1 / 55

SENG 5199-3 Data and Network Security Lecture 2 Introduction + Basic Crypto

SENG 5199-3 Data and Network Security Lecture 2 Introduction + Basic Crypto. Yongdae Kim. Class web page, e-mail. E-mail policy Include [5199-3] in the subject of your e-mail Active participation will make the class more interesting. Especially, forum. Course Content. Ch 1, Introduction

rainer
Download Presentation

SENG 5199-3 Data and Network Security Lecture 2 Introduction + Basic Crypto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SENG 5199-3 Data and Network SecurityLecture 2Introduction + Basic Crypto Yongdae Kim

  2. Class web page, e-mail • E-mail policy • Include [5199-3] in the subject of your e-mail • Active participation will make the class more interesting. • Especially, forum.

  3. Course Content • Ch 1, Introduction • Ch 5, Cryptography • Ch 2, Usability and Psychology • Software Security • Ch 3, Protocols • Ch 4, Access Control • Ch 6, Distributed Systems • Ch 7, Economics • Ch 26, System Evaluation and Assurance • Applications (Part II)

  4. News This Week (1) • TXT design flow • Facebook + SSL • Keylogger at Tunisia

  5. Design Hierarchy • What are we trying to do? • How? • With what? Policy Protocols Hardware, crypto, ...

  6. Security vs Dependability • Dependability = reliability + security • Reliability and security are often strongly correlated in practice • But malice is different from error! • Reliability: “Bob will be able to read this file” • Security: “The Chinese Government won’t be able to read this file” • Proving a negative can be much harder …

  7. Methodology 101 • Sometimes you do a top-down development. In that case you need to get the security spec right in the early stages of the project • More often it’s iterative. Then the problem is that the security requirements get detached • In the safety-critical systems world there are methodologies for maintaining the safety case • In security engineering, the big problem is often maintaining the security requirements, especially as the system – and the environment – evolve

  8. Threat Model • What property do we want to ensure against what adversary? • Who is the adversary? • What is his goal? • What are his resources? • e.g. Computational, Physical, Monetary… • What is his motive? • What attacks are out of scope?

  9. Terminologies • Attack: attempt to breach system security (DDoS) • Threat: a scenario that can harm a system (System unavailable) • Vulnerability: the “hole” that allows an attack to succeed (TCP) • Security goal: “claimed” objective; failure implies insecurity

  10. Goals: Confidentiality • Confidentiality of information means that it is accessible only by authorized entities • Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of: • Memory, processing, files, packets, devices, fields, programs, instructions, strings...

  11. Goals: Integrity • Integrity means that information can only be modified by authorized entities • e.g. Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of: • Memory, processing, files, packets, devices, fields, programs, instructions, strings...

  12. Goals: Availability • Availability means that authorized entities can access a system or service. • A failure of availability is often called Denial of Service: • Packet dropping • Account freezing • Jamming • Queue filling

  13. Goals: Accountability • Every action can be traced to “the responsible party.” • Example attacks: • Microsoft cert • Guest account • Stepping stones

  14. Goals: Dependability • A system can be relied on to correctly deliver service • Dependability failures: • Therac-25: a radiation therapy machine • whose patients were given massive overdoses (100 times) of radiation • bad software design and development practices: impossible to test it in a clean automated way • Ariane 5: expendable launch system • the rocket self-destructing 37 seconds after launch because of a malfunction in the control software • A data conversion from 64-bit floating point value to 16-bit signed integer value

  15. Interacting Goals • Failures of one kind can lead to failures of another, e.g.: • Integrity failure can cause Confidentiality failure • Availability failure can cause integrity, confidentiality failure • Etc…

  16. Security Assessment • Confidentiality? • Availability? • Dependability? • “Security by Obscurity:” • a system that is only secure if the adversary doesn’t know the details. • is not secure!

  17. Rules of Thumb • Be conservative: evaluate security under the best conditions for the adversary • A system is as secure as the weakestlink. • It is best to plan for unknown attacks.

  18. Security & Risk • We only have finite resources for security… • If we only have $20K, which should we buy? Product A Prevents Attacks: U,W,Y,Z Cost $10K Product B Prevents Attacks: V,X Cost $20K

  19. Risk • The risk due to a set of attacks is the expected (or average) cost per unit of time. • One measure of risk is Annualized Loss Expectancy, or ALE: ALE of attack A Σ ( pA × LA ) attack A Annualized attack incidence Cost per attack

  20. Risk Reduction • A defense mechanism may reduce the risk of a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR): • The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost. Σ (pA × LA – p’A×L’A) attack A

  21. News This Week (2) • Smartphone USB to attack PC • ISP to record data • Evercookie and fingerprinting

  22. Basic Cryptography Yongdae Kim

  23. Eve Yves? The main players Bob Alice

  24. Attacks Normal Flow Destination Source Interruption: Availability Interception: Confidentiality Destination Destination Source Source Modification: Integrity Fabrication: Authenticity Destination Destination Source Source

  25. Taxonomy of Attacks • Passive attacks • Eavesdropping • Traffic analysis • Active attacks • Masquerade • Replay • Modification of message content • Denial of service

  26. Big picture Trusted third party (e.g. arbiter, distributor of secret information) Bob Alice Information Channel Message Message Secret Information Secret Information Eve

  27. Terminology for Encryption • A denotes a finite set called the alphabet • M denotes a set called the message space • M consists of strings of symbols from an alphabet • An element of M is called a plaintext • C denotes a set called the ciphertext space • C consists of strings of symbols from an alphabet • An element of C is called a ciphertext • K denotes a set called the key space • An element of K is called a key • Ee is an encryption function where e  K • Dd called a decryption function where d  K

  28. Encryption • Why do we use key? • Or why not use just a shared encryption function? Adversary Encryption Ee(m) = c Decryption Dd(c) = m c insecure channel m m Plaintext source destination Alice Bob

  29. SKE with Secure channel Adversary d Secure channel Key source e Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  30. PKE with insecure channel Passive Adversary e Insecure channel Key source d Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  31. e e’ Ee’(m) Public key should be authentic! • Need to authenticate public keys Ee(m) e Ee(m)

  32. Digital Signatures • Primitive in authentication and non-repudiation • Signature • Process of transforming the message and some secret information into a tag • Nomenclature • M is set of messages • S is set of signatures • SA: M ! S for A, kept private • VA is verification transformation from M to S for A, publicly known

  33. Key Establishment, Management • Key establishment • Process to whereby a shared secret key becomes available to two or more parties • Subdivided into key agreement and key transport. • Key management • The set of processes and mechanisms which support key establishment • The maintenance of ongoing keying relationships between parties

  34. Symmetric vs. Public key

  35. Symmetric key Encryption • Symmetric key encryption • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e • Usually e = d • Block cipher • breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time • Stream cipher • encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time

  36. Hash function and MAC • A hash function is a function h • compression • ease of computation • Properties • one-way: for a given y, find x’ such that h(x’) = y • collision resistance: find x and x’ such that h(x) = h(x’) • Examples: SHA-1, MD-5 • MAC (message authentication codes) • both authentication and integrity • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance • Example: HMAC

  37. MAC construction from Hash • Prefix • M=h(k||x) • appending y and deducing h(k||x||y) form h(k||x) without knowing k • Suffix • M=h(x||k) • possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2) • STATE OF THE ART: HMAC (RFC 2104) • HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding • The outer hash operates on an input of two blocks • Provably secure

  38. PKE with insecure channel Passive Adversary e Insecure channel Key source d Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  39. Digital Signature • Integrity • Authentication • Non-repudiation I did not have intimate relations with that woman,…, Ms. Lewinsky WJ Clinton

  40. Authentication • How to prove your identity? • Prove that you know a secret information • When key K is shared between A and Server • A  S: HMACK(M) where M can provide freshness • Why freshness? • Digital signature? • A  S: SigSK(M) where M can provide freshness • Comparison?

  41. Encryption and Authentication • EK(M) • Redundancy-then-Encrypt: EK(M, R(M)) • Hash-then-Encrypt: EK(M, h(M)) • Hash and Encrypt: EK(M), h(M) • MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M) • MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

  42. Challenge-response authentication • Alice is identified by a secret she possesses • Bob needs to know that Alice does indeed possess this secret • Alice provides responseto a time-variant challenge • Response depends on both secret and challenge • Using • Symmetric encryption • One way functions

  43. Challenge Response using SKE • Alice and Bob share a key K • Taxonomy • Unidirectional authentication using timestamps • Unidirectional authentication using random numbers • Mutual authentication using random numbers • Unilateral authentication using timestamps • Alice  Bob: EK(tA, B) • Bob decrypts and verified that timestamp is OK • Parameter Bprevents replay of same message in B  A direction

  44. Challenge Response using SKE • Unilateral authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(rb, B) • Bob checks to see if rb is the one it sent out • Also checks “B” - prevents reflection attack • rb must be non-repeating • Mutual authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(ra, rb, B) • Bob  Alice: EK(ra, rb) • Alice checks that ra, rb are the ones used earlier

  45. Challenge-response using OWF • Instead of encryption, used keyed MAC hK • Check: compute MAC from known quantities, and check with message • SKID3 • Bob  Alice: rb • Alice  Bob: ra, hK(ra, rb, B) • Bob  Alice: hK(ra, rb, A)

  46. Kerberos vs. PKIvs. IBE • Still debating  • Let’s see one by one!

  47. Kerberos • Basic • A, B, a TTP share long-term pairwise secret keys a priori • TTP either plays the role of KDC and itself supplies the session key, or serves as a key translation center (KTC) • A and B share no secret, T shares a secret with each • Goal: for B to verify A’s identity, establishing shared key • Description • A requests for credential to allow it to authenticate itself • T plays the role of a KDC, returning to A a session key encrypted for A and a ticket encrypted for B • The ticket contains the session key and A’s identity

  48. A, B, NA EKBT(k, A, L), EKAT(k, NA, L, B) EKBT(k, A, L), Ek(A, TA, Asubkey) Ek(TA, Bsubkey) Kerberos (cnt.) T • EKBT(k, A, L): Token for B • EKAT(k, NA, L, B): Token for A • L: Life-time • NA? • Ek(A, TA, Asubkey): To prove B that A knows k • TA: Time-stamp • Ek(B, TA, Bsubkey): To prove A that B knows k B A

  49. Kerberos (cnt.) • T • AS (Authentication Server) in Kerberos paper • Properties • secure and synchronized clocks • If password-based, protocol is susceptible to password-guessing attack • Asubkey and Bsubkey allow transfer of a key from A to B • Lifetime is intended to allow A to re-use the ticket

  50. EKAG(kAB, NA’, L, B), EkGB(kAB, A, L, NA’), B, NA’ EKGT(kAG, A, L), EKAT(kAG, NA, L, G) A, G, NA EKGT(kAG, A, L), EkAG(A, TA), B, NA’ EKGB (kAB, A, L, NA’), EkAB(A, TA’, Asubkey) Ek(TA’, Bsubkey) Kerberos (Scalable) T (AS) G (TGS) B A

More Related