CS 854 – Hot Topics in Computer and Communications Security, Fall 2006: Introduction to Cryptography and Security II
Announcements • First paper review is due on Monday • Review one of the two mandatory papers • FYI, I am the co-author of one of them
Digital Signatures • Cryptographic technique analogous to hand-written signatures • sender (Bob) digitally signs document, establishing he is document owner/creator • verifiable, nonforgeable, nonrepudiable: recipient (Alice) can prove to third party that Bob, and no one else (including Alice), must have signed document • message integrity does not always require nonrepudiation (see later)
(Cryptographic) Hash Functions • Computationally expensive to sign long messages m • Goal: fixed-length, easy-to-compute digital “fingerprint” H(m) • message digest, cryptographic hash function • can compute KB⁻(H(m)) instead of KB⁻(m) [Figure: large message m → H: Hash Function → H(m)]
Properties of H(m) • Input: arbitrarily long string of bits • Output: fixed-size (i.e., H() is many to one) • Given m, easy to compute H(m) • One-way property/pre-image resistant • For any given value x, it is computationally infeasible to find m such that H(m) = x • Weak-collision resistance/2nd pre-image resistant • For any given message m1, it is computationally infeasible to find m2 such that H(m1) = H(m2) • Strong-collision resistance/collision resistance • It is computationally infeasible to find a pair (m1,m2) such that H(m1) = H(m2)
Does collision resistance imply preimage resistance? • Alfred Menezes: No [1] • G(x) is collision resistant hash function with n-bit output • H(x) = 1 || x if x has bitlength n; 0 || G(x) otherwise • H(x) is collision resistant, but not preimage resistant • Doug Stinson: Yes [2] • In Random Oracle Model • Under certain circumstances (e.g., uniform hash function) [1] Handbook of Applied Cryptography [2] Some observations on the theory of cryptographic hash functions
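Menezes’ counterexample worked through in Python, as an added example that is not part of the original slides: SHA-256 stands in for the collision-resistant G with n = 256, and the extra leading bit is encoded as a one-byte tag. Every output on the “1” branch has a trivial preimage, while any collision in H is also a collision in G.

```python
import hashlib
from typing import Optional

N = 256  # output length of the underlying hash G, in bits (assumption: SHA-256)

def G(x: bytes) -> bytes:
    """Stand-in for the slide's collision-resistant n-bit hash G."""
    return hashlib.sha256(x).digest()

def H(x: bytes) -> bytes:
    """The slide's H: 1 || x if x is exactly n bits long, else 0 || G(x).
    The (n+1)-bit output is encoded as a tag byte (0 or 1) followed by n bits."""
    if len(x) * 8 == N:
        return b"\x01" + x
    return b"\x00" + G(x)

def preimage(y: bytes) -> Optional[bytes]:
    """Invert H on the '1' branch: for any output starting with 1, the preimage is
    simply the output with the leading bit stripped. This covers half of H's
    range, so H is not preimage resistant even though G is."""
    if len(y) == 1 + N // 8 and y[0] == 1:
        return y[1:]
    return None  # '0' branch: inverting here would mean inverting G

def collision_reduces_to_G(x1: bytes, x2: bytes) -> bool:
    """True iff x1 != x2 collide under H. Such a pair must lie on the '0' branch
    (the '1' branch is injective and the tag separates the branches), so it is
    also a collision for G: breaking H's collision resistance breaks G's."""
    if x1 == x2 or H(x1) != H(x2):
        return False
    assert G(x1) == G(x2) and len(x1) * 8 != N and len(x2) * 8 != N
    return True
```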
Message Authentication Code (MAC) • MAC allows Alice and Bob to communicate such that each of them can be sure that received messages were not tampered with • no non-repudiation • Keyed hash function can be used for implementing MAC • e.g., x = SHA-1(k||m), transmit m and x • only Alice and Bob know k • not secure against length-extension attack • HMAC = H((k XOR a) || H((k XOR b) || m)) • a, b: specified constants • H: preferably SHA-256
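The HMAC formula from the slide implemented directly and checked against Python’s `hmac` module, as an added example that is not part of the original slides: a = opad (0x5c), b = ipad (0x36), and the key is first brought to one hash block as HMAC specifies.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # the slide's constants b and a, repeated to block length

def hmac_from_slide(key: bytes, msg: bytes, hashfunc=hashlib.sha256) -> bytes:
    """HMAC = H((k XOR opad) || H((k XOR ipad) || msg)).
    Keys longer than one block are hashed first; shorter keys are zero-padded
    to the block size, so k XOR ipad / k XOR opad are full blocks."""
    block = hashfunc().block_size  # 64 bytes for SHA-1 and SHA-256
    if len(key) > block:
        key = hashfunc(key).digest()
    key = key.ljust(block, b"\x00")
    k_ipad = bytes(k ^ IPAD for k in key)
    k_opad = bytes(k ^ OPAD for k in key)
    inner = hashfunc(k_ipad + msg).digest()  # inner hash keyed with k XOR b
    return hashfunc(k_opad + inner).digest()  # outer hash keyed with k XOR a

def reference_hmac(key: bytes, msg: bytes, hashfunc=hashlib.sha256) -> bytes:
    """Standard-library HMAC, used to cross-check the hand-written version."""
    return hmac.new(key, msg, hashfunc).digest()

def verify(key: bytes, msg: bytes, tag: bytes, hashfunc=hashlib.sha256) -> bool:
    """Receiver-side check; constant-time comparison avoids timing leaks."""
    return hmac.compare_digest(hmac_from_slide(key, msg, hashfunc), tag)
```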
Entity Authentication • Prove that you are who you claim to be • Based on • what you know • password • what you own • badge • what you are • fingerprint
Passwords • User enters password, computer compares it with password in file • Bad if file gets stolen • Store only password hashes in file • Use salt to avoid dictionary attacks due to weak passwords • E.g., UNIX • Susceptible to replay attacks if attacker can sniff traffic exchanged between user and computer • Use secure channel (e.g., SSL, see later) • Challenge-response protocols • Zero-knowledge protocols
Overview • Network security • Symmetric-key encryption • Public-key encryption • Message integrity and authentication • Entity authentication • Key distribution • Computer security
Trusted Intermediaries • Symmetric key problem: How do two entities establish shared secret key over network? • requires secure channel (confidentiality, authentication, and message integrity) • Solution: trusted key distribution center (KDC) acting as intermediary between entities • E.g., Needham-Schroeder • Public key problem: When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s? • requires authenticated channel and message integrity • Solution: trusted certification authority (CA)
Certification Authorities • Certification authority (CA): binds public key to particular entity, E. • E (person, website) registers its public key with CA. • E provides “proof of identity” to CA. • CA creates certificate binding E to its public key. • certificate contains E’s public key, E’s name and address (or IP address) and is digitally signed by CA. [Figure: Bob’s public key KB⁺ and Bob’s identifying information → signing algorithm with CA private key KCA⁻ → certificate for Bob’s public key, signed by CA]
Certification Authorities • When Alice wants Bob’s public key: • gets Bob’s certificate (from Bob or elsewhere) • apply CA’s public key to Bob’s certificate, get Bob’s public key • Alice needs to know CA’s public key [Figure: certificate → verify signature with CA public key KCA⁺ → Bob’s public key KB⁺]
A certificate contains: • info about certificate owner, including algorithm and key value itself (not shown) • serial number (unique to issuer) • info about certificate issuer • valid dates • digital signature by issuer
SSL (Secure Socket Layer) • transport-layer security service • originally developed by Netscape • subsequently became Internet standard known as TLS (Transport Layer Security) • uses TCP to provide a reliable end-to-end service • server authentication • browser includes public keys for trusted CAs. • check your browser • browser receives server certificate, issued by trusted CA, from server • browser uses CA’s public key to validate certificate • client authentication • possible but typically applications use other means
SSL Services • message integrity • using a MAC with shared secret key • similar to HMAC but with different padding • confidentiality • using symmetric encryption with a shared secret key defined by Handshake Protocol • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 • message is compressed before encryption
SSL Handshake Protocol • allows server & client to: • authenticate each other • to negotiate encryption & MAC algorithms • to negotiate cryptographic keys to be used • comprises a series of messages in phases • Establish Security Capabilities • Server Authentication and Key Exchange • Client Authentication and Key Exchange • Finish
SSL Handshake Protocol • RSA-based server authentication: • Phase 2: no server_key_exchange and certificate_request • Phase 3: no certificate; client_key_exchange contains pre-master secret encrypted with public key from server certificate; no certificate_verify • Phase 4: client & server compute master secret based on pre-master secret and initial random numbers; finished messages are authenticated/encrypted based on master secret • For client authentication: client sends signed transcript in certificate_verify [Figure from Stallings]
SSL/TLS: Good Practices • never enter confidential information (e.g., password) into a Web page that does not have URL starting with https://... • even when the Web page says that it’s secure nonetheless… • pay attention to popup/warning messages related to SSL or certificates • messages can be cryptic… • see usability section later in course • but now you can understand these messages
Secure e-mail • sender wants confidentiality, sender authentication, message integrity, and non-repudiation • Sender uses three keys: her private key, receiver’s public key and newly created symmetric key [Figure: sender computes H(m) and signs it with her private key KA⁻, giving KA⁻(H(m)); m and the signature are encrypted under the symmetric key KS, and KS is encrypted with the receiver’s public key KB⁺ as KB⁺(KS); both ciphertexts are sent over the Internet]
Pretty Good Privacy (PGP) • widely used secure-email application • developed by Phil Zimmermann, was target of 3-year federal investigation in USA • selected best available crypto algorithms to use • uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. • integrated into a single program, easy to use • not always, see usability section later in course • on Unix, PC, Macintosh and other systems • originally free, now also have commercial versions available
PGP Key Management • no centralized CA, every user is own CA • can sign keys for users they know directly • key servers collect/distribute (signed) public keys • forms a “web of trust” • fully trust keys that I have signed • (partially) trust keys others have signed if have a chain of signatures to them • locally stored public keys are associated with trust indicators • I fully trust Bob (his public key) to sign keys • I partially trust Alice (her public key) to sign keys • users can also revoke their keys
Web of Trust From Stallings
Overview • Network security • Symmetric-key encryption • Public-key encryption • Message integrity and authentication • Entity authentication • Key distribution • Computer security
Access Control • Different levels • Applications (e.g., database) • Operating system • Hardware • Access control matrix • Rows list resources, columns list people, entries list kind of access (read, write, execute,…) • Access control lists (ACLs): column-wise implementation • List of people that can access a resource • Capabilities: row-wise implementation • List of resources that a person can access • Hybrid • ACL upon first access, capability subsequently
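The three implementations of the access control matrix from the slide (ACL per resource, capability list per person, and the hybrid that consults the ACL on first access and then caches a capability), as an added example that is not part of the original slides; the matrix contents are constructed.

```python
from typing import Dict, Set

# Constructed access control matrix: resource -> person -> rights (not from the slides)
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "/bin/ls":    {"alice": {"execute"}, "bob": {"execute"}, "carol": {"execute"}},
    "audit.log":  {"carol": {"read"}},
}

def acl_for(resource: str) -> Dict[str, Set[str]]:
    """ACL: the matrix sliced per resource, listing who may access it and how."""
    return {p: set(r) for p, r in MATRIX.get(resource, {}).items()}

def capabilities_for(person: str) -> Dict[str, Set[str]]:
    """Capability list: the matrix sliced per person, listing what they may access."""
    return {res: set(entries[person]) for res, entries in MATRIX.items() if person in entries}

def acl_check(person: str, resource: str, right: str) -> bool:
    """Pure ACL mediation: look up the resource's list on every access."""
    return right in acl_for(resource).get(person, set())

class Session:
    """Hybrid scheme: the ACL is consulted on the first access to a resource and
    the granted rights are cached as a capability held by this session. Note the
    classic trade-off: a later change to MATRIX does not revoke a cached capability."""
    def __init__(self, person: str):
        self.person = person
        self.caps: Dict[str, Set[str]] = {}
        self.acl_lookups = 0  # counts how often the ACL was actually consulted

    def access(self, resource: str, right: str) -> bool:
        if resource not in self.caps:
            self.acl_lookups += 1
            self.caps[resource] = set(MATRIX.get(resource, {}).get(self.person, set()))
        return right in self.caps[resource]
```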
Multilevel Security • Information has different levels of classification • Confidential, secret, top secret,… • Very well researched due to military funding • Security policy: Clearly and concisely expresses goals of protection mechanism • Confidentiality • To whom can what information be disclosed • Integrity • Who is allowed to modify what information
Bell-LaPadula Security Policy Model • Proposed in 1973 • Simple security property • No process may read data at a higher level • No read up (NRU) • People cleared to ‘confidential’ cannot access top secret data • *-property • No process may write to a lower level • No write down (NRW) • Process running as ‘top secret’ cannot write files at ‘confidential’ level (maybe inadvertently) • Mandatory access control • As opposed to discretionary access control
Biba Integrity Model • Proposed in 1977 • Ignores confidentiality • Low water mark principle: integrity of an object is the lowest level of all objects that contributed to its creation • Later in course: (Remotely) proving integrity of a computer (e.g., no virus)
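The Bell-LaPadula rules (no read up, no write down) and the Biba low water mark principle from the two slides above, as an added example that is not part of the original slides; the clearance and integrity level names are constructed.

```python
from typing import Iterable

# Constructed classification levels for Bell-LaPadula (a total order here)
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
# Constructed integrity levels for Biba
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}

def blp_read_allowed(subject: str, obj: str) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's classification."""
    return CLEARANCE[subject] >= CLEARANCE[obj]

def blp_write_allowed(subject: str, obj: str) -> bool:
    """*-property (no write down): the object's classification must dominate the
    subject's level, so a 'top secret' process cannot leak into a 'confidential'
    file, even inadvertently."""
    return CLEARANCE[obj] >= CLEARANCE[subject]

def blp_mediate(subject: str, obj: str, op: str) -> bool:
    """Mandatory check a reference monitor runs on every access; the user cannot
    override it, unlike discretionary permissions."""
    if op == "read":
        return blp_read_allowed(subject, obj)
    if op == "write":
        return blp_write_allowed(subject, obj)
    raise ValueError(f"unknown operation {op!r}")

def biba_low_water_mark(contributors: Iterable[str]) -> str:
    """Biba low water mark: a new object's integrity is the lowest integrity
    among all objects that contributed to its creation."""
    levels = list(contributors)
    if not levels:
        raise ValueError("an object needs at least one contributor")
    return min(levels, key=lambda lvl: INTEGRITY[lvl])
```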
Other Aspects of Computer Security • Covert channels • Later in course • Software security • Buffer overflows • Cross-site scripting vulnerabilities • Later in course • Auditing • Intrusion detection and recovery • Computer forensics
Cryptography/Security Books • Mark Stamp, Information Security • Doug Stinson, Cryptography • Bruce Schneier, Applied Cryptography • Ross Anderson, Security Engineering, http://www.cl.cam.ac.uk/~rja14/book.html • Viega & McGraw, Building Secure Software • Cranor & Garfinkel, Security and Usability
Current/Upcoming Cryptography/Security Courses • Fall 2006: • C&O 685: The Mathematics of Public-Key Cryptography • Winter 2007: • CS 758: Cryptography/Network Security • Fall 2007 (planned): • CS 698 – Computer/Networks Security
Conferences of Interest • Security: USENIX Security, ACM CCS, IEEE Security & Privacy, NDSS, SecureComm • Privacy: PET, WPES, SOUPS • Economics: WEIS • Usability: SOUPS, CHI • Pervasive computing: UbiComp, PerCom, Pervasive, PerSec