Page 1: Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014

Class 16: Deniable Authentication

CIS 755: Advanced Computer Security, Spring 2014

Eugene Vasserman

http://www.cis.ksu.edu/~eyv/CIS755_S14/

Page 2

Administrative stuff

• Office hours moved on Monday
  – Will be 3 – 4:30

• Quiz today (last 15 minutes)

Page 3

Multiple Join/Bootstrap Attack

[Figure: a node joins the network once and is given contacts A, B, C; it joins again and is given D, E, F]

Never let nodes re-join/get more contacts!

Page 4

Harvesting Attack

Never contact anyone except neighbors!

Page 5

Confirmation Attack

[Figure: an outsider asks a node "Are you in the secret network?" and the node answers "Yes"]

Never respond to anyone except neighbors!

Page 6

Covert Auth.!!

[Figure: two parties that both hold the secret authenticate covertly: "Hi?" is answered with "Hi!". A party without the secret sends "Hi?" and gets only "??" back; its connection is blocked (X)]

Page 7

BridgeSPA

[Figure: bridges]

Page 8

Ongoing problems

• SilentKnock MitM vulnerability
• Bridge TLS distinguishability

• Other solutions?
  – TCP fragmentation, apparently
  – obfsproxy

Page 9

SilentKnock

• Software has exploitable bugs (!)
• Firewalls cannot protect services that should be externally accessible
• Can we prevent unauthorized users from accessing the service?
• Can we prevent them from even detecting the service?

Page 10

Problem Overview

[Figure: a service containing a BUG is exposed to the big evil untrusted Internet]

Page 11

TCP 3-way handshake

[Figure: the client sends SYN to port 25; the server, which runs SMTP (port 25) and Web (port 80), answers with SYN-ACK; the client sends ACK (25) followed by Data (25), which reaches the mail software]

Page 12

What is Port Knocking?

[Figure: client and server share the code 666,777,888. The client sends SYN (666), SYN (777), SYN (888) while SMTP is closed and only Web (port 80) is open; after the correct sequence the server opens SMTP (port 25), so the client's SYN (25) is answered with SYN-ACK and the connection reaches the mail software]
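As an added illustration of the slide above (not code from the lecture or from any real knocking daemon), the following Python state machine watches SYN events and opens the SMTP port only for a source that hits 666, 777, 888 in order. The timeout value, the host addresses and the SYN trace are constructed for the example; the decision strings are hypothetical names for what a packet filter would do.

```python
from typing import Dict, List, Set, Tuple

# Knock code from the slide: the client must SYN these ports in this order.
KNOCK_SEQUENCE: Tuple[int, ...] = (666, 777, 888)
SERVICE_PORT = 25        # SMTP, closed until the knock completes
KNOCK_TIMEOUT = 10.0     # constructed: seconds allowed between consecutive knocks


class KnockDaemon:
    """Minimal server-side port-knocking state machine (illustrative only)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        # src_ip -> (index of the next expected knock, time of the last accepted knock)
        self.progress: Dict[str, Tuple[int, float]] = {}
        self.opened: Set[str] = set()   # sources allowed through to SERVICE_PORT

    def on_syn(self, src_ip: str, dst_port: int, t: float) -> str:
        """Process one observed SYN and return the filter decision for that packet."""
        if dst_port == SERVICE_PORT:
            # The service port is reachable only for sources that completed the knock.
            return "allow" if src_ip in self.opened else "drop"

        idx, last = self.progress.get(src_ip, (0, t))
        if t - last > self.timeout:
            idx = 0   # too slow: the partial sequence expires and must be restarted

        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened.add(src_ip)
                self.progress.pop(src_ip, None)
                return "open"        # correct code: unlock SERVICE_PORT for this source
            self.progress[src_ip] = (idx, t)
            return "ignore"          # knocks go to closed ports; nothing answers them

        # Wrong port: restart, crediting the knock if it happens to be the first port.
        self.progress[src_ip] = (1 if dst_port == self.sequence[0] else 0, t)
        return "ignore"


# Constructed SYN trace: (source address, destination port, time in seconds).
SYN_TRACE: List[Tuple[str, int, float]] = [
    ("10.0.0.5", 25,  0.0),    # before knocking, SMTP is closed
    ("10.0.0.5", 666, 1.0),
    ("10.0.0.5", 777, 1.5),
    ("10.0.0.5", 888, 2.0),    # code complete
    ("10.0.0.5", 25,  2.5),    # now reaches the mail software
    ("10.0.0.9", 888, 3.0),    # wrong order from another host
    ("10.0.0.9", 777, 3.5),
    ("10.0.0.9", 666, 4.0),    # only the first knock is correct
    ("10.0.0.9", 777, 20.0),   # 16 s later: the partial sequence has expired
    ("10.0.0.9", 888, 20.5),
    ("10.0.0.9", 25,  21.0),   # still closed for this host
]


def run_trace(trace=SYN_TRACE) -> List[str]:
    """Feed the trace through a fresh daemon and return the per-packet decisions."""
    daemon = KnockDaemon()
    return [daemon.on_syn(src, port, t) for src, port, t in trace]


if __name__ == "__main__":
    for (src, port, t), decision in zip(SYN_TRACE, run_trace()):
        print(f"t={t:5.1f} {src:>9} -> :{port:<3} {decision}")
```

The trace makes the weakness of plain knocking visible: the three SYNs are sent in the clear, so anyone who records them can repeat them later, and anyone who sees port 25 open afterwards learns that a service is there. Those two gaps are exactly the replay-protection and non-detection requirements on the Problem Statement slide.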

Page 13

Covert Authentication

• Dining Freemasons:

– Alice is able to authenticate to Bob using a shared secret without Mallory being aware that an authentication took place

– Bob is unaware that Alice tries to authenticate if Bob does not share a secret with Alice

Page 14

Problem Statement

• Design a port knocking system that provides
  – Authentication
  – Replay protection
  – Non-detection
  – Practical implementation
  – Formal threat model
  – Provable security

Page 15

Security of Port Knocking

• Computationally bounded adversary may:
  – observe many authenticated sessions
  – arbitrarily inject, delete, and reorder messages

• Cannot distinguish a port knocking client/server pair from those using ordinary TCP/IP, plus some out-of-band authentication mechanism

E. Vasserman, N. Hopper, J. Laxson, and J. Tyra – SilentKnock: practical, provably undetectable authentication

Page 16

Security Definition

[Figure: two worlds. Hidden world (implementation): adversary A interacts with the keyed server/client pair SC. Plausible world (ideal security): A interacts with an ordinary SC whose authentication passes through an out-of-band Queue. Security holds if A cannot tell the two worlds apart]

Page 17

Implementation Overview

• "Simulate" shared signaling by steganographically embedding a MAC into the TCP SYN packet

• Application-transparent proxies:
  – sknockproxy (client) automatically detects "protectable" streams
  – sknockd (server) decodes/verifies the embedded MAC

• Userspace implementation

Page 18

System Overview

[Figure: client and server]

Page 19

Packet Filter Hooks

• sknockd
  – Listens for SYN, FIN, RST
  – Passively examines only those packets

• sknockproxy
  – Listens for all packets going to a given IP/port pair
  – Modifies all packets in the stream of interest

• Server-optimized

Page 20

Steganographic Embedding

[Figure: Linux 2.6 TCP SYN packet header with embedded MAC]

Page 21

Timestamp Encoding Details

• Only get to modify the lowest byte
• Must delay packet dispatch
• Re-transmitted SYN packets must have the same sequence number but a different timestamp
  – Re-encode retransmitted packets and delay dispatch again

Page 22

Replay Protection

• Two-field counter (C1 || C2)

• C1 = C2 = 0 at first server connection

• De-synchronization can occur if SYN or SYN-ACK is lost

• Auto-resynchronization using timed counter field
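The Implementation Overview, Timestamp Encoding and Replay Protection slides describe one mechanism from three sides; the Python below is an added example that ties them together. It is not SilentKnock's code: the tag is a truncated HMAC-SHA256, the split of 24 bits into the low bits of the initial sequence number and 8 bits into the lowest timestamp byte is an assumed layout, the server tolerates a fixed window of lost SYNs in place of the slides' timed (C1 || C2) counter, the class names KnockClient/KnockServer are hypothetical stand-ins for sknockproxy/sknockd, and the key, addresses and ISN values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Tuple

KEY = b"constructed-demo-shared-secret"   # constructed; the real key is shared out of band

# Assumed layout: 32-bit tag = 24 bits in the low ISN bits + 8 bits in the timestamp's low byte.
ISN_BITS, TS_BITS = 24, 8
ISN_MASK, TS_MASK = (1 << ISN_BITS) - 1, (1 << TS_BITS) - 1
RESYNC_WINDOW = 8   # assumed: lost SYNs the server tolerates before it stops resynchronising


def compute_tag(key: bytes, counter: int, src_ip: str, dst_ip: str, dst_port: int) -> int:
    """Truncated HMAC over the replay counter and the connection's addresses/port.
    The counter makes every SYN's tag different; binding src_ip is the
    'identity binding: IP addresses' limitation named on the last slides."""
    msg = (struct.pack("!Q", counter)
           + ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!H", dst_port))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")   # 32 bits is all the SYN has room for


def split_tag(tag: int) -> Tuple[int, int]:
    return tag >> TS_BITS, tag & TS_MASK


def embed_isn(kernel_isn: int, isn_part: int) -> int:
    """Overwrite the low 24 ISN bits; the top byte keeps the kernel's random value."""
    return (kernel_isn & ~ISN_MASK & 0xFFFFFFFF) | isn_part


def timestamp_delay(ts_now: int, ts_part: int) -> int:
    """Only the lowest timestamp byte can be chosen, and only by waiting: the number of
    ticks dispatch must be delayed so the timestamp's low byte equals ts_part."""
    return (ts_part - (ts_now & TS_MASK)) % (1 << TS_BITS)


def extract_tag(isn: int, ts: int) -> int:
    return ((isn & ISN_MASK) << TS_BITS) | (ts & TS_MASK)


class KnockClient:
    """sknockproxy-like side: stamps each outgoing SYN and advances its counter."""

    def __init__(self, key: bytes, src_ip: str, dst_ip: str, dst_port: int):
        self.key, self.src_ip, self.dst_ip, self.dst_port = key, src_ip, dst_ip, dst_port
        self.counter = 0   # both sides start at 0 for the first connection

    def build_syn(self, kernel_isn: int, ts_now: int) -> Tuple[int, int]:
        tag = compute_tag(self.key, self.counter, self.src_ip, self.dst_ip, self.dst_port)
        isn_part, ts_part = split_tag(tag)
        ts = ts_now + timestamp_delay(ts_now, ts_part)   # dispatch is held back this long
        self.counter += 1
        return embed_isn(kernel_isn, isn_part), ts


class KnockServer:
    """sknockd-like side: verifies the tag and resynchronises the counter after losses."""

    def __init__(self, key: bytes, dst_ip: str, dst_port: int, window: int = RESYNC_WINDOW):
        self.key, self.dst_ip, self.dst_port, self.window = key, dst_ip, dst_port, window
        self.expected: Dict[str, int] = {}   # per client address: next counter value

    def verify_syn(self, src_ip: str, isn: int, ts: int) -> bool:
        got = extract_tag(isn, ts).to_bytes(4, "big")
        start = self.expected.get(src_ip, 0)
        for c in range(start, start + self.window):   # try the expected counter and a few ahead
            want = compute_tag(self.key, c, src_ip, self.dst_ip, self.dst_port).to_bytes(4, "big")
            if hmac.compare_digest(want, got):
                self.expected[src_ip] = c + 1   # resync; c and everything older are dead
                return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through: fresh connection, replay, loss inside and outside the window."""
    client = KnockClient(KEY, "10.0.0.5", "192.0.2.10", 25)
    server = KnockServer(KEY, "192.0.2.10", 25)
    isn, ts = client.build_syn(kernel_isn=0x8A3F1C27, ts_now=1000)
    results = {"first_syn": server.verify_syn("10.0.0.5", isn, ts)}
    results["replay"] = server.verify_syn("10.0.0.5", isn, ts)        # same SYN again
    for _ in range(2):                                                 # two SYNs lost in transit
        client.build_syn(kernel_isn=0x1234ABCD, ts_now=2000)
    isn, ts = client.build_syn(kernel_isn=0x5EED0001, ts_now=3000)
    results["after_2_lost"] = server.verify_syn("10.0.0.5", isn, ts)   # still inside the window
    for _ in range(RESYNC_WINDOW):                                     # more losses than the window
        client.build_syn(kernel_isn=0x1234ABCD, ts_now=4000)
    isn, ts = client.build_syn(kernel_isn=0x5EED0002, ts_now=5000)
    results["after_window_lost"] = server.verify_syn("10.0.0.5", isn, ts)
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the slides: the server only ever reads SYN fields that an ordinary Linux stack would also produce, so a passive observer sees a normal-looking ISN and timestamp; and the accept loop moves the expected counter forward but never backward, which is what turns a lost SYN-ACK into a resynchronisation rather than a replay opening.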

Page 23

Optimizations

• MAC pre-computation for first connection
• Background MAC computations for future connections (not yet implemented)
  – Counter values and passwords are known for future connections; can AES-encrypt them while waiting for a connection
  – Can even store in config file!

Page 24

sknockd Timing Results

Experiment                    SSH only         sknockd          sknockd without commit
Average response time (μs)    242.86 ± 8.59    389.33 ± 13.36   295.44 ± 8.64
Slowdown factor               1                1.60             1.22

Page 25

Known Limitations

• Only protects start of connection (TCP hijacking still possible)
• Limited MAC size
• Identity binding: IP addresses
• Distinguishability by packet-modifying adversary

Page 26

Questions?

Reading discussion