Professional Documents
Culture Documents
S ECURITY P OLICY
Security is a question of tradeoffs S ECURITY T HREATS
Security Policy: Interception: unauthorised party has gained access to a
➜ A statement of security requirements service or data
➜ Describes which actions entities in a system are allowed to take
Interruption: service or data become unavailable, unusable,
and which ones are prohibited
destroyed, etc.
Slide 6 • Entities: users, services, data, machines, etc. Slide 8
• Operations: read, write, send, start, stop, etc. Modification: unauthorised changing of data or tampering
with a service (so that it no longer adheres to its
Example:
specifications)
➜ Everyone (staff and students) has an account
➜ Access to course accounts must be approved Fabrication: additional data or activity are generated that
➜ Only course accounts can modify grades would normally not exist
Anything missing?
C RYPTOGRAPHY
H OW T O M AKE I T E ASIER The Basic Idea:
Passive intruder Active intruder Active intruder
Distribution of Mechanisms: only listens to C can alter messages can insert messages
F OUNDATIONS 7 C RYPTOGRAPHY 8
E NCRYPTION
The essence of encryption functions:
E NCRYPTION 9 E NCRYPTION 10
Symmetric ciphers:
Encrypt
In practice, keys are of finite length. Consequences?
➜ Finite key space ⇒ susceptible to exhaustive search Cipher
➜ Longer keys ⇒ more time needed for brute-force attack
Plaintext K text
• Time to guess a key is exponential in the number of bits of
Slide 21 Slide 23
the key Decrypt
X Longer keys also make E and D more expensive
➜ Cipher must be secure against any systematic attack ➜ Secret key: KE = KD
significantly faster than exhaustive search of key space V fast ⇒ suited for large data volumes
X Secure channel is needed to establish the shared, secret key
➜ How many keys needed for N agents?
➼ For any two agents, one key is needed
B ASIC C IPHERS
Substitution Ciphers:
➜ Each plaintext character replaced by a ciphertext character
➜ Caesar cipher: shift alphabet x positions
T INY E NCRYPTION A LGORITHM (TEA)
• Easy to break using statistical properties of language Symmetric encryption algorithm by Wheeler & Needham:
➜ Book cipher: replace words by location of word in book ➜ Encode a 64-bit block (text) consisting of two 32-bit integers
• Knowledge of book is the key ➜ Using a 128-bit key (k) represented by four 32-bit integers
Slide 22 Slide 24 ➜ Despite its simplicity, TEA is a secure and reasonably fast
One Time Pads:
➜ Random string XORed with plaintext encryption algorithm
➜ Information theoretically secure ➜ Can easily be implemented in hardware
➜ Random string must: ➜ Approximately three times as fast as DES
• Have no pattern or be predictable ➜ Achieves complete diffusion
• Not be reused
• Not be known by cryptanalyst
➜ Key distribution problem
Asymmetric ciphers:
Stream cipher:
keystream
number
generator E(K,M) ciphertext
stream
XOR
How they work: plaintext
➜ Trap-door functions: one-way functions with a secret exit stream
➜ Easy to compute in one direction, but infeasible to invert unless ➜ Encode a given plaintext bit by bit (e.g., voice)
Slide 30 a secret (secret key) is known Slide 32 ➜ Xor a keystream (sequence of ’random’ bits) with the plaintext
➜ Key pair is usually derived from a common root (such as large ➜ Security of ciphertext same as keystream
prime numbers) such that it is infeasible to reconstruct the root ➜ Keystream: Output of a random number generator encoded
from the public key with a block cipher algorithm
➜ How does the receiver reconstruct the plaintext?
• Generate the same keystream and xor it with the ciphertext
• requires starting value of RNG and the secret key
➜ Under which conditions can partial message loss be tolerated?
How can we check whether a message has been altered? • given h, find m such that H(m) = h
Hash functions:
128-bit constant Padded message (multiple of 512 bits)
Digest
512 bits
➜ Given a message M and sender private key Kpri , signed Threat Assumptions:
message: ➜ Can communication channel be intercepted?
➜ Can data stream be modified?
(M, {H(M )}Kpri )
➜ Are participants malicious?
Reflection:
1
A ➜ Use Alice to respond to Alice’s challenge
2 ➜ Alice → Eve: challenge
Slide 41 RB Slide 43
➜ Alice ← Eve: challenge
➜ Alice → Eve: response
Alice
3
K A,B (RB )
Bob
➜ Alice ← Eve: response
4
RA
5
K A,B( RA)
H OW TO B REAK A P ROTOCOL
Replay:
Man-in-the-Middle: ➜ Re-use Bob’s old message to respond to Alice’s challenge
➜ Take on the role of Alice to Bob and Bob to Alice ➜ Alice → Bob: challenge
Slide 42 ➜ Alice → Eve: challenge Slide 44
➜ Alice ← Eve ← Bob: response
➜ Eve → Bob: challenge ➜ Alice → Eve: challenge
➜ Eve ← Bob: response ➜ Alice ← Eve: response
➜ Alice ← Eve: response
Message Manipulation: 1
A, RA
➜ Change the message from Alice to Bob
➜ Alice sends: let’s meet at 3pm by the bridge
Alice
2
➜ Eve intercepts and changes
Bob
RB , K A,B( RA)
Slide 45 ➜ Bob receives: let’s meet at 2pm by the oak Slide 47
Changed Environment/Assumptions: 3
K A,B (RB )
➜ Bob is no longer trustworthy
➜ Bob sells Alice’s secrets to the tabloid press!
Oops!
➜ Vulnerable to reflection attack
1
A, RC
1 First session
A 2
RB , K A,B( RC)
2
RB 3
Chuck
A, RB
Bob
4 Second session
Slide 46 Slide 48 RB2 , K A,B( RB)
Alice
3
K A,B (RB )
Bob
5
K A,B (RB ) First session
4
RA
5
K A,B( RA)
Is this different from Man-in-the-middle?
Vulnerable?
Key Distribution
Centre
agent key
A KA
B KB
... ...
m 1: [A, B, N A]
S ECURE C OMMUNICATION
m 2: [{N A , B, KAB, {A,KAB }K }K ]
B A
]
➜ Message confidentiality
AB
➜ Message integrity
➜ Central key distribution centre D
➜ Each agent A shares a (symmetric) key KA with D
➜ A wants to communicate with B, asks D for session key KAB
➜ After key distribution protocol, both A and B know that they
share a key provided by D.
ClientHello
Establish protocol version, session
ID, cipher suite, compression
Secure replicated servers:
ServerHello method, exchange random values
➜ Secure Replicated Servers: protecting from malicious group
Certificate
members
Optionally send server certificate
Server Key Exchange
and request client certificate ➜ Collect responses from all servers and authenticate each
Certificate Request Not transparent
ServerHelloDone
Slide 54 Slide 56 ➜ Secret sharing:
Certificate
Send client certificate response ➜ All group members know part of a secret.
Client Key Exchange if requested
➜ Recipient combines answers from k members, decrypts with
Certificate Verify
special decryption function D.
Change Cipher Spec Change cipher suite and finish ➜ If successful: these k members are honest.
handshake
Finished ➜ If not: try other combination of answers.
Change Cipher Spec
Finished
Kerberos Authentication:
Approaches to Authentication:
Key Distribution Centre
Authentication Ticket Granting
Shared secret key: challenge and response encoded with Service A Service T
shared secret key m1 : [C; T ; n℄
Session Setup
Hybrid: use public keys to set up a secure channel and then Work f
m5 : [ C; t gKCS ; fhC; S igKS ; request; n℄
K ERBEROS 29 K ERBEROS 30
root CA
root CA Kpub
C1 CA
C1 Kpub
C2 CA
➜ Central KDC contains 0 signature root C2 Kpub
Alice
• Authentication service A, signature C1 Alice Kpub
3
knows all user logins and their passwords (secret keys) signature C2
2
as well as identity and key of T ;
Bob
• Ticket granting service T , 1
Slide 61 knows all servers and their secret keys Slide 63
Checking of certificates is recursive:
➜ Kerberos protocol has three phases: ➜ To establish trust in Alice’s certificate signed by C2 , Bob may
➀ login session setup (user authentication)
need to obtain C2 ’s certificate
➁ server session setup (establishing secure channel to server)
➜ Bob uses the public key of C2 to validate Alice’s certificate
➂ client-server RPC
➜ C2 is signed by C1
➜ Uses time-limited tickets
➜ This may lead to a chain of certificates
➜ Terminated by self-signed certificate of a root certification
authority (who Bob trusts)
Non-distributed Protection:
Are certificates valid forever? ➜ Global mechanisms
➜ Certificates may have an expiry date to reduce risk of security ➜ Global policies
breach ➜ Examples:
➜ After a certificate expires, a new one must be generated and
Slide 65 Slide 67 • Users
signed
• File permissions
➜ Alternatively, certificates may be revoked
• Separate address spaces
➜ Revocation is only effective if receiver regularly checks the
certificate server Distributed Protection:
➜ Service specific
• Web servers and .htaccess: authentication, access control
➜ Application specific
Object Subjects
Properties of the access matrix: S1 S2 S3 S4
➜ Rows define subjects’ protection domains /etc/passwd read read, write – read
➜ Columns define objects’ accessibility ➜ Column-wise representation of the access matrix
➜ Dynamic data structure: frequently changes ➜ Each object associated with a list of (subject, rights) pairs
Slide 69 Slide 71
• permanent changes (e.g. chmod) ➼ requires explicit authentication
• temporary changes (e.g. setuid flag) ➜ Usually supports concept of group rights (domain classes)
➜ Matrix is very sparse with many repeated entries (granted to each agent belonging to the group)
➼ usually not stored explicitly ➜ Often simplified to a simple fixed-size list
(e.g., UNIX user-group-others or VMS system-owner-group-world)
➜ Can have negative rights as well
(e.g., to simplify exclusion from groups)
Signature capabilities:
F IREWALLS
Properties:
➜ When communicating with untrusted clients/servers ‘
➜ Disconnects part of system from outside world
➜ Incoming communication inspected and filtered R EADING LIST
Two types:
Slide 78 Slide 80 Ross J. Anderson Security Engineering: A Guide to Building
➜ Packet-filtering gateway
Dependable Distributed Systems. Covers many pitfalls of
➜ Application-level gateway
building secure systems, with many real-world examples.
Three Myths of Firewalls:
➀ We’ve got the place surrounded
➁ Nobody here but us chickens
➂ Sticks and Stones may break my bones, but words will never hurt
me
Slide 82
H OMEWORK 41