View
24
Download
0
Category
Tags:
Preview:
DESCRIPTION
Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014. Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/. Administrative stuff. Office hours moved on Monday Will be 3 – 4:30 Quiz today (last 15 minutes). Multiple Join/Bootstrap Attack. A, B, C. Join. - PowerPoint PPT Presentation
Citation preview
Class 16Deniable Authentication
CIS 755: Advanced Computer SecuritySpring 2014
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S14/
Administrative stuff
• Office hours moved on Monday– Will be 3 – 4:30
• Quiz today (last 15 minutes)
Multiple Join/Bootstrap Attack
A,B,C
D,E,F
Join Join
Never let nodes re-join/get more contacts!
Harvesting Attack
Never contact anyone except neighbors!
Confirmation Attack
Yes
Are you in the secret network?
Never respond to anyone except neighbors!
secretsecret Covert Auth.!!
Hi? Hi!
XX
Hi? ??
BridgeSPA Bridges
Ongoing problems
• SilentKnock MitM vulnerability• Bridge TLS distinguishability
• Other solutions?– TCP fragmentation, apparently– obfsproxy
SilentKnock
• Software has exploitable bugs (!)• Firewalls can not protect services that
should be externally accessible• Can we prevent unauthorized users from
accessing the service?• Can we prevent them from even detecting the service?
Problem Overview
BUG
Big evil untrusted Internet
Big evil untrusted Internet
TCP 3-way handshake
ServerSYN (25)
SYN-ACK
Client
SMTP(port 25)
Web(port 80)
Mailsoftware ACK (25)
Data (25)
What is Port Knocking?
ServerSYN (666)SYN (777)SYN (888)SYN (25)
SYN-ACK
Client
SMTP(closed)
Web(port 80)
Mailsoftware
SYN (25)
Code:666,777,888
Code:666,777,888
SMTP(port 25)
Covert Authentication
• Dining Freemasons:
– Alice is able to authenticate to Bob using a shared secret without Mallory being aware that an authentication took place
– Bob is unaware that Alice tries to authenticate if Bob does not share a secret with Alice
Problem Statement
• Design a port knocking system that provides– Authentication– Replay protection–Non-detection– Practical implementation– Formal threat model– Provable security
Security of Port Knocking
• Computationally bounded adversary may:– observe many authenticated sessions– arbitrarily inject, delete, and reorder messages
• Cannot distinguish a port knocking client/server pair from those using ordinary TCP/IP, plus some out-of-band authentication mechanism
E. Vasserman, N. Hopper, J. Laxson, and J. Tyra – SilentKnock: practical, provably undetectable authentication
Security Definition
Hidden world
(implementation)
Plausible world
(ideal security)
SC
A
Queue SC
A
keyed
Implementation Overview
• “Simulate” shared signaling by steganographically embedding a MAC into TCP SYN packet
• Application-transparent proxies:– sknockproxy (client) automatically detects
“protectable” streams– sknockd (server) decodes/verifies embedded
MAC
• Userspace implementation
System OverviewClient Server
Packet Filter Hooks
• sknockd– Listen for SYN, FIN, RST– Passively examines only those packets
• sknockproxy– Listen for all packets going to given IP/port
pair– Modifies all packets in stream of interest
• Server-optimized
Steganographic Embedding
Linux 2.6 TCP SYN packet header with embedded MAC
Timestamp Encoding Details
• Only get to modify lowest byte• Must delay packet dispatch• Re-transmitted SYN packets must have the
same sequence number but different timestamp– Re-encode retransmitted packets and delay
dispatch again
Replay Protection
• Two-field counter (C1 || C2)
• C1 = C2 = 0 at first server connection
• De-synchronization can occur if SYN or SYN-ACK is lost
• Auto-resynchronization using timed counter field
Optimizations
• MAC pre-computation for first connection• Background MAC computations for future
connections (not yet implemented)– Counter values and passwords are known for
future connections, can AES-encrypt them while waiting for connection
– Can even store in config file!
sknockd Timing Results
Experiment SSH only sknockd without commit
Average response time (μs)
242.86
± 8.59
389.33
± 13.36
295.44
± 8.64
Slowdown factor
1 1.60 1.22
Known Limitations
• Only protects start of connection (TCP hijacking still possible)
• Limited MAC size• Identity binding: IP addresses• Distinguishability by packet-modifying
adversary
Questions?
Reading discussion
Recommended