Transcript CS 854 – Hot Topics in Computer and Communications Security

CS 854 – Hot Topics in Computer
and Communications Security
Fall 2006
Introduction to
Cryptography and Security II
1
Announcements
 First paper review is due on Monday
Review one of the two mandatory papers
 FYI, I am the co-author of one of them

2
Digital Signatures
Cryptographic technique analogous to handwritten signatures.
 sender (Bob) digitally signs document,
establishing he is document owner/creator.
 verifiable, nonforgeable, nonrepudiable: recipient
(Alice) can prove to third party that Bob, and no
one else (including Alice), must have signed
document
 message integrity does not always require
nonrepudiation

See later
3
(Cryptographic) Hash Functions
Computationally expensive
to sign long messages m
Goal: fixed-length, easyto-compute digital
“fingerprint” H(m)
message digest,
cryptographic hash
function
 can compute KB(H(m))
instead of KB(m)
large
message
m
H: Hash
Function
H(m)
4
Properties of H(m)
 Input: arbitrarily long string of bits
 Output: fixed-size (i.e., H() is many to one)
 Given m, easy to compute H(m)
 One-way property/pre-image resistant
 For any given value x, it is computationally infeasible to
find m such that H(m) = x
 Weak-collision resistance/2nd pre-image resistant
 For any given message m1, it is computationally infeasible
to find m2 such that H(m1) = H(m2)
 Strong-collision resistance/collision resistance
 It is computationally infeasible to find a pair (m1,m2) such
that H(m1) = H(m2)
5
Does collision resistance imply
preimage resistance?
 Alfred Menezes: No1
 G(x) is collision resistant hash function with nbit output
 H(x) = 1 || x
if x has bitlength n

0 || G(x)
otherwise
 H(x) is collision resistant, but not preimage
resistant
 Doug Stinson: Yes2
 In Random Oracle Model
 Under certain circumstances (e.g., uniform hash
function)
1 Handbook of Applied Cryptography
2Some
observations on the theory of
cryptographic hash functions
6
Message Authentication Code
(MAC)
 MAC allows Alice and Bob to communicate such
that each of them can be sure that received
messages were not tampered with

no non-repudiation
 Keyed hash function can be used for implementing
MAC



e.g., x = SHA-1(k||m), transmit m and x
only Alice and Bob know k
not secure against length-extension attack
 HMAC = H(k XOR a || H(k XOR b || m))
a,b: specified constants
H: preferably SHA-256
7
Entity Authentication
 Prove that you are who you claim to be
 Based on
 what you know
• password

what you own
• badge

what you are
• fingerprint
8
Passwords
 User enters password, computer compares it with
password in file
 Bad if file gets stolen
 Store only password hashes in file


Use salt to avoid dictionary attacks due to weak
passwords
E.g., UNIX
 Susceptible to replay attacks if attacker can sniff
traffic exchanged between user and computer



Use secure channel (e.g., SSL, see later)
Challenge-response protocols
Zero-knowledge protocols
9
Overview
 Network security
 Symmetric-key encryption
 Public-key encryption
 Message integrity and authentication
 Entity authentication
 Key distribution
 Computer security
10
Trusted Intermediaries
Symmetric key problem:
Public key problem:
 How do two entities establish
 When Alice obtains Bob’s
shared secret key over
network?

requires secure channel
(confidentiality, authentication,
and message integrity)
Solution:
 trusted key distribution center
(KDC) acting as intermediary
between entities

E.g., Needham Schroeder
public key (from web site, email, diskette), how does she
know it is Bob’s public key,
not Trudy’s?

requires authenticated
channel and message
integrity
Solution:
 trusted certification
authority (CA)
11
Certification Authorities
 Certification authority (CA): binds public key to
particular entity, E.
 E (person, website) registers its public key with CA.



E provides “proof of identity” to CA.
CA creates certificate binding E to its public key.
certificate contains E’s public key, E’s name and address
(or IP address) and is digitally signed by CA.
Bob’s
public
key
Bob’s
identifying
information
+
KB
Signing
algorithm
CA
private
key
K-
CA
+
KB
certificate for
Bob’s public key,
signed by CA
12
Certification Authorities
 When Alice wants Bob’s public key:
gets Bob’s certificate (from Bob or elsewhere)
 apply CA’s public key to Bob’s certificate, get
Bob’s public key

• Alice needs to know CA’s public key
+
KB
Verify
signature
CA
public
key
Bob’s
public
+
key
KB
+
K CA
13
A certificate contains:
 info about




certificate owner,
including algorithm
and key value
itself (not shown)
serial number
(unique to issuer)
info about
certificate issuer
valid dates
digital signature
by issuer
14
SSL (Secure Socket Layer)
 transport-layer security service
 originally developed by Netscape
 subsequently became Internet standard known as
TLS (Transport Layer Security)
 uses TCP to provide a reliable end-to-end service
 server authentication



browser includes public keys for trusted CAs.
• check your browser
browser receives server certificate, issued by trusted
CA, from server
browser uses CA’s public key to validate certificate
 client authentication
 possible but typically applications use other means
15
SSL Services
 message integrity
 using a MAC with shared secret key
 similar to HMAC but with different padding
 confidentiality
 using symmetric encryption with a shared
secret key defined by Handshake Protocol
 AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
 message is compressed before encryption
16
SSL Handshake Protocol

allows server & client to:




authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
comprises a series of messages in phases
1.
2.
3.
4.
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish
17
SSL Handshake Protocol
RSA-based server authentication:
Phase 2: no server_key_exchange and
certificate_request
Phase 3: no certificate,
client_key_exchange contains premaster secret encrypted with public
key from server certificate,
no certificate_verify
Phase 4: client & server compute master
secret based on pre-master secret
and initial random numbers, finished
messages are
authenticated/encrypted based on
master secret
For client authentication: client sends
signed transcript in certificate_verify
From Stallings
18
SSL/TLS: Good Practices
 never enter confidential information (e.g.,
password) into a Web page that does not
have URL starting with https://...

even when the Web page says that it’s secure
nonetheless…
 pay attention to popup/warning messages
related to SSL or certificates
messages can be cryptic…
 see usability section later in course
 but now you can understand these messages 

19
Secure e-mail
sender wants confidentiality, sender authentication,
message integrity, and non-repudiation
-
KA
m
.
H( )
-
.
KA( )
-
KA(H(m))
+
KS
.
KS( )
+
m
KS
+
.
K B( )
+
Internet
+
KB(KS )
KB
Sender uses three keys: her private key, receiver’s
public key and newly created symmetric key
20
Pretty Good Privacy (PGP)
 widely used secure-email application
 developed by Phil Zimmermann, was target of 3-
year federal investigation in USA
 selected best available crypto algorithms to use
 uses symmetric key cryptography, public key
cryptography, hash function, and digital signature
as described.
 integrated into a single program, easy to use

not always, see usability section later in course
 on Unix, PC, Macintosh and other systems
 originally free, now also have commercial versions
available
21
PGP Key Management
 no centralized CA, every user is own CA
 can sign keys for users they know directly
 key servers collect/distribute (signed) public keys
 forms a “web of trust”
 fully trust keys that I have signed
 (partially) trust keys others have signed if have a chain
of signatures to them
 locally stored public keys are associated with
trust indicators


I fully trust Bob (his public key) to sign keys
I partially trust Alice (her public key) to sign keys
 users can also revoke their keys
22
Web of Trust
From Stallings
23
Overview
 Network security
 Symmetric-key encryption
 Public-key encryption
 Message integrity and authentication
 Entity authentication
 Key distribution
 Computer security
24
Access Control
 Different levels
 Applications (e.g., database)
 Operating system
 Hardware
 Access control matrix
 Rows list resources, columns list people, entries list kind
of access (read, write, execute,…)
 Access control lists (ACLs): column-wise implementation
• List of people that can access a resource

Capabilities: row-wise implementation
• List of resources that a person can access

Hybrid
• ACL upon first access, capability subsequently
25
Multilevel Security
 Information has different levels of
classification

Confidential, secret, top secret,…
 Very well researched due to military
funding
 Security policy: Clearly and concisely
expresses goals of protection mechanism

Confidentiality
• To whom can what information be disclosed

Integrity
• Who is allowed to modify what information
26
Bell-LaPadula Security Policy Model
 Proposed in 1973
 Simple security property
 No process may read data at a higher level
 No read up (NRU)
 People cleared to ‘confidential’ cannot access top secret
data
 *-property
 No process may write to a lower level
 No write down (NRW)
 Process running as ‘top secret’ cannot write files at
‘confidential’ level (maybe inadvertently)
 Mandatory access control
 As opposed to discretionary access control
27
Biba Integrity Model
 Proposed in 1977
 Ignores confidentiality
 Low water mark principle: integrity of an
object is the lowest level of all objects
that contributed to its creation
 Later in course: (Remotely) proving
integrity of a computer (e.g., no virus)
28
Other Aspects of Computer
Security
 Covert channels

Later in course
 Software security
 Buffer overflows
 Cross-site scripting vulnerabilities
 Later in course
 Auditing
 Intrusion detection and recovery
 Computer forensics
29
Cryptography/Security Books
 Mark Stamp, Information Security
 Doug Stinson, Cryptography
 Bruce Schneier, Applied Cryptography
 Ross Anderson, Security Engineering
http://www.cl.cam.ac.uk/~rja14/book.html
 Viega & McGraw, Building Secure Software
 Cranor & Garfinkel, Security and Usability
30
Current/Upcoming
Cryptography/Security Courses
 Fall 2006:

C&O 685: The Mathematics of Public-Key
Cryptography
 Winter 2007:

CS 758: Cryptography/Network Security
 Fall 2007 (planned):
 CS 698 – Computer/Networks Security
31
Conferences of Interest
 Security: USENIX Security, ACM CCS,
IEEE Security & Privacy, NDSS,
SecureComm
 Privacy: PET, WPES, SOUPS
 Economics: WEIS
 Usability: SOUPS, CHI
 Pervasive computing: UbiComp, PerCom,
Pervasive, PerSec
32