Internet and Web Security

Nov 2, 2013 (3 years and 11 months ago)

©2001-2002 Dr. D. Martakos, Dr. H. Margaritis

Internet and Web Security
TCP/IP Networks
Threats, Attacks and Safeguards
Cryptography

Security Defined
• Security involves the protection of assets
• assets are defined as anything with value
• Some assets are tangible, others are not
• Examples of assets:
  • Business plans
  • Confidential source code
  • Private cryptographic keys
  • Ideas
  • Identity
  • Money (physical and digital)
  • Privacy
  • Reputation and name

Why Is Security Difficult?
• An attacker need only find one weak point to enter the system; a defender needs to make sure that all possible entry points are defended.
• The usability of a system is inversely proportional to its security.
• Security is often tacked on to an application as an afterthought.

Why is Internet Security even more difficult?
• TCP/IP was designed with robustness and not security in mind
• Anyone with Internet access can be an attacker
• Hacking cookbooks and tools widely available
• Security is a process not a product
• Lack of integrated security frameworks

Categories of Attacks
• Integrity
• Confidentiality
• Authentication
• Denial of Service

Integrity
• Threats
  • modification of user data
  • Modification of memory
  • Modification of message traffic in transit
  • Trojan horses
• Consequences
  • Loss of information
  • Compromise of machine
  • Vulnerability to other threats

Confidentiality
• Threats
  • Eavesdropping on the Net
  • Theft of information from server
  • Theft of data from client
  • Information about network configuration
  • Information about which client talks to which server
• Consequence
  • loss of information
  • loss of privacy

Authentication
• Threats
  • impersonation of legitimate users
  • data forgery
• Consequences
  • Misrepresentation of user
  • Belief that false information is valid

Denial of service
• Threats
  • killing of user threads
  • flooding machine with bogus requests
  • filling up disk or memory
  • isolating machine by DNS attacks
• Consequences
  • Disruptive
  • annoying
  • prevent user from getting anything done

Who threatens us?
• Thrill-seeking malicious hackers
• Competitors
• Enemies
• Other adversaries
  • school, games, romance, commerce, etc.
• Child molesters, pedophiles, murderers
• Buggy software
• Low-clue users
• Security professionals (to demonstrate problems)

Hacker Trends
• Increased sophistication of attacks.
• Copious “cookbooks” and packaged kits.
• Great emphasis on operational security, including use of encryption.
• Most “hackers” aren’t worthy of the name.
• A few are very good.
• The hackers share tools and knowledge more than the good guys do.

What are the Attacks?

TCP/IP Network Layers
Ethernet, FDDI, ATM, packet radio, etc.
IP
TCP or UDP
Application Level

Application Level
• Talks to a host with some protocol (e.g. HTTP, FTP, SMTP, POP3, etc.)
• TCP supplies a reliable connection to the other end
• Anyone can invent a new protocol between two hosts.
• Application level protocols are often used as the means to carry out the attacks

TCP
• Sets up “circuit” between client and server
• Breaks a stream of data into packets
• Reassembles packets into a stream
• Services have names, but are really 1 – 65535 (ports)
• TCP lacks strong authentication of origin and destination

UDP
• Connectionless message
• No error correction
• Suitable for some network services that don’t have to be reliable, like voice
• Services are numbered

IP
• Packets have limited sizes
• May be dropped in transit if congestion
• May arrive out of order
• May be duplicated
• Addressing by IP number

IP Routing
• forwards packets one hop toward destination
• forwarding is table-driven
• tables installed manually, or by some protocol
• routers are usually special purpose devices
• can filter and log packets, if not too busy
• core routers are much too busy: ~70% of capacity

Physical Layer
• Sniffable if on same net
• There are attacks that fiddle at this level

Domain Name System (DNS)
• Each host has an IP number, e.g. 135.104.2.7
• Humans prefer names: faa.dot.gov
• top-level domains: gov, .edu, .com, .net, .org, .gr
• DNS is a distributed database, delegating to lower authorities
• There are DoS and masquerading attacks that fiddle DNS

Attacks against all of the above
• There are attacks targeted at every level of the TCP/IP protocol stack
• Examples:
  • Application layer – Session Hijacking
  • TCP layer – SYN flooding
  • IP layer – IP Spoofing
  • Physical layer – Sniffing packets
  • DNS – DNS contamination
  • IP Routing – IP Spoofing
• TCP/IP lacks intrinsic authentication and integrity mechanisms
• Host misconfigurations and implementation flaws

More on Attacks
• Attacks against protocols
• Passive attacks
• Active attacks
• Denial of Service attacks
• Buffer overflows

Attacks against protocols
• Generally concerned with violating data integrity or confidentiality
• May be active or passive
  • Active attacks are concerned with inserting messages to subvert a protocol
  • Passive attacks are concerned with eavesdropping to gain information
• Attack sources
  • “Man in the middle”
  • Cheating client
  • Cheating server

Passive attacks
• Password collection has been going on since at least late 1993.
• Other uses are possible:
  • NFS file handle collection
  • SMB sniffing (l0phtcrack)
  • Credit card numbers
  • DNS spoofing

Active Attacks
• IP spoofing.
• Session hijacking possible with canned programs.
  • Requires eavesdropping ability.
  • Canned programs seem to be available.
• Cryptographic stunts.

More Active Attacks
• DNS cache contamination
  • Exploit script widely available
  • Was once done for commercial purposes; resulted in a Federal indictment.
• False route advertisements
  • Given well-publicized accidental incidents, a deliberate version seems likely.
  • We don’t have good defenses.

Routing Attacks
• Routers advertise their own local nets, plus what they’ve learned from their neighbors.
• Routers believe even dishonest neighbors.
• Routers further away must believe everything they hear.
• Authentication must be end-to-end, not just hop-by-hop.
• Theoretical solutions just starting to appear in the literature.

IP Spoofing
• Attack described in a 1985 paper by Morris.
• Attacker appears to come from a particular IP address, but does not really control that address.
• First known use against Tsutomu Shimomura by hacker Mitnick - but it's hard to detect.
• Cryptographic authentication is a strong defense, but is rarely used.

Implications of Active Attacks
• Remote login is no longer secure, even when protected by hand-held authenticators.
• Login through a firewall is not safe, either.
• Other protocols are subject to similar attacks.

Denial of service (DoS) attacks
• Generally concerned not with gaining illegitimate access, but with denying access for legitimate users
• Motivations
  • Malice
  • Revenge
  • Personal gain
• Frequently relies on unsafe assumptions in code
• These attacks are surprisingly popular

Characteristics of DoS attacks
• A relatively recent form of attack
  • CERT has no DoS advisories before 1996
• Tend for the most part to be easy to detect, recover
• Rarely motivated by simple curiosity, and hence benign
• Frequently exploit a fundamental design weakness
• But may as well attack implementation flaws

Classes of DoS attacks
• Resource starvation
• Removal or modification of data
• Crashes, assaults on system integrity

Example: ECHO/CHARGEN
• Sometimes benign services can be dangerous
  • especially when coupled with a network with no flow control
• Simple exploit: take the output of the UDP CHARGEN port, feed it to the UDP ECHO port.
• Most hosts still ship with these services enabled by default

Or, on a larger scale...
• Smurf
  • Forge as source address someone you’re not fond of
  • Send ICMP echo request with forged source to large remote network
  • If intervening routers do not filter broadcasts, all hosts on remote net respond to forged source with ICMP echo replies
  • can generate in excess of 80Mbps from well-connected LANs

Dealing with this...
• Don’t run services you don’t need
• Recognize that even the most benign system can be misused
• This isn’t a bug, it isn’t even really a misfeature

SYN Flooding
• The first really big DoS attack
• Source published in PHRACK, 2600
• Exploits design flaw in TCP
• Used against major ISPs (and just about everybody else) in 1996
• Probably ushered in the age of the DoS

TCP handshake
Client → Server: SYN
Server → Client: SYN ACK
Client → Server: ACK
Client ↔ Server: data

The problem with this
• After sending SYN+ACK, the server must maintain state
• Connections are kept in a (small) backlog queue until ACK is received or a timer expires
• This timer was far too long in every TCP implementation (3 minutes or more)
  • After all, you don’t want to throw away valid connections

Dealing with this
• Four approaches
  • Grow queue as connections arrive (doesn’t scale)
  • Lower timeout as connections arrive (unfairly punishes legitimate users on slow links)
  • Randomly drop queue entries under load (punishes all users, but will hopefully hit attackers hardest)
  • Have firewall track and screen packets or mediate connections (expensive in firewall memory)
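
The difference between a fixed backlog and the third approach (random drop under load) shows up in a small simulation of the server's half-open queue. This is an added example, not part of the original slides; the queue size, SYN rates, round-trip time and one-tick-per-second scale are assumed values.

```python
import random

POLICIES = ("refuse-when-full", "random-drop")

def simulate_backlog(policy, ticks=600, capacity=128, timeout=180,
                     spoofed_per_tick=50, rtt=3, seed=1):
    """Count legitimate handshakes completed while spoofed SYNs arrive.

    All parameters are assumed values for illustration. One tick is one
    second, so timeout=180 is the "3 minutes" timer. Each tick the server
    receives `spoofed_per_tick` SYNs that are never ACKed, then one SYN
    from a legitimate client whose ACK arrives `rtt` ticks later.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    rng = random.Random(seed)      # seeded so runs are repeatable
    backlog = []                   # half-open entries: (arrival_tick, is_legit)
    completed = 0
    for now in range(ticks):
        # 1. The timer expires old half-open entries.
        backlog = [e for e in backlog if now - e[0] < timeout]
        # 2. The ACK of the legitimate client from `rtt` ticks ago arrives.
        #    The handshake completes only if its entry is still queued.
        pending = (now - rtt, True)
        if pending in backlog:
            backlog.remove(pending)
            completed += 1
        # 3. New SYNs arrive: the spoofed ones first, then the legitimate one.
        arrivals = [(now, False)] * spoofed_per_tick + [(now, True)]
        for syn in arrivals:
            if len(backlog) >= capacity:
                if policy == "refuse-when-full":
                    continue       # fixed queue: the new SYN is lost
                # random-drop: evict a random half-open entry to make room
                backlog.pop(rng.randrange(len(backlog)))
            backlog.append(syn)
    return completed

def compare_policies():
    """Return completed legitimate handshakes for both policies."""
    return {p: simulate_backlog(p) for p in POLICIES}

if __name__ == "__main__":
    for policy, done in compare_policies().items():
        print(f"{policy:17s} legitimate handshakes completed: {done}")
```

With the fixed queue, only the clients that arrived before the backlog filled ever connect; with random drop a legitimate entry survives if it is not evicted during its own round trip, which is why short round-trip times fare better than slow links.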

SYN flooding in context
• An operating system flaw?
  • or is it? Maybe it’s a design flaw
• Certainly can only be repaired by OS vendors
• Invariably coupled with IP spoofing
  • So maybe it’s an administration problem?
• Revealed a new motivation for DoS attacks: they’re fun!

Dealing with starvation
• Avoid handing out resources arbitrarily
  • Consider limiting based on IP, but don’t rely on it
• Don’t do heavy computation until you’ve authenticated
  • … and avoid computationally expensive authentication
• Never wait for clients in a thread that other clients depend on
  • Identify and minimize critical sections and synchronization points
• Use timeouts
• Accept there are things you can’t fix

DoS survival tips
• Install vendor patches
• Protect physical resources
• Limit access to data, web trees
• Assign quotas
• Properly configure routers, servers
  • No IP spoofing
  • No directed broadcasts
• Have adequate backups, reserve resources

Distributed DoS

DDoS features
• Large number of attacker-processes controlled by a master process
• Each DDoS attacking process uses common DoS techniques:
  • Smurf
  • SYN flood
  • UDP & ICMP flood
  • IP Spoofing

DDoS Tools
• Trin00
  • attacker, masters and daemons communication via UDP
  • uses password authentication
  • UDP flood.
• TFN
  • attacker, masters and daemons communication via TCP/UDP/SSH/ICMP
  • ICMP/SYN/UDP/Smurf style flood.
• Stacheldraht
  • attacker-master communication via encrypted TCP
  • Master-daemons communication via ICMP echoreply
  • Very difficult to detect

DDoS detection
• Intrusion Detection Systems can detect most attacks
• When attackers use encryption (e.g. Stacheldraht) attacks cannot be detected by IDS
• Only evidence is the increase in traffic and packet losses

DDoS protection
• Ingress Filtering
• Regular security-hole patching
• Private IP addresses wherever possible
• Rate limiting control protocols
• Content Delivery Networks

Buffer Overflows
• C uses character arrays for strings.
• It doesn’t check bounds (and the language design makes such checking hard).
• Too many programmers say “this array is big enough” -- and it is, for normal purposes…
• Technique first introduced in the Internet Worm of 1988 -- but we still see new examples.
• Easy to prevent

Race Conditions
• Mostly local attacks to gain root privileges.
• Low probability of success each try -- but attempts are cheap, and the attacker only has to win once.
• Most common variety: temporary files being created in /tmp or other world-writeable directory.
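
The temporary-file case comes down to "check, then create" versus a single atomic create. The following added example (not part of the original slides) puts the racy pattern beside two hardened forms; the function names, the file name app.tmp and the scratch directory standing in for /tmp are assumptions.

```python
import os
import tempfile

def create_unsafe(path, data):
    """Check-then-create: the pattern behind most temporary-file races."""
    if os.path.exists(path):               # check ...
        raise FileExistsError(path)
    # ... then use. The name can come into existence between the two steps,
    # and open() follows a symbolic link found at that name.
    with open(path, "w") as f:
        f.write(data)

def create_exclusive(path, data):
    """Create atomically: the kernel checks and creates in one step.

    O_CREAT | O_EXCL fails if the name exists in any form, including as a
    symbolic link, so there is no window between check and use.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def create_private(data, directory=None):
    """Preferred form: mkstemp picks an unpredictable name, creates it
    exclusively and gives it owner-only permissions."""
    fd, path = tempfile.mkstemp(prefix="app-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def run_demo():
    """Exercise the three helpers in a private scratch directory
    (a constructed stand-in for a world-writable /tmp)."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        elsewhere = os.path.join(shared, "someone-elses-file")
        predictable = os.path.join(shared, "app.tmp")
        # Constructed precondition: the predictable name already exists as a
        # link to a file that is not there yet, so exists() reports False.
        os.symlink(elsewhere, predictable)

        create_unsafe(predictable, "scratch data")
        results["unsafe_wrote_through_link"] = os.path.exists(elsewhere)
        os.remove(elsewhere)

        try:
            create_exclusive(predictable, "scratch data")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["link_target_untouched"] = not os.path.exists(elsewhere)

        path = create_private("scratch data", directory=shared)
        results["private_mode"] = oct(os.stat(path).st_mode & 0o777)
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```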

A few other types of attacks
• “Stupid user” attacks
  • Never underestimate the power of a well-meaning legitimate user to subvert even the most well-designed security system
• “Magic” attacks
  • There are attacks you don’t know about.

How do we defend ourselves?

Cryptology
• Generalized methods to hide (encrypt) and authenticate information
• Generalized methods to expose and substitute information
• Encryption = maintaining information secret/confidential
• Authentication = proving and maintaining information integrity

Cryptographic work can be at different levels
• algorithms/primitives: e.g. encryption algorithms, signature algorithms, hash algorithms
• protocols between more than 1 party: e.g. secure socket layer (SSL)
• systems: e.g. O/S, file systems

Some applications of cryptography
• network, operating systems security
• private internet, telephone communications
• electronic payments
• database security
• software protection
• pay television
• confidential, authentic military communications

Open vs. Closed System design
• Open design: the algorithm, protocol, or system design may be public information. The only secret will be the private or symmetric key(s)
• Closed design: as much information as possible is kept

Types of Security
• unconditional or “information theoretic”: the security is provable free of assumptions
• reducible or “provable”: one can prove that the security is as valid as some common unproven assumption
• ad hoc: the security seems good

Types of algorithms
• Symmetric (Encryption)
Sender (Alice), key K: M → Enc_K (encryption) → ciphertext
Receiver (Bob), key K: ciphertext → Dec_K (decryption) → M

Types of algorithms
• Symmetric (Authentication)
Sender (Alice), key K: M → Auth_K (authentication) → M, Auth_K(M)
Receiver (Bob), key K: M, Auth_K(M) → Verify_K (verification) → OK

Types of algorithms
• Public Key (Asymmetric Encryption)
Sender (Alice), pubkey: M → Enc_pubkey (encryption) → ciphertext
Receiver (Bob), privkey: ciphertext → Dec_privkey (decryption) → M

Types of algorithms
• Public Key (Asymmetric Authentication)
Sender (Alice), privkey: M → Sign_privkey (authentication) → M, Sign_privkey(M)
Receiver (Bob), pubkey: M, Sign_privkey(M) → Verify_pubkey (verification) → OK

Digital Signatures
• A public key technique to authenticate information in a non-repudiable way
  • may be legally binding
• Recipient knows:
  a) that the message is that of the supposed sender
  b) can prove (a) to a third party

Why Public Key is so important
• It lessens the number of keys needed
• Less reliance on a “trusted center” for system availability and secrecy
• Non-repudiation

Encryption Algorithms
• Caesar Cipher: {a, b, c … z} → {1, 2, 3, … 26}
  Enc(X) = Enc(x1 … xN) = x1 + 3 mod 26 … xN + 3 mod 26 = C1 … CN
  E.g. Enc(“Security”) = Enc(19,5,3,21,18,9,20,25) = 22,8,6,24,21,12,23,2 = “Vhfxulyb”
• Generalizations of Caesar Cipher (all weak security)
  • Shift: Enc_k(x) = x + k mod 26
  • Affine: Enc_{k1,k2}(x) = k1*x + k2 mod 26
  • Substitution: Enc_perm(x) = perm(x)
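
The shift and affine generalizations, and why they count as weak, can be worked through in code. This is an added example, not part of the original slides; it uses the slide's numbering a=1 … z=26, and the function names and the sample sentence are assumptions.

```python
from math import gcd
import string

ALPHABET = string.ascii_lowercase

def to_num(ch):
    """Slide numbering: a=1, b=2, ... z=26."""
    return ALPHABET.index(ch.lower()) + 1

def to_char(n, upper=False):
    """Inverse of to_num. A residue of 0 mod 26 stands for 26 ('z'),
    which the 1..26 numbering needs but 'mod 26' alone does not give."""
    ch = ALPHABET[(n - 1) % 26]
    return ch.upper() if upper else ch

def _map_letters(text, f):
    """Apply f to the number of each ASCII letter; keep case and other characters."""
    return "".join(
        to_char(f(to_num(c)), c.isupper()) if c in string.ascii_letters else c
        for c in text
    )

def affine_encrypt(text, k1, k2):
    """Enc_{k1,k2}(x) = k1*x + k2 mod 26."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 shares a factor with 26, so Enc is not one-to-one")
    return _map_letters(text, lambda x: k1 * x + k2)

def affine_decrypt(text, k1, k2):
    inv = pow(k1, -1, 26)                  # modular inverse (Python 3.8+)
    return _map_letters(text, lambda y: inv * (y - k2))

def shift_encrypt(text, k):
    """Enc_k(x) = x + k mod 26; k = 3 is the Caesar cipher."""
    return affine_encrypt(text, 1, k)

def shift_decrypt(text, k):
    return affine_decrypt(text, 1, k)

# Every usable affine key: 12 values of k1 coprime to 26, times 26 values of k2.
AFFINE_KEYS = [(k1, k2) for k1 in range(1, 26) if gcd(k1, 26) == 1
               for k2 in range(26)]

def exhaustive_search(ciphertext, known_word):
    """Try all 312 keys; return those whose decryption contains known_word."""
    return [key for key in AFFINE_KEYS
            if known_word in affine_decrypt(ciphertext, *key).lower()]

if __name__ == "__main__":
    print([to_num(c) for c in "Security"])   # the slide's 19,5,3,21,18,9,20,25
    # 22,8,6,24,21,12,23,2 spelled out; 23 is the letter 'w'
    print(shift_encrypt("Security", 3))
    secret = affine_encrypt("meet me at the library", 5, 8)  # constructed sample
    print(secret, exhaustive_search(secret, "library"))
```

The whole affine key space is 312 keys, and the shift cipher is the 26 of them with k1 = 1, so trying every key is immediate.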

Other Historical Ciphers
• WWII Japanese Purple Machine
• WWII American use of Navajo
• WWII German Enigma machine
D. Kahn. The Codebreakers. Macmillan Co., New York, 1967.

Unconditionally Secure Cipher
• One-time pad
  key = random* bits = 1100010011100100011…
  message = bits = 1110011001100110001…
  cipher text = XOR of key, message = 0010001010000010010...
• Problems: number of random bits = length of all messages being encrypted (not reusable), random bits must be known to both sender and recipient.
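
The slide's bit strings, the meaning of "unconditionally secure" and the "not reusable" problem can each be checked directly. This is an added example, not part of the original slides; the function names and the sample messages are assumptions.

```python
import secrets

# Bit strings taken from the slide.
SLIDE_KEY = "1100010011100100011"
SLIDE_MSG = "1110011001100110001"
SLIDE_CT = "0010001010000010010"

def xor_bits(a, b):
    """XOR two equal-length strings of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(message):
    """Encrypt bytes under a fresh random pad of the same length.
    Returns (pad, ciphertext); the pad must reach the recipient secretly."""
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(pad, message)

def otp_decrypt(pad, ciphertext):
    return xor_bytes(pad, ciphertext)

def pad_explaining(ciphertext, candidate):
    """Unconditional security: for any candidate plaintext of the same
    length there is a pad that decrypts the ciphertext to it, so the
    ciphertext alone rules no message out."""
    return xor_bytes(ciphertext, candidate)

def reuse_leak(m1, m2):
    """'Not reusable': encrypt two messages under one pad and XOR the two
    ciphertexts. The pad cancels and m1 XOR m2 remains, a value that
    depends only on the plaintexts."""
    pad = secrets.token_bytes(len(m1))
    c1, c2 = xor_bytes(pad, m1), xor_bytes(pad, m2)
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    print(xor_bits(SLIDE_KEY, SLIDE_MSG) == SLIDE_CT)
    m1 = b"pay 100 to alice"               # constructed sample messages
    m2 = b"pay 900 to carol"
    pad, ct = otp_encrypt(m1)
    print(otp_decrypt(pad, ct))
    print(otp_decrypt(pad_explaining(ct, m2), ct))
    print(reuse_leak(m1, m2) == xor_bytes(m1, m2))
```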
Pseudo-random number generators
Problems:
• getting many truly random bits is slow
• getting many shared truly random bits is more awkward
• getting “good randomness” is important for many crypto algorithms
Solution:
• theory: pseudo-random strings that are “polynomial time indistinguishable” from truly random strings
• practice: use DES, hash functions to generate bits from a random seed (FIPS 186)
Data Encryption Standard (DES)
• (symmetric key) Enc_k(M) = wild permutation, XORs of M, S-boxes, and k
• 16 “rounds,” 64-bit block input and output; not clean and concise (like RSA and one-time pad)
• Standard for encryption of unclassified data since 1977
• The 56-bit key raises valid concerns about vulnerability to “exhaustive key search”
DES
• The Data Encryption Standard
Triple DES (3-DES)
RSA (public key encryption *)
• Public key: (N,e)
• Private key: (p,q,d): p,q large primes;
• N = pq; d : (m^e)^d = m mod N
* RSA encryption can be modified easily to work as the RSA signature function
RSA (public key encryption [2])
• Express message M as a number between 1 and N
• Compute EncRSA_{N,e}(M) = M^e mod N
• Compute DecRSA_{p,q,d}(M^e) = (M^e)^d = M mod N
• Assumed hard:
  • factoring,
  • discrete logs modulo N
RSA (public key signatures)
• Hash message M to a number H(M)
• Compute SignRSA_{p,q,d}(M) = H(M)^d mod N
• VerifyRSA_{N,e}(M, SignRSA(M)) = “OK” if SignRSA(M)^e = H(M) mod N
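The RSA encryption and signature formulas from the three slides above, in the slides' notation. This is an added example, not code from the original slides: the demo primes are constructed and far too small for real use, H(M) is assumed to be SHA-256 reduced mod N, and the "FAIL" return value is an assumption. It is the unpadded textbook scheme exactly as the slides state it.

```python
import hashlib

def keygen(p, q, e=65537):
    """Return public (N, e) and private (p, q, d) in the slide's notation."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # d chosen so that (m^e)^d = m mod N
    return (p * q, e), (p, q, d)

def enc_rsa(pub, m):
    n, e = pub
    if not 1 <= m < n:
        raise ValueError("message must be a number between 1 and N")
    return pow(m, e, n)               # M^e mod N

def dec_rsa(priv, c):
    p, q, d = priv
    return pow(c, d, p * q)           # (M^e)^d = M mod N

def h(msg: bytes, n: int) -> int:
    """H(M): SHA-256 reduced mod N (a simplification for this demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_rsa(priv, msg: bytes) -> int:
    p, q, d = priv
    return pow(h(msg, p * q), d, p * q)   # H(M)^d mod N

def verify_rsa(pub, msg: bytes, sig: int) -> str:
    n, e = pub
    return "OK" if pow(sig, e, n) == h(msg, n) else "FAIL"

# Constructed demo key: two Mersenne primes, chosen only because they are
# easy to write down. Real keys use random primes of 1024 bits or more.
PUB, PRIV = keygen(2**89 - 1, 2**61 - 1)

if __name__ == "__main__":
    c = enc_rsa(PUB, 123456789)
    print(c, dec_rsa(PRIV, c))
    sig = sign_rsa(PRIV, b"pay Bob 10")
    print(verify_rsa(PUB, b"pay Bob 10", sig))      # OK
    print(verify_rsa(PUB, b"pay Bob 1000", sig))    # FAIL
```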
Digital Fingerprints: One-Way Hash Functions
• Cryptographically “compress” any message, M, to a fixed sized string, H(M).
• Design goal is to make it computationally infeasible to find any M_1 and M_2 with H(M_1) = H(M_2).
• What good are one-way functions?
1. Encrypting passwords (UNIX, S/Key)
2. Constructing digital signatures
3. Message integrity and authentication
4. Part of many other cryptographic applications:
– Pseudo-random generators
– Identification protocols
– Coin flipping by telephone
– Digital timestamping
Birthday attacks
• Alice prepares two versions of a contract
  • one very favorable to Bob - contract 1
  • the other would bankrupt Bob - contract 2
• Alice makes subtle changes to each contract
  • e.g. replace a space with space-backspace-space characters; making or not making the change on each of 32 lines yields 2^32 different docs.
• Alice compares the hashes of all variants of both docs
  • if the hash output is 64 bits, she should find a match using 2^32 different docs
• Alice gets Bob to sign the version of contract 1 for which she has a contract 2 collision
• Alice can convince a judge that Bob signed contract 2.
Countermeasures
• Use hash function with long output; 160 bits would require 2^80 documents
• Always make some cosmetic change to a document before signing
• Compress before signing
  • eliminates redundancy
• Hash message, append hash to message, hash again.
  • hash value is the two hash results concatenated together
  • this method never proven secure or insecure
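Why output length is the first countermeasure: the birthday search from the previous slide succeeds against a 16-bit hash with 2^12 variants per document, and finds nothing at 160 bits with the same effort. This is an added example, not code from the original slides; the contract text is constructed and the short hash is simulated by truncating SHA-256.

```python
import hashlib
from itertools import product

def h_trunc(doc: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, standing in for a short hash."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") >> (256 - bits)

def variants(lines, n_toggle):
    """Yield 2**n_toggle look-alike copies: each of the first n_toggle lines
    ends with either a space or space-backspace-space."""
    for choice in product((b" ", b" \x08 "), repeat=n_toggle):
        body = [ln + choice[i] if i < n_toggle else ln
                for i, ln in enumerate(lines)]
        yield b"\n".join(body)

def find_collision(doc1_lines, doc2_lines, n_toggle, bits):
    """Return (variant of doc1, variant of doc2) with equal short hash, or None."""
    seen = {h_trunc(v, bits): v for v in variants(doc1_lines, n_toggle)}
    for v in variants(doc2_lines, n_toggle):
        match = seen.get(h_trunc(v, bits))
        if match is not None:
            return match, v
    return None

# Constructed sample documents, 12 lines each.
CONTRACT_1 = [b"Line %d: Alice pays Bob 100" % i for i in range(12)]
CONTRACT_2 = [b"Line %d: Bob pays Alice 100000" % i for i in range(12)]

if __name__ == "__main__":
    pair = find_collision(CONTRACT_1, CONTRACT_2, n_toggle=12, bits=16)
    print("16-bit hash:", "collision found" if pair else "none")
    pair = find_collision(CONTRACT_1, CONTRACT_2, n_toggle=8, bits=160)
    print("160-bit hash:", "collision found" if pair else "none")
```

An n-bit hash needs about 2^(n/2) variants per document, so every extra output bit costs the searcher only half a bit of work; that is where the slide's figure of 2^80 documents for 160 bits comes from.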
Structure of MD4, MD5, and SHA
1. Pad message to a multiple of 512 bits:
2. Compute digest of padded message in 512-bit chunks:
Key Exchange: Establishing a (symmetric) Session Key k
[Figure: Bob and Alice; labels: pubkeyBob, privkeyAlice, privkeyBob, pubkeyAlice, k]
Impersonation Attack
[Figure: FakeBob and Alice; labels: pubkeyFakeBob, privkeyAlice, privkeyFakeBob, pubkeyAlice, “I am Bob”, Important Information]
Certification Authority (CA)
[Figure: certificate; labels: “Bob”, Misc info, Pubkey Bob, CA Signature]
certificate binds a name to a public key
Typical Contents of Certificates and CRLs
Digital Signatures in Practice