Download presentation: EE 515 / IS 523 Think Like an Adversary Lecture

8dc3bb7d73a90a34a5f9719138931d1b.ppt

  • Number of slides: 49

EE 515/IS 523 Think Like an Adversary
Lecture 4: Crypto in a Nutshell
Yongdae Kim

Recap
• http://security101.kr
• E-mail policy
  - Include [ee515] or [is523] in the subject of your e-mail
• Student Survey
  - http://bit.ly/SiK9M3
• Project Preproposal: Sep 24th

Basic Cryptography
Yongdae Kim

SKE with secure channel (diagram)
• Key source on Bob's side holds d; e is delivered to Alice over a secure channel, out of the adversary's reach.
• Alice (plaintext source): Encryption E_e(m) = c, sent over the insecure channel, which the adversary can observe.
• Bob (destination): Decryption D_d(c) = m.

PKE with insecure channel (diagram)
• Passive adversary observes every channel.
• Key source on Bob's side: d is kept by Bob; e is sent to Alice over an insecure channel.
• Alice (plaintext source): Encryption E_e(m) = c, sent over the insecure channel.
• Bob (destination): Decryption D_d(c) = m.

Public key should be authentic! (diagram: if the adversary can substitute its own e' for Bob's e, Alice produces E_e'(m) instead of E_e(m))
• Need to authenticate public keys

Digital Signatures
• Primitive in authentication and non-repudiation
• Signature
  - Process of transforming the message and some secret information into a tag
• Nomenclature
  - M is the set of messages
  - S is the set of signatures
  - S_A: M → S is the signing transformation for A, kept private
  - V_A is the verification transformation from M to S for A, publicly known

Key Establishment, Management
• Key establishment
  - Process whereby a shared secret key becomes available to two or more parties
  - Subdivided into key agreement and key transport
• Key management
  - The set of processes and mechanisms which support key establishment
  - The maintenance of ongoing keying relationships between parties

Symmetric vs. Public key
• SKE
  - Pros: high data throughput; relatively short key size
  - Cons: the key must remain secret at both ends; O(n^2) keys to be managed; relatively short lifetime of the key
• PKE
  - Pros: O(n) keys; only the private key must be kept secret; longer key lifetime; digital signature
  - Cons: low data throughput; much larger key sizes

Symmetric key Encryption
• Symmetric key encryption
  - if for each (e, d) it is computationally easy to compute e knowing d and d knowing e
  - Usually e = d
• Block cipher
  - breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time
• Stream cipher
  - encrypts individual characters of the plaintext message one at a time, using an encryption transformation which varies with time

Hash function and MAC
• A hash function is a function h
  - compression
  - ease of computation
  - Properties
    · one-way: for a given y, it is infeasible to find x' such that h(x') = y
    · collision resistance: it is infeasible to find x and x' such that h(x) = h(x')
  - Examples: SHA-1, MD5
• MAC (message authentication codes)
  - both authentication and integrity
  - MAC is a family of functions h_k
    · ease of computation (if k is known!)
    · compression: x is of arbitrary length, h_k(x) has fixed length
    · computation resistance
  - Example: HMAC

How Random is the Hash function? (figure only)

Applications of Hash Function
• File integrity
• File identifier
• Hash table
• Digital signature: Sign = S_SK(h(m))
• Password verification: stored hash = h(password)
• Generating random numbers

MAC construction from Hash
• Prefix
  - M = h(k || x)
  - appending y and deducing h(k || x || y) from h(k || x) without knowing k
• Suffix
  - M = h(x || k)
  - a birthday attack is possible: an adversary that can choose x can construct x' for which h(x) = h(x') in O(2^(n/2))
• STATE OF THE ART: HMAC (RFC 2104)
  - HMAC(x) = h(k || p1 || h(k || p2 || x)), p1 and p2 are padding
  - The outer hash operates on an input of two blocks
  - Provably secure

How to use MAC?
• A & B share a secret key k
• A sends the message x and the MAC M ← H_k(x)
• B receives x and M from A
• B computes H_k(x) from the received x
• B checks if M = H_k(x)
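The two slides above (HMAC construction and how A and B use a MAC), as an added example that is not part of the lecture: HMAC is built by hand from SHA-256 following RFC 2104, cross-checked against Python's hmac module, and then used for the send/verify steps. The key and message are constructed; in RFC 2104 the slide's "k || p" is really k XOR pad.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes; RFC 2104 pads the key to one block


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC as on the slide, h(k||p1||h(k||p2||x)), instantiated with SHA-256.
    p2 is the inner pad (ipad = 0x36 repeated), p1 the outer pad (opad = 0x5C);
    RFC 2104 XORs the padded key with each pad rather than concatenating."""
    if len(key) > BLOCK:                      # overlong keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")           # then zero-padded to one block
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    # outer hash input = padded key (one block) + inner digest (second block)
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's own implementation."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


# --- the protocol from the "How to use MAC?" slide ---
def a_send(k: bytes, x: bytes):
    """A sends x together with M <- H_k(x)."""
    return x, hmac_sha256(k, x)


def b_receive(k: bytes, x: bytes, m: bytes) -> bool:
    """B recomputes H_k(x) and checks M = H_k(x). compare_digest is used so the
    comparison time does not depend on where the first mismatching byte is."""
    return hmac.compare_digest(hmac_sha256(k, x), m)


def demo(k: bytes = b"constructed demo key", x: bytes = b"transfer 100 to Bob"):
    """Returns (accepted as sent, accepted after x was altered in transit)."""
    x_sent, m = a_send(k, x)
    return b_receive(k, x_sent, m), b_receive(k, x_sent.replace(b"100", b"900"), m)
```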

Digital Signature
"I did not have intimate relations with that woman, …, Ms. Lewinsky"
• Integrity
• Authentication
• Non-repudiation

Digital Signature with Appendix (diagram)
• m ∈ M is hashed: m_h = h(m) ∈ M_h
• Signing with A's private key k: s* = S_A,k(m_h)
• Verification: u = V_A(m_h, s*) ∈ {True, False}

Authentication
• How to prove your identity?
  - Prove that you know a secret information
• When key K is shared between A and Server
  - A → S: HMAC_K(M) where M can provide freshness
  - Why freshness?
• Digital signature?
  - A → S: Sig_SK(M) where M can provide freshness
• Comparison?

Encryption and Authentication
• E_K(M)
• Redundancy-then-Encrypt: E_K(M, R(M))
• Hash-then-Encrypt: E_K(M, h(M))
• Hash and Encrypt: E_K(M), h(M)
• MAC and Encrypt: E_h1(K)(M), HMAC_h2(K)(M)
• MAC-then-Encrypt: E_h1(K)(M, HMAC_h2(K)(M))

Challenge-response authentication
• Alice is identified by a secret she possesses
  - Bob needs to know that Alice does indeed possess this secret
  - Alice provides a response to a time-variant challenge
  - Response depends on both secret and challenge
• Using
  - Symmetric encryption
  - One-way functions

Challenge Response using SKE
• Alice and Bob share a key K
• Taxonomy
  - Unidirectional authentication using timestamps
  - Unidirectional authentication using random numbers
  - Mutual authentication using random numbers
• Unilateral authentication using timestamps
  - Alice → Bob: E_K(t_A, B)
  - Bob decrypts and verifies that the timestamp is OK
  - Parameter B prevents replay of the same message in the B → A direction

Challenge Response using SKE
• Unilateral authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_b, B)
  - Bob checks to see if r_b is the one it sent out
    · Also checks "B": prevents reflection attack
  - r_b must be non-repeating
• Mutual authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_a, r_b, B)
  - Bob → Alice: E_K(r_a, r_b)
  - Alice checks that r_a, r_b are the ones used earlier

Challenge-response using OWF
• Instead of encryption, use a keyed MAC h_K
• Check: compute the MAC from known quantities, and compare with the received message
• SKID3
  - Bob → Alice: r_b
  - Alice → Bob: r_a, h_K(r_a, r_b, B)
  - Bob → Alice: h_K(r_a, r_b, A)
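The SKID3 exchange above with both sides' checks, as an added example that is not from the lecture. The shared key and party names are constructed; h_K is HMAC-SHA256 over length-prefixed fields, and the last function shows why the identity inside the MAC matters: a message-2 tag echoed back to Alice is not a valid message 3.

```python
import hashlib
import hmac
import secrets


def h_k(key: bytes, *fields: bytes) -> bytes:
    """Keyed MAC h_K over several fields. Each field is length-prefixed so that
    (r_a, r_b, B) cannot be re-parsed as a different split of the same bytes."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


# Message 1, Bob -> Alice: r_b (a fresh, non-repeating challenge)
def bob_challenge() -> bytes:
    return secrets.token_bytes(16)


# Message 2, Alice -> Bob: r_a, h_K(r_a, r_b, B)
def alice_respond(key: bytes, r_b: bytes, bob_id: bytes):
    r_a = secrets.token_bytes(16)
    return r_a, h_k(key, r_a, r_b, bob_id)


# Bob's check of message 2, then message 3, Bob -> Alice: h_K(r_a, r_b, A)
def bob_verify_and_reply(key, r_b, r_a, tag, bob_id, alice_id):
    if not hmac.compare_digest(tag, h_k(key, r_a, r_b, bob_id)):
        return None                      # Alice did not prove knowledge of K
    return h_k(key, r_a, r_b, alice_id)


# Alice's check of message 3
def alice_verify(key, r_a, r_b, tag, alice_id) -> bool:
    return hmac.compare_digest(tag, h_k(key, r_a, r_b, alice_id))


def run_skid3(key: bytes, alice_id=b"Alice", bob_id=b"Bob") -> bool:
    """Whole exchange; True when each party accepts the other."""
    r_b = bob_challenge()
    r_a, tag2 = alice_respond(key, r_b, bob_id)
    tag3 = bob_verify_and_reply(key, r_b, r_a, tag2, bob_id, alice_id)
    return tag3 is not None and alice_verify(key, r_a, r_b, tag3, alice_id)


def reflection_accepted(key: bytes, alice_id=b"Alice", bob_id=b"Bob") -> bool:
    """Would Alice accept her own message-2 tag echoed back as message 3?
    No: message 3 must carry A while message 2 carries B, so the tags differ."""
    r_b = bob_challenge()
    r_a, tag2 = alice_respond(key, r_b, bob_id)
    return alice_verify(key, r_a, r_b, tag2, alice_id)
```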

Access Control in a Nutshell
Yongdae Kim

Kerberos vs. PKI vs. IBE
• Still debating
• Let's see one by one!

Kerberos (cont.) (diagram)
• A → T: A, B, N_A
• T → A: E_K_BT(k, A, L), E_K_AT(k, N_A, L, B)
• A → B: E_K_BT(k, A, L), E_k(A, T_A, A_subkey)
• B → A: E_k(T_A, B_subkey)
Annotations:
• E_K_BT(k, A, L): Token for B
• E_K_AT(k, N_A, L, B): Token for A
• L: Life-time
• N_A?
• E_k(A, T_A, A_subkey): To prove to B that A knows k
• T_A: Time-stamp
• E_k(B, T_A, B_subkey): To prove to A that B knows k

Kerberos (Scalable) (diagram; T acts as the AS, G as the TGS)
• A → T (AS): A, G, N_A
• T → A: E_K_GT(k_AG, A, L), E_K_AT(k_AG, N_A, L, G)
• A → G (TGS): E_K_GT(k_AG, A, L), E_k_AG(A, T_A, A_subkey), B, N_A'
• G → A: E_K_GB(k_AB, A, L), E_k_AG(k_AB, N_A', L, B)
• A → B: E_K_GB(k_AB, A, L, N_A'), E_k_AB(A, T_A', A_subkey)
• B → A: E_k(T_A', B_subkey)

Public Key Certificate
• Public-key certificates are a vehicle
  - public keys may be stored, distributed or forwarded over unsecured media
• The objective
  - make one entity's public key available to others such that its authenticity and validity are verifiable
• A public-key certificate is a data structure
  - data part
    · cleartext data including a public key and a string identifying the party (subject entity) to be associated therewith
  - signature part
    · digital signature of a certification authority over the data part
    · binding the subject entity's identity to the specified public key

CA
• a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity
  - The significance of this binding must be provided by additional means, such as an attribute certificate or policy statement.
• the subject entity must have a unique name within the system (distinguished name)
• The CA requires its own signature key pair, the authentic public key.
• Can be off-line!

ID-based Cryptography
• No public key
• Public key = ID (email, name, etc.)
• PKG
  - Private key generation center
  - SK_ID = PKG_S(ID)
  - PKG's public key is public.
  - distributes the private key associated with the ID
• Encryption: C = E_ID(M)
• Decryption: D_SK(C) = M

Discussion (PKI vs. Kerberos vs. IBE)
• On-line vs. off-line TTP
  - Implication?
• Non-repudiation?
• Revocation?
• Scalability?
• Trust issue?

OS Security
• OS Security is essentially concerned with four problems:
  - User authentication links users to processes.
  - Access control is about deciding whether a process can access a resource.
  - Protection is the task of enforcing these decisions: ensuring a process does not access resources improperly.
  - Isolation is the separation of processes' resources from other processes.

Access Control
• The OS mediates access requests between subjects and objects. (diagram: Subject → Reference monitor → Object)
• This mediation should (ideally) be impossible to avoid or circumvent.

Definitions
• Subjects make access requests on objects.
• Subjects are the ones doing things in the system, like users, processes, and programs.
• Objects are system resources, like memory, data structures, instructions, code, programs, files, sockets, devices, etc.
• The type of access determines what to do to the object, for example execute, read, write, allocate, insert, append, list, lock, administer, delete, or transfer.

Access Control
• Discretionary Access Control:
  - Access to objects (files, directories, devices, etc.) is permitted based on user identity
  - Each object is owned by a user.
  - Owners can specify freely (at their discretion) how they want to share their objects with other users, by specifying which other users can have which form of access to their objects.
  - Discretionary access control is implemented on any multi-user OS (Unix, Windows NT, etc.).
• Mandatory Access Control:
  - Access to objects is controlled by a system-wide policy, for example to prevent certain flows of information.
  - In some forms, the system maintains security labels for both objects and subjects, based on which access is granted or denied.
  - Labels can change as the result of an access
  - Security policies are enforced without the cooperation of users or application programs.
  - Mandatory access control for Linux: http://www.nsa.gov/research/selinux/

Access Control Matrix

         Obj1   Obj2   Obj3   …    Objn
Subj1    rwlx   -      -           l
Subj2    rwl    rlx    rwl    -    -
Subj3    -      -      -      rl   r
…
Subjm    rl     lw     rl     rw   r

Representations (slide shows a small example matrix with subjects S1 … Sm as rows and objects O1, O2, … as columns)
• An access control matrix can be represented internally in different ways:
  - Access Control Lists (ACLs) store the columns with the objects
  - Capability lists store the rows with the subjects
  - Role-based systems group rights according to the "role" of a subject.

Access Control Lists
• The ACL for an object lists the access rights of each subject (usually users).
• To check a request, look in the object's ACL.
• ACLs are used by most OSes and network file systems, e.g. NT, Unix, and AFS.

ACL Problems
• To be secure, the OS must authenticate that the user is who (s)he claims to be.
• To revoke a user's access, we must check every object in the system.
• There is often no good way to restrict a process to a subset of the user's rights.

Capabilities
• Capabilities store the allowed list of object accesses with each subject.
• When the subject requests access to object O, it must provide a "ticket" granting access to O.
• These tickets are stored in an OS-protected table associated to each process.
• No widely-used OS uses pure capabilities.
• Some systems have "capability-like" features: e.g. Kerberos, NT, OLPC, Android

ACL vs. Capabilities
• Capabilities do not require authentication: the OS just checks each ticket on access requests.
• Capabilities can be passed, or delegated, from one process to another.
• We can limit the privileges of a process by removing unnecessary tickets from the table.
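The matrix, ACL and capability slides above, worked through in code as an added example (not from the lecture): the same constructed matrix is stored column-wise as ACLs and row-wise as capability lists, and the functions show the cost of revoking a user in each representation, delegation of a ticket, and trimming a process's ticket table to least privilege.

```python
# Constructed access control matrix in the spirit of the slide:
# rows = subjects, columns = objects, entries = rights (r, w, l, x).
MATRIX = {
    "Subj1": {"Obj1": "rwlx", "Obj2": "",    "Obj3": "",    "ObjN": "l"},
    "Subj2": {"Obj1": "rwl",  "Obj2": "rlx", "Obj3": "rwl", "ObjN": ""},
    "Subj3": {"Obj1": "",     "Obj2": "",    "Obj3": "rl",  "ObjN": "r"},
}


def to_acls(matrix):
    """ACLs: one list per object (the matrix columns)."""
    acls = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_caps(matrix):
    """Capability lists: one ticket table per subject (the matrix rows)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acl_allows(acls, subj, obj, right):
    return right in acls.get(obj, {}).get(subj, set())


def cap_allows(caps, subj, obj, right):
    return right in caps.get(subj, {}).get(obj, set())


def acl_revoke_user(acls, subj):
    """Revoking a user under ACLs means visiting every object's list.
    Returns how many objects had to be examined (the 'ACL Problems' slide)."""
    for obj_acl in acls.values():
        obj_acl.pop(subj, None)
    return len(acls)


def cap_revoke_user(caps, subj):
    """Under capabilities the whole row disappears in one step."""
    caps.pop(subj, None)
    return 1


def delegate(caps, giver, receiver, obj):
    """Capabilities can be passed from one subject (process) to another."""
    caps.setdefault(receiver, {})[obj] = set(caps[giver][obj])


def restricted_process(caps, subj, needed):
    """Ticket table for a process of `subj` that keeps only the rights it needs
    (intersection with `needed`); an ACL system has no per-process row to trim."""
    return {o: caps[subj][o] & set(r) for o, r in needed.items() if o in caps[subj]}
```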

Roles (diagram: subjects S1, S2, S3, …, Sm are assigned to roles; role R1 carries rights over objects O2 … On, role R2 over O1, O2, … On)

Unix/POSIX Access Control

kyd@dio (~) % id
uid=3259(kyd) gid=717(faculty) groups=717(faculty),1686(mess),1847(S07C8271),1910(F07C5471),2038(S08C8271)
kyd@dio (~) % ls -l News_and_Recent_Events.zip
-rw-rw-rw- 1 kyd faculty 714904 Feb 22 10:00 News_and_Recent_Events.zip
kyd@dio (/web/classes02/Spring-2011/csci5471) % ls -al
drwxrwsr-x 4 kyd S11C5471 512 Jan 19 10:23 ./
drwxr-xr-x 46 root daemon 1024 Feb 17 23:04 ../
drwxrwsr-x 3 kyd S11C5471 512 Feb 16 00:36 Assignment/
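An added example (not from the lecture) that applies the POSIX owner/group/other rule to the `ls -l` lines on the slide: it parses the mode string, including the setgid `s` in `drwxrwsr-x`, decides which single permission class applies to a given user, and flags the world-writable zip file. The user names and group lists other than those on the slide are constructed.

```python
# Lines from the slide's terminal session, used as sample input.
ID_GROUPS = ["faculty", "mess", "S07C8271", "F07C5471", "S08C8271"]  # kyd's groups
ZIP_LINE = "-rw-rw-rw- 1 kyd faculty 714904 Feb 22 10:00 News_and_Recent_Events.zip"
DIR_LINE = "drwxrwsr-x 4 kyd S11C5471 512 Jan 19 10:23 ./"


def parse_mode(mode: str):
    """Turn 'drwxrwsr-x' into per-class right sets plus the special bits.
    Lower-case s/t means x is set together with setuid/setgid/sticky;
    upper-case S/T means the special bit is set without x."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    classes = {}
    for who, chunk in zip("ugo", (mode[1:4], mode[4:7], mode[7:10])):
        rights = set()
        if chunk[0] == "r":
            rights.add("r")
        if chunk[1] == "w":
            rights.add("w")
        if chunk[2] in "xst":
            rights.add("x")
        classes[who] = rights
    special = {"setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
               "sticky": mode[9] in "tT"}
    return mode[0], classes, special


def can_access(ls_line: str, user: str, groups, right: str) -> bool:
    """POSIX picks exactly one class: owner if the user owns the file, else
    group if any of the user's groups matches, else other. Classes are not
    unioned, so an owner of a '----rwx---' file gets nothing from the group bits."""
    mode, _links, owner, group = ls_line.split()[:4]
    _, classes, _ = parse_mode(mode)
    if user == owner:
        cls = "u"
    elif group in groups:
        cls = "g"
    else:
        cls = "o"
    return right in classes[cls]


def review(ls_line: str, user: str, groups) -> dict:
    """What a reviewer wants to know: can anyone write it, can this user, and
    do files created inside inherit the directory's group (setgid on a dir)."""
    ftype, _, special = parse_mode(ls_line.split()[0])
    return {
        "world_writable": can_access(ls_line, "nobody", [], "w"),
        "user_can_write": can_access(ls_line, user, groups, "w"),
        "new_files_inherit_group": ftype == "d" and special["setgid"],
    }
```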

Mandatory Access Control policies
• Restrictions to allowed information flows are not decided at the user's discretion (as with Unix chmod), but instead enforced by system policies.
• Mandatory access control mechanisms are aimed in particular at preventing policy violations by untrusted application software, which typically has at least the same access privileges as the invoking user.

Data Pump/Data Diode
• Like "air gap" security, but with a one-way communication link that allows users to transfer data from the low-confidentiality to the high-confidentiality environment, but not vice versa.
• Examples:
  - Workstations with highly confidential material are configured to have read-only access to low-confidentiality file servers.

The covert channel problem
• Reference monitors see only intentional communications channels, such as files, sockets, memory.
• However, there are many more "covert channels", which were neither designed nor intended to transfer information at all.
• A malicious high-level program can use these to transmit high-level data to a low-level receiving process, who can then leak it to the outside world.
• Examples for covert channels:
  - Resource conflicts: if a high-level process has already created a file F, a low-level process will fail when trying to create a file of the same name → 1 bit of information.
  - Timing channels: processes can use the system clock to monitor their own progress and infer the current load, into which other processes can modulate information.
  - Resource state: high-level processes can leave shared resources (disk head position, cache memory content, etc.) in states that influence the service response times for the next process.
  - Hidden information in downgraded documents: steganographic embedding techniques can be used to get confidential information past a human downgrader (least-significant bits in digital photos, variations of punctuation/spelling/whitespace in plaintext, etc.).