CSCE 465 Lecture 19

« previous | Tuesday, April 2, 2013 | next »

Intrusion Detection System (IDS)

	Firewall	Network IDS
Monitoring	Passive	Active
If it fails	Fail-Close	Fail-Open

Network IDS Requirements:

Each letter represents a packet:

Can be accomplished with "bad" checksum or carefully crafted TTL ^[1] value.

Each letter represents a packet:

This can be accomplished with fragmentation and overlapping packets

What IDS Sees may not be what the end system gets: IDS needs to perform full reassembly of packets in order to see for sure, but can bog down system.

A one-way function/transformation that produces a fixed-length unique identifier (message digest) for a longer sequence of data

E.g. MD5 = 128 Bits; SHA-1 = 160 Bits

Properties:

Performance: Easy to compute $H(n)$
One-Way: Given $H(m)$ , but not $m$ it should be computationally infeasible to find $m$
Weak Collision Resistance (Weak-collision-free): Given $H(m)$ , it's computationally infeasible to find $m'$ such that $H(m)=H(m')$
Strong Collision Resistance (Strong-collision-free): Computationally infeasible to find $m_{1}$ and $m_{2}$ such that $H(m_{1})=H(m_{2})$

Length of Hash Image:

if Hash function is not a good one, it can be easy for either Alice or Bob to cheat.

Alice and Bob share a secret key $k$ , but don't want to use encryption of the message with $k$
Alice sends encrypted random number $r_{1}$ to Bob
Bob sends encrypted random number $r_{2}$ to Alice
Concatenation $r_{1}\mid r_{2}$ is used as IV into OFB, where $H$ is encryption function to produce a one-time pad

Is reverse possible? can encryption be used to generate hash?

↑ Time to Live is the number of hops that the packet should be sent before it is dropped. Each router hop decreases this value by 1. For example, a packet with TTL=3 will be sent for 3 hops, and when the TTL reaches 0, the packet will be dropped.