Computer Security midterm
Side-channel attacks (Differential Power Analysis, Timing Attacks)
Differential Power Analysis • Different instructions consume different amounts of power • By measuring the power consumed by the smartcard chip, it may be possible to extract the key Timing Attacks • If cryptographic operations don't take the same number of clock cycles, they can leak key information • Profiling cache misses can also reveal key information
Verinymity
From Latin verus, true, truly named
Privilege Separation
General strategy: restrict what the userland can do, and what hardware it can access
Counter Mode (CTR)
Generates the next keystream block by encrypting successive values of a counter combined with a nonce (IV) Use this mode when a stream cipher is needed
Chosen Protocol Attack
Given some target protocol: Design a new protocol that will attack the target protocol if users can be persuaded to reuse information ‣ Token ‣ Crypto Key Example: 1. Customer has to prove age on site A by signed X 2. Signature is used to buy coins from the bank by site A
Cryptocurrencies
Goal: decentralize the management of the currency's integrity Why? Ensure total transparency with respect to costs, fees, and operations for all users Need strong cryptography to do this
Slips and lapses at the level of skill
Inattention can cause a practiced action to be caused instead of an intended one
Confidentiality
Involves an obligation to protect some other person's or organization's secrets if you know them Example: In the United States, medical records stored by a healthcare provider are confidential, and protected by HIPAA
Authentication
It should be possible for the receiver of a message to determine its origin An intruder should not be able to impersonate someone else
Integrity
It should be possible for the receiver of a message to verify that it hasn't been modified An intruder should not be able to substitute a false message for a legitimate one
What is EC's relationship to Diffie-Hellman key exchange?
Like RSA, EC is commonly used to transmit a key to Alice and Bob, which will be used with a symmetric key cipher. Alternative protocol to RSA: Diffie-Hellman
Stuxnet
Malware targeted at Iranian nuclear facilities • Objective: vary speeds of centrifuge motors by infecting Siemens S7 PLCs • Level of sophistication hints at state-sponsored work ‣ Israel? ‣ United States? Technical Capabilities • Exploited four "0-day" vulnerabilities in MS Windows • Spread via a LAN or USB flash drives • Relayed status information back to attackers • Made use of rootkits in Windows and the PLC hardware (a first)
Some example attacks
Manipulating the message Changing the environment (fake ATM)
Coordinated Disclosure
Microsoft's position: software vendors have right to control product vulnerability information • Risk of sharing vulnerability with malicious parties is too high • Vulnerability is disclosed after the patch is released
How can two-factor authentication be attacked?
Phishing + Man-in-the-Middle 1. Attacker installs Trojan program on Alice's computer 2. When Alice logs into her bank, attacker piggybacks on that transaction with the Trojan
Security involves three processes:
Preventative technologies Detection and Reaction Forensic Systems
Cipher Block Chaining (CBC)
Simplest mode of block cipher ECB should not be used if encrypting more than one block of data with the same key (advice: just avoid it) because it repeats Alternative: make each ciphertext block dependent on all blocks processed up until that point
Packet spoofing
Source IP address is forged to exploit a trust relationship in the network
Defense in depth
Suggests layers, some of which may contain secrets, but the core must be secure without them.
Cryptography
The art and science of keeping messages secure
Secrecy
The effect of the mechanisms used to limit the number of principals who can access information Common mechanisms to provide secrecy: Cryptography Access Controls
/etc/shadow
The encrypted passwords
Code Obfuscation
The operation of code can reveal problems to an attacker Don't rely on this: assume an attacker can gain access to the code Example: frustrate Java decompilers
Principle of Lease Common Mechanism
The principle of least common mechanism states that mechanisms used to access resources should not be shared. Example: remote mobile virtualization
Anonymity
The quality or state of being unknown. without name
Output Feedback Mode (OFB)
Turns a block cipher into a self-synchronizing stream cipher Downside: *slow*
Kerberos
Two trusted third-parties: 1. Authentication server, which users log into 2. Ticket granting server, which gives users tickets needed to access resources
Intrusion Detection Systems
Two types: 1. Signature-based IDS 2. Statistical anomaly-based IDS
Modular differential attack
Wang and Yu, Eurocrypt 2005 We want to find a pair (M0, M1) and (M0, M1) such that: (a, b, c, d) = md5(a0, b0, c0, d0, M0), (a', b', c', d') = md5(a0, b0, c0, d0, M0 ), md5(a, b, c, d, M1) = md5(a', b', c', d', M1'), • Use modular integer subtraction as the measure of difference ‣ Finding the first blocks (M0, M0 ) takes about 2^39 md5 operations ‣ Finding the second blocks (M1, M1 ) takes about 2^32 md5 operations
Key revocation
What happens if Alice finds out about the stolen key by comparing message logs with Bob Kac ⟶ K'ac
Block Hashing Algorithm
When mining, the algorithm repeatedly hashes the block header while incrementing the nonce field. Incrementing the nonce field entails recomputing the merkle tree (i.e., tree of hashes)
Worms vs. Viruses
Worms: travel by themselves Viruses: travel attached to another program
Is 256 bits suitable for 128-bit ciphers?
Yes
Permission attributes r w x s t
r - read - read a file or list a directory's contents w - write - write to a file or directory x - execute - execute a file or recurse a directory tree s - suid/sgid - run executable with perms. of user or group t - sticky bit - owners have precedence for directory actions
chmod(1) command
sets permissions
Message meaning rule If Alice sees a message encrypted under k, and k is a good key for communicating with Bob, then ...
she will believe that the message was once said by Bob. A | ≡ A ↔^k B, A |⊲{X}k ----------------------- A | ≡ B |~ X
Curve25519
y^2 = x^3 + 486662x^2 + x Prime field: 2^255 - 19 Base point: x = 9 Advantages: • One of the fastest known curves • Not covered by any patents • Less susceptible to weak random-number generators (making side-channel attacks more difficult) • Not tainted by suspicious standards process
Reduction Functions
• A hash function maps plaintexts to hashes • A reduction function maps hashes to plaintexts • The reduction function does the reverse of a hash function, but it isn't its inverse Ex. Set of plaintexts is [0123456789]{6} (all numeric passwords of length 6) Hash function is md5() Reduction function R() returned the first six numbers of the hash md5("493823") = "222f00dc4b7f9131c89cff641d1a8c50" R("222f00dc4b7f9131c89cff641d1a8c50") = "222004" This process generated another plaintext from the hash of the previous plaintext — the purpose of the reduction function.
Key
• A piece of information that determines the functional output of a cryptographic algorithm (K) • Could be any one of a large number of values ‣ The range of possible values is called the keyspace
Public Key Cryptography
• A symmetric algorithm is like a safe ‣ The key is the combo ‣ Anyone with the combo can open the safe ‣ Anyone without the combo must learn safecracking 1976: Whitfield Diffie and Martin Hellman introduce alternative paradigm with two keys:
Trouble with key revocation
• Alice can't handle the key revocation by herself ‣ She has no idea that Mallory has her key for communication with Dave • Carol must handle key revocation and reissue ‣ She needs to keep an exhaustive log for every key request
A certificate
• An electronic document that conveys a key and related meta-data • Guaranteed by trusted third party
Trouble with RSA
• As factoring prime numbers becomes more efficient, key sizes have to grow ‣ This slows down the algorithm
Rainbow table algorithm
• Assume Mallory has a hash with an unknown plaintext • She checks to see whether it is inside any of the generated chains 22 while(hash not found) 1. Look for the hash in the list of final hashes, if it is there break out of the loop. 2. If it isn't there reduce the hash into another plaintext, and hash the new plaintext. 3. Go to the start. 4. If the hash matches one of the final hashes, the chain for which the hash matches the final hash contains the original hash. Mallory can now get that chain's starting plaintext, and start hashing and reducing it, until she comes to the known hash along with its secret plaintext.
How many CAs does your browser trust (Chrome, IE, Firefox)?
• Chrome: 198 CAs • IE: 320 CAs • Firefox: 150 CAs
Two-factor authentication
• Combines something you know with something you have • Attacker needs to compromise both factors to gain access to the system
How secure is elliptic curve cryptography?
• Compared to RSA, high security with shorter keys and excellent computational performance • For primitives of the same size, solving elliptic curve discrete logarithms is a much harder problem than prime number factorization ‣ Elliptic Curve algorithms are thus more secure than RSA
Brute Force Attack
• Could be a dictionary attack (often quick) • Could be an attack against the bits of the key (typically not quick)
Ways to mitigate chosen protocol attack
• Do not allow crypto keys to be used by more than one application • Do not let other people bootstrap their own application security off of yours ‣ Be aware of security dependencies
Sticky bit
• File system treats files in a directory in such a way that only the file's owner (or superuser) can rename or delete the file • Without sticky bit: any user with write and execute privileges can intentionally or unintentionally delete another user's files in a directory • Commonly used to protect scratch spaces drwxrwxrw*t* 12 root root 40960 Jan 21 12:39 /tmp
Defense against Man-in-the-Middle and Trojan Horses?
• For the banking scenario, derive the authentication code from: ‣ Transaction amount ‣ Payee account number ‣ Transaction sequence number 21 • This prevents an attacker from crafting their own transaction
Rainbow Tables and Table Chain
• From an attacker's perspective, password cracking is expensive: ‣ Each password needs to be hashed, which is slow ‣ Each pre-computed hash needs to be stored, which isn't feasible for large sets of passwords Rainbow Tables are a compromise between pre-computation and low memory usage • The tables are made up of chains of hash and reduction functions • A table only stores the starting plaintext and final hash After generating many chains the table might look something like: iaisudhiu = 4259cc34599c530b1e4a8f225d665802 oxcvioix = c744b1716cbf8d4dd0ff4ce31a177151 9da8dasf = 3cd696a8571a843cda453a229d741843 [...] sodifo8sf = 7ad7d6fa6bb4fd28ab98b3dd33261e8f
Man-in-the-Middle Attack
• General category of attacks • Active attacks are a lot more powerful than passive ones • A "man-in-the-middle" can modify, delete, and create new messages
Sensible password advice
• Never reuse a password you care about. An attacker can steal it from a low security site (your blog) and attack a higher stakes site (your bank). • Don't bother updating your password regularly • Be wary of the "secret question"; this is sometimes easier to break than your password itself. • Use two-factor authentication.
Password salts
• With a dictionary, it's possible to pre-compute a hash for every word, for all known algorithms • How do we defend against this? Calculate a different hash: H'(username, site, password) and use the high-order 64 bits as the salt and the low-order 18-24 bits as the iteration count. Iterations slow down attacks, e.g., if every password is hashed 100,00 times, guessing is slowed down to 1/100,000 the previous rate. (Slows down legitimate use as well.)
Curve choices
- Set of curves standardized by NIST ‣ Snowden disclosures: NSA tampered with the NIST process for other crypto designs - Brainpool curves ‣ May also have been manipulated - Bernstein's Curve25519
UNIX file permissions
-rw-rw-r-- 1 walter walter 3764 Jan 19 15:40 foo " - " = type " rw- " = owner " rw- " = owner " r-- " = other " walter " = user " walter " = group
Multiple signatures - assume that a hash document X, Hx has been generated (5 steps)
1. Alice signs the hash of the document {Hx}Ks,a 2. Bob signs the hash of the document {Hx}Ks,b 3. Bob sends his signature to Alice {Hx}Ks,b 4. Alice sends the message and signatures to Carol {Hx}Ks,a, {Hx}Ks,b 5. Carol verifies the signatures Hx,c = Hx,a = Hx,b?
Stealing passwords
1. Steal plaintext passwords (not as common these days) 2. Steal encrypted passwords and crack them (surprisingly easy) 3. Tap a legitimate terminal session and log the password 4. Shoulder surf the password
RSA Decryption
1. Take each encrypted block {xi} and apply the decryption formula: xi = {xi} mod n d The message could have also been encrypted with d and decrypted with e. The use of the keys is arbitrary! Example: 1. First block: 15701019 mod 3337 = 688 = x1 2. Subsequent blocks are recovered in the same manner
Security of RSA vs EC
228-bit RSA key: less energy than it takes to boil a teaspoon of water 228-bit EC key: enough energy to boil all of the water on earth
Algorithms with a brute force effort of less than [blank] are weak
2^90
Trust
A [blank] system or component is one whose failure can break the security policy
Certificate revocation procedures
A client accepting a certificate can check for revocation in two ways: 1. The original mechanism places the revoked certificate on the Certificate Revocation List (CRL) • File of revoked certificates signed by the issuing CA • URL of this list is included in each certificate • Client checks if the current cert. is on the list before accepting it 2. Online Certificate Status Protocol (OCSP) • Verifies the continuing validity of a certificate, rather than whether it was ever valid • Returns Valid, Invalid, or Unknown status codes ‣ What happens if a server returns Unknown? • Perceived advantage over CRL: reduces time between compromise and revocation
Trapdoor Function
A function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor." Widely used in cryptography.
Non-repudiation
A sender should not be able to falsely deny later that a message was sent
Principle of Least Privilege
A subject should be given only those privileges that it needs in order to complete its task
Security policy
A succinct statement of a system's protection strategy Example: Bank's Policy • Each credit must be matched by an equal and opposite debit • All transactions over $1,000 must be authorized by two managers
Cipher Feedback Mode (CFB)
A variation of CBC that turns a block cipher into a self-synchronizing stream cipher Downside: *slow*
Basic OS Authentication
Alice (user) has: Password One-time password Biometric Bob (server) has: User list Credential list ID list B ---server prompt---> A A ---credential---> B B ---session granted/rejected---> A
/etc/passwd
All user login information except for the passwords
Firewalls
Any device, software, or arrangement of equipment that limits network access
What could be better about PKI?
Biggest problem: too many CAs, very little oversight Possible Solutions • Certificate transparency: every CA logs all of the certificates it issues (Google proposal) ‣ Easy to detect multiple certificates for the same site ‣ Problem: Requires universal buy-in • DNS-based Authentication of Named Entities (DANE) ‣ Allows x.509 certificates to be bound to DNS names using Domain Name System Security Extensions (DNSSEC) ‣ Problem: an attacker with access to a DNS server can replace certificates • Usability issue: browser warnings are routinely ignored ‣ Training users helps somewhat, but only goes so far ‣ Need better protocols and UI
ShiftRows Step
Bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.
Chip + pin
Calculator uses bank card to perform crypto 1. Calculator is loaded with card 2. Asks for user's PIN 3. For card transaction: computes response code based on a counter 4. For two-step logon: computes a challenge
Digital Certificates
Certificates are: a signed message Certificates contain: • Owner's Name • Public Key • Algorithm Identifiers
Checking the chains of the rainbow table
Check the last column of the table: reduce and hash once Check the second to last column of the table: reduce and hash twice Check the third to last column of the table: reduce and hash three times Match: The starting plaintext (stored with the ending hash) is reduced and hashed until the correct plaintext is found within the chain
Privacy
Choice & control over use and disclosure of our identity and our information
Avoidable Pitfalls of EC
Choosing weak primitives: Use a modulus (public key) that is at least 256 bits Choosing an unsafe curve: Consult http://safecurves.cr.yp.to/ before choosing a curve Choosing an implementation that is vulnerable to invalid curve attacks: Use Curve25519 (via NaCL)
Botnets
Common Scenario: 1. Malicious code infects systems 2. Infected systems connect to Command & Control server 3. Spammer buys access to botnet 4. Spammer sends instructions via C&C server
Virtual Private Network
Corporate traffic passed over the Internet is encrypted from firewall to firewall
Identity
Correspondence between the names of principals, signifying that they refer to the same person or equipment Alice acting as Bob's manager Bob acting as Carol's manager Bob as branch manager signing a loan contract jointly with Dave
Zero-knowledge proofs
"I know that you know something, without knowing what that something is" • The usual way for Alice to prove something to Bob is to tell him what that something is. ‣ But then he knows it ‣ And he can tell others ‣ Alice cannot prevent this from happening once she divulges her secret 192 Zero-knowledge proofs: using one-way functions, Alice can prove to Bob that she knows something without divulging it Applications • Electronic voting systems • Digital signatures • Cryptocurrency • Nuclear disarmament discussions 199 Not commonly used because trust violations in technology are rampant
What to function to use for each algorithm (Block Cipher, Stream Cipher, Hash Function, Public Key Algorithm
AES | Block Cipher Counter mode AES | Stream Cipher SHA | Hash Function RSA or EC | Public Key Algorithm
Mistakes at the level of rules
Actions people take by following rules are open to errors when they follow the wrong rule Example: tricky URL https://www.citibank.secureauthentiction.com
Mutual Authentication
Alice and Bob need to identify each other: 1. A⟶B: Na 2. B⟶A: Nb 3. Ka⟶B: {Nb} 4. Kb⟶A: {Na} Weakness: same protocol is used in both directions Can be exploited with reflection attacks (can fake ID)
How to stop reflection attacks?
Alice and Bob need to identify each other; include IDs in the transaction: 1. A⟶B: N 2. B⟶A: {B, N}K * ID tied to specific actor • IDs can be checked with known actors • If known actor didn't send, reflection attack is detected
Nonce verification rule If Bob once said a message, and the message is fresh, then ...
Alice believes it A | ≡ #X, A | ≡ B |~ X ----------------------- A | ≡ B | ≡ X
Non-repudiation and digital signatures
Alice can cheat with digital signatures by signing a document and later claiming that she didn't 1. She signs the document as usual 2. She then anonymously publishes her private key, or conveniently loses it in a public place 3. All documents signed by Alice are repudiated Possible solution: timestamps ‣ However, Alice can still claim the key was compromised earlier, or time her signings well
Jurisdiction rule If Bob believes something, and is an authority on the matter, then ...
Alice should believe him. A | ≡ B | ⇒ X, A ≡ | B | ≡ X ----------------------- A | ≡ X
Choosing Initialization Vectors
Always use a random IV for each transaction The IV can be made public after encryption. Why is this secure? The IV is only used to ensure that the same plaintext encrypts to different ciphertexts. After it is used, there is no harm in releasing it, as it leaks no information about the plaintext.
Risk Mitigation
Assume that any system can be compromised Security systems have many components and connections Some of these are unknown to the designers, implementors and users Our best strategy: lessen the risk of attack
Elliptic Curve Trapdoor
Assume there is a starting point and an ending point The starting point goes through n * operations to arrive at the ending point 132 Finding out n when only the starting point and ending point are known is a hard problem
Verification of smart card banking protocol
Assumption: k is only available to actors who can be trusted to execute the protocol faithfully Goal: Prove that Bob should trust the check (B | ≡X) 1. B | ≡ X follows from B | ≡ A |⇒ X and B | ≡ A | ≡ X (hardware constraint) 2. B | ≡ A | ≡ X follows from #X and B | ≡ A |~ X 3. #X follows from its occurrence in {A, Na, B, Nb, X} k * guaranteed by this sequence number 4. B | ≡ A |~ X follows from the hardware constraint
Authentication race
Attacker collects just enough information to make educated guesses about credentials before the user finishes authenticating
Kerberos protocol What does this fix in NeedhamSchroeder?
Authentication server: Carol Ticket granting server: Dave P + Alice's password L = lifetime Kas = session key Kab = transaction key Kb = Bob's key known by Bob and Dave 1. A⟶C: P 2. C⟶A: {Kas} P 3. A⟶D: A, B 4. D⟶A: {Td, L, KAB, B{Td, L, Kab, A} Kb} Kas 5. A⟶B: {Td, L, Kab, A} Kb , {A, Ta} Kab 6. B⟶A: {Ta + 1}Kab 2. C⟶A: {KAS} Alice needs access to a resource provided by Bob • Timestamps are used in place of nonces ‣ Revoked / expired keys are easily detected ‣ New source of trouble: out of synch clocks Race conditions Default authentication in Microsoft Windows
Flaw in Needham-Schroder Protocol
Bob has to assume KAB from Carol is fresh • Kab is always conveyed by Alice • What if Alice waited a year between steps 2 and 3? ‣ Mallory can use Kab to establish a session with Bob ‣ If Kab is compromised, Bob can't easily detect a change made by Carol 1. Alice requests and receives a key to communicate with Bob 2. Mallory steals Kac 3. Mallory intercepts {Kab}Kac 4. Mallory requests and receives a key to communicate with Dave
Lightweight directory access protocol (LDAP)
Centralized network authentication simplifies user management RFC 4511 • Protocol for accessing X.500-based directory services • Designed to run over TCP/IP networks • LDAP entry is a collection of attributes that has a globallyunique Distinguished Name (DN) - cn for common name (Walter Scheirer) - mail for email address ([email protected]) • Entries are arranged in a hierarchical tree-like structure - Useful for arranging user records into an organization's structure
Ex. an attacker has created a bogus block What is the defense/strategy?
Defense: make it computationally expensive (and thus financially expensive) to add blocks General strategy: creators of blocks need to guess a number ‣ Number and block contents lead to a hash that is smaller than a separate chosen number ‣ The chosen number is related to the current processing power of the bitcoin network ‣ Guessing becomes more difficult as more computers join
Ex. an attacker has modified a block What is the defense?
Defense: validate the cryptographic fields of the block w.r.t. to other blocks in the chain
Linear Feedback Shift Register
Definition: An n-stage linear feedback shift register (LFSR) consists of an n-bit register r = r0...r(n-1) and an n-bit tap sequence t = t0...t(n-1). To obtain a key bit, r(n-1) is used, the register is shifted one bit to the right, and the new bit r0t0⊕...⊕r(n-1)t(n-1) is inserted.
Block Ciphers
Definition: Let E be an encryption algorithm, and let Ek(X) be the encryption of message X with key k. Let a message X = x1x2... , where each xi is of a fixed length. Then a block cipher is a cipher for which Ek(X) = Ek(x1)Ek(x2)... . Example: AES is a block cipher. It breaks the message into 128-bit blocks and uses the same 128-, 192- or 256- bit key to encipher each block Some encryption algorithms divide a message into a sequence of parts, or blocks, and encipher each block with the same key.
Elliptic Curves
Definition: set of points satisfying an equation in two variables with degree two in one of the variables and three in the other
Key diversification Where does Alice's key come from?
Ka⟶{A}KM {A} = Alice-specific ID KM = Master Key Pros: + Simple key management Cons: - Length of identifier may limit usable keyspace - Master key needs to be shared
Problem with rainbow tables, and solution
Problem: collisions Two plaintexts hash to the same value: This causes cycles in the table No guarantee that there will be a hash of a plaintext that will reduce to some other given plaintext. Solution: use a different reduction function in each column • Origin of the name "Rainbow Table" ‣ If each reduction function is a different color, with starting plaintexts at the top and final hashes at the bottom, the table would look like a rainbow • Chain merges become rare, because collisions have to occur on the same column (chance of collision is 1 / chain length) • Loops are also solved: if a hash in a chain is the same as a previous hash it won't reduce to the same plaintext.
Vulnerability
Property of a system or its environment which, in conjunction with an internal or external threat, can lead to a security failure A security failure is a breach of the system's security policy Example: Heartbleed bug: improper input validation in the implementation of the TLS heartbeat extension of OpenSSL
Signal's crypto components
Protocol Elements: Double Ratchet Algorithm Prekeys Triple Diffie-Hellman handshake Cryptographic Primitives: Curve25519 AES-256 SHA-256
Signing documents with public key cryptography and one-way hash functions (4 steps)
Public key algorithms are too slow to sign long documents, here's an alternative: kS,A {hX} 1. Alice produces a one-way hash of a document f (X) = Hx *only 256-bits if using SHA-256 2. Alice encrypts the hash with her private key, thereby signing the document {Hx}Ks,a 3. Alice sends the document and the signed hash to Bob X,{hX}Ks,a 4. Bob checks the signature 4.1 Hash the document: f (X) = Hx,b 4.2 Decrypt the signed hash: {hX} Ks,a, Kp,a = Hx,a k 4.3 Check if hashes match: Hx,a = Hx,b?
Self-Synchronous Stream Ciphers
Some stream ciphers obtain the key from the message itself. Two strategies for this: 1. Draw the key from the plaintext (Vigenère cipher from book): key: XTHEBOYHASTHEBA plaintext: THEBOYHASTHEBAG ciphertext: QALFPNFHSLALFCT 2. Draw the key from the ciphertext: key: XQXBCQOVVNGNRTT plaintext: THEBOYHASTHEBAG ciphertext: QXBCQOVVNGNRTTM
Protocol Failures
Sometimes the software and configuration is fine, but the underlying protocol is flawed Two hypothetical flaws in ssh: 1. NFS-mounted home directory; attacker spoofs NFS replies to inject bogus authorized_keys file 2. User copies .ssh directory to new system; new system can be accessed by any key trusted to the old system
Dynamic vs. static memory allocation
Static: • Memory for variables is automatically allocated ‣ On the stack or in other sections of code • No need to explicitly reserve memory • No control over the lifetime of this memory Dynamic: • Memory for variables is manually allocated and released ‣ On the heap • Programmer has control over the the lifetime of this memory
Assuming large quantum computers appear in the next couple of decades, what's a straightforward replacement for public key cryptography?
Symmetric Key Cryptography + Kerberos
Recommendations for Cryptographic Primitives in 2019 (symmetric cipher key length, RSA modulus, elliptic curve modulus, hash function (output))
Symmetric cipher key length | 128 bits RSA modulus | 2048 bits Elliptic curve modulus | 256 bits Hash function (output) | 256 bits
Full disclosure
Without full disclosure: • Vendors have no incentive to release patches if there is no customer demand for them • Sysadmins can't make informed decisions about risks to their systems • Malicious individuals have a longer window to exploit a flaw
suid pitfalls
• Programmer is in a rush and makes a program suid root ‣ What are the implications of this? • Difficult to track down who is invoking suid files • Figuring out the interaction between suid files and ACLs enforced by filesystem is complicated
Kerckhoffs' principle
"The security of a cryptographic system shall always and only depend on the secrecy of the key. Everything about the algorithm except for the keys shall be open." • Open and standardized systems are subject to constant analysis by the international research community • Secret systems can only be analyzed by internal specialists ‣ Unless an agency or company has a huge budget, severe and constant analysis of internal security systems is not easy • Any system whose security depends on keeping the details of the system secret is not secure in the long run. • Defense in depth suggests layers, some of which may contain secrets, but the core must be secure without them. • Keeping the "algorithm" and key concepts secret increases the asymmetric information, potentially keeping even experts from evaluating the system without significant effort.
Biometrics
"The use of physical or behavioral properties of human beings for automatic identity recognition"
Hidden directories
. - current directory .. - directory above the current one .bash_history .bash_logout .bashrc attacker creates directory ...
Elliptic Curve Diffie-Hellman (8 steps)
1. Alice and Bob agree on a shared curve generation parameter g g 2. Alice generates her private key a and calculates her public key A A = a × g 3. Bob generates his private key b and calculates his public key B B = b × g 4. Alice sends her public key to Bob A 5. Bob sends his public key to Alice B 6. Alice calculates the shared secret B × a = a × b × g 7. Bob calculates the shared secret A × b = a × b × g 8. The shared secret is the x coordinate of the calculated point on the curve
Signing documents with public key cryptography (3 steps)
1. Alice encrypts the document with her private key, thus signing it {X}Ks,a 2. Alice sends the signed document to Bob {X}kS,A 3. Bob decrypts the document with Alice's public key, thus verifying the signature {X}Ks,aKp,a = X
Sending a message using public key crypto
1. Alice gets Bob's key from the database 2 Alice encrypts her message using Bob's public key and sends it back to Bob 4. Bob decrypts Alice's message using his private key
Protocol for non-repudiation and digital signatures (6 steps)
1. Alice signs a message {X}Ks,a 2. Alice generates a header H containing some identifying info, concatenates it with the signed message, signs that, and sends to Carol {H,{X}Ks,a}Ks,a 3. Carol verifies Alice's information, adds a timestamp, and signs the updated message 3.1 {H,{X}Ks,a}Ks,a, Kp,a = H,{X}Ks,a 3.2 Tc, H,{X} Ks,a 3.3 {Tc, H,{X}Ks,a} Ks,c 4. Carol sends the updated message to Alice and Bob {Tc, H,{X}Ks,a}Ks,a 5. Bob verifies Carol's signature, the identifying information, and Alice's signature 5.1 {Tc, H,{X}Ks,a} Ks,c, Kp,c = Tc, H,{X}Ks,a 5.2 {X}Ks,a Kpa, = X 6. Alice verifies Carol's signature, if she did not originate the message, she raises an alert 6.1 {Tc, H,{X} } Ks,a Ks,c , Kp,c = Tc, H,{X}Ks,a
Zero-knowledge protocol
1. Alice uses her information and a random number to transform the hard problem into another hard problem, one that is isomorphic to the original ‣ She then solves this new instance of the hard problem 2. Alice commits to the solution of the new instance, using a bit-commitment scheme 3. Alice reveals the new instance to Bob. He cannot use this new problem to get any information about the original instance or its solution 4. Bob asks Alice to either: a. prove to him that the old and new instances are isomorphic, or b. open the solution she committed to in step 2 and prove that it is a solution to the new instance 5. Alice complies. 6. Alice and Bob repeats steps 1 through 5 n times
Two-step challenge and response protocol
1. A⟶B: N 2. B⟶A: {B,N} K K = Shared Key • In this scheme, Alice can decrypt the message from Bob, expecting to see the nonce she sent him • The shared key guarantees the integrity of the protocol ‣ But how is the shared key distributed?
Basic Key Exchange Protocol (3 steps)
1. A⟶C: A, B 2. C⟶A: {A, B, Kab, T} Kac, {A, B, KAB, T} 3. A⟶B: {A, B, Kab, T} Kbc, {X}Kab T = timestamp
Some software bugs
1. Buffer overflows ‣ Exceeding memory bounds can have unanticipated consequences 2. Integer manipulation attacks ‣ Overflows, underflows, wrap-around, or truncation can alter the execution flow of the stack 3. Format strings attacks ‣ Your printf() calls could be dangerous 4. Race conditions ‣ Happen when a transaction is carried out in two or more stages
RSA Key Generation
1. Choose two random large prime numbers of equal length, p and q. 2. Compute the product (modulus): n = p⋅q 3. Randomly choose the encryption key e such that e and (p - 1)(q - 1) are relatively prime 4. Use the extended Euclidean algorithm to compute the decryption key, d, such that: ed ≡ 1 mod (p - 1)(q - 1) d = e-1 mod ((p - 1)(q - 1)) • d and n are also relatively prime • The numbers e and n are the public key kP • The number d is the private key kS • The two primes, p and q, are no longer needed. They must be discarded and never revealed Key sizes: Research suggests 1024-bit moduli are too small (i.e., NSA can factor them) *If you are protecting 128-bit AES keys, 2,048-bit moduli are adequate* Example: 1. p = 47 and q = 71 2. n = p ⋅ q = 3337 3. The encryption key e must have no factors in common with: (p - 1)(q - 1) = 46 ⋅ 70 = 3220 4. Choose e at random to be 79. Calculate d: d = 79-1 mod 3220 = 1019 ← solved via extended Euclidean Alg. 5. Publish e and n, keep d secret. Discard p and q.
Problems facilitating signatures on computers
1. Computer files are trivial to copy 2. Computer files are easy to modify after they are signed
RSA Encryption
1. Divide a message X into numerical blocks xi that are smaller than n (with binary data, choose the largest power of 2 less than n). The encrypted messages, {X}, will be made up of similarly sized message blocks {xi}, of the same length 2. Apply the encryption formula: {xi} = xi mod n Example: 1. X = 6882326879666683 2. Break X into small blocks (3 digits here): x1 = 688 x2 = 232 x3 = 687 x4 = 966 x5 = 668 x6 = 003 3. The first block is encrypted as: 688^79 mod 3337 = 1570 = {x1} 4. Repeating the encryption operation on subsequent blocks yields: {X} = 1570 2756 2091 2276 2423 158
AES steps
1. KeyExpansions — round keys are derived from k using a key schedule 2. InitialRound a. AddRoundKey 3. Rounds a. SubBytes b. ShiftRows c. MixColumns d. AddRoundKey 4. Final Round (no MixColumns) a. SubBytes b. ShiftRows c. AddRoundKey
Unfortunate Privacy Truisms
1. Most people don't value their privacy until it is threatened or lost 2. Once invalidated or lost, you will need to regain your privacy over and over again...
Reasons certificates might be revoked
1. Private key compromise ‣ Example: CA DigiNotar was hacked in 2011, allegedly by government sponsored actors (whose government remains an open question) 2. Suspected or actual misbehavior by the holder of the private key ‣ Example: CA certifies a phishing site, thus side-stepping security warnings about a suspicious certificate 3. Cryptographic algorithm is broken or used with an insufficient key size ‣ Example: md5
Definitions of a system
1. Product or component 2. All of the above + an OS, communications and other infrastructure components 3. All of the above + one or more applications 4. All of the above + IT staff 5. All of the above + internal users and management 6. All of the above + customers and other external users
How do we generate prime numbers?
1. Select a random number of a desired length 2. Apply a Fermat primality test (best with base 2 for speed optimization) 3. Apply a certain number of Miller-Rabin primality tests (depending on the length and allowed error rate) 120 Pre-selection: test divisions by small prime numbers (up to few hundreds) or sieve out primes up to 10,000 - 1,000,000 considering many prime candidates of the form b + 2i b = large number I = up to a few thousands
Why do certificates expire at some point?
1. Sense that after some time, the likelihood of compromise is unacceptably high ‣ Unclear what that time period is 2. Algorithms age ‣ Recall our discussions about md5 and 1024-bit public / private key pairs 3. Certificates expire to ease bookkeeping with respect to revocations ‣ No need to keep track of the revocation status of an expired certificate (maybe)
Good design principles for access control
1. Simplicity makes designs and mechanisms easy to understand 2. Simplicity reduces the potential for inconsistencies within a policy or set of policies 3. Restriction minimizes the power of an entity 4. Entities can communicate with other entities only when necessary 5. "Communication" is used in the widest possible sense, including that of imparting information by not communicating
Human errors made while considering a security regime fall into three categories:
1. Slips and lapses at the level of skill 2. Mistakes at the level of rules 3. Mistakes at the cognitive level
Pros of signatures
1. The signature is authentic. 2. The signature is unforgettable. 3. The signature is not reusable. 4. The signed document is unalterable. 5. The signature cannot be repudiated. None of these statements is completely true, but we'll live with the shortcomings for now...
Trustworthy
A system or component that won't fail
Principle of Separation of Privilege
A system should not grant permission based on a single condition. Example: Ubuntu Linux privilege escalation; user must be in group sudo to use sudo(8) Entry in /etc/group: sudo:x:27:walter walter@eve:~$ id uid=1000(walter) gid=1000(walter) groups=1000(walter),4(adm),24(cdrom),27(sudo)
BAN (Burrows-Abadi-Needham) Logic A | ≡ X A |~ X A I⇒ X A | ⊲ X #X {X}k A ↔^K B
A | ≡ X Alice believes X A |~ X Alice once said X A |⇒ X Alice has jurisdiction over X A |⊲ X Alice sees X #X X is fresh {X}k X is encrypted under the key k A ↔^K B A and B share the key k
How primitives map to the algorithm (DH ratchet, MAC, symmetric, hash ratchet)
DH ratchet: Elliptic curve Diffie-Hellman (ECDH) with Curve25519 Message authentication codes (MAC, authentication): Keyed-Hash Message Authentication Code (HMAC) based on SHA-256 Symmetric encryption: AES, partially in Cipher Block Chaining mode (CBC) with padding as per PKCS #5 and partially in Counter mode (CTR) without padding Hash ratchet: HMAC
SELinux context framework
Contexts are attributes used to determine if access should be allowed between a process and an object user:role:type:range Contexts consist of 3 required fields and 1 optional field: user:role:type:range (optional) Example with required fields: system_u:system_r:xserver_t Adding optional multi-level security: system_u:system_r:xserver_t:SystemLow-SystemHigh
Double Ratchet Algorithm
Developed by Trevor Perrin and Moxie Marlinspike (2013) Specifically designed for instant messaging Goal: after initial key exchange, manage shortlived session keys •A cryptographic ratchet is a function that only moves forward •With a prior state value, all future values can be computed • Impossible to calculate an older value from any values beyond it • Client advances one of two hash ratchets (one for sending, one for receiving) - Both are seeded with a common secret from a DH ratchet • Continually provide the remote host with a new public DH value and advance the DH ratchet whenever a new DH value from the remote host arrives • As soon as a new common secret is established, a new hash ratchet is initialized
SubBytes Step
Each byte in the state is replaced with its entry in a fixed 8- bit lookup table (a substitution box), S; Bi,j = S(Ai,j).
AddRoundKey Step
Each byte of the state is XORed with a byte of the round subkey.
MixColumns Step
Each column of the state is multiplied with a fixed polynomial c(x).
Polynymity
From Greek pseudonumon, neuter of pseudonumos, falsely named And poly meaning many, with polynymity meaning many named
Symmetric Key Cryptography
How do two actors communicate securely? 1. Alice and Bob agree on a cryptosystem and key AES Kab 2. Alice encrypts her plaintext message using the chosen cryptosystem and key. This creates a ciphertext message. X, Kab ⇒ {X} Kab 3. Alice sends the ciphertext message to Bob. {X} kab 4. Bob decrypts the cipher text message with the same cryptosystem and key {X} ,kAB ⇒ X
Alternative Trapdoor Function
Ideal property: f and f^ -1 become more difficult at the same rate w.r.t. to the size of the numbers at hand ‣ Elliptic Curves satisfy this property ‣ Unlike factoring, the math isn't as straightforward conceptually
Nymity
Identifiability Measures the degree to which information is personally identifiable or recoverable.
Role of x.500 in LDAP
In essence, LDAP is just an access protocol to an x.500 directory service LDAP is commonly directly implemented in X.500 servers
Eavesdropping and cryptography
Larger keyspaces supporting longer passwords and pin numbers are good, right? ➞ Doesn't affect the "shoulder surfing" attack Master passwords based on a serial number provide a convenient fallback ➞ Serial numbers are rarely protected. (Mechanics, service technicians, janitors, etc. have access to them) What about a physical token? ➞ Potential for replication if an attacker can gain access to it
Operations over the curve
Let's call this operation * Any two points on the curve can be processed by this operation to get a new point: A * B = C It is possible to apply to the same point and subsequent results n number of times A * A = B A * B = C A * C = D
Two-factor Authentication
Let's formalize two-factor authentication as a challenge-response protocol 1. S⟶A: N 2. A⟶P: N, PIN 3. P⟶A: {N, PIN}K 4. A⟶S: {N, PIN}K S = Server P = Password Generator PIN = Personal Identification Number
NaCl: Networking and Cryptography library
Library designed to avoid programming mistakes endemic to low-level libraries D. J. Bernstein's implementation of Curve25519, plus: •No data flow from secrets to load addresses •No data flow from secrets to branch conditions •No padding oracles •Centralizing randomness •Avoiding unnecessary randomness •Extremely high speed
Needham-Shroeder Protocol
Like the basic key exchange protocol, but with nonces instead of timestamps: 1. A⟶C: A, B, Na 2. C⟶A: {Na, B, Kab, {Kab, A} } Kbc } Kac 3. A⟶B: {Kab, A} Kbc 4. B⟶A: {Nb}Kab 5. A⟶B: {Nb - 1} Kab * 4 - 5 B checks if A is alert Works if all of the actors behave themselves, and attacks only come from the outside
Mistakes at the cognitive level
Many of us simply don't understand the problem Example: picture-in-picture attack
Security through obscurity [is/is not] good security
Many people think that a security system becomes more secure if its internal structure is secret Example: A secret encryption algorithm 63 BUT: The exact opposite is the case
SELinux object classes and rules
Object classes are used in the policy and in access decisions to more finely specify what access is allowed file object class has the permissions create, read, write, and unlink unix_stream_socket object class has the permissions create, connect, and sendto Rules bring all of these elements together: allow user_t user_home_t:file { create read write unlink };
Stack overflows
Objective: Execute arbitrary code on target by hijacking application flow control • Extremely common and well known bug in C/C++ programs ‣ First major exploit: 1988 Morris worm • Some knowledge required ‣ Operation of functions and the stack ‣ Assembly language
Privilege Escalation
Some accounts have more privilege than others Example: UID 0 in Unix is the super user This attack exploits a bug, design flaw or configuration problem in an OS or application
Simple Authentication
Scenario: Alice wants to gain access to her workstation, but needs to authenticate via Bob
Stream Ciphers
Some encryption algorithms use a non-repeating stream of key elements to encipher characters of a message Definition: Let E be an encryption algorithm, and let Ek(X) be the encryption of message X with key k. Let a message X = x1x2... , where each xi is of a fixed length, and let k = k1k2... . Then a stream cipher is a cipher for which Ek(X) = Ek1(x1)Ek2(x2)... . If the key stream k of a stream cipher repeats itself, it is a periodic cipher.
Security vs. Privacy
Security: ‣ Accountable to Commander, President or Board of Directors ‣ Access and use controls defined by the system owner ‣ Generally focused on protecting against outsiders ‣ Short-term risk based assessment. (How likely is it?) 6 months Privacy: ‣ Accountable to the subject of the data ‣ Access and use controls defined by design, use limitation, subject consent and legislation ‣ Requires protecting against outsiders, insiders, and system owners ‣ Long-term capabilities based assessment (Is it possible?) 30 years
Digital signatures with encryption (6 steps)
Think of the signatures as proof of authorship and the encryption as the envelope Alice can use two key pairs • For encryption: kP,A,Enc, kS,A,Enc • For signing: kP,A,Sign, kS,A,Sign Advantages: one key pair can be surrendered without affecting the other, one key could be escrowed without affecting the other, keys can expire at different times Timestamps used with the protocol can prevent message reuse 1. Alice signs a message {X}Ks,a 2. Alice encrypts the message with Bob's public key and sends it to him {{X}Ks,a}Kp,b 3. Bob decrypts the message with his private key {{X}Ks,a}Kp,b , kS,B = {X}Ks,a 4. Bob verifies with Alice's public key and recovers the message {X}Ks,a , Kp,a = X 5: Bob signs the message with his private key, encrypts it with Alice's public key, and sends it back to Alice {{X}Ks,b}Kp,a 6: Alice decrypts the message with her private key, verifies with Bob's public key and recovers the message 6.1 {{X}Ks,b}Kp,a , Ks,a = {X}Ks,b 6.2 {X}Ks,b, Kp,b = X
Smartcard banking protocol
Transaction takes place between Alice's smart card and a vending machine owned by Bob, which contains his smart card 1. A⟶B: {A, Na} k 2. B⟶A: {B, Nb, A, Na}k 3. A⟶B: {A, Na, B, Nb, X} k X = electronic check
Privilege Levels in Linux
Users have a corresponding ASCII username useradd(8) limits this to 32 characters in Ubuntu The operating system identifies users by an integer known as a UID Not all UIDs are created equally: • root (0), the superuser • daemon (1) and sys (3), handle some aspects of the network • lp (7), used for the printer system. • mail (8), email delivery • nobody (65534), owns no files and sometimes used as a default user for unprivileged operations
What can a blockchain attacker do?
What can an attacker do? ‣ Refuse to relay valid transactions to other nodes ‣ Attempt to create blocks that include or exclude specific transactions at will ‣ Attempt to create a 'longer chain' of blocks that make previously accepted blocks become 'orphans'
What can't an attacker do?
What can't an attacker do? ‣ Create bitcoins outside of the legitimate mining process ✴ Technically, this is possible, but will be rejected by all other nodes on the network ‣ Steal bitcoins from another user's account ‣ Make payments on a user's behalf or attempt to masquerade as another user
Certificate Authority (PKI)
When you use a certificate, you are relying on the trustworthiness of the issuer • CA issues and signs certificates • Certificates may be for end users • Or, they may be for sub-CAs • Web browsers come with a large set of CAs built in - Your vendor trusts them, but do you? - Are they honest? - Competent? - Does their threat model match yours? • What is a sub-CA allowed to do? - Does it issue certificates for its own jurisdiction, or for any domain? • What authority, if any, is embodied by a CA?
Ophcrack
Windows password cracker based on rainbow tables • Runs on Windows, Linux/Unix, Mac OS X, ... • Cracks LM and NTLM hashes • Free tables available for Windows XP and Vista/7 • Live image available to simplify the cracking
md5
• 128-bit hash function Commonly used as checksum for downloads: $ md5sum ubuntu-14.04.3-desktop-amd64.iso cab6dd5ee6d649ed1b24e807c877c0ae ubuntu-14.04.3-desktop-amd64.iso • Input: 512-bit blocks, divided into 32-bit sub-blocks • Output: Set of four 32-bit blocks, concatenated • After input padding, main loop processes input through four rounds Four non-linear functions, a different one for each round: F (X, Y, Z) = (X ∧ Y) ∨ ((¬X) ∧ Z) G (X, Y, Z) = (X ∧ Z) ∨ (Y ∧ (¬Z)) H (X, Y, Z) = X ⊕ Y ⊕ Z I (X, Y, Z) = Y ⊕ (X ∨ ((¬Z)) If the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of the result will also be
Bots
• A piece of software that runs an automated task over the Internet ‣ Not necessarily malicious (e.g., web crawlers, slack (ones), wikipedia (ones) etc.) • Can spread via a Virus, Worm, or Trojan Horse (similar to a virus, but doesn't replicate itself) • Malicious (ones) are typically designed for spam, denial service attacks, site traffic generation, and game resource harvesting.
Users
• A user is an identity tied to a single entity • Specific systems may add additional constraints • Systems represent user identity in a number of different ways • The same system may use different representation of identity in different contexts
Reconnaissance
• Attacker needs to find vulnerabilities before exploiting them • Reconnaissance can be conducted physically, on the host, or over the network Port scanning and OS fingerprinting are common forms of network recon.
Limits of formal verification
• Bad Assumption: What if Mallory stole k? • Smartcard hardware is not sufficient to guarantee security • Implementation flaw: what if k is actually two keys — a transaction key and an undiversified bank key?
Quantum Cryptography
• Canonical problem for quantum computing: prime number factorization • Shor's algorithm: BQP problem making factoring and discrete logarithm computations easy ‣ Given a sufficiently large quantum computer (~4,000 qubits for a 2048-bit key) ‣ No such computer exists in 2019
Elliptic curve cryptosystem
• Choose the following elements: - a prime number as a maximum - a curve equation, - and a public point on the curve. • A private key is a number n, and a public key is the public point "dotted" with itself n times. • Computing the private key from the public key is called the [elliptic curve discrete logarithm function]. [trapdoor function]
WEP Attack
• Classic example of Related Key attack • Client adapters and APs share WEP key; encryption provided by RC4, a stream cipher ‣ Same key can't be used twice ‣ WEP includes a 24-bit IV in each packet ‣ RC4 key for a packet is IV concatenated with the WEP key Protocol weakness: WEP keys need to be changed manually, which happens infrequently Attacker assumes that the same WEP key is used to encrypt all packets • 24-bit IV means ~17M possibilities • Birthday Paradox leads to a 50% chance of two packets out of every ~5000 sharing the same IV ‣ 99% chance after ~12,500 packets • Once IV is known, attacker can work backwards to recover the WEP key (assuming some known plaintext)
RSA
• First full-fledged public key encryption algorithm - 1978: Ron Rivest, Adi Shamir, and Leonard Adleman • If you need a public key encryption algorithm, this is one to use • Simple to understand and implement - Security comes from the difficulty of factoring large numbers Slow — use to transfer symmetric session keys for the bulk of the encryption
SELinux
• Gives users and administrators more access control than the base OS provides • Access can be constrained on such variables as which users and applications can access which resources • Access controls are determined by a policy ‣ Can't be changed by careless users or misbehaving applications • Adds finer granularity to access controls - Control fundamental OS operations: you specify who can unlink, append only, move a file, etc. - Specify access for network resources and interprocess communication (IPC) • SELinux users are not equivalent to Linux users - They cannot change via su or sudo - Many Linux users will use the same SELinux user - SELinux users that are generic have the suffix "_u", such as user_u. • SELinux roles are defined by the policy - Examples: unprivileged user, web administrator, database administrator - Objects have the role object_r - roles have the suffix "_r", such as user_r • SELinux types are the primary means of determining access - a type has the suffix "_t", such as user_t
Synchronous Stream Ciphers
• Goal: simulate a random, infinitely long key - Extract bits from a register to use as the key ‣ Contents of the register change on the basis of the current contents of the register Period of 8: 10110001 10110001 10110001...
SHA-256
• If you need a one-way hash function, this is the one to use • 256-bit SHA-2 hash function designed by the NSA Should be used as checksum for downloads: $ sha256sum ubuntu-14.04.3-desktop-amd64.iso 756a42474bc437f614caa09dbbc0808038d1a586d172894c1 13bb1c22b75d580 ubuntu-14.04.3-desktop-amd64.iso • Input: 512-bit blocks, divided into 32-bit words • Output: After 64 rounds, the final result is the sum, by individual words modulo 2^32, of the result of this transformation and the original eight word input Ch (E, F, G) = (E ∧ F) ⊕ (¬E ∧ G) Ma (A, B, C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (C ∧ C) ∑0 (A) = (A ⋙ 2) ⊕ (A ⋙ 13) ⊕ (A ⋙ 22) ∑1 (E) = (E ⋙ 6) ⊕ (E ⋙ 11) ⊕ (E ⋙ 25)
Advanced Encryption Standard (AES)
• If you need a symmetric key algorithm, this is the one to use • Based on Rijndael, winner of the 2001 NIST AES competition • Key sizes: 128-, 192- or 256-bit • Block size: 128-bit • Rounds: 10, 12 or 14 (depending on key size) • A substitution-permutation network • Works via a combination of both substitution and permutation operations ‣ Fast in both hardware and software • Operates on 4x4 column-major order matrix of bytes (state)
One-way functions
• Input maps to unique output • Given x, it is easy to compute f (x) • Given f (x), it is hard to compute x Analogy: breaking a window It's easy to smash a window into a thousand pieces; not easy to put it back together
Challenge-Response Protocols
• Problem with one-way authentication schemes: no guarantee messages make it to the intended recipient • This can be solved with a two-way protocol 1. Alice initiates an authentication session 2. Bob responds with proof that he received Alice's message ‣ Alice validates Bob's message
Forms of cryptanalysis
• Known-plaintext attack - Some portion of the plaintext for the given ciphertext is known ‣ Typically not useful these days • Chosen-plaintext attack - Any plaintext can be encrypted with a given cryptosystem and key, but the (private) key itself cannot be analyzed • Related-key attack - Observe operation of cipher under several different keys whose values are initially unknown, but a relationship between the keys can be discerned • Ciphertext-only attack • No access to other information directly involved in the cryptosystem, but might leverage some information related to the plaintext ‣ The statistics of the language the plaintext is written in • Side-channel attack - Information gained from the physical implementation of a cryptosystem, rather than brute force attack or theoretical weaknesses in the algorithm(s)
su (1) and sudo (8)
• Logging in as root is considered to be dangerous these days ‣ Block root ssh access via /etc/ssh/sshd_config PermitRootLogin no option • An alternative: su to root • A better alternative: only run one privileged command at a time • example: sudo service apache2 restart
Access Control
• Mediate access to files, communication ports and other system resources ‣ Example: r for read permission, w for write permission, x for execute permission, and - for no access at all
fail2ban
• Monitors log files for brute force attacks ‣ /var/log/auth.log, /var/log/ apache/access.log • Blocking mechanisms ‣ firewall rules, updates to TCP Wrapper's hosts.deny table, email notifications, or any user-defined action that can be carried out by a Python script. Common Software to monitor: Apache, sshd, Postfix
Requirements for cryptographically strong hash functions
• Must be collision-free: hard to generate two inputs with the same hash value • The output must not be dependent on the input in any discernible way • A single bit change in the input changes, on average, half of the bits in the hash value • Given a hash value, it is computationally infeasible to find the input that hashes to that value
Elliptic curve cryptography
• Next generation of public key cryptography • Provides a significantly more secure foundation than first generation systems like RSA Numbers need to be restricted to a fixed range ‣ Points on the curve are whole numbers in a fixed range. ‣ Numbers roll over when a maximum is hit. ‣ The maximum is chosen to be a prime number. In this case, the curve is called a prime curve and is suitable for cryptography. Set of affine points of elliptic curve y^2 = x^3 - x over finite field F89 Messages are represented as points on the curve
Collision attack
• Note that md5's output space is finite (128 bits), thus collisions must exist ‣ But it should be infeasible to find them
How is privileged enforced?
• OS System Calls • Linux: getuid() returns the real user id of a calling process • Example: attempt to kill a root owned process as a user Target process: root 32661 0.0 0.0 21856 380 ? S Jan18 0:00 /sbin/udevd --daemon User attempts to kill it: walter@eve:~$ kill -9 32661 -bash: kill: (32661) - Operation not permitted kill(2) checks the UID of the calling process and bails out: getpid() = 2391 kill(32661, SIGKILL) = -1 EPERM (Operation not permitted)
Challenge-Response
• One-time authentication mechanism using a non-repeating challenge from a server • The response is a function of the challenge and a secret known to the client challenge: 00193 Wed Sep 11 11:22:09 2015 response: ab0dh1kd0jkfj1kye./
Nonce
• One-time token • Used to avoid a replay attack
Protocol
• Participants must know the protocol and all of the steps to follow • Everyone involved in the protocol must agree to follow it • The protocol must be unambiguous • The protocol must be complete • *It should not be possible to do more or learn more than what is specified in the protocol*
Practical considerations for key management
• Passing around symmetric keys is messy • Public-key Cryptography helps us somewhat ‣ Public Key Infrastructure
Eavesdropping
• Passively watching a channel can yield a lot of information ‣ Even if payloads are encrypted, packet headers can still be useful • Monitoring software can be installed on a host or network device
Reverse Engineering
• Plaintext secrets are often hardcoded in a binary program • Low-level examination of the binary can yield those secrets: ‣ Running it with a debugger ‣ Profiling contents of memory ‣ Disassembling and examining assembler code
Smart cards
• Portable device with a CPU, I/O and a few thousand bytes of memory • "Something you have" rather than "something you know" • Can compute portions of cryptographic protocols for security and convenience purposes
Initialization Vector Pitfall
• Predictable IVs for each transaction ‣ CBC mode: enables online attacks with chosen-plaintext Example: Alice's medical record for a specific condition 1. Assume Mallory can predict IVs: Ivm and Iva 2. Mallory's chosen plaintext: Xm = Ivm ⊕ Iva ⊕ "false" 3. Application encrypts: {Xm}= Ek (IVm ⊕ Xm) = Ek (IVm ⊕ (IVm ⊕ IVa ⊕ "false")) {Xm}= Ek (IVA ⊕ "false") 4. Mallory compares ciphertexts: {Xm}= {Xa}?
Non-disclosure
• Premise: vulnerability information helps attackers, and shouldn't be shared • Situation in computer security up to the mid-1990s - Enforced via vendor legal intimidation and censorship
John the Ripper, attack modes
• Primarily for Unix, but runs on 15 different platforms • Supports many different hash algorithms via system's crypt(3) 1. Dictionary attack • Text string is encrypted in the same format as the password being examined • Both cipher text representations are compared • John can apply a number of "mangling" rules to the dictionary words before encryption Choose a base word → notredame "Leetify" → n0tr3d4m3 Append / prepend things → g0n0tr3d4m3! 2. Brute force attack • John attempts to go through all possible plaintexts, encrypting each one in the same format as the password being examined • Both cipher text representations are compared • Optimization: John makes use of character frequency tables to try plaintexts containing more frequently used characters first
(Full) Disk Encryption
• Protects individual disk blocks • Each block (typically 512 or 2,048 bytes) is encrypted ‣ CBC Mode ‣ Block number is used as the IV ‣ Includes blocks on the free list • Encryption is agnostic to operating system file formats • Can be done via the OS or by the disk hardware • Software: Bitlocker (Windows), FileVault (MacOS), eCryptfs (Linux), softraid (OpenBSD) • Hardware: Hitachi, Micron, Seagate, Samsung, and Toshiba offer TCG OPAL SATA drives ‣ Key management takes place in the disk controller ‣ 128- or 256-bit encryption ‣ Authentication requires the CPU via software pre-boot authentication environment or a BIOS password
File System Encryption
• Protects individual files - Meta-data are exposed, including file size access patterns, and more ‣ Leaks information versus Disk Encryption • Most useful for protecting remote file systems - Client-side unlocking difficult (how to you handle the free list?) - Space must be specified and allocated for the entire file system at creation time • Possibility of different keys for different subtrees, held by different users • Common options ‣ EFS extension of NTFS (Windows) ‣ Transparent encryption extension of EXT4 (Linux) ‣ Transparent encryption extension of F2FS (Linux)
Pluggable Authentication Modules (PAM), configuration files
• Provides authentication modules for applications ‣ Solves problem of developers writing their own authentication modules ‣ Suite of shared libraries with common configurations • During authentication, program invokes library routine pam_authenticate ‣ The routine accesses configuration files in /etc/pam.d ‣ Example: sshd will access /etc/pam.d/sshd (1) account (2) required (3) pam_nologin.so • First field describes the auth. related mechanism treated by the line • Second field controls the calling of the modules ‣ required means failure of the module makes authentication fail • Third field is the name of the module (dynamic library) • Stacking: modules are invoked successively • Configuration determines the order ‣ Caller can make no assumptions about how the modules work ‣ Authentication is in effect hidden from the application using PAM
Bar Mitzvah Attack
• Related attack on RC4 • Invariance weakness - Preserves part of the state permutation process throughout the initialization process - When processed by the PRGA, determines the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream L-shaped key pattern in RC4 keys These biased stream bytes are XORed with the plaintext bytes, resulting in significant leakage of plaintext bytes from the ciphertext bytes Bottom Line: never use RC4
Client-Side Exploitation
• Remote server attacks a vulnerability in a local client ‣ Web browsers ‣ Mobile apps ‣ Cloud-based apps
What did Turing do?
• Served as a cryptanalyst at Bletchley Park during WWII ‣ Designed the electromechanical "Bombe" to decipher Enigma codes
sgid attribute and pitfalls
• Set-group-id (sgid) attribute means a program is run with the privilege of the group associated with that program, and not the user invoking it • Programmer is in a rush and makes a program sgid root ‣ What are the implications of this?
suid attribute
• Set-user-id (suid) attribute means a program is run with the privilege of the owner, and not the user invoking it • Can be used safely in some circumstances ‣ Example: creation of a normal user account for a specific piece of software several users need common access to • Extremely dangerous to use when ownership is associated with privileged accounts -rw*s*r-xr-- 1 root dip 321552 Apr 21 2015 pppd
Bitcoin Blocks
• Small sets of recorded transactions • Each block contains a SHA-256 hash of the previous transaction, thus creating the chain • Blocks are computationally hard to create
Backdoors
• Something left behind on a system or network to grant an attacker future access ‣ Credentials, user-land software, or kernel-land software ‣ Firewall holes and routing rules
Remote Exploitation of Bugs
• Target vulnerabilities on a server • Does not require some previous level of access • Goal is unauthorized access ‣ Could also target data and meta-data Example: ProFTPD IAC - Remote Root Exploit
Local Exploitation of Bugs
• Target vulnerabilities on a single host system • Requires some level of access to that system • Goal is usually privilege escalation ‣ Could also target data and meta-data
Bitcoin Blockchain and Transactions
• The block chain is a shared public ledger • All confirmed transactions are included in the block chain • A transaction is a transfer of value between bitcoin wallets that gets included in the blockchain • Each bitcoin wallet has a private key used for signing transactions ‣ The signature proves that the transaction came from the owner of the wallet ‣ The signature also prevents the transaction from being altered after it has issued
Denial of Service (DoS)
• The goal isn't to gain access, but to make a resource unavailable to users • Can take place at the host or network level • Often associated with extortion and activism
Passwords
• The most common user-facing embodiment of a key • And one of the biggest practical problems facing security engineering today Trouble with passwords • People can't remember infrequently-used, frequentlychanged, or many similar items • The same passwords are reused for different applications
Cons of two-factor authentication
• Time-consuming: minutes instead of seconds • Complicated: entry of a lot of information, including long strings of digits - Customers may revert to physical branches, callcenters and paper checks ‣ Loss of cost savings of online banking
Possible attack against digital dignatures
• Trouble can arise when the same algorithm is used for both encryption and digital signature verification ‣ In these cases, the digital signature operation is the inverse of the encryption operation Assume Mallory is a legitimate user with her own public and private key Mallory records Alice's message to Bob in Step 2 of the protocol: {{X}Ks,a}Kp,b Mallory replays the message to Bob, claiming it came from her {{X}Ks,a}Kp,b Bob decrypts the message, and tries to verify Mallory's signature by applying Mallory's public key. The resulting message is non-sense: Result: {{X}Ks,a}Kp,m *attacker could be detected at this step Bob proceeds with the protocol and sends Mallory a receipt: {{{{X}Ks,a}Kp,m}Ks,b}Kp,m Mallory recovers X by: 1. Decrypting the message with her private key 2. Encrypting it with Bob's public key 3. Decrypting it again with her private key 4. Encrypting it with Alice's public key
Two ways to encrypt a drive
• Two ways to do this ‣ Disk Encryption ‣ File System Encryption • Addresses possibility of an attacker circumventing OS filesystem controls by reading the data via external means • In practice, the implementation and strength of these approaches is quite different
One-time passwords
• Use a password once, then invalidate it ‣ Defeats eavesdropping • Commonly found in two-factor authentication schemes
Hash tables
• Useful data structures that allow searching in O(1) time ‣ Facilitated by a hash function Example: size_t precision = 2; size_t hash(const char* str) { return (*(size_t*)str)>> precision; }
Validation Authority (PKI)
• Verifies the digital certificate of a user • Serves as a trusted third party 206 Q. Why use a VA? A. Facilitates scalability by providing clients with one point of access for CA discovery
Registration Authority (PKI)
• Verifies the identities of users requesting certificates • Tells CA to issue certificate if user is validated 205 RFC 4210: "The functions that the registration authority may carry out will vary from case to case but MAY include personal authentication, token distribution, revocation reporting, name assignment, key generation, archival of key pairs, et cetera."
Colossus Mark 1
‣ First programmable, electronic, digital computer ‣ Designed to break the Lorenz cipher
Graph Isomorphism
‣ If two graphs are identical except for the names of the points, they are isomorphic ‣ For a large graph, finding whether two graphs are isomorphic is an NP-complete problem Can be used for zero-knowledge proofs
Real random
‣ Measured from physical phenomena (Real Random) It cannot be reliably reproduced. If you run the generator twice with exactly the same input, you will get two completely unrelated random sequences Example: timing of read/write head movement, noise from a transistor
Pseudo-random numbers
‣ Produced by computers (Pseudo-random) 1. It looks random. Passes all statistical tests of randomness that we can find* 2. It is unpredictable. Computationally infeasible to predict what the next random bit will be, given complete knowledge of the algorithm, hardware, and all previous bits • Seed Sx is treated as a secret • A seed will yield the same sequence when reused • /dev/random - blocking pseudo-random number generator (hash implementation via SHA) ‣ Handy way to check the entropy pool: $ cat /proc/sys/kernel/random/entropy_avail • • /dev/urandom - unlimited non-blocking pseudorandom number generator • Python: import random (Mersenne Twister) >>> random.seed(1) >>> random.random()
Hamiltonian cycles
‣ e.g., Alice knows a circular, continuous path along the lines of a graph that passes through each point exactly once ‣ This is another computationally hard problem ‣ Bob can know the graph, but not its Hamiltonian Cycle Can be used for zero-knowledge proofs
