SET-1 Information Security

1. a) Describe in detail about TCP session hijacking and UDP hijacking.

Hijacking a TCP Session
One of the key features of TCP is reliability and ordered delivery of packets. To accomplish this, TCP uses acknowledgment (ACK) packets and sequence numbers. Manipulating these is the basis for TCP session hijacking. As we mentioned earlier, the MITM attacker simply needs to be positioned so that communications between the client and the server are relayed through him or her. To understand how an attacker might sneak into the TCP session in a blind session hijack attack, you need to look at what happens when a client initiates a TCP session with the server. As shown in Figure 1, the client first initiates a session with the server by sending a synchronization (SYN) packet to the server with initial sequence number x. The server responds with a SYN/ACK packet that contains the server's own sequence number p and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client. In our example, this is x+1, because the client's original SYN packet counted as a single byte. The client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is p+1 (the server's initial SYN packet sequence number plus one). The client and server are ready to start exchanging data. The sequence number values just described are important for understanding how to successfully hijack this session later, so pay close attention to them in the paragraphs that follow. The same goes for ACK numbers, which are key to understanding TCP ACK storms.

Figure 1 TCP Three-Way Handshake For now, observe what happens to these sequence numbers when the client starts sending data to the server (see Figure 2). In order to keep the example simple, the client sends the character A in a single packet to the server.

Figure 2 Sending Data over TCP The client sends the server the single character in a data packet with the sequence number x+1. The server acknowledges this packet by sending back to the client an ACK packet with number x+2 (x+1, plus 1 byte for the A character) as the next sequence number expected by the server. Enter the attacker. If the attacker wanted to inject data into the TCP session as the client, he or she would need to:

Spoof the client's IP address Determine the correct sequence number that is expected by the server from the client Inject data into the session before the client sends its next packet

The first and second tasks are easily accomplished, but the third is a bit trickier. Tricky, but not impossible. Essentially, the attacker needs a way to prevent the client from sending into the session new data that would shift sequence numbers forward. To do this, the attacker could just send the data to inject and hope it is received before the real client can send new data, as shown in Figure 3. Or, he or she could perform a denial of service (DoS) attack on the client, or perhaps some tricks that use address resolution protocol (ARP) spoofing.

Figure 3 Blind Injection Here is how this might play out. The attacker sends a single Z character to the server with sequence number x+2. The server accepts it and sends the real client an ACK packet with acknowledgment number x+3 to confirm that it has received the Z character. Attackers can automate the session hijacking process just described with tools such as Juggernaut, by Mike Schiffman, and Hunt, by Pavel Krauz.

Hijacking a UDP Session

Hijacking a session over a User Datagram Protocol (UDP) is exactly the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, injecting data into a session without being detected is extremely easy. Figure 4 shows how an attacker could do this.

Figure 4 Session Hijacking over UDP DNS queries, online games like the Quake series and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking.

b)Gaining control over the Routing tables at layer 3 is one of the attacks - explain how Route tables modification is crucial.
ARP Table Modifications
The address resolution protocol is used by each host on an IP network to map local IP addresses to hardware addresses or MAC addresses. Here is a quick look at how this protocol works. Say that Host A (IP address 192.168.1. 100) wants to send data to Host B (IP address 192.168.1.250). No prior communications have occurred between Hosts A and B, so the ARP table entries for Host B on Host A are empty. As shown in Figure 6, Host A broadcasts an ARP request packet indicating that the owner of the IP address 192.168.1.250 should respond to Host A at 192.168.1.100 with its MAC address. The broadcast packet is sent to every machine in the network segment, and only the true owner of the IP address 192.168.1.250 should respond. (As you will see shortly, this is not always the case.) All other hosts discard this request packet, but Host A receives an ARP reply packet from

Host B indicating that its MAC address is BB:BB:BB:BB:BB:BB. Host A updates its ARP table, and can now send data to Host B.

Figure 6 Finding the Owner of a MAC Address Can you see the security problem here? Does Host A know that Host B really did send the ARP reply? The answer is no, and attackers take advantage of this. In our example, attackers could spoof an ARP reply to Host A before Host B responded, indicating that the hardware address E0:E0:E0:E0:E0:E0 corresponds to Host B's IP address, as shown in Figure 7. Host A would then send any traffic intended for Host B to the attacker, and the attacker could choose to forward that data (probably after some tampering) to Host B.

Figure 7 Spoofed Reply Attackers can also use ARP packet manipulation to quiet TCP ACK storms, which are noisy and easily detected by devices such as intrusion detection system (IDS) sensors (see Figure 8). Session hijacking tools such as Hunt accomplish this by sending unsolicited ARP replies. Most systems will accept these packets and update their ARP tables with whatever information is provided. In our Host A/Host B example, an attacker could send Host A a spoofed ARP reply indicating that Host B's MAC address is something nonexistent (like C0:C0:C0: C0:C0:C0), and send Host B another spoofed ARP reply indicating that Host A's MAC address is also something nonexistent (such as D0:D0:D0:D0:D0:D0).

Figure 8 Stopping a TCP ACK Storm

2 a) Explain about key distribution approaches of message authentication.

Key distribution centre components Session key Permanent key Key distribution centre Security Service Module (SSM) Authentication Requirements - must be able to verify that: Message came from alleged source or author Contents have not been altered It was sent at a certain date-time or at a particular position in a sequence Protection against active attacks: Falsification of data and transactions Approaches to message authentication Authentication using conventional encryption Message authentication without message encryption Message authentication code One-way hash function Message authentication code (MAC)

One-way hash function

Conventional encryption

One-way hash function

Public-key cryptography

b) Explain about Data Encryption Standard and also discuss about the strength of DES.

the left hand side of figure 1. Initial permutation (IP - defined in table 2.1) rearranging the bits to form the permuted input. 2. Followed by 16 iterations of the same function (substitution and permutation). The output of the last iteration consists of 64 bits which is a function of the plaintext and key. The left and right halves are swapped to produce the preoutput. 3. Finally, the preoutput is passed through a permutation (IP1 - defined in table 2.1) which is simply the inverse of the initial permutation (IP). The output of IP1 is the 64-bit ciphertext. the inputs to each round consist of the Li,Ri pair and a 48 bit subkey which is a shifted and contracted version of the original 56 bit key. The use of the key can be seen in the right hand portion of figure Initially the key is passed through a permutation function For each of the 16 iterations, a subkey (Ki) is produced by a combination of a left circular shift and a permutation (PC2 - defined in table 2.2) which is the same for each iteration. However, the resulting subkey is different for each iteration because of repeated shifts. The Data Encryption Standard (DES) is a symmetric key block cipher which takes 64-bit plaintext and 56-bit key as an input and produces 64-bit cipher text as output. The DES function is made up of P and S-boxes. P-boxes transpose bits and S-boxes substitute bits to generate a cipher.

Strength- The strength of DES lies on two facts:

The use of 56-bit keys: 56-bit key is used in encryption, there are 256 possible keys. A brute force attack on such number of keys is impractical. The nature of algorithm: Cryptanalyst can perform cryptanalysis by exploiting the characteristic of DES algorithm but no one has succeeded in finding out the weakness.

a) Explain the procedure involved in RSA public-key encryption algorithm.

b) List two disputes that can arise in the context of message authentication. What are the properties that digital signature should have? Suppose that A send authenticated message to B. the following disputes that could rise. A may forge a different message and claim that it came from B. B would simply have to create a message and append an authentication code using the key that A and B share. B can deny sending the message. Because it is possible for A to forge a message, there is no way to provide that B did in fact send the message. Required properties of digital signatures To be valid, digital signatures require properties: - Authenticity: a valid signature implies that the signer deliberately signed the associated message - Unforgeability: only the signer can give a valid signature for the associated message - Non-re-usability: the signature of a document can not be used on another document - Non-repudiation: the signer can not deny having signed a document that has valid signature - Integrity: ensure the contents have not been modified 4. a) Explain why PGP generates a signature before applying the compression. The signature is generated before compression for two reasons: (a) It is preferable to sign an uncompressed message so it is free of the need for a compression algorithm for later verication. (b) Different version of PGP produce different compressed forms. Applying the hash function and signature after compression would constrain all PGP implementation to the same version of the compression algorithm. b) Write down the functions provided by S/MIME. S/MIME Functionality In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or encrypt messages. In this subsection, we briefly summarize S/MIME capability. We then look in more detail at this capability by examining message formats and message preparation.

Functions
S/MIME provides the following functions:

Enveloped data: This consists of encrypted content of any type and encrypted-content encryption keys for one or more recipients. Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.

Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.

Signed and enveloped data: Signed-only and encrypted-only entities may be nested,

so that encrypted

data may be signed and signed data or clear-signed data may be encrypted.
5. a) Explain in detail about the IP Security Architecture. IP Security Architecture The IPSec specification has become quite complex. To get a feel for the overall architecture, we begin with a look at the documents that define IPSec. Then we discuss IPSec services and introduce the concept of security association. IPSec Documents The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:

RFC 2401: An overview of a security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key management capabilities Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication. Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication. Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP. Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP. Key Management: Documents that describe key management schemes. Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

b) List the default ISAKMP exchange types? ISAKMP Exchange Base Exchange allows key exchange and authentication material to be transmitted together. This minimizes the number of exchanges at the expense of not providing identity protection. The first two messages provide cookies and establish an SA with agreed protocol and transforms; both sides use a nonce to ensure against replay attacks. The last two messages exchange the key material and user IDs, with an authentication mechanism used to authenticate keys, identities, and the nonces from the first two messages. The Identity Protection Exchange expands the Base Exchange to protect the users' identities. The first two messages establish the SA. The next two messages perform key exchange, with nonces for replay protection. Once the session key has been computed, the two parties exchange encrypted messages that contain authentication information, such as digital signatures and optionally certificates validating the public keys. The Authentication Only Exchange is used to perform mutual authentication, without a key exchange. The first two messages establish the SA. In addition, the responder uses the second message to convey its ID and uses authentication to protect the message. The initiator sends the third message to transmit its authenticated ID. The Aggressive Exchange minimizes the number of exchanges at the expense of not providing identity protection. In the first message, the initiator proposes an SA with associated offered protocol and transform options. The initiator also begins the key exchange and provides its ID. In the second message, the responder indicates its acceptance of the SA with a particular protocol and transform, completes the key exchange, and authenticates the transmitted information. In the third message, the initiator transmits an authentication result that covers the previous information, encrypted using the shared secret session key. The Informational Exchange is used for one-way transmittal of information for SA management. 6. a) Explain about Payment Processing which is supported by SET Payment Processing involves the following steps

Purchase request Payment authorization Payment capture

Explanation about purchase request, payment authorization and payment capture------5M b) Explain how SSL makes use of TCP to provide a reliable end-to-end secure service. SSL Diagram----------------------- 3M

Explanation about all parts of SSL protocol---------------------------------5M

SSL Record Protocol The SSL Record Protocol provides two services for SSL connections:

Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads. Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

Change Cipher Spec Protocol The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. Alert Protocol The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes. The first byte takes the value warning(1) or fatal(2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. Other connections on the same session may continue, but no new connections on this session may be established. The second byte contains a code that indicates the specific alert. First, we list those alerts that are always fatal (definitions from the SSL specification): Handshake Protocol The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted. 7. a) Define Honey pots. How are they designed? Explain. Honeypots A relatively recent innovation in intrusion detection technology is the honeypot. Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to

divert an attacker from accessing critical systems collect information about the attacker's activity encourage the attacker to stay on the system long enough for administrators to respond Initial efforts involved a single honeypot computer with IP addresses designed to attract hackers. More recent

research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data. Once hackers are within the network, administrators can observe their behavior in detail and figure out defenses. b) What are the deficiencies of SNMPV1? Both the versions v1 and v2c lack the following security-related features.

Authentication Privacy Authorization and access control Remote configuration and administration capabilities

One notable deficiency in SNMP was the difficulty in monitoring networks, as opposed to nodes on networks. A substantial functional enhancement to SNMP was achieved by the definition of a set of standardized management objects referred to as the Remote Network Monitoring MIB (RMON MIB) objects. Another major deficiency in SNMP was the complete lack of security facilities. c) What is the role of compression and encryption in the operation of a virus? What is the role of compression in the operation of a virus?

A virus may use compression so that the infected program is exactly the same length as an uninfected version. A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. 8. a) What does state full inspection firewall mean? Explain. Stateful Inspection Firewalls A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. To understand what is meant by context and why a traditional packet filter is limited with regard to context, a little background is needed. Most standardized applications that run on top of TCP follow a client/server model. For example, for the Simple Mail Transfer Protocol (SMTP), e-mail is transmitted from a client system to a server system. The client system generates new e-mail messages, typically from user input. The server system accepts incoming e-mail messages and places them in the appropriate user mailboxes. SMTP operates by setting up a TCP connection between client and server, in which the TCP server port number, which identifies the SMTP server application, is 25. The TCP port number for the SMTP client is a number between 1024 and 65535 that is generated by the SMTP client. In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 65535. The numbers less than 1024 are the "well-known" port numbers and are assigned permanently to particular applications (e.g., 25 for server SMTP). The numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection. A simple packet-filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Source Address 192.168.1.100 192.168.1.102 192.168.1.101 192.168.1.106 223.43.21.231 219.22.123.32 210.99.212.18 24.102.32.23 223.212.212 Source Port 1030 1031 1033 1035 1990 2112 3321 1025 1046 Destination Address 210.9.88.29 216.32.42.123 173.66.32.122 177.231.32.12 192.168.1.6 192.168.1.6 192.168.1.6 192.168.1.6 192.168.1.6 Destination Port 80 80 25 79 80 80 80 80 80 Connection State Established Established Established Established Established Established Established Established Established

b) In the context of access control, what is the difference between subject and an object? A general model of access control as exercised by a file or database management system is that of an access matrix. The basic elements of the model are as follows:

Subject: An entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application.

Object: Anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory. Access right: The way in which an object is accessed by a subject. Examples are read, write, and execute.

Prepared by G. DAYANANDAM Prof. and HOD QISIT ,ONGOLE.