Network Security Lecture 09: Transport Layer Security
Alexandria University
2024
Sahar M. Ghanem
Summary
These lecture notes cover network security, focusing on transport layer security, and include discussions on TCP vulnerabilities, SYN flooding, IP source address spoofing, best current practices, and demonstrations of denial-of-service (DoS) attacks. The material is aimed at an undergraduate computer science audience.
Network Security Lecture 09: Transport Layer Security
Prof. Dr. Sahar M. Ghanem
Associate Professor, Computer & Systems Engineering Dept., Faculty of Engineering, Alexandria University
Network Security 2024, (c) Sahar M. Ghanem

TCP Vulnerabilities

Outline
- The Shrew DoS Attack
- SYN Flooding
- IP Source Address Spoofing
- Best Current Practice (BCP) 38
- Demonstrating DoS

The Shrew DoS attack (1/2)
- Described in a 2003 publication.
- The retransmission decision for a TCP segment is based on logic that operates at two different timescales:
  - When traffic congestion is low, the timescale is the RTT (Round Trip Time), which is typically of the order of a few tens of milliseconds.
  - When congestion is high, the timescale is determined by the much longer RTO (Retransmission Timeout), which is generally of the order of a full second.
- The manner in which the RTO is set and reset can be exploited to launch the Shrew attack on a sender TCP.

The Shrew DoS attack (2/2)
- An attacker can provoke a TCP flow to repeatedly enter a retransmission timeout state by sending high-rate but short-duration bursts that have an RTT-scale burst length and repeat periodically at the slower RTO timescale (a square wave).
- The victim will be throttled to near-zero throughput, while the attacker will have a low average rate, making the attack difficult for counter-DoS mechanisms to detect.

SYN Flooding (1/2)
- TCP SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server.
- The hostile client repeatedly sends a TCP SYN request to every port on the server using a fake IP address (known as SYN scanning).
- The server responds to each such attempt with a SYN/ACK response from each open port and with an RST response from each closed port.
- In a SYN flood attack, the hostile client never sends back the expected ACK packet for each SYN/ACK packet received from the server (resulting in a half-open connection).

SYN Flooding (2/2)
- As soon as a connection for a given port times out, another SYN request arrives for the same port from the hostile client.
- The server would wait for 75 seconds for the ACK packet.
- The server can modify its firewall rules so that all SYN packets arriving from the intruder are simply discarded.
- The server can protect its resources by rate limiting all incoming SYN packets.

IP Source Address Spoofing (1/2)
- IP source address spoofing refers to an intruder using one or more forged source IP addresses to launch, say, a TCP SYN flood attack on a host in another network.
- As soon as the attack is detected, the admins of the targeted network will block the source IP addresses.
- If it should happen that the forged IP addresses are legitimate, such packet filtering would amount to a DoS against the otherwise legitimate users/systems at those IP addresses.
- The attacker may also cause SYN/ACK flooding at the victim hosts.

IP Source Address Spoofing (2/2)
- In 1994, a famous IP spoofing attack was launched by Kevin Mitnick on the computers of the security expert Tsutomu Shimomura.
- IP address spoofing may also be used to establish a one-way connection with a remote host with the intention of executing malicious code at the remote host.
- These commands may be sophisticated enough to enable A to fetch information from a database program maintained by B.

IP Source Address Spoofing Scenario (1/3)
- Assume that A and X are on the same LAN and that X wants to open a one-way connection to B by pretending to be A.
- X will not see any returned message from B since the routers will send it directly to A.
- X can mount a SYN flood attack on A, or just wait for A to go down.
- Critical to this exploit is X’s ability to guess the sequence number that B will use when sending the SYN/ACK packet to A at the beginning of the exchange.

IP Source Address Spoofing Scenario (2/3)
- X sends B a number of connection-request packets (SYN packets); X does this without posing as any other party.
- When B responds to X with SYN/ACK packets, X sends RST packets back to B.
- X is able to receive a number of sequential outputs of B’s random-number generator.
- If the PRNG (pseudo-random number generator) used by a host TCP machine is of poor quality, it may be possible to construct a reasonably small set of possible ISNs (Initial Sequence Numbers) that the target host might use next, called the spoofing set.

IP Source Address Spoofing Scenario (3/3)
- Mounting an IP spoofing attack boils down to being able to construct spoofing sets with a size of a few thousand entries.
- This is due to a combination of bad PRNG design and the birthday paradox.

Best Current Practice (BCP) (1/2)
- A large number of ISPs now use what is referred to as ingress filtering, so it has become much more difficult to use IP source address spoofing for launching attacks.
- The ISP edge router checks the source IP address field of all packets that emanate from its hosts and are meant for hosts in the internet at large.
- The router drops the packets (or dumps them in a log file) if these source IP addresses do not fall within the range that corresponds to the network address of the router.
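The source-address check an edge router applies under ingress filtering, as an added example that is not part of the lecture. The port names, assigned prefixes and packets are constructed for illustration.

```python
import ipaddress

# Constructed example data: prefixes the ISP assigned to each customer-facing port.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("2001:db8:42::/48")],
}

def ingress_filter(port, src):
    """Decide whether a packet entering from a customer port may be forwarded."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "malformed source address"
    for net in ASSIGNED.get(port, []):
        if addr.version == net.version and addr in net:
            return "forward", f"source within {net}"
    return "drop", f"{addr} is not assigned to {port}"

def filter_packets(packets):
    """Split (port, src, dst) tuples into forwarded packets and a drop log."""
    forwarded, drop_log = [], []
    for port, src, dst in packets:
        verdict, reason = ingress_filter(port, src)
        if verdict == "forward":
            forwarded.append((port, src, dst))
        else:
            drop_log.append((port, src, dst, reason))
    return forwarded, drop_log

# Constructed traffic: two legitimate packets and three with forged sources.
PACKETS = [
    ("cust-a", "203.0.113.10", "192.0.2.80"),
    ("cust-a", "203.0.113.200", "192.0.2.80"),   # outside the assigned /25
    ("cust-a", "198.51.100.7", "192.0.2.80"),    # cust-b's address sent from cust-a
    ("cust-b", "2001:db8:42::1", "2001:db8:ffff::80"),
    ("cust-b", "10.0.0.5", "192.0.2.80"),        # private address leaking out
]

if __name__ == "__main__":
    ok, dropped = filter_packets(PACKETS)
    for entry in dropped:
        print("DROP", *entry)
```

The check is made per port, so an address that is valid for one customer is still dropped when it arrives from another customer's port.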
Best Current Practice (BCP) (2/2)
- Another obstacle faced by an attacker who wants to mount an IP spoofing attack is that the ISP router may overwrite the fake IP source address the attacker is using in the outgoing packets if the attacker is operating in a private network that uses NAT (Network Address Translation).

Demonstrating DoS
- It is relatively trivial to mount such attacks when both the attacker and the attacked are in the same LAN.
- port_scan.py is a Python script that figures out what ports are open at a host.
- DoS5.py is the attack script that will be executed on the attacker host.
- In Python, Scapy is a powerful tool for creating packets in any of the first four layers of the TCP/IP protocol stack.
- You can ask Scapy to create a packet, set its various fields, put it on the wire, and have it capture the response packet if there is one.

SSL/TLS

Outline
- SSL/TLS
- SSL Connection & SSL Session
- The SSL Record Protocol
- The SSL Handshake Protocol
- The Heartbeat Extension

Transport Layer Security (1/2)
- In 1995, SSL (Secure Socket Layer) was developed by Netscape to provide secure and authenticated connections between browsers and servers.
- In 1999, the IETF made SSL Version 3 an open standard and called it TLS Version 1.
- SSL/TLS has become important to several other forms of information exchange in the internet (other than web servers and browsers).
- For example, TLS is used to protect email servers, remote login security (through SSH servers), and some virtual private networks (SSL VPNs).
- The software library that implements this protocol is OpenSSL.

Transport Layer Security (2/2)
- SSL/TLS allows for either server-only authentication or server-client authentication.
- In server-only authentication, the client receives the server’s certificate and generates a secret key that it then encrypts with the server’s public key for confidentiality.
- Fundamental to the security that is established with the SSL/TLS protocol are the certificates issued by the Certificate Authorities (CAs).

SSL Connection & SSL Session
- A connection is a one-time, transient transport of information between two nodes.
- Every connection is associated with a session.
- A session is an enduring association between a client and a server that is created by the SSL Handshaking Protocol.
- A session can consist of multiple connections.
- A session is characterized by a set of security parameters that apply to all the connections in the session.
- If we want to leave a session open in anticipation of upcoming data exchanges, the Heartbeat Extension is needed.

Connection State
An SSL connection state is characterized by the following parameters:
- Server and client random
- Server Write MAC (Message Authentication Code) Secret
- Client Write MAC Secret
- Server Write Key
- Client Write Key
- Initialization vectors
- Sequence Numbers

Session State
An SSL session state is characterized by the following parameters:
- Session Identifier
- Peer Certificate (may be null)
- Compression Method
- Cipher Spec: specifies the bulk data encryption algorithm and a hash algorithm used for MAC calculation. It also defines cryptographic attributes such as the hash_size.
- Master Secret
- IsResumable flag

The SSL Record Protocol (1/2)
- The SSL Record Protocol sits directly above the TCP protocol and provides two services: Confidentiality and Message Integrity.
- This protocol is in charge of taking the actual data, fragmenting it into blocks, applying authentication and encryption primitives to each block, and handing the block to TCP.
- The operation of the SSL Record Protocol consists of five steps: Fragmentation; Compression; Adding MAC; Encryption; Append SSL Record Header.
- Each output block produced by the SSL Record Protocol is referred to as an SSL record.

The SSL Record Protocol (2/2)
- Fragmentation: The message is fragmented into blocks whose length does not exceed 2^14 (16384) bytes.
- Compression: This optional step requires lossless compression. SSLv3 does not specify compression.
- A number of choices are available for the encryption step depending on the level of security needed (e.g. 3DES or RC4-128).
- The header consists of 8 bits for declaring the content type, 8 bits for declaring the major version used for SSL, 8 bits for declaring the minor version used, and 16 bits for declaring the length of the compressed plaintext (or the plaintext if no compression was used).

The handshake protocol
- Before the SSL Record Protocol is applied, it must become aware of what algorithms to use for compression, authentication, and encryption.
- That information is generated by the SSL Handshake Protocol.
- The SSL Handshake Protocol is also responsible for the server and the client authenticating each other.
- This protocol also comes up with the cryptographic keys to be used for the encryption and the authentication of each SSL record.
- The SSL Handshake protocol works in four phases.
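The record construction from the SSL Record Protocol slides above, as an added example that is not part of the lecture: data is fragmented at 2^14 bytes, each fragment gets a MAC and the 5-byte header, and the receiver parses the stream and verifies every record. Assumptions: the MAC is the TLS 1.0 HMAC-SHA1 construction over the sequence number, header fields and fragment; compression and encryption are left out; the function names are illustrative.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14   # fragment limit given in the slides
MAC_LEN = 20             # HMAC-SHA1 output size (HashSize 20 in the CipherSpec)

def record_mac(secret, seq, ctype, version, fragment):
    # TLS 1.0-style MAC input: 64-bit seq_num || type || version || length || fragment
    hdr = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(secret, hdr + fragment, hashlib.sha1).digest()

def protect(secret, ctype, version, data, seq=0):
    """Fragment data, append a MAC to each fragment, prepend the 5-byte header.
    Compression and encryption are omitted so the layout stays readable."""
    out = b""
    for i in range(0, len(data), MAX_FRAGMENT):
        frag = data[i:i + MAX_FRAGMENT]
        body = frag + record_mac(secret, seq, ctype, version, frag)
        out += struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body
        seq += 1  # the sequence number is implicit: it never travels in the record
    return out

def unprotect(secret, stream, seq=0):
    """Parse records from a TCP byte stream and verify each MAC.
    Returns (payload, leftover_bytes); raises ValueError on a bad record."""
    payload, pos = b"", 0
    while len(stream) - pos >= 5:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if major != 3 or not MAC_LEN <= length <= MAX_FRAGMENT + MAC_LEN:
            raise ValueError("malformed record header")
        if len(stream) - pos - 5 < length:
            break  # partial record: wait for more TCP data
        body = stream[pos + 5:pos + 5 + length]
        frag, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(secret, seq, ctype, (major, minor), frag)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad record MAC")
        payload += frag
        pos += 5 + length
        seq += 1
    return payload, stream[pos:]
```

Because the sequence number is part of the MAC input, two records swapped in transit fail verification even when their contents are identical.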
Phase 1: Establish Security Capabilities
- Phase 1 is initiated by the client and is used to establish the security capabilities present at the two ends of a connection.
- The client sends to the server a client hello message with the following parameters: Version; Random; Session ID; Cipher Suite; Compression Method.
- The server responds with its server hello message that has a similar set of parameters.
- The server’s response includes the specific algorithms selected by the server from the client’s lists for compression, authentication, and encryption.
- The Cipher Suite parameter in the server hello message consists of two elements:
  1. The key exchange method: RSA, or three different types of Diffie-Hellman, …
  2. The CipherSpec, which indicates the authentication algorithm selected, the length of the MAC, the encryption algorithm,...

Key Exchange Methods
- RSA: The secret key is encrypted with the receiver’s RSA public key.
- Fixed Diffie–Hellman: the server’s certificate contains the Diffie–Hellman public parameters signed by the certificate authority (CA).
- Ephemeral Diffie–Hellman: the Diffie–Hellman public keys are exchanged and signed using the sender’s private RSA or DSS key (the most secure of the three DH options).
- Anonymous Diffie–Hellman: The base Diffie–Hellman algorithm is used with no authentication (vulnerable to man-in-the-middle attacks).

CipherSpec
- CipherAlgorithm: RC4, RC2, DES, 3DES, DES40, or IDEA
- MACAlgorithm: MD5 or SHA-1
- CipherType: Stream or Block
- IsExportable: True or False
- HashSize: 0, 16 (for MD5), or 20 (for SHA-1) bytes
- Key Material: A sequence of bytes that contain data used in generating the write keys
- IV Size: The size of the Initialization Value for Cipher Block Chaining (CBC) encryption
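A parser for the client hello parameters listed in Phase 1, as an added example that is not part of the lecture; it also reports any offered suite that uses anonymous Diffie–Hellman. Assumptions: the input is the handshake-layer message (record header already removed), the suite table is a small subset of the SSLv3/TLS 1.0 code points, and the sample bytes and function names are constructed for illustration.

```python
import struct

# Subset of SSLv3/TLS 1.0 suite codes with the key exchange method each one uses.
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x0016: ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "Ephemeral DH"),
    0x0018: ("TLS_DH_anon_WITH_RC4_128_MD5", "Anonymous DH"),
    0x001B: ("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", "Anonymous DH"),
}

def parse_client_hello(msg):
    """Parse a handshake-layer client hello into the five Phase 1 parameters."""
    if len(msg) < 4 or msg[0] != 1:                      # handshake type 1 = client hello
        raise ValueError("not a client hello")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("length field does not match message size")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated client hello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    random = take(32)
    session_id = take(take(1)[0])                        # 1-byte length prefix
    suites_raw = take(struct.unpack("!H", take(2))[0])   # 2-byte length prefix
    if len(suites_raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [code for (code,) in struct.iter_unpack("!H", suites_raw)]
    compression = list(take(take(1)[0]))
    # Any bytes left in body are hello extensions, which this example ignores.
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}

def anonymous_offers(hello):
    """Offered suites whose key exchange is unauthenticated (anonymous DH)."""
    return [SUITES[c][0] for c in hello["cipher_suites"]
            if SUITES.get(c, ("", ""))[1] == "Anonymous DH"]

# Constructed sample: SSL 3.0, all-zero random, empty session id, three suites.
SAMPLE_BODY = (bytes([3, 0]) + bytes(32) + b"\x00" + b"\x00\x06"
               + b"\x00\x0a\x00\x16\x00\x18" + b"\x01\x00")
SAMPLE = b"\x01" + len(SAMPLE_BODY).to_bytes(3, "big") + SAMPLE_BODY
```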
Phase 2: Server Authentication and Key Exchange
- Phase 2 is initiated by the server, which sends a message containing one or more of its certificates so that the client can validate the server public key.
- This could be followed by a server key exchange message, and a certificate request message if the server also wants to validate the client.
- The server key exchange message could, for example, consist of the global Diffie-Hellman values and the server’s Diffie-Hellman public key.
- Phase 2 handshaking ends when the server sends the client a server hello done message.

Phase 3: Client Authentication and Key Exchange
- Phase 3 is initiated by the client, which sends the server the client’s certificate, but only if the server made a request.
- Next, the client sends to the server a mandatory client key exchange message.
- This phase ends when the client sends to the server a certificate verify message.

Phase 4: Finish
- The client sends to the server a change cipher spec message indicating that it is copying the pending CipherSpec into the current CipherSpec.
- Next, the client sends to the server the finished message.
- The change cipher spec message format must correspond to the Change Cipher Spec Protocol.
- This protocol says that the message must consist of a single byte with a value of 1 indicating the change.
- The last of the SSL protocols, the Alert Protocol, is used to convey SSL-related alerts to the peer entity.

The Heartbeat Extension (1/3)
- As soon as the data exchange between two endpoints terminates, the session will also terminate.
- There is significant overhead associated with the negotiation of the security parameters for establishing a secure session.
- Applications may require that once the security parameters have been agreed upon through the Handshake protocol, they should continue to hold good even through lulls in data exchange between the two endpoints.
- How does either of the endpoints distinguish between a temporary lull in the data exchange and the final termination of a secure connection?

The Heartbeat Extension (2/3)
- The Heartbeat Extension Protocol sits on top of the SSL/TLS Record Protocol.
- It has two messages, HeartbeatRequest and HeartbeatResponse.
- When one endpoint sends a HeartbeatRequest message to the other endpoint, the former expects a HeartbeatResponse from the latter.
- When one endpoint sends a HeartbeatRequest message to the other endpoint, the former also starts what is known as the retransmit timer.
- An SSL/TLS session is considered to have terminated in the absence of a HeartbeatResponse packet within a time interval.

The Heartbeat Extension (3/3)
- As a protection against a replay attack, a HeartbeatRequest packet must include a payload that must be returned without change by the receiver in its HeartbeatResponse packet.

Assignment
- TLS VPN vs. IPsec VPN: https://www.techtarget.com/searchsecurity/feature/Tunnel-vision-Choosing-a-VPN-SSL-VPN-vs-IPSec-VPN
- How to configure Apache web server to use certificates
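The request/response exchange from the Heartbeat Extension slides above, as an added example that is not part of the lecture: the responder echoes the payload unchanged, and the requester accepts only the echo of its outstanding request. Assumptions: the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520, the retransmit timer is not modelled, and the class and function names are illustrative.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding

def build(msg_type, payload):
    """Serialize a heartbeat message: type, payload length, payload, padding."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(MIN_PADDING)

def parse(msg):
    """Return (type, payload), or None if the message must be discarded."""
    if len(msg) < 3 + MIN_PADDING:
        return None
    msg_type, declared = struct.unpack_from("!BH", msg)
    if msg_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    # The declared payload length must fit inside the bytes actually received;
    # otherwise the message is dropped and nothing is echoed.
    if 3 + declared + MIN_PADDING > len(msg):
        return None
    return msg_type, msg[3:3 + declared]

def respond(request):
    """Build the HeartbeatResponse that returns the request payload unchanged."""
    parsed = parse(request)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    return build(HB_RESPONSE, parsed[1])

class Requester:
    """Tracks the one outstanding request and checks the echoed payload."""

    def __init__(self):
        self.pending = None

    def send(self):
        self.pending = os.urandom(16)   # fresh payload for every request
        return build(HB_REQUEST, self.pending)

    def accept(self, response):
        parsed = parse(response)
        ok = (parsed is not None and parsed[0] == HB_RESPONSE
              and self.pending is not None and parsed[1] == self.pending)
        if ok:
            self.pending = None         # request answered; session is alive
        return ok
```

A response captured from an earlier request carries the old payload, so replaying it against a new request is rejected.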