Day5

Network Security and Hacking Techniques Day 5

Introduction Introduction What is a Honeypot? Value of Honeypot Types of Honeypot Solutions Honeynet Etc. References “ The Linux Based Service s t hat Mean Business Securing Internet ”

Honeypot The Honepot Project is an all-volunteer, non-profit research organization Dedicated to learning the tools, tactics, and motives of the blackhat community and sharing the lessons learned Traditional honeypots have been for deception or detecting attacks

Introduction Term originally from the military fake target or ambush used in network security environment Background lack of information on blackhat communities

Goal Primary an instrument for information gathering and learning. other possibilities for a honeypot divert hackers from productive system catch a hacker while conducting an attack etc...

Honeypot (Cont…) 1 st Generation Honeypot Firewall separating the Honeynet into three different networks

Honeypot (Cont…) 2 nd Generation Honeypot

Honeypot (Cont…) 2nd Generation (2002-) easier to deploy, yet more difficult to detect gather greater information all requirements combined onto a single device easier to both deploy and manage a layer2 gateway, its acts as a bridge more difficult to detect (it has no IP Stack) control and capture all traffic in the single device

Information Security-Cryptography Basic Concepts Classical Cryptosystem Mathematics of Cryptography Modern Cryptographic techniques Secret Key Encryption Public Key Encryption Key Management Legal Considerations

Information Security-Cryptography Definitions Introduction to Crytograhpy Example Ciphers Types of Ciphers Methods of Encryption

Definitions Algorithm: The set of mathematical rules used in encryption and decryption. Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available only to the intended individuals. Cryptosystem: Hardware or software implementation of cryptography that transforms a message to ciphertext and back to plaintext. Cryptoanalysis: Practice of obtaining plaintext from ciphertext without a key or breaking the encryption. Cryptology: The study of both cryptography and cryptoanalysis. Ciphertext: Data in encrypted or unreadable format. Encipher: Act of transforming data into an unreadable format.

Definitions (Conts…) Decipher: Act of transforming data into a readable format. Key: Secret sequence of bits and instructions that governs the act of encryption and decryption. Key clustering: Instance when two different keys generate the same cipher text from the same plaintext. Keyspace: Possible values used to construct keys. Plaintext: Data in readable format, also referred to as cleartext. Work factor: Estimated time, effort, and resources necessary to break a cryptosystem.

Cryptography The most widely used tool for securing information and services is cryptography. Cryptography relies on ciphers: mathematical function used for encryption and decryption of a message. Encryption : the process of disguising a message in such a way as to hide its substance. Ciphertext: an encrypted message Decryption: the process of returning an encrypted message back into plaintext. Encryption Decryption Plaintext Ciphertext Original Plaintext

Example Ciphers Caesar cipher: each plaintext characters is replaced by a character k to the right. “ Watch out for Brutus!” => “Jngpu bhg sbe Oehghf!” Only 25 choices! Not hard to break by brute force . Substitution Cipher : each character in plaintext is replaced by a corresponding character of ciphertext. E.g., cryptograms in newspapers. plaintext code: a b c d e f g h i j k l m n o p q r s t u v w x y z ciphertext code: m n b v c x z a s d f g h j k l p o i u y t r e w q 26! Possible pairs.

Ciphers For some message M, let’s denote the encryption of that message into cipher text as E k (M) = C Similarly, the decryption into plain text as D k (C) = M Notice, D k (E k (M)) = M symmetric key algorithms. Some algorithms use different keys for each operation: D k1 (E k2 (M))= M public-key algorithms.

Simplified Model of Symmetric Encryption

Ingredients Plain text Encryption algorithm Secret key Cipher text Decryption algorithm

Requirements for Security Strong encryption algorithm Even if known, should not be able to decrypt or work out key Even if a number of cipher texts are available together with plain texts of them Sender and receiver must obtain secret key securely Once key is known, all communication using this key is readable

Attacking Encryption Cryptanalysis Relay on nature of algorithm plus some knowledge of general characteristics of plain text Attempt to deduce plain text or key Brute force Try every possible key until plain text is achieved

Cryptanalysis plaintext Encrypt Decrypt K e K d C = E Ke (plaintext) Invader Side information plaintext plaintext Cryptanalysis

Cryptanalysis Cryptanalysis is the science of recovering the plaintext of a message without access to the key. Doesn’t have to discover the key necessarily. The loss of a key without cryptanalysis is called a compromise. Ciphertext-only attack The attacker has to recover the plaintext from only the ciphertext. Known-plaintext attack Portions of the cipher are known as plaintext. The rest may be easier to recover Chosen-plaintext attack The attacker can choose what plaintext to encrypt, again making it easier to recover other ciphertext.

Encryption Algorithms Block cipher Process plain text in fixed block sizes producing block of cipher text of equal size Data encryption standard (DES) Triple DES (TDES) Advanced Encryption Standard

Simple Block Cipher Plaintext message B 2 B 1 B 0 encrypt B 3 B 3 B 2 B 1 B 0

Problem If the same block is encrypted twice with the same key, the resulting ciphertext blocks are the same It is desirable to make identical plaintext blocks encrypt to different ciphertext blocks. Two methods are commonly used for this: CBC mode: a ciphertext block is obtained by first xoring the plaintext block with the previous ciphertext block, and encrypting the resulting value. CFB mode: a ciphertext block is obtained by encrypting the previous ciphertext block, and xoring the resulting value with the plaintext.

Stream Ciphers For some applications encryption in blocks will not work Telephone conversation Radio Broadcast … White noise…

Stream Cipher encrypt XOR K 0 K 1 K 2 K 3 number generator keystream buffer Plaintext stream Encrypted stream

Data Encryption Standard US standard 64 bit plain text blocks 56 bit key Broken in 1998 by Electronic Frontier Foundation Special purpose machine Less than three days DES now worthless

Triple DES ANSI X9.17 (1985) Incorporated in DES standard 1999 Uses 3 keys and 3 executions of DEA algorithm Effective key length 112 or 168 bit Slow Block size (64 bit) too small

Advanced Encryption Standard National Institute of Standards and Technology (NIST) in 1997 issued call for Advanced Encryption Standard (AES) Security strength equal to or better than 3DES Improved efficiency Symmetric block cipher Block length 128 bits Key lengths 128, 192, and 256 bits Evaluation include security, computational efficiency, memory requirements, hardware and software suitability, and flexibility 2001, AES issued as federal information processing standard (FIPS 197)

AES Description Assume key length 128 bits Input is single 128-bit block Depicted as square matrix of bytes Block copied into State array Modified at each stage After final stage, State copied to output matrix 128-bit key depicted as square matrix of bytes Expanded into array of key schedule words Each four bytes Total key schedule 44 words for 128-bit key Byte ordering by column First four bytes of 128-bit plaintext input occupy first column of in matrix First four bytes of expanded key occupy first column of w matrix

AES Comments (1) Key expanded into array of forty-four 32-bit words, w[i] Four distinct words (128 bits) serve as round key for each round Four different stages One permutation and three substitution Substitute bytes uses S-box table to perform byte-by-byte substitution of block Shift rows is permutation that performed row by row Mix columns is substitution that alters each byte in column as function of all of bytes in column Add round key is bitwise XOR of current block with portion of expanded key

AES Comments (1) Simple structure For both encryption and decryption, cipher begins with Add Round Key stage Followed by nine rounds , Each includes all four stages Followed by tenth round of three stages

AES Comments (2) Only Add Round Key stage uses key Begin and ends with Add Round Key stage Any other stage at beginning or end, reversible without key Adds no security Add Round Key stage by itself not formidable Other three stages scramble bits By themselves provide no security because no key Each stage easily reversible Decryption uses expanded key in reverse order Not identical to encryption algorithm Easy to verify that decryption does recover plaintext Final round of encryption and decryption consists of only three stages

Location of Encryption Devices Encryption Across a Packet Switching Network

Link Encryption Each communication link equipped at both ends All traffic secure High level of security Requires lots of encryption devices Message must be decrypted at each switch to read address (virtual circuit number) Security vulnerable at switches Particularly on public switched network

End to End Encryption Encryption done at ends of system Data in encrypted form crosses network unaltered Destination shares key with source to decrypt Host can only encrypt user data Otherwise switching nodes could not read header or route packet Traffic pattern not secure Use both link and end to end

Key Distribution Question: How to deliver a shared key to 2 parties that wish to exchange data without others to see the key? Key selected by A and delivered to B Third party selects key and delivers to A and B Use old key to encrypt and transmit new key from A to B Use old key to transmit new key from third party to A and B

Automatic Key Distribution for Connection-Oriented Protocols

Automatic Key Distribution Session Key Used for duration of one logical connection Destroyed at end of session Used for user data Permanent key Used for distribution of keys Key distribution center Determines which systems may communicate Provides one session key for that connection Security service module (SSM) Performs end to end encryption Obtains keys for host

Message Authentication Protection against active attacks Falsification of data Eavesdropping Message is authentic if it is genuine and comes from the alleged source Authentication allows receiver to verify that message is authentic Message has not altered Message is from authentic source Message timeline

Authentication Using Encryption Assumes sender and receiver are only entities that know key Message includes: error detection code sequence number time stamp

Authentication Without Encryption Authentication tag generated and appended to each message Message not encrypted Useful for: Messages broadcast to multiple destinations Have one destination responsible for authentication One side heavily loaded Encryption adds to workload Can authenticate random messages Programs authenticated without encryption can be executed without decoding

Message Authentication Code Generate authentication code based on shared key and message Common key shared between A and B If only sender and receiver know key and code matches: Receiver assured message has not altered Receiver assured message is from alleged sender If message has sequence number, receiver assured of proper sequence

Message Authentication Using a Message Authentication Code

One Way Hash Function Accepts variable size message and produces fixed size tag (message digest) Advantages of authentication without encryption Encryption is slow Encryption hardware expensive Encryption hardware optimized to large data Algorithms covered by patents Algorithms subject to export controls (from USA)

Message Authentication Using a One-Way Hash Function

Public Key Encryption Based on mathematical algorithms Asymmetric Use two separate keys Ingredients Plain text Encryption algorithm Public and private key Cipher text Decryption algorithm

Public Key Encryption - Operation One key made public Used for encryption Other kept private Used for decryption Infeasible to determine decryption key given encryption key and algorithm Either key can be used for encryption, the other for decryption

Steps User generates pair of keys User places one key in public domain To send a message to user, encrypt using public key User decrypts using private key

Digital Signature Sender encrypts message with their private key Receiver can decrypt using senders public key This authenticates sender, who is only person who has the matching key Does not give privacy of data Decrypt key is public

Signatures Handwritten signatures can verify that a document is Authentic The signature is mine and has not been altered Unforgeable Proves that I signed the document Non-repudible I cannot deny that I signed the document

Digital Signatures Public key systems can also be used to provide message authentication: The sender’s secret key can be used to encrypt a message, thereby signing it This creates a digital signature of a message, which the recipient (or anyone else) can check by using the sender's public key to decrypt it. This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else

Digital Properties The properties of digital documents are different from paper documents We need to be able to bind a signature to the entire sequence of bits that make up the document How do I prevent someone from revealing their private key and then claiming they never signed something?

Message Digests Message digests are used to create short, fixed-length representations of longer, variable-length messages The goal is to make H(M) != H(M’) Digest algorithms are designed to produce unique digests for different messages.

Next Problem You digitally sign a document Send the document to a bank Encrypted using the bank’s public key How do you Verify that the public key you used to encrypt the message actually belongs to the bank? How does the bank verify that you actually signed the document (or where do they get your public key)?

Certificates A certificate associates a public key with the real identity of an individual, server, or other entity, known as the subject S u b jec t D i s t i n g u is he d N a m e, Pu b l ic K e y Iss ue r D i s t i n g u is he d N a m e, Si g n at u r e Pe ri o d o f v a li d i t y N o t Be f o r e Da t e, No t A f t e r D ate A d m i ni str a t ive i n fo rma ti o n V er si o n , S e r i a l N u mb e r Ex t en d e d I n f or m a t i o n

Certificate Authority A trusted source of certificates Verifying certificate requests Processing certificate requests Issuing and managing certificates In previous example I would get a certificate for the bank to obtain the public key of the bank The bank would get a certificate to obtain my public key

The RSA Algorithm Key Generation Select p , q p and q both prime, p  q Calculate n = p ´ q Calculate f( n ) = ( p – 1)( q – 1) Select integer e gcd(f( n ), e ) = 1; 1 < e < f( n ) Calculate d de mod f( n ) = 1 Public key KU = { e , n } Private key KR = { d , n } Encryption Plaintext: M < n Ciphertext: C = Me (mod n ) Decryption Ciphertext: C Plaintext: M = Cd (mod n )

Implementing Network Security using VPNs Introduction to VPNS Overview of VPNs CPE-Based VPNs Provider-Provisioned VPNs Introduction to RFC 2547 Introduction to CCClLayer 2 MPLS VPN lETF Standards Update Conclusions

What is a VPN? A private network constructed over a shared infrastructure Virtual: not a separate physical network Private: separate addressing and routing Network: a collection of devices that communicate Policies are key — global connectivity is not the goal Shared Infrastructure Mobile Users and Telecommuters Remote Access Branch Office Corporate Headquarters Suppliers, Partners and Customers Intranet Extranet

Deploying VPNs in the 1990s Operational model PVCs overlay the shared infrastructure (ATM/Frame Relay) Routing occurs at customer premise Benefits Mature technologies Relatively “secure” Service commitments (bandwidth, availability, and more) Limitations Scalability, provisioning and management Not a fully integrated IP solution Provider Frame Relay Network CPE CPE DLCI FR Switch DLCI DLCI FR Switch FR Switch

Deploying VPNs in the 21st'Century Uses IP infrastructure Can be,shared with Internet services increasing importance of IP/MPLS Subscriber benefits Lower operational expense Single network connection Provider benefits Multiservice infrastructure Creates additional source of revenue Shared Infrastructure Mobile Users and Telecommuters Remote Access Branch Office Corporate Headquarters Suppliers, Partners and Customers Intranet Extranet

VPN Classification Model Customer-managed VPN solutions (CPE-VPNs) Layer 2: L2TP and PPTP Layer 3: IPSec Provider-provisioned VPN solutions (PP-VPNs) Layer 3: MPLS-Based VPNs (RFC 2547bis) Layer 3: Non-MPLS-Based VPNs (Virtual Routers) Layer2: MPLS VPNs PE PE CPE CPE Subscriber Site 3 PP-VPN Subscriber Site 2 CPE PE VPN Tunnel VPN Tunnel VPN Tunnel CPE PE PE PE CPE CPE CPE-VPN VPN Tunnel Subscriber Site 1 Subscriber Site 3 Subscriber Site 2 VPN Tunnel VPN Tunnel Subscriber Site 1

CPE-VPNs: L2TP and PPTP Application: Dial access for remote users Layer 2 Tunneling Protocol (L2TP) RFC2661 Combination of L2f and Point-to-point Tunneling Point-to-Point Tunneling Protocol (PPTP) Bundled with Windows and Windows NT Authentication during setup lPSec can operate over PPP for stronger security V.x Modem PPP Dial up Service Provider or 或 VPN L2TP Access Server Dial Access Server L2TP Tunnel Dial Access Server PPTP Access Server PPTP Tunel Dial Access Provider

CPE-VPNs: IPSec Tunnel Mode IPSec defines IETF Layer 3 security architecture Applications - Strong security requirements, across one or multiple Service Providers Customer responsible for key management Security services include: Access control Data originauthentication Replay protection Dataintegrity Data privacy (encryption/decryption) Key management

CPE-VPNs: IPSec Example Uses normal IP services from service provider Protected packets forwarded by existing routers Does not address QoS/SLAs Minimal provider opportunity Customer manages its own routing Corporate HQ Branch Office CPE CPE IPsec ESP Tunnel Public Internet

Customer Edge Routers Customer Edge (CE) routers Router or switch device located at customer premises providing access to the service provider network Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA …) independence of the service provider network CEs within a VPN, uses the same L2 technology to access the service provider network Requires a sub-interface per CE it needs to interconnect to within the VPN Maintains routing adjacencies with other CEs within the VPN CE P P PE CE Customer Edge CE CE PE VPN A VPN A VPN B VPN B PE ATM FR ATM FR VPN Site

Provider Edge Routers Provider Edge (PE) routers Maintain site-specific VPN Forwarding Tables Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP Use MPLS LSPs to forward VPN traffic CE P P PE CE CE CE PE VPN A VPN A VPN B VPN B PE Provider Edge ATM FR ATM FR

Provider Routers Provider (P) routers Forward data traffic transparently over established LSPs Do not maintain VPN-specific forwarding information CE P P PE CE CE CE PE VPN A VPN A VPN B VPN B PE Provider Routers ATM FR ATM FR

VPN Forwarding Tables ( VFT ) Each VFT is populated with: The forwarding information provisioned for the local CE sites VPN Connection Tables received from other PEs via iBGP or LDP P P P PE 2 VPN A Site 3 VPN A Site 1 VPN B Site2 VPN B Site 1 PE 1 PE 3 VPN A Site2 CE–A1 CE–B1 CE–A3 CE–A2 CE–B2 P A V FT is created for each site connected to the PE OSPF OSPF OSPF ATM ATM ATM

VPN Connection Tables ( VCT ) The VCT is a subset of information hold by the VFT VCTs are distributed by the PEs via iBGP or LDP Site 1 Site 2 Site 1 Site 2 PE-2 CE- 4 PE-1 CE-2 CE- 2 CE-1 VFT VFT VFT VFT A V CT is distributed for each VPN site to PE s MP-i BGP session / LDP

Day5

More Related Content

What's hot

Viewers also liked

Similar to Day5

Recently uploaded

Day5