Data Refinement

Download Report

Transcript Data Refinement

Lecture 0
Anish Arora
CSE 5473
Network Security
Objectives
•
Network (cyber-) security threats and countermeasures
•
Elements of cryptography
•
Protocols for security services
•
Network security design using available secure solutions
•
Some advanced issues and technologies
(e.g. DDoS attacks, anonymous communications, wireless
security, device / sensor network / cyberphysical security)
•
Original research in network security
Yes, You will Master Acronyms
•
DES, AES, RSA, Blowfish, MD, RC, SHA…
•
IPSec
•
OSPF
•
SSL, TLS
•
PGP (BGP?), Shibboleth
•
DDoS
What We Won’t Cover
•
How to configure and install security solutions
•
Forensics
•
Comprehensive organization approach to information assurance
•
Business aspects of network security
And we’ll only superficially cover:
•
Mathematics underlying cryptography
•
How to crack systems (spyware, malware, adware)
•
How to deal with access breaches (firewalls, IDS, port knocking)
•
Legal issues underlying export and patenting
Related Courses that Do Cover What We Omit
•
CSE 5473: This course
 Focuses on network aspects of the tip of the so-called
security pyramid
•
CSE 4471*: Information Security
 A big picture perspective. From time to time, I’ll refer you
here for background reading or access security
•
CSE 5351: Introduction to Cryptography
 A reference for details on some of our topics
Also 5472 (Information Security Projects), 5359 (Int. Studies in Crypto.)
*: All links in lectures are optional reading unless otherwise specified
What We Will Assume
You should be familiar with:
 Network layers
 Protocols for the transport layer (TCP, UDP), for
routing (RIP or OSPF), for the application layer (http)
 C/C++ and/or script programming
I expect from you some mathematical maturity, including
the ability to learn and use new mathematical &
programming notations (NesC for instance)
Course Materials
Webpage: http://cse.ohio-state.edu/~anish/5473.html
syllabus, slides, notes, assignments, announcements
see also CARMEN (cse_5473_sp2015_31987)
Text
•
William Stallings, Cryptography and Network Security: Principles
& Practice ; either:

5th Ed., Prent. Hall, 2010, ISBN:0136097049 errata

4th Ed., Prent. Hall, 2002, ISBN:0131873164 errata
References
•
•
Mark Stamp, Information Security: Principles & Practice, Wiley
2011 ISBN:0470626399
Bruce Schneier, Applied Cryptography, 2nd Ed., Wiley 1996
ISBN 0-471-11709-9
My Expectations
•
Read the material assigned in class, to the point that you
can answer simple conceptual or what-if questions in the
quiz. (I don’t expect you to remember details of crypto
algorithms or security protocols or usage parameters)
•
Work independently and ethically on homeworks and labs
•
Read lectures before class, we can more time in class to
discuss flaws, threats, attacks relevant to the discussion;
keep in mind you may know more about specific security
features and bugs than I do
Grading Plan
•
Homework assignments:15% (focus: puzzles)
•
Laboratory exercises:
25% (focus: cracking)
•
In-class quizzes:
10% (focus: pay attention in class)
•
Midterm quiz:
20% (focus: concepts)
•
Research project:
30% (focus: theory/implementation)
Project will be done by teams of 2 undergraduates, or one
graduate student. I’ll provide options for programming
projects or you may consult with me to choose your own
(theory, analysis, design, or implementation) project
Grading is relative  You might get an A at 75%
Outline of Lecture 0
•
Security attacks
•
Security mechanisms
•
Security models
•
Security services
Background `big picture’ :

4471 discussion of threats/attack (Read this)
Security Attacks
Definition Any action that compromises security of information
Examples :
Security Attacks (contd.)
•
Other attacks include:

Flooding, Denial of Service, Jamming

Traffic Analysis

Routing Attacks: false routes, configuration changes (SNMP)

Leak Information, Disown Information

Remote arbitrary code execution, e.g., via Viruses or Worms

Trapdoors, Covert functions, Logic Bombs

Man in the Middle
 impersonates peers to one another; provides service via others

Free Rider or Free Loader
 a peer that gets service but does not provide service
Lazy Middle Man
 a peer that does part of the work but never whole
 Inject faults

Number of Security Attacks
Trends in Security Attacks
Optional reading: Malware, Worms, Phishing, Botnets, XSS
Security Attacks (contd.)
•
Attacks are comprised of elementary attacks:
 Replay
 Deletion
 Host compromise
 Capability compromise
 Key compromise
 Data Encryption: requires knowledge of key
 Data Decryption: requires knowledge of inverse key
 Timestamps: requires access to a secure time server
 Eavesdropping
 IP spoofing
(Optional reading: Sniffing, Spoofing, Password tools)
Types of Security Attacks
Attacks
Attacks
Attacks
A Classification of Security Attacks
•
Passive or Active:

•
Host Compromise or Communication Compromise:

•
•
both can access information being communicated, but only the
latter can create or modify it
only the former can obtain knowledge of all information known to
the host
Internal or External:

only the former can impersonate a system process, and thus also
act as an intermediary

only the former let’s the protocol being executed known
Destructive or Nondestructive:

only the latter allows information to still be correctly communicated
to the destination(s)
Security Mechanism
Definition A mechanism that is designed to detect, prevent,
or recover from a security attack
Pervasive security mechanisms include:
 encryption or encipherment
 digital signatures, notarization
 traffic padding
 routing control
 trusted functionality
 security labels
 access controls
 event detection
 audit trails
 firewalls
Types of Keys
Cryptography underlies many security mechanisms. Keys are
often used for securing or unsecuring information
•
•
•
•
Symmetric, S:
Same key is used to encode and decode
Asymmetric or Public/Private, B/R:
Public key is used to encode, private key to decode
One way function, f:
Given x, it is easy to compute f(x), but given f(x) it’s hard to
compute x
One way function with trapdoor, f:
A one way function where given f(x) it is easy to compute x if
one knows a trapdoor function g s.t. g(f(x))=x
Types of Keys (contd.)
•
•
•
•
One way permutation, f,g:
Both f and g are one way functions and each other's trapdoor
One way hash function, MD:
A hash function MD that is one way
(Recall that a hash function may be many-to-one)
One way weakly collision-free hash function, MD:
A one way hash function MD s.t. given x it is hard to compute
a different y s.t. MD(x)=MD(y)
One way strongly collision-free hash function, MD:
A one way hash function MD s.t. it is hard to compute
different x and y s.t. MD(x)=MD(y)
Types of Keys (contd.)
•
Weak key:
A key in the key-space that does not encode well,
e.g., 0-key, and is thus easy to guess
•
Complement key:
A key s.t. Complement(f(x)) = f(Complement(x))
and thus involves considering half the x to guess
•
Related keys:
A pair of keys that are related by some difference
which can be exploited to reduce the number of x to guess
Kerchoff’s Principle
•
•
•
For key based cryptosystems, the property of security
should not rely on the secrecy of the mechanism (aka,
algorithm)
In other words, it should rely only on the secrecy of the
key
Interpretation: avoid security by obscurity
Security Models:
A Model for Secure Network Communication
Consider information flowing over an insecure communications
channel, in the presence of possible opponents
An appropriate security transform (encryption algorithm) can be
used, with suitable keys, possibly negotiated using the presence
of a trusted third party
Using this model requires us to:
•
design a suitable algorithm for the security transformation
•
generate the secret information (keys) used by the algorithm
•
develop methods to distribute and share the secret information
•
specify a protocol enabling the principals to use the
transformation and secret information for a security service
A Model for Secure Network Communication
A Model for Network Access Security
Consider controlled access to information or resources on a
computer system, in the presence of possible opponents
Appropriate controls are needed on the access and within
the system, to provide suitable security. Some
cryptographic techniques are useful here also
Using this model requires us to:
•
•
•
select appropriate gatekeeper functions to identify users
implement security controls to ensure only authorized
users access designated information or resources
implement trusted computer systems
A Model for Network Access Security
Recall: CSE 651 focuses more on Comm. than Access Model
Security Service
Definition A service that enhances the security of data
processing systems and information transfers.
Makes use of one or more security mechanisms
Examples of network security service requirements:
•
authentication
•
privacy, confidentiality
•
integrity
•
non repudiation
•
obliviousness
•
information flow
Authentication
Definition The requirement by which a process securely
communicates its identity to another
Thus, if process k receives an identification communication from
process j then it must be the case that there is a corresponding
send of that identification communication by j
Note that if messages are not all unique, then to deal with replay
of old communications from j, we may have to embed counters
in the state to capture bad prefixes
Instances of identity communication of j:
kj : n
j  k : R.j ‹n›
or
kj : n
j  k : S ‹n ; j›
Privacy
Definition The requirement by which communication is possible
that can be decoded only by the processes that agree to
communicate
In some cases, source, destination, frequency of communication
needs to be protected as well
Instances of private communication from j to k:
•
j  k : S ‹data›
or
•
j  k : B.k ‹data›
Integrity
Definition The requirement by which a recipient can prove
to itself that the message is what was indeed sent
I.e., the message was not modified or replaced
Instance of integrity of communication from j to k:
•
j  k : data, MD(data; S)
Non Repudiation
Definition The requirement by which a recipient can prove to anyone
that the message was indeed sent by the sender
Likewise, a sender can prove that a recipient indeed received the
message
Note that non-repudiation implies integrity, but not vice versa. Note that
non-repudiation does not necessarily imply authentication, since the
message could have been forwarded by a third party
Instance of nonrepudiation of communication from j to k:
•
j  k : data, R.j ‹data›
or
•
j  k : data, R.j ‹MD(data)›
Obliviousness
Definition The requirement by which a process may
perform a set of operations but not be sure which one (or
more) of them was correctly performed
•
•
E.g., a process may send two messages but not be sure
which one of them was correctly received
E.g. (slide 93 onwards), a process may sign one of a set
of messages but not know which one it signed, or use one
of a set of keys to encrypt with but not know which one
was chosen
Information Flow
Definition The requirement by which a high-level process
cannot communicate any information to a low-level
process, directly or indirectly
Sometimes this is called absence of covert channels or
subliminal channels
One sufficient condition for this requirement is called
noninterference, which says that the outcome of an action
of a low-level process in a computation remains the same
even if actions performed by all higher-level processes are
added or deleted to the computation
Security services (contd.)
Other important security services include:
•
authorization: access is enabled if that access is allowed
•
availability: permanence, non-erasure
•
verifiability: a sort of integrity, revealing originality not content
•
unforgeability: a sort of integrity, forged messages must be
independent of original messages
•
distinguishability: can guess whether encrypted msg is m0/m1
•
detectability: can guess whether encrypted msg is valid
Optional reading: Firewalls (upto slide 37), Intrusion Detection
An aside on hashing
•
Length of hash << length of message, & often fixed at 48-128
•
Some other names of hashing: finger printing, message
integrity check (MIC), message digest, cryptographic
checksum, manipulation detection code
•
Hash functions are wellknown. So hashing, unlike encryption
algorithms, is exportable; often used to communicate
programs securely over the web
•
MD‹key;data› is a message authentication code (MAC) or data
authentication code (DAC); knowing key
More on hashing: Relative costs
Using 0 keys (MD) is cheaper that using 1 key (S), which in turn
is cheaper than using 2 keys (B, R)
Privacy by j  k: S‹data› is cheaper than j  k: B.k‹data›
Authentication by j  k: MD‹j;n;S› is cheaper than j  k: S‹j;n›
Non-repudiation via R.j‹MD‹data›› is cheaper than R.j‹data›
Often 2 keys are used in rare modes and 1 key is used in
common modes
Ethical, social, policy and legal issues
•
•
•
•
Some software we will study may be under export
restriction, it is your responsibility to obey the applicable
laws
Many of the algorithms we will discuss are protected by
patents, which makes it illegal to make and sell (or give
away) computer programs that use those algorithms
I expect you to work individually. Cheating/undisclosed
collaboration will be dealt with severely
Background `Big Picture’ Reading:
 From CSE4471 on Ethics/Law (optionally this, this)
Patent issues
•
Many cryptographic techniques & algorithms are patented
•
Some are nonetheless royalty free (DES), at least for public
use
•
Software licenses are necessary in these cases
Export issues
•
Some governments consider encryption a dangerous technology
•
USA, Australia, New Zealand, France and Russia control export
•
Export licenses are needed for export to a government
•
Import always ok; cannot export to Cuba, Iran, Iraq, Libya, North
Korea, Sudan, Syria
•
Previously:
 Technical review needed for export to non-government
 Open source did not need review but must have deposited source code
 Less than 64 bit encryption generally ok for export
 Illegal to carry abroad encryption software on your laptop!
Elements of cryptography:
Types of security
•
unconditional security
 no matter how much computation is available, cipher cannot be
broken since ciphertext provides insufficient information to
uniquely determine the corresponding plaintext
 one-time pad: a truly random key as long as the message
 is unbreakable: ciphertext bears no statistical relationship to plaintext
 can only use the key once though
 have problem of safe distribution of key
•
computational security

given limited computing resources (e.g. time needed for calculations is
greater than age of universe), the cipher cannot be broken
Terminology
•
cryptography - study of encryption principles/methods

characterize by:
 number of keys used
o
single-key or private / two-key or public
 type of encryption operations used
o
substitution / transposition / product
 way in which plaintext is processed
o
•
•
•
block / stream
cryptanalysis (codebreaking) - study of principles/ methods of
deciphering ciphertext without knowing key
cryptology - the field of both cryptography and cryptanalysis
brute force attacks – search-based alternative to cryptanalaysis:
attacker tries every possible key to decipher ciphertext
Brute force attacks
•
always possible to simply try every key
•
most basic attack, proportional to key size
•
assume either know / recognise plaintext
•
not all key sizes equal:
• 80 bit DES ~ 1024 bit RSA
• as of 2010, neither regarded as secure
Types of cryptanalysis attacks
•
ciphertext only
 only know ciphertext / algorithm, statistical, can identify plaintext
•
known plaintext

•
attack cipher by knowing / suspecting plaintext & ciphertext
chosen plaintext
 attack cipher by selecting plaintext and obtaining ciphertext,
useful if limited set of messages
•
chosen ciphertext
 attack cipher by selecting ciphertext and obtaining plaintext
•
chosen text
 attack cipher by selecting either plaintext or ciphertext to
en/decrypt
Things we won’t really talk about
Substitution ciphers:
 where letters of plaintext are replaced by others: b  e, c  f
 or where if plaintext is viewed as a sequence of bits, then bit
patterns are replaced with ciphertext bit patterns
 monoalphabetic: arbitrary mapping of letter to letter; 26!
multiletter coding: mapping from multiple letters
polyalphabetic techniques: multiple mappings e.g. position based
 subject to brute force search and frequency attacks
Transposition (permutation) ciphers:
 where the letter order is rearranged without altering the letters
 subject to frequency attacks
Things we won’t really talk about
Product ciphers:
 use several ciphers in succession to make harder
 especially if a substitution is followed by a transposition
 number of rounds should suffice to make output look random
 each input bit in “block” should affect every output bit
 this is bridge from classical to modern ciphers
Cryptanalysis tools:
 special hardware
 supercomputers or parallel machines
 Internet coarse-grain parallelism
Things we won’t really talk about (contd.)
Steganography
 an alternative to encryption
 hides existence of message
 uses only subset of letters/words in longer msg marked in some way
 using invisible ink
 hiding in LSB in graphic image or sound file
 drawback: high overhead to hide relatively few info bits