
Network Systems Security by Mort Anvari, Lecture 9



Structure

  • Replay Attacks Network Systems Security

  • A Scenario of Replay Attack

  • Replay Attacks

  • Freshness Identifiers

  • Nonces

  • Timestamps

  • Sequence Numbers

  • Operation of Sequence Numbers

  • Problem with Sequence Numbers

  • Anti-Replay Window Protocol in IPsec

  • Anti-Replay Window

  • Cases of Anti-Replay Window

  • Slide 13

  • Slide 14

  • Properties of Protocol

  • Problem with Anti-Replay Window

  • Automatic Shift vs. Controlled Shift

  • Three Properties of Controlled Shift

  • Additional Case with Controlled Shift

  • Another Problem with Anti-Replay Window

  • Scenario of Sender Reset

  • Scenario of Receiver Reset

  • Overcome Reset Problems

  • SAVE and FETCH

  • SAVE at Sender

  • FETCH at Sender

  • Convergence of Sender

  • Results of SAVE and FETCH

  • Next Class

Content

Replay Attacks
Network Systems Security
Mort Anvari
9/23/2004

A Scenario of Replay Attack

  • Alice authorizes a transfer of funds from her account to Bob’s account
  • An eavesdropping adversary makes a copy of this message
  • Adversary replays this message at some later time

Replay Attacks

  • Adversary takes past messages and plays them again
      • whole or part of message
      • to same or different receiver
  • Encryption algorithms not enough to counter replay attacks

Freshness Identifiers

  • Sender attaches a freshness identifier to message to help receiver determine whether message is fresh
  • Three types of freshness identifiers
      • nonces
      • timestamps
      • sequence numbers

Nonces

  • A random number generated for a special occasion
  • Need to be unpredictable and not used before
  • Disadvantage is not suitable for sending a stream of messages
  • Mostly used in challenge-response protocols

Timestamps

  • Sender attaches an encrypted real-time timestamp to every message
  • Receiver decrypts timestamp and compares it with current reading
      • if difference is sufficiently small, accept message
      • otherwise discard message
  • Problem is synchronization between sender and receiver

Sequence Numbers

  • Sender attaches a monotonically increasing counter value to every message
  • Sender needs to remember last used number and receiver needs to remember largest received number

Operation of Sequence Numbers

  • Sender increments sequence number by after sending a message
  • Receiver compares sequence number of received message with largest received number
      • If larger than largest received number, accept message and update largest received number
      • If less than largest received number, discard message

Problem with Sequence Numbers

  • IPsec uses sequence number to counter replay attacks
  • However reorder can occur in IP
  • Messages with larger sequence number may arrive before messages with smaller sequence numbers
  • When reordered messages with smaller sequence numbers arrive later, they will be discarded

Anti-Replay Window Protocol in IPsec

  • Protect IPsec messages against replay attacks and counter the problem of reorder
  • Sender puts a sequence number in every message
  • Receiver uses a sliding window to keep track of the received sequence numbers

Properties of Protocol

  • Discrimination: receiver delivers at most one copy of every message sent by sender
  • w-Delivery: receiver delivers at least one copy of each message that is neither lost nor suffered a reorder of degree w or more, where w is window size

Problem with Anti-Replay Window

  • Receiver gets s, where s >> r
  • Window shifts to right
  • Many good messages that arrive later will be discarded

[Figure: window of size w with right edge r before shift; window of size w with right edge s after shift; discarded good msgs lie between them]

Automatic Shift vs. Controlled Shift

  • Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead
  • Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later

Three Properties of Controlled Shift

  • Adaptability
      • receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment
  • Rationality
      • receiver sacrifices only when messages that could be saved are more than messages that are sacrificed
  • Sensibility
      • receiver stops sacrificing if it senses that the messages it means to save are not likely to come

Additional Case with Controlled Shift

  • Case iv: s is more than w positions to the right of window
      • receiver estimates number of good messages it is going to lose if it shifts the window to s
      • if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by
      • otherwise, receiver delivers the message, shifts the window to the right, and resets d to

Another Problem with Anti-Replay Window

  • Computer may reset due to transient fault
  • If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost

Scenario of Sender Reset

  • If p is reset, unbounded number of fresh messages are discarded by q

[Figure: p and q both at seq# : 50 (q has seen 50, 49, 48, ...); p is reset; its following messages are fresh yet discarded by q]

Scenario of Receiver Reset

  • If q is reset, it can accept unbounded number of replayed messages inserted by adversary

[Figure: p and q both at seq# : 50 (p has sent 50, 49, 48, ...); q is reset; following messages are replayed yet accepted by q]

Overcome Reset Problems

  • IPsec Working Group: if reset, the SA is deleted and a new one is established
      • very expensive
  • Our solution: periodically push current state of SA into persistent memory; if reset, restore state of SA from this memory

SAVE and FETCH

  • When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory
  • When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory

SAVE at Sender

  • s is sequence number at p
  • Every Kp messages, p executes SAVE(s) to store current s in persistent memory
  • In spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent

FETCH at Sender

  • When p wakes up after reset, p executes FETCH(s) to fetch s stored in persistent memory
  • After FETCH(s) completes, p executes SAVE(s+2Kp) and waits
  • After SAVE(s+2Kp) completes, p can send next message using seq# s+2Kp

Convergence of Sender

  • Assume when p resets, SAVE(s) has not yet completed, and the last sent seq# is s+t, t < Kp
  • When p wakes up, s-Kp will be fetched
  • Therefore, adding 2Kp to fetched seq# guarantees that next sent seq# is fresh

Results of SAVE and FETCH

  • When p is reset, some sequence numbers will be abandoned by p, but no message sent from p to q will be discarded provided no message reorder occurs
  • When q is reset, the number of discarded messages is bounded by Kq
  • When p or q is reset, no replayed message will be accepted by q

Next Class

  • Address Resolution Protocol (ARP) and its security problems
  • Secure ARP
  • Read paper on website
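The receiver side of the anti-replay window, with automatic and controlled shift side by side, as an added example that is not part of the lecture. Assumptions: the left-of-window and inside-window cases follow the usual IPsec anti-replay check (the slides listing them did not survive in this text), the loss estimator is a simple count chosen for illustration, d is incremented by 1 and reset to 0, and all names are hypothetical.

```python
class AntiReplayWindow:
    """Receiver state: window of w sequence numbers ending at right edge r."""

    def __init__(self, w=8, dmax=3, controlled=True):
        self.w, self.dmax, self.controlled = w, dmax, controlled
        self.r = 0         # right edge: largest sequence number delivered so far
        self.seen = set()  # delivered sequence numbers still inside the window
        self.d = 0         # counter of messages discarded by controlled shift

    def _estimate_loss(self, s):
        # Assumed estimator: undelivered numbers left behind if the window moves to s.
        old_left = max(1, self.r - self.w + 1)
        return sum(n not in self.seen for n in range(old_left, s - self.w + 1))

    def receive(self, s):
        """Classify an already-authenticated message with sequence number s."""
        if s <= self.r - self.w:          # left of window: cannot be checked
            return "discard"
        if s <= self.r:                   # inside window: first copy only
            if s in self.seen:
                return "discard"
            self.seen.add(s)
            return "deliver"
        if self.controlled and s > self.r + self.w:   # case iv: far ahead
            if self._estimate_loss(s) > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1               # sacrifice s, keep the window in place
                return "discard"
            self.d = 0                    # stop sacrificing and accept the jump
        self.r = s                        # shift the window so s is its right edge
        self.seen = {n for n in self.seen if n > s - self.w} | {s}
        return "deliver"


def delivered(arrivals, controlled):
    """Sequence numbers the receiver delivers, in arrival order."""
    rx = AntiReplayWindow(controlled=controlled)
    return [s for s in arrivals if rx.receive(s) == "deliver"]


# Constructed arrival order: reorder (5 before 4), a replay of 3, then a jump to 100.
ARRIVALS = [1, 2, 3, 5, 4, 3, 100, 6, 7, 8]

if __name__ == "__main__":
    print("automatic :", delivered(ARRIVALS, controlled=False))
    print("controlled:", delivered(ARRIVALS, controlled=True))
```

With automatic shift the jump to 100 costs messages 6, 7 and 8; with controlled shift the receiver sacrifices 100 instead, and accepts a far-ahead number once d+1 reaches dmax.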
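The sender's SAVE and FETCH rules and the 2Kp leap from the convergence slide, simulated over every reset point, as an added example that is not from the lecture. Assumptions: SAVE delay is measured in messages sent (`save_delay`, at most Kp), persistent memory starts at 0, and the class and function names are hypothetical.

```python
class Sender:
    """Sender p: volatile counter s, plus a 'disk' value that survives resets."""

    def __init__(self, kp, save_delay):
        assert 1 <= save_delay <= kp   # SAVE(s) completes before s+Kp is sent
        self.kp, self.save_delay = kp, save_delay
        self.disk = 0                  # persistent memory: last completed SAVE
        self.s = 1                     # next sequence number to use (volatile)
        self.pending = None            # value of a SAVE still in progress (volatile)

    def send(self):
        n = self.s
        if self.pending is not None and n >= self.pending + self.save_delay:
            self.disk, self.pending = self.pending, None   # SAVE completes
        if n % self.kp == 0:
            self.pending = n           # every Kp messages: start SAVE(n)
        self.s = n + 1
        return n

    def reset_and_wake(self, leap=True):
        """Lose volatile state, FETCH, then resume; returns the next seq# to send."""
        self.pending = None            # an unfinished SAVE is lost with the reset
        fetched = self.disk            # FETCH(s)
        self.s = fetched + (2 * self.kp if leap else 0)
        self.disk = self.s             # SAVE(s+2Kp) completes before sending resumes
        return self.s


def stale_reset_points(kp, save_delay, leap, max_sent=200):
    """Reset points (messages sent before the reset) where the resumed seq# is reused."""
    stale = []
    for sent in range(1, max_sent + 1):
        p = Sender(kp, save_delay)
        last = max(p.send() for _ in range(sent))
        if p.reset_and_wake(leap) <= last:
            stale.append(sent)
    return stale


if __name__ == "__main__":
    # Worst case from the slide with Kp = 4: s = 8, t = 3, SAVE(8) unfinished.
    p = Sender(kp=4, save_delay=4)
    last = max(p.send() for _ in range(11))
    print("last sent", last, "fetched", p.disk, "resumes at", p.reset_and_wake())
    print("stale with 2Kp leap:", stale_reset_points(4, 4, leap=True))
    print("stale without leap :", len(stale_reset_points(4, 4, leap=False)), "of 200")
```

Resuming from the fetched value alone reuses a sequence number at every reset point, which q would then discard as a replay; the 2Kp leap never does.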

Date posted: 09/01/2018, 11:57
