Software Security Software Security TechnologiesTechnologies

Richard SinnRichard SinnPrincipal Architect / Security Architect, Principal Architect / Security Architect,

Yahoo, IncYahoo, IncLecturer, SJSULecturer, SJSU

AgendaAgenda

Basic Security TheoryBasic Security Theory

Essential PKIEssential PKI

Trust ModelsTrust Models

Threat ModelsThreat Models

Security Challenges in Email/Instant Security Challenges in Email/Instant CommunicationCommunication

Basic Security TheoryBasic Security Theory

The ProblemsThe Problems

Fundamental Fundamental People can read data in plain/clear textPeople can read data in plain/clear text Data is sent over public networkData is sent over public network

SpecificSpecific Spoofing – Fake the source of dataSpoofing – Fake the source of data Tampering – Change data in transit Tampering – Change data in transit Snooping – Monitor sensitive dataSnooping – Monitor sensitive data Replay – Intercept and resend data at a later Replay – Intercept and resend data at a later

timetime

The GoalsThe Goals

Confidentiality – Assurance of data privacyConfidentiality – Assurance of data privacy

Authentication – Assurance that an entity Authentication – Assurance that an entity is who he/she/it claims to beis who he/she/it claims to be

Integrity – Assurance of non-alterationIntegrity – Assurance of non-alteration

Availability – Assurance of data / services Availability – Assurance of data / services are availableare available

The ToolboxThe Toolbox

Symmetric Key EncryptionSymmetric Key Encryption Stream ciphersStream ciphers Block ciphersBlock ciphers

Message Digest and MACsMessage Digest and MACs

Public Key EncryptionPublic Key Encryption DHDH RSARSA

Digital SignatureDigital Signature

Symmetric Key EncryptionSymmetric Key Encryption

Symmetric Key EncryptionSymmetric Key Encryption

Plaintext – Original DataPlaintext – Original DataCiphertext – The GibberishCiphertext – The GibberishEncryption – Transformation from plaintext Encryption – Transformation from plaintext to cipher-textto cipher-textDecryption – Transformation from cipher-Decryption – Transformation from cipher-text to plaintexttext to plaintextAlgorithm – CipherAlgorithm – CipherSymmetric – Same key for Symmetric – Same key for encryption/decryptionencryption/decryption

Stream CiphersStream Ciphers

Takes the original data, divides it into Takes the original data, divides it into digits, and encrypts each digit one at a digits, and encrypts each digit one at a time.time.

C[i] = KS[i] XOR P[i]C[i] = KS[i] XOR P[i]

P[i] = KS[i] XOR C[i]P[i] = KS[i] XOR C[i]

RC4 – Stream cipher with variable key RC4 – Stream cipher with variable key length between 8 to 2048 bitslength between 8 to 2048 bits

Block CiphersBlock Ciphers

Divided up data into blocks of fixed lengthDivided up data into blocks of fixed length

64 or 128 bits64 or 128 bits

Various different modesVarious different modes Electronic Code Book (ECB)Electronic Code Book (ECB) Cipher-Block Chaining (CBC)Cipher-Block Chaining (CBC) Cipher Feedback (CFB)Cipher Feedback (CFB) Output Feedback (OFB) Output Feedback (OFB) Counter (CTR)Counter (CTR)

Electronic Codebook (ECB)Electronic Codebook (ECB)

Cipher Block Chaining (CBC)Cipher Block Chaining (CBC)

Cipher Feedback (CFB)Cipher Feedback (CFB)

Output Feedback (OFB)Output Feedback (OFB)

Counter (CTR)Counter (CTR)

Common Block CiphersCommon Block Ciphers

DES – IBM 1970. 64-bit, 56-bit key. 8 for DES – IBM 1970. 64-bit, 56-bit key. 8 for parity checkparity check

3DES - 3DES - C = DESk3(DES-1k2(DESk1(P))).C = DESk3(DES-1k2(DESk1(P))).

RC2 – Ron Rivest, RSA, 64-bit with RC2 – Ron Rivest, RSA, 64-bit with variable size key up to 128 bytesvariable size key up to 128 bytes

AES - AES - Fixed block size of 128 bits and a Fixed block size of 128 bits and a key size of 128, 192 or 256 bitskey size of 128, 192 or 256 bits

The ToolboxThe Toolbox

Symmetric Key EncryptionSymmetric Key Encryption Stream ciphersStream ciphers Block ciphersBlock ciphers

Message Digest and MACsMessage Digest and MACs

Public Key EncryptionPublic Key Encryption DHDH RSARSA

Digital SignatureDigital Signature

Message DigestMessage Digest

Call digest or hashCall digest or hashFixed-size checksum created by cryptographic Fixed-size checksum created by cryptographic hash functions hash functions PropertiesProperties Preimage resistant – Preimage resistant – H = Hash (m)H = Hash (m), Given H cannot , Given H cannot

find mfind m Second preimage resistant – Given m1, infeasible to Second preimage resistant – Given m1, infeasible to

find m2. find m2. Hash (m1) = Hash (m2)Hash (m1) = Hash (m2) Collision-resistant: Infeasible to find Collision-resistant: Infeasible to find m1m1 and and m2m2 such such

that that Hash (m1) = Hash (m2)Hash (m1) = Hash (m2)

Examples: MD5, SHA-1, etc.Examples: MD5, SHA-1, etc.

Message Authentication CodeMessage Authentication Code

MACMAC

Use secret key to address spoof data + Use secret key to address spoof data + hash problemhash problem

Examples: Data Authentication Code, Examples: Data Authentication Code, HMACHMAC

HMACk(m) = H( (K XOR opad) || H(( K HMACk(m) = H( (K XOR opad) || H(( K XOR ipad) || M ) )XOR ipad) || M ) )

The ToolboxThe Toolbox

Symmetric Key EncryptionSymmetric Key Encryption Stream ciphersStream ciphers Block ciphersBlock ciphers

Message Digest and MACsMessage Digest and MACs

Public Key EncryptionPublic Key Encryption DHDH RSARSA

Digital SignatureDigital Signature

Public Key CryptographyPublic Key Cryptography

Each party has two keys: one is the Each party has two keys: one is the private keyprivate key where it must be kept secret, where it must be kept secret, and one is the and one is the public keypublic key that can be that can be freely distributedfreely distributed

One encrypts and the other one decryptsOne encrypts and the other one decrypts

Performance limitPerformance limit

PK is usually used as means for secret PK is usually used as means for secret key exchangekey exchange

Diffie-Hellman (DH)Diffie-Hellman (DH)

Used for key agreementUsed for key agreementExchange of information over an insecure Exchange of information over an insecure medium that allows each of two parties medium that allows each of two parties (sender and recipient) to compute a value (sender and recipient) to compute a value that will be used to construct a secret key that will be used to construct a secret key for a symmetric cipher during the rest of for a symmetric cipher during the rest of the communication. the communication. DH is invented by Whitfield Diffie and DH is invented by Whitfield Diffie and Martin Hellman in 1976 Martin Hellman in 1976

Diffie-Hellman (DH)Diffie-Hellman (DH)Action Example Values

Alice and Bob agree on two integers: p and g, where p is a large prime number and g is called the base.

Let p = 29, g = 3.

Alice chooses a secret integer a. Then, she sends Bob ga mod p.

Let a = 5, then ga mod p = 35 mod 29 = 11.

Bob chooses a secret integer b. Then, he sends Alice gb mod p

Let b = 10, then gb mod p = 310 mod 29 = 5.

Alice computes ka = (gb mod p)a mod p. ka = (gb mod p)a mod p = 55 mod 29 = 22.

Bob computes kb = (ga mod p)b mod p. kb = (ga mod p)b mod p = 1110 mod 29 = 22.

Since ka = kb = k, a secret value is exchanged. The value 22 is secretly exchanged.

RSARSA

RSA is the public key algorithm invented in RSA is the public key algorithm invented in 1977 by Ron Rivest, Adi Shamir, and Len 1977 by Ron Rivest, Adi Shamir, and Len Adelman at MIT. Adelman at MIT.

Choose two large prime numbers Choose two large prime numbers pp and and qq randomly, randomly, unpredictably and independently of each other. unpredictably and independently of each other.

Compute Compute N = p qN = p q. . Compute Compute φ = (p − 1)(q − 1)φ = (p − 1)(q − 1). . Choose an integer Choose an integer ee where where 1 < e < φ1 < e < φ and is coprime and is coprime

to to φφ. Coprime indicates that e and . Coprime indicates that e and φφ does not have does not have common factor except 1 and –1.common factor except 1 and –1.

Compute Compute d = e-1 mode (φ)d = e-1 mode (φ)

RSA – Encryption ExampleRSA – Encryption ExampleAction Example Values

First prime (kept private): p Second prime (kept private): q Modulus (public): N = pq Public exponent (public): e Private exponent (kept private): d The public key is (N, e). The private key is (N, d).

Let: p = 11q = 3N = pq = 33e = 3d = 7The public key is (33, 3).The private key is (33, 7).

Plaintext = n Let n = 7

encrypt(n) = c = ne mod N where m is plaintext, and c is ciphertext.

encrypt(n) = n3 mod 33 = 73 mod 33 = 13.Thus, ciphertext = 13.

Digital SignatureDigital Signature

Use to ensure integrityUse to ensure integrityMAC is not useful due to the need of same MAC is not useful due to the need of same secret keysecret keyAlice can sign a message with her private Alice can sign a message with her private key, and anyone who has her public key key, and anyone who has her public key can verify the signed message. can verify the signed message. The message is usually cryptographically The message is usually cryptographically hashed, and then only the hash of the hashed, and then only the hash of the message is signed. message is signed.

Digital Signature - RSADigital Signature - RSAAction Example Values

Sign message m.Compute h = Hash(m)Signature = s = hd mod N

Reuse values from the RSA encryption / decryption example: d = 7, N = 33, e = 3

Let m = 123Assume h = Hash(123) = 5Signature = s = hd mod N = 57 mod 33 = 14

RSA Signature GenerationRSA Signature Generation

Digital Signature - RSADigital Signature - RSA

RSA Signature VerificationRSA Signature Verification

Action Example Values

Verify signatureReceive message m, and signature sCompute x = Hash(m)Compute y = se mod NMessage is verified if and only if x = y

Given s = 14, e = 3, and m = 123x = Hash(m) = 5y = se mod N = 143 mod 33 = 5Message is verified since x = y.

Essential PKIEssential PKI

GoalsGoals

How do you get someone else’s public key?How do you get someone else’s public key?

An infrastructure is needed:An infrastructure is needed: Well-defined Entry PointsWell-defined Entry Points Predictable SecurityPredictable Security End-User TransparencyEnd-User Transparency

Services:Services: AuthenticationAuthentication IntegrityIntegrity ConfientialityConfientiality

PKI StructurePKI Structure

PKI StructurePKI Structure

Certificate AuthorityCertificate AuthorityRegistration AuthorityRegistration AuthorityCertificate RepositoryCertificate RepositoryCRL RepositoryCRL RepositoryOCSP ResponderOCSP ResponderClientClientClient Key StoreClient Key StoreKey management serverKey management server

CertificateCertificate

The goal of a certificate in PKI is to The goal of a certificate in PKI is to provide a mechanism that binds the public provide a mechanism that binds the public key to the claimed owner in a trustworthy key to the claimed owner in a trustworthy manner. manner. This binding needs to ensure that the This binding needs to ensure that the integrity of the public key is preserved, and integrity of the public key is preserved, and the pubic key and any other associated the pubic key and any other associated identity information has been bound to the identity information has been bound to the claimed owner. claimed owner.

X.509 pubic-key certificateX.509 pubic-key certificate

Certificate PathCertificate Path

Alice holds Bob’s certificate.Alice holds Bob’s certificate.Bob’s certificate is signed by CA-2.Bob’s certificate is signed by CA-2.Alice accesses the certificate repository in the PKI to obtain CA-2’s certificate for Alice accesses the certificate repository in the PKI to obtain CA-2’s certificate for examination. examination. CA-2 is signed by CA-R that is also the root CA for Alice.CA-2 is signed by CA-R that is also the root CA for Alice.Since Alice’s certificate is signed by CA-1, and CA-1 is in turn signed by CA-R.Since Alice’s certificate is signed by CA-1, and CA-1 is in turn signed by CA-R.Alice should trust CA-2.Alice should trust CA-2.A valid certificate path for Bob is found: Bob->CA-2->CA-R. Another way of saying it A valid certificate path for Bob is found: Bob->CA-2->CA-R. Another way of saying it is that Bob’s certificate chained back to CA-R, and Alice successfully validate Bob’s is that Bob’s certificate chained back to CA-R, and Alice successfully validate Bob’s certificate. certificate.

Key and Cert ManagementKey and Cert Management

Trust ModelsTrust Models

Next QuestionNext Question

The public key is in a certificate signed by The public key is in a certificate signed by the CAthe CA

The public key is valid since I trust the CAThe public key is valid since I trust the CA

What does Trust mean?What does Trust mean?

Answer: (From X.509 specification)Answer: (From X.509 specification)

““A” trusts “B” when “A” assumes that “B” will A” trusts “B” when “A” assumes that “B” will behave exactly as “A” expects.behave exactly as “A” expects.

Trust ModelTrust Model

Capture how trust relationship is used in Capture how trust relationship is used in softwaresoftware

Once you have decided on the trust model Once you have decided on the trust model to use, the software you build should be to use, the software you build should be based on the trust model. based on the trust model.

Trust models definition is important Trust models definition is important because trust models might be implicitly because trust models might be implicitly assumed by an entity. assumed by an entity.

Strict Hierarchy Trust ModelStrict Hierarchy Trust Model

Strict Hierarchy Model - ExampleStrict Hierarchy Model - Example

Given Bob’s certificate is signed by Given Bob’s certificate is signed by CA-2.CA-2.CA-2’s certificate is signed by CA-R.CA-2’s certificate is signed by CA-R.CA-R is the root trust anchor for CA-R is the root trust anchor for Alice as well.Alice as well.With CA-R’s public key certificate, With CA-R’s public key certificate, Alice can obtain and verify CA-2’s Alice can obtain and verify CA-2’s certificate.certificate.With CA-2’s certificate verified and With CA-2’s certificate verified and trusted, Alice can use CA-2’s trusted, Alice can use CA-2’s certificate (with the corresponding certificate (with the corresponding public key) to verify Bob’s certificate.public key) to verify Bob’s certificate.Once Bob’s certificate is verified, Once Bob’s certificate is verified, Bob’s public key is trusted and can Bob’s public key is trusted and can be used to encrypt messages for be used to encrypt messages for Bob, verify digital signature, etc. Bob, verify digital signature, etc.

Distributed Trust ModelDistributed Trust Model

Distributed Trust ModelDistributed Trust Model

Hub Configuration – It is also called Star Hub Configuration – It is also called Star Configuration. Under this configuration, each Configuration. Under this configuration, each peer trust anchor is connected to a peer trust anchor is connected to a HubHub. This . This central hub is used to bridge communication central hub is used to bridge communication gaps between pairs of peer trust anchors. gaps between pairs of peer trust anchors. Mesh Configuration –In this configuration, all Mesh Configuration –In this configuration, all peer trust anchors are potentially cross-certified peer trust anchors are potentially cross-certified among each other. In the fully connected among each other. In the fully connected scenario (also called scenario (also called full meshfull mesh), this ), this configuration requires n2 cross-certification configuration requires n2 cross-certification agreements for agreements for nn peer trust anchors. peer trust anchors.

Web Trust ModelWeb Trust Model

Web Trust ModelWeb Trust Model

Advantages: Easy to implement, support Advantages: Easy to implement, support Internet, it is there.Internet, it is there.Disadvantages:Disadvantages: Identify Spoofing with “bad” CA certIdentify Spoofing with “bad” CA cert Decentralized Trust Management – user level Decentralized Trust Management – user level

managementmanagement Inability for Revocation – No CRL, OCSPInability for Revocation – No CRL, OCSP Distribution Problem – Who get what version Distribution Problem – Who get what version

of browsers?of browsers?

User-Centric Trust ModelUser-Centric Trust Model

Reputation Trust ModelReputation Trust Model

Centralized SystemCentralized System An authority is responsible for accumulating An authority is responsible for accumulating

evaluations of agents from other agents. This evaluations of agents from other agents. This authority then scores each agent with a reputation authority then scores each agent with a reputation score. score.

All reputations are public and global. All reputations are public and global. Reputations of service providers are scored by Reputations of service providers are scored by

consumers agents, and consumer agents’ reputations consumers agents, and consumer agents’ reputations are scored by service providers agent. are scored by service providers agent.

Reputations are built and own by the centralized Reputations are built and own by the centralized system. system.

Reputation Trust ModelReputation Trust Model

Centralized System DisadvantagesCentralized System Disadvantages Artificial reputation score Artificial reputation score Agent Spoofing Agent Spoofing The revenge factor The revenge factor

Decentralized SystemDecentralized System Agent A can obtain agent B’s reputation by Agent A can obtain agent B’s reputation by

proactively requesting and collecting other agent’s proactively requesting and collecting other agent’s evaluations for B evaluations for B

This evaluations will then be combined to form agent This evaluations will then be combined to form agent A’s reputation score for agent BA’s reputation score for agent B