Network Security
Dr. Nguyen Tuan Nam ntnam@fit.hcmus.edu.vn
What to Be Covered
- Cryptography
- Authentication
- Standards
- Electronic mail
- Others
Nguyen Tuan Nam/NetSec/Win2010
Assignment & Grading
Textbook: Network Security: Private Communication in a Public World, 2nd edition, Charlie Kaufman, Radia Perlman, Mike Speciner, Prentice Hall
2 exams:
- Midterm: on the 5th week (4 weeks from today), 25%
- Final exam (or final project): 45%
Term projects: 20%
Class participation: 10%
- Students are responsible to attend classes and take notes
Extra credit: fun and creative
Terminology
Hacker
- Not used for the vandals that break into computer systems, steal money and people's time; those are called intruder, bad guy and imposter (Trudy)
- Instead, master programmers: incorruptibly honest, not motivated by money, careful not to harm anyone
Secret key cryptography (instead of symmetric cryptography)
Public key cryptography (instead of asymmetric cryptography)
Terminology
Privacy
- Keeping communication from being seen by anyone other than the intended recipients
- Other books use confidentiality
Alice and Bob: Alice's computer and Bob's computer
User Alice and user Bob: the humans
Why So Much Terminology?
Speaker: "Isn't it terrifying that on the Internet we have no privacy?"
A: "You mean confidentiality?"
B: "Why do security types insist on inventing their own language?"
C: "It's a denial-of-service attack."
Notation
Symbol          Description
                Bitwise exclusive-or
|               Concatenation
K{message}      Message encrypted with secret key K
{message}Bob    Message encrypted with Bob's public key
[message]Bob    Message signed with Bob's private key
Primer on Networking
Dr. Nguyen Tuan Nam ntnam@fit.hcmus.edu.vn
OSI Reference Model
- Not the only way to construct a network
- Designed by the ISO (International Standard Organization)
- Too big a task for a single committee, so the problem was subdivided among several committees: 7 layers
- Each layer uses the services of the layer below, adds functionality, and provides services to the layer above
- Note: real networks seldom neatly fit into the seven-layer model
OSI Reference Model (top to bottom)
- Application
- Presentation
- Session
- Transport
- Network
- Data link
- Physical
IP, UDP, and TCP
Directory Service
- Directory or naming service
- Instead of one directory, it is structured as a tree of directories
- Hierarchical names prevent the directory from getting unreasonably large
- Why is it important to security?
Replicated Services
- Convenient to have 2 or more computers performing the same function (due to performance): overload, distance, availability
- Why is it so important to security?
Packet Switching
In a network, a message is generally broken into smaller chunks; each chunk (packet) is sent independently. Why?
- Messages from various sources can be interleaved on the same link
- Error recovery is done on the chunk
- Buffer management in the routers is simpler if the size of packets has a reasonable upper limit
Network Components
- Clients
- Servers
- Dumb terminals
- Terminal servers
Active vs. Passive Attacks
Passive attack: the intruder eavesdrops but does NOT modify the message stream in any way
Active attack: the intruder may
- Transmit messages
- Replay old messages
- Modify messages in transit
- Delete selected messages
- Ex: man-in-the-middle attack
Layers and Cryptography
Encryption and integrity protection can be done:
- On the original message (end-to-end)
  - The infrastructure does not need to know; it just forwards the message
  - The infrastructure and whoever stores the crypto-protected message need not be trusted
  - Any corruption or loss
- On each chunk of the message (hop-by-hop)
  - Packet switches must be trusted (by definition, the packet switches see the plaintext)
Authorization
- Authentication proves who you are
- Authorization defines what you are allowed to do
- Access control list (ACL): who is allowed to do what with a resource
- Capability model: for each user, what he/she is allowed to do
Tempest
- Biggest concern: eavesdropping and modifying/injecting messages
- Magic of physics: the movement of electrons can be measured from a surprising distance away
  - Can eavesdrop without even needing to physically access the link
  - Wireless: shared medium
- The US military Tempest program measures how far away an intruder must be before eavesdropping is impossible
  - That distance is known as the device's control zone
  - The control zone is the region that must be physically guarded to keep out intruders
Key Escrow for Careless Users
- Prudent to keep your key in a safe place
- When you misplace your own key, you can still retrieve a copy of the key
- A database of keys: can only be reconstructed with the cooperation of several independent machines
- Some applications don't require a recoverable key: it can be reset by a third party (administrator)
- Only some of the keys are escrowed: users may want different keys for different uses
Viruses, Worms, Trojan Horses
Trojan horse
- Instructions hidden inside an otherwise useful program that do bad things
- Usually used when the malicious instructions are installed at the time the program is written
Viruses
- A set of instructions that, when executed, inserts copies of itself into other programs
Worms
- A program that replicates itself by installing copies of itself on other machines across a network
Viruses, Worms, Trojan Horses
Trapdoor
- An undocumented entry point intentionally written into a program, e.g. for debugging purposes, which can be exploited as a security flaw
Logic bomb
- Malicious instructions that trigger on some event in the future
Zombie
- Malicious instructions installed on a system that can be remotely triggered to carry out some attack
- Large numbers of zombies
Where Do They Come From?
Trapdoor
- May be intentionally installed to facilitate troubleshooting
The rest
- Written by bad guys
Problem
- Halting problem: impossible to tell what an arbitrary program will do
- No access to the source code
- Nobody looks: even if you did have access to the code, you won't bother reading it at all
What Does a Virus Look Like?
- Replace any instruction (at location x) by a jump to some free space in memory (location y)
- Write the virus program starting at location y
- Place the instruction that was originally at location x at the end of the virus program
- Jump to x+1
Viruses
- Once an infected program is run, the virus is executed again
  - Do some damage
  - Might replicate itself by looking for any executable files and infecting them
  - Do more damage, replicate itself to more programs
- Usually spread silently until some triggering event: if the damage came too fast, it wouldn't spread as far
How Does a Digital Pest Appear on Your Computer?
Running an infected program
- Forum program: planted by employees or intruders
- Email with attached program
Sometimes you don't realize you are running a program
- PostScript
- Autorun (CD-ROMs, USB flash drives)
What Is This?
main(t,_,a ) char * a; { return! 0<t? t<3? main(-79,-13,a+ main(-87,1-_, main(86, 0, a+1 ) +a)): 1, t<_? main( t+1, _, a ) :3, main ( -94, -27+t, a ) &&t == 2 ?_ <13 ? main ( 2, _+1, "%s %d %d\n" ) :9:16: t<0? t<-72? main( _, t, "@n'+,#'/*{}w+/w#cdnr/+,{}r/*de}+,/*{*+,/w{%+,/w#q#n+,/#{l,+, /n{n+,/+#n+,/#;#q#n+,/+k#;*+,/'r :'d*'3,}{w+K w'K:'+}e#';dq#'l q#'+d'K#!/+k#;q#'r}eKK#}w'r}eKK{nl]'/#;#q#n'){)#}w'){){nl]'/+#n';d }rw' i;# ){nl]!/n{n#'; r{#w'r nc{nl]'/#{l,+'K {rw' iK{;[{nl]'/w#q#n'wk nw' iwk{KK{nl]!/w{%'l##w#' i; :{nl]'/*{q#'ld;r'}{nlwb!/*de}'c ;;{nl'{}rw]'/+,}##'*}#nc,',#nw]'/+kd'+e}+;#'rdq#w! nr'/ ') }+}{rl#'{n' ')# }'+}##(!!/") : t<-50? _==*a ? putchar(31[a]): main(-65,_,a+1) : main((*a == '/') + t, _, a + 1 ) : 0<t? main ( 2, 2 , "%s") :*a=='/'|| main(0, main(-61,*a, "!ek;dc i@bK'(q)-[w]*%n+r3#l,{}:\nuwloca-O;m .vpbks,fxntdCeghiry") ,a+1);}
[mm@noise]$ xmas On the first day of Christmas my true love gave to me a partridge in a pear tree. On the second day of Christmas my true love gave to me two turtle doves and a partridge in a pear tree. On the third day of Christmas my true love gave to me three french hens, two turtle doves and a partridge in a pear tree. On the fourth day of Christmas my true love gave to me four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the fifth day of Christmas my true love gave to me five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the sixth day of Christmas my true love gave to me six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the seventh day of Christmas my true love gave to me seven swans a-swimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the eigth day of Christmas my true love gave to me eight maids a-milking, seven swans a-swimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the ninth day of Christmas my true love gave to me nine ladies dancing, eight maids a-milking, seven swans a-swimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the tenth day of Christmas my true love gave to me ten lords a-leaping, nine ladies dancing, eight maids a-milking, seven swans a-swimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. 
On the eleventh day of Christmas my true love gave to me eleven pipers piping, ten lords a-leaping, nine ladies dancing, eight maids a-milking, seven swans aswimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree. On the twelfth day of Christmas my true love gave to me twelve drummers drumming, eleven pipers piping, ten lords a-leaping, nine ladies dancing, eight maids a-milking, seven swans a-swimming, six geese a-laying, five gold rings; four calling birds, three french hens, two turtle doves and a partridge in a pear tree.
Virus Checker
- A race between good and bad
- Patterns of commands
  - Knows the instruction sequence for lots of types of viruses
  - Checks all the files on disk and the instructions in memory for those patterns
  - Raises a warning if it finds a match
  - Needs to be updated periodically with a new patterns file
  - Hooks into the OS and inspects files before they are written to disk
- Polymorphic virus (poly = many; morphic = form): each time it copies itself
  - Changes the order of its instructions
  - Changes to functionally similar instructions
  - Encryption with a variable key
- Heuristic virus checkers only require certain crucial piece parts of code to match
  - Still enough patterns left even in polymorphic code
  - Constrains the mutation rate
- Metamorphic virus
- Any other approaches?
  - Snapshot of disk storage
  - Goat or bait files
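An added Python example, not from the lecture or the textbook: a toy exact-signature scanner beside a heuristic scanner that only needs a crucial fragment to match, run over constructed byte strings. VIRUS_BODY, DECRYPTOR_STUB, the XOR masking and every sample file are constructed stand-ins for illustration, not real signatures or malware.

```python
# Constructed stand-in for an instruction sequence a pattern file would list.
VIRUS_BODY = bytes.fromhex("f1 e2 d3 c4 b5 a6 97 88 79 6a 5b 4c")     # constructed
# Constructed stand-in for the small, invariant decryptor a polymorphic copy keeps
# in the clear: the "crucial piece part" a heuristic checker can still match.
DECRYPTOR_STUB = bytes.fromhex("aa 55 aa 55 ff")                       # constructed


def signature_scan(data, signatures):
    """Classic checker: report every signature that occurs verbatim in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def heuristic_scan(data, fragments, min_hits):
    """Heuristic checker: flag data when at least min_hits crucial fragments occur."""
    hits = [name for name, fragment in fragments.items() if fragment in data]
    return hits if len(hits) >= min_hits else []


def polymorphic_copy(body, key):
    """Model of 'encryption with a variable key': each copy masks the body with a
    different key byte, but must carry the same stub (and the key) to unmask it."""
    return DECRYPTOR_STUB + bytes([key]) + bytes(b ^ key for b in body)


def scan_samples():
    """Scan a clean file, a plainly infected file and two polymorphic copies.
    Returns {sample: {"signature": [...], "heuristic": [...]}}."""
    signatures = {"toy-virus": VIRUS_BODY}
    fragments = {"toy-virus-stub": DECRYPTOR_STUB, "toy-virus-body": VIRUS_BODY}
    clean = b"\x00" * 16 + b"hello world" + b"\x90" * 8          # constructed file
    samples = {
        "clean": clean,
        "infected": clean + VIRUS_BODY,
        "poly-key-5a": clean + polymorphic_copy(VIRUS_BODY, 0x5A),
        "poly-key-13": clean + polymorphic_copy(VIRUS_BODY, 0x13),
    }
    return {name: {"signature": signature_scan(data, signatures),
                   "heuristic": heuristic_scan(data, fragments, min_hits=1)}
            for name, data in samples.items()}
```

The exact signature misses both polymorphic copies while the heuristic still catches them through the unchanged stub, which is the sense in which polymorphism "constrains the mutation rate": whatever must stay constant to run is what the checker keys on.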
Nonresident vs. Resident Viruses
Nonresident viruses can be thought of as
- Finder module
- Replication module
Resident viruses
- The replication module is loaded into memory
- This module is executed each time the OS is called to perform a certain operation
- Fast infector: infects as many files as possible (pros and cons?)
- Slow infector: infects hosts infrequently; does not seem very successful
- Stealth mode: anti-virus software can be misused if it cannot detect the virus in memory
Given that there is no infallible method to test a program for hidden bad side effects, what can we do?
What Can We Do Today?
- Don't run software from suspicious sources
- Frequently run virus checkers
- Run programs in the most limited possible environment: separate disks, separate VMs
- Watch out for warnings
- Frequent backups: external devices
Mandatory (Nondiscretionary) Access Control
Discretionary access control
- Someone who owns a resource can make a decision as to who is allowed to use (access) it
- Philosophy: users and the programs they run are good guys
Nondiscretionary access control
- Enforces a policy where users might be allowed to use information themselves but might not be allowed to make a copy of it available to someone else
- Even owners of the resources have to follow the policy
- Philosophy: users are careless + the programs they run can't be trusted
- The system must prevent users from accidentally or intentionally giving info to someone else
- Confine information within a security perimeter
Levels of Security
Simplified description of the US DoD scheme as an example
- Security level: unclassified < confidential < secret < top secret
- A set of categories (compartments): CRYPTO, INTEL, NUCLEAR
- A clearance: (SECRET; {INTEL, NUCLEAR})
Given 2 security labels (X, S1) and (Y, S2), (X, S1) is at least as sensitive as (Y, S2) iff
- X ≥ Y and S2 is a subset of S1
- Example: (TOP_SECRET, {CRYPTO, COMSEC}) > (SECRET, {CRYPTO})
Mandatory Access Control Rules
- A human can only run a process that has a security label below or equal to that of the human's label
- A human can only read information marked with a security label below or equal to that of the process
- A process can only write information marked with a security label above or equal to that of the process
Will it be enough to protect sensitive data?
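The label ordering from the previous slide and the three rules above, as an added Python example (not code from the lecture or the textbook); the level names, the helper names and the scenario in leak_attempt are my own assumptions:

```python
from dataclasses import dataclass

# Ordered from least to most sensitive, as on the slide.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """True iff self is at least as sensitive as other: self's level is at
        least other's level AND other's category set is a subset of self's."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


def label(level, *categories):
    """Convenience constructor, e.g. label("SECRET", "INTEL", "NUCLEAR")."""
    return Label(level, frozenset(categories))


def can_run(human, process):
    """Rule 1: the process label must be below or equal to the human's label."""
    return human.dominates(process)


def can_read(process, info):
    """Rule 2: the information label must be below or equal to the process label."""
    return process.dominates(info)


def can_write(process, info):
    """Rule 3: the information label must be above or equal to the process label,
    so a process can never copy what it read into a less sensitive place."""
    return info.dominates(process)


def leak_attempt():
    """Constructed scenario: a SECRET/{CRYPTO} process reads a SECRET/{CRYPTO}
    file, then tries to write the contents to (a) a CONFIDENTIAL file,
    (b) a SECRET/{INTEL} file, (c) a TOP_SECRET/{CRYPTO, COMSEC} file.
    Returns the three write decisions."""
    proc = label("SECRET", "CRYPTO")
    if not can_read(proc, label("SECRET", "CRYPTO")):
        raise RuntimeError("read of an equal label must be allowed")
    return (can_write(proc, label("CONFIDENTIAL")),                    # write-down: denied
            can_write(proc, label("SECRET", "INTEL")),                 # incomparable: denied
            can_write(proc, label("TOP_SECRET", "CRYPTO", "COMSEC")))  # write-up: allowed
```

Note that two labels with the same level but different compartments are incomparable: neither dominates the other, so neither read nor write crosses between them.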
Covert Channel
- Timing channel: create some signal/behavior to represent 0 or 1 per unit of time
- Storage channel: the use of shared resources (memory, sound card)
- Noise: introduce enough noise to reduce the bandwidth of the covert channel (assuming the secret data is large)
- No general way to prevent all the covert channels
Legal Issues
Patents
- Most cryptographic techniques are covered by patents, and historically this has slowed their deployment
Export controls
- The US government used to impose severe restrictions on the export of encryption. Why?