SENG 5199-3
Data and Network
Lecture 2
Introduction + Basic Crypto
Yongdae Kim
  Class web page, e-mail
E-mail policy
  Include [5199-3] in the subject of your e-mail
Active participation will make the class more
  Especially, forum.
              Course Content
Ch 1, Introduction
Ch 5, Cryptography
Ch 2, Usability and Psychology
Software Security
Ch 3, Protocols
Ch 4, Access Control
Ch 6, Distributed Systems
Ch 7, Economics
Ch 26, System Evaluation and Assurance
Applications (Part II)
News This Week (1)
  TXT design flaw
  Facebook + SSL
  Keylogger at Tunisia
Design Hierarchy
  What are we trying to do?    Policy
  How?                         Protocols
  With what?                   Hardware, crypto,
Security vs Dependability
  Dependability = reliability + security
  Reliability and security are often strongly correlated in practice
  But malice is different from error!
    Reliability: “Bob will be able to read this file”
    Security: “The Chinese Government won’t be able to read this file”
  Proving a negative can be much harder …
Methodology 101
  Sometimes you do a top-down development. In that case you need to get the security spec right in the early stages of the project
  More often it’s iterative. Then the problem is that the security requirements get detached
  In the safety-critical systems world there are methodologies for maintaining the safety
  In security engineering, the big problem is often maintaining the security requirements, especially as the system – and the environment – evolve
Threat Model
  What property do we want to ensure against what adversary?

  Who is the adversary?
  What is his goal?
  What are his resources?
    e.g. Computational, Physical, Monetary…
  What is his motive?
  What attacks are out of scope?

  Attack: attempt to breach system security
  Threat: a scenario that can harm a system (System unavailable)
  Vulnerability: the “hole” that allows an attack to succeed (TCP)
  Security goal: “claimed” objective; failure implies insecurity
Goals: Confidentiality
  Confidentiality of information means that it is accessible only by authorized entities
    Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of:
    Memory, processing, files, packets, devices, fields, programs, instructions, strings...

Goals: Integrity
  Integrity means that information can only be modified by authorized entities
    e.g. Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of:
    Memory, processing, files, packets, devices, fields, programs, instructions, strings...

Goals: Availability
  Availability means that authorized entities can access a system or service.
  A failure of availability is often called Denial of Service:
    Packet dropping
    Account freezing
    Queue filling

Goals: Accountability
  Every action can be traced to “the responsible party.”
  Example attacks:
    Microsoft cert
    Guest account
    Stepping stones

Goals: Dependability
  A system can be relied on to correctly deliver service
  Dependability failures:
    Therac-25: a radiation therapy machine whose patients were given massive overdoses (100 times) of radiation
      bad software design and development practices: impossible to test it in a clean automated way
    Ariane 5: expendable launch system
      the rocket self-destructed 37 seconds after launch because of a malfunction in the control software
      a data conversion from a 64-bit floating point value to a 16-bit signed integer value

Interacting Goals
  Failures of one kind can lead to failures of another, e.g.:
    Integrity failure can cause Confidentiality failure
    Availability failure can cause integrity, confidentiality failure
Security Assessment
  “Security by Obscurity:” a system that is only secure if the adversary doesn’t know the details.
  It is not secure!
             Rules of Thumb
Be conservative: evaluate security under the
 best conditions for the adversary

A system is as secure as the weakest link.

It is best to plan for unknown attacks.
Security & Risk
  We only have finite resources for security…

      Product A                Product B
      Prevents attacks:        Prevents attacks:
      U, W, Y, Z               V, X
      Cost $10K                Cost $20K

  If we only have $20K, which should we buy?
  The risk due to a set of attacks is the expected (or average) cost per unit of time.
  One measure of risk is Annualized Loss Expectancy, or ALE:

    ALE = \sum_{\text{attack } A} p_A \times L_A

  where p_A is the annualized attack frequency and L_A is the cost per attack, so p_A × L_A is the ALE of attack A.

Risk Reduction
  A defense mechanism may reduce the risk of a set of attacks by reducing L_A or p_A. This is the gross risk reduction (GRR):

    GRR = \sum_{\text{attack } A} (p_A \times L_A - p'_A \times L'_A)

  The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.
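The ALE, GRR and NRR formulas carried through on the Product A / Product B question, as an added example that is not part of the lecture. The attack frequencies, loss figures and the assumption that each product blocks its listed attacks completely (p'_A = 0, L_A unchanged) are constructed for illustration; only the attack names, the sets each product covers and the two prices come from the slide.

```python
"""Added example: Annualized Loss Expectancy (ALE) and net risk reduction.

Implements the lecture's formulas
    ALE = sum over attacks A of p_A * L_A
    GRR = sum over attacks A of (p_A * L_A - p'_A * L'_A)
    NRR = GRR - cost of the mechanism
on a constructed attack table. The rates, costs and the "fully blocks"
assumption are illustration only, not figures from the lecture."""

# Constructed table: attack -> (p_A, attacks per year; L_A, cost per attack in $)
ATTACKS = {
    "U": (2.0, 5_000),
    "V": (0.5, 40_000),
    "W": (1.0, 3_000),
    "X": (0.2, 150_000),
    "Y": (4.0, 1_000),
    "Z": (0.1, 20_000),
}


def prevented(attacks, names):
    """Residual (p'_A, L'_A) for a mechanism that fully blocks the named attacks:
    p'_A drops to 0 while the per-attack loss L_A is unchanged."""
    return {n: (0.0, attacks[n][1]) for n in names}


# The two products from the slide: (residual risk after deployment, annual cost in $)
PRODUCTS = {
    "A": (prevented(ATTACKS, ["U", "W", "Y", "Z"]), 10_000),
    "B": (prevented(ATTACKS, ["V", "X"]), 20_000),
}


def ale(attacks):
    """ALE = sum of p_A * L_A: expected loss per year over all attacks."""
    return sum(p * L for p, L in attacks.values())


def gross_risk_reduction(attacks, residual):
    """GRR = sum of (p_A * L_A - p'_A * L'_A). Attacks the mechanism does not
    touch keep their original (p_A, L_A) and therefore contribute zero."""
    total = 0.0
    for name, (p, L) in attacks.items():
        p2, L2 = residual.get(name, (p, L))
        total += p * L - p2 * L2
    return total


def net_risk_reduction(attacks, residual, cost):
    """NRR = GRR - cost of the mechanism."""
    return gross_risk_reduction(attacks, residual) - cost


def best_product(attacks, products, budget):
    """Pick the affordable product with the largest positive NRR; None if no
    affordable product pays for itself."""
    best, best_nrr = None, 0.0
    for name, (residual, cost) in products.items():
        if cost > budget:
            continue
        nrr = net_risk_reduction(attacks, residual, cost)
        if nrr > best_nrr:
            best, best_nrr = name, nrr
    return best


if __name__ == "__main__":
    print("ALE without any product:", ale(ATTACKS))
    for name, (residual, cost) in PRODUCTS.items():
        print(f"Product {name}: GRR {gross_risk_reduction(ATTACKS, residual):.0f}, "
              f"NRR {net_risk_reduction(ATTACKS, residual, cost):.0f}")
    print("Best buy with $20K:", best_product(ATTACKS, PRODUCTS, 20_000))
```

With these constructed numbers Product B, which blocks only two attacks, has the higher NRR because the attacks it stops are the expensive ones; the count of attacks prevented says nothing by itself. With a $15K budget the same function picks Product A.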
          News This Week (2)
Smartphone USB to attack PC

ISP to record data

Evercookie and fingerprinting
Basic Cryptography
Yongdae Kim

The main players
  Alice and Bob
  (figure) Normal flow: Source → Destination, and the four attacks on it:
    Interruption: Availability
    Interception: Confidentiality
    Modification: Integrity
    Fabrication: Authenticity
          Taxonomy of Attacks
Passive attacks
  Traffic analysis

Active attacks
  Modification of message content
  Denial of service
Big picture
  (figure) Two parties exchange a message; each holds secret information, and a trusted third party (e.g. arbiter, distributor of secret information) may be involved.
Terminology for Encryption
  A denotes a finite set called the alphabet
  M denotes a set called the message space
    M consists of strings of symbols from an alphabet
    An element of M is called a plaintext
  C denotes a set called the ciphertext space
    C consists of strings of symbols from an alphabet
    An element of C is called a ciphertext
  K denotes a set called the key space
    An element of K is called a key
  E_e is an encryption function where e ∈ K
  D_d is called a decryption function where d ∈ K

  (figure) Alice (plaintext source) computes E_e(m) = c and sends c over an insecure channel; Bob (destination) computes D_d(c) = m.

  Why do we use a key?
    Or why not use just a shared encryption function?
SKE with Secure channel
  (figure) A key source delivers d over a secure channel; Alice sends c = E_e(m) over the insecure channel and Bob recovers m = D_d(c).

PKE with insecure channel
  (figure) Bob's key source sends e to Alice over the insecure channel; Alice sends c = E_e(m) over the insecure channel and Bob recovers m = D_d(c).

Public key should be authentic!
  (figure) e’ is substituted for e on the insecure channel
  Need to authenticate public keys
Digital Signatures
  Primitive in authentication and non-
  Process of transforming the message and some secret information into a tag
  M is set of messages
  S is set of signatures
  S_A: M → S for A, kept private
  V_A is verification transformation from M to S for A, publicly known
Key Establishment, Management
  Key establishment
    Process whereby a shared secret key becomes available to two or more parties
    Subdivided into key agreement and key
  Key management
    The set of processes and mechanisms which support key establishment
    The maintenance of ongoing keying relationships between parties
Symmetric vs. Public key

      Pros                                   Cons
SKE   High data throughput                   The key must remain secret at both ends
      Relatively short key size              O(n²) keys to be managed
                                             Relatively short lifetime of the key
PKE   O(n) keys                              Low data throughput
      Only the private key must be kept      Much larger key sizes
        secret
      Longer key lifetime
      Digital signature
Symmetric key Encryption
  Symmetric key encryption
    if for each (e, d) it is computationally easy to compute e knowing d and d knowing e
    Usually e = d
  Block cipher
    breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time
  Stream cipher
    encrypts individual characters of the plaintext message one at a time, using an encryption transformation which varies with time
Hash function and MAC
  A hash function is a function h
    compression
    ease of computation
    Properties
      one-way: for a given y, it is infeasible to find x’ such that h(x’) = y
      collision resistance: it is infeasible to find x and x’ such that h(x) = h(x’)
    Examples: SHA-1, MD5

  MAC (message authentication codes)
    both authentication and integrity
    MAC is a family of functions h_k
      ease of computation (if k is known!!)
      compression: x is of arbitrary length, h_k(x) has fixed length
      computation resistance
    Example: HMAC
MAC construction from Hash
  M = h(k||x)
    appending y and deducing h(k||x||y) from h(k||x) without knowing k
  M = h(x||k)
    a birthday attack is possible: an adversary that can choose x can construct x’ for which h(x) = h(x’) in O(2^{n/2})

  HMAC(x) = h(k||p1||h(k||p2||x)), p1 and p2 are padding
  The outer hash operates on an input of two blocks
  Provably secure
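The nested construction above, written out as runnable code; this is an added example, not code from the lecture. It builds HMAC-SHA256 from the formula h(k||p1||h(k||p2||x)), taking p1 and p2 to be the opad/ipad-derived key blocks fixed by RFC 2104 (which is how standard HMAC instantiates the slide's "padding"), places the two weak constructions h(k||x) and h(x||k) beside it for contrast, and cross-checks the result against Python's `hmac` module. The key "Jefe" and message in the usage block are the RFC 4231 test vector; everything else is constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 compresses 64-byte blocks; each padded key below is exactly one block


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC as the nested hash on the slide: h(k_outer || h(k_inner || x)).
    k_inner = k XOR ipad and k_outer = k XOR opad are the slide's p1/p2 padding
    as fixed by RFC 2104 (assumption stated in the lead-in)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # keys longer than one block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded up to one full block
    k_inner = bytes(b ^ 0x36 for b in key)    # ipad byte
    k_outer = bytes(b ^ 0x5C for b in key)    # opad byte
    inner = hashlib.sha256(k_inner + msg).digest()
    # The outer hash sees exactly two blocks (k_outer plus the 32-byte inner digest
    # and its padding) no matter how long x was, which is what the slide refers to.
    return hashlib.sha256(k_outer + inner).digest()


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """The slide's first construction M = h(k || x), shown only for contrast."""
    return hashlib.sha256(key + msg).digest()


def suffix_mac(key: bytes, msg: bytes) -> bytes:
    """The slide's second construction M = h(x || k), shown only for contrast."""
    return hashlib.sha256(msg + key).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time so that a
    mismatch in an early byte is not distinguishable by timing."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    k, x = b"Jefe", b"what do ya want for nothing?"   # RFC 4231 test case 2
    tag = hmac_sha256(k, x)
    print("HMAC-SHA256 :", tag.hex())
    print("h(k||x)     :", prefix_mac(k, x).hex())
    print("h(x||k)     :", suffix_mac(k, x).hex())
    print("matches hmac module:", matches_stdlib(k, x), " verifies:", verify(k, x, tag))
```

The three functions differ only in where the key goes, which is the whole point of the slide: the security argument for HMAC rests on the key being mixed in through two independent hash invocations, not on the key being secret in one place.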
PKE with insecure channel
  (figure, repeated from above) Bob's key source sends e to Alice over the insecure channel; Alice sends c = E_e(m) over the insecure channel and Bob recovers m = D_d(c).
            Digital Signature
  How to prove your identity?
    Prove that you know a secret information
  When key K is shared between A and Server
    A → S: HMAC_K(M) where M can provide freshness
    Why freshness?
  Digital signature?
    A → S: Sig_SK(M) where M can provide freshness
Encryption and Authentication
  Redundancy-then-Encrypt: E_K(M, R(M))
  Hash-then-Encrypt: E_K(M, h(M))
  Hash and Encrypt: E_K(M), h(M)
  MAC and Encrypt: E_{h1(K)}(M), HMAC_{h2(K)}(M)
  MAC-then-Encrypt: E_{h1(K)}(M, HMAC_{h2(K)}(M))
      Challenge-response authentication
Alice is identified by a secret she possesses
  Bob needs to know that Alice does indeed possess
   this secret
  Alice provides response to a time-variant
  Response depends on both secret and challenge

  Symmetric encryption
  One way functions
Challenge Response using SKE
  Alice and Bob share a key K
    Unidirectional authentication using
    Unidirectional authentication using random
    Mutual authentication using random numbers
  Unilateral authentication using timestamps
    Alice → Bob: E_K(tA, B)
    Bob decrypts and verifies that the timestamp is OK
    Parameter B prevents replay of the same message in the B → A direction

Challenge Response using SKE
  Unilateral authentication using random
    Bob → Alice: rb
    Alice → Bob: E_K(rb, B)
    Bob checks to see if rb is the one it sent out
      Also checks “B” - prevents reflection attack
    rb must be non-repeating
  Mutual authentication using random
    Bob → Alice: rb
    Alice → Bob: E_K(ra, rb, B)
    Bob → Alice: E_K(ra, rb)
    Alice checks that ra, rb are the ones used earlier

Challenge-response using OWF
  Instead of encryption, use a keyed MAC h_K
  Check: compute the MAC from known quantities, and compare with the message
    Bob → Alice: rb
    Alice → Bob: ra, h_K(ra, rb, B)
    Bob → Alice: h_K(ra, rb, A)
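The three-message OWF protocol above with both sides' checks written out, as an added example that is not from the lecture. It instantiates h_K as HMAC-SHA256 (an assumption; the slide leaves the keyed MAC abstract), length-prefixes the fields so that (ra, rb, B) has one unambiguous encoding, and makes the verifier checks explicit: rb must be a challenge Bob actually issued and not yet consumed (the "non-repeating" requirement), and each tag must bind the identity of the party that is meant to accept it, which is the check the slide describes as defeating reflection. The key value and identities are constructed.

```python
import hashlib
import hmac
import secrets


def h_k(key: bytes, *fields: bytes) -> bytes:
    """The slide's keyed one-way function h_K(...), instantiated as HMAC-SHA256
    (assumption). Fields are length-prefixed so the tuple (ra, rb, B) cannot be
    re-parsed as a different tuple with the same byte string."""
    encoded = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, encoded, hashlib.sha256).digest()


class Party:
    """A protocol participant holding the shared key K and its own identity."""

    def __init__(self, name: bytes, key: bytes):
        self.name = name
        self.key = key
        self.pending = set()   # challenges issued and not yet answered (single use)

    # Methods used when acting as the challenger (Bob in the slide)
    def issue_challenge(self) -> bytes:
        """Message 1, Bob -> Alice: a fresh random rb."""
        rb = secrets.token_bytes(16)
        self.pending.add(rb)
        return rb

    def check_response(self, rb: bytes, ra: bytes, tag: bytes) -> bool:
        """Bob checks message 2: rb must be one he issued and not yet used, and
        the tag must have been computed over his own identity."""
        if rb not in self.pending:
            return False                     # unknown or already-consumed challenge
        self.pending.discard(rb)             # a replay of the same rb fails next time
        expected = h_k(self.key, ra, rb, self.name)
        return hmac.compare_digest(expected, tag)

    def answer(self, ra: bytes, rb: bytes, peer_name: bytes) -> bytes:
        """Message 3, Bob -> Alice: h_K(ra, rb, A), bound to Alice's identity."""
        return h_k(self.key, ra, rb, peer_name)

    # Methods used when acting as the responder (Alice in the slide)
    def respond(self, rb: bytes, peer_name: bytes):
        """Message 2, Alice -> Bob: ra, h_K(ra, rb, B)."""
        ra = secrets.token_bytes(16)
        return ra, h_k(self.key, ra, rb, peer_name)

    def check_answer(self, ra: bytes, rb: bytes, tag: bytes) -> bool:
        """Alice checks message 3 against the ra, rb she used earlier and her own name."""
        expected = h_k(self.key, ra, rb, self.name)
        return hmac.compare_digest(expected, tag)


def run_protocol(alice: Party, bob: Party) -> bool:
    """The full mutual authentication; True only if both parties' checks pass."""
    rb = bob.issue_challenge()                  # 1. Bob -> Alice: rb
    ra, tag_a = alice.respond(rb, bob.name)     # 2. Alice -> Bob: ra, h_K(ra, rb, B)
    if not bob.check_response(rb, ra, tag_a):
        return False
    tag_b = bob.answer(ra, rb, alice.name)      # 3. Bob -> Alice: h_K(ra, rb, A)
    return alice.check_answer(ra, rb, tag_b)


if __name__ == "__main__":
    K = b"constructed shared key K"            # constructed value for the demo
    print(run_protocol(Party(b"Alice", K), Party(b"Bob", K)))   # True
```

Because message 2 carries B's name and message 3 carries A's name, a tag built for one direction never verifies in the other; that is why `check_answer` computes the expected value with the checker's own identity rather than trusting the name carried in the message.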
Kerberos vs. PKI vs. IBE
  Still debating
  Let’s see one by one!

  A, B, a TTP share long-term pairwise secret keys a priori
  TTP either plays the role of KDC and itself supplies the session key, or serves as a key translation center (KTC)
  A and B share no secret, T shares a secret with each
  Goal: for B to verify A’s identity, establishing shared key
  A requests a credential to allow it to authenticate itself
  T plays the role of a KDC, returning to A a session key encrypted for A and a ticket encrypted for B
  The ticket contains the session key and A’s identity
Kerberos (cnt.)
  (figure) Message flow between A, the TTP T and B:
    A → T: A, B, NA
    T → A: E_KBT(k, A, L), E_KAT(k, NA, L, B)
    A → B: E_KBT(k, A, L), E_k(A, TA, Asubkey)
    B → A: E_k(TA, Bsubkey)
  Notation:
    E_KBT(k, A, L): token for B
    E_KAT(k, NA, L, B): token for A
    L: lifetime
    TA: timestamp
    E_k(A, TA, Asubkey): to prove to B that A knows k
    E_k(B, TA, Bsubkey): to prove to A that B knows k
Kerberos (cnt.)
  AS (Authentication Server) in Kerberos paper

  Properties
    secure and synchronized clocks
    If password-based, protocol is susceptible to password-guessing attack
    Asubkey and Bsubkey allow transfer of a key from A to B
    Lifetime is intended to allow A to re-use the
Kerberos (Scalable)
  (figure) A first obtains from T (the AS) a key kAG and ticket for the ticket-granting server G (TGS); the exchange with G, which yields kAB and the ticket for B, is not shown on the page.
    A → T: A, G, NA
    T → A: E_KGT(kAG, A, L), E_KAT(kAG, NA, L, G)
    A → B: E_KGB(kAB, A, L, NA’), E_kAB(A, TA’, Asubkey)
    B → A: E_k(TA’, Bsubkey)
Public Key Certificate
  Public-key certificates are a vehicle
    public keys may be stored, distributed or forwarded over unsecured media
  The objective
    make one entity’s public key available to others such that its authenticity and validity are verifiable.
  A public-key certificate is a data structure
    data part
      cleartext data including a public key and a string identifying the party (subject entity) to be associated therewith.
    signature part
      digital signature of a certification authority over the data part, binding the subject entity’s identity to the specified public key.
  A trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity
    The significance of this binding must be provided by additional means, such as an attribute certificate or policy statement.
  The subject entity must be a unique name within the system (distinguished name)
  The CA requires its own signature key pair, the authentic public key.
  Can be off-line!

Data Part
  a validity period of the public key
  a serial number or key identifier identifying the certificate
  additional information about the subject entity (e.g., street or network
  additional information about the key (e.g., algorithm and intended
  quality measures related to the identification of the subject entity, the generation of the key pair, or other policy issues;
  information facilitating verification of the signature (e.g., a signature algorithm identifier, and issuing CA’s name)
  the status of the public key (cf. revocation certificates).
        ID-based Cryptography
No public key
Public key = ID (email, name, etc.)
  Private key generation center
  PKG’s public key is public.
  distributes private key associated with the ID
Encryption: C= EID(M)
Decryption: DSK(C) = M
    Discussion (PKI vs. Kerberos vs. IBE)
On-line vs. off-line TTP
Trust issue?
