© 2008 Andreas Haeberlen, MPI-SWS1

Pretty Good Packet Authentication

Andreas HaeberlenMPI-SWS / Rice

University

Rodrigo RodriguesMPI-SWS

Peter DruschelMPI-SWS

Krishna GummadiMPI-SWS

2© 2008 Andreas Haeberlen, MPI-SWS

Packet authentication

Internet packets cannot be authenticated Example: Alice receives P, source address X

Can Alice be sure that P was sent by the host with address X?(no, addresses can be spoofed!)

Can Alice convince a third party that P was sent by this host?(no, packets can be forged!)

Alice Bob

Foo.net

Foo.net Bar.netBar.net

Internet

AssignsIP address X

Packet P(source address X)

Admin

3© 2008 Andreas Haeberlen, MPI-SWS

The Internet needs packet authentication

The lack of packet authentication is causing a variety of problems, e.g.:

Bypassing spam blacklists [SIGCOMM'06]

Eve

Bar.netBar.net

Foo.net

Foo.net

Innocent.net

Innocent.net

Mailserver

No more mail from bar.net!

Innocent.net

Internet

4© 2008 Andreas Haeberlen, MPI-SWS

The Internet needs packet authentication

The lack of packet authentication is causing a variety of problems, e.g.:

Bypassing spam blacklists [SIGCOMM'06] False accusations [HotSec'08]

Alice

Eve

Bar.netBar.net

Foo.net

Foo.net

Innocent.net

Innocent.net

Tracker

"Hi, I am Alice"

5© 2008 Andreas Haeberlen, MPI-SWS

The Internet needs packet authentication

The lack of packet authentication is causing a variety of problems, e.g.:

Bypassing spam blacklists [SIGCOMM'06] False accusations [HotSec'08] Unverifiable complaints, plausible deniability

Can we add authentication to the Internet?

Alice Eve

Bar.netBar.netFoo.net

Foo.net

Admin "Alice has been portscanning me!"?!?

6© 2008 Andreas Haeberlen, MPI-SWS

Which properties do we want?

There is a spectrum of possible solutions Strength vs. other goals (such as privacy) Strength vs. feasibility/practicability

Can we find a good compromise?

Str

on

g

Weak

Internettoday

Moreingressfiltering

Clean-slatedesigns

(e.g. AIP)

Crypto+biometrics

BrainscannerPGPA

IPtraceback

Infeasible / too strongDeployment path?

7© 2008 Andreas Haeberlen, MPI-SWS

Proposed solution: PGPA

We propose Pretty Good Packet Authentication

PGPA provides the following capability:Given a packet, a source address and timestamp,the ISP that owns the source address can verify whether the packet was sent at approximately that time

Alice

Bob

Foo.net

Foo.net Bar.netBar.net

Internet

Address Xassigned here

Packet(source address X)

Judy

Has X sent at 4:11pm

today?

YesHas X sent at 4:11pm

today?

8© 2008 Andreas Haeberlen, MPI-SWS

Privacy and anonymity

PGPA protects users' privacy To ask a question about a packet, the requester

must already know the entire packet

PGPA is compatible with anonymity Standard techniques (such as onion routing) can

still be applied

Given a packet, a source address and timestamp,the ISP that owns the source address can verify whether the packet was sent at approximately that time

Given a packet, a source address and timestamp,the ISP that owns the source address can verify whether the packet was sent at approximately that time

Given a packet, a source address and timestamp,the ISP that owns the source address can verify whether the packet was sent at approximately that time

9© 2008 Andreas Haeberlen, MPI-SWS

Outline

Introduction Pretty Good Packet Authentication

(PGPA) How PGPA could be used A simple implementation Conclusion

10© 2008 Andreas Haeberlen, MPI-SWS

How PGPA could be used

PGPA could be used to solve each of the motivating problems:

Bypassing spam blacklists

Eve

Bar.netBar.net

Foo.net

Foo.net

Innocent.net

Innocent.net

Mailserver

Innocent.net

Was this traffic sent from

Innocent.net?

No

11© 2008 Andreas Haeberlen, MPI-SWS

How PGPA could be used

PGPA could be used to solve each of the motivating problems:

Bypassing spam blacklists False accusations

Alice

Eve

Bar.netBar.net

Foo.net

Foo.net

Innocent.net

Innocent.net

Tracker

"Hi, I am Alice"

Was this sent from 1.2.3.4?

1.2.3.4

No

12© 2008 Andreas Haeberlen, MPI-SWS

How PGPA could be used

PGPA could be used to solve each of the motivating problems:

Bypassing spam blacklists False accusations Unverifiable complaints, plausible deniability

Alice Eve

Bar.netBar.netFoo.net

Foo.net

Admin "Alice has been portscanning me!"Is that true?

13© 2008 Andreas Haeberlen, MPI-SWS

PGPA tradeoffs

Associates packets with addresses, not users Reveals that packets were sent, but not why Assumes that ISPs and users do not collude

Very simple Effective against real-world problems Compatible with anonymity Protects users' privacy Straightforward implementation Plausible deployment path

Limitations:

Advantages:

Rest of this talk

14© 2008 Andreas Haeberlen, MPI-SWS

Outline

Introduction Pretty Good Packet Authentication

(PGPA) How PGPA could be used A simple implementation Conclusion

15© 2008 Andreas Haeberlen, MPI-SWS

Keeping records of past traffic

PGPA needs to 'remember' past traffic A set of traffic monitors keep a record of transmitted packets Storing (timestamp, hash) per packet is sufficient

Where should the traffic monitors be placed? Natural choice: Access link Backbone is not modified much easier to deploy

Access linksAlice

Bob

A.netA.net B.netB.net

Internet

Charlie

16© 2008 Andreas Haeberlen, MPI-SWS

Where to place the traffic monitor?

A.netA.net

A.netA.net

A.netA.net

User's premises: Inexpensive; good scalability User can physically destroy the device

At the ISP: Easy to deploy User has to trust the ISP

Secure channel

Monitor

Both: No trust userISP required More overhead

Modem

Router

17© 2008 Andreas Haeberlen, MPI-SWS

Calculating digests

Monitor stores only a digest of each packet Saves space; preserves privacy if monitor is compromised

What if packet is transformed in the network?

Examples: TTL, ECN bits, IP fragmentation, header options Digest must be invariant to transformations [Snoeren02] Reassemble packet before hashing; zero out certain fields

Hash: 0x4711Hash: 0xD1FF

TTL: 63CONTENT

TTL: 63CONTENT

58

A.net

18© 2008 Andreas Haeberlen, MPI-SWS

PGPA preserves users' privacy

Can PGPA be used to snoop on users' traffic? Seen earlier: PGPA only confirms specific packets But what if the attacker tries to guess a packet? Infeasible - attacker would have to correctly guess the

transmission time plus TCP seq. no., IPID field, etc. (≥80 bits)

What if the monitor is stolen or compromised? Only reveals digests, not actual packets Can include a salt in each digest (against dictionary attacks)

Spy Monitor

Did you send trafficto cnn.com earlier today?

Did you send packetX at time t?

Yes

19© 2008 Andreas Haeberlen, MPI-SWS

Traffic monitors are feasible

How much storage does a monitor need? Example: DSL connection Assume worst case: 1 Mbps upstream, fully utilized with 40-

byte packets at all times 3,125 packets/sec Monitor stores SHA-1 hash, 32-bit timestamp per packet

Need 187 GB/month

Single harddisk per user in the worst case Likely to hold in the future (storage grows faster than bw) Many set-top boxes already contain storage

20© 2008 Andreas Haeberlen, MPI-SWS

Summary

The Internet needs a mechanism to authenticate packets

Pretty Good Packet Authentication (PGPA) is a compromise between power and feasibility

PGPA is simple, easy to implement, and has a plausible deployment path

Thank you!