1

Final Exam ReviewIT443 – Network Security Administration

2

Fundamental Tenet of Cryptography

What is it?

If lots of smart people have failed to solve a problem, then it probably wont be solved

(soon).

3

Network Basics

• Network Layers– Application layer– Transport layer – IP layer – Data link layer

– TCP, UDP, IP, SSH, HTTP– IP address, MAC address, TCP address? – Port number

4

Layer Encapsulation

4

Get index.html

Connection ID

Source/Destination

Link Address

User A User B

5

Network Basics

• Headers– [ether net header [IP header [TCP header [Payload]]]]

• TCP / UDP– TCP is reliable

• Acknowledgement, retransmission, discard duplicates, …

– TCP 3-way handshake• SYN, ACK, FIN

6

Establishing a TCP Connection

• Three-way handshake to establish connection– Host A sends a SYN (open) to the host B– Host B returns a SYN acknowledgment (SYN ACK)– Host A sends an ACK to acknowledge the SYN ACK

SYN

SYN ACK

ACK

DataData

Each host tells its ISN to the other host.

7

Unreliable Message Delivery Service• User Datagram Protocol (UDP)

– IP plus port numbers – Optional error checking on the packet contents

• Lightweight communication between processes– Avoid overhead and delays of ordered, reliable delivery

• For example: VoIP, video conferencing, gaming

SRC port DST port

checksum

length

DATA

8

TCP Header

Source port Destination port

Sequence number

Acknowledgment

Advertised windowHdrLen Flags0

Checksum Urgent pointer

Options (variable)

Data

Flags: SYNFINRSTPSHURGACK

9

Network Basics

• IP layer– Routing (different paths)– IP prefix, e.g., 12.34.158.0/24– Classful Addressing (Class A, B, C)– Classless Inter-Domain Routing (CIDR)– Private networks

• 10.0.0.0/8 (255.0.0.0)• 172.16.0.0/12 (255.240.0.0)• 192.168.0.0/16 (255.255.0.0)

10

IP Packet

20-byteheader

4-bitVersion

4-bitHeaderLength

8-bitType of Service(TOS)

16-bit Total Length (Bytes)

16-bit Identification3-bitFlags 13-bit Fragment Offset

8-bit Time to Live (TTL) 8-bit Protocol 16-bit Header Checksum

32-bit Source IP Address

32-bit Destination IP Address

Options (if any)

Payload

11

Network Basics

• DNS – Hierarchical name space– Local DNS server / caching– dig / dig -x

• Data link layer– MAC address– ARP messages / ARP table

12

Network Basics

• Potential Questions Topics

Is 192.168.x.x globally accessible?

Which of the following header contain destination information:

A. TCP header

B. IP header

C. Ethernet header

Compare and contrast TCP and UDP and briefly describe their similarities and differences.

13

Recon & Info Gathering• Social Engineering: “the weakest link”,

– Physical or automated (e.g., phishing) – Defenses: user awareness

• Physical Security– Physical access, theft, dumpster diving– Defenses: locks, policies (access, screen savers, etc.), encrypted file

systems, paper shredders http://www.guardian.co.uk/politics/2008/sep/30/terrorism.ebay

• Web Searching and Online Recon– Check company website, get contact names, look for comments in html,

etc.– Use Search Engines: Google!, Usenet to discover technologies in use,

employee names, etc.– Defenses: “Security Through Obscurity”, Policies

14

Crypto Basics

• Encryption/Decryption– Plaintext, ciphertext, key– Secret key/symmetric key crypto

• What are some of the symmetric key encryption algorithms?

– Public key/asymmetric key crypto• What are some of the asymmetric key encryption

algorithms?

– Hash function• What are some of the hash algorithms?

15

Secret Key Cryptography

• Stream cipher• Block cipher

– Converts one input plaintext block of fixed size k bits to an output ciphertext block of k bits

– DES, IDEA, AES, …– AES

• Selected from an open competition, organized by NSA• Joan Daemen and Vincent Rijmen (Belgium)• Block size=128 bits, Key Size= 128/192/256 bits

16

Electronic Code Book (ECB)

E E E EKey

128

M1 M2 M3 M4

128 46 + padding

128

Plaintext

C1 C2 C3 C4

128 128 128128

Ciphertext

17

Cipher Block Chaining (CBC)

InitializationVector

E E E EKey

C1 C2 C3 C4

128 128 128128

M1 M2 M3 M4

128 128 46 + padding

128

18

Public Key Cryptography

• Public key crypto– Public/private key pair– Encryption/decryption (different keys)– Sign/verify (digital signature)– Much slower than secret key operations

• Algorithms– DSA, RSA

19

Diffie-Hellman

• Predates RSA• Does neither encryption nor signatures• What is it good for then?• How does it work?

20

Crypto Basics

• Hash function– One way transformation– Collision resistance– Applications

• Message digest/checksum• File integrity • Password• …

21

Modern Hash Functions• MD5 (128 bits)

– Previous versions (i.e., MD2, MD4) have weaknesses.– Broken; collisions published in August 2004– Too weak to be used for serious applications

• SHA (Secure Hash Algorithm)– Weaknesses were found

• SHA-1 (160 bits)– Broken, but not yet cracked – Collisions in 269 hash operations, much less than the brute-force attack

of 280 operations– Results were circulated in February 2005, and published in CRYPTO

’05 in August 2005

• SHA-256, SHA-384, …

22

Crypto Basics

• Potential Question TopicsIn secret key encryption, can the encrypted file’s size be smaller

than the original file’s?

Are the following desired properties of hash functions?• a. One-way property, that is, it’s easy to reverse the hash

computation, but computationally infeasible to compute the hash function itself.

• b. Collision free, that is, it’s computationally infeasible to find two messages that have the same hash value.

• c. Only authorized parties can perform hash functions.

23

Authentication

• What’s authentication– User authentication

• Allow a user to prove his/her identity to another entity (e.g., a system, a device).

– Message authentication• Verify that a message has not been altered without

proper authorization.

24

Authentication

• Threat– Eavesdropping– Password guessing– Server database reading (compromised)

25

Authentication

• Challenge/response

Alice BobI’m Alice

a challenge R

H(KAlice-Bob, R)

Alice BobI’m Alice

R

SigAlice{R}

26

Eavesdropping & Server Database Reading

• If public key crypto is not available, protection against both eavesdropping and server database reading is difficult:– Hash => subject to eavesdropping– Challenge requires Bob to store Alice’s secret in a database

Alice BobI’m Alice

A challenge R

H(KAlice-Bob, R)

Alice BobI’m Alice, H(KAlice-Bob)

27

Mutual Authentication

• Reflection Attack

Trudy BobI’m Alice, R2

R1, f(KAlice-Bob, R2)

f(KAlice-Bob, R1)

Trudy BobI’m Alice, R1

R3, f(KAlice-Bob, R1)

28

Mutual Authentication

• Reflection Attack

Alice BobI’m Alice, R2

R1, f(KAlice-Bob, R2)

f(KAlice-Bob, R1)

Alice BobI’m Alice

R1

f(KAlice-Bob, R1), R2

f(KAlice-Bob, R2)

Countermeasure

29

Authentication• Key Distribution Center

– If node A wants to communicate with node B• A sends a request to the KDC• The KDC securely sends to A: EKA(RAB) and EKB(RAB, A)

• Certificate– How do you know the public key of a node?– Certification Authorities (CA)– Everybody needs to know the CA public key– The CA generates certificates: Signed(A, public-key, validity

information)

[Alice’s public key is 876234]carol

[Carol’s public key is 676554]Ted & [Alice’s public key is 876234]carol

30

Authentication

• Password guessing– Online vs. offline– Dictionary attack– Password salt

31

Authentication

• Potential Question Topics

Assume Alice and Bob share a secret KAlice-Bob, what is the security flaw when they use the following protocol for Bob to authenticate Alice?

Alice BobI’m Alice, H(KAlice-Bob)

32

Some Issues for Password Systems

• A password should be easy to remember but hard to guess– that’s difficult to achieve!

• Some questions– what makes a good password?– where is the password stored, and in what

form?– how is knowledge of the password verified?

33

IPsec

• Which layer• Why we need it

– IP spoofing– Payload modification– Eavesdropping

34

SSL

• Which layer• Why we need it

– Think about https

• Main processes– Negotiate cipher suites– Authenticate servers– Verify certificates

35

Firewall / IDS

• What are their roles– Prevent vs. detect

• Firewall– Packet filtering (stateless) vs. session filtering

(stateful)– iptables

36

Internet Security Mechanisms

• Goal: prevent if possible; detect quickly otherwise; and confine the damage

Prevent:Firewall, IPsec, SSL

Detect:Intrusion Detection

Survive/Response:

Recovery, Forensics

37

Firewall / IDS

• IDS– Accuracy, e.g., false alarm

– Misuse detection (signatures)– Anomaly detection

– Host-based (e.g., aide)– Network-based (e.g., snort)

38

Firewall

• Potential Question Topics

A stateless firewall on a server cannot limit the number of TCP connections per client.

Describe the goal of the following firewall rule: iptables -A INPUT -p icmp -j DROP

Compose a firewall rule to block access to a SSL connection.

39

IDS

• Questions

– Explain the following snort rule and describe how to trigger the alert:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:“Test attack"; content:"test_attack"; … … )

– Compare host-based and network-based IDS, and briefly describe the difference.