CS 204: Interconnection of Cyber Physical Systems Week 10: Security Lecture Notes PDF
Document Details
Uploaded by ConsistentVibraphone
SMU
Tags
Summary
This document is a lecture on network security, specifically focusing on week 10 of the course CS 204: Interconnection of Cyber Physical Systems. The lecture outlines key concepts in network security, including cryptography techniques and various security protocols. It also covers different types of attacks and how to prevent them.
Full Transcript
SMU Classification: Restricted CS 204: Interconnection of Cyber Physical Systems Week 10: Security Link Layer: 7-1 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of crypt...
SMU Classification: Restricted CS 204: Interconnection of Cyber Physical Systems Week 10: Security Link Layer: 7-1 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Message integrity, authentication ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 3 SMU Classification: Restricted What is network security? confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message authentication: sender, receiver want to confirm identity of each other message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection access and availability: services must be accessible and available to users Security: 8- 4 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Message integrity, authentication ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 8 SMU Classification: Restricted The language of cryptography Alice’s Bob’s KA encryption KB decryption key key plaintext encryption ciphertext decryption plaintext algorithm algorithm m: plaintext message KA(m): ciphertext, encrypted with key KA m = KB(KA(m)) Security: 8- 9 SMU Classification: Restricted Breaking an encryption scheme ▪ cipher-text only attack: ▪ known-plaintext attack: Trudy has ciphertext she Trudy has plaintext can analyze corresponding to ciphertext ▪ two approaches: e.g., in monoalphabetic cipher, Trudy determines brute force: search pairings for a,l,i,c,e,b,o, through all keys statistical analysis ▪ chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext Security: 8- 10 SMU Classification: Restricted Symmetric key cryptography KS KS plaintext encryption ciphertext decryption plaintext algorithm K S(m) algorithm symmetric key crypto: Bob and Alice share same (symmetric) key: K ▪ e.g., key is knowing substitution pattern in mono alphabetic substitution cipher Q: how do Bob and Alice agree on key value? Security: 8- 11 SMU Classification: Restricted Simple encryption scheme substitution cipher: substituting one thing for another ▪ monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq e.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Encryption key: mapping from set of 26 letters to set of 26 letters Security: 8- 12 SMU Classification: Restricted A more sophisticated encryption approach ▪ n substitution ciphers, M1,M2,…,Mn ▪ cycling pattern: e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;.. ▪ for each new plaintext symbol, use subsequent substitution pattern in cyclic pattern dog: d from M1, o from M3, g from M4 Encryption key: n substitution ciphers, and cyclic pattern key need not be just n-bit pattern Security: 8- 13 SMU Classification: Restricted Symmetric key crypto: DES DES: Data Encryption Standard ▪ US encryption standard [NIST 1993] ▪ 56-bit symmetric key, 64-bit plaintext input ▪ block cipher with cipher block chaining ▪ how secure is DES? DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day no known good analytic attack ▪ making DES more secure: 3DES: encrypt 3 times with 3 different keys Security: 8- 14 SMU Classification: Restricted AES: Advanced Encryption Standard ▪ symmetric-key NIST standard, replaced DES (Nov 2001) ▪ processes data in 128 bit blocks ▪ 128, 192, or 256 bit keys ▪ brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES Security: 8- 15 SMU Classification: Restricted Public Key Cryptography symmetric key crypto: public key crypto ▪ requires sender, receiver ▪ radically different approach know shared secret key [Diffie-Hellman76, RSA78] ▪ Q: how to agree on key in ▪ sender, receiver do not first place (particularly if share secret key never “met”)? ▪ public encryption key known to all ▪ private decryption key known only to receiver Security: 8- 16 SMU Classification: Restricted Public Key Cryptography + K Bob’s public key B - K Bob’s private key B plaintext encryption ciphertext decryption plaintext message, m algorithm + K (m) algorithm - + B m = KB (K (m)) B Wow - public key cryptography revolutionized 2000-year-old (previously only symmetric key) cryptography! similar ideas emerged at roughly same time, independently in US and UK (classified) Security: 8- 17 SMU Classification: Restricted Public key encryption algorithms requirements: 1 +. -. need KB ( ) and K ( ) such that B - + K (K (m)) = m B B + 2 given public key KB , it should be impossible to - compute private key KB RSA: Rivest, Shamir, Adelson algorithm Security: 8- 18 SMU Classification: Restricted RSA in practice: session keys ▪ exponentiation in RSA is computationally intensive ▪ DES is at least 100 times faster than RSA ▪ use public key crypto to establish secure connection, then establish second key – symmetric session key – for encrypting data session key, KS ▪ Bob and Alice use RSA to exchange a symmetric session key KS ▪ once both have KS, they use symmetric key cryptography Security: 8- 28 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 29 SMU Classification: Restricted Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” “I am Alice” failure scenario?? Security: 8- 30 SMU Classification: Restricted Authentication: ap5.0 – there’s still a flaw! man (or woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) I am Alice I am Alice R - K (R) ? T R Where are Send me your public key - mistakes + K (R) K Bob computes A made here? T + - Send me your public key K (K T(R)) = R, + T K authenticating A Trudy as Alice Trudy recovers m: + Trudy recovers Bob’s m: + - + K (m) Bob sends a personal - + m = K (K (m)) T m = K (K (m)) K (m) T T message, m to Alice A A A sends m to Alice and she and Bob meet a week encrypted with later in person and discuss m, Alice’s public key not knowing Trudy knows m Security: 8- 40 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 41 SMU Classification: Restricted Digital signatures cryptographic technique analogous to hand-written signatures: ▪ sender (Bob) digitally signs document: he is document owner/creator. ▪ verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document ▪ simple digital signature for message m: Bob signs m by encrypting with his private key KB, creating “signed” message, KB- (m) - Bob’s private - Bob’s message, m KB m,KB(m) key Dear Alice Dear Alice Oh, how I have missed Oh, how I have missed you. I think of you all the Public key you. I think of you all the time! …(blah blah blah) encryption time! …(blah blah blah) algorithm - Bob Bob KB(m) Security: 8- 42 SMU Classification: Restricted Message digests computationally expensive to public-key-encrypt long messages goal: fixed-length, easy- to-compute digital “fingerprint” ▪ apply hash function H to m, get fixed size message digest, H(m) large message H: Hash Function H(m) m Hash function properties: ▪ many-to-1 ▪ produces fixed-size msg digest (fingerprint) ▪ given message digest x, computationally infeasible to find m such that x = H(m) Security: 8- 44 SMU Classification: Restricted Digital signature = signed message digest Bob sends digitally signed message: Alice verifies signature, integrity of digitally signed message: large message H: Hash m Function H(m) encrypted message digest - KB(H(m)) digital Bob’s signature large private - key KB (encrypt) message m digital Bob’s signature public + key KB (decrypt) encrypted H: Hash message digest function + - KB(H(m)) H(m) H(m) ? equal Security: 8- 46 SMU Classification: Restricted Hash function algorithms ▪ MD5 hash function widely used (RFC 1321) computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x ▪ SHA-1 is also used US standard [NIST, FIPS PUB 180-1] 160-bit message digest Security: 8- 47 SMU Classification: Restricted Public key Certification Authorities (CA) ▪ certification authority (CA): binds public key to particular entity, E ▪ entity (person, website, router) registers its public key with CE provides “proof of identity” to CA CA creates certificate binding identity E to E’s public key certificate containing E’s public key digitally signed by CA: CA says “this is E’s public key” Bob’s digital public + signature + key KB (encrypt) KB CA’s private K - certificate for Bob’s Bob’s key identifying CA public key, signed by CA information Security: 8- 50 SMU Classification: Restricted Public key Certification Authorities (CA) ▪ when Alice wants Bob’s public key: gets Bob’s certificate (Bob or elsewhere) apply CA’s public key to Bob’s certificate, get Bob’s public key digital Bob’s + KB signature + public (decrypt) KB key CA’s public + key KCA Security: 8- 51 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 52 SMU Classification: Restricted Secure e-mail: confidentiality Alice wants to send confidential e-mail, m, to Bob. KS m KS( ). KS(m ) KS(m ) KS( ). m + Internet - KS KS + KB( ). + KB(KS ) + KB(KS ) - KB( ). K+ B K-B Alice: ▪ generates random symmetric private key, KS ▪ encrypts message with KS (for efficiency) ▪ also encrypts KS with Bob’s public key ▪ sends both KS(m) and K+B(KS) to Bob Security: 8- 53 SMU Classification: Restricted Secure e-mail: confidentiality (more) Alice wants to send confidential e-mail, m, to Bob. KS m KS( ). KS(m ) KS(m ) KS( ). m + Internet - KS KS + KB( ). + KB(KS ) + KB(KS ) - KB( ). K+ B K-B Bob: ▪ uses his private key to decrypt and recover KS ▪ uses KS to decrypt KS(m) to recover m Security: 8- 54 SMU Classification: Restricted Secure e-mail: integrity, authentication Alice wants to send m to Bob, with message integrity, authentication KA- K+ A - - m H(.) K (.) - A KA(H(m)) KA(H(m)) + KA( ). H(m ) + Internet - compare m H( ). H(m ) m ▪ Alice digitally signs hash of her message with her private key, providing integrity and authentication ▪ sends both message (in the clear) and digital signature Security: 8- 55 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 57 SMU Classification: Restricted Transport-layer security (TLS) ▪ widely deployed security protocol above the transport layer supported by almost all browsers, web servers: https (port 443) ▪ provides: confidentiality: via symmetric encryption all techniques we integrity: via cryptographic hashing have studied! authentication: via public key cryptography ▪ history: early research, implementation: secure network programming, secure sockets secure socket layer (SSL) deprecated TLS 1.3: RFC 8846 Security: 8- 59 SMU Classification: Restricted Transport-layer security (TLS) ▪ TLS provides an API that any application can use ▪ an HTTP view of TLS: HTTP 1.0 HTTP/2 HTTP/2 (slimmed) Application HTTP/3 TLS QUIC Transport TCP TCP UDP Network IP IP IP HTTP/2 over TCP HTTP/2 over TCP HTTP/2 over QUIC (which incorporates TLS) over UDP Security: 8- 66 SMU Classification: Restricted TLS: 1.3 cipher suite ▪ “cipher suite”: algorithms that can be used for key generation, encryption, MAC, digital signature ▪ TLS: 1.3 (2018): more limited cipher suite choice than TLS 1.2 (2008) only 5 choices, rather than 37 choices requires Diffie-Hellman (DH) for key exchange, rather than DH or RSA combined encryption and authentication algorithm (“authenticated encryption”) for data rather than serial encryption, authentication 4 based on AES HMAC uses SHA (256 or 284) cryptographic hash function Security: 8- 67 SMU Classification: Restricted TLS 1.3 handshake: 1 RTT 1 client TLS hello msg: ▪ guesses key agreement client hello: protocol, parameters 1 ▪ supported cipher suites ▪ indicates cipher suites it ▪ DH key agreement supports protocol, parameters 2 server TLS hello msg chooses server hello: 2 ▪ key agreement protocol, ▪ selected cipher suite parameters ▪ DH key agreement protocol, parameters ▪ cipher suite 3 ▪ server-signed certificate 3 client: ▪ checks server certificate ▪ generates key client server ▪ can now make application request (e.g.., HTTPS GET) Security: 8- 68 SMU Classification: Restricted TLS 1.3 handshake: 0 RTT ▪ initial hello message contains client hello: encrypted application data! ▪ supported cipher suites ▪ DH key agreement “resuming” earlier connection protocol, parameters between client and server ▪ application data application data encrypted using server hello: “resumption master secret” ▪ selected cipher suite from earlier connection ▪ DH key agreement protocol, parameters ▪ vulnerable to replay attacks! ▪ application data (reply) maybe OK for get HTTP GET or client requests not modifying client server server state Security: 8- 69 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 70 SMU Classification: Restricted IP Sec ▪ provides datagram-level encryption, authentication, integrity for both user traffic and control traffic (e.g., BGP, DNS messages) ▪ two “modes”: payload payload payload tunnel mode: transport mode: ▪ entire datagram is encrypted, authenticated ▪ only datagram payload is ▪ encrypted datagram encapsulated encrypted, authenticated in new datagram with new IP header, tunneled to destination Security: 8- 71 SMU Classification: Restricted Two IPsec protocols ▪ Authentication Header (AH) protocol [RFC 4302] provides source authentication & data integrity but not confidentiality ▪ Encapsulation Security Protocol (ESP) [RFC 4303] provides source authentication, data integrity, and confidentiality more widely used than AH Security: 8- 72 SMU Classification: Restricted Security associations (SAs) ▪ before sending data, security association (SA) established from sending to receiving entity (directional) ▪ ending, receiving entitles maintain state information about SA recall: TCP endpoints also maintain state info IP is connectionless; IPsec is connection-oriented! 200.168.1.100 193.68.2.23 SA R1 stores for SA: ▪ 32-bit identifier: Security Parameter Index (SPI) ▪ origin SA interface (200.168.1.100) ▪ encryption key ▪ destination SA interface (193.68.2.23) ▪ type of integrity check used ▪ type of encryption used ▪ authentication key Security: 8- 73 SMU Classification: Restricted IPsec datagram authenticated encrypted ESP new IP original Original IP ESP ESP head header IP hdr datagram payload trailer auth er tunnel mode next ESP Seq paddin pad SPI head # g length er ▪ ESP trailer: padding for block ciphers ▪ ESP header: SPI, so receiving entity knows what to do sequence number, to thwart replay attacks ▪ MAC in ESP auth field created with shared secret key Security: 8- 74 SMU Classification: Restricted IPsec summary ▪ IKE message exchange for algorithms, secret keys, SPI numbers ▪ either AH or ESP protocol (or both) AH provides integrity, source authentication ESP protocol (with AH) additionally provides encryption ▪ IPsec peers can be two end systems, two routers/firewalls, or a router/firewall and an end system Security: 8- 82 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks 802.11 (WiFi) 4G/5G ▪ Operational security: firewalls and IDS Security: 8- 83 SMU Classification: Restricted 802.11: WPA3 handshake mobile AS Authentication Server Initial shared secret Initial shared secret NonceAS derive session key KM-AP using initial- a shared-secret, NonceAS, NonceM b c derive session key KM-AP using initial shared secret , NonceAS, NonceM NonceM, HMAC(f(KAS-M,NonceAS)) a▪ AS generates NonceAS, sends to mobile b▪ mobile receives Nonce AS generates NonceM generates symmetric shared session key KM-AP using NonceAS, NonceM, and initial shared secret sends NonceM, and HMAC-signed value using NonceAS and initial shared c secret ▪ AS derives symmetric shared session key KM-AP Security: 8- 87 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks 802.11 (WiFi) 4G/5G ▪ Operational security: firewalls and IDS Security: 8- 91 SMU Classification: Restricted Authentication, encryption in 4G LTE Home Subscriber Mobility Service (HSS) mobile Management Entity (MME) Base station (BS) Visited network Home network ▪ arriving mobile must: associate with BS: (establish) communication over 4G wireless link authenticate itself to network, and authenticate network ▪ notable differences from WiFi mobile’s SIMcard provides global identity, contains shared keys services in visited network depend on (paid) service subscription in home network Security: 8- 92 SMU Classification: Restricted Authentication, encryption in 4G LTE Home Subscriber Mobility Service (HSS) mobile KBS-M Management Entity (MME) K HSS-M KHSS-M Visited network Home network Base station (BS) ▪ mobile, BS use derived session key KBS-M to encrypt communications over 4G link ▪ MME in visited network + HHS in home network, together play role of WiFi AS ultimate authenticator is HSS trust and business relationship between visited and home networks Security: 8- 93 SMU Classification: Restricted Authentication, encryption: from 4G to 5G ▪ 4G: MME in visited network makes authentication decision ▪ 5G: home network provides authentication decision visited MME plays “middleman” role but can still reject ▪ 4G: uses shared-in-advance keys ▪ 5G: keys not shared in advance for IoT ▪ 4G: device IMSI transmitted in cleartext to BS ▪ 5G: public key crypto used to encrypt IMSI Security: 8- 99 SMU Classification: Restricted Outline ▪ What is network security? ▪ Principles of cryptography ▪ Authentication, message integrity ▪ Securing e-mail ▪ Securing TCP connections: TLS ▪ Network layer security: IPsec ▪ Security in wireless and mobile networks ▪ Operational security: firewalls and IDS Security: 8- 100 SMU Classification: Restricted Firewalls firewall isolates organization’s internal network from larger Internet, allowing some packets to pass, blocking others administered public network Internet trusted “good guys” untrusted “bad guys” firewall Security: 8- 101 SMU Classification: Restricted Firewalls: why prevent denial of service attacks: ▪ SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data ▪ e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network ▪ set of authenticated users/hosts three types of firewalls: ▪ stateless packet filters ▪ stateful packet filters ▪ application gateways Security: 8- 102 SMU Classification: Restricted Stateless packet filtering Should arriving packet be allowed in? Departing packet let out? ▪ internal network connected to Internet via router firewall ▪ filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source, destination port numbers ICMP message type TCP SYN, ACK bits Security: 8- 103 SMU Classification: Restricted Stateless packet filtering: example Should arriving packet be allowed in? Departing packet let out? ▪ example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked ▪ example 2: block inbound TCP segments with ACK=0 result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside Security: 8- 104 SMU Classification: Restricted Stateful packet filtering ▪ stateless packet filter: heavy handed tool admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source dest protocol source dest flag address address port port bit allow outside of 222.22/16 TCP 80 > 1023 ACK 222.22/16 ▪ stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense” timeout inactive connections at firewall: no longer admit packets Security: 8- 107 SMU Classification: Restricted Application gateways ▪ filter packets on host-to- gateway application application data as well telnet session gateway router and filter as on IP/TCP/UDP fields. ▪ example: allow select internal users to telnet gateway-to-remote host telnet session outside 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway Security: 8- 109 SMU Classification: Restricted Limitations of firewalls, gateways ▪ IP spoofing: router can’t know ▪ filters often use all or nothing if data “really” comes from policy for UDP claimed source ▪ tradeoff: degree of ▪ if multiple apps need special communication with outside treatment, each has own app. world, level of security gateway ▪ many highly protected sites ▪ client software must know still suffer from attacks how to contact gateway e.g., must set IP address of proxy in Web browser Security: 8- 110 SMU Classification: Restricted Intrusion detection systems ▪ packet filtering: operates on TCP/IP headers only no correlation check among sessions ▪ IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets port scanning network mapping DoS attack Security: 8- 111 SMU Classification: Restricted Network Security (summary) basic techniques…... ▪ cryptography (symmetric and public key) ▪ message integrity ▪ end-point authentication …. used in many different security scenarios ▪ secure email ▪ secure transport (TLS) ▪ IP sec ▪ 802.11, 4G/5G operational security: firewalls and IDS Security: 8- 113
