piece of information that the attacker needs: the source port that the attacked nameserver uses when sending out its queries about the domain name the attacker wants to hijack.
- BIND reuses the same port for queries on behalf of the same client.
- The attacker first issues a request for a hostname in his own domain to figure out that port.

Script for DNS Cache Poisoning Attack
- The UDP packets with specific payloads and with specific DNS transaction ID numbers must be manually crafted.
- Two main challenges in converting the script into a cache poisoning attack: constructing a spoofing set of DNS Transaction IDs and making a correct guess for the destination port.

Dan Kaminsky’s Attack, 2008
- Another weakness: a caching nameserver accepting resource records for hosts not asked for in the query.
- This attack starts by querying the nameserver of the victim domain for possibly nonexistent symbolic hostnames.
- The attacker now sends spoofed replies for all of the queries emanating for the various versions of invalid hostnames.
- A caching nameserver would not only accept the Resource Records in the Answer Section of the fake replies to its queries, but also the RRs in the Additional Section.

DNS Poisoning Fix
- Randomizing the ports for the outgoing queries, as opposed to using the same port for the same query repeatedly.
- Insisting that all recursive nameservers carry out what is known as a bailiwick check of the RRs in the replies sent by the other nameservers before accepting them.
- A bailiwick check means not accepting an RR if it contains a hostname that was not in the outgoing query.

Attacks

DNS Attack, 2002
- A DDoS bandwidth-flooding attack against DNS servers took place on October 21, 2002. It leveraged a botnet to send truck loads of ICMP ping messages to each of the 13 DNS root IP addresses.
- Many of the DNS root servers were protected by packet filters, configured to always block all ICMP ping messages directed at the root servers.
- Most local DNS servers cache the IP addresses of top-level-domain servers, allowing the query process to often bypass the DNS root servers.

DNSChanger malware, 2012
- DNSChanger malware in 2012 is a malware that changes the content of the /etc/resolv.conf file to a rogue DNS.

DNS Attack, 2016
- A DDoS attack that sent a deluge of DNS queries to top-level-domain servers took place against the top-level-domain service provider Dyn on October 21, 2016.
- It consisted of a large number of DNS lookup requests from a botnet of about one hundred thousand IoT devices that had been infected with Mirai malware.
- For almost a full day, Amazon, Twitter, Netflix, Github and Spotify were disturbed.

Network Security Lecture 03: WiFi Security

Prerequisites
- Medium Access Control (MAC) Address
- Address Resolution Protocol (ARP)
- RC4 stream cipher
- AES

Outline
- WiFi Architecture
- WiFi Frame
- WiFi Security Services
- WiFi Security Standards
- WiFi Vulnerability
- WPA2-PSK attack, 2017
- WEP Attacks
- aircrack-ng tool

WiFi Standards
- The IEEE 802.11 wireless LAN standards are known as WiFi (Wireless Fidelity). They define:
  - frame structure
  - medium access protocol
  - internetworking with wired Ethernet LANs

WiFi Architecture (1/4)
- The fundamental building block is the basic service set (BSS).
- A BSS contains one or more wireless stations and a central base station, known as an access point (AP).
- As with Ethernet devices, each 802.11 wireless station has a 6-byte MAC address that is stored in the firmware of the station’s adapter (i.e. network interface card).
- Each AP also has a MAC address for its wireless interface.
- As with Ethernet, these MAC addresses are administered by IEEE and are (in theory) globally unique.

WiFi Architecture (2/4)
- When a network administrator installs an AP, the administrator assigns a one or two-word Service Set Identifier (SSID) to the access point.
- The administrator must also assign a channel number to the AP.
- 802.11 operates in the frequency range of 2.4 GHz to 2.4835 GHz. Within this 85 MHz band, 11 partially overlapping channels are defined.
- A WiFi jungle is any physical location where a wireless station receives a sufficiently strong signal from two or more APs.

WiFi Architecture (3/4)
- Each of these APs is located in a different IP subnet and would have been independently assigned a channel.
- A wireless device needs to join exactly one of the subnets and needs to associate with exactly one of the APs.
- The wireless device creates a virtual wire between itself and the associated AP.
- An AP periodically sends beacon frames, each of which includes the AP’s SSID and MAC address.
- A wireless device, knowing that APs are sending out beacon frames, scans the 11 channels, seeking beacon frames from any APs.
- This type of scanning is known as passive scanning.

WiFi Architecture (4/4)
- A wireless device can also perform active scanning, by broadcasting a probe frame that will be received by all APs within the wireless device’s range; the APs then respond with a probe response frame.
- Once associated with an AP, the device will want to join the subnet to which the AP belongs by sending a DHCP discovery message.
- The wireless device is required to authenticate itself to the AP, either based on the device’s MAC address or by employing a username and password.
- The AP can communicate with an authentication server using a protocol such as RADIUS or the recently standardized DIAMETER protocol.

Multiple Access Control (MAC) Protocol
- Because multiple wireless devices, or the AP itself, may want to transmit data frames at the same time over the same channel, a multiple access protocol is needed to coordinate the transmissions.
- There are three classes of multiple access protocols: channel partitioning, random access, and taking turns.
- The designers of 802.11 chose a random access protocol that is referred to as carrier sense multiple access with collision avoidance (CSMA/CA).

WiFi Frame
- The payload typically consists of an IP datagram or an ARP packet.
- The frame has four address fields, each of which can hold a 6-byte MAC address.
- Three address fields are needed for moving the network-layer datagram from a wireless station through an AP to a router interface.
- The fourth address field is used in ad hoc mode.
- The WEP field indicates whether encryption is being used or not.

WiFi Security Services
WiFi Security handles:
- Mutual authentication. The network will typically want to first authenticate the device (verify its identity and check its access privileges). Similarly, the mobile device will want to authenticate the network to which it is attaching.
- Encryption. Encrypting link-level frames carrying user-level data exchanged between the mobile device and the access point (AP). The mobile device and AP will need to derive the symmetric encryption and decryption keys to be used.

WiFi Authentication (1/5)
- For authentication, the AP serves as a pass-through device, relaying authentication and key derivation messages between the mobile device and the authentication server.
- The process of mutual authentication and encryption-key derivation has four distinct phases:
  1. Discovery
  2. Mutual authentication and shared symmetric key derivation
  3. Shared symmetric session key distribution
  4. Encrypted communication between mobile device and a remote host via the AP

WiFi Authentication (2/5)
- Discovery: The AP advertises its presence and the forms of authentication and encryption that can be provided to the mobile device.
- The mobile device then requests the specific forms of authentication and encryption that it desires.

WiFi Authentication (3/5)
- Mutual authentication and shared symmetric key derivation: it is assumed that the authentication server and the mobile device already have a shared common secret before starting mutual authentication.
- The device and the authentication server will use this shared secret along with nonces and cryptographic hashing in authenticating each other.
- They will also derive the shared session key to be used by the mobile device and the AP to encrypt frames transmitted over the 802.11 wireless link.

WiFi Authentication (4/5)
- Shared symmetric session key distribution: since the symmetric encryption key is derived at the mobile device and the authentication server, a protocol will be needed for the authentication server to inform the AP of the shared symmetric session key.

WiFi Authentication (5/5)
- Encrypted communication between mobile device and a remote host via the AP: this communication happens with the link-layer frames sent between the mobile device and the AP being encrypted using the shared session key created and distributed.
- AES symmetric key cryptography is typically used in practice.

WiFi Security Standards
- The original 802.11 security specification, known collectively as Wired Equivalent Privacy (WEP), contained a number of serious security flaws.
- WiFi Protected Access (WPA1) was developed in 2003 to overcome WEP’s security flaws.
- WPA1 soon gave way to WPA2, which mandated the use of AES symmetric key encryption.
- At the heart of WPA is a four-way handshake protocol that performs both mutual authentication and shared symmetric session-key derivation.
- WPA3 was released in June 2018 as an update to WPA2.

Four-way handshake Protocol (1/2)
- Mutual authentication and shared symmetric session-key derivation are accomplished in the first two steps of the four-way handshake.
- The other steps are used to derive a second key used for group communication.
- Both the mobile device (M) and the authentication server (AS) begin knowing a shared secret key K_AS-M (e.g., a password).
- They derive a shared symmetric session key, K_M-AP, which will be used to encrypt/decrypt frames.

Four-way handshake Protocol (2/2)
- First, the authentication server (AS) generates a nonce, Nonce_AS, and sends it to the mobile device.
- The mobile device, M, receives the nonce and generates its own nonce, Nonce_M. It then generates the symmetric shared session key, K_M-AP, and sends Nonce_M and a signed value that encodes Nonce_AS and K_AS-M.
- The session key, K_M-AP, is generated by M and AS using Nonce_AS, Nonce_M, K_AS-M, M’s MAC address, and AS’s MAC address.
- The AS informs the AP of this key value.

WiFi Vulnerability

WiFi Encryption
- WiFi communications are encrypted with the WEP (Wired Equivalent Privacy), WPA (WiFi Protected Access), or WPA2 protocol.
- RC4 is used for packet-based data encryption in both WEP and WPA.
- WPA2, on the other hand, uses the AES block cipher.
- WEP would be considered to be a highly unsafe protocol for use today in practically any context.

WiFi Authentication (1/2)
- Authentication is carried out with a Pre-Shared Key (PSK).
- A PSK is 10 manually specified hex digits for the case of WEP.
- For WPA and WPA2, the PSK is derived with a key derivation function from a shared secret passphrase/password.
- The passphrase becomes the shared secret amongst the allowed users of the WiFi router.
- WPA2-PSK is also referred to as WPA2-Personal for SOHO (small office and home) applications.
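
The first two handshake messages and the passphrase-to-PSK step can be run end to end. The following is an added example, not part of the lecture: the PSK derivation uses the WPA/WPA2-Personal function (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), while the session-key derivation and the "signed value" use HMAC-SHA256 as an assumed stand-in for the 802.11i functions, following the slide's simplified description. The SSID, MAC addresses and function names are constructed.

```python
import hashlib
import hmac
import secrets


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_session_key(k_as_m, nonce_as, nonce_m, mac_m, mac_as):
    """K_M-AP from the inputs the slide lists (HMAC-SHA256 is an assumption)."""
    material = b"K_M-AP" + nonce_as + nonce_m + mac_m + mac_as
    return hmac.new(k_as_m, material, hashlib.sha256).digest()


def proof(k_as_m, nonce_as, nonce_m):
    """The 'signed value': a MAC keyed with K_AS-M that binds both nonces."""
    return hmac.new(k_as_m, b"proof" + nonce_as + nonce_m, hashlib.sha256).digest()


def mobile_respond(k_as_m, nonce_as, mac_m, mac_as):
    """Message 2 (M -> AS): fresh Nonce_M plus proof of knowing K_AS-M."""
    nonce_m = secrets.token_bytes(32)
    key = derive_session_key(k_as_m, nonce_as, nonce_m, mac_m, mac_as)
    return nonce_m, proof(k_as_m, nonce_as, nonce_m), key


def server_verify(k_as_m, nonce_as, nonce_m, tag, mac_m, mac_as):
    """AS side: check the proof in constant time, then derive the same key."""
    if not hmac.compare_digest(tag, proof(k_as_m, nonce_as, nonce_m)):
        return None  # wrong passphrase, or a reply recorded for another nonce
    return derive_session_key(k_as_m, nonce_as, nonce_m, mac_m, mac_as)


def run_handshake(passphrase_m, passphrase_as, ssid="lab-net"):
    """Run messages 1 and 2; returns (key at M, key at AS or None)."""
    mac_m = bytes.fromhex("020000000001")    # constructed MAC addresses
    mac_as = bytes.fromhex("020000000002")
    k_m = derive_psk(passphrase_m, ssid)
    k_as = derive_psk(passphrase_as, ssid)
    nonce_as = secrets.token_bytes(32)       # message 1 (AS -> M)
    nonce_m, tag, key_m = mobile_respond(k_m, nonce_as, mac_m, mac_as)
    key_as = server_verify(k_as, nonce_as, nonce_m, tag, mac_m, mac_as)
    return key_m, key_as
```

Because the SSID is the salt, the same passphrase on two differently named networks yields different PSKs, and because both nonces enter the derivation, every handshake yields a different session key.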

WiFi Authentication (2/2)
- WPA2 can also be used in a more secure enterprise mode, in which case it is referred to as WPA2-Enterprise.
- Client authentication in WPA2-Enterprise is carried out on a per-user basis and also allows for 2-factor authentication and authentication with certificates.
- The authentication services in WPA2-Enterprise involve three agents: a client/supplicant, an authenticator/AP, and an authentication server for verifying the login credentials.

KRACK attack, 2017
- A serious vulnerability in the WPA2-PSK protocol was discovered, known as KRACK: Key Reinstallation AttaCK.
- The cause of the vulnerability was NOT a bug in an implementation of the protocol, but in the WiFi standard itself.
- This vulnerability is in the 4-way handshake that is used to establish a randomly generated key for AES-based encryption.
- The attack allows the platform to be tricked into (re)installing an all-zero encryption key.

RC4 in WEP (1/3)
- It is educational to see how RC4 was used in WEP and why that led to the demise of WEP.
- The WEP protocol requires each packet to be encrypted separately with its own RC4 key.
- If the same keystream is used for two different plaintext byte streams, an XOR of the corresponding ciphertext streams becomes independent of the keystream, and that can create a backdoor to extracting the plaintext stream from the ciphertext stream.

RC4 in WEP (2/3)
- The RC4 key for each packet is a simple concatenation of a 24-bit Initialization Vector (IV) and the root key (AP’s security code).
- While the root key remains fixed over all the packets, the value of the IV is incremented from one packet to the next.
- The official WEP standard only calls for 40 bits for the root key (10 hex characters), and there is also support for a 104-bit root key.
- The RC4 key for a packet is then used to encrypt the data followed by its ICV value.

RC4 in WEP (3/3)
- The problem is that the root key remains fixed for long periods of time (in home use, people almost never change their root keys) and the IV has only 24 bits in it.
- This implies that distinct keystreams can be generated for only 2^24 (around 16 million) different packets.
- This implies that the same keystream will be used for different packets in a long session.
- Since the IV is sent in plaintext, anyone with a packet sniffer can directly see the first three bytes (IV) of the RC4 key used for a packet.

WPA
- WPA provides enhanced security because it uses a 48-bit Initialization Vector.
- WPA is merely a slightly more secure wrapper around WEP and suffers from the same basic RC4-based weaknesses as WEP.
- WPA2 does NOT use RC4; instead it uses AES in the Counter mode (CTR).

WEP Attacks

FMS Attack, 2001
- The FMS attack is named after Fluhrer, Mantin, and Shamir, from their publication “Weaknesses in Key Scheduling Algorithm of RC4”.
- The attack describes how to guess the key bytes when the 3-byte Initialization Vector satisfies certain properties, but the attack requires a large amount of data (4 million packets).
- In 2004, this attack was made stronger, so that the key bytes could be guessed with about 500,000 packets (KoreK attack).

Klein Attack, 2008 (1/3)
- The Klein attack is for figuring out the WEP root key.
- This attack is based on combinatorial analysis of the pseudorandom sequence produced by the RC4 algorithm.
- It was shown that strong correlations exist in the byte sequence produced by the pseudorandom byte generation algorithm.
- The attack proposed by Klein is a plaintext-ciphertext attack.
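
The keystream-reuse property from the RC4 in WEP slides can be checked directly. The following is an added example, not part of the lecture: it builds the per-packet RC4 key as IV followed by root key, encrypts data plus its CRC-32 ICV, shows that two frames with the same IV XOR to the XOR of their plaintexts, and flags repeated IVs in a capture. The root key, IVs and payloads are constructed values.

```python
import zlib
from collections import defaultdict

IV_SPACE = 2 ** 24  # a 24-bit IV allows only 16,777,216 distinct keystreams


def rc4_keystream(key, n):
    """Standard RC4: key scheduling, then n bytes of pseudorandom output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key, iv, data):
    """Per-packet key = IV || root key; encrypts data || ICV; IV sent in clear."""
    icv = (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")
    plaintext = data + icv
    keystream = rc4_keystream(iv + root_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def xor_of_payloads(frame_a, frame_b):
    """XOR of the encrypted parts of two frames (the 3-byte IV is skipped)."""
    return xor(frame_a[3:], frame_b[3:])


def find_iv_reuse(frames):
    """Map each IV seen more than once to the indices of frames that used it."""
    by_iv = defaultdict(list)
    for index, frame in enumerate(frames):
        by_iv[frame[:3]].append(index)
    return {iv: idx for iv, idx in by_iv.items() if len(idx) > 1}


def sample_capture():
    """Constructed capture: three frames, the third repeating the first IV."""
    root_key = bytes.fromhex("0102030405")          # 40-bit root key
    p1 = b"ARP who-has 10.0.0.1"
    p2 = b"ARP who-has 10.0.0.7"
    frames = [
        wep_encrypt(root_key, b"\x00\x00\x01", p1),
        wep_encrypt(root_key, b"\x00\x00\x02", p2),
        wep_encrypt(root_key, b"\x00\x00\x01", p2),  # IV counter has wrapped
    ]
    return frames, p1, p2


if __name__ == "__main__":
    frames, p1, p2 = sample_capture()
    print("reused IVs:", find_iv_reuse(frames))
    print("keystream cancels:", xor_of_payloads(frames[0], frames[2])[:len(p1)] == xor(p1, p2))
```

The same IV grouping works on a real capture as a quick audit for IV wrap-around; the remedy is the one the slides give, moving off WEP to WPA2.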

Klein Attack, 2008 (2/3)
- An easy way to collect the needed plaintext-ciphertext pairs is for the attacker’s wireless interface to send a large number of repeated ARP (Address Resolution Protocol) requests to the wireless AP being attacked and collect the response packets to be harvested.
- The attacker can make good guesses for the fields that come before the “Data” field even if it is encrypted.
- These plaintext bytes can be XOR’ed with the ciphertext bytes to recover several initial bytes of the pseudorandom sequence that was generated by the RC4 algorithm.

Klein Attack, 2008 (3/3)
- For WEP, the first three bytes of the key used for each packet are the three bytes of the Initialization Vector that is transmitted in plaintext.
- To apply the Klein attack to WEP, you start with knowing the first three bytes of the key and then use Klein’s recursive reasoning to figure out the bytes of the root key.

PTW Attack, 2007
- The publication is “Breaking 104 Bit WEP in Less Than 60 Seconds” by Tews, Weinmann, and Pyshkin.
- This attack removed an important shortcoming of the Klein attack: the need to calculate the key bytes recursively.
- The key bytes are calculated independently.
- Although it is incredibly fast and does not require much data, the main limitation of PTW is that it can only crack 40 and 104 bit keys.

aircrack-ng tool
- aircrack-ng is a tool for recovering the WEP encryption key in under a minute.
- The tool gets a wireless interface to establish fake associations and fake authentications with the attacked access point.
- Then, the wireless interface mounts a replay attack on the attacked access point for the purpose of acquiring a large number of ARP packets with different initialization vectors.
Before the Attack
Identify the AP MAC address and the channel it is using (iwlist command).
Create a Monitor Mode version of the wireless interface, which usually operates in Managed Mode. This mode allows capturing packets going to and coming off an AP without having to associate with it (airmon-ng command).
Supply the wireless interface created in Monitor Mode with a MAC address that is distinct from that of the Managed Mode wireless interface (macchanger command).
A script (StartMonitorModeInterface.sh) is provided that packages the various steps.

The Attack Steps
Step 1: As root, execute the shell script StartMonitorModeInterface.sh
Step 2: In a separate window, execute the following command as root to inject and replay the ARP packets:
    aireplay-ng -2 -p 6000 -c FF:FF:FF:FF:FF:FF -b xx:xx:xx:xx:xx:xx -h 00:11:22:33:44:55 mon0
Step 3: Both windows will show a continuously changing readout. After capturing a large enough collection of packets (say, around 100,000 packets), kill both of those jobs and execute as root:
    aircrack-ng -b xx:xx:xx:xx:xx:xx mydumpfile-01.cap

Assignment 3
How to set a WiFi authentication server (RADIUS or DIAMETER)?
Wireshark ARP lab
aircrack-ng assignment

Network Security Lecture 05: Email Security
Prof. Dr. Sahar M. Ghanem, Associate Professor, Computer & Systems Engineering Dept., Faculty of Engineering, Alexandria University

Outline
Email Security Overview
Pretty Good Privacy (PGP)
Email Standards
SPAM

Email Security Overview

e-mail components
e-mail is an asynchronous communication medium: people send and read messages when it is convenient for them, without having to coordinate with other people’s schedules.
A high-level view of the Internet mail system has three major components: user agents, mail servers, and the Simple Mail Transfer Protocol (SMTP).

User Agents (1/2)
User agents allow users to read, reply to, forward, save, and compose messages. Examples include Microsoft Outlook, Apple Mail, Web-based Gmail, the Gmail App running in a smartphone, … When the sender is finished composing her message, her user agent sends the message to her mail server, where the message is placed in the mail server’s outgoing message queue. When the receiver wants to read a message, his user agent retrieves the message from his mailbox in his mail server.

User Agents (2/2)
If the sender’s server cannot deliver the email, it holds the message in a message queue and attempts to transfer the message later. Reattempts are often done every 30 minutes. If there is no success after several days, the server removes the message and notifies the sender with an e-mail message.

SMTP (1/5)
SMTP (RFC 5321, 1982) is the principal application-layer protocol for Internet electronic mail. It uses the reliable data transfer service of TCP to transfer mail from the sender’s mail server to the recipient’s mail server. Both the client and server sides of SMTP run on every mail server. When a mail server sends mail to other mail servers, it acts as an SMTP client. When a mail server receives mail from other mail servers, it acts as an SMTP server.

SMTP (2/5)
SMTP restricts the body (not just the headers) of all mail messages to simple 7-bit ASCII. It requires binary multimedia data to be encoded to ASCII before being sent over SMTP; and it requires the corresponding ASCII message to be decoded back to binary after SMTP transport.
SMTP does not use intermediate mail servers for sending mail, even when the two mail servers are located at opposite ends of the world.

SMTP (3/5)
The client SMTP has TCP establish a connection to port 25 at the server SMTP. Once this connection is established, the server and client perform some application-layer handshaking to introduce themselves before transferring information. SMTP can count on the reliable data transfer service of TCP to get the message to the server without errors. Example conversation: the hostname of the client is crepes.fr and the hostname of the server is hamburger.edu.

SMTP (4/5)
As part of the dialogue, the client issued five commands: HELO, MAIL FROM, RCPT TO, DATA, and QUIT. You can use telnet to carry out a direct dialogue with an SMTP server:
    telnet serverName 25
When an e-mail message is sent, a header containing peripheral information precedes the body of the message itself. Each header line contains readable text, consisting of a keyword followed by a colon followed by a value. Every header must have a From: header line and a To: header line; it may include a Subject: header line as well as other optional header lines.

SMTP (5/5)
The sender’s user agent uses SMTP or HTTP to deliver the e-mail message into her mail server; the mail server then uses SMTP to relay the e-mail message to the receiver’s mail server. If the receiver is using Web-based e-mail, then the user agent will use HTTP to retrieve the e-mail, and in this case the receiver’s server must have an HTTP interface as well as an SMTP interface. The alternative method is to use the Internet Mail Access Protocol (IMAP).
e-mail confidentiality (1/2)
e-mail security features are confidentiality, sender authentication, message integrity, and receiver authentication. For confidentiality, assuming public keys are available, the sender (Alice)
(1) selects a random symmetric session key, $K_S$,
(2) encrypts her message, $m$, with the symmetric key,
(3) encrypts the symmetric key with the receiver’s (Bob’s) public key, $K_B^+$,
(4) concatenates the encrypted message and the encrypted symmetric key to form a “package,” and
(5) sends the package to Bob’s e-mail address.

e-mail confidentiality (2/2)
When the receiver (Bob) receives the package, he
(1) uses his private key, $K_B^-$, to obtain the symmetric key, $K_S$, and
(2) uses the symmetric key $K_S$ to decrypt the message $m$.

e-mail sender authentication and message integrity (1/2)
Sender authentication and message integrity are provided using digital signatures and message digests. The sender (Alice)
(1) applies a hash function, $H$, to her message, $m$, to obtain a message digest,
(2) signs the result of the hash function with her private key, $K_A^-$, to create a digital signature,
(3) concatenates the original (unencrypted) message with the signature to create a package, and
(4) sends the package to the receiver’s (Bob’s) e-mail address.

e-mail sender authentication and message integrity (2/2)
When the receiver (Bob) receives the package, he
(1) applies the sender’s (Alice’s) public key, $K_A^+$, to the signed message digest and
(2) compares the result of this operation with his own hash, $H$, of the message.
An e-mail system that provides confidentiality, sender authentication, and message integrity can be built by combining the two procedures.
Public Key Distribution
The previous design requires Alice to obtain Bob’s public key, and requires Bob to obtain Alice’s public key. A popular approach for securely distributing public keys is to certify the public keys using a CA.

Pretty Good Privacy (PGP)
Written by Phil Zimmermann in 1991, PGP uses MD5 or SHA for calculating the message digest; CAST, triple-DES, or IDEA for symmetric key encryption; and RSA for the public key encryption. When PGP is installed, the software creates a public key pair for the user. The public key can be posted on the user’s Web site or placed in a public key server. The private key is protected by the use of a password.

PGP Web of Trust
PGP provides a mechanism for public key certification that is quite different from the more conventional CA. PGP public keys are certified by a web of trust. Alice herself can certify any key/username pair when she believes the pair really belong together. In addition, Alice can say that she trusts another user to vouch for the authenticity of more keys. Users physically gather, exchange public keys, and certify each other’s keys by signing them with their private keys.

Pretty Good Privacy

Pretty Good Privacy (PGP)
Originally by Phil Zimmermann. OpenPGP has now become an open-source standard (RFC 4880). It is used for email security and for protecting data in long-term storage. GPG (Gnu Privacy Guard) is an implementation of OpenPGP.

Data Protection
To encrypt a file:
    gpg --cipher-algo AES256 -c myinfo.txt
You will be prompted for a passphrase. The output will be placed in a file named myinfo.txt.gpg. Remove the file using secure remove (srm). You can decrypt the encrypted file with:
    gpg myinfo.txt.gpg
PGP Services (1/2)
Authentication: Sender authentication consists of the sender attaching his/her digital signature to the email and the receiver verifying the signature using public-key cryptography (attached or detached signature), using RSA/SHA or DSS/SHA.
Confidentiality: There is a choice of three different block-cipher algorithms, CAST-128 (default), IDEA, or 3DES, used in the Cipher Feedback Mode (CFB). The encryption key (session key) is generated for each email message separately. The session key is encrypted using RSA with the receiver’s public key or established using the ElGamal variant of the Diffie-Hellman algorithm.

PGP Services (2/2)
If confidentiality and authentication are needed simultaneously, a digital signature for the message is generated using the hash code of the message plaintext and prepended to the email message before it is encrypted with the session key.
Compression: by default, PGP compresses the email message after appending the signature but before encryption, using the ZIP algorithm.
Email compatibility: PGP uses Base64 encoding for network message transmission that is character oriented.
Segmentation: many email systems place restrictions on how much of the message will be transmitted as a unit. PGP has built-in facilities for such segmentation and re-assembly.

PGP Key Management (1/3)
People are expected to have multiple public and private keys. How does the recipient know which public key of his own is used and which of the corresponding public keys of the sender to use? Having the sender send along the public keys is wasteful of space. The PGP protocol uses relatively short key identifiers (key ID).
Every PGP agent maintains its own list of paired private/public keys in what is known as the “Private Key Ring”, and a list of the public keys for all its email correspondents in what is known as the “Public Key Ring”.

PGP Key Management (2/3)
The key ID associated with a public key consists of its least significant 64 bits (16 hex characters). The private keys in the table are stored in an encrypted form. The encryption algorithm asks the user to enter a passphrase that is hashed with SHA-1 to yield a 160-bit hash code. The first 128 bits of the hash code are used as the encryption key by the CAST-128 algorithm. The fields Producer Trust, Key Legitimacy, and Certificate Trust are used to assess how much trust to place in the public keys belonging to other people. The PGP Web of Trust (bottom-up) is used for authenticating the binding between a public key and its owner (full, partial, and none express the degree of trust).

PGP Key Management (3/3)
For proper operation of the web of trust, it is important that everyone who signs a public key for another submits the signature to a central key server. The Certificate Trust field indicates how much trust a user wants to place in the entry in the Certificate field. For a given public key, the value for the Key Legitimacy field is automatically derived by PGP from the value(s) stored for the Certificate Trust field(s) and a predefined weight for each symbolic value for certificate trust.

PGP tool
Free publicly available PGP keyservers exist at various places around the world: http://pgp.mit.edu/faq.html
Key generation command:
    gpg --gen-key
The public and private keys that are generated are deposited in the files pubring.gpg and secring.gpg of the .gnupg directory. The trust file is created in this directory and is called trustdb.gpg.
You can upload your public key to this server by:
    gpg --keyserver pgp.mit.edu --send-keys your_8_char_KeyID

E-mail Standards

Internet Mail Architecture
Agents:
    Message User Agent (MUA)
    Mail Submission Agent (MSA)
    Message Transfer Agent (MTA)
    Mail Delivery Agent (MDA)
    Message Store (MS)
SMTP: Simple Mail Transfer Protocol (Extended SMTP (ESMTP)), TCP port 25
Mail Access Protocols:
    POP3: Post Office Protocol (POP3) (TCP port 110)
    IMAP: Internet Mail Access Protocol (IMAP) (TCP port 143)

E-mail Format
The e-mail format specification is RFC 5322 (Internet Message Format, 2008). Multipurpose Internet Mail Extension (MIME) is an extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of SMTP and RFC 5322. Secure/MIME (S/MIME) is a security enhancement to the MIME Internet e-mail format standard.

SPAM

SPAM
Spam may try to steal information from your computer or turn it into a spambot for spreading even more spam. Another kind of spam consists of email generated by legitimate businesses and organizations that you either have no interest in reading or have no time for following up on. Spam filters that carry out a statistical analysis of email to decide whether or not it is spam are called Bayesian filters. More effective spam filters can be designed with tools that carry out regular-expression based processing of email messages.

Procmail (1/2)
The most popular program that is used as an MTA is known as Sendmail.
Other MTAs include MMDF, Postfix, Smail, Qmail, Zmailer, Exchange, … When an MDA is used, its job is to apply any applicable filters to the email before sending the messages to the clients in the local network. On Linux/Unix platforms, the most commonly used MDAs are Procmail and Deliver. These filters may be at the system level, in which case they can affect all users, or at the level of individual users.

Procmail (2/2)
On Linux, the filters used by the MDA take the form of recipes that are placed in a file named .procmailrc. After the email is deposited in a user mailbox, it may be read by the user with the help of an MUA. Widely used examples of MUAs are Thunderbird, MH, Pine, Elm, Mutt, Outlook, Eudora, Evolution, …

Structure of an Email Message
Envelope: consists of the “conversation” that takes place between a sender MTA and a receiver MTA. It contains the “Envelope From” address.
Header: contains the “From:”, “To:”, “Cc:”, etc., information. It has the “Header From” address.
Body: carries the message of the email.
Spam filter rules can be based on just the header, or just the body, or both. The reason bad guys are so fond of using email to spread malware is that it has been so easy to fake the headers in the messages.

Email Authentication Protocols
SPF (Sender Policy Framework)
DKIM (Domain Keys Identified Mail)
DMARC (Domain-based Message Authentication Reporting and Conformance)

DNS TXT
Email authentication protocols depend on the TXT records in DNS servers. A TXT record stored in a DNS server is any information that a domain administrator wants to make available regarding their domain.
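How a receiving MTA can act on such TXT records is sketched here as an added example, not code from the lecture: it evaluates an SPF record against the connecting IP address, compares the “Envelope From” and “Header From” domains, and applies the policy published in the DMARC record. The TXT records, domains and addresses are constructed; only the ip4/ip6 and all SPF mechanisms are handled, alignment is an exact domain match, and DKIM is not modelled.

```python
import ipaddress

# Constructed TXT records (documentation domains and RFC 5737 address ranges).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, record):
    """Evaluate an SPF TXT record left to right; the first matching term wins."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # a, mx, include, ... need further DNS lookups and are skipped here.
    return "neutral"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; empty if not a DMARC record."""
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def evaluate(client_ip, envelope_from, header_from, txt=TXT):
    """Return the SPF result, the alignment check and the resulting action."""
    env_dom, hdr_dom = domain_of(envelope_from), domain_of(header_from)
    spf = check_spf(client_ip, txt.get(env_dom))
    aligned = env_dom == hdr_dom
    policy = parse_dmarc(txt.get("_dmarc." + hdr_dom)).get("p", "none")
    if spf == "pass" and aligned:
        action = "deliver"
    else:
        # The policy is the one published by the domain shown in "Header From".
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"spf": spf, "aligned": aligned, "policy": policy, "action": action}


if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "billing@example.com", "billing@example.com"),
        ("203.0.113.9", "bounce@example.net", "ceo@example.com"),
        ("203.0.113.9", "ceo@example.com", "ceo@example.com"),
        ("198.51.100.99", "news@example.net", "news@example.net"),
    ]
    for case in cases:
        print(case, evaluate(*case))
```

The second case is the one SPF alone misses: the envelope domain passes its own SPF check, and only the comparison with the “Header From” domain exposes the forged header.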
SPF
SPF (Sender Policy Framework) is a protocol that allows an organization to specify who is allowed to send email on behalf of the domain to which the organization belongs by placing appropriate entries in the DNS servers. An organization that wants to use SPF for its outgoing email has to create an “SPF TXT” record in the DNS server that is the authoritative name server for the domain of the organization. Through the record, it declares that any email emanating from the domain will come from the IPv4 addresses listed in the record. The adoption of SPF appears to be more widespread than that of DKIM.

DKIM
In an email exchange between two servers, DKIM (Domain Keys Identified Mail) allows the receiving server to carry out cryptographic authentication of the fact that the email was actually sent by the sending server. The basic purpose of a DKIM TXT record is to store the public key that a sending MTA has used for digitally signing the hash of a designated field in the email being processed by the receiving MTA. The MTA can authenticate the email since the signature is based on just the headers and since the DKIM header includes the signature.

DMARC
The purpose of the DMARC (Domain-based Message Authentication Reporting and Conformance) protocol is to verify that the domain in the “Envelope From” is the same as the domain in the “Header From” (referred to as “domain alignment”). DMARC can carry out the check both on the basis of SPF and on the basis of DKIM. The DMARC protocol also states a policy as to what the receiving MTA should do with an email should its SPF and DKIM based verifications fail. The DMARC policy states whether such an email should be rejected, or be declared as spam while being forwarded to its recipient, or whether the verification failure should just be ignored.

Assignment
How to telnet gmail SMTP server?
What is the difference between S/MIME and PGP? How to use S/MIME?
Procmail for filtering spam
PGP for Gmail using Mailvelope: You can follow the steps in How to Use PGP Encryption With Gmail and Other Web Email With Mailvelope (YouTube).

Network Security Lecture 06: Anonymity Services
Prof. Dr. Sahar M. Ghanem, Associate Professor, Computer & Systems Engineering Dept., Faculty of Engineering, Alexandria University

Outline
Prerequisites: SOCKS; TLS; Privoxy
Tor Features
Cells, Circuits, and Streams
Integrity Checking
Passive and Active Attacks
Tor in Linux
Blocking Tor

Prerequisites

Firewalls
Firewalls can be designed to operate at any of the following three layers:
1) Transport Layer: for example, packet filtering with iptables
2) Application Layer: for example, an HTTP proxy
3) The layer between the Application Layer and the Transport Layer (called the shim layer): for example, a SOCKS proxy
A shim layer proxy server can monitor all session requests that are routed through it in an application-independent manner to check the requested sessions for their legitimacy.

SOCKS (1/4)
RFC 1928. A SOCKS server, serving as a firewall, would require direct connectivity to the internet, and the local intranet can “hide” behind it. It is also referred to as an anonymizing proxy. SOCKS makes it easy to apply ACL (Access Control List) rules to the traffic emanating from the LAN, and makes it easy to centrally log all internet-bound traffic and to cache web services.

SOCKS (2/4)
SOCKS, an abbreviation of “SOCKetS”, consists of two components: a SOCKS client and a SOCKS server. The socks client is implemented between the application layer and the transport layer (referred to as socksifying the client call).
The socks server is implemented at the application layer and usually runs on port 1080. The socks server checks the session request made by the socksified LAN client for its legitimacy and then forwards the request to the server on the internet. Any response received back from the server is forwarded back to the LAN client.

SOCKS (3/4)
Port forwarding/tunneling: the SOCKS gateway receives its incoming LAN-side requests on a single port and then forwards the requests onwards into the internet to specific ports on specific internet hosts. It replaces the source IP address with its own IP address, similar to NAT (network address translation).
SOCKS5 features:
    built-in support for a variety of authentication methods
    includes support for UDP
    able to move DNS name resolution to the proxy server

SOCKS (4/4)
Dante, available from http://www.inet.no/dante/, is a popularly used implementation of the socks protocol.
    socksify name_of_your_client_application
How to socksify a web browser?

Public proxy servers
https://www.proxynova.com/proxy-server-list/
Any proxy server listed can be used with a software application that supports the use of proxies, such as a web browser. The most popular uses of proxies include hiding your real IP address, disguising your geographic location, and accessing blocked websites.

TLS
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over the Internet. It is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible. The TLS protocol aims primarily to provide security, including confidentiality, integrity, and authenticity, through the use of certificates.
Privoxy
Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads. Privoxy has a flexible configuration and can be customized to suit different needs.

TOR

Introduction
Onion Routing is a distributed overlay network designed to anonymize TCP-based applications like web browsing, secure shell, and instant messaging. Clients choose a path through the network and build a circuit, in which each node (or “onion router” or “OR”) in the path knows its predecessor and successor, but no other nodes in the circuit. Tor seeks to frustrate attackers from linking communication partners, or from linking multiple communications to or from a single user. It uses a very clever interplay between the RSA and the DH (Diffie-Hellman) public-key cryptography.

Tor Features (1/3)
Perfect forward secrecy: The attack is a hostile node recording traffic and later compromising successive nodes in the circuit and forcing them to decrypt it. The solution is that the initiator negotiates DH session keys with each successive hop in the circuit, and those keys are deleted after the session.
Separation of “protocol cleaning” from anonymity: Tor uses the SOCKS proxy interface, allowing the support of most TCP-based programs without modification.
Leaky-pipe circuit topology: Tor initiators can direct traffic to nodes partway down the circuit, which allows traffic to exit the circuit from the middle to avoid traffic shape and volume attacks.

Tor Features (2/3)
Directory servers: Trusted nodes act as directory servers and provide signed directories describing known routers and their current state. Users periodically download them via HTTP.
Variable exit policies: Each node advertises a policy describing the hosts and ports to which it will connect.
Rendezvous points and hidden services: Tor provides a mechanism for responder anonymity where clients negotiate rendezvous points to connect with hidden servers.

Tor Features (3/3)
Many TCP streams can share one circuit
End-to-end integrity checking
Congestion control
No mixing, padding, or traffic shaping

The Tor Design
The Tor network is an overlay network. Each onion router (OR) maintains a TLS connection to every other OR. Each user runs an onion proxy (OP) to fetch directories, establish circuits, and handle connections from user applications. Each OR maintains a long-term identity key (ID key) and a short-term onion key. The ID key is used for signatures. The onion key is used to set up a circuit and negotiate ephemeral keys.

Cells (1/2)
Traffic passes along in fixed-size cells of 512 bytes, each consisting of a header and a payload. Cells are either control cells or relay cells. The header includes a circuit identifier (circID) and a command. Each single circuit has a different circID on each OP/OR or OR/OR connection it traverses. The control cell commands are: padding; create or created; and destroy.

Cells (2/2)
Many TCP streams can be multiplexed over a circuit. Relay cells have an additional header containing a streamID, a checksum, the length of the payload, and a relay command. The contents of the relay header and cell payload are encrypted or decrypted together as the cell moves along the circuit, using AES in counter chaining mode. The relay commands are: relay data, relay begin, relay end, relay teardown, relay connected, relay extend and relay extended, relay truncate and relay truncated, relay sendme and relay drop.
Circuits and Streams
Each circuit can be shared by many TCP streams. To limit linkability, users’ OPs build a new circuit periodically (once a minute). A user’s OP constructs circuits incrementally, negotiating a symmetric key with each OR on the circuit, one hop at a time. Circuits are built in the background; therefore, OPs can recover from failed circuit creation without delaying streams. Except for the user’s OP (onion proxy), the routing knowledge at any single node on a path is limited to exactly two nodes, the immediately preceding node and the immediately following node.

Constructing a circuit (1/3)
1. To begin creating a new circuit, the OP (call her Alice) sends a create cell to the first node in her chosen path (call him Bob).
2. She chooses a new circID $C_{AB}$, and the payload contains the first half of the Diffie-Hellman handshake ($g^{x_1}$), encrypted to the onion key of the OR (Bob).
3. Bob responds with a created cell containing the second half of the DH handshake ($g^{y_1}$), along with a hash of the negotiated key $K_1 = g^{x_1 y_1}$. The negotiated key is used to derive two symmetric keys, one for each direction.
4. Alice and Bob can send one another relay cells encrypted with the negotiated key.

Constructing a circuit (2/3)
1. To extend the circuit, Alice sends a relay extend cell to Bob, specifying the address of the next OR (Carol), and an encrypted $g^{x_2}$ for her.
2. Bob copies the half handshake into a create cell, and passes it to Carol (choosing circID $C_{BC}$).
3. When Carol responds with a created cell, Bob wraps the payload into a relay extended cell and passes it back to Alice.
4. Alice and Carol share a common key $K_2 = g^{x_2 y_2}$.
5. To extend the circuit to a third node or beyond, Alice proceeds as above, always telling the last node in the circuit to extend one hop further.
Constructing a circuit (3/3)
The circuit-level handshake protocol achieves unilateral entity authentication (Alice knows she’s handshaking with the OR, but the OR doesn’t care who is opening the circuit).
    Alice --> Bob : $E_{PK_{Bob}}(g^x)$
    Bob --> Alice : $g^y,\ H(K \mid \text{“handshake”})$

Relay Cells (1/2)
To construct a relay cell addressed to a given OR, Alice iteratively encrypts the cell payload with the symmetric key of each hop up to that OR. Upon receiving a relay cell, an OR looks up the corresponding circuit, and decrypts the relay header and payload with the session key for that circuit. Because the streamID is encrypted to a different value at each step, only at the targeted OR will it have a meaningful value. If the OR recognizes the streamID, it accepts the relay cell; otherwise, it looks up the circID and OR for the next step, replaces the circID, and sends the decrypted relay cell to the next OR.

Relay Cells (2/2)
Alice may choose different exit points because of their exit policies, or to keep the ORs from knowing that two streams originate from the same person. When an OR later replies to Alice with a relay cell, it encrypts the cell’s relay header and payload with the single key it shares with Alice, and sends the cell back toward Alice along the circuit. Subsequent ORs add further layers of encryption as they relay the cell back to Alice.

Tear down a circuit
Alice sends a destroy control cell. Each OR in the circuit receives the destroy cell, closes all streams on that circuit, and passes a new destroy cell forward. To tear down a circuit incrementally, Alice can send a relay truncate cell to a single OR on a circuit. That OR then sends a destroy cell forward, and acknowledges with a relay truncated cell.
Alice can extend the circuit to different nodes, without signaling to the intermediate nodes. Similarly, if a node on the circuit goes down, the adjacent node can send a relay truncated cell back to Alice.

Opening and closing streams (1/2)
When Alice’s application wants a TCP connection to a given address and port, it asks the OP (via SOCKS) to make the connection. The OP chooses the newest open circuit (or creates one if none is available), and chooses a suitable OR on that circuit to be the exit node. Closing a Tor stream uses a two-step handshake for normal operation, or a one-step handshake for errors.

Opening and closing streams (2/2)
Some applications pass the alphanumeric hostname to the Tor client, while others resolve it into an IP address first and then pass the IP address to the Tor client. If the application does DNS resolution first, Alice thereby reveals her destination to the remote DNS server. The use of privacy-aware proxies like Privoxy wherever possible is encouraged.

Integrity checking on streams
Tor uses TLS on its links; its integrity checking protects data from modification by external adversaries, but Tor also needs to protect against insider attacks. When Alice negotiates a key with a new hop, they each initialize a SHA-1 digest with a derivative of that key. From then on they each incrementally add to the SHA-1 digest the contents of all relay cells they create, and include with each relay cell the first four bytes of the current digest. Each also keeps a SHA-1 digest of data received, to verify that the received hashes are correct.

Other design techniques
Rate limiting and fairness
Congestion control
Rendezvous Points and hidden services
Resource management and denial of service
Exit policies and abuse
Directory Servers
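The running digest from “Integrity checking on streams”, combined with the layered encryption from the “Relay Cells” slides, is shown here as an added example that is not code from the lecture or from Tor. Assumptions: the hop keys are constructed constants (in Tor they come from the DH handshake), a SHA-256 counter keystream stands in for AES, cells are 68 bytes rather than 512, and an OR accepts a cell when the four digest bytes match instead of checking a streamID.

```python
import hashlib

BODY_LEN = 64  # constructed size for the demo; the lecture's cells are 512 bytes


class HopState:
    """What one end keeps per hop: a cipher position and a running SHA-1 digest."""

    def __init__(self, key: bytes):
        self.key = key
        self.block = 0
        # The digest is initialised with a derivative of the negotiated key.
        self.digest = hashlib.sha1(hashlib.sha256(b"digest" + key).digest())

    def crypt(self, data: bytes) -> bytes:
        """XOR with a keystream whose position carries over from cell to cell,
        so Alice and the OR only agree while they have seen the same cells."""
        stream = b""
        while len(stream) < len(data):
            stream += hashlib.sha256(self.key + self.block.to_bytes(8, "big")).digest()
            self.block += 1
        return bytes(a ^ b for a, b in zip(data, stream))


def make_circuit(n_hops=3):
    """Return (Alice's per-hop states, the ORs' own states) for constructed keys."""
    keys = [bytes([i + 1]) * 16 for i in range(n_hops)]
    return [HopState(k) for k in keys], [HopState(k) for k in keys]


def build_relay_cell(alice_hops, target, data):
    """Tag the body with the target hop's running digest, then add one
    encryption layer per hop, innermost layer for the target OR."""
    body = data.ljust(BODY_LEN, b"\x00")
    state = alice_hops[target]
    state.digest.update(body)
    cell = state.digest.digest()[:4] + body
    for hop in reversed(alice_hops[: target + 1]):
        cell = hop.crypt(cell)
    return cell


def relay(or_hops, cell, tamper_at=None):
    """Each OR removes its layer and accepts the cell only if the four digest
    bytes match its own running digest. tamper_at makes that OR flip one bit
    before forwarding. Returns (accepting hop, data) or (None, None)."""
    for index, hop in enumerate(or_hops):
        cell = hop.crypt(cell)
        tag, body = cell[:4], cell[4:]
        trial = hop.digest.copy()          # do not commit until the tag matches
        trial.update(body)
        if trial.digest()[:4] == tag:
            hop.digest = trial
            return index, body.rstrip(b"\x00")
        if tamper_at == index:
            cell = cell[:10] + bytes([cell[10] ^ 0x01]) + cell[11:]
    return None, None


def demo():
    results = {}
    alice, ors = make_circuit()
    results["exit"] = relay(ors, build_relay_cell(alice, 2, b"GET /index.html"))
    results["middle"] = relay(ors, build_relay_cell(alice, 1, b"leaky-pipe exit"))
    results["exit_again"] = relay(ors, build_relay_cell(alice, 2, b"second cell"))

    alice, ors = make_circuit()            # a hostile first hop modifies the cell
    results["tampered"] = relay(ors, build_relay_cell(alice, 2, b"GET /index.html"), tamper_at=0)
    results["after_tamper"] = relay(ors, build_relay_cell(alice, 2, b"next cell"))

    alice, ors = make_circuit()            # the same cell delivered twice
    cell = build_relay_cell(alice, 2, b"pay 10")
    results["first_copy"] = relay(ors, cell)
    results["replayed_copy"] = relay(ors, cell)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Once a cell has been modified, the two running digests never agree again, so every later cell on that circuit is rejected as well and the circuit has to be torn down and rebuilt.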
Threat Model
A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs.
Tor does not protect against such a strong adversary.
Instead, the assumed adversary can observe some fraction of network traffic; can generate, modify, delete, or delay traffic; can operate onion routers of his own; and can compromise some fraction of the onion routers.

Passive attacks (1/2)
Observing user traffic patterns: observing a user's connection will not reveal her destination or data, but it will reveal traffic patterns.
Observing user content: connections to responders may not be encrypted. The recommendation is to use Privoxy.
Option distinguishability: clients who are in the minority may lose more anonymity.
End-to-end timing correlation: Tor only minimally hides such correlations, but running the OP on the Tor node or behind a firewall provides protection.

Passive attacks (2/2)
End-to-end size correlation: the leaky pipe topology provides limited protection.
Website fingerprinting: multiplexing streams within the same circuit provides limited protection.

Active attacks (1/2)
Compromise keys: periodic key rotation limits the window of opportunity for these attacks.
Iterated compromise: building circuits that cross jurisdictions can make legal coercion harder (jurisdictional arbitrage).
Run a recipient: use Privoxy.
Run an onion proxy: compromising an onion proxy compromises all future connections through it.
DoS non-observed nodes: the best defense is robustness.
Run a hostile OR: if an adversary controls m > 1 out of N nodes, he can correlate at most (m/N)^2 of the traffic in this way.

Active attacks (2/2)
Introduce timing into messages
Tagging attacks: integrity checks on cells prevent this attack.
Replace contents of unauthenticated protocols: clients should prefer protocols with end-to-end authentication.
Replay attacks: Tor is not vulnerable to replay attacks.
Smear attacks: the network requires volunteers who can tolerate some political heat.
Distribute hostile code: all Tor releases are signed with an official public key and provided in source code form.

Directory attacks
Destroy directory servers: if more than half are destroyed, human intervention will be necessary.
Subvert a directory server: ORs are included or excluded by majority vote.
Subvert a majority of directory servers.
Encourage directory server dissent: could split the quorum into mutually hostile camps, thus partitioning users.
Trick the directory servers into listing a hostile OR: directory server operators should be able to filter out most hostile ORs.
Convince the directories that a malfunctioning OR is working: directory servers must actively test ORs by building circuits and streams as appropriate.

Tor in Linux

Tor in Linux (1/2)
http://www.torproject.org
Download the "tor" package. The download installs:
tor
tor-geoipdb: contains the mapping from IP address prefixes to different countries
torsocks: shell script to interact with the OP (installed at /usr/bin/torsocks)
The Tor SOCKS proxy server (Onion Proxy/OP) runs at port 9050.

Tor in Linux (2/2)
Customize the Tor config file, which is located at /etc/tor/torrc.
Before editing the file, generate a hash of the password you plan to use to limit access to the OP:
tor --hash-password your_password
Use the returned hash value to make changes to the config file.
The torouter package can be installed for Tor to act as a Tor relay.
You can configure Tor to run as a bridge by making changes to the config file /etc/tor/torrc.
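The DNS-resolution point from "Opening and closing streams (2/2)" is visible in the SOCKS5 request an application sends to the OP on port 9050: the address-type byte says whether a hostname or an already-resolved IP address was passed. This parser is an added example, not part of the lecture; the sample requests are constructed and use documentation addresses.

```python
import ipaddress
import struct


def parse_socks5_connect(request: bytes) -> dict:
    """Parse a SOCKS5 request (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(request) < 7 or request[0] != 5:
        raise ValueError("not a SOCKS5 request")
    atyp = request[3]
    if atyp == 0x01:                       # IPv4 address: the application resolved it
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(request[4:addr_end]))
    elif atyp == 0x04:                     # IPv6 address: also resolved by the application
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(request[4:addr_end]))
    elif atyp == 0x03:                     # length-prefixed hostname: left for Tor to resolve
        addr_end = 5 + request[4]
        host = request[5:addr_end].decode("ascii")
    else:
        raise ValueError("unknown address type")
    if len(request) != addr_end + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", request[addr_end:])
    return {"host": host, "port": port, "resolved_by_client": atyp != 0x03}


def dns_leak_suspects(requests) -> list:
    """Destinations the application resolved itself before handing them to the OP."""
    parsed = [parse_socks5_connect(r) for r in requests]
    return [p["host"] for p in parsed if p["resolved_by_client"]]


# Constructed sample requests (not captured traffic).
NAME = b"www.example.com"
BY_NAME = b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + struct.pack("!H", 443)
BY_IP = (b"\x05\x01\x00\x01" + ipaddress.IPv4Address("192.0.2.10").packed
         + struct.pack("!H", 443))
```

With curl, `--socks5-hostname 127.0.0.1:9050` sends the hostname form, whereas `--socks5 127.0.0.1:9050` resolves the name locally first and sends the IP form.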
curl
The curl package (Connect-with-URL) can be used to demonstrate Tor's anonymized routing.
curl uses the URL syntax to transfer data under many protocols, including FTP, HTTP, HTTPS, IMAP, POP3, SMTP, and TELNET.
Try
curl https://api.ipify.org
(it returns what it believes is your IP address)
Try
torsocks curl https://api.ipify.org

torsocks
The shell script torsocks causes the tor client at /usr/bin/tor to reach out to the Directory Authority for a list of ORs (Tor relays).
From the list of relays returned, the Tor client constructs a circuit, which typically involves three relays, to the destination IP address.
The IP address returned by the curl command will be that of the exit node in the Tor circuit.

Blocking Tor (1/3)
Tor Directory Authorities are servers that maintain a list of the IP addresses of all the currently available relays.
The IP addresses of all these servers are hardcoded into every Tor client.
Each Tor relay sends information about itself once every 18 hours.
The Directory Authority servers compile this information and publish a list once every hour.
Any country can block all of these IP addresses at all its major network traffic routing points and thus make Tor unusable in that country.

Blocking Tor (2/3)
See Python script "get_tor_relays.py"
If a Tor client could connect with an entry point in the Tor network of relays, it would then be able to construct the rest of a Tor circuit.
A bridge can make this selection of an entry point possible.
A Tor bridge is a third type of relay, the other two being an exit relay and a non-exit relay.
A bridge does NOT publish its information to any Directory Authority.
A Tor user may turn his/her client into a bridge relay and let his/her friends know about its IP address through direct communication.
Blocking Tor (3/3)
Tor also uses the notion of Bridge Authorities, which at any given time contain only partial information on the bridge relays.
Firewalls can block such relays by packet filtering at the major network traffic routing points in the country using Deep Packet Inspection (DPI).

Virtual Private Network (VPN)
Using a VPN, the destination server will not see the source IP address, and that gives a measure of anonymity.
The logs at the VPN proxy server would surely record the source IP address.
Third-party VPN servers often have fixed IP addresses that can easily be blocked.
An extended VPN service known as VPN Gate might be more blocking resistant. http://www.vpngate.net

Assignment
SOCKS: how to socksify a web browser? What services do public proxy servers provide?
Privoxy: How to install and configure privoxy?
Tor and tor bridge (Experiment with Tor as described in section 20.5.1 of Lecture Notes by Avinash Kak. You need to add a bridge in order for Tor to work.)
