cryptographic approaches for securing routing protocols


  1. Cryptographic Approaches for Securing Routing Protocols
     Adrian Perrig, perrig@cmu.edu

     Why Secure Routing?
     - Current routing protocols assume trusted environment!
     - Even misconfigurations severely disrupt Internet routing
     - Secure routing goals
       • Reduce misconfiguration impact
       • Robust against external malicious nodes (no compromised nodes)
       • Robust against compromised nodes (Byzantine failures)

  2. Routing Protocol Attacks
     - Current routing protocols are vulnerable
       • Prevent route establishment
       • Attracting traffic (e.g., blackhole attack)
       • Repelling traffic
       • Gratuitous detours
       • Cause route instabilities / route flapping
       • Denial-of-Service (DoS): router overload
         – Almost all attacks appear as DoS attacks, since routing is a service; however, we only consider router resource consumption as routing DoS attacks

     Approaches to Secure Routing
     - Detection/recovery
       • Use intrusion-detection techniques to detect malicious behavior
     - Prevention
       • Use cryptographic techniques to prevent malicious behavior
     - Robustness
       • Use robustness techniques to reduce impact of malicious behavior
       • E.g., use multipath routing to improve probability of packet delivery

  3. Outline
     - Secure ad hoc network routing protocols
       • SEAD: Secure Efficient Ad-hoc network Distance vector routing protocol
         – Joint work with Yih-Chun Hu and David Johnson
         – Defend against shortening hop count
     - Secure Internet routing protocols
       • SPV: Secure Path Vector
         – Joint work with Yih-Chun Hu and Marvin Sirbu
         – Secure BGP routing protocol

     Ad Hoc Networks
     - No infrastructure, or out-of-range base station
     - Devices self-organize to form a network
     - Ad hoc network routing protocol extends communication range

  4. Ad Hoc Network Applications
     - Ad hoc networks provide connectivity in various environments
       • Rooftop networks
       • Corporate ad hoc networks
       • Emergency response, disaster relief
       • Devices protecting critical infrastructures
       • Networks of cars relaying safety information
       • Satellite networks in space
       • Military applications

     Security Threats to Ad Hoc Networks
     - Wireless communication allows attacker to
       • Eavesdrop on all communication
       • Inject malicious messages into the network
     - Current ad hoc network routing protocols designed for trusted environments
       • Highly susceptible to attacks!
       • Skilled attacker can prevent communication
     - Sample ad hoc network attacks
       • Wormhole attack
       • Rushing attack

  5. What is a Wormhole?
     [Figure: ad hoc network with nodes A, B, C, D, E, F, G, H, J, K and S. Nodes C and K open a tunnel]

     What is a Wormhole?
     [Figure: the same network. C and K act as repeaters for their neighbors]

  6. Why is that an Attack?
     - Routing protocol sees wormhole as a link
     - But attacker could selectively forward only routing packets, but not data
     - Routing protocol generally chooses route through wormhole because it is the shortest route
     - Attacker does not need to compromise any nodes or keys!
     - Result: an attacker can cripple the network when using a routing protocol that does not protect against wormholes

     Rushing Attack
     - In a rushing attack, an attacker exploits duplicate suppression in broadcasts to suppress legitimate packets by quickly forwarding its own packets
     - Methods for rushing
       • Forwarding REQUEST without checking signature
       • Using a longer transmission range
       • Ignoring delays specified by the MAC layer
       • “Tunneling” a REQUEST over another medium

  7. Example Rushing Attack
     - A sends a ROUTE REQUEST
     - B forwards the REQUEST without checking the signature, or otherwise rushes the REQUEST
     [Figure: nodes A, B, C, D and E]

  8. Example Rushing Attack
     - A sends a ROUTE REQUEST
     - B forwards the REQUEST without checking the signature, or otherwise rushes the REQUEST
     - C correctly processes the REQUEST, and forwards it later as a result
     - Since D has already heard a REQUEST from this discovery, D discards the REQUEST
     [Figure: nodes A, B, C, D and E]

  9. Example Rushing Attack
     - B rushes the REQUEST
     - C forwards it later
     - Since D has already heard a REQUEST from this discovery, D discards the REQUEST
     - A discovers a path through B because B rushed the REQUEST
     [Figure: nodes A, B, C, D and E]

     Basic Distance Vector Routing
     - Each node maintains a routing table
       Example table at A:

       Destination   Metric   Next Hop
       A             0        -
       B             1        B
       C             2        B

       • Computed using Distributed Bellman-Ford
         – Each node periodically broadcasts its routing table
         – For each routing table entry received, compare best known route with new information
     [Figure: nodes A, B and C]

  10. DSDV: Using Sequence Numbers to Prevent Routing Loops
      Adding sequence numbers guarantees loop-freedom:
      - Each node maintains a sequence number
      - Node increments its own sequence number each time it sends a routing update about itself
      - Each update includes sequence number and metric
      - An advertised route is “better” if either:
        • It has a greater (more recent) sequence number, or
        • Sequence numbers are equal, and the metric is lower
      - Only the most recent sequence number matters
      Attacks to defend against: Claim lower metric or higher sequence number

      SEAD Protocol Properties
      SEAD (Secure Efficient Ad hoc Distance vector):
      - Uses one-way hash chains to authenticate metric and sequence number
      - Assumes a limit k-1 on metric (as in other distance vector protocols such as RIP, where k=16)
        • Metric value infinity can be represented as k

  11. SEAD Metric Authenticators
      - Each node generates a hash chain and distributes the last element (C_12) for verification
      - Each sequence number has 3 hash chain values
      - Within a sequence number
        • C_{0,3,6,9} represent metric 0
        • C_{1,4,7,10} represent metric 1
        • C_{2,5,8,11} represent metric 2
      [Figure: hash chain C_0, C_1, ..., C_12; labels: Metric 0, Metric 1, Metric 2; Sequence 3, Sequence 2, Sequence 1, Sequence 0]

      SEAD Metric Authenticator Properties
      - SEAD metric authenticator prevents blackhole attack
        • Assume all nodes know authentic C_12
        • Consider source announces C_9 for metric 0
        • Neighbor announces C_10 for metric 1
        • Attacker cannot announce lower metric!
        • Due to flooding, useless to announce lower metric with lower sequence number
      [Figure: hash chain C_0, C_1, ..., C_12]
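
The metric authenticator check from slides 10 and 11, as an added example that is not part of the original slides. Assumptions: SHA-256 stands in for the one-way function, sequence number 3 occupies C_0..C_2 and sequence number 0 occupies C_9..C_11 (read off the figure labels), and all function names are hypothetical.

```python
import hashlib

K = 3                          # metrics 0..K-1 per sequence number (slide example)
MAX_SEQ = 3                    # sequence numbers 0..MAX_SEQ (assumed from the figure)
CHAIN_LEN = K * (MAX_SEQ + 1)  # 12: the distributed anchor is C_12

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()  # assumption: the slides name no function

def make_chain(seed: bytes) -> list:
    """Return [C_0, ..., C_12] with C_{i+1} = H(C_i)."""
    chain = [seed]
    for _ in range(CHAIN_LEN):
        chain.append(H(chain[-1]))
    return chain

def index_for(seq: int, metric: int) -> int:
    """Chain index for (seq, metric): newer sequence numbers sit earlier."""
    return (MAX_SEQ - seq) * K + metric

def verify(anchor: bytes, seq: int, metric: int, auth: bytes) -> bool:
    """Hash the claimed authenticator forward; it must land on the anchor."""
    if not (0 <= seq <= MAX_SEQ and 0 <= metric < K):
        return False
    for _ in range(CHAIN_LEN - index_for(seq, metric)):
        auth = H(auth)
    return auth == anchor

def forward(metric: int, auth: bytes):
    """A forwarding node adds one hop: metric + 1, authenticator hashed once."""
    return metric + 1, H(auth)

def is_better(new, old) -> bool:
    """DSDV rule on (seq, metric): newer sequence wins, then lower metric."""
    return new[0] > old[0] or (new[0] == old[0] and new[1] < old[1])

def demo() -> dict:
    chain = make_chain(b"constructed seed for node S")  # constructed sample input
    anchor = chain[CHAIN_LEN]
    m1, a1 = forward(0, chain[index_for(0, 0)])  # source sends C_9, neighbor holds C_10
    return {
        "neighbor_metric1": verify(anchor, 0, m1, a1),     # honest claim
        "claim_metric0": verify(anchor, 0, 0, a1),         # lowered metric
        "claim_newer_seq": verify(anchor, 1, 0, a1),       # raised sequence number
        "older_seq_preferred": is_better((0, 0), (1, 2)),  # stale route, lower metric
    }
```

A node holding only C_10 can hash forward to claim a worse metric, but cannot produce C_9 or any value for a newer sequence number, so both forged claims fail verification.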

  12. Remaining Problems
      - “Same Metric” Fraud attack
        • Attack: Replay metric and authenticator attacker hears
        • Solution: Tie forwarding node address to authenticator
      - Denial-of-Service attack:
        • Attack: Claim a very high sequence number
        • Solution: Each sequence number gets own chain
      - Larger metric spaces:
        • Verifying even one sequence number may be expensive (e.g., if metric is based on latency or policy)
        • Solution: Cheaper hash-chain following

      Hash Tree Chains
      - Each step in a hash tree chain is a one-time signature
      [Figure: Hash Chain: v_i, v_{i-1}. Hash Tree Chain: v_i, v_{i-1} with values b_0, b_1, b_2, b_3, b'_0, b'_1, b'_2, b'_3, b_01 and b_23]

  13. Using Hash Tree Chains
      - As before, one step in the one-way chain corresponds to a (sequence number, metric) pair
      - Each b_i corresponds to a forwarding node
      - Attacker must gather correct b_i to replay metric
      [Figure: hash tree chain over v_i, v_{i-1}, v_{i-2}, with steps labelled Sequence 1, Metric 1 and Sequence 1, Metric 2; each step uses values b_0, b_1, b_2, b_3, b'_0, b'_1, b'_2, b'_3, b_01 and b_23]

  14. SPV: Secure Path Vector Routing
      - Joint work with Yih-Chun Hu and Marvin Sirbu
      - Presented at ACM Sigcomm 2004
      - SPV adds security to BGP routing protocol
        • Use of highly efficient one-way function to provide security
        • Key insight: authentication of autonomous systems on path not necessary

      BGP Essentials
      - BGP is Internet’s interdomain routing protocol
        • Destinations are prefixes (CIDR blocks)
        • Route includes list of autonomous systems (AS)
      - A path vector protocol
        • Each AS maintains routes to each prefix
        • It advertises a (potentially different) subset of those routes to each of its peers
        • Each advertised route includes an ASPATH attribute (a list of ASes the route traverses)

  15. Three Important Attacks
      - Unauthorized AS advertises a prefix
        • E.g., small ISP advertises Google’s prefix
        • ASes closer to the small ISP than to Google will send Google’s packets to the ISP
      - ASPATH truncation
        • Reduces ASPATH length, causing downstream AS to prefer attacker’s route
      - ASPATH alteration
        • Remove undesirable ASNs from the path to cause downstream ASes to prefer attacker’s route

      S-BGP (Kent et al.)
      S-BGP checks two things:
      - Originating AS is authorized to advertise prefix
      - Each AS receives delegation from previous AS
      Requires identification of delegating AS
      Disadvantages:
      - S-BGP requires the use of computationally expensive digital signatures
        • Signing is 10,000 times slower than one-way function
        • Verification is 1,000 times slower
      - Poor incremental deployment properties
