Class on Security
-
Upload
bevis-rowe -
Category
Documents
-
view
19 -
download
0
description
Transcript of Class on Security
![Page 1: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/1.jpg)
Class on Security
Raghu
![Page 2: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/2.jpg)
Current state of Security
Cracks appear all the time
Band Aid solutions Applications are not
designed properly OS designs are not good Internet is a can of
worms Hardware is secure
Applications
Operating System
Hardware
![Page 3: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/3.jpg)
Problems
Badly designed Libraries Trojans exploit Buffer Overflow attack – read
exploits on MDAC Most attacks originate on the Internet How?
– Social Engineering Messenger Mail
![Page 4: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/4.jpg)
Problems Continued
Credit Card thefts are quite common Passwords are stolen Social Security is stolen Why?
– Shared secret– Is shared secret really a secret?
No
![Page 5: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/5.jpg)
Solutions
None!– Not really, none in the current set up
So what can be done?– Some sort of overhaul is required– So what can we do to avoid shared
secret?
![Page 6: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/6.jpg)
The first step
Public – Private Key encryption You encrypt/decrypt using one key, and the
corresponding decryption/encryption happens through the other key.
If encryption is done using public key, decryption is done using private key, and vice versa.
![Page 7: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/7.jpg)
Public – private key contd
Your public Key is known to everyone. Only you have the private key. All authentication based on challenge response Your private key is never exposed*
* Standard terms and conditions apply
![Page 8: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/8.jpg)
Example of a Secure System
SSL – Secure Sockets Layer– Based on Public Private Key– Server’s Public key is stored at the client side– Data exchanged is encrypted with session key
![Page 9: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/9.jpg)
SSL connection establishment
Client hello Server hello Client sends session key, password Communication is encrypted using session
key
![Page 10: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/10.jpg)
SSL
Can someone impersonate server?
– As long as the client knows the public key of the server - NO
![Page 11: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/11.jpg)
SSL continued
SSL was designed even before the internet was up.
SSL is well thought through. It is a nice example of public – private key scheme that works.
Public – Private key systems should replace Shared Secret systems
![Page 12: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/12.jpg)
Digital Certificates
Alice goes and asks Bob for a certificate. Bob generates* a public – private key
pair and gives it to Alice. Bob generates a document and places
on it the following– Alice’s Name/Info– Alice’s public Key– Bob’s Info which can be the Certificate– Signature
ALICE
Pub Key of Alice
Bob’s Info – [certificate]
Signature
* Is this Completely Correct?
![Page 13: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/13.jpg)
Signature??
Bob takes Alice’s Public key and finds its Hash Then he encrypts the above value with his private
key This is the signature
Public Key
Kpub [A]
Hashing Algorithm
H(Kpub[A])RSA
Encryptor
Bob’s Private Key
Kpriv[B]
Priv[B]{H(Kpub[A])}
![Page 14: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/14.jpg)
So what is a signature
Your Identity
The certificate proves that you are indeed who you claim you are.
So can I get a certificate in the name Ronaldo Luiz Nazário de Lima
– Yes – Then what is the point?
![Page 15: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/15.jpg)
You are who you claim?
I claim to be a person, say Ronaldo for instance.
I produce a certificate saying the holder of this certificate is Ronaldo
Now If I do have the private key corresponding to the public key on the certificate, then I am indeed the person who owns the certificate.
![Page 16: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/16.jpg)
So where does that leave us
Suppose Alice wants to talk to the server Bob How does Bob know if Alice is indeed Alice? Digital Certificates helps Bob identify Alice Suppose Bob trusts Trent Alice has a certificate signed by Trent, which says –
this certificate belongs to Alice Bob Sees the certificate and agrees that Alice is
indeed Alice. Can Mallory steal the certificate and pose as Alice to
Bob?
![Page 17: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/17.jpg)
Stolen Certificates?
We show our digital certificate everywhere for authentication.
So can someone who has seen the certificate not replicate it.– Sure, Yes.– So what good is a certificate
![Page 18: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/18.jpg)
Challenge Response
This problem is solved by challenge response.
Mallory has Alice’s certificate– Does she become Alice
Bob does a challenge response.– He sends a random number encrypted in the
public key on the certificate.– If Mallory produces the random number from the
encrypted value, great, impersonation achievedOtherwise she is not the holder of the certificate.
![Page 19: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/19.jpg)
So where can certificates be used
Authentication If I have a certificate from ASU, I can get
authenticated using my certificate. – No ASU id required– No password required
If I have a certificate from my bank, I can log on to the Bank’s website without a password.
Moreover, If I have a certificate from the government, do I need to show my Social Security Number at every step?
![Page 20: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/20.jpg)
Recap
Shared Secrets are pretty much shared non secrets– Why? A password is entered on every computer that you
have to log on.– My Social Security # is in a number of offices.
Wherever I worked on campus Division of Graduate Studies Human Resources Financial Aid Services
– Great, so how many people know my secret? I have lost count
![Page 21: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/21.jpg)
Recap
We saw two protocols that work Why do they work
– They are NOT based on shared secrets– If we all shift to using the public private key
system, my private key will never be revealed*
*Blah, Blah Apply
Will tell the reason in a few slides
![Page 22: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/22.jpg)
Fixing Bad designs
We saw how to fix the problem of authentication using Public Private Key systems
We saw how to get rid of shared secrets
What about credit cards?– That is another mess that can be cleaned
![Page 23: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/23.jpg)
Fixing Credit Cards
Bob – card Provider Alice – card holder Bob provides a credit card based on Public –
private key Alice signs the hash of a bill using the private
key Bob decrypts the sign using Alice’s public
key
![Page 24: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/24.jpg)
Small Terms and Conditions
Private Key of a digital certificate is stored on a computer
How secure is a computer– Not very secure
What can a Virus do?– Delete files, format system….,
No this is old hat– Steal your Private Key.
Your certificate is as good as nothing– It can install a spurious certificate
![Page 25: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/25.jpg)
Viruses
How many trojans*/ viruses in the open– Probably thousands
* NOT USC Trojans
![Page 26: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/26.jpg)
How is a computer made secure
Anti – Virus Firewall Anti Spyware
….
….
…. So these software protect the Computer Now who protects these software?
![Page 27: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/27.jpg)
Attacks on Anti viruses
Anti virus is a process It can be easily identified It can be killed It can be patched on Examples
– SpamThru Trojan– Beast– Win32.Glieder.AF
![Page 28: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/28.jpg)
So what am I doing
Trying to create an anti virus process that is undetectable
A funky name coined for this project is– “The Undetectable Virus Detector”
Steganography principles
![Page 29: Class on Security](https://reader036.fdocuments.in/reader036/viewer/2022062321/5681345e550346895d9b441e/html5/thumbnails/29.jpg)