Software Security Technologies Richard Sinn Principal Architect / Security Architect, Yahoo, Inc...

Software Security Technologies
Richard Sinn
Principal Architect / Security Architect, Yahoo, Inc
Lecturer, SJSU

Agenda
  Basic Security Theory
  Essential PKI
  Trust Models
  Threat Models
  Security Challenges in Email/Instant Communication

Basic Security Theory

The Problems
  Fundamental
    People can read data in plain/clear text
    Data is sent over public network
  Specific
    Spoofing – Fake the source of data
    Tampering – Change data in transit
    Snooping – Monitor sensitive data
    Replay – Intercept and resend data at a later time

The Goals
  Confidentiality – Assurance of data privacy
  Authentication – Assurance that an entity is who he/she/it claims to be
  Integrity – Assurance of non-alteration
  Availability – Assurance that data / services are available

The Toolbox
  Symmetric Key Encryption
    Stream ciphers
    Block ciphers
  Message Digest and MACs
  Public Key Encryption
    DH
    RSA
  Digital Signature

Symmetric Key Encryption
  Plaintext – Original Data
  Ciphertext – The Gibberish
  Encryption – Transformation from plaintext to ciphertext
  Decryption – Transformation from ciphertext to plaintext
  Algorithm – Cipher
  Symmetric – Same key for encryption/decryption

Stream Ciphers
  Takes the original data, divides it into digits, and encrypts each digit one at a time.
  C[i] = KS[i] XOR P[i]
  P[i] = KS[i] XOR C[i]
  RC4 – Stream cipher with variable key length between 8 and 2048 bits
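
The XOR relations above, written out as an added example that is not part of the original slides: an RC4 keystream generator, one function that both encrypts and decrypts, and what happens when the same keystream covers two messages. The key and messages are constructed sample values.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n keystream bytes KS[0..n-1] with RC4."""
    if not 1 <= len(key) <= 256:              # 8 to 2048 bits, as on the slide
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """C[i] = KS[i] XOR P[i]; applied to C it gives P[i] = KS[i] XOR C[i]."""
    return xor(rc4_keystream(key, len(data)), data)


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the same keystream and XOR the ciphertexts.

    KS cancels out, so the result equals P1 XOR P2 and no longer depends
    on the key. A stream cipher key (or key/nonce pair) must never repeat.
    """
    return xor(rc4(key, p1), rc4(key, p2))


if __name__ == "__main__":
    key = b"Key"                              # constructed sample key
    c = rc4(key, b"Plaintext")
    print(c.hex(), rc4(key, c))
    p1, p2 = b"pay alice 100", b"pay carol 999"
    print(keystream_reuse_leak(key, p1, p2) == xor(p1, p2))
```

RC4 appears here because the slide names it; RFC 7465 prohibits it in TLS, and the keystream-reuse property applies to every stream cipher and to block ciphers in CTR or OFB mode.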

Block Ciphers
  Divides data into blocks of fixed length
  64 or 128 bits
  Various different modes
    Electronic Code Book (ECB)
    Cipher-Block Chaining (CBC)
    Cipher Feedback (CFB)
    Output Feedback (OFB)
    Counter (CTR)

[Figures: Electronic Codebook (ECB); Cipher Block Chaining (CBC); Cipher Feedback (CFB); Output Feedback (OFB); Counter (CTR)]

Common Block Ciphers
  DES – IBM 1970. 64-bit, 56-bit key. 8 for parity check
  3DES – C = DES_k3(DES^-1_k2(DES_k1(P))).
  RC2 – Ron Rivest, RSA, 64-bit with variable size key up to 128 bytes
  AES – Fixed block size of 128 bits and a key size of 128, 192 or 256 bits

Message Digest
  Also called digest or hash
  Fixed-size checksum created by cryptographic hash functions
  Properties
    Preimage resistant – H = Hash(m); given H, cannot find m
    Second preimage resistant – Given m1, infeasible to find a different m2 such that Hash(m1) = Hash(m2)
    Collision resistant – Infeasible to find distinct m1 and m2 such that Hash(m1) = Hash(m2)
  Examples: MD5, SHA-1, etc.

Message Authentication Code
  MAC
  Uses a secret key to address the spoofed data + hash problem
  Examples: Data Authentication Code, HMAC
  HMAC_K(m) = H( (K XOR opad) || H( (K XOR ipad) || m ) )
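
The HMAC formula above, implemented directly and checked against Python's standard hmac module, together with the "spoofed data + hash" problem it addresses. This is an added example, not part of the original slides; SHA-256 is an assumed choice of H, and the keys and messages are constructed.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # byte values of ipad and opad defined in RFC 2104


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(m) = H((K XOR opad) || H((K XOR ipad) || m))."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # keys longer than a block are hashed
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")           # then zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in key) + msg).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in key) + inner).digest()


def accept_digest(msg: bytes, digest: bytes) -> bool:
    """Unkeyed check: whoever alters msg can also recompute the digest."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


def accept_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Keyed check, compared in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, msg), tag)


def tamper_demo(key: bytes):
    """Return (digest check, MAC check) for a message altered in transit."""
    original, altered = b"pay bob 10", b"pay eve 9999"    # constructed messages
    tag = hmac_from_formula(key, original)                # computed by the sender
    recomputed = hashlib.sha256(altered).digest()         # needs no secret
    return accept_digest(altered, recomputed), accept_mac(key, altered, tag)


if __name__ == "__main__":
    print(tamper_demo(b"shared secret key"))
```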

Public Key Cryptography
  Each party has two keys: one is the private key, which must be kept secret, and one is the public key, which can be freely distributed
  One encrypts and the other one decrypts
  Performance limit
  PK is usually used as a means for secret key exchange

Diffie-Hellman (DH)
  Used for key agreement
  Exchange of information over an insecure medium that allows each of two parties (sender and recipient) to compute a value that will be used to construct a secret key for a symmetric cipher during the rest of the communication.
  DH was invented by Whitfield Diffie and Martin Hellman in 1976

Diffie-Hellman (DH)
  Action: Alice and Bob agree on two integers: p and g, where p is a large prime number and g is called the base.
  Example values: Let p = 29, g = 3.
  Action: Alice chooses a secret integer a. Then, she sends Bob g^a mod p.
  Example values: Let a = 5, then g^a mod p = 3^5 mod 29 = 11.
  Action: Bob chooses a secret integer b. Then, he sends Alice g^b mod p.
  Example values: Let b = 10, then g^b mod p = 3^10 mod 29 = 5.
  Action: Alice computes k_a = (g^b mod p)^a mod p.
  Example values: k_a = (g^b mod p)^a mod p = 5^5 mod 29 = 22.
  Action: Bob computes k_b = (g^a mod p)^b mod p.
  Example values: k_b = (g^a mod p)^b mod p = 11^10 mod 29 = 22.
  Action: Since k_a = k_b = k, a secret value is exchanged.
  Example values: The value 22 is secretly exchanged.
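
The exchange in the table, as an added example that is not part of the original slides: each party keeps its exponent private, checks the value it receives, and turns the agreed number into a symmetric key. The class name DHParty, the range check on the peer value and the SHA-256 key derivation are assumptions of this example; p = 29 is the slide's toy prime and far too small for real use.

```python
import hashlib
import secrets


class DHParty:
    def __init__(self, p: int, g: int, secret: int = None):
        self.p, self.g = p, g
        # Secret exponent in [2, p-2]; passed in only to reproduce the slide.
        self._x = secret if secret is not None else 2 + secrets.randbelow(p - 3)
        self.public = pow(g, self._x, p)      # g^x mod p, sent over the network

    def shared_secret(self, peer_public: int) -> int:
        # A peer value of 0, 1 or p-1 would make k predictable, so accept
        # only 2 <= y <= p-2 before using it.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, self.p)

    def session_key(self, peer_public: int) -> bytes:
        """Derive a symmetric key from k (assumed KDF: one SHA-256 call)."""
        k = self.shared_secret(peer_public)
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(k.to_bytes(width, "big")).digest()


def slide_exchange():
    """Run the slide's example: p = 29, g = 3, a = 5, b = 10."""
    alice, bob = DHParty(29, 3, secret=5), DHParty(29, 3, secret=10)
    return (alice.public, bob.public,
            alice.shared_secret(bob.public), bob.shared_secret(alice.public))


if __name__ == "__main__":
    print(slide_exchange())
```

Nothing in the exchange tells Alice that the value she received came from Bob; that gap is what the certificates in the PKI section address.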

RSA
  RSA is the public key algorithm invented in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT.
  Choose two large prime numbers p and q randomly, unpredictably and independently of each other.
  Compute N = p q.
  Compute φ = (p − 1)(q − 1).
  Choose an integer e where 1 < e < φ and e is coprime to φ. Coprime indicates that e and φ do not have a common factor except 1 and –1.
  Compute d = e^-1 mod φ

RSA – Encryption Example
  Action: First prime (kept private): p. Second prime (kept private): q. Modulus (public): N = pq. Public exponent (public): e. Private exponent (kept private): d. The public key is (N, e). The private key is (N, d).
  Example values: Let p = 11, q = 3, N = pq = 33, e = 3, d = 7. The public key is (33, 3). The private key is (33, 7).
  Action: Plaintext = n
  Example values: Let n = 7
  Action: encrypt(n) = c = n^e mod N, where n is plaintext and c is ciphertext.
  Example values: encrypt(n) = n^3 mod 33 = 7^3 mod 33 = 13. Thus, ciphertext = 13.

Digital Signature
  Used to ensure integrity
  MAC is not useful due to the need for the same secret key
  Alice can sign a message with her private key, and anyone who has her public key can verify the signed message.
  The message is usually cryptographically hashed, and then only the hash of the message is signed.

Digital Signature - RSA: RSA Signature Generation
  Action: Sign message m. Compute h = Hash(m). Signature = s = h^d mod N
  Example values: Reuse values from the RSA encryption / decryption example: d = 7, N = 33, e = 3. Let m = 123. Assume h = Hash(123) = 5. Signature = s = h^d mod N = 5^7 mod 33 = 14

Digital Signature - RSA: RSA Signature Verification
  Action: Verify signature. Receive message m and signature s. Compute x = Hash(m). Compute y = s^e mod N. Message is verified if and only if x = y
  Example values: Given s = 14, e = 3, and m = 123: x = Hash(m) = 5, y = s^e mod N = 14^3 mod 33 = 5. Message is verified since x = y.
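
The RSA key generation steps and the encryption and signature tables above, carried through in code with the slides' numbers. This is an added example, not part of the original slides; the function names are assumptions, and the hash value h is passed in directly because the slides assume Hash(123) = 5 rather than naming a hash function.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """N = pq, phi = (p-1)(q-1), d = e^-1 mod phi; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and be coprime to phi")
    return (n, e), (n, pow(e, -1, phi))       # modular inverse, Python 3.8+


def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:                        # larger values would wrap mod N
        raise ValueError("plaintext must be in [0, N)")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def sign(private, h: int) -> int:
    """s = h^d mod N, computed with the private exponent."""
    n, d = private
    return pow(h % n, d, n)


def verify(public, h: int, s: int) -> bool:
    """Accept if and only if s^e mod N equals the hash of the received message."""
    n, e = public
    return pow(s, e, n) == h % n


if __name__ == "__main__":
    public, private = rsa_keygen(11, 3, 3)    # the slides' p, q and e
    print(public, private)                    # (33, 3) (33, 7)
    c = encrypt(public, 7)
    print(c, decrypt(private, c))             # 13 7
    s = sign(private, 5)                      # h = Hash(123) = 5 as assumed on the slide
    print(s, verify(public, 5, s), verify(public, 6, s))
```

This is RSA exactly as the slides state it, with no padding: the same plaintext always gives the same ciphertext. Deployed systems add a padding scheme such as OAEP for encryption and PSS for signatures.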

Essential PKI

Goals
  How do you get someone else’s public key?
  An infrastructure is needed:
    Well-defined Entry Points
    Predictable Security
    End-User Transparency
  Services:
    Authentication
    Integrity
    Confidentiality

PKI Structure
  Certificate Authority
  Registration Authority
  Certificate Repository
  CRL Repository
  OCSP Responder
  Client
  Client Key Store
  Key management server

Certificate
  The goal of a certificate in PKI is to provide a mechanism that binds the public key to the claimed owner in a trustworthy manner.
  This binding needs to ensure that the integrity of the public key is preserved, and the public key and any other associated identity information have been bound to the claimed owner.
  X.509 public-key certificate

Certificate Path
  Alice holds Bob’s certificate.
  Bob’s certificate is signed by CA-2.
  Alice accesses the certificate repository in the PKI to obtain CA-2’s certificate for examination.
  CA-2 is signed by CA-R that is also the root CA for Alice.
  Since Alice’s certificate is signed by CA-1, and CA-1 is in turn signed by CA-R, Alice should trust CA-2.
  A valid certificate path for Bob is found: Bob->CA-2->CA-R. Another way of saying it is that Bob’s certificate chained back to CA-R, and Alice successfully validates Bob’s certificate.

Key and Cert Management

Trust Models

Next Question
  The public key is in a certificate signed by the CA
  The public key is valid since I trust the CA
  What does Trust mean?
  Answer: (From X.509 specification)
    “A” trusts “B” when “A” assumes that “B” will behave exactly as “A” expects.

Trust Model
  Captures how the trust relationship is used in software
  Once you have decided on the trust model to use, the software you build should be based on the trust model.
  Trust model definition is important because trust models might be implicitly assumed by an entity.

Strict Hierarchy Trust Model

Strict Hierarchy Model - Example
  Given Bob’s certificate is signed by CA-2.
  CA-2’s certificate is signed by CA-R.
  CA-R is the root trust anchor for Alice as well.
  With CA-R’s public key certificate, Alice can obtain and verify CA-2’s certificate.
  With CA-2’s certificate verified and trusted, Alice can use CA-2’s certificate (with the corresponding public key) to verify Bob’s certificate.
  Once Bob’s certificate is verified, Bob’s public key is trusted and can be used to encrypt messages for Bob, verify digital signature, etc.
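
The Certificate Path slide and the strict hierarchy example above describe the same walk, Bob -> CA-2 -> CA-R; the following added example (not part of the original slides) performs it. The certificates are simplified dictionaries rather than X.509, the signatures are unpadded RSA over a SHA-256 digest, and every key is a constructed toy key, all of which are assumptions of this example.

```python
import hashlib

E = 65537  # public exponent used for every toy key


def keypair(p, q):
    """Textbook RSA key from two primes: returns (N, e) and d."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def tbs(cert):
    """Bytes the issuer signs: subject name, issuer name, subject public key."""
    return repr((cert["subject"], cert["issuer"], cert["pub"])).encode()


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(subject, pub, issuer, issuer_pub, issuer_d):
    """The issuer binds pub to subject by signing the certificate body."""
    cert = {"subject": subject, "issuer": issuer, "pub": pub}
    n = issuer_pub[0]
    cert["sig"] = pow(digest(tbs(cert), n), issuer_d, n)
    return cert


def signed_by(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == digest(tbs(cert), n)


def validate_path(cert, repository, anchor):
    """Return the path [subject, ..., anchor], or None if any link fails."""
    path, seen = [cert["subject"]], set()
    while cert["issuer"] != anchor["subject"]:
        issuer = repository.get(cert["issuer"])
        if issuer is None or issuer["subject"] in seen:
            return None                       # unknown issuer, or a loop
        if not signed_by(cert, issuer["pub"]):
            return None                       # signature does not verify
        seen.add(issuer["subject"])
        path.append(issuer["subject"])
        cert = issuer
    if not signed_by(cert, anchor["pub"]):    # last link is checked with the anchor's key
        return None
    return path + [anchor["subject"]]


# Constructed toy keys built from Mersenne primes; far too weak for real use.
R_PUB, R_D = keypair(2**89 - 1, 2**107 - 1)
CA2_PUB, CA2_D = keypair(2**61 - 1, 2**127 - 1)
BOB_PUB, _ = keypair(2**13 - 1, 2**31 - 1)
CA_R = issue("CA-R", R_PUB, "CA-R", R_PUB, R_D)      # self-signed root held by Alice
CA_2 = issue("CA-2", CA2_PUB, "CA-R", R_PUB, R_D)
BOB = issue("Bob", BOB_PUB, "CA-2", CA2_PUB, CA2_D)
REPOSITORY = {"CA-2": CA_2}                          # the PKI certificate repository
```

Calling validate_path(BOB, REPOSITORY, CA_R) returns the path from the slide. Validity periods, revocation (CRL, OCSP) and CA constraints, which a full validator also checks, are left out.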

Distributed Trust Model
  Hub Configuration – It is also called Star Configuration. Under this configuration, each peer trust anchor is connected to a Hub. This central hub is used to bridge communication gaps between pairs of peer trust anchors.
  Mesh Configuration – In this configuration, all peer trust anchors are potentially cross-certified among each other. In the fully connected scenario (also called full mesh), this configuration requires n^2 cross-certification agreements for n peer trust anchors.

Web Trust Model
  Advantages: Easy to implement, support Internet, it is there.
  Disadvantages:
    Identity Spoofing with “bad” CA cert
    Decentralized Trust Management – user level management
    Inability for Revocation – No CRL, OCSP
    Distribution Problem – Who gets what version of browsers?

User-Centric Trust Model

Reputation Trust Model
  Centralized System
    An authority is responsible for accumulating evaluations of agents from other agents. This authority then scores each agent with a reputation score.
    All reputations are public and global.
    Reputations of service providers are scored by consumer agents, and consumer agents’ reputations are scored by service provider agents.
    Reputations are built and owned by the centralized system.
  Centralized System Disadvantages
    Artificial reputation score
    Agent Spoofing
    The revenge factor
  Decentralized System
    Agent A can obtain agent B’s reputation by proactively requesting and collecting other agents’ evaluations for B
    These evaluations will then be combined to form agent A’s reputation score for agent B