CIS6

Security: 

Security

Echelon in Action: 

Echelon in Action Enercon GmbH develops a new type of wind energy generator ... Shortly afterwards, US company Kennetech files a patent for identical technology in the US ... Kennetech obtained a court order preventing Enercon from operating in the US Loss to Enercon: 100 million DM, 300 jobs

Other Typical Echelon Uses: 

Other Typical Echelon Uses Aiding transfer of $200M Indonesian deal from NEC to AT&T Forwarding details of Thomson­CSF deal in Brazil to Raytheon Obtaining Japanese research on advanced automobiles for Ford, GM, and Chrysler

Other Typical Echelon Uses: 

Other Typical Echelon Uses Providing information to US negotiators facing Japanese car companies in trade dispute Intercepting Mexican trade representatives during NAFTA negotiations Intercepting Canadian negotiations for sale of 3 reactors to South Korea Monitoring activities of Robert Maxwell

Security Requirements: 

Security Requirements Confidentiality Protection from disclosure to unauthorised persons Integrity Maintaining data consistency Authentication Assurance of identity of person or originator of data Non­repudiation Originator of communications can't deny it later

Security Requirements: 

Security Requirements Availability Legitimate users have access when they need it Access control Unauthorised users are kept out These are often combined User authentication for access control purposes Non­repudiation combined with authentication

Security Threats: 

Security Threats Information disclosure/information leakage Integrity violation Masquerading Denial of service Illegitimate use Generic threat: Backdoors, trojan horses, insider attacks

Slide8: 

Most Internet security problems are access control or authentication ones Denial of service is also popular, but mostly an annoyance Security problems in dedicated systems not yet widespread, but prevention is better than cure ...

Attack types: 

Attack types Passive attack can only observe communications or data Active attack can actively modify communications or data very difficult, but very effective Mail forgery & modification TCP/IP spoofing, session hijacking

Security Mechanisms : 

Security Mechanisms Three basic building blocks are used: Encryption is used to provide confidentiality, can provide authentication and integrity protection Digital signatures are used to provide authentication, integrity protection, and non­repudiation Checksums/hash algorithms are used to provide integrity protection, can provide authentication One or more security mechanisms are combined to provide a security service

Services, Mechanisms, Algorithms: 

Services, Mechanisms, Algorithms A typical security protocol provides one or more services Services are built from mechanisms Mechanisms are implemented with algorithms Services signatures encryption hashing DSA RSA RSA DES SHA1 MD5 protocol mechanisms algorithms

Conventional encryption: 

Conventional encryption Uses shared key Problem of secure communication of large message in secret reduced to one of small key Alternative: key agreement A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Anasdkjadiuer dsflkjdflkjwqpweur asdkljasldj234 ads;fklkjlrq elkjsdfjlsdfp sdlkfjsldjf A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Anasdkjadiuer dsflkjdflkjwqpweur asdkljasldj234 ads;fklkjlrq elkjsdfjlsdfp sdlkfjsldjf

Public key encryption: 

Public key encryption Uses matched public/private key pairs Anyone can encrypt with he public key, only one person can decrypt with private key A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Anasdkjadiuer dsflkjdflkjwqpweur asdkljasldj234 ads;fklkjlrq elkjsdfjlsdfp sdlkfjsldjf A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Anasdkjadiuer dsflkjdflkjwqpweur asdkljasldj234 ads;fklkjlrq elkjsdfjlsdfp sdlkfjsldjf Private key Public key

Public key encryption : 

Public key encryption How can you use two different keys? One is the inverse of the other: key1 = 3, key2 = 1/3, message M = 4 Encryption: Ciphertext C = M × key1 = 4 × 3 = 12 Decryption: Plaintext M = C × key2 = 12 × 1/3 = 4 One key is published, one is kept private public­key crytopgraphy

Example: RSA: 

Example: RSA n, e = public key, n = product of two primes p and q d = private key e . d = 1 mod((p-1)(q-1)) Encryption: C = M e mod n Decryption: M = C d mod n p, q = 5, 7 n = p × q = 35 e = 5 5.d = 1 mod 24, thus d = 5

Slide16: 

message M = 4 Encryption C = 4 5 mod 35 = 9 Decryption M = 9 5 mod 35 = 9049 mod 35 = 4

Hash function: 

Hash function Unique fingerprint for a message Anyone can modify message and generate new hash A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Hash Message hash

Hash function: 

Hash function Map variable­length input to fixed­length output Requirements Can't deduce input from output Can't generate a given output (CRC fails this requirement) Can't find two inputs which produce the same output (CRC also fails this requirement) Used to Produce fixed­length fingerprint of arbitrary­length data Produce data checksums to enable detection of modifications Distill passwords down to fixed­length encryption keys Also called message digests or fingerprints

MAC: 

MAC Message Authentication Code: add a password/key to hashcode Only owner of key can generate MAC A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption MAC Message MAC

MAC: 

MAC Hash algorithm + key to make hash value dependant on the key Most common form is HMAC (hash MAC) hash( key, hash( key, data )) Key affects both start and end of hashing process MD2, MD4, MD5: various weaknesses, 128 bits SHA-1: designed by NSA, 160 bits RIPEMD-160: 160 bits HMAC-SHA: SHA-1 turned into MAC

Digital signatures: 

Digital signatures Combines hash with digital signature algorithm A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Hash signature sign Message hash Sender’s private key

Digital signatures: 

Digital signatures Signature checking A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption signature Hash Verify ? Sender’s public key

Message/data encryption: 

Message/data encryption Combines conventional and pblic-key encryption A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryptionC A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption encrypt encrypt Encrypted session key Session key Recipient’s public key

Message/data encryption: 

Message/data encryption Public key encryption provides secure channel for excahnging conventional keys A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryption Encrypted session key decrypt decrypt A clear text message must be sent to somewhere else without anybody being able to read it. This is done through encryptionC Session key Recipient’s private key

Historical Ciphers: 

Historical Ciphers Nonstandard hieroglyphics, 1900BC Atbash cipher (Old Testament, reversed Hebrew alphabet, 600BC) Caesar cipher: letter = letter + 3 `fish' `ilvk' rot13: Add 13/swap alphabet halves Usenet convention used to hide possibly offensive jokes Applying it twice restores original text

Substitution Ciphers: 

Substitution Ciphers Simple substitution cipher: a = p, b = m, c = f, ... Break via letter frequency analysis Polyalphabetic substitution cipher 1. a = p, b = m, c = f, ... 2. a = l, b = t, c = a, ... 3. a = f, b = x, c = p, ... Break by decomposing into individual alphabets, then solve as simple substitution

One­time Pad (1917): 

One­time Pad (1917) OTP is unbreakable provided Pad is never reused Unpredictable random numbers are used (physical sources, eg radioactive decay) Message s e c r e t 18 5 3 17 5 19 OTP + 15 8 1 12 19 5 7 13 4 3 24 24 g m d c x x

Slide28: 

Used by Russian spies The Washington­Moscow “hot line” CIA covert operations Many “snake oil” algorithms claim unbreakability by claiming to be a OTP Pseudo­OTP's give pseudo­security Cipher machines attempted to create approximations to OTP's, first mechanically, then electronically

Cipher machines (~1920): 

Cipher machines (~1920) Basic component: wired rotor simple substitution Step rotor after each letter polyalphabetic substitution, period 26 A Q

Cipher machines: 

Cipher machines Chain multiple rotors each rotor steps the next after a full turn

Cipher machines: 

Cipher machines 2 rotors: period is 26 x 26 = 676 3 rotors: period is 26 x 26 x 26 = 17576 Key: rotor wiring start position

Slide32: 

Famous rotor machines US: Converter M­209 UK: TYPEX Japan: Red, Purple Germany: Enigma

Enigma secure if used properly: 

Enigma secure if used properly Use of predictable openings: ”Mein Fuehrer! …” “Nothing to report” Use of the same key over an extended period Encryption of the same message with old (compromised) and new keys Device treated as a magic black box, a mistake still made today Inventors believed it was infallible

Stream ciphers: 

Stream ciphers Binary pad (keystream) use XOR instead of addition plaintext 1 0 0 1 0 1 1 keystream 0 1 0 1 1 0 1 ciphertext 1 1 0 0 1 1 0 keystream 0 1 0 1 1 0 1 plaintext 1 0 0 1 0 1 1

Stream Ciphers (ctd): 

Stream Ciphers (ctd) Using the keystream and ciphertext, we can recover the plaintext Using the plaintext and ciphertext, we can recover the keystream Using two ciphertexts from the same keystream, we can recover the XOR of the plaintexts Any two components of an XOR­based encryption will recover the third Never reuse a key with a stream cipher Better still, never use a stream cipher

Stream Ciphers (ctd): 

Stream Ciphers (ctd) Vulnerable to bit-flipping attacks plaintext: QT-TRNSFER USD $000010,00 FRM ACCNT 12345-67 TO ciphertext: aMz0rspLtxMfpUn7UxOrtLm42ZuweeM0qaPtI7wEptAnxfL 00101101 00101100 ciphertext: aMz0rspLtxMfpUn7TxOrtLm42ZuweeM0qaPtI7wEptAnxfL plaintext: QT-TRNSFER USD $10010,00 FRM ACCNT 12345-67 TO

RC4: 

RC4 Stream cipher optimised for fast software implementation 2048­bit key Former trade secret of RSADSI, reverse­engineered and posted to the net in 1994 while( length­­ ) { x++; sx = state[ x ]; y += sx; sy = state[ y ]; state[ y ] = sx; state[ x ] = sy; *data++ ^= state[ ( sx+sy ) & 0xFF ]; }

RC4: 

RC4 Extremely fast Used in SSL (Netscape, MSIE), Lotus Notes, Windows password encryption, MS Access, Adobe Acrobat, MS PPTP, Oracle Secure SQL, ... Usually used in a manner which allows the keystream to be recovered (Windows password encryption, Windows server authentication, Windows NT SYSKEY, early Netscape server key encryption, some MS server/browser key encryption, MS PPTP, MS Access, ...) Every MS product which is known to use it has got it wrong at some time Illustrates the problem of treating a cipher as a magic black box Recommendation: Avoid this, it's too easy to get wrong

Block ciphers: 

Block ciphers Originated with early 1970's IBM effort to develop banking security systems First result was Lucifer, most common variant has 128­bit key and block size It wasn't secure in any of its variants Called a Feistel or product cipher

Well-known block-ciphers: 

Well-known block-ciphers DES, 56 bits 3DES, 112 or 168 bits Blowfish, 448 bits IDEA, used in PGP, 128 bits CAST-128 used in PGP 5.x, 128bits RC2, 1024 bits Skipjack, chipcards, 80 bits GOST, Russian version of DES AES, successor of DES, 128, 192, 256 bits - will take years

Breaking DES: 

Breaking DES Can build a DES­breaker using Field­programmable gate array (FPGA), software­programmable hardware Application­specific IC (ASIC) 100 MHz ASIC = 100M keys per second per chip Chips = $10 in 5K+ quantities $50,000 = 500 billion keys/sec = 20 hours/56-bit-key (40­bit DES takes 1 second)

Slide42: 

$1M = 1 hour per key ( 1 / 20 sec for 40 bits) $10M = 6 minutes per key ( 1 / 200 sec for 40 bits) (US black budget is ~$25­30 billion) (distributed.net = ~70 billion keys/sec with 20,000 computers) EFF (US non­profit organisation) broke DES in 2½ days September 1998: German court rules DES “out of date and unsafe” for financial applications

Key management: 

Key management Key management is the hardest part of cryptography Two classes of keys Short­term session keys (sometimes called ephemeral keys) Generated automatically and invisibly Used for one message or session and discarded Long­term keys Generated explicitly by the user Long­term keys are used for two purposes Authentication (including access control, integrity, and non­repudiation) Confidentiality (encryption) Establish session keys Protect stored data

Key management problems: 

Key management problems Key certification Distributing keys Obtaining someone else's public key Distributing your own public key Establishing a shared key with another party Confidentiality: Is it really known only to the other party? Authentication: Is it really shared with the intended party? Key storage Revocation Revoking published keys Determining whether a published key is still valid

Key lifetimes and key compromise: 

Key lifetimes and key compromise Authentication keys Public keys may have an extremely long lifetime (decades) Private keys/conventional keys have shorter lifetimes (a year or two) Confidentiality keys Should have as short a lifetime as possible If the key is compromised Revoke the key Effects of compromise Authentication: Signed documents are rendered invalid unless timestamped Confidentiality: All data encrypted with it is compromised

Key distribution: 

Key distribution A retains private key and sends public key to B M intercepts key and substitutes his own key M can decrypt all messages and fake signature A B B A M

Key distribution: 

Key distribution A Certification Authority solves this problem: CA signs A’s key to guarantee authenticiy M cannot substitute a key, because CA will not sign it

Obtaining a certificate: 

Obtaining a certificate 1. A generates a key pair and signs the public key and identification information with the private key Proves that A holds the private key corresponding to the public key Protects the public key and ID information while in transit to the CA 2. CA verifies A’s signature on the key and ID information 2a. Optional: CA verifies A’s ID through out­of­band means email/phone callback Business/credit bureau records, in­house records

Slide49: 

3. CA signs the public key and ID with the CA key, creating a certificate CA has certified the binding between the key and ID 4. A verifies the key, ID, and CA's signature Ensures the CA didn't alter the key or ID Protects the certificate in transit 5. A and/or the CA publish the certificate

Steganography: 

Steganography From the Greek for “hidden writing”, secures data by hiding rather than encryption Encryption is usually used as a first step before steganography Encrypted data looks like white noise Steganography hides this noise in other data By replacing existing noise By using it as a model to generate innocuous­looking data

Hiding information in noise: 

Hiding information in noise All data from analogue sources contains noise Background noise Sampling/quantisation error Equipment/switching noise Extract the natural noise and replace it with synthetic noise Replace least significant bit(s) Various modulation techniques Examples of channels Digital images (PhotoCD, GIF, BMP, PNG) Sound (WAV files) ISDN voice data

Generating Synthetic Data : 

Generating Synthetic Data Usually only has to fool automated scanners Needs to be good enough to get past their detection threshold Two variants Use a statistical model of the target language to generate plausible­looking data “Wants to apply more or right is better than this mechanism. Our only way is surrounded by radio station. When leaving. This mechanism is later years”. Works like a text compressor in reverse Can be made arbitrarily close to real text

Slide53: 

Use a grammatical model of actual text to build plausible­ sounding data “{Steganography|Stego} provides a {means|mechanism} for {hiding|encoding} {hidden|secret} {data|information} in {plain|open} {view|sight}”. More work than the statistical model method, but can provide a virtually undetectable channel Problems with steganography The better the steganography, the lower the bandwidth Main use is as an argument against crypto restrictions

Watermarking: 

Watermarking Uses redundancy in image/sound to encode information Requirements Invisibility Little effect on compressability Robustness High detection reliability Security Inexpensive

Defeating Watermarking : 

Defeating Watermarking Lossy compression (JPEG) Resizing Noise insertion (print+scan) Cropping Interpretation attacks (neutralise ownership evidence) Automated anti­watermarking software available (eg UnZign)

Security is harder than you think: 

Security is harder than you think All software has bugs Under normal circumstances a 99.99% bug-free program will rarely cause a problem A 99.99% security-bug-free program can be exploited by ensuring the 0.01% case is always encountered this converts the 0.01% failure to 100% failure!

Slide57: 

Customers have come to expect buggy software Correctness is not a selling point Expensive and time­consuming software validation and verification is hard to justify Solution: Confine security functionality into a small subset of functions, the trusted computing base (TCB) In theory the TCB is small and relatively easy to analyse In practice vendors end up stuffing everything into the TCB, making it a UTCB Consumers buy the product anyway (see above)

Example: buffer overflow: 

Example: buffer overflow In the last year or two Buffer Overflows have appeared in splitvt, syslog, mount/umount, sendmail, lpr, bind, gethostbyname(), modstat, cron, login, sendmail again, the query CGI script, newgrp, AutoSofts RTS inventory control system, host, talkd, getopt(), sendmail yet again, FreeBSD's crt0.c, WebSite 1.1, rlogin, term, ffbconfig, libX11, passwd/yppasswd/nispasswd, imapd, ipop3d, SuperProbe, lpd, xterm, eject, lpd again, host, mount, the NLS library, xlock, libXt and further X11R6 libraries, talkd, fdformat, eject, elm, cxterm, ps, fbconfig, metamail, dtterm, df, an entire range of SGI programs, ps again, chkey, libX11, suidperl, libXt again, lquerylv, getopt() again, dtaction, at, libDtSvc, eeprom, lpr yet again, smbmount, xlock yet again, MH­6.83, NIS+, ordist, xlock again, ps again, bash, rdist, login/scheme, libX11 again, sendmail for Windows NT, wm, wwwcount, tgetent(), xdat, termcap, portmir, writesrv, rcp, opengroup, telnetd, rlogin, MSIE, eject, df, statd, at again, rlogin again, rsh, ping, traceroute, Cisco 7xx routers, xscreensaver, passwd, deliver, cidentd, Xserver, the Yapp conferencing server, multiple problems in the Windows95/NT NTFTP client, the Windows War and Serv­U FTP daemon, the Linux dynamic linker, filter (part of elm­2.4), the IMail POP3 server for NT, pset, rpc.nisd, Samba server, ufsrestore, DCE secd, pine, dslip, Real Player, SLMail, socks5, CSM Proxy, imapd (again), Outlook Express, Netscape Mail, mutt, MSIE, Lotus Notes, MSIE again, libauth, login, iwsh, permissions, unfsd, Minicom, nslookup, zpop, dig, WebCam32, smbclient, compress, elvis, lha, bash, jidentd, Tooltalk, ttdbserver, dbadmin, zgv, mountd, pcnfs, Novell Groupwise, mscreen, xterm, Xaw library, Cisco IOS, mutt again, ospf_monitor, sdtcm_convert, Netscape (all versions), mpg123, Xprt, klogd, catdoc, junkbuster, SerialPOP, and rdist

Slide59: 

Typical case: Long URL's Data at the end of the URL overwrites the program counter/return address When the subroutines returns, it jumps to the attackers code URL buffer Local data Program counter http://www. fakeurl.com 78A6B5d43 08FF430A2

Fixing overflow problems: 

Fixing overflow problems More careful programming Isolate security functionality into carefully­checked code Make the stack non­executable Compiler­based solutions Build bounds checking into the code (very slow) Build stack checking into the code (slight slowdown) Rearrange stack variables (no slowdown)

Storage Protection : 

Storage Protection Sensitive data is routinely stored in RAM, but RAM can be swapped to disk at any moment Users of one commercial product found multiple copies of their encryption password in the Windows swap file “Suspend to disk” feature in laptops is particularly troublesome Other processes may be able to read it from memory Data can be recovered from RAM after power is removed

Protecting Memory : 

Protecting Memory Locking sensitive data into memory isn't easy Unix: mlock() usable by superuser only Win16: No security Win95/98: VirtualLock() does nothing WinNT: VirtualLock() doesn't work as advertised (data is still swapped) Scan memory for data: VirtualQueryEx() VirtualUnprotectEx() ReadProcessMemory()

Slide63: 

Create DIY swapfile using memory­mapped files Memory is swapped to a known file rather than system swapfile File is wiped after use Problems: Truly erasing disk data is impossible Data isn't wiped on system crash/power loss

Slide64: 

Force memory to remain in use at all times Background thread touches memory periodically Crashes? Performance penalty? Allocate non­pageable memory Requires a kernel driver Mapping memory from kernel to user address space is difficult

Storage sanitation: 

Storage sanitation Problems in erasing disk data Defect management systems move/remap data, making it inaccesible through normal means Journaling filesystems retain older data over long periods of time Online compression schemes compress fixed overwrite patterns to nothing, leaving the target data intact Disk cacheing will discard overwrites if the file is unlinked immediately afterwards (Win95/98, WinNT) Many Windows file­wipers are caught by this

Recovering data: 

Recovering data One or two passes can be easily recovered by “error cancelling” Read actual (digital) data Read raw analog signal Subtract expected signal due to data from actual analog signal Result is previous (overwritten) data US government standard (DoD 5200.28) with fixed patterns (all 0's, all 1's, alternating 0's and 1's) is particularly bad Design overwrite patterns to match HD encoding methods

Advanced data recovery: 

Advanced data recovery Ferrofluid + optical microscopes Defeated by modern high­density storage systems Scanning probe microscopes overcame this problem Oscillating probe is scanned across the surface of the object Change in probe movement measured by laser interferometer Can be built for a few thousand dollars Commercial ones specifically set up for disk platter analysis are available

Slide68: 

Magnetic Force Microscopes can be used as expensive read channels, but can do far more Erase bands (partially­overwritten data at the edges) retain previous track images Overwriting one set of data with another causes track width modulation Erased/degaussed drives can often still be read with an MFM Modern high­density media can't be effectively degaussed with commercial tools

Thus ...: 

Thus ... Use the smallest, highest­density drives possible If data is sensitive, destroy the media Where does your returned­under­warranty drive end up? For file servers, business data, always destroy the media (there's always something sensitive on there)

Recovering memory data: 

Recovering memory data Electrical stress causes ion migration in DRAM cells Data can be recovered using special (undocumented) test modes which measure changes in cell thresholds At room temperature, decay can take minutes or hours At cryogenic temperatures, decay can take weeks? months? A quick overwrite doesn't help much Solution is to only store data for short periods Relocate data periodically Toggle bits in memory

Random number generation: 

Random number generation Key generation requires large quantities of unpredictable random numbers Very difficult to produce on a PC Most behaviour is predictable User input can be unpredictable, but isn't available on a standalone server Many implementations leave it to application developers (who invariably get it wrong)

Bad RNGs: 

Bad RNGs Netscape a = mixbits( time.tv_usec ); b = mixbits( getpid() + time.tv_sec + ( getppid() << 12 ); seed = MD5( a, b ); nonce = MD5( seed++ ); key = MD5( seed++ ); Kerberos V4 srandom( time.tv_usec ^ time.tv_sec ^ getpid() ^ gethostid() ^ counter++ ); key = random();

Slide73: 

MIT_MAGIC_COOKIE key = rand() % 256; SESAME key = rand();

Types of generators: 

Types of generators Generator consists of two parts Polling mechanism to gather random data Pseudo­random number generator (PRNG) to “stretch” the output Physical source Various hardware generators, Hotbits (radioactive decay) Physical source + postproc. SG100 Multi­source polling SKIP, cryptlib Single­source polling PGP 2.x, PGP 5.x, /dev/random Secret nonce + PRNG Applied Cryptography, BSAFE Secret fixed value + PRNG ANSI X9.17 Known value + PRNG Netscape, Kerberos V4, Sesame, and many more

Randomness sources: 

Randomness sources Process and thread information Mouse and keyboard activity Memory and disk usage statistics System timers Network statistics GUI­related information Run periodic background polls of sources Try and estimate the randomness available, if insufficient Perform further polling Inform the user

Effectiveness of the Randomness Source : 

Effectiveness of the Randomness Source Effects of configuration Minimal PC hardware (one HD, one CD) produces half the randomness of maximum PC hardware (multiple HD's, CD, network card, SCSI HD and CD) Effects of system load and usage Statistics change little over time on an unloaded machine A reboot drastically affects the system state Reboot the machine after generating a high­value key

Complex Industrial Systems: 

Complex Industrial Systems Security cannot be added as an afterthought Protection only as good as underlying OS NSA (almost) given up on CORBA Convergence between industrial and commerce systems

Complex Industrial Systems: 

Complex Industrial Systems Will increasingly use open communications Internet mobile links Will use standard components built-in backdoors? Known bugs and security risks

Complex Industrial Systems: 

Complex Industrial Systems Multi-level security information divided in classes of protection any user can only access data up to a certain level of protection complicated authentication difficult to maintain in dynamically changing configuratio nasty consequences for system design