Chapter 9 Security

Chapter 9 Security. Topics Introduction Threats, mechanisms, cryptography Security channel Authentication, integrity, confidentiality Access control Firewall,

Dec 21, 2015

Topics

- Introduction
  - Threats, mechanisms, cryptography
- Security channel
  - Authentication, integrity, confidentiality
- Access control
  - Firewall, secure mobile code
- Security management
- Examples
  - Kerberos, E-commerce

What Do We Need to Protect?

- Data
  - Information we keep on computers (product design, financial records, personnel data)
- Resources
  - Unauthorized use of computer time & space
- Reputation
  - Misrepresentation, forgery, negative publicity

Fundamental Security Objectives

- Confidentiality - protection from unauthorized persons
- Integrity - consistency of data; no unauthorized creation, alteration or destruction
- Availability - ensuring access to legitimate users
- Access control - ensuring appropriate use by authorized users

Security Threats

- Interception
  - Unauthorized access to a service or data
  - Eavesdropping
- Interruption
  - Unavailability of service or data
  - Denial of service attack
- Modification
  - Unauthorized changing of data
- Fabrication
  - Adding data or activity that would normally not exist

Security policy

Examples: Threat

[Figure: a client sends a request to a server and receives a response; an attacker is shown replaying messages, eavesdropping, and mounting a denial of service against the server]

Example: Security Policy

- Chinese Wall Model: widely used in the financial world
- Group datasets into "conflict of interest classes"
- Subjects are allowed access to at most one dataset belonging to each such conflict of interest class
- Subject s can access company c's data only if
  a) s has already accessed c's data, or
  b) s has not yet accessed any of c's competitors' data
- s can write to c's data only if s cannot read any other company's sensitive data
- Mandatory security policy for UK Stock Exchange.
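The read and write rules above depend on each subject's access history, which is easier to see in code. The following is an added example, not part of the original slides: the class, the company names and the conflict classes are constructed, and "cannot read any other company's sensitive data" is interpreted as "has not accessed any other company's dataset".

```python
class ChineseWall:
    """History-based checks for the Chinese Wall rules on the slide (illustrative)."""

    def __init__(self, conflict_classes):
        # conflict_classes: {class name: set of competing company datasets}
        self.class_of = {
            company: name
            for name, group in conflict_classes.items()
            for company in group
        }
        self.history = {}  # subject -> set of company datasets already accessed

    def can_read(self, subject, company):
        accessed = self.history.get(subject, set())
        if company in accessed:
            return True  # rule a): s has already accessed c's data
        wanted_class = self.class_of[company]
        # rule b): s has not yet accessed any competitor of c
        return all(self.class_of[c] != wanted_class for c in accessed)

    def can_write(self, subject, company):
        # Assumed interpretation of the write rule: s may read c and holds
        # no other company's data that could leak into c's dataset.
        accessed = self.history.get(subject, set())
        return self.can_read(subject, company) and accessed <= {company}

    def read(self, subject, company):
        """Perform a read if allowed and record it in the subject's history."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def demo():
    # Constructed conflict-of-interest classes.
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    return {
        "alice reads BankA": wall.read("alice", "BankA"),        # first access
        "alice reads BankB": wall.read("alice", "BankB"),        # competitor of BankA
        "alice reads OilX": wall.read("alice", "OilX"),          # different class
        "alice rereads BankA": wall.read("alice", "BankA"),      # rule a)
        "alice writes BankA": wall.can_write("alice", "BankA"),  # also holds OilX data
        "bob reads OilY": wall.read("bob", "OilY"),
        "bob writes OilY": wall.can_write("bob", "OilY"),        # only holds OilY data
        "bob reads OilX": wall.read("bob", "OilX"),              # competitor of OilY
    }


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

The write check is what stops a subject who has read BankA and OilX from copying one company's data into the other's dataset.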

Security Mechanisms

- Encryption
  - Transform data to achieve confidentiality and integrity
- Authentication
  - Verify the identity of the user
- Authorization
  - Check the permission
- Auditing
  - Trace the accesses, used for analysis

Cryptography

Intruders and eavesdroppers in communication.

Classifications

- Symmetric cryptography: shared key
  - P = D_K(E_K(P))
  - DES
- Asymmetric cryptography: a pair of keys
  - P = D_KD(E_KE(P))
  - RSA
- Hash function: one-way function, not reversible
  - h = H(m)
  - MD5

Notations

Notation | Description
K_A,B    | Secret key shared by A and B
K_A^+    | Public key of A
K_A^-    | Private key of A

DES

a) The principle of DES
b) Outline of one encryption round

64-bit data block

Key Generation

Attacking DES

- Cryptanalysis
  - Relies on the nature of the encryption algorithm and additional knowledge of the general types of plaintexts (frequencies of letters etc.)
  - Some samples of plaintexts and ciphertexts
- Brute-force
  - Test every possible key on some ciphertext until a readable result is obtained
  - Can be done in advance if the key is not changed

Brute-force Key Search

Key size (bits) | Key space size       | Mean time required at 1 key test/μsec
32              | 2^32 = 4.3 x 10^9    | 35.8 minutes
56 (DES)        | 2^56 = 7.2 x 10^16   | 1,142 years
128             | 2^128 = 3.4 x 10^38  | 5.4 x 10^24 = 300 billion big bangs
168             | 2^168 = 3.7 x 10^50  | 5.9 x 10^36 big bangs

Don't get impressed easily: DES can now be cracked in hours!

Triple DES

Public-Key Cryptosystems

[Figure, two configurations: (1) plaintext P is encrypted with E_K+(.) under the public key K+ into ciphertext C, which is decrypted with D_K-(.) under the private key K- back into P; (2) plaintext P is encrypted with E_K-(.) under the private key K- into ciphertext C, which is decrypted with D_K+(.) under the public key K+ back into P]

Idea

- Questions:
  - 314159265358979 * 314159265358979 = ?
  - 3912571506419387090594828508241 = ? * ?
- Idea: Use easy algorithm for encryption. Use difficult algorithm for decryption.
- A user picks a public key/private key pair
  - publish the public key
  - private key not published

RSA: Rivest, Shamir and Adleman

- Foundation: no known method that can efficiently find the prime factors of large numbers.
- In RSA, private and public keys are constructed from very large prime numbers (consisting of hundreds of decimal digits)
- Four steps to construct the keys:
  1. Choose two very large prime numbers, p and q
  2. Compute n = p x q and z = (p – 1) x (q – 1)
  3. Choose a number d that is relatively prime to z
  4. Compute the number e such that e x d = 1 mod z

How It Works?

- Encryption: C = P^e mod n
- Decryption: P = C^d mod n
- K+ = (e, n), K− = (d, n)
- The intruder needs to factor n into p and q to crack the code. Higher cost of computation.
- Problems:
  1) Is the number of primes infinite? Yes!
  2) Are they scarce? Yes! 4% of the first 25 billion numbers. And the percentage drops as the numbers get bigger.
- Implication: it is tricky to propose a new prime number. E.g., is 687,532,127 a prime?

Example (1)

To find a key pair e, d:

1. Choose two large prime numbers, P and Q (each greater than 10^100), and form:
   n = P x Q
   Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
   We illustrate the computations involved using small integer values for P and Q:
   P = 13, Q = 17 –> n = 221, Z = 192
   d = 5
3. To find e solve the equation:
   e x d = 1 mod Z
   That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
   e x d = 1 mod 192 = 1, 193, 385, ...
   385 is divisible by d
   e = 385/5 = 77

Example (2)

To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2^k < n (that is, such that the numerical value of a block is always less than n; in practical applications, k is usually in the range 512 to 1024).

k = 7, since 2^7 = 128

The function for encrypting a single block of plaintext M is:

E'(e, n, M) = M^e mod n

For a message M, the ciphertext is M^77 mod 221.

The function for decrypting a block of encrypted text c to produce the original plaintext block is:

D'(d, n, c) = c^d mod n

Rivest, Shamir and Adleman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ n.
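The key construction and the block encryption of Examples (1) and (2) can be carried through with the slides' own numbers (P = 13, Q = 17, d = 5). This is an added example, not part of the original slides: the function names are illustrative, one ASCII character is taken as one 7-bit block, and the last function shows why the toy modulus gives no protection once n is factored.

```python
from math import gcd, isqrt


def make_keys(p, q, d):
    """Steps 1-3 of Example (1): returns K+ = (e, n) and K- = (d, n)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)  # modular inverse of d (Python 3.8+)
    return (e, n), (d, n)


def find_e_by_series(d, z):
    """The slide's method: first element of Z+1, 2Z+1, ... divisible by d."""
    candidate = z + 1
    while candidate % d:
        candidate += z
    return candidate // d


def block_bits(n):
    """Largest k with 2**k < n, so every k-bit block value is below n."""
    return (n - 1).bit_length() - 1


def encrypt(text, public):
    """E'(e, n, M) = M**e mod n, applied to one ASCII character per block."""
    e, n = public
    limit = 2 ** block_bits(n)
    blocks = []
    for value in text.encode("ascii"):
        if value >= limit:
            raise ValueError("block value does not fit in k bits")
        blocks.append(pow(value, e, n))
    return blocks


def decrypt(blocks, private):
    """D'(d, n, c) = c**d mod n, block by block."""
    d, n = private
    return bytes(pow(c, d, n) for c in blocks).decode("ascii")


def recover_d_by_factoring(public):
    """Factor n by trial division and rebuild d; feasible only for toy sizes."""
    e, n = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keys(13, 17, 5)
    print("K+ =", public, " K- =", private, " k =", block_bits(public[1]))
    ciphertext = encrypt("RSA", public)
    print("ciphertext blocks:", ciphertext)
    print("decrypted:", decrypt(ciphertext, private))
    print("d recovered from K+ alone:", recover_d_by_factoring(public))
```

This is textbook RSA exactly as on the slides: there is no padding, so equal plaintext blocks always produce equal ciphertext blocks.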

Secret Message

Signature

Remark: The goal of a signature is to guarantee that the receiver is sure that the received message is from the sender. However, anyone with Gerd's public key can also read it.

Message Digest

- Cryptographic checksum
  - Just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes.
- One-way function
  - Given a cryptographic checksum for a msg, it is virtually impossible to figure out what msg produced that checksum; it is not computationally feasible to find two msgs that hash to the same cryptographic checksum.
- Relevance
  - If you are given a checksum for a message & you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.

Hash Function: MD5

For each round, four functions are applied. And each function has 16 iterations.

MD5: Iterations

Requirements

[Figure: the received msg carries m and MD5(m); the receiver recomputes MD5(m) over m and compares the two values]

Weak collision resistance: given m and h, difficult to find m’ such that h=H(m’)

Strong collision resistance: given h, difficult to find m and m’ such that H(m)=H(m’).

Tamper Proof

[Figure: the received msg carries m and K−{MD5(m)}; the receiver recomputes MD5(m), applies K+ to K−{MD5(m)}, and compares the two values]

Using K+ and K−
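The difference between sending m with MD5(m) and sending m with K−{MD5(m)} shows up as soon as someone on the path rewrites the message. This is an added example, not part of the original slides: the key is a constructed demo key built from two Mersenne primes, the messages are constructed, and the function names are illustrative.

```python
import hashlib

# Constructed demo key: the modulus is larger than any 128-bit MD5 value.
P, Q = 2**127 - 1, 2**89 - 1                     # two Mersenne primes
N = P * Q
K_PLUS = 65537                                   # public exponent (K+)
K_MINUS = pow(K_PLUS, -1, (P - 1) * (Q - 1))     # private exponent (K-)


def md5_int(m: bytes) -> int:
    """MD5(m) as an integer, so it can be fed to modular exponentiation."""
    return int.from_bytes(hashlib.md5(m).digest(), "big")


def send_with_digest(m: bytes):
    """Slide 'Requirements': transmit m together with MD5(m)."""
    return m, md5_int(m)


def receive_with_digest(m: bytes, h: int) -> bool:
    return md5_int(m) == h


def send_signed(m: bytes):
    """Slide 'Tamper Proof': transmit m together with K-{MD5(m)}."""
    return m, pow(md5_int(m), K_MINUS, N)


def receive_signed(m: bytes, sig: int) -> bool:
    # Apply K+ to the signature and compare with the recomputed digest.
    return pow(sig, K_PLUS, N) == md5_int(m)


def scenario():
    original = b"pay Bob $12"          # constructed message
    altered = b"pay Chuck $1200"       # what a tampering party substitutes

    # Unkeyed digest: whoever alters m can simply recompute MD5 as well.
    _, _ = send_with_digest(original)
    plain_accepts_altered = receive_with_digest(altered, md5_int(altered))

    # Signed digest: without K- the old signature is all that can be attached.
    _, sig = send_signed(original)
    return {
        "plain digest accepts altered message": plain_accepts_altered,
        "signed digest accepts original": receive_signed(original, sig),
        "signed digest accepts altered message": receive_signed(altered, sig),
    }


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check}: {outcome}")
```

The unkeyed digest only catches accidental changes; detection of deliberate changes comes from the receiver checking the digest under K+.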

Secure Channels

- Main model of DS: client-server
  - Servers may be distributed and replicated
- How to secure a DS?
  - Establish secure communication between client/server
    - Authentication of communicating partners
    - Ensuring message integrity and confidentiality
  - Establish authorization
    - How to be sure on the server side that a client is allowed to get the requested service?
    - Access control
- Two principles:
  - Set-up phase precedes message exchange
  - Session keys to ensure message integrity

Setup Phase

- Suppose Alice and Bob want to communicate with each other, Alice at machine M1 and Bob at machine M2:
  1. Alice sets up a communication channel,
     a) either by sending a message directly to Bob, or
     b) by sending a corresponding message to a trusted third party, helping to set up this channel
  2. Once the channel has been set up, both sides know for sure that they can exchange messages

Authentication on Shared Key

Optimization?

Reflection Attack

Consequence: use different challenges for initiator and responder

Scalability of Session Keys

- Suppose we have N hosts each sharing a secret key with each of the other N-1 hosts
  - DS has (N-1)*N/2 secret session keys and each host has to manage (N-1) session keys
  - For large N, the number of session keys will be a problem
- Instead you can install a trusted key distribution center (KDC) on one of the nodes of the DS

Authentication: Key Distribution Center

Improvement

Using a ticket and letting Alice set up a connection to Bob.

Ticket

Needham-Schroeder Authentication Protocol

- In early distributed systems (1974-84) it was difficult to protect the servers
  - E.g. against masquerading attacks on a file server, because there was no mechanism for authenticating the origins of requests
  - Public-key cryptography was not yet available or practical
    - computers too slow for trap-door calculations
    - RSA algorithm not available until 1978
- Needham and Schroeder therefore developed an authentication and key-distribution protocol for use in a local network
- An early example of the care required to design a safe security protocol
- Introduced several design ideas including the use of nonces.

Illustration

Nonce: a random number used only once. The purpose is to uniquely relate two messages to each other.

Q1: Why include B in message 2?
Q2: What if Chuck knows an old key K_A,B?

Enhancement

Protection against malicious reuse of a previously generated session key in the Needham-Schroeder protocol.

Authentication Using Public-Key Cryptography

Mutual authentication in a public-key cryptosystem.

Q: how to exchange public keys?

Message Integrity & Confidentiality

Digital Signature

- Goals:
  - To authenticate stored document files as well as messages
  - To protect against forgery
  - To prevent the signer from repudiating a signed document (denying their responsibility)
- Encryption of a document in a secret key constitutes a signature
  - impossible for others to perform without knowledge of the key
  - strong authentication of document
  - strong protection against forgery
  - weak against repudiation (signer could claim key was compromised)

Illustration

Digitally signing a message using public-key cryptography.

Digital Signature (2)

Digitally signing a message using a message digest.

Certificate Authority (CA)

- Verify the owner of a public key
  - Maintain the (owner, public_key) by a certificate authority
- CAs are organized in a hierarchy.
  - For each merchant, it issues a certificate.
  - The names of CAs are widely known, e.g. Verisign.
- Chain of trust
  - Certified by a higher-level CA: the central authority: IPRA

CA Hierarchy

[Figure: tree with IPRA at the root, PCA1, PCA2 and PCA3 below it, several levels of CAs below the PCAs, and users at the leaves]

IPRA = Internet Policy Registration Authority (root)
PCA = policy certification authority
CA = certification authority

Certificate Authorities in X.509

X.509 Certificate Format

- Version
- Serial Number
- Signature Algorithm ID
- Issuer (CA) X.500 Name
- Validity Period
- Subject X.500 Name
- Subject Public Key Info
  - Algorithm ID
  - Public Key Value
- Issuer Unique ID
- Subject Unique ID
- CA Digital Signature

SSL Handshake

[Figure: handshake message exchange; surviving labels: (PK_alg, encr_alg, MD), K-C { R }, Optional]

SSL Record Protocol

[Figure: application data "abcdefghi" is fragmented/combined into record protocol units "abc", "def", "ghi"; each unit is compressed, a MAC (message digest) is added by hashing, the result is encrypted, and the encrypted unit is transmitted in a TCP packet]

Confidential Group Communication

- Goal: secure channels between each pair of nodes
- Share one key?
- Share a key between each pair of nodes?
- Each node has its own private key but all the nodes share a public key.

Access Control

General Issues in Access Control

General model of controlling access to objects.

Access Control

- Access control matrix
- Access control list
- Capabilities

Protection Domains

The hierarchical organization of protection domains as groups of users.

Firewalls

Common implementations of a firewall, e.g. a packet-filtering router or an application gateway

Firewall Solutions

- Definition - hardware &/or software components that restrict access between a restricted network & the Internet or between networks
- Logically - a separator, restricter, analyzer
- Rarely a single object
  - Restricts people to entering at a controlled point
  - Prevents attackers from getting close to other defenses (host controls)
  - Restricts people to leaving at a controlled point

Firewall Capabilities

- Focus security decisions - single point to leverage control
- Enforce security policy - minimize exceptions
- Log Internet activity - analysis
- Limit exposure - separate sensitive areas of one network from another or outside world

Firewall Limitations

- Can't protect against
  - malicious insiders
  - connections that don't go through it
  - new threats
  - viruses
    - scans for source & destination addresses & port numbers, not details of data

Types of Firewalls

- Simple traffic logging systems
  - audit log file of files accessed (HTTPD)
  - site usage/demand hours/links/browsers used
- IP Packet Screening Routers (packet filtering gateway)
  - not only looks at 'can' it route, but 'should' it
  - selectively routes or blocks packets based on rules
  - based on protocols, destination (port 80), known source IP addresses

Types of Firewalls (cont.)

- Hardened Firewall Host (hardware)
  - Halts unauthorized users
  - Concentrates security, hides internal system names, centralizes & simplifies net management
- Proxy Server (software)
  - Deals with external server requests on behalf of internal clients
  - May limit certain HTTP methods (CGI or Java applets)

Filtering Router

[Figure: a filtering router sits between the Internet and the intranet, which contains a mail server (port=25)]

Check the source and destination address.

Make decisions based on security policies.
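A packet-screening router of the kind described on the last three slides can be modelled as an ordered rule list with a default-deny fallback. This is an added example, not part of the original slides: the rule set, the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port


# Constructed policy: intranet 192.0.2.0/24, mail server at .25, web server at .80.
RULES = [
    Rule("deny", "any", "203.0.113.0/24", "0.0.0.0/0", None),   # known bad source
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),     # inbound mail
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80),     # inbound web
    Rule("allow", "any", "192.0.2.0/24", "0.0.0.0/0", None),    # intranet outbound
]


def matches(rule, pkt):
    """Header-only comparison: protocol, source, destination, destination port."""
    return (
        rule.proto in ("any", pkt["proto"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
        and rule.dport in (None, pkt["dport"])
    )


def decide(pkt, rules=RULES):
    """First matching rule wins; a packet that matches nothing is dropped."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed sample packets; "payload" is carried along but never inspected,
# which is the limitation noted on the Firewall Limitations slide.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.25", "dport": 25,
     "payload": "mail with attachment"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.25", "dport": 25,
     "payload": "mail"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.25", "dport": 23,
     "payload": "telnet"},
    {"proto": "tcp", "src": "192.0.2.14", "dst": "198.51.100.7", "dport": 443,
     "payload": "https"},
]


def run():
    return [decide(pkt) for pkt in PACKETS]


if __name__ == "__main__":
    for pkt, (action, index) in zip(PACKETS, run()):
        matched = "default" if index is None else f"rule {index}"
        print(f'{pkt["src"]} -> {pkt["dst"]}:{pkt["dport"]} {action} ({matched})')
```

Rule order matters: the deny for the known source has to come before the allow rules, or that source would still reach the mail server.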

Filtering Router and Bastion Host

Firewall Architectures

- Dual-homed host (two network interfaces)
  - One communicates externally, one internally
  - No direct communication internal to external hosts

[Figure: a proxy client on an internal host talks to the proxy server on the dual-homed host, which talks across the Internet to the real server]

Advantages

- All accesses can be logged
- Reduce the number of Internet connections by making it a caching proxy
- Does not reveal the names and addresses of actual clients inside
- But: slow down page downloading by an order of magnitude.

Other Variations

- Multiple Bastion Hosts
  - Performance, redundancy, need to separate data & servers
  - Usenet, SMNP/DNS, FTP/WWW
- Merge Interior & Exterior Routers
  - Sufficient capability to specify inbound & outbound filters
  - Usually on the perimeter network
- Merge Bastion Host & Exterior Router
- Use Multiple Exterior Routers
  - Multiple connections to Internet or Internet + other sites
- Multiple Perimeter Nets
  - Redundancy, privacy

Futures

- Third-generation Firewalls
  - combined features of packet filtering & proxy systems
- Client & server apps with native support for proxied environments
- Dynamic packet filtering
  - Packet rules modified "on the fly" in response to triggers
- Underlying Internet protocol undergoing revisions - IPv6

Not Recommended

- Merging Bastion Host & Interior Router
  - Breach of host leaves access to internal net
- Using Multiple Interior Routers
  - Routing software could decide fastest way to another internal system is via the perimeter net
  - Difficult to keep multiple interior routers configured correctly
  - Most important & complex set of packet filters
  - May need to use multiples to resolve performance bottlenecks or separate internal networks

Private Network

Virtual Private Network

[Figure: Station 100 on Intranet A and Station 200 on Intranet B are connected through routers RA and RB by tunneling across the Internet; the packet for station 200 and its data are encrypted and carried inside a packet addressed to RB]

Tunneling

Virus

Virus

Memory-Resident Virus

Runs whenever certain interrupts occur.

Encrypted virus

To conceal signature.

Worms: Illustration

[Figure: UNIX address space, from low address to high address: program, statically allocated data, stack]

Procedure Call

[Figure: stack at the high address holding para1, para2 and the return address ret[PC], followed by the buffer area allocated by the called fingerd (512 bytes), which holds aabbcc]

E.g., finger aabbcc

Buffer Overflow

[Figure: stack holding para1, para2 and the return address, which now reads 0100; the buffer holds aabbcc…… and a malicious program (binary) located at 0100]

E.g., finger aabb…zz

Security Management

Key Establishment

The principle of Diffie-Hellman key exchange.

Key Distribution (1)

Secret-key distribution

Key Distribution (2)

Public-key distribution: Certificate

Secure Group Management

Securely admitting a new group member P.

Authorization Management

Capabilities

Server port | Object  | Rights | Check
48 bits     | 24 bits | 8 bits | 48 bits

A capability in Amoeba.

Capabilities Generation

Generation of a restricted capability from an owner capability.

Delegation

- Transfer the access rights on files, resources, etc.
- Suppose Alice wants to delegate rights to Bob
  - If Alice knows everyone, broadcast the certificate
  - Otherwise, construct a certificate saying "The bearer of this certificate has rights R." Problems?
- Using proxy, a token that allows its owner to operate with the rights granted in the token.

The General Structure of A Proxy

Delegating And Exercising Rights

Example: Kerberos (1)

Authentication in Kerberos.

Example: Kerberos (2)

Setting up a secure channel in Kerberos.

Electronic Payment Systems (1)

Payment systems based on direct payment between customer and merchant.

a) Paying in cash.
b) Using a check.
c) Using a credit card.

Electronic Payment Systems (2)

Payment systems based on money transfer between banks.

a) Payment by money order.
b) Payment through debit order.

Privacy Issue

- Using cash
- Using credit card
- Online

Digital Money

- Suppose Alice wants to pay $12 to Bob
  - Contact her bank and request withdrawal of $12
  - Bank hands out digital money (each note is signed)
  - Each note carries a unique serial number
  - Hand over the notes to Bob
  - Bob contacts the bank to check whether the money has been used.
- Problem: privacy issue.
- Solution: blind signature

E-cash

The principle of anonymous electronic cash using blind signatures.