Knocking down the HACIENDA with TCP Stealth Christian Grothoff Actual work: Julian Kirsch Technische Universität München May 8, 2015


Page 1:

Knocking down the HACIENDA with TCP Stealth

Christian Grothoff (actual work: Julian Kirsch)

Technische Universität München

May 8, 2015

Pages 2-20: image-only slides; no recoverable text.

Page 21:

So, is it all lost?

Page 22:

Two Solutions

- Backwards-compatible, minimally invasive hotfix
- Clean-slate, principled rearchitecture

Page 23:

An Introduction to Port Knocking

No knock, no fun (Host 1 and Host 2, messages in time order):

    Host 1 -> Host 2: SYN (SEQ = x), port 22
    Host 2 -> Host 1: RST (SEQ = y, ACK = x + 1)

Port knocking example:

    Host 1 -> Host 2: SYN (SEQ = x0), port 4242
    Host 2 -> Host 1: RST (SEQ = y0, ACK = x0 + 1)
    Host 1 -> Host 2: SYN (SEQ = x1), port 1337
    Host 2 -> Host 1: RST (SEQ = y1, ACK = x1 + 1)
    Host 1 -> Host 2: SYN (SEQ = x2), port 22
    Host 2 -> Host 1: SYN (SEQ = y2, ACK = x2 + 1)
    Host 1 -> Host 2: (SEQ = x2 + 1, ACK = y2 + 1)

Page 24:

Design: Overview

Practical and Secure Stealthy Servers

[figure: three-step overview; only the step labels 1., 2., 3. survive, the diagram text is not recoverable]

Page 25:

Design: Stealthiness

[figure: TCP header layout, bits 0-31 per row]

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-------------------------------+-------------------------------+
    |          Source Port          |       Destination Port        |
    +-------------------------------+-------------------------------+
    |                        Sequence Number                        |
    +---------------------------------------------------------------+
    |                    Acknowledgement Number                     |
    +-------+-----------+-+-+-+-+-+-+-------------------------------+
    | Data  | Reserved  |U|A|P|R|S|F|                               |
    | Offset|           |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-------+-----------+-+-+-+-+-+-+-------------------------------+
    |           Checksum            |         Urgent Pointer        |
    +-------------------------------+-------------------------------+
    |                            Options                            |
    +---------------------------------------------------------------+

Page 26:

Design (v1): Security

- Destination IP address IPd
- Destination port Pd
- TCP timestamp T
- Pre-Shared Key S
- Hash function h

Authentication Security Token (AV):  AV := h((IPd, Pd, T), S)

- ISN := AV


Page 28:

Design (v2): Security

- Destination IP address IPd
- Destination port Pd
- TCP timestamp T
- Pre-Shared Key S
- Hash functions h, h′
- Payload p

TCP Payload Integrity Protector (IH):  IH := h′(S ◦ p)

Authentication Security Token (AV):    AV := h((IPd, Pd, T, IH), S)

- ISN := AV ◦ IH

Page 29:

Connection setup with TCP Stealth (Host 1 and Host 2, messages in time order; the server decides at two points):

    Host 1 -> Host 2: SYN (SEQ = x = AV ◦ IH)
      AV correct?
        no:  Host 2 -> Host 1: RST (SEQ = y, ACK = x + 1)
        yes: Host 2 -> Host 1: ACK (SEQ = y, ACK = x + 1)
    Host 1 -> Host 2: Payload (SEQ = x + 1, ACK = y + 1)
      IH correct?
        no:  Host 2 -> Host 1: RST (SEQ = y + 1, ACK = x + 2)
        yes: connection continues (. . .)
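A worked instance of the v2 derivation (Design (v2) slide) together with the two server-side decisions of the flow above, as an added Python example that is not the authors' code or the Knock kernel patch. It assumes h and h′ are instantiated as HMAC-SHA256 and SHA-256 truncated to 16 bits each so that AV ◦ IH fills the 32-bit ISN, that ◦ is concatenation, and that the server address, TSval and payload are constructed sample values.

```python
"""TCP Stealth (v2) token derivation and the server's two checks (added example)."""
import hashlib
import hmac
import ipaddress
import struct

# Assumption: the 32-bit ISN is split 16/16 between AV and IH so that AV ◦ IH
# (read here as bit-string concatenation) exactly fills the sequence-number field.
HALF = 16
MASK = (1 << HALF) - 1


def h(context: bytes, secret: bytes) -> int:
    """h(x, S): instantiated (assumption) as HMAC-SHA256 truncated to 16 bits."""
    return int.from_bytes(hmac.new(secret, context, hashlib.sha256).digest()[:2], "big")


def h_prime(data: bytes) -> int:
    """h'(x): instantiated (assumption) as SHA-256 truncated to 16 bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def integrity_hash(secret: bytes, payload: bytes, integrity_len: int) -> int:
    """IH := h'(S ◦ p); only the first integrity_len payload bytes are covered,
    mirroring TCP_STEALTH_INTEGRITY_LEN on the server slide."""
    return h_prime(secret + payload[:integrity_len])


def auth_token(dst_ip: str, dst_port: int, tsval: int, ih: int, secret: bytes) -> int:
    """AV := h((IPd, Pd, T, IH), S).  Source IP and port are deliberately absent,
    so a NAT rewriting them does not invalidate the token."""
    context = ipaddress.ip_address(dst_ip).packed + struct.pack(
        "!HIH", dst_port, tsval & 0xFFFFFFFF, ih)
    return h(context, secret)


def client_isn(dst_ip, dst_port, tsval, secret, payload, integrity_len):
    """Value the knocking client places in the SYN's sequence-number field."""
    ih = integrity_hash(secret, payload, integrity_len)
    av = auth_token(dst_ip, dst_port, tsval, ih, secret)
    return (av << HALF) | ih  # ISN := AV ◦ IH


def server_check_syn(isn, dst_ip, dst_port, tsval, secret):
    """'AV correct?' on the incoming SYN; False means the server answers RST."""
    av, ih = isn >> HALF, isn & MASK
    expected = auth_token(dst_ip, dst_port, tsval, ih, secret)
    return hmac.compare_digest(expected.to_bytes(2, "big"), av.to_bytes(2, "big"))


def server_check_payload(isn, secret, payload, integrity_len):
    """'IH correct?' on the first data segment; False means RST."""
    expected = integrity_hash(secret, payload, integrity_len)
    return hmac.compare_digest(expected.to_bytes(2, "big"),
                               (isn & MASK).to_bytes(2, "big"))


if __name__ == "__main__":
    # Constructed sample: server 192.0.2.10:22, one TSval, the slides' secret and payload.
    secret, payload, tsval = b"This is my magic ID.", b"1234", 0x12345678
    isn = client_isn("192.0.2.10", 22, tsval, secret, payload, 4)
    print(f"SYN carries ISN = 0x{isn:08x}")
    print("AV correct?", server_check_syn(isn, "192.0.2.10", 22, tsval, secret))
    print("IH correct?", server_check_payload(isn, secret, payload, 4))
    # A port scanner without S, or a middlebox that rewrote ISN/TSval, fails here:
    print("AV, wrong secret:", server_check_syn(isn, "192.0.2.10", 22, tsval, b"guess"))
    print("AV, TSval rewritten:", server_check_syn(isn, "192.0.2.10", 22, tsval + 1, secret))
    print("IH, payload tampered:", server_check_payload(isn, secret, b"9999", 4))
```

The three failing checks at the end are the cases the Limitations slides describe: a scanner lacking S only has a 1-in-2^16 chance per SYN against the AV half, and any middlebox that rewrites the ISN or TSval turns a legitimate knock into a RST.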

Page 30:

Design: Ease of Use

- Source IP and port not included in ISN generation ⇒ compatibility with NATs
- Knocking is implemented in the kernel ⇒ no fiddling with config files, firewall rules or daemons ⇒ trivial to use from an application developer's perspective

Page 31:

Design: Ease of Use – TCP Stealth Server

    /* Headers added here; TCP_STEALTH and TCP_STEALTH_INTEGRITY_LEN are
       socket options provided by the TCP Stealth kernel patch, not by a
       stock <netinet/tcp.h>. */
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/tcp.h>

    int main(void)
    {
        char secret[64] = "This is my magic ID.";
        int payload_len = 4;
        int sock;

        sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (sock < 0) {
            printf("socket() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Pre-shared secret S from which the kernel derives the expected ISN */
        if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH, secret, sizeof(secret))) {
            printf("setsockopt() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Number of leading payload bytes the integrity check (IH) must cover */
        if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY_LEN,
                       &payload_len, sizeof(payload_len))) {
            printf("setsockopt() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Continue with bind(), listen(), accept(), recv(), ... */
        return 0;
    }

Page 32:

Design: Ease of Use – TCP Stealth Client

    /* Headers added here; TCP_STEALTH and TCP_STEALTH_INTEGRITY are socket
       options provided by the TCP Stealth kernel patch. */
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/tcp.h>

    int main(void)
    {
        char secret[64] = "This is my magic ID.";
        char payload[4] = "1234";   /* exactly four bytes, no terminating NUL */
        int sock;

        sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (sock < 0) {
            printf("socket() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Pre-shared secret S used to compute the authentication token AV */
        if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH, secret, sizeof(secret))) {
            printf("setsockopt() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Leading payload bytes whose integrity hash IH is folded into the ISN */
        if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY,
                       payload, sizeof(payload))) {
            printf("setsockopt() failed, %s\n", strerror(errno));
            return 1;
        }
        /* Continue with connect(), send(), ... */
        return 0;
    }

Page 33:

Design: Ease of Use – libknockify

- Shared library for use at compile- or run-time
- Enables TCP Stealth functionality for legacy code:

    $ LD_PRELOAD=./libknockify.so ncat knock-server application-port

- Configuration options (such as the TCP Stealth secret) are given as environment variables or via a special file

Page 34:

Limitations

- Distribution of the Pre-Shared Key
- ISN has only 32 bits
- Changes to ISN and TSVal by middle boxes:

    Behavior                     TCP port 34343   TCP port 80   TCP port 443
    Unchanged                    126 (93%)        116 (82%)     128 (90%)
    Mod. outbound                  5 (4%)           5 (4%)        6 (4%)
    Mod. inbound                   0 (0%)           1 (1%)        1 (1%)
    Mod. both                      4 (3%)          13 (9%)        7 (5%)
    Proxy (probably mod. both)     0 (0%)           7 (5%)        0 (0%)
    Total                        135 (100%)       142 (100%)    142 (100%)

  Numbers by Honda et al., "Is it Still Possible to Extend TCP?"

- IETF, Linux and FreeBSD communities so far fail to adopt


Page 37:

Cat break (sponsored by IRTF)

Page 38:

HACIENDA is a port mapper.

What else does the NSA map?

Let's ask The Intercept...



Page 42:

Time to Build a NEW GNU Network

Page 43:

The NEW GNU Network (very simplified)

[figure: the two protocol stacks side by side, top layer first]

    Internet        | GNUnet
    ----------------+------------------------------------
    Google          | Applications
    DNS/X.509       | GNU Name System
    TCP/UDP         | CADET (SCTP + Axolotl + TCP Stealth)
    IP/BGP          | R5N DHT (KBR)
    Ethernet        | CORE (OTR)
    Phys. Layer     | HTTPS/TCP/WLAN/...


Page 51:

Limitations

- Distribution of the Pre-Shared Key — use GNU Name System
- ISN has only 32 bits — use 256 bits
- Changes to ISN and TSVal by middle boxes — irrelevant in overlay
- IETF, Linux and FreeBSD communities so far fail to adopt — all in userspace
- More issues to address ⇒ more research! (not done yet!)


Page 56:

A Pattern of Hope

    Spy Program            Target               Defense              Started
    FTM/TRACFIN            SWIFT/VISA/etc.      DigiCash/GNU Taler   1990
    TREASUREMAP            Internet (all)       Freenet/GNUnet/Tor   2000
    HACIENDA               vuln. TCP service    Port Knocking        2000
    BULLRUN/DUAL_EC_DRBG   PRNG (backdoor)      n/a                  2004
    BULLRUN/LONGHAUL       TLS/IPSEC (keys)     OTR/AXOLOTL          2004
    MJOLNIR                Long-path in Tor     Tor 0.2.3.11         2007
    PRISM                  US big data corps    SecuShare            2009
    MORECOWBELL            DNS                  GNU Name System      2012
    . . .                  . . .                . . .                . . .

Page 57:

Questions?

Find more information at:
- https://gnunet.org/
- https://gnunet.org/knock
- https://gnunet.org/gns
- https://gnunet.org/mcb
- http://www.taler.net/

Thanks to: Julian Kirsch, Jacob Appelbaum, Monika Ermert, Laura Poitras, Henrik Moltke, Maurice Leclaire, Andreas Enge, Bart Polot, Luca Saiu, The Source

This work was funded by the Deutsche Forschungsgemeinschaft (DFG) under ENP GR 3688/1-1.

Slides will be at http://grothoff.org/christian/.

Page 58:

Limitations – RFC 1323: TCP Extensions for High Performance

[figure: the TCP header of the Stealthiness slide (Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, URG/ACK/PSH/RST/SYN/FIN, Window, Checksum, Urgent Pointer, Options), followed by the Timestamps option carried in the Options field:]

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    |    Kind=8     |   Length=10   |        TS Value (TSval)       |
    +---------------+---------------+-------------------------------+
    |    TS Value (TSval), cont.    |     TS Echo Reply (TSecr)     |
    +-------------------------------+-------------------------------+
    |  TS Echo Reply (TSecr), cont. |            Options            |
    +-------------------------------+-------------------------------+