Introduction to Practical Cryptography Lecture 2 Public Key Cryptography.

Introduction to Practical Cryptography

Lecture 2

Public Key Cryptography

Overview

• Some math

• Public key ciphers– RSA– Diffie-Hellman– ElGamal – Feige-Fiat-Shamir– Elliptic curve cryptography (general idea)

• Certificate Authorities

Some Math

• Modular arithmetic

• Fermat’s little theorem

• Euler’s Totient Function

• Groups

• Euclid – greatest common divisor

• Extended Euclidean – computing inverses

• Chinese Remainder Theorem

(only 21 slides)

Modular Arithmetic

• x mod n = remainder x/n12 mod 9 = 3

• Reduce intermediate results mod n(a+b) mod n = a mod n + b mod n

(ab) mod n = (a mod n) (b mod n) mod n

(a(b+c))mod n = (ab mod n + ac mod n) mod n

Fermat’s Little Theorem

• Any prime p and any a 1 a < p:

ap-1 mod p = 1

Also note that:

• For any x such that ax mod p = 1

x is a multiple of p-1; therefore, x = 0 mod p-1

Euler’s Totient Function

(n) = # of integers < n that are relatively prime to n

• If p is prime, (p) = p-1

• If n = pq, p and q are prime then

(n) = (p − 1)(q − 1)

• If gcd(a,n) = 1 then a(n) mod n = 1

Inverse Example

• a-1 mod n• x = a(n) -1 mod n• 5-1 mod 7

(7) = 656-1 mod 7 = 55 mod 7= (((52) mod 7)((52)mod7)5 mod 7) mod 7= (4)(4)(5) mod 7 = 3

5*3 mod 7 = 15 mod 7= 1

Group Definition

• A group (G, * ) is a set G together with a operator *  satisfying:

• Associative: a, b and c in G, (a * b) * c = a * (b * c). • Identity element e in G: For all a in G, e * a = a * e = a. • Invertible: a in G, there is a b in G such that a * b = b * a = e.• Closure: a and b in G, a * b belongs to G.

Multiplicative Group

• p prime• Z*p = 1,2,3 …. p-1, p• Let g Z*p

– order of g: smallest x for which gx = 1 mod p– 1,g,g2,g3, … gx-1

• There is at least one g Z*p that generates the entire group a Z*p , a = gi for some i {0,1,2 … p-2}– 1,g,g2,g3, … gp-2

Multiplicative Group

• p =7

• Z*7 = 1,2,3,4,5,6

• g = 3

• 1,3,2,6,4,5

Multiplicative Group

• Order of any element g is a divisor of p-1• Let g be generator of Z*p

• Let h Z*p and h ≠ g• h = gx for some x• h0,h1,h2, … = 1,gx,g2x,g3x …• Let q = order of h: hq = 1 = gqx

qx = 0 mod (p-1) (by Fermat) q = (p-1)/gcd(x,p-1)

Multiplicative Group

• Consider again Z*7 = 1,2,3,4,5,6

• h = 2: – subgroup: 1,h,h2 = 1,2,4– order 3 (h3 = 8 mod 7 = 1)

• h = 6– subgroup: 1,h = 1,6– Order 2 (h2 = 36 mod 7 = 1)

• 2 and 3 are divisors of p-1 (7-1 = 6)

More Math

• Let p,q be primes

• Have:– xp-1 mod p = 1 x = 1,2, … p-1– yq-1 mod q = 1 y = 1,2, … q-1

• If n = pq– Not true that xn-1 mod n = 1 for x = 1,2 … n-1

More Math

• Want t such that xt mod n = 1 for most x

• Requires xt mod p = 1 and xt mod q = 1

• From earlier, know this means p-1 divides t and q-1 divides t

• Smallest t with property is lcm(p-1,q-1) = (p-1)(q-1)/gcd(p-1,q-1)

GCD - Euclid’s Algorithm

gcd of x and y, x, y 0

g = y

while (x > 0) {g = x

x = y % x

y = g

}

g is gcd

Inverses: Extended Euclidean

• Want to find x such that ax mod n = 1

• a-1 = x mod n has unique solution only if a and n are relatively prime; otherwise, no solution

• Extended Euclid’s algorithm is one way to find inverse

Extended EuclideanFind inverse (x) of a mod n

n0 = na0 = ax0 = 0x = 1q = n0/a0r = n0 – qa0

while (r > 0) { tmp = x0-qxif (tmp 0) { tmp = tmp mod n}if (tmp < 0) { tmp = n – ((-tmp)mod n)}

x0 = xx = tmpn0 = a0

a0 = rq = n0/a0r = n0-qa0

}

if (a0 ≠ 1) then no inverseelse a-1 = x mod n

Chinese Remainder Theorem

• Why?

• Way of representing keys in RSA – will see later

• Composite number n = pq

• p,q are primes, p ≠ q

• (a,b) = (x mod p, x mod q)

Chinese Remainder Theorem

• First, check there is no x’ such that x’ mod p = a and x’ mod q = b

• Because x, x’ result in same (a,b)• Won’t know unique answer• x’ ≠ x does not exist• Proof:

d = x – x’d mod p = (x –x’) mod p = x mod p – x’ mod p = a – a = 0 d is a multiple of p Likewise, d is a multiple of q

Chinese Remainder Theorem

• Proof continuedd is a multiple of p and d is a multiple of q d is a multiple of lcm(p,q) p ≠ q, p and q are primes, pq = n lcm(p,q) = n d is a multiple of n x –x’ is a multiple of n x, x’ {0,1,2 … n-1} x – x’ {-n+1, -n +2, … n-2, n-1} x –x’ = 0 (no other multiple of n in the range) x = x’ For any (a,b); there is at most one solution for x such that a = x mod p, b = x mod q

Chinese Remainder Theorem – Finding x

• Garner’s FormulaLet x = q(((a –b)(q-1 mod p)) mod p) + b

• won’t show how this equation was obtained, only that it works: (a,b) = (x mod p, x mod q)

• First show 0 x n-1x 0 since both terms are 0 First term, call it t, is in range 0 to p-1 because of mod

p; b is in range 0 to q-1 by definitiont p-1 tq (p-1)qx = tq + b (p-1)q + (q-1) = pq -1 = n-1

Chinese Remainder Theorem – Finding x

• Now show x mod q = b

x mod q = (q(((a –b)(q-1 mod p)) mod p) + b) mod q

= (zq + b) mod q for some z

= zq mod q + b mod q

= 0 + b mod q

= b

Chinese Remainder Theorem – Finding x

• Now show x mod p = ax mod p = (q(((a –b)(q-1 mod p)) mod p) + b)

mod p= (((a - b) q-1)q + b) mod p = ((a - b) (q-1q) + b) mod p = a –b + b mod p= a mod p = a

Chinese Remainder Theorem - Usefulness

• RSA uses n = pq• If n is k bits, p and q are ~ k/2 bits• Addition:

– Addition mod n requires k bit addition and maybe k bit subtraction if addition result > n

– (a,b) representation uses two k/2 bit additions and possibly subtractions, so same amount of work

• Multiplication– multiplying two k bit numbers more than twice the

work of multiplying two k/2 bit numbers• Exponentiation

– even more savings

Trapdoor Function

• easy to compute in one direction• believed to be hard to compute in the opposite

direction (inverse) without secret information (the trapdoor)

Public Key Cryptography

• Uses a key pair – one component is public, one component is private

• Algorithms used in practice depend on the mathematical hardness of factoring or of computing discrete logs.

Uses

• Signatures– Non-repudiation: signature had to generated

by someone with private key

• Encrypt small amounts of data, such as in key exchange protocols

• Establish shared secret (Diffie-Hellman)

Distribution

• Publishing public keys– Certificates– Web site– Send as needed

RSA

• Generate two large distinct (at least 1024 bits) primes p and q; let n = pq

• Compute (n) = (p − 1)(q − 1).• Pick two integers e and d such that ed = 1 mod

(n) where 1 < e < (n) and e and (n) are coprime • The public key is <e,n>; the private key is <d,n>.• The security of the system relies on the difficulty

of factoring n.• Finding such primes is easy; factoring n is

believed to be hard.

RSA

• message m of length < n bits• Encrypt: c = me mod n• Decrypt: m = cd mod n• Why?

cd mod n = med mod n but ed = 1 mod (n)

= m k(n)+1 mod n= (m (n))km mod n= (1k)m mod n= m

(n) is t in the “xt mod n = 1” from earlier

RSA for Signatures

• Encryption with RSA is expensive.

• Typically used to encrypt short data:– Key for symmetric key cipher

• Signature:– Hash message, encrypt result with RSA– To verify: recipient decrypts signature, hashes

original data and compares results

RSA

• If encrypt m1, m2– c1 = m1e mod n– c2 = m2e mod n

• If m3 = m1m2, • c3 = (m1m2)e mod n = c1c2 mod n

• Solution– Padding: append to message before encrypting– Hashing: hash data to shorten before signing

RSA

Parameter sizes• n of 3072 bits equivalent security of 128-bit key

in AES• n of 15360 bits equivalent to 256-bit key in AES• NIST SP800-57, May 2006 Recommendation for

Key Management – Part 1

Diffie-Hellman Key Exchange

• Allows two entities, Alice and Bob, to establish a secret key

• p is a large prime• g < p

– With condition that:• The multiplicative group Zp

* denotes the numbers coprime to p

• Zp* is cyclic since p is prime

• g is a primitive root mod p every q < p is coprime to p q < p, q = gi mod p for some i

• g, p known in advance, can be public

Diffie-Hellman

• Alice picks x, secret• Bob picks y, secret • Alice computes Ta =gx mod p• Bob compute Tb = gy mod p• Alice and Bob exchange Ta, Tb

• Alice computes k = Tbx mod p

• Bob computes k = Tay mod p

• Shared key = k: Tbx = gyx = gxy = Ta

y

Diffie-Hellman

• Example (values are too small for use in practice)– p = 19, g =2 – x = 3, y = 8

– Ta = 23 = 8 (mod 19)

– Tb = 28 = 256 = 9 (mod 19)

– k = 93 = 729 = 7 (mod 19) = 88 = 7 (mod 19)

Note: 88 mod 19 = 40962 mod 19 = 112 mod 19 = 7

4096 mod 19 = 11

Diffie-Hellman Key Exchange

• If intercept TA and TB ,

• Can’t find x or y (discrete log problem)

• Thus can’t compute k

DH – Man-in-Middle Attack

AlicegSA = 8389

AdversarygSx = 5876

BobgSB = 9267

shared key k1 shared key k2

Work-around: have published gSA, but then everyone communicating with Alice needs to use same g,p

Diffie-Hellman

Parameter Sizes:

• p of 3072 bits, x,y of 256 bits equivalent to the security of a 128-bit key in AES

• p of 15360, x,y of 512 bits equivalent to the security of a 256-bit key in AES

ElGamal

• Prime p

• Random g,x g < p, x < p

• y = gx mod p

• Public key: (y,g,p)

• Private key: x

ElGamal Signature

• Message M• Choose k < p-1 and relatively prime to p-1• k is secret and unique per message• a = gk mod p• Solve for b in • M = [xa+kb] mod (p-1)• Signature of M is (a,b)• Verification: yaab mod p = gM mod p• If k reused or obtained, x can be obtained

ElGamal Signature Example

• Parametersp = 11, g = 2, x = 8 y = 28 mod 11 = 3Public key is (y,g,p) = (3,2,11)M = 5Suppose choose k = 9

• Signature of Ma = 29 mod 11 = 65 = (8*6+9b) mod 10 results in b = 3Signature of M is (6,3)

• Verification 3663 mod 11 = 25 mod 11((36 mod 11) (63 mod 11) mod 11) = 32 mod 113*7 mod 11 = 10

ElGamal Encryption

• EncryptChoose random k relatively prime to p-1y = gx mod pa = gk mod pb = ykM mod pCiphertext = (a,b)

• DecryptM = b/ax mod pax = gkx mod pb/ax = ykM/ax = gxkM/gxk = M mod p

Feige-Fiat-Shamir Basics

• n = product of two large primes • Trusted entity selects v, a quadratic residue mod n (i.e. x2 = v mod

n has a solution and v-1 mod n exists) • v is Alice’s public key. • s = sqrt(v-1) mod n (smallest such s) is Alice’s private key• Alice picks random r, r < n

– Computes x = r2 mod n• Bob sends Alice a random bit, b• If b = 0, Alice sends Bob r; else sends y = rs mod n• Bob verifies:

– If b = 0, Bob verifies that x = r2 mod n (Proves to Bob that Alice knows sqrt (x)).

– If b = 1, Bob verifies x = y2v mod n (y2v = r2s2v = r2v-1v = r2 mod n = x)• Repeat number of times until Bob is sure Alice knows s (and wasn’t

lucky in guessing a few times)

FFS - Identification

• n as before• Trusted entity selects k v values this time instead of just one: v =

(v1,v2, … vk)• v is Alice’s public key (a sequence of k values) • Corresponding s= (s1,s2, … sk) is Alice’s private key• Alice picks random r, r < n

– Computes x = r2 mod n• Bob sends Alice a random bit string, b = (b1,b2, … bk)• Alice computes stmp = product of all si’s for which bi = 1• Alice sends y = r(stmp) mod n to Bob• Bob computes vtmp = product of all vi’s for which bi = 1 • Bob verifies x = y2(vtmp) mod n• Repeat number of times, t, until Bob is sure Alice knows s (and

wasn’t lucky in guessing a few times)• Probability Alice fools Bob is 2-kt

FFS - Example

n = 35 (= 5*7)

vi, vi-1, si

1,1,14,9,39,4,211,16,416,11,929,29,8

k = 4 Don’t use 14, 9 are inverses, so can only use one of them

FFS - Example

• Public key: (4,11,16,29)• Private key: (3,4,9,8)• One round of protocol:

– Alice picks r = 16, 162 mod 35 = 11– Alice sends 11 to Bob– Bob picks b = (1,1,0,1) and sends to Alice– Alice computes (16)(3)(4)(8) mod 35 = 31and

sends to Bob– Bob computes (31)2(4)(11)(29) mod 35 = 11

FFS - Signature Scheme

• v, s as before (public key)• Alice picks t random r’s between 1 and n:• r1, r2, .. rt

• Computes xi = ri2 mod n for each I

• H = hash• m = message to sign• Alice:

– computes h = H(m, x1, x2 .. xt)– uses first kt bits of h as values for bij for i = 1 to t, j = 1 to k– computes ytmpi = product of si’s mod n where bij = 1– computes yi = (ri)(ytmpi) mod n– sends Bob m, all bij’s and all yi’s

• Bob:• computes ztmpi =product of vi’s mod n where bij = 1• computes zi = (yi

2)(ztmpi) mod n• Verifies first kt bits of H(m,z1,z2, .. zt) are the bij’s

Elliptic Curve

• Public key algorithm• Elliptic curves over finite fields• Just want to mention – won’t go into math• Tutorial on elliptic curves:

http://www.certicom.com/index.php?action=ecc_tutorial,home

Elliptic Curve

• set of points (x,y) such that y2 = x3 + ax + b • x, y, a, b R• If x3 + ax + b has no repeated factors, then the curve is a

group (under addition)• Example: y2 = x3 - 4x + 0.67

Elliptic Curve

• negative of a point P = (x,y) is its reflection over the x-axis: -P = (x,-y)

• P on elliptic curve, -P is on the curve. P,Q are on the curve

• P+Q (when Q ≠ P,-P)draw line through P and Qthe line will intersect the curve at a third point: -RP+Q = R (negative of the third point)

Additive Identity• vertical line from P to -P does not intersect the

elliptic curve at a third point• additive identity: O = point at infinity

P + (-P) = O

P + O = P

P+P• When y coordinate ≠ 0

• Use line tangent to P

P+P

• When y coordinate = 0

• 2P = P+P = O

• Note: 3P = P+2P = P + O = P

4P = 2P + 2P = O

5P,7P …. = P

6P,8P,10P … = 0

Elliptic Curve

• Raise points to powers – repeated multiplication• (gx)y = gxy = (gy)x

• Factoring hard• Discrete log hard

Elliptic Curve

• Public key, private key k = private key G is a point P = kG is public key

• DH: PA = kAG

PB = kBG

Shared secret kBkAG

ECC Key Size

• Key size: order of base point G• 256-383bits 128 bit AES key 512 256 bit AES key

Public Key Infrastructure (PKI)

PKI Overview

• Public Key Infrastructure: components necessary to distribute public keys– Certificates– Repository for obtaining/retrieving certificates– Certificate revocation– Evaluation of train of certificates using public

keys known/trusted in advance

Certificate Authority

• Central point for certificates

• Signs cert for Alice containing her public key

• Others need only CA’s public key

• Revocation? – Online real time – Offline CA –expiration date, certificate

revocation list

PKI Overview - Chains

• Bob receives certificate saying

[Alice’s public key is X]Carol

signed by Carol

• Suppose Bob doesn’t know/trust Carol, but trusts Ted, use chain

[Carol’s public key is Y] Ted

[Alice’s public key is X]Carol

PKI Overview - Terms

• Certificate: contains name, public key (and other information)

• CA: certificate authority, required components• Issuer: signer of certificate, vouches for it• Target: entity want to find path to• Verifier: evaluates chain of certificates• Principal: any entity with public key• Trust chain: verifiable chain, 1st certificate signed

by trust anchor

PKI Models - Monopoly

• 1 CA trusted by everyone– CA public key embedded in all software,

hardware– Issues all certificates

• Simple model, not practical– Infeasible to change key– How to remotely certify everyone– Security relies on trust in single entity

Monopoly + Help

• Registration authorities (RA)

• Distributed, verifies identities of entities requesting certificates

• CA trusts RAs

• All certificates signed by CA

Delegated CAs

Anchor CA

CA1 CA2 CAn

•Principals obtain certificates from delegates•Chain:

•Certificates signed by delegate•Delegate CA has certificate signed by anchor CA

Oligarchy

• List of trust anchors

• Example: Default list in browsers

• Users don’t know what a valid list is

Anarchy

• Example: PGP• Each user has to define own list of trust anchors• If receive certificate from someone not in own list, go to

public database and see if can find a chain from someone in own list

• Infeasible if every person participates – contributes certificates to public database

• Can chain derived from database really be trusted?– Alice gets certificate signed by Ted. Alice has Bob in her anchor

list. – Database tells her Bob trusts Carol, Carol trusts Dave, Dave

trusts Eve, Eve trusts Fred, Fred trusts Ted.– What if someone added fake certificates to database?– In contrast, more likely to trust a few CAs weren’t compromised.

CAs and Names

• CA can only vouch for certain names

• Hierarchy

CA for edu

CA for Columbia CA for Johns Hopkins

AlumniStudentsFaculty

AlumniStudentsFaculty

CA for gov

CA for whitehouse, congress

CA for agencies

Revocation

• Why needed?– Stolen private key– Person leaves company– Division spun off from company– Moore’s law – processing power increasing,

recommend size of key increases– Attacker falsely obtains valid certificate

• Methods– Expiration dates– Certificate revocation list (CRL)

Expiration date

• Time required to issue certificates, so most valid for months or years

• Too long to wait if key is stolen• Systems may not use CRLs and wait for

expiration date• Principals not renewing certificates due to cost

– Browsers may avoid checking expiration date because servers never bother to renew certificates

– Don’t want it to appear to the end user as if browser is broken

CRLs

• CA periodically issues signed list of revoked CRLs– Can quickly become large– Delta CRL – only changes since last CRL– Timing still an issue

• Online Certificate Status Protocol (OCSP) – used for obtaining the revocation status of X.509

certificate– RFC 2560– Send query to responder asking if certificate is valid,

responder checks database and replies– Timing still an issue - requires up-to-date list

Obtaining Certificate

• Issuers responsible for ensuring entity requesting a certificate is authorized to request it on the company's behalf – remote– physically present with id

• Errors happen• Example: Geotrust's (Equifax) cert verification process

– automated: request a cert for a particular website site triggers Geotrust to send an e-mail to the address included in the Web site's registrar records, includes code the recipient needs to phone in to complete the process

– mountain-america.net vs mountainamerica.net– http://blog.washingtonpost.com/securityfix/2006/02/

the_new_face_of_phishing_1.html

Styles of Certification

• At least 3 major styles

• X.509/PKIX — traditional hierarchical CA

• SPKI/SDSI — authorization certificates

• PGP web of trust (primarily for email)

What is in a Certificate?

• Public key

• Technical information, such as algorithm identifiers

• More identification information — company, location, etc.

• Expiration date

• Logos

• Certificate role

X.509

• Version • Serial Number • Algorithm ID • Issuer • Validity

– Not Before – Not After

• Subject • Subject Public Key Info

– Public Key Algorithm – Subject Public Key

• Issuer Unique Identifier (Optional) • Subject Unique Identifier (Optional) • Extensions (Optional)

– ... • Certificate Signature Algorithm • Certificate Signature

Examples

• Cs department certificate fall 2006

• Columbia University certificate fall 2006

Example

• Signer Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate

Authority • Validity dates

Not Before: Jul 7 19:51:50 2005 GMT Not After : Oct 7 19:51:50 2006 GMT

• Algorithms (RSA, SHA1, MD5)Signature Algorithm: sha1WithRSAEncryption

• Certificate Revocation List (CRL)X509v3 CRL Distribution Points:

URI:http://crl.geotrust.com/crls/secureca.crl

Example

• Certificate usage — encryption and authentication, but not for issuing other certificates

X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Non

Repudiation, Key Encipherment, Data Encipherment

…X509v3 Extended Key Usage: TLS Web Server

Authentication, TLS Web Client Authentication

Example

• If certificate was for vouching for other certificates, would contain:X509v3 extensions:

X509v3 Basic Constraints: critical

CA:TRUE

Root Certificate

• Issuer and subject are the same

• Manually install in application/installed in default list (example: browsers)

Utilities

• JAVA keytool

• openssl

keytool

• generate a new public/private key pair and put the public key in a self-signed certificate keytool -genkey -alias alice -keypass alicekey

• Use - keystore to specify keystoreDefault is .keystore

• keytool –h for options

• http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html

openssl

• Generate keyopenssl genrsa -out privkey.pem 2048

2048 bit RSA private key, also contains public key

• Self-signed cetificateopenssl req -new -x509 -key privkey.pem -out

cacert.pem -days 1095

http://www.openssl.org/docs/HOWTO

TSL/HTTPS not Always Sufficient

• Consider phishing

• Use of https not sufficient in preventing

Phishing Example1: Chase

Dear Customer,CONGRATULATIONS !!!We are very satisfied about the Reward Survey results and we've made improvements to

JPMorgan Chase Bank Online web page. To make all the customers happy we will credit every account that uses every day our online banking service with 100$.

Helping us better understand how our customers feel, benefits everyone. With the information collected we can decide to direct a number of changes to improve and expand our online services.We kindly ask you to spare two minutes of your time in taking part with this unique offer! This offer expires in 24h after you recieve this message.

To Continue click on the link below:https://chaseonline.chase.com/chaseonline/signup/sso_signup_filter.jsp?LOB=RBGSurvey

©2006 JPMorgan Chase & Co.

Link is then mapped to another url in href tag

Chase -headerFrom [email protected] Fri Oct 6 12:22:46 2006Return-Path: <[email protected]>Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20])

by parker.cs.columbia.edu (8.12.10/8.12.10) with ESMTP id k96GMijM008316(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)for <[email protected]>; Fri, 6 Oct 2006 12:22:44 -0400 (EDT)

Received: from exchange.rremc.local (mail.rremc.com [216.199.214.82])by cs.columbia.edu (8.12.10/8.12.10) with ESMTP id k96GMg5P026987for <[email protected]>; Fri, 6 Oct 2006 12:22:43 -0400 (EDT)

Received: from User ([62.81.199.90] RDNS failed) by exchange.rremc.local with Microsoft SMTPSVC(6.0.3790.1830); Fri, 6 Oct 2006 12:24:52 -0400

Reply-To: <[email protected]>From: "Chase Bank"<[email protected]>Subject: Chase OnlineSM $100 Reward Survey. Date: Fri, 6 Oct 2006 18:22:28 +0200MIME-Version: 1.0Content-Type: text/html;

charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <[email protected]>X-OriginalArrivalTime: 06 Oct 2006 16:24:52.0667 (UTC) FILETIME=[F3B928B0:01C6E963]X-PerlMx-Spam: Gauge=XIIIIII, Probability=16%, X-Seen-By filter2.cs.columbia.eduStatus: ROX-Status: AX-Keywords: X-UID: 19426

Phishing Example 2: ebay • <img

src="http://pics.ebaystatic.com/aw/pics/logos/ebay_95x39.gif" border="0" alt="eBay">

• <a href="http://pages.ebay.com/securitycenter/selling_safely.html">• href="http://pages.ebay.com">http://pages.ebay.com/education/

spooftutorial</a><br><br>• “Respond Now” link href="http://www.google.com/pagead/iclk?

sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://host217-37-160-25.in-addr.btopenworld.com:82/ebay.com/reg.php" border="0"><img src="http://pics.ebaystatic.com/aw/pics/buttons/btnRespondNow.gif" width="120" height="32" alt="Respond Now" border="0"></a></td>

ebay - header

Received: from hoemail1.lucent.com (hoemail1.dmz.lucent.com [192.11.226.41])by ihmail.ih.lucent.com (8.11.7p1+Sun/8.12.11) with ESMTP id l1769Lu07527for <[email protected]>; Wed, 7 Feb 2007 00:09:21 -0600 (CST)

Received: from mail.com (pd95b3a19.dip0.t-ipconnect.de [217.91.58.25])by hoemail1.lucent.com (8.13.8/IER-i) with SMTP id l1769EFE002509for <[email protected]>; Wed, 7 Feb 2007 00:09:15 -0600 (CST)

Message-Id: <[email protected]>From: "eBay member" <[email protected]>Subject: Question about Item -- Respond NowDate: Wed, 7 Feb 2007 07:17:33 +0100MIME-Version: 1.0Content-Type: text/html;

charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000X-Scanned-By: MIMEDefang 2.57 on 192.11.226.161Content-Length: 14656

TLS/HTTPS not Sufficient

• Most phishing emails display “https” link in email but href to http

• Sophisticated Phishers get certificate, use https– Phisher’s linkhttps://www.rbcbanking.com– Real Bank’s link (Royal Bank of Canada)https://www1.royalbank.com and https://www1.rbcroyalbank.com

• Mountain America example• In generalhttps://www.joephisher.com/banksname.comvs https://www.banksname.com

TLS/HTTPS not Sufficient

• If certificate signed by “trusted” CA, no warning displayed to user– Recall browser may have 100+ “trusted CAs”

• If certificate not signed by trusted CA, most people click to ok/proceed when warning pops up– Most people also ignore http vs https

Social Engineering

• Not Detected by tools/filters• Someone persuaded a reputable CA to issue

them a certificate for Mountain America, a credit union– The DNS name was www.mountain-america.net– looks legitimate, but real credit union site is at

www.mtnamerica.org.– (There’s also www.mountainamerica.com, a Las

Vegas travel site)– Which site was intended by the user?