3 - Network- & Transport-Layer Security (Privacy) Flashcards

1
Q

Define privacy

A

Oxford Dictionary: Privacy is “the state of being free from being observed or disturbed by other people and of being free from public attention.”

Privacy is recognized as a human right

Attacks on digital privacy are mainly passive

  • Eavesdropping
  • Traffic Analysis

Privacy today?
- Edward Snowden:
“A child born today will have no conception of privacy”

2
Q

How To Preserve Privacy?

A

Access Control

  • An attacker needs access to the communication medium to eavesdrop
  • As we’ve seen, perfect access control is most often not really possible

Confidentiality

  • Encryption ensures that nobody can read your messages
  • Assumption: encryption cannot be broken!

But eavesdroppers still see your communication → Traffic Analysis

  • Who communicates with whom and when?
  • Do they communicate more often than usual? (If yes, something is suspicious)
  • This is actually done in SIGINT (e.g. by the NSA)
3
Q

Privacy In The Internet?

A

Internet communication is routed according to contracts between ISPs and countries (policy-based routing, BGP)
- Do you trust all the networks your traffic passes through on its route?

Snowden’s global surveillance disclosure in 2013 revealed that states eavesdrop on our communication on a much larger scale than most people expected.

Even if your provider is trustworthy, your information almost always passes through networks owned and controlled by someone else!
- Security is only as strong as the weakest link in the chain!

End-to-end encryption needed

4
Q

End-to-end Encryption (E2EE)

A

The transport layer provides communications between application processes, i.e. end-to-end communication
- Perfect place to add E2EE functionality

Transport Layer Security (TLS)

  • Based on its predecessor Secure Socket Layer (SSL)
  • Originally designed to protect HTTP sessions
  • But TLS can secure any protocol which uses TCP (e.g. SMTP)

SSL/TLS provides

  • Peer entity authentication: Both (client and server), only the server, or none can be authenticated.
  • User data confidentiality: On session establishment, different encryption algorithms (e.g. RC4, DES, AES) can be selected.
  • User data integrity: A message authentication code (MAC) generated with a cryptographic hash function is appended to the user data.
5
Q

TLS Support

A

TLS has become the de facto standard for secure Internet communications

Why not use TLS to encrypt all web traffic?

  • Slows down web servers
  • Breaks Internet caching
  • Not all information needs to be encrypted

It is a best practice on the web to use TLS whenever you deal with sensitive data

  • Many sites use TLS to encrypt communication by default
  • Critical sites (like banks) use TLS to additionally authenticate their legal ownership to the user
6
Q

TLS Protocol Architecture

A

TLS is structured as a layered and modular protocol architecture

1) Handshake: authentication and negotiation of parameters
2) Change Cipherspec: signaling of transitions in ciphering strategy
3) Alert: signaling of error conditions
4) Application Data: interface for transparent access to the record protocol
5) Record
- Fragmentation of user data into plaintext records of length < 2^14 bytes
- Compression (optional) of plaintext records
- Encryption and integrity protection (both optional)

7
Q

TLS Handshake

A

Client and server agree on algorithms and exchange random values and cryptographic parameters to agree on a master secret. Certificates are used for authentication.

If the exchanged certificates are signed, the peer can be authenticated using a trusted third party (e.g. VeriSign)

Both parties hold a connection state

Also the parameters for these algorithms are known

Keys are derived from a 48-byte shared master secret

Default connection state is that no encryption, compression, or MAC will be used

8
Q

Record Protocol

A

Content Type:

  • Change Cipherspec. (20)
  • Alert (21)
  • Handshake (22)
  • Application Data (23)

Version: the protocol version of SSL/TLS

Length: the length of the data in bytes must not exceed 2^14

9
Q

Record Data Processing

A

Sender

1) Record layer receives data of arbitrary size from higher layers and fragments it into plaintext records carrying chunks of at most 2^14 bytes
2) All records are then compressed with the compression algorithm defined in the current connection state
3) A message authentication code (MAC) is then calculated using the MAC algorithm defined in the connection state and appended to the compressed fragment
- Ensures message integrity and authenticity, and the detection of missing, extra, or repeated messages
4) The record data and the MAC are encrypted using the encryption algorithm defined in the connection state

Receiver
- The record is decrypted, integrity-checked, decompressed, de-fragmented and delivered to the higher layer

10
Q

TLS Peer Entity Verification

A

Clients (e.g. web browser) hold a set of root certificates (public keys) of the major certificate authorities

These authorities issue certificates to entities (e.g. websites) that wish to provide authenticated connections

  • Certificates contain the domain name and/or IP address and are signed by the authority using public key cryptography
  • Certificates can additionally contain the website’s legal owner, which allows authentication of both server and owner

As soon as the client (or the server) gets a certificate, it can check its validity by using the built-in signing authority’s root certificate
- If the application does not check the validity, the connection is still encrypted, but you don’t know who you are talking to!! → MITM

11
Q

TLS Cipher Suite

A

Key Exchange (KE)

  • RSA: the server certificate is used for KE
  • Diffie-Hellman (DH) with authentication: the server’s certificate contains the DH parameters signed by the certificate authority
  • Can additionally be client-authenticated
  • Clients hold a set of root certificates of major certificate authorities
  • Anonymous Diffie-Hellman: DHKE without using a certificate
  • Vulnerable to MITM attacks
  • Only used on explicit request of application layer

After the key exchange, encryption can be done using RC4, 3DES, or AES with 128 or 256 bit key length

MACs are generated using either MD5 (broken!) or SHA

The mandatory cipher suite that must be implemented is RSA for KE with AES-128 for encryption and SHA for MAC generation

12
Q

Self-made Certificates

A

What if you want to set up an authenticated service?

  • You have to buy a certificate from a trusted authority!
  • VeriSign’s certificates cost 350€ to 1750€ per year!
  • You can use self-signed certificates instead

Self-signed certificates can provide authentication only if you can distribute the certificate to users over a trustworthy communication channel!
- Otherwise you usually get a warning that the connection is untrusted
- But applications usually allow you to add the certificate
- Be careful! Could be a MITM attack!

13
Q

TLS Summary

A

TLS security protocol operates on and requires a reliable transport service → TCP

Up to now, no major security protocol has been proposed to protect datagram-oriented transport protocols like UDP

TLS offers true end-to-end protection for user data exchanged between application processes

Furthermore, it interworks easily with packet filtering of today’s firewalls

14
Q

Is E2EE Enough?

A

Are the certification authorities really trustworthy?

  • Firefox includes 161 certificates!
  • Certificates have been stolen! (e.g. DigiNotar)
  • Certificate authorities are companies and may be forced to hand out certificates to governments!

Snowden’s documents revealed that the NSA stores metadata of millions of web users for up to a year, regardless of whether you are a target or not! [Guardian13]

  • Metadata do not contain content-specific details which can be kept secret by using E2EE!
  • Metadata rather contain things like who communicated with whom and when and from where?
  • That’s enough information to, e.g., build your social graph or to find out about your habits!

So E2EE is apparently NOT enough!

For perfect privacy, we additionally need anonymity!

15
Q

What is Anonymity?

A

Oxford dictionary: Anonymity is the “lack of outstanding, individual, or unusual features; impersonality”

In the digital world: unless you tell somebody, no one should know who you are and where you come from

  • Not even the host you are communicating with
  • Not even the NSA

And this is where the Tor Project comes into play!

16
Q

Tor: Overview

A

Tor = TOR = The Onion Router

Anonymization network originally developed by the U.S. Naval Research Laboratory to protect government communications

Tor “bounces” your communications around a distributed network of relays run by volunteers

The Tor network currently consists of more than 4000 relay nodes (onion routers)
- Total bandwidth > 3000 MiB/s according to [TorMetrics]

It offers anonymous browsing and location-hidden services, so-called hidden services

17
Q

Tor: Onion Routing Principles

A

A Tor client’s traffic traverses a path (= circuit) of onion routers until it reaches its destination

  • The path is (almost) randomly selected by the client
  • The path changes within a given time interval (10 minutes)
  • The first router is the Entry Node, the last is called Exit Node, intermediate nodes are Relay Nodes
  • The number of relay nodes is not bounded, but the default is one

The client’s identity is hidden

  • The destination host believes the last Tor node is its peer (based on the IP)
  • Tor nodes mix traffic of multiple clients
  • A client may also choose different exit points for different streams
18
Q

Tor: encryption scheme

A

An encryption scheme is used to ensure that every Tor node only sees the data needed to forward the packet:

The client negotiates a separate set of encryption keys with each node on the client’s selected path

The actual payload for the peer is encrypted with the key of the Exit Node

For the other nodes, encryption is applied in such a way that they can only decipher enough information to forward the message to the next hop
- The message is deciphered layer by layer, like an onion

The onion routers’ knowledge (assuming 3 onion routers)

  • The first node only knows that the client sends something, but neither the recipient nor the payload
  • The second node doesn’t know anything about the sender and the receiver
  • The third node only knows the receiver and the payload, but not the message’s origin
19
Q

Tor: Number of relays

A

Nodes don’t trust each other, i.e. in order to eavesdrop on somebody, the attacker needs to control all nodes

Two routers would suffice to provide a basic degree of anonymity

  • Router 1 does not know destination and payload
  • Router 2 does not know the source

However, controlling those two nodes would reveal all information → the more relays, the higher the security

On the other hand, each hop imposes latency
- The choice of three nodes as default value is a tradeoff between security and end-to-end latency

20
Q

Tor: Circuit Establishment

A

Path construction is crucial! Nodes should be controlled by different entities!
- Therefore, each selected router must be in a different /16 subnet

To improve performance, routers are additionally selected according to their bandwidth capabilities

  • In an earlier version, routers advertised bandwidth without verification
  • Nowadays, multiple independent, trusted nodes agree on a consensus bandwidth
  • But a powerful attacker could actually have a lot of resources
21
Q

Tor: Limitations and Attacks

Overview

A
  • Passive Attacks
  • Active Attacks
  • Directory Attacks
  • Tor serves TCP only
  • Cookies could still reveal identity → use E2EE
  • Attackers can distribute a compromised copy of the client software which contains fake directory servers and keys he controls
22
Q

Tor: Limitations and Attacks

Passive Attacks

A

An attacker could observe traffic patterns like size, volume, or timings and try to correlate traffic between the client and the entry node and exit nodes to find the route

If an attacker controls C out of N Tor nodes, the probability of choosing a bad entry- and exit-node is p = (C/N)^2

Countermeasure: Entry Guards

  • User defines a fixed set of entry nodes that he trusts
  • When a circuit is built a random entry guard is chosen
  • Disadvantage: if a guard node is compromised, it sees an even larger fraction of the client’s traffic
23
Q

Tor: Limitations and Attacks

Active Attacks

A

Actively introduce special signals into the sender’s outbound traffic with the goal to recognize this “watermark” in the receiver’s inbound traffic

Example: Cell Counter based attack [Ling09]

  • Goal: Confirm that Alice communicates with Bob
  • Attacker needs to control the exit node
  • The attacker injects a unique signal into the traffic flow back to the relay node
  • All Tor data is sent in 512-byte chunks called cells
  • By sending bursts of cells with different lengths, a chosen bit sequence can be induced into the flow
  • The signal can be recovered at the entry node by also compromising it or by eavesdropping on it
24
Q

Tor: Limitations and Attacks

Directory Attacks

A

A successful DoS on more than half of the directory servers prevents the others from reaching consensus

By taking over more than half of the directory servers, an attacker may advertise as many compromised routers as he wishes

25
Q

Tor: Limitations and Attacks

Tor serves TCP only

A

UDP requests like DNS can reveal the client’s identity as they are not routed through the Tor network
- There are workarounds which use SOCKS proxies to resolve the destination’s IP at the exit node

26
Q

Tor: Limitations and Attacks

Threats that are not related to Tor’s design

A

Cookies could still reveal identity → use E2EE

Attackers can distribute a compromised copy of the client software which contains fake directory servers and keys he controls

27
Q

Tor: Abuse

A

Tor provides a protocol for anonymous services, so-called hidden services, which can be abused for illegal activity

Example: Silk Road

Botnets can hide their communication behind Tor [Botnet13]

  • In August 2013, the number of Tor users increased by a suspicious 500%, most probably bots
  • This large amount has caused serious performance problems
28
Q

Privacy Conclusion

A

SSL/TLS provides a minimum degree of privacy: E2EE on the transport layer

  • Requires a trusted third party. But who is really trustworthy?
  • People and programmers often do not pay much attention to correct use of TLS

There is also a network layer protocol for authentication and encryption: IPsec

  • Allows authentication of the origin, encryption and replay protection for IP packets
  • IPsec is allegedly sabotaged by the NSA
  • It’s not a mandatory part of the IPv4 standard, but it’s a fixed part of IPv6

Additional encryption should be used on application layer (e.g. PGP)

Besides E2EE, anonymity should be established for better privacy

Tor seems to be a promising candidate to provide anonymity

  • Even the NSA seems to have trouble dealing with Tor
  • Anonymity comes at a price: abuse and bad performance
29
Q

Network- & Transport-Layer Security Summary

A
Legacy protocols (e.g. IP, ICMP, or ARP) used in local networks and the Internet suffer from lack of security measures
- It is fairly easy to find vulnerable machines (→ scanning)

Many different kinds of DoS attacks exist to bring down services or machines
- They are happening and they are hard to defend against

Countermeasures are mostly workarounds

  • Security measures have to be included into the standards (like with IPsec and IPv6)
  • Firewalls are good, but no panacea
  • Intrusion detection usually happens when it’s already too late, but it’s important to recover from attacks and assess damage

Privacy is inconvenient but still possible!