CSCE 465 Lecture 19


Tuesday, April 2, 2013


Intrusion Detection System (IDS)

                 Firewall      Network IDS
  Monitoring     Passive       Active
  If it fails    Fail-Close    Fail-Open

Network IDS Requirements:

  • High-speed, large volume monitoring
  • Real-time notification
  • Separate mechanism from policy
  • Extensible (add modules to detect new attacks)
  • Broad array of protection
  • Frugal with resources
  • Resilient to stress and to attacks against the IDS itself

Eluding IDS

Insertion Attack

Each letter represents a packet:

  • End system sees "ATTACK"
  • IDS Sees "ATXTACK"
  • Attacker's data stream is "TXTCAAK"

Can be accomplished with "bad" checksum or carefully crafted TTL [1] value.

Evasion Attack

Each letter represents a packet:

  • End system sees "ATTACK"
  • IDS Sees "ATTCK"
  • Attacker stream is "TTCAAK"

This can be accomplished with fragmentation and overlapping packets.

Summary

What the IDS sees may not be what the end system gets: the IDS needs to perform full reassembly of packets (and model how the end system will treat each one) to know for sure, but doing so can bog down the IDS.
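The insertion and evasion cases above, and the summary's point that only full, host-like reassembly closes the gap, can be simulated with a small model. This is an added example, not code from the lecture notes: each Packet carries one stream byte (as in "each letter represents a packet"), and the hop counts, checksum flags, sequence offsets and fragment ids are constructed values. Three observers reassemble the same packet list: the end host, a naive IDS that validates nothing and does no reassembly, and an IDS that models the host.

```python
"""Toy reassembly model for IDS insertion and evasion (added example, not from the lecture).
Constructed assumptions: the host is HOST_HOPS router hops away, the IDS taps the
link after IDS_HOPS hops, and one Packet carries one byte of the TCP stream."""
from dataclasses import dataclass
from typing import List, Optional

HOST_HOPS = 3   # constructed: the end system is 3 router hops from the sender
IDS_HOPS = 1    # constructed: the network IDS sees traffic after 1 hop


@dataclass(frozen=True)
class Packet:
    seq: int                       # TCP-style byte offset in the stream
    data: str                      # payload; "" for a header-only IP fragment
    ttl: int = 64
    checksum_ok: bool = True
    frag_id: Optional[int] = None  # set when the segment was split into IP fragments
    frag_index: int = 0            # order of this fragment within that datagram


def reassemble(packets: List[Packet]) -> str:
    """Rebuild the stream the way a host does: join IP fragments, then order TCP
    segments by sequence number, keeping the first accepted copy of any offset."""
    frags, segments = {}, []
    for p in packets:
        if p.frag_id is None:
            segments.append(p)
        else:
            frags.setdefault(p.frag_id, []).append(p)
    for parts in frags.values():
        parts.sort(key=lambda f: f.frag_index)
        segments.append(Packet(seq=parts[0].seq, data="".join(f.data for f in parts)))
    by_seq = {}
    for s in segments:
        by_seq.setdefault(s.seq, s.data)      # first copy of an offset wins
    return "".join(by_seq[k] for k in sorted(by_seq))


def host_view(packets: List[Packet], host_hops: int = HOST_HOPS) -> str:
    """What the end system delivers: corrupt packets and packets whose TTL
    expired before reaching it are dropped before reassembly."""
    return reassemble([p for p in packets if p.checksum_ok and p.ttl >= host_hops])


def naive_ids_view(packets: List[Packet], ids_hops: int = IDS_HOPS) -> str:
    """IDS that matches payloads in arrival order, verifies no checksum, ignores
    how far the host is, and only looks at the first fragment of a datagram."""
    return "".join(p.data for p in packets if p.ttl >= ids_hops and p.frag_index == 0)


def full_reassembly_ids_view(packets: List[Packet], host_hops: int = HOST_HOPS) -> str:
    """IDS that models the host: validates checksums, knows the host's distance
    (so an expiring packet is not counted) and reassembles exactly like the host.
    This is the costly 'full reassembly' the summary refers to."""
    return host_view(packets, host_hops)


# Insertion: an extra "X" at offset 2 with a bad checksum, then the real "T" (constructed)
INSERTION_CHECKSUM = [Packet(0, "A"), Packet(1, "T"),
                      Packet(2, "X", checksum_ok=False), Packet(2, "T"),
                      Packet(3, "A"), Packet(4, "C"), Packet(5, "K")]

# Insertion via TTL: "X" has ttl=2, so it passes the IDS at hop 1 but expires before hop 3
INSERTION_TTL = [Packet(0, "A"), Packet(1, "T"),
                 Packet(2, "X", ttl=2), Packet(2, "T"),
                 Packet(3, "A"), Packet(4, "C"), Packet(5, "K")]

# Evasion: the second "A" arrives as two IP fragments, a header-only first fragment
# and the data in the second; an IDS that does not reassemble never sees that "A"
EVASION_FRAGMENTS = [Packet(0, "A"), Packet(1, "T"), Packet(2, "T"),
                     Packet(3, "", frag_id=7, frag_index=0),
                     Packet(3, "A", frag_id=7, frag_index=1),
                     Packet(4, "C"), Packet(5, "K")]


if __name__ == "__main__":
    for name, stream in [("insertion/checksum", INSERTION_CHECKSUM),
                         ("insertion/ttl", INSERTION_TTL),
                         ("evasion/fragments", EVASION_FRAGMENTS)]:
        print(f"{name:20} host={host_view(stream):8} naive_ids={naive_ids_view(stream):8} "
              f"full_ids={full_reassembly_ids_view(stream)}")
```

Running it prints "ATTACK" for the host in every case, "ATXTACK" and "ATTCK" for the naive IDS in the insertion and evasion cases, and "ATTACK" for the modelling IDS. The design point is that the IDS can only be right if it knows the host's acceptance rules (checksum validation, distance in hops, fragment and overlap handling), which is exactly the per-host state that makes full reassembly expensive.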


Hash Functions

(See MATH 470 Lecture 20)

A one-way function/transformation that produces a fixed-length unique identifier (message digest) for a longer sequence of data.

E.g. MD5 = 128 Bits; SHA-1 = 160 Bits

Properties:

  • Performance: Easy to compute $H(m)$
  • One-Way: Given $H(m)$ but not $m$, it should be computationally infeasible to find $m$
  • Weak Collision Resistance (weak-collision-free): Given $H(m)$, it is computationally infeasible to find $m'$ such that $H(m) = H(m')$
  • Strong Collision Resistance (strong-collision-free): Computationally infeasible to find $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$

Length of Hash Image:

  • Too long: unnecessary overhead
  • Too short: (birthday paradox) easy to find collisions

Application: Commitment Protocol

  1. Alice picks $x$ and sends $z = H(x)$ to Bob
  2. Bob picks his number $y$ and sends it to Alice.
  3. Alice sends $x$
  4. Bob verifies $z = H(x)$

If the hash function is not a good one, it can be easy for either Alice or Bob to cheat.
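The commitment protocol above, together with the "too short: birthday paradox" point on hash length, as an added example that is not part of the lecture notes. It uses SHA-256 as $H$; the `bits` parameter is a constructed knob that truncates the digest so that a birthday search finishes in well under a second and shows how a short hash lets Alice cheat: she commits to a digest that two different values produce, then reveals whichever suits her after seeing Bob's $y$.

```python
"""Commitment on a hash, and why the digest length matters (added example, not
from the lecture). H is SHA-256; `bits` truncates it to a deliberately weak hash."""
import hashlib
import hmac
import math


def H(m: bytes, bits: int = 256) -> bytes:
    """SHA-256, optionally truncated to its leading `bits` bits."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return (digest >> (256 - bits)).to_bytes((bits + 7) // 8, "big")


# --- the protocol from the notes: z = H(x) commits Alice to x ---------------

def commit(x: bytes, bits: int = 256) -> bytes:
    """Step 1: Alice sends z = H(x) to Bob."""
    return H(x, bits)


def verify(z: bytes, x: bytes, bits: int = 256) -> bool:
    """Step 4: Bob checks z == H(x) for the x Alice reveals in step 3."""
    return hmac.compare_digest(z, H(x, bits))


# --- birthday search: an n-bit hash collides after roughly 2^(n/2) hashes ------

def birthday_bound(bits: int) -> int:
    """Approximate number of random hashes after which a collision is expected."""
    return int(math.sqrt(math.pi / 2 * 2 ** bits))


def birthday_collision(bits: int, max_tries: int = 1_000_000):
    """Hash distinct messages until two share a digest; returns (m1, m2, tries) or None."""
    seen = {}
    for i in range(max_tries):
        m = f"msg-{i}".encode()          # constructed, deterministic candidate messages
        h = H(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def alice_cheats(bits: int):
    """With a short hash Alice finds x1 != x2 with H(x1) == H(x2), commits to that
    digest, and can later reveal either value: both pass Bob's verification."""
    found = birthday_collision(bits)
    if found is None:
        return None
    x1, x2, tries = found
    z = commit(x1, bits)
    return {"z": z, "x1": x1, "x2": x2, "tries": tries,
            "both_verify": verify(z, x1, bits) and verify(z, x2, bits)}


if __name__ == "__main__":
    z = commit(b"alice picks 42")
    print("honest reveal verifies:", verify(z, b"alice picks 42"))
    print("altered reveal rejected:", not verify(z, b"alice picks 43"))
    cheat = alice_cheats(24)
    print(f"24-bit hash: collision after {cheat['tries']} hashes "
          f"(expected about {birthday_bound(24)}); both values verify: {cheat['both_verify']}")
```

With the full 256-bit digest the same search would need on the order of $2^{128}$ hashes, which is what makes the commitment binding; at 24 bits the collision arrives after a few thousand. Note that this commitment is only as hiding as $x$ is unpredictable: if $x$ comes from a small set, Bob can hash every candidate and learn it before step 3.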

Application: Message Encryption

  1. Alice and Bob share a secret key $k$, but don't want to encrypt the message itself with $k$
  2. Alice sends an encrypted random number $r_1$ to Bob
  3. Bob sends an encrypted random number $r_2$ to Alice
  4. The concatenation $r_1 \mid r_2$ is used as the IV for OFB mode, with $H$ as the encryption function, to produce a one-time pad

Is the reverse possible? Can encryption be used to generate a hash?
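The "message encryption" construction above as an added example (not code from the lecture): a hash keyed with $k$ stands in for the block cipher in OFB mode, the IV is $r_1 \mid r_2$, each output block is fed back as the next input, and the concatenated outputs are the pad that is XORed with the message. It assumes steps 2 and 3 have already happened, i.e. $r_1$ and $r_2$ were exchanged encrypted under $k$; the key and nonce values below are constructed. The last function shows the caveat behind the words "one-time": reusing $(k, r_1, r_2)$ for two messages leaks the XOR of the plaintexts.

```python
"""Hash-based OFB keystream (added example, not from the lecture).
Assumes r1 and r2 were already exchanged under the shared key k."""
import hashlib

# Constructed values standing in for the shared key and the exchanged nonces
K = b"constructed-shared-key-k"
R1 = bytes.fromhex("00112233445566778899aabbccddeeff")
R2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
R2_OTHER = bytes.fromhex("0123456789abcdef0123456789abcdef")


def hash_ofb_pad(k: bytes, r1: bytes, r2: bytes, length: int) -> bytes:
    """OFB mode with SHA-256 keyed by k as the 'encryption function' H.
    state_0 = r1 | r2 (the IV); state_i = H(k | state_{i-1});
    pad = state_1 | state_2 | ... truncated to `length` bytes."""
    state = r1 + r2
    pad = bytearray()
    while len(pad) < length:
        state = hashlib.sha256(k + state).digest()   # output fed back as next input
        pad.extend(state)
    return bytes(pad[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(k: bytes, r1: bytes, r2: bytes, message: bytes) -> bytes:
    return xor_bytes(message, hash_ofb_pad(k, r1, r2, len(message)))


def decrypt(k: bytes, r1: bytes, r2: bytes, ciphertext: bytes) -> bytes:
    # OFB is symmetric: the same pad is XORed back
    return xor_bytes(ciphertext, hash_ofb_pad(k, r1, r2, len(ciphertext)))


def pad_reuse_leaks(k: bytes, r1: bytes, r2: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the pad is 'one-time': with the same (k, r1, r2) for two messages,
    c1 XOR c2 == m1 XOR m2, so the pad cancels and plaintext structure leaks."""
    c1, c2 = encrypt(k, r1, r2, m1), encrypt(k, r1, r2, m2)
    n = min(len(m1), len(m2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(m1, m2)[:n]


if __name__ == "__main__":
    msg = b"attack at dawn"
    ct = encrypt(K, R1, R2, msg)
    print("ciphertext:", ct.hex())
    print("round trip ok:", decrypt(K, R1, R2, ct) == msg)
    print("fresh r2 changes the pad:", encrypt(K, R1, R2_OTHER, msg) != ct)
    print("pad reuse leaks m1 xor m2:", pad_reuse_leaks(K, R1, R2, msg, b"retreat at dusk"))
```

Because the pad depends on both nonces, either party choosing a fresh random number is enough to get a fresh pad; the security of the scheme rests on $H$ behaving like a pseudorandom function of $k$ and on the pair $(r_1, r_2)$ never repeating.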


Footnotes

  1. Time to Live is the maximum number of hops a packet may travel before it is dropped. Each router hop decreases this value by 1. For example, a packet with TTL=3 will be forwarded for 3 hops, and when the TTL reaches 0 the packet will be dropped.