Security

i206 Fall 2010

John Chuang

Some slides adapted from Coulouris, Dollimore and Kindberg; Dave Messerschmidt; Adrian Perrig

John Chuang 2

Security

Bits & BytesBinary Numbers

Number Systems

Gates

Boolean Logic

Circuits

CPU Machine Instructions

Assembly Instructions

Program Algorithms

Application

Memory

Data compression

Compiler/Interpreter

OperatingSystem

Data Structures

Analysis

I/O

Memory hierarchy

Design

Methodologies/Tools

Process

Truth tableVenn DiagramDeMorgan’s Law

Numbers, text,audio, video, image, …

Decimal, Hexadecimal, Binary

AND, OR, NOT, XOR, NAND, NOR,etc.

Register, CacheMain Memory,Secondary Storage

Context switchProcess vs. ThreadLocks and deadlocks

Op-code, operandsInstruction set arch

Lossless v. lossyInfo entropy & Huffman code Adders, decoders,

Memory latches, ALUs, etc.

DataRepresentation

Data

Data storage

Principles

ALUs, Registers,Program Counter, Instruction Register

Network

Distributed Systems Security

Cryptography

Standards & Protocols

Inter-processCommunication

Searching, sorting,Encryption, etc.

Stacks, queues,maps, trees, graphs, …

Big-O

UML, CRC

TCP/IP, RSA, …

ConfidentialityIntegrityAuthentication…

C/S, P2PCaching

sockets

Formal models

Finite automataregex

John Chuang 3

Introduction

What is security? What do we mean by a secure system?

John Chuang 4

Attacks

Eavesdropping - passwords, credit card

numbers, etc. Tampering of data

- Birthday attack Impersonation

- Replay attack- Man-in-the-middle

attack (e.g., IP address spoofing)

- Phishing attack

Unauthorized access- System vulnerabilities- Social engineering (e.g.,

bribe, black-mail)- Password guessing (e.g.,

dictionary attack) Denial-of-Service attack Spam Trojan horses, viruses,

worms …

Wide ranging scope Some common attacks:

John Chuang 5

Security Properties “CIA” and “AAA”

Confidentiality- Prevents eavesdropping

Integrity- Prevents modification of data

Authentication- Proves your identity to another party; prevents

impersonation Accountability (non-repudiation)

- Enables failure analysis; serves as deterrent Authorization

- Prevents misuse Availability

- Safeguards against denial-of-service

John Chuang 6

Cryptography

Cryptographic primitives:- Encryption

-Symmetric-key (e.g., DES, AES) -Asymmetric-key (e.g., RSA)

- Cryptographic hash (message digest)-e.g., MD5, SHA-1

- Digital signature-e.g., PKCS

John Chuang 7

The Principals

Alice Bob Carol …and… Eve (eavesdropper -- passive attacker) Mallory (active attacker -- can intercept, modify, and forward messages)

Trent/Trudy (trusted 3rd party)

John Chuang 8

QuickTime™ and a decompressor

are needed to see this picture.

http://xkcd.com/177/Eve’s Story

John Chuang 9

Encryption

Encryption/decryption algorithms are published Encryption/decryption keys are kept secret Symmetric cryptography

- e-key = d-key- Principals need to share the symmetric key, and keep it secret

Asymmetric (public-key) cryptography- e-key != d-key- One key made public; the other kept private

encryption decryptionplaintext plaintext

e-key d-key

ciphertext

John Chuang 10

Symmetric Cryptography

Many schemes are available: DES, 3DES, AES, RC4, IDEA, …

In general, the strength of an encryption scheme is a function of the key length (because of exhaustive key search)

Moving target as hardware capabilities improve over time- DES (data encryption standard, 1975) uses 56 bit key length; became vulnerable to exhaustive key search

- Replaced in 2002 by AES (advanced encryption standard, 1998) which uses key lengths of 128, 192, or 256 bits

John Chuang 11

Each principal has public key K and private key K-1

K-1 is kept secret, and cannot be deduced from K K is made available to all Encryption and decryption with K and K-1 are commutative: {{D}K-1}K = {{D}K}K-1 = D

Challenge: how to choose K and K-1?

Asymmetric Cryptography

encryption

private key public key

document D document Ddecryption

encryption

private keypublic key

document D document Ddecryption

John Chuang 12

RSA

Algorithm by Rivest, Shamir, Adleman (1977) for generating K and K-1 based on the fact that factoring is hard

RSA key generation:- Choose n, e, d such that:

- n=p*q where p and q are two large and distinct prime numbers

- e*d = k(p-1)(q-1)+1 where k is a positive integer Public key: {n,e}; Private key: {n,d}

- RSA key lengths 1024 bits or 2048 bits (256 or 512 bits no longer secure)

- n and e are published; p, q, and d are kept private

Given document D:- encryption: ciphertext = c = D e (mod n)- decryption: plaintext = D = c d (mod n)

John Chuang 13

Performance

Asymmetric cryptography 3-5 orders of magnitude slower than symmetric cryptography

Use asymmetric cryptography to exchange symmetric key; data encrypted using symmetric cryptography:

A B: {KAB}KB, {D}KAB

Asymmetric cryptography has other important uses as well …

John Chuang 14

Authentication

Based on one or more of the following:- Something you are (e.g., fingerprint, pattern on iris, DNA sample)

- Something you know (e.g., password, PIN, mother’s maiden name)

- Something you have (e.g., ATM card, Driver’s License, private key K-1)

John Chuang 15

Digital Signature (Version 0.1)

Alice signs document by encrypting it with her own private key

A B: {D}KA-1

Bob verifies the signature by decrypting it using A’s public key, i.e., compute D = {{D}KA

-1 }KA

Two outcomes: - digital signature provides non-repudiation (accountability)

- Alice is authenticated to Bob. (How?) There is another problem -- performance

encryption

private key public key

Document D Document Ddecryption

John Chuang 16

Cryptographic Hash/ Message Digest

Digest function maps arbitrary length message D to fixed length digest H(D)-MD5 (128 bit digest) and SHA-1 (160 bit digest) are commonly used

One-way function: given H(D), can't find D

Collision-free: infeasible for attacker to generate D and D' such that H(D) = H(D')-Otherwise vulnerable to the birthday attack

message

digest

John Chuang 17

Birthday Attack

Alice prepares two contracts D (fair) and D’ (fraudulent) that produce the same hash, i.e., H(D) = H(D’)

Alice asks Bob to sign D, takes Bob’s signature and attach it to D’

The “birthday paradox”:- Need 183 persons in a room to have a 50% chance that someone has the same birthday as you

- But only need 23 persons in a room to have a 50% chance that two persons share the same birthday

Implication: digest length has to be much longer than 8-9 bits

John Chuang 18

Digital Signature (Version 1.0)

A B: D, {H(D)}KA-1

Bob:- Computes hash of message, H(D)- “Decrypts” signature: {{H(D)}KA

-1 }KA

- Verifies H(D) = {{H(D)}KA-1 }KA

signature

Sender: Alice

Alice's Private Key Alice's Public Key

verifysignature

computesignature

computedigest

computedigest

Receiver: Bob

D D

signature

John Chuang 19

Public Key Management

How does Bob know that KA is really the public key of Alice?

John Chuang 20

Public Key Certificate

A binding of key to identity, signed by a certificate authority (CA)

A, KA, {H(A, KA)}KCA

-1

PKI (public key infrastructure) provides support for certificate hierarchy with root certificate at the top of the tree

CA signature

Alice’s certificate

John Chuang 21

Summary

So, what have we achieved with digital signatures?- Authentication- Integrity- Non-repudiation (accountability)

Can combine with encryption to provide:- Confidentiality

John Chuang 22

Security Properties “CIA” and “AAA”

Confidentiality- Prevents eavesdropping

Integrity- Prevents modification of data

Authentication- Proves your identity to another party; prevents

impersonation Accountability (non-repudiation)

- Enables failure analysis; serves as deterrent Authorization

- Prevents misuse Availability

- Safeguards against denial-of-service

John Chuang 23

Availability

Denial-of-Service (DoS) Attack: - Making a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system

DoS statistics (Moore et al., Usenix 2001): - Prevalence: 13,000 DoS attacks recorded in 3 weeks

- Duration: an attack can last for hours- Intensity: 600,000 packets per second

2008 ISP Infrastructure Security Report (Arbor, 2008)- Largest DDoS attack peak traffic volume of 40Gbps

John Chuang 24

TCP SYN Flood Attack

TCP session establishment- A B: SYN- B A: SYN + ACK- A B: ACK

B has to keep state for every half-open connection, and an idle connection is closed only after long timeout

An attacker sends many SYN messages (with spoofed source IP addresses) to victim B

Legitimate clients cannot establish TCP session with B

Process A Process B

SYN3-Way handshake to establish TCP session

SYN + ACK

Conversation

ACK

Teardown

FIN

FIN + ACK

ACK

Data + ACK

Data + ACK

John Chuang 25

Distributed DoS (DDoS) Attack

Attacker takes over machines via viruses or Trojan horses and launches DoS attack from these “zombies” or “bots”

No effective defense:- No direct cryptographic solution- Approaches: filtering, traceback

Misaligned incentives- Individuals not motivated to patch their machines

John Chuang 26

Botnets

A network of bots (Trojan horses) under the command & control of botnet operator

Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud,…- Estimate: 70-90% of spam come from botnets

Underground market for botnet service- e.g., $500 for a DDoS attack using 10K bots- e.g., sites asked to pay $10-50k in extortion

Sou

rce:

Cis

co