3 - Network- & Transport-Layer Security (Privacy) Flashcards
Define privacy
Oxford Dictionary: Privacy is “the state of being free from being observed or disturbed by other people and of being free from public attention.”
Privacy is recognized as a human right
Attacks on digital privacy are mainly passive
- Eavesdropping
- Traffic Analysis
Privacy today?
- Edward Snowden:
“A child born today will have no conception of privacy”
How To Preserve Privacy?
Access Control
- An attacker needs access to the communication medium to eavesdrop
- As we’ve seen, perfect access control is most often not really possible
Confidentiality
- Encryption ensures that nobody can read your messages
- Assumption: encryption cannot be broken!
But eavesdroppers still see your communication → Traffic Analysis
- Who communicates with whom and when?
- Do they communicate more often than usual? (If yes, something is suspicious)
- This is actually done in SIGINT (e.g. by the NSA)
Privacy In The Internet?
Internet communication is routed according to contracts between ISPs and countries (policy-based routing, BGP)
- Do you trust all networks your traffic passes on its routes?
Snowden’s global surveillance disclosure in 2013 revealed that states eavesdrop on our communication in a much larger scale than most people expected.
Even if your provider is trustworthy, your information almost always passes networks owned and controlled by someone else!
- Security is only as strong as the weakest link in the chain!
End-to-end encryption needed
End-to-end Encryption (E2EE)
The transport layer provides communications between application processes, i.e. end-to-end communication
- Perfect place to add E2EE functionality
Transport Layer Security (TLS)
- Based on its predecessor, Secure Sockets Layer (SSL)
- Originally designed to protect HTTP sessions
- But TLS can secure any protocol which uses TCP (e.g. SMTP)
SSL/TLS provides
- Peer entity authentication: Both (client and server), only the server, or none can be authenticated.
- User data confidentiality: On session establishment, different encryption algorithms (e.g. RC4, DES, AES) can be selected.
- User data integrity: A message authentication code (MAC) generated with a cryptographic hash function is appended to the user data.
TLS Support
TLS has become the de facto standard for secure Internet communications
Why not use TLS to encrypt all web traffic?
- Slows down web servers
- Breaks Internet caching
- Not all information needs to be encrypted
It is a best practice on the web to use TLS whenever you deal with sensitive data
- Many sites use TLS to encrypt communication by default
- Critical sites (like banks) use TLS to additionally authenticate their legal ownership to the user
TLS Protocol Architecture
TLS is structured as a layered and modular protocol architecture
1) Handshake: authentication and negotiation of parameters
2) Change Cipher Spec: signaling of transitions in ciphering strategy
3) Alert: signaling of error conditions
4) Application Data: interface for transparent access to the record protocol
5) Record
- Fragmentation of user data into plaintext records of length < 2^14 bytes
- Compression (optional) of plaintext records
- Encryption and integrity protection (both optional)
TLS Handshake
Client and server agree on algorithms and exchange random values and cryptographic parameters to agree on a master secret. Certificates are used for authentication.
If the exchanged certificates are signed, the peer can be authenticated using a trusted third party (e.g. VeriSign)
Both parties hold a connection state
Also the parameters for these algorithms are known
Keys are derived from a 48-byte shared master secret
Default connection state is that no encryption, compression, or MAC will be used
Record Protocol
Content Type:
- Change Cipher Spec (20)
- Alert (21)
- Handshake (22)
- Application Data (23)
Version: the protocol version of SSL/TLS
Length: the length of the data in bytes must not exceed 2^14
Record Data Processing
Sender
1) Record layer receives data of arbitrary size from higher layers and fragments it into plaintext records carrying chunks of at most 2^14 bytes
2) All records are then compressed with the compression algorithm defined in the current connection state
3) A message authentication code (MAC) is then calculated using the MAC algorithm defined in the connection state and appended to the compressed fragment
- Ensures message integrity and authenticity, and the detection of missing, extra, or repeated messages
4) The record data and the MAC are encrypted using the encryption algorithm defined in the connection state
Receiver
- The record is decrypted, integrity-checked, decompressed, de-fragmented and delivered to the higher layer
TLS Peer Entity Verification
Clients (e.g. web browser) hold a set of root certificates (public keys) of the major certificate authorities
These authorities issue certificates to entities (e.g. websites) that wish to provide authenticated connections
- Certificates contain the domain name and/or IP address and are signed by the authority using public key cryptography
- Certificates can additionally contain the website’s legal owner, which allows authentication of both server and owner
As soon as the client (or the server) gets a certificate, it can check its validity by using the built-in signing authority’s root certificate
- If the application does not check the validity, the connection is still encrypted, but you don’t know who you are talking to!! → MITM
TLS Cipher Suite
Key Exchange (KE)
- RSA: the server certificate is used for KE
- Diffie-Hellman (DH) with authentication: the server’s certificate contains the DH parameters signed by the certificate authority
  - Can additionally be client-authenticated
  - Clients hold a set of root certificates of major certificate authorities
- Anonymous Diffie-Hellman: DHKE without using a certificate
  - Vulnerable to MITM attacks
  - Only used on explicit request of the application layer
After the key exchange, encryption can be done using RC4, 3DES, or AES with 128 or 256 bit key length
MACs are generated using either MD5 (broken!) or SHA
The mandatory cipher suite that must be implemented is RSA for KE with AES-128 for encryption and SHA for MAC generation
Self-made Certificates
What if you want to set up an authenticated service?
- You have to buy a certificate from a trusted authority!
- VeriSign’s certificates cost 350€ to 1750€ per year!
- You can use self-signed certificates instead
Self-signed certificates can provide authentication only if you can distribute the certificate to users over a trustworthy communication channel!
- Otherwise you usually get a warning that the connection is untrusted
- But applications usually allow you to add the certificate
- Be careful! Could be a MITM attack!
TLS Summary
TLS security protocol operates on and requires a reliable transport service → TCP
Up to now, no major security protocol has been proposed to protect datagram-oriented transport protocols like UDP
TLS offers true end-to-end protection for user data exchanged between application processes
Furthermore, it interworks easily with packet filtering of today’s firewalls
Is E2EE Enough?
Are the certification authorities really trustworthy?
- Firefox includes 161 certificates!
- Certificates have been stolen! (e.g. DigiNotar)
- Certificate authorities are companies and may be forced to hand out certificates to governments!
Snowden’s documents revealed that the NSA stores metadata of millions of web users for up to a year, regardless of whether you are a target or not! [Guardian13]
- Metadata do not contain content-specific details which can be kept secret by using E2EE!
- Metadata rather contain things like who communicated with whom, when, and from where
- That’s enough information to, e.g., build your social graph or to find out about your habits!
So E2EE is apparently NOT enough!
For perfect privacy, we additionally need anonymity!
What is Anonymity?
Oxford dictionary: Anonymity is the “lack of outstanding, individual, or unusual features; impersonality”
In the digital world: unless you tell somebody, no one should know who you are and where you come from
- Not even the host you are communicating with
- Not even the NSA
And this is where the Tor Project comes into play!
Tor: Overview
Tor = TOR = The Onion Router
Anonymization network originally developed by the U.S. Naval Research Laboratory to protect government communications
Tor “bounces” your communications around a distributed network of relays run by volunteers
The Tor network currently consists of more than 4000 relay nodes (onion routers)
- Total bandwidth > 3000 MiB/s according to [TorMetrics]
It offers anonymous browsing and location-hidden services, so-called hidden services
Tor: Onion Routing Principles
A Tor client’s traffic traverses a path (= circuit) of onion routers until it reaches its destination
- The path is (almost) randomly selected by the client
- The path changes within a given time interval (10 minutes)
- The first router is the Entry Node, the last is called Exit Node, intermediate nodes are Relay Nodes
- The number of relay nodes is not bounded, but the default is one
The client’s identity is hidden
- The destination host believes the last Tor node is its peer (based on the IP)
- Tor nodes mix traffic of multiple clients
- A client may also choose different exit points for different streams
Tor: encryption scheme
An encryption scheme is used to ensure that every Tor node only sees the data needed to forward the packet:
The client negotiates a separate set of encryption keys with each node on the client’s selected path
The actual payload for the peer is encrypted with the key of the Exit Node
For the other nodes, encryption is applied in such a way that they can only decipher enough information to forward the message to the next hop
- The message is deciphered layer by layer, like an onion
The onion routers’ knowledge (assuming 3 onion routers)
- The first node only knows that the client sends something, but neither the recipient nor the payload
- The second node doesn’t know anything about the sender or the receiver
- The third node only knows the receiver and the payload, but not the message’s origin
Tor: Number of relays
Nodes don’t trust each other, i.e. in order to eavesdrop on somebody, the attacker needs to control all nodes
Two routers would suffice to provide a basic degree of anonymity
- Router 1 does not know destination and payload
- Router 2 does not know the source
However, controlling those two nodes would reveal all information → the more relays, the higher the security
On the other hand, each hop imposes latency
- The choice of three nodes as default value is a tradeoff between security and end-to-end latency
Tor: Circuit Establishment
Path construction is crucial! Nodes should be controlled by different entities!
- Therefore, each selected router must be in a different /16 subnet
To improve performance, routers are additionally selected according to their bandwidth capabilities
- In an earlier version, routers advertised bandwidth without verification
- Nowadays, multiple independent, trusted nodes agree on a consensus bandwidth
- But a powerful attacker could actually have a lot of resources
Tor: Limitations and Attacks
Overview
- Passive Attacks
- Active Attacks
- Directory Attacks
- Tor serves TCP only
- Cookies could still reveal identity → use E2EE
- Attackers can distribute a compromised copy of the client software which contains fake directory servers and keys he controls
Tor: Limitations and Attacks
Passive Attacks
An attacker could observe traffic patterns like size, volume, or timings and try to correlate traffic between the client and the entry node and exit nodes to find the route
If an attacker controls C out of N Tor nodes, the probability of choosing a bad entry- and exit-node is p = (C/N)^2
Countermeasure: Entry Guards
- User defines a fixed set of entry nodes that he trusts
- When a circuit is built a random entry guard is chosen
- Disadvantage: if a guard node is compromised, it sees an even larger fraction of the client’s traffic
Tor: Limitations and Attacks
Active Attacks
Actively introduce special signals into the sender’s outbound traffic with the goal to recognize this “watermark” in the receiver’s inbound traffic
Example: Cell Counter based attack [Ling09]
- Goal: Confirm that Alice communicates with Bob
- Attacker needs to control the exit node
- The attacker injects a unique signal into the traffic flow back to the relay node
- All Tor data is sent in 512-byte chunks called cells
- By sending bursts of cells with different lengths, a chosen bit sequence can be induced into the flow
- The signal can be recovered at the entry node by also compromising it or by eavesdropping on it
Tor: Limitations and Attacks
Directory Attacks
A successful DoS on more than half of the directory servers prevents the remaining ones from reaching consensus
By taking over more than half of the directory servers, an attacker may advertise as many compromised routers as he wishes
Tor: Limitations and Attacks
Tor serves TCP only
UDP requests like DNS can reveal the client’s identity as they are not routed through the Tor network
- There are workarounds which use SOCKS proxies to resolve the destination’s IP at the exit node
Tor: Limitations and Attacks
Threats that are not related to Tor’s design
Cookies could still reveal identity → use E2EE
Attackers can distribute a compromised copy of the client software which contains fake directory servers and keys he controls
Tor: Abuse
Tor provides a protocol for anonymous services, so-called hidden services, which can be abused for illegal activity
Example: Silk Road
Botnets can hide their communication behind Tor [Botnet13]
- In August 2013, the number of Tor users increased by a suspicious 500%, most probably bots
- This large amount has caused serious performance problems
Privacy Conclusion
SSL/TLS provides a minimum degree of privacy: E2EE on the transport layer
- Requires a trusted third party. But who is really trustworthy?
- People and programmers often do not pay much attention to correct use of TLS
There is also a network layer protocol for authentication and encryption: IPsec
- Allows authentication of the origin, encryption and replay protection for IP packets
- IPsec is allegedly sabotaged by the NSA
- It’s not a mandatory part of the IPv4 standard, but it’s a fixed part of IPv6
Additional encryption should be used on application layer (e.g. PGP)
Besides E2EE, anonymity should be established for better privacy
Tor seems to be a promising candidate to provide anonymity
- Even the NSA seems to have trouble dealing with Tor
- Anonymity comes at a price: abuse and bad performance
Network- & Transport-Layer Security Summary
Legacy protocols (e.g. IP, ICMP, or ARP) used in local networks and the Internet suffer from a lack of security measures
- It is fairly easy to find vulnerable machines (→ scanning)
Many different kinds of DoS attacks exist to bring down services or machines
- They are happening and they are hard to defend against
Countermeasures are mostly workarounds
- Security measures have to be included into the standards (like with IPsec and IPv6)
- Firewalls are good, but no panacea
- Intrusion detection usually happens when it’s already too late, but it’s important to recover from attacks and assess damage
Privacy is inconvenient but still possible!