CSci 8271 Security and Privacy in Computing
Lecture 1: Introduction
Fall 2011
Yongdae Kim
Introduction
• CSci 8271: Security and Privacy in Computing
• Sixth offering
• Yongdae Kim
  • 9 year-old hard-working, but not bright prof :-)
  • E-mail: kyd(at)cs.umn.edu (preferred)
  • Phone: 612-626-7526
  • Office hour: EECS 4-225E, W 5:00 ~ 6:00 PM
  • Google chat @yongdaek
  • Else by appointment
• 17+ in-class students and 3 UNITE students
Basic Information
• 3 units
• W 6:30 ~ 9:00, KHKH 3-111
• Catalog description
  • This course discusses recent security and privacy issues in a broad range of computer systems and networks.
  • Various threats on each system, attacks, and countermeasures will be addressed.
• Prerequisite (or who's ahead?): count how many courses you have taken among
  • (Basic, Advanced) Algorithms, Data Structures
  • (Basic, Advanced) Networks, Operating Systems
  • Computer Security
  • Cryptography
Course Objectives
• To learn the security threats each system has
• To learn the basic security primitives used in computer and network security
• To learn how to apply these primitives in designing secure systems
• To learn how to claim the security of systems
Textbooks
• Required: a bunch of papers!!!
• Optional: Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone (Editor), CRC Press, ISBN 0849385237. Available on-line at http://www.cacr.math.uwaterloo.ca/hac/
Student Expectations
• Keep up with the material
  • Complete relevant readings before class
  • Browse lecture slides
• Lecture participation
  • Presentation: draft slides should be sent to me at least 1 week ahead.
  • Reading report: 2 per week (except next week)
    • Format available
    • Everyone, including the presenter
    • Paper1 = MD5(studentID) % (# of papers), Paper2 = Paper1 + 1
  • Evaluation of presentation: criteria available soon
  • Discussion
  • Feedback!!!!
• Read your email regularly (at least twice a day).
• Research project
Class Information
• Lecture format
  • Slides
  • Presentations by me and you
• Browse the course Web site often: http://www-users.itlabs.umn.edu/classes/Fall-2011/csci8271/
  • Check it regularly
  • News and lecture notes (in PDF) will all be there
• Please read your email!
Grading
• Distribution (tentative)
  • Scale: A, A-, B+, B, B-, …
  • Lecture presentation: 24%
  • Reading report: 36% (= 3% x 12)
  • Research project: 40%
    • Proposal: 5%
    • Interim report: 5%
    • Paper: 25%
    • Presentation: 5%
• Policy
  • I prefer hard course, good grade!
  • Can be changed depending on you
  • Which way? $&#($@(
Project
• Individual or group project (at most 3 in a group)
• Subject should be confirmed by the instructor
• Important dates
  • Pre-proposal: Sep 25, 11:59 PM
  • Full proposal: Oct 4, 11:59 PM
  • Interim report: Nov 11, 11:59 PM
  • Final report: Dec 6, 11:59 PM
• Research paper
  • Though small, try to solve any problem. Extra credit will be given.
  • Design, attack, implementation, analysis!
  • Example: #@*)#*)!@
  • No idea? Come to my office!
Course Outline
• See the calendar on the class web page.
Course Format
• The first week covers the basics
  • Blackbox analysis
  • Introduce the properties of PKC and SKC
  • Not much mathematics involved!
• After that!!!
  • Introducing the system
  • Discussion of the security issues of the system
  • Introducing the solutions for the system
  • Discussion of the solutions: feasibility, issues, improvement
Useful Information
• Paper search
  • Google Scholar: http://scholar.google.com
  • CiteSeer: http://citeseer.nj.nec.com/cs
  • Cryptology ePrint Archive: http://eprint.iacr.org/
  • ACM Digital Library: http://portal.acm.org/
  • IEEE Xplore: http://ieeexplore.ieee.org/
• Major conferences
  • Security: IEEE Symposium on Security and Privacy, ACM CCS, USENIX Security, NDSS, …
  • Networking and systems: SIGCOMM, MobiCom, NSDI, OSDI, SOSP, USENIX Annual, FAST, …
• Other links are available on the class web site.
Useful Information (cont.)
• Crypto packages
  • OpenSSL: http://www.openssl.org
  • MIRACL (Multiprecision Integer and Rational Arithmetic C/C++ Library): http://indigo.ie/~mscott/
  • Crypto++ by Wei Dai: http://www.eskimo.com/~weidai/cryptlib.html
  • Number Theory Library (NTL) by Shoup: http://shoup.net/ntl/
  • JCSI (Java Crypto and Security Implementation): http://www.wedgetail.com/jcsi/
The main players
• (Diagram) Alice, Bob, and Eve (Yves?)
Attacks
• (Diagram) Normal flow: source to destination
• Interruption: availability
• Interception: confidentiality
• Modification: integrity
• Fabrication: authenticity
Taxonomy of Attacks
• Passive attacks
  • Eavesdropping
  • Traffic analysis
• Active attacks
  • Masquerade
  • Replay
  • Modification of message content
  • Denial of service
Big picture
• (Diagram) Alice and Bob exchange messages over an information channel, each holding secret information; Eve observes the channel
• Trusted third party (e.g. arbiter, distributor of secret information)
Encryption
• Why do we use a key? Or why not just use a shared encryption function?
• (Diagram) Plaintext source at Alice, destination at Bob; encryption E_e(m) = c; c crosses an insecure channel watched by the adversary; decryption D_d(c) = m
SKE with secure channel
• (Diagram) A key source delivers e to Alice and d to Bob over a secure channel
• Encryption E_e(m) = c; c sent over the insecure channel; decryption D_d(c) = m
• The adversary observes the insecure channel
PKE with insecure channel
• (Diagram) The key source at Bob keeps d and sends e to Alice over an insecure channel
• Encryption E_e(m) = c; c sent over the insecure channel; decryption D_d(c) = m
• A passive adversary observes both channels
Symmetric vs. Public Key Encryption
• Symmetric key encryption
  • For each pair (e, d) it is computationally easy to compute e knowing d and d knowing e
  • Usually e = d
• Public key encryption
  • Every entity has a private key SK and a public key PK
  • The public key is known to all
  • It is computationally infeasible to find SK from PK
  • Only SK can decrypt a message encrypted with PK
  • If A wishes to send a private message M to B:
    • A encrypts M with B's public key, C = E_{PK_B}(M)
    • B decrypts C with his private key, M = D_{SK_B}(C)
Public key should be authentic!
• (Diagram) An adversary replaces Bob's public key e with its own e', so Alice computes E_e'(m) instead of E_e(m)
• Need to authenticate public keys
Digital Signatures
• Primitive in authentication and non-repudiation
• Signature: the process of transforming the message and some secret information into a tag
• Nomenclature
  • M is the set of messages
  • S is the set of signatures
  • S_A: M → S is the signing transformation for A, kept private
  • V_A is the verification transformation from M to S for A, publicly known
Key Establishment and Management
• Key establishment
  • The process whereby a shared secret key becomes available to two or more parties
  • Subdivided into key agreement and key transport
• Key management
  • The set of processes and mechanisms which support key establishment
  • The maintenance of ongoing keying relationships between parties
Hash Function and MAC
• A hash function is a function h with
  • Compression
  • Ease of computation
• Properties
  • One-way: for a given y, it is hard to find x' such that h(x') = y
  • Collision resistance: it is hard to find x and x' such that h(x) = h(x')
  • Examples: SHA-1, MD5
• MAC (message authentication code)
  • Provides both authentication and integrity
  • A MAC is a family of functions h_k
    • Ease of computation (if k is known!!)
    • Compression: x is of arbitrary length, h_k(x) has fixed length
    • Computation resistance
  • Example: HMAC
MAC Construction from Hash
• Prefix: MAC = h(k || x)
  • Weakness: appending y and deducing h(k || x || y) from h(k || x) without knowing k
• Suffix: MAC = h(x || k)
  • A birthday attack is possible: an adversary that can choose x can construct x' for which h(x) = h(x') in O(2^(n/2))
• State of the art: HMAC (RFC 2104)
  • HMAC(x) = h(k || p1 || h(k || p2 || x)), where p1 and p2 are paddings
  • The outer hash operates on an input of two blocks
  • Provably secure
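The HMAC construction on this slide, written out step by step. This is an added example for the lecture, not code from the course or from RFC 2104; it builds HMAC-SHA256 from a plain hash the way the slide's formula describes (p1 and p2 are the opad and ipad paddings XORed into the key block), puts the prefix and suffix constructions next to it for comparison, and cross-checks the result against Python's standard-library hmac module. The key and message values are constructed for the demo.

```python
import hashlib
import hmac  # standard-library HMAC, used only to cross-check the hand-built one

BLOCK_SIZE = 64  # input block size in bytes for SHA-1 and SHA-256


def hmac_rfc2104(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """HMAC(x) = h(k ^ opad || h(k ^ ipad || x)): the slide's h(k||p1||h(k||p2||x))
    with p1 = opad (0x5C repeated) and p2 = ipad (0x36 repeated)."""
    if len(key) > BLOCK_SIZE:
        key = h(key).digest()                 # RFC 2104: hash keys longer than one block
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-pad to exactly one block
    inner_key = bytes(b ^ 0x36 for b in key)  # k XOR ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # k XOR opad
    inner = h(inner_key + msg).digest()       # inner hash absorbs the whole message
    return h(outer_key + inner).digest()      # outer hash sees one key block plus one digest


def prefix_mac(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """h(k || x): the prefix construction the slide shows as extendable."""
    return h(key + msg).digest()


def suffix_mac(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """h(x || k): the suffix construction, where a collision in h yields a forgery."""
    return h(msg + key).digest()


def verify(tag: bytes, expected: bytes) -> bool:
    """Constant-time comparison, so the check does not leak how many bytes matched."""
    return hmac.compare_digest(tag, expected)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """True when the hand-built HMAC agrees with Python's hmac module for this input."""
    return verify(hmac_rfc2104(key, msg), hmac.new(key, msg, hashlib.sha256).digest())


if __name__ == "__main__":
    k, x = b"key", b"The quick brown fox jumps over the lazy dog"  # constructed inputs
    print("HMAC-SHA256:", hmac_rfc2104(k, x).hex())
    print("matches stdlib:", matches_stdlib(k, x), matches_stdlib(b"k" * 200, x))
```

The second `matches_stdlib` call uses a 200-byte key to exercise the "hash long keys first" rule; leaving that step out is the classic mistake in hand-rolled HMACs, and the cross-check against the library catches it.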
Digital Signature
• Integrity
• Authentication
• Non-repudiation
• "I did not have intimate relations with that woman, …, Ms. Lewinsky" (W. J. Clinton)
Authentication
• How to prove your identity? Prove that you know some secret information.
• When key K is shared between A and server S
  • A → S: HMAC_K(M), where M can provide freshness
  • Why freshness?
• Digital signature?
  • A → S: Sig_SK(M), where M can provide freshness
  • Comparison?
Identification
• Something known: passwords, PINs, keys… (e.g. a^*ehk3&(dAs)
• Something possessed: cards, handhelds…
• Something inherent: biometrics
Password Authentication
• Stored either in the clear, or "encrypted" with a one-way function (OWF)
• Increasing security
  • Rules reduce the chance of easy passwords
  • Salt increases the search space for a dictionary attack
  • Pass phrases: more security
• Attacks
  • Replay of fixed passwords
  • Exhaustive search: an 8-character password has 40-50 bits
  • More directed dictionary attacks: Crack
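The storage side of this slide, as an added example (not code from the course): an unsalted one-way function next to a salted, iterated one, plus the verification routine a server would run. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the one-way function; the entry format `algorithm$iterations$salt$digest` and the iteration count are choices made for this example, not something the slide specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor of the one-way function; raise it as hardware gets faster
SALT_BYTES = 16


def plain_owf(password: str) -> str:
    """Unsalted one-way function: equal passwords give equal entries, and one
    precomputed dictionary of digests serves an attacker against every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_entry(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated one-way function (PBKDF2-HMAC-SHA256). The salt is stored in
    the clear beside the digest; it need not be secret, only distinct per entry, so a
    dictionary has to be recomputed for every account rather than once."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(entry: str, candidate: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = entry.split("$")
    except ValueError:
        return False                       # malformed entry: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: two users who happen to pick the same password.
    print("unsalted, user 1:", plain_owf("correct horse"))
    print("unsalted, user 2:", plain_owf("correct horse"))   # identical: visible to an attacker
    e1, e2 = make_entry("correct horse"), make_entry("correct horse")
    print("salted, user 1:  ", e1)
    print("salted, user 2:  ", e2)                          # differ in salt and digest
    print("login ok:", check_password(e1, "correct horse"), "wrong:", check_password(e1, "incorrect horse"))
```

Storing the iteration count in the entry lets the server raise the work factor for new entries without breaking old ones; a deliberately slow, memory-hard function such as scrypt or Argon2 is the usual production choice, but the salt-and-verify logic is the same.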
Challenge-Response Authentication
• Alice is identified by a secret she possesses
• Bob needs to know that Alice does indeed possess this secret
• Alice provides a response to a time-variant challenge
• The response depends on both the secret and the challenge
• Using
  • Symmetric encryption
  • One-way functions
Challenge-Response Using SKE
• Alice and Bob share a key K
• Taxonomy
  • Unidirectional authentication using timestamps
  • Unidirectional authentication using random numbers
  • Mutual authentication using random numbers
• Unilateral authentication using timestamps
  • Alice → Bob: E_K(t_A, B)
  • Bob decrypts and verifies that the timestamp is OK
  • Parameter B prevents replay of the same message in the B → A direction
Challenge-Response Using SKE (cont.)
• Unilateral authentication using random numbers
  • Bob → Alice: r_B
  • Alice → Bob: E_K(r_B, B)
  • Bob checks that r_B is the one it sent out
  • Bob also checks "B": this prevents a reflection attack
  • r_B must be non-repeating
• Mutual authentication using random numbers
  • Bob → Alice: r_B
  • Alice → Bob: E_K(r_A, r_B, B)
  • Bob → Alice: E_K(r_A, r_B)
  • Alice checks that r_A, r_B are the ones used earlier
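The mutual random-number protocol above, and the HMAC_K(M)-with-freshness idea from the Authentication slide, in one runnable exchange. This is an added example, not the course's code: it uses the slide's "one-way function" variant, so HMAC-SHA256 over the fields stands in for E_K(...), and it makes the two checks the slide calls out explicit: the verifier's own identifier must be inside the response (which is what defeats reflection), and each challenge is accepted once. The `Party` class, the length-prefixed field encoding, and the party names are choices of this example.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields; stands in for the slide's E_K(...).
    The length prefixes keep (r_A, r_B, B) from being re-parsed as a different tuple."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


class Party:
    def __init__(self, name: bytes, key: bytes):
        self.name = name        # identifier that goes into responses (the slide's "B")
        self.key = key          # K, shared between Alice and Bob
        self.issued = set()     # challenges we issued and have not yet seen answered

    def challenge(self) -> bytes:
        r = os.urandom(16)      # 128-bit random nonce: non-repeating for all practical purposes
        self.issued.add(r)
        return r

    def respond(self, r_peer: bytes, peer_name: bytes):
        """Message 2 of mutual authentication: answer the peer's challenge and issue
        our own. Returns (r_own, MAC_K(r_own, r_peer, peer_name))."""
        r_own = self.challenge()
        return r_own, mac(self.key, r_own, r_peer, peer_name)

    def verify_response(self, r_own: bytes, r_peer: bytes, tag: bytes) -> bool:
        """Check the answer to our challenge r_own. The MAC must name *us*: an answer
        Bob produced for somebody else names that somebody, so a reflected answer
        fails here. Each challenge is accepted at most once."""
        if r_own not in self.issued:
            return False
        self.issued.discard(r_own)
        return hmac.compare_digest(tag, mac(self.key, r_peer, r_own, self.name))

    def finish(self, r_peer: bytes, r_own: bytes) -> bytes:
        """Message 3: MAC_K(r_A, r_B), showing we could answer the peer's challenge too."""
        return mac(self.key, r_peer, r_own)

    def verify_finish(self, r_own: bytes, r_peer: bytes, tag: bytes) -> bool:
        if r_own not in self.issued:
            return False
        self.issued.discard(r_own)
        return hmac.compare_digest(tag, mac(self.key, r_own, r_peer))


def mutual_auth(alice: Party, bob: Party) -> bool:
    r_b = bob.challenge()                          # 1. Bob -> Alice: r_B
    r_a, tag_a = alice.respond(r_b, bob.name)      # 2. Alice -> Bob: r_A, MAC_K(r_A, r_B, B)
    if not bob.verify_response(r_b, r_a, tag_a):
        return False
    tag_b = bob.finish(r_a, r_b)                   # 3. Bob -> Alice: MAC_K(r_A, r_B)
    return alice.verify_finish(r_a, r_b, tag_b)    # Alice: r_A, r_B are the ones used earlier


def reflection_attempt(bob: Party) -> bool:
    """Why "B" is in the response: someone without K feeds Bob's own challenge back to
    Bob in a second session (posing as Alice) and returns Bob's answer in the first.
    Returns True only if Bob wrongly accepts; with the identifier check it is False."""
    r_b = bob.challenge()                          # session 1: Bob challenges "Alice"
    r_b2, answer = bob.respond(r_b, b"Alice")      # session 2: Bob answers r_B, naming "Alice"
    return bob.verify_response(r_b, r_b2, answer)  # session 1: Bob's own answer comes back


if __name__ == "__main__":
    K = os.urandom(32)                             # constructed shared key
    alice, bob = Party(b"Alice", K), Party(b"Bob", K)
    print("mutual authentication:", mutual_auth(alice, bob))
    print("reflection accepted:", reflection_attempt(bob))
```

Dropping `self.name` from the MAC is the only change needed to make `reflection_attempt` return True, which is a quick way to see what the identifier buys; the `issued` set is what gives "r_B must be non-repeating" teeth on the verifier's side.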
Kerberos vs. PKI vs. IBE
• Still debating
• Let's see one by one!
Kerberos (cont.)
• (Diagram) Message flow between A, the server T, and B:
  • A → T: A, B, N_A
  • T → A: E_{K_BT}(k, A, L), E_{K_AT}(k, N_A, L, B)
  • A → B: E_{K_BT}(k, A, L), E_k(A, T_A, A_subkey)
  • B → A: E_k(T_A, B_subkey)
• E_{K_BT}(k, A, L): token for B
• E_{K_AT}(k, N_A, L, B): token for A
• L: lifetime
• N_A?
• E_k(A, T_A, A_subkey): to prove to B that A knows k
• T_A: timestamp
• E_k(B, T_A, B_subkey): to prove to A that B knows k
Kerberos (scalable)
• (Diagram) Message flow between A, the authentication server T (AS), the ticket-granting server G (TGS), and B:
  • A → T: A, G, N_A
  • T → A: E_{K_GT}(k_AG, A, L), E_{K_AT}(k_AG, N_A, L, G)
  • A → G: E_{K_GT}(k_AG, A, L), E_{k_AG}(A, T_A), B, N_A'
  • G → A: E_{k_AG}(k_AB, N_A', L, B), E_{K_GB}(k_AB, A, L, N_A')
  • A → B: E_{K_GB}(k_AB, A, L, N_A'), E_{k_AB}(A, T_A', A_subkey)
  • B → A: E_{k_AB}(T_A', B_subkey)
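The basic four-message Kerberos exchange from the "Kerberos (cont.)" slide, run end to end with the checks each party makes: A ties T's reply to its nonce N_A and to the intended B, B checks the lifetime L, the principal name in the authenticator and the freshness of T_A, and keeps a replay cache of authenticators it has accepted. This is an added example, not the course's or MIT Kerberos's code. Because the Python standard library has no block cipher, E_K(...) is a toy authenticated encryption built from an HMAC-SHA256 keystream with encrypt-then-MAC; the lifetime, clock-skew window and all key and name values are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption standing in for the slide's E_K(...): an HMAC-SHA256
# keystream XORed with the JSON-encoded fields, then encrypt-then-MAC. It keeps the
# example standard-library-only; a real deployment uses an AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def enc(key: bytes, fields: dict) -> bytes:
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

LIFETIME = 300   # L: seconds for which the session key k is valid (constructed)
SKEW = 60        # tolerated clock difference when B checks T_A (constructed)


class Server:
    """T: shares a long-term key K_XT with every principal X."""
    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def issue(self, a: str, b: str, n_a: str, now: float):
        """Message 2: E_{K_BT}(k, A, L) for B and E_{K_AT}(k, N_A, L, B) for A."""
        k, expiry = os.urandom(32).hex(), now + LIFETIME
        token_b = enc(self.keys[b], {"k": k, "A": a, "L": expiry})
        token_a = enc(self.keys[a], {"k": k, "N_A": n_a, "L": expiry, "B": b})
        return token_b, token_a


def run_kerberos(server, a, b, k_at, k_bt, now, seen) -> bool:
    """One run of the basic exchange. `seen` is B's replay cache of (A, T_A).
    Returns True when A and B each end up convinced the other knows k."""
    try:
        n_a = os.urandom(8).hex()                          # 1. A -> T: A, B, N_A
        token_b, token_a = server.issue(a, b, n_a, now)    # 2. T -> A: the two tokens
        ta = dec(k_at, token_a)
        if ta["N_A"] != n_a or ta["B"] != b:               # N_A: reply belongs to this request
            return False
        k = bytes.fromhex(ta["k"])
        auth = enc(k, {"A": a, "T_A": now, "sub": os.urandom(16).hex()})
        # 3. A -> B: token_b, E_k(A, T_A, A_subkey)
        tb = dec(k_bt, token_b)                            # B opens its token with K_BT
        if now > tb["L"]:
            return False                                   # lifetime L exceeded
        kb = bytes.fromhex(tb["k"])
        au = dec(kb, auth)                                 # decrypting under k: A knows k
        if au["A"] != tb["A"] or abs(now - au["T_A"]) > SKEW:
            return False                                   # wrong principal or stale T_A
        if (au["A"], au["T_A"]) in seen:
            return False                                   # authenticator replayed inside the window
        seen.add((au["A"], au["T_A"]))
        reply = enc(kb, {"T_A": au["T_A"], "sub": os.urandom(16).hex()})
        # 4. B -> A: E_k(T_A, B_subkey)
        return dec(k, reply)["T_A"] == now                 # B echoed T_A under k: B knows k
    except (ValueError, KeyError):
        return False                                       # bad key, tampering, or malformed token


if __name__ == "__main__":
    T = Server()
    k_at, k_bt = T.register("A"), T.register("B")
    cache = set()
    print("first run:", run_kerberos(T, "A", "B", k_at, k_bt, 1700000000.0, cache))
    print("same (A, T_A) again:", run_kerberos(T, "A", "B", k_at, k_bt, 1700000000.0, cache))
```

The second call reuses the same timestamp and is refused by B's replay cache, which is the role the slide's T_A plays together with the clock-skew window: the cache only has to remember authenticators for SKEW seconds. The nonce N_A in message 1 is what stops an old reply from T being passed off as the answer to a new request.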
Public Key Certificate
• Public-key certificates are a vehicle by which public keys may be stored, distributed, or forwarded over unsecured media
• The objective: make one entity's public key available to others such that its authenticity and validity are verifiable
• A public-key certificate is a data structure with
  • Data part: cleartext data including a public key and a string identifying the party (subject entity) to be associated therewith
  • Signature part: digital signature of a certification authority over the data part, binding the subject entity's identity to the specified public key
CA
• A trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity
• The significance of this binding must be provided by additional means, such as an attribute certificate or policy statement
• The subject entity must have a unique name within the system (distinguished name)
• The CA requires its own signature key pair, and its public key must be authentic
• Can be off-line!
Data Part
• A validity period of the public key
• A serial number or key identifier identifying the certificate
• Additional information about the subject entity (e.g., street or network address)
• Additional information about the key (e.g., algorithm and intended use)
• Quality measures related to the identification of the subject entity, the generation of the key pair, or other policy issues
• Information facilitating verification of the signature (e.g., a signature algorithm identifier and the issuing CA's name)
• The status of the public key (cf. revocation certificates)
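A minimal certificate with the data part and signature part from the three slides above, issued by a CA and checked by a relying party. This is an added example, not the course's code and not X.509: the fields are a constructed subset of the list on the "Data Part" slide, the issuer name and serial are made up, and the CA's signature is a toy RSA (two published Mersenne primes, hash reduced mod n) used only so the script runs on the standard library. What the example shows is the binding itself: any change to the data part breaks the signature, and the relying party also checks the validity period, the issuer and the revocation status.

```python
import hashlib
import json

# Toy RSA signature for the CA. The modulus is the product of two known Mersenne
# primes and the hash is reduced mod n; this illustrates "the CA signs the data part"
# and is NOT a usable signature scheme.
P, Q = 2**127 - 1, 2**89 - 1
CA_PUBLIC = (65537, P * Q)                          # (e, n): the CA's authentic public key
_CA_PRIVATE = pow(65537, -1, (P - 1) * (Q - 1))     # d: held only by the CA

CA_NAME = "Example Root CA"                         # constructed issuer name
ALGORITHM = "toy-rsa-sha256"                        # signature algorithm identifier


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_sign(data: bytes) -> int:
    e, n = CA_PUBLIC
    return pow(_h(data, n), _CA_PRIVATE, n)


def verify_signature(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _h(data, n)


def canonical(data: dict) -> bytes:
    """The exact bytes the CA signs; any change to the data part changes them."""
    return json.dumps(data, sort_keys=True).encode()


def issue_certificate(subject: str, subject_key: tuple, serial: int,
                      not_before: float, days: int = 365) -> dict:
    data = {                                        # data part (cleartext)
        "serial": serial,                           # identifies this certificate
        "subject": subject,                         # distinguished name, unique in the system
        "subject_public_key": list(subject_key),    # the key being bound to the subject
        "not_before": not_before,                   # validity period
        "not_after": not_before + days * 86400,
        "key_usage": "digitalSignature",            # intended use of the key
        "signature_algorithm": ALGORITHM,           # helps the verifier check the signature
        "issuer": CA_NAME,
    }
    return {"data": data, "signature": ca_sign(canonical(data))}   # signature part


def validate(cert: dict, ca_pub, ca_name: str, now: float, revoked=frozenset()) -> bool:
    """Relying-party checks: the binding is intact and the certificate is current."""
    d = cert["data"]
    if d["issuer"] != ca_name or d["signature_algorithm"] != ALGORITHM:
        return False                                # not issued by the CA we trust
    if not verify_signature(canonical(d), cert["signature"], ca_pub):
        return False                                # data part altered, or signed by another key
    if not d["not_before"] <= now <= d["not_after"]:
        return False                                # outside the validity period
    return d["serial"] not in revoked               # status of the key (cf. revocation)


if __name__ == "__main__":
    now = 1700000000.0                              # constructed "current time"
    cert = issue_certificate("alice@example.com", (65537, 123456789), 7, now)
    print("valid:", validate(cert, CA_PUBLIC, CA_NAME, now + 10))
    forged = {"data": dict(cert["data"]), "signature": cert["signature"]}
    forged["data"]["subject"] = "mallory@example.com"   # keep the signature, change the name
    print("tampered subject valid:", validate(forged, CA_PUBLIC, CA_NAME, now + 10))
```

Note what the relying party has to have in advance: the CA's authentic public key and name, exactly the "must be authentic" requirement on the CA slide; the certificate cannot bootstrap trust in the key that verifies it. The `revoked` set stands in for a CRL or OCSP answer, which is also why the CA itself can stay off-line while revocation information is served separately.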
ID-based Cryptography
• No public key: the public key is the ID (email, name, etc.)
• PKG: private key generation center
  • SK_ID = PKG_S(ID)
  • The PKG's public key is public
  • Distributes the private key associated with the ID
• Encryption: C = E_ID(M)
• Decryption: D_SK(C) = M
Discussion (PKI vs. Kerberos vs. IBE)
• On-line vs. off-line TTP: implication?
• Non-repudiation?
• Revocation?
• Scalability?
• Trust issue? DigiNotar and Comodo!