Transcript Chapter 9 - SFU computer science

Chapter 9
Security
Topics

Introduction


Security channel



Authentication, integrity, confidentiality
Access control


Threats, mechanisms, cryptography
Firewall, secure mobile code
Security management
Examples

Kerberos, E-commerce
What Do We Need to Protect?

Data


Resources


Information we keep on computers (product
design, financial records, personnel data)
Unauthorized use of computer time & space
Reputation

Misrepresentation, forgery, negative publicity
Fundamental Security Objectives




Confidentiality - Protection from unauthorized
persons
Integrity - consistency of data; no
unauthorized creation, alteration or
destruction
Availability - ensuring access to legitimate
users
Access control - ensuring appropriate use by
authorized users
Security Threats

Interception



Interruption



Unauthorized changing of data
Fabrication


Unavailable of service or data
Denial of service attack
Modification


Unauthorized access to a service or data
Eavesdropping
Adding data or activity normally not exist.
Security policy
Examples: Threat
Request
Server
Client
Response
Eavesdropping
Server
Attacker
Denial of service
Example: Security Policy

Chinese Wall Model: widely used in financial
world


Group datasets into “conflict of interest
classes”
Subjects are allowed to access to at most one
dataset belonging to each such conflict of
interest class

Subject s can access company c’s data only if




a) s has already accessed c’s data or
b) s has not yet accessed any of c’s competitors’
data
s can write to c’s data only if s can not read any
other company’s sensitive data
Mandatory security policy for UK Stock
Exchange.
Security Mechanisms

Encryption


Authentication


Verify the identify of user
Authorization


Transform data to achieve confidentiality and
integrity
Check the permission
Auditing

Trace the accesses, used for analysis
Cryptography

Intruders and eavesdroppers in communication.
Classifications

Symmetric cryptography: shared Key



Asymmetric cryptography: a pair of keys



P=DK(EK(P))
DES
P=DKD(EKE(P))
RAS
Hash function: one way function, not
reversible


h=H(m)
MD5
Notations
Notation
Description
KA, B
Secret key shared by A and B
K A
K

A
Public key of A
Private key of A
DES
64-bit data block
a)
b)
The principle of DES
Outline of one encryption round
Key Generation
Attacking DES

Cryptanalysis



Relies on nature of the encryption algorithm and
additional knowledge of the general types of
plain texts (frequencies of letters etc.)
Some samples of plain- and cipher texts
Brute-force

Test every possible key on some cipher text until
readable result be done in advance if key is not
changed
Brute-force Key Search
Key size (bits) Key space size
Mean time required
at 1 key test/msec
32
56 (DES)
232 = 4.3 x 109
128
24 = 300
128
38
5.4
x
10
2
= 3.4 x 10
168
256 = 7.2 x 1016
35.8 minutes
1,142 years
billion big bangs
36 big bangs
168
50
5.9
x
10
2
= 3.7 x 10
Don’t get impressed easily: DES can now be cracked in hours!
Triple DES
Public-Key Cryptosystems
Encryption
Plaintext P
E K+ (.)
Decryption
Ciphertext C
Public key K+
Encryption
Plaintext P
E K- (.)
P
DK-(.)
Private key K
Decryption
Ciphertext C
Private key K
DK+(.)
P
Public key K+
Idea

Questions:




314159265358979 * 314159265358979=?
3912571506419387090594828508241 = ?*?
Idea: Use easy algorithm for encryption. Use
difficult algorithm for decryption
A user picks a public key/private key pair


publish the public key
private key not published
RSA: Rivest, Shamir and Adleman
Foundation: no known method that can efficiently
find the prime factors of large numbers.


In RSA, private and public keys are constructed from very
large prime numbers (consisting of hundreds of decimal
digits)
Four steps to construct the keys:





Choose two very large prime numbers, p and q
Compute n = p x q and z = (p – 1) x (q – 1)
Choose a number d that is relatively prime to z
Compute the number e such that e x d = 1 mod z
How It Works?

How it works?






Encryption: C = Pe mod n
Decryption: P = Cd mod n
K+ = (e, n), K = (d, n)
The intruder needs to factor n into p and q to crack the
code.
Higher cost of computation.
Problems:



1) Is the number of primes infinite? Yes!
2) Are they scarce? Yes! 4% of the first 25 billion numbers.
And the percentage drops as the numbers get bigger.
Implication: it is tricky to propose a new prime number. E.g.,
is 687,532,127 a prime?
Example (1)
To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than 10100), and form:
n=PxQ
Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d
has no common factors with Z).
We illustrate the computations involved using small integer values for P
and Q:
P = 13, Q = 17 –> n = 221, Z = 192
d=5
3. To find e solve the equation:
e x d = 1 mod Z
That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1,
... .
e x d = 1 mod 192 = 1, 193, 385, ...
385 is divisible by d
e = 385/5 = 77
Example (2)
To encrypt text using the RSA method, the plaintext is divided into equal blocks
of length k bits where 2k < n (that is, such that the numerical value of a block
is always less than n; in practical applications, k is usually in the range 512 to
1024).
k = 7, since 27 = 128
The function for encrypting a single block of plaintext M is:
E'(e, n, M) = Me mod n
for a message M, the ciphertext is M77 mod 221
The function for decrypting a block of encrypted text c to produce the original
plaintext block is:
D'(d, n, c) = cd mod n
Rivest, Shamir and Adelman proved that E' and D' are mutual inverses
(that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ n.
Secret Message
Signature
Remark: Goal of a signature is to guarantee, that the receiver is
sure that the received message is from the sender. However,
anyone with Gerd’s public key of Gerd can also read.
Message Digest

Cryptographic checksum


One-way function


Just as a regular checksum protects the receiver from
accidental changes to the message , a cryptographic
checksum protects the receiver from malicious changes.
Given a cryptographic checksum for a msg, it is virtually
impossible to figure out what msg produced that checksum;
it is not computationally feasible to find two msg that hash
to the same cryptographic checksum.
Relevance

If you are given a checksum for a message & you are able
to compute exactly the same checksum for that message,
then it is highly likely this message produced the checksum
you were given.
Hash Function: MD5

For each round, four functions are applied. And each
function has 16 iterations.
MD5: Iterations
Requirements
Received msg:
m
MD5(m)
MD5(m)
Compare
Weak collision resistance: given m and h, difficult to find m’
such that h=H(m’)
Strong collision resistance: given h, difficult to find m and
m’ such that H(m)=H(m’).
Tamper Proof
Using K+ and K−
Received msg:
m
K− { MD5(m) }
K+ K− { MD5(m)}
MD5(m)
Compare
Secure Channels

Main model of DS: client-server


Servers may be distributed and replicated
How to secure a DS?

Establish secure communication between client/server



Establish authorization



Authentication of communicating partners
Ensuring message integrity and confidentiality
How to be sure on the server side, that a client is allowed to
get the requested service?
Access control
Two principles:


Set-up phase precedes message exchange
Session keys to ensure message integrity
Setup Phase

Suppose Alice and Bob want to communicate
with each other, Alice at machine M1 and Bob
at machine M2:

1. Alice is setting up a communication channel,



a) Either by sending a message directly to Bob or
b) by sending a corresponding message to a trusted third
party, helping to set up this channel
2. Once the channel has been set up, both sides
know for sure, that they can exchange messages
Authentication on Shared Key
Optimization?
Reflection Attack
Consequence: use different challenges for initiator and responder
Scalability of Session Keys

Suppose we have N hosts each sharing
a secret key with each of the other N-1
hosts



DS has (N-1)*N/2 secret session keys and
each host has manage (N-1) session keys
For large N #session keys will be a
problem
Instead you can install a trusted key
distribution center KDC on one of the
nodes of the DS
Authentication: Key Distribution Center
Improvement
Ticket

Using a ticket and letting Alice set up a connection to Bob.
Needham-Schroeder
Authentication Protocol

In early distributed systems (1974-84) it was difficult to protect
the servers


E.g. against masquerading attacks on a file server because there
was no mechanism for authenticating the origins of requests
public-key cryptography was not yet available or practical



computers too slow for trap-door calculations
RSA algorithm not available until 1978
Needham and Schroeder therefore developed an authentication
and key-distribution protocol for use in a local network


An early example of the care required to design a safe security
protocol
Introduced several design ideas including the use of nonces.
Illustration
nonce
Nonce: a random number used only once. The purpose is to uniquely
relate two messages to each other.
Q1: Why include B in message 2?
Q2: How about if a chuck knows an old key KA,B?
Enhancement

Protection against malicious reuse of a previously generated
session key in the Needham-Schroeder protocol.
Authentication Using Public-Key
Cryptography

Mutual authentication in a public-key cryptosystem.
Q: how to exchange public keys?
Message Integrity & Confidentiality
Digital Signature

Goals:




To authenticate stored document files as well as messages
To protect against forgery
To prevent the signer from repudiating a signed document (denying
their responsibility)
Encryption of a document in a secret key constitutes a signature
-
impossible for others to perform without knowledge of the key
strong authentication of document
strong protection against forgery
weak against repudiation (signer could claim key was
compromised)
Illustration

Digital signing a message using public-key cryptography.
Digital Signature (2)

Digitally signing a message using a message digest.
Certificate Authority (CA)

Verify the owner of a public key


CA are organized in a hierarchy.



Maintain the (owner, public_key) by a certificate
authority
For each merchant, it issues a certificate.
The names of CA are widely known, e.g. Verisign.
Chain of trust

Certified by a higher-level CA: the central
authority: IPRA
CA Hierarchy
IPRA= Internet Policy
Registration Authority (root)
PCA= policy certification authority
IPRA
PCA1
CA
User
CA = certification authority
PCA2
CA
User
User
CA
PCA3
CA
CA
CA
CA
User
User
User
CA
User
User
Certificate Authorities in X.509
X.509 Certificate Format
Version
Serial Number
Signature Algorithm ID
Issuer (CA) X.500 Name
Validity Period
Subject X.500 Name
Subject Public Algorithm ID
Key Info Public Key Value
Issuer Unique ID
Subject Unique ID
CA Digital Signature
SSL Handshake
(PK_alg, encr_alg, MD)
Optional
K-C { R }
SSL Record Protocol
abcdefghi
Application data
Fragment/combine
Record protocol units
abc
def
ghi
Compress
Compressed units
Hash
MAC
Encrypt
Encrypted
Transmit
TCP packet
Message digest
Confidential Group
Communication




Goal: secure channels between each
pair of nodes
Share one key?
Share a key between each pair of
nodes?
Each node has its own private key but
all the nodes share a public key.
Access Control
General Issues in Access
Control

General model of controlling access to objects.
Access Control

•
•
Access control
Matrix
Access Control
List
Capabilities.
Protection Domains

The hierarchical organization of protection
domains as groups of users.
Firewalls
Common implementations of a firewall, e.g. a
packet-filtering router or an application gateway
Firewall Solutions

Definition - hardware &/or software
components that restrict access between a
restricted network & the Internet or between
networks
Logically - a separator, restricter, analyzer

Rarely a single object




Restricts people to entering at a controlled point
Prevents attackers from getting close to other
defenses (host controls)
Restricts people to leaving at a controlled point
Firewall Capabilities




Focus security decisions - single point to
leverage control
Enforce security policy -minimize
exceptions
Log Internet activity - analysis
Limit exposure - separate sensitive
areas of one network from another or
outside world
Firewall Limitations

Can’t protect against
malicious insiders
 connections that don’t go through it
 new threats
 viruses


scans for source & destination addresses
& port numbers, not details of data
Types of Firewalls

Simple traffic logging systems



audit log file of files accessed (HTTPD)
site usage/demand hours/links/browsers used
IP Packet Screening Routers (packet filtering
gateway)



not only looks at ‘can’ it route, but ‘should’ it
selectively routes or blocks packets based on rules
based on protocols, destination (port 80), known
source IP addresses
Types of Firewalls (cont.)

Hardened Firewall Host (hardware)



Halts unauthorized users
Concentrates security, hides internal system
names, centralizes & simplifies net management
Proxy Server (software)


Deals with external server requests on behalf of
internal clients
May limit certain HTTP methods (CGI or Java
applets)
Filtering Router
Mail server
(port=25)
Filtering router
Internet
Intranet
Check the source and destination address.
Make decisions based on security policies.
Filtering Router and Bastion Host

Firewall Architectures

Dual-homed host (two network interfaces)


One communicates externally, one internally
No direct communication internal to external hosts
Internet
Real Server
Dual-homed Host
Proxy
Server
Proxy Client/Internal Host
Advantages




All accesses can be logged
Reduce the number of Internet
connections by making it a caching
proxy
Does not reveal the names and
addresses of actual clients inside
But: slow down page downloading by
an order of magnitude.
Other Variations

Multiple Bastion Hosts



Merge Interior & Exterior Routers




Sufficient capability to specify inbound & outbound filters
Usually on the perimeter network
Merge Bastion Host & Exterior Router
Use Multiple Exterior Routers


Performance, redundancy, need to separate data & servers
Usenet, SMNP/DNS, FTP/WWW
Multiple connections to Internet or Internet + other sites
Multiple Perimeter Nets

Redundancy, privacy
Futures

Third-generation Firewalls



Client & server apps with native support for
proxied environments
Dynamic packet filtering


combined features of packet filtering & proxy
systems
Packet rules modified “on the fly” in response to
triggers
Underlying Internet protocol undergoing
revisions - IPv6
Not Recommended

Merging Bastion Host & Interior Router


Breach of host leaves access to internal net
Using Multiple Interior Routers




Routing software could decide fastest way to
another internal system is via the perimeter net
Difficult to keep multiple interior routers
configured correctly
Most important & complex set of packet filters
May need to use multiples to resolve
performance bottlenecks or separate internal
networks
Private Network
Virtual Private Network
Internet
Intranet A
Intranet B
Tunneling
Router RA
Router RB
RB
Station 100
200
Data
encrypted
Station 200
Tunneling
Virus
Virus
Memory-Resident Virus
Runs whenever certain
interrupts occur.
Encrypted virus
To conceal signature.
Worms: Illustration
Low address
Program
UNIX Address Space
Statically
allocated
data
Stack
High address
Procedure Call
E.g., finger aabbcc
[PC]
aa
bb
cc
ret
para2
para1
Buffer area allocated
by called fingerd
(512 bytes)
Return address
Stack
High address
Buffer Overflow
E.g., finger aabb…zz
0100
[PC]
aa
bb
cc
…
…
0100
para2
para1
Stack
Malicious program
(binary)
Return address
Security Management
Key Establishment

The principle of Diffie-Hellman key exchange.
Key Distribution (1)

Secret-key distribution
Key Distribution (2)

Public-key distribution: Certificate
Secure Group Management

Securely admitting a new group member P.
Authorization Management
Capabilities
48 bits
24 bits
8 bits
48 bits
Server port
Object
Rights
Check

A capability in Amoeba.
Capabilities Generation

Generation of a restricted capability from an owner
capability.
Delegation


Transfer the access rights on files, resources,
etc.
Suppose Alice wants to delegate rights to Bob


If Alice knows everyone, broadcast the certificate
Otherwise, construct a certificate saying “The
bearer of this certificate has rights R.”


Problems?
Using proxy, a token that allows its owner to operate
with the rights granted in the token.
The General Structure of A Proxy
Delegating And Exercising Rights
Example: Kerberos (1)

Authentication in Kerberos.
Example: Kerberos (2)

Setting up a secure channel in Kerberos.
Electronic Payment Systems
(1)

a)
b)
c)
Payment systems
based on direct
payment between
customer and
merchant.
Paying in cash.
Using a check.
Using a credit
card.
Electronic Payment Systems
(2)

a)
b)
Payment systems based on money transfer between
banks.
Payment by money order.
Payment through debit order.
Privacy Issue



Using cash
Using credit card
Online
Digital Money

Suppose Alice wants to pay $12 to Bob


Contact her bank and request withdrawal $12
Bank hands out digital money (each note is
signed)





Each note carries a unique serial number
Hand over the notes to Bob
Bob contact the bank if the money has been used.
Problem: privacy issue.
Solution: blind signature
E-cash

The principle of anonymous electronic cash using blind
signatures.