The RSA Algorithm. Content Review of Encryption RSA An RSA example.
FlipIt: A Game-Theory Handle on Password - RSA Conference
Transcript of FlipIt: A Game-Theory Handle on Password - RSA Conference
![Page 1: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/1.jpg)
Session ID:
Session Classification:
Ari Juels
RSA, The Security Division of EMC
FlipIt: A Game-Theory Handle on Password Reset and Other
Renewal Defenses
IAM-108
Intermediate
Slides drawn from presentation by Prof. Ronald L. Rivest, MIT
![Page 2: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/2.jpg)
Outline
Overview and Context
The Game of “FLIPIT”
Non-Adaptive Play
Adaptive Play
Applications of FLIPIT
Lessons
Discussion
![Page 3: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/3.jpg)
Cryptography is mostly about using
mathematics and secrets to achieve
confidentiality, integrity, or other security
objectives.
Cryptography
![Page 4: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/4.jpg)
We make assumptions as necessary, such as
ability of parties to generate unpredictable
keys and to keep them secret, or inability of
adversary to perform certain computations.
Cryptography
![Page 5: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/5.jpg)
Murphy’s Law: “If anything can go wrong, it will!”
![Page 6: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/6.jpg)
Assumptions may fail. Badly. (Maginot Line)
![Page 7: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/7.jpg)
In an adversarial situation, assumption may fail
repeatedly...
(ref Advanced Persistent Threats)
Even worse
![Page 8: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/8.jpg)
Most crypto is like Maginot line...
We work hard to make up good keys and distribute them properly, then we sit back and wait for the attack.
There is a line we assume adversary can not cross (theft of keys).
8
![Page 9: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/9.jpg)
Total key loss
To be a good security professional, there shouldn’t be limits on your paranoia!
(The adversary won’t respect such limits...)
Are we being sufficiently paranoid??
9
![Page 10: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/10.jpg)
Lincoln’s Riddle
Your talking point bullet text here
Your next talking point bullet text here
Third talking point, etc.
Bullet can be indented by pressing the Tab key
Third-level bullet created by pressing Tab key again
Reverse indents with Shift + Tab keys
10
Q: “If I call a dog’s tail a leg, how many legs does it have?”
A: “Four. It doesn’t matter what you call a tail; it is still a tail.”
![Page 11: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/11.jpg)
Corollary to Lincoln’s Riddle
Calling a bit-string a “secret key” doesn’t actually make it secret...
Rather, it just identifies it as an interesting target for the adversary!
11
![Page 12: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/12.jpg)
Our goal
To develop new models for scenarios involving total key loss.
Especially those scenarios where theft is stealthy or covert
(not immediately noticed by good guys).
To help develop a basic science of cybersecurity.
12
![Page 13: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/13.jpg)
FlipIt
The Game of “FLIPIT”
(a.k.a. “Stealthy Takeover”)
joint work with
Marten van Dijk, Alina Oprea, and Ronald L. Rivest
(RSA Labs & MIT)
13
![Page 14: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/14.jpg)
FlipIt is a two-player game
FLIPIT is rather symmetric, and we say “player i”
to refer to an arbitrary player.
14
![Page 15: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/15.jpg)
There is a contested critical secret or resource
Examples:
A password
A digital signature key
A computer system
A mountain pass
15
![Page 16: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/16.jpg)
State of secret or resource is binary
16
Good Bad
Clean Compromised
Secret Guessed or Stolen
Blue Red
Controlled by Defender Controlled by Attacker
![Page 17: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/17.jpg)
A player can “move” (take control) at any time
17
Defender move puts resource into Good state
= Initialize Reset Recover Disinfect
Attacker move puts resource into Bad state
= Compromise Corrupt Steal Infect
Time is continuous, not discrete.
Players move at same time with probability 0.
![Page 18: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/18.jpg)
Examples of moves
18
Create password or signing key
Steal password or signing key
Re-install system software.
Use zero-day attack to install rootkit.
Send soldiers to mountain pass.
Send soldiers to mountain pass.
![Page 19: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/19.jpg)
Continuous back-and-forth warfare…
Note that Attacker can take over at any time.
There is no “perfect defense.”
Only option for Defender is to re-take control later by moving again.
The game may go on forever…
19
![Page 20: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/20.jpg)
Moves are “stealthy”
In practice, compromise is often undetected...
In FLIPIT, players do not immediately know when the other player makes a move! (Unusual in game theory literature!)
Player’s uncertainty about system state increases with time since his last move.
20
![Page 21: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/21.jpg)
Moves are “stealthy”
A move may take control (“flip”) or have no effect (“flop”).
Uncertainty means flops are unavoidable.
21
![Page 22: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/22.jpg)
Moves may be informative
A player learns the state of the system only when she moves.
In basic FLIPIT, each move has feedback that
reveals all previous moves.
(In variants, move reveals only current state, or time since other player last moved...)
22
![Page 23: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/23.jpg)
Movie of FLIPIT game, global view
![Page 24: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/24.jpg)
Movie of FLIPIT game, defender’s view
![Page 25: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/25.jpg)
25
How to play FlipIt well?
![Page 26: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/26.jpg)
Non-adaptive play
A non-adaptive strategy plays on blindly, independent of other player’s moves.
In principle, a non-adaptive player can pre-compute his entire (infinite!) list of moves before the game starts.
Some interesting non-adaptive strategies:
Periodic play
Exponential (memoryless) play
Renewal strategies: i.i.d. intermove times
26
![Page 27: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/27.jpg)
Periodic play
Player i may play periodically with rate αi and period 1/αi
E.g. for α0= 1/3, we might have:
27
![Page 28: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/28.jpg)
Exponential play
If Attacker plays exponentially with rate α1, then her moves form a memoryless Poisson process; she plays independently in each interval of time of size dt with probability α1 dt.
Probability that intermove delay is at most x is
28
-α1x 1 – e
E.g., for α1 = 1/2, we might have:
![Page 29: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/29.jpg)
Non-adaptive play
A key theorem: Among a large class of non-adaptive strategies (renewal strategies) for Attacker and Defender, the optimal strategy is either periodic or not playing at all.
29
![Page 30: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/30.jpg)
Adaptive play
An adaptive player pays attention to her opponent’s moves and adjusts her play accordingly.
Periodic strategy not very effective against adaptive Attacker, who can learn to move just after each Defender move.
Examining periodic vs. adaptive play yields our first, simple lesson: Standard password reset policies are badly conceived!
30
![Page 31: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/31.jpg)
Password reset
Password reset can be modeled in FLIPIT
The Defender takes control by resetting his password.
The Attacker takes control by stealing a password.
Both actions have an associated cost
Passwords can be purchased online in underground markets; tens of dollars for a consumer e-mail password
Password reset has a human cost; help-desk costs for password reset suggest a cost of tens of dollars.
31
![Page 32: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/32.jpg)
Password reset
A Defender benefits by controlling her e-mail account: Her identity is not subject to misuse.
An Attacker benefits by controlling a stolen e-mail account: It may be used to send spam, facilitate identity theft, etc.
Most organizations require users to reset their passwords at regular intervals, e.g., every 90 days.
32
![Page 33: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/33.jpg)
Standard password reset:
Can we do better?
33
periodic (90-day interval) vs. adaptive
t
![Page 34: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/34.jpg)
Alternative password reset
34
exponential (90-day mean) vs. adaptive
t
For realistic parameterizations, Attacker will control
resource a majority of the time
But Defender will have much more control than with
periodic password reset
![Page 35: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/35.jpg)
Optimal password reset
35
vs. adaptive
t
We do know that we can do slightly better than exponential
Delayed Exponential (DE): Wait X days, and then move exponentially
Also ensures users aren’t hit with immediate, sequential resets
????
![Page 36: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/36.jpg)
Choosing parameters
36
vs. adaptive
t
We can estimate costs as already suggested (e.g., costs of help-desk calls)
But the best approach is probably just to choose something “reasonable,” e.g.,
X = 10 days; DE mean = 90 days
????
![Page 37: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/37.jpg)
37
Where else might FlipIt
be applied?
![Page 38: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/38.jpg)
Territorial control
38
Defender
Insurgent
![Page 39: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/39.jpg)
Defender
Insurgent
Territorial control
39
![Page 40: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/40.jpg)
Territorial control (cyberspace)
40
Defender
Attacker
![Page 41: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/41.jpg)
Audit of treaties / cloud security
41
Not enriching uranium
Enriching uranium
Encrypting files at rest
Not encrypting files at rest
![Page 42: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/42.jpg)
Lessons
1. Be prepared to deal with repeated total failure (loss of control).
2. Play fast! Aim to make opponent drop out (Agility!)
(Reboot server frequently; change password often)
3. Arrange game so that your moves cost much less than your opponent’s!
Cheap to refresh passwords or keys, easy to reset system to pristine state (as with a virtual machine)
42
![Page 43: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/43.jpg)
Apply Slide
If you read about FlipIt, you’ll probably
find applications we haven’t thought of
In any case, you might…
Randomize your password reset intervals
Design new infrastructure to be agile, i.e., low cost in the FlipIt sense
E.g., allow virtual machines to be easily rebuilt
43
![Page 44: FlipIt: A Game-Theory Handle on Password - RSA Conference](https://reader031.fdocuments.in/reader031/viewer/2022021006/620385f7da24ad121e4a6819/html5/thumbnails/44.jpg)
Over to you…
44
Speaker
Audience
Visit www.rsa.com/flipit