Chapter 1 Introduction 1
Chapter 1: Introduction
The Cast of Characters
Alice and Bob are the good guys
Alice’s Online Bank
Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what
are his security concerns?
How are Alice’s and Bob’s concerns
similar? How are they different?
How does Trudy view the situation?
CIA
CIA == Confidentiality, Integrity, and
Availability
AOB must prevent Trudy from
learning Bob’s account balance
Confidentiality: prevent unauthorized
reading of information
o Cryptography used for confidentiality
CIA
Trudy must not be able to change
Bob’s account balance
Bob must not be able to improperly
change his own account balance
Integrity: detect unauthorized
writing of information
o Cryptography used for integrity
CIA
AOB’s information must be available
whenever it’s needed
Alice must be able to make transaction
o If not, she’ll take her business elsewhere
Availability: Data is available in a timely
manner when needed
Availability is a relatively new security issue
o Denial of service (DoS) attacks
Beyond CIA: Crypto
How does Bob’s computer know that
“Bob” is really Bob and not Trudy?
Bob’s password must be verified
o This requires some clever cryptography
What are security concerns of pwds?
Are there alternatives to passwords?
Beyond CIA: Protocols
When Bob logs into AOB, how does AOB
know that “Bob” is really Bob?
As before, Bob’s password is verified
Unlike the previous case, network security
issues arise
How do we secure network transactions?
o Protocols are critically important
o Crypto plays a major role in security protocols
Beyond CIA: Access Control
Once Bob is authenticated by AOB, then
AOB must restrict actions of Bob
o Bob can’t view Charlie’s account info
Beyond CIA: Software
Cryptography, protocols, and access control
are all implemented in software
o Software is foundation on which security rests
What are security issues of software?
o Real-world software is complex and buggy
o Software flaws lead to security flaws
o How does Trudy attack software?
o How to reduce flaws in software development?
o And what about malware?
Your Textbook
The text consists of four major parts
o Cryptography
o Access control
o Protocols
o Software
We’ll focus on technical issues
But, people cause lots of problems…
The People Problem
People often break security
o Both intentionally and unintentionally
o Here, we consider an unintentional case
For example, suppose you want to buy
something online
o Say, Information Security: Principles and
Practice, 3rd edition from amazon.com
The People Problem
To buy from amazon.com…
o Your browser uses the SSL protocol
o SSL relies on cryptography
o Many access control issues arise
o All security mechanisms are in software
Suppose all of this security stuff
works perfectly
o Then you would be safe, right?
The People Problem
What could go wrong?
Trudy tries man-in-the-middle attack
o SSL is secure, so attack does not “work”
o But, Web browser warns of problem
o What do you, the user, do?
If user ignores warning, attack works!
o None of the security mechanisms failed
o But user unintentionally broke security
Cryptography
“Secret codes”
The book covers
o Classic cryptography
o Symmetric ciphers
o Public key cryptography
o Hash functions++
o Advanced cryptanalysis
Access Control
Authentication
o Passwords
o Biometrics
o Other methods of authentication
Authorization
o Access Control Lists and Capabilities
o Multilevel security (MLS), security modeling,
covert channel, inference control
o Firewalls, intrusion detection (IDS)
Protocols
“Simple” authentication protocols
o Focus on basics of security protocols
o Lots of applied cryptography in protocols
Real-world security protocols
o SSH, SSL, IPSec, Kerberos
o Wireless: WEP, GSM
Software
Security-critical flaws in software
o Buffer overflow
o Race conditions, etc.
Malware
o Examples of viruses and worms
o Prevention and detection
o Future of malware?
Software
Software reverse engineering (SRE)
o How hackers “dissect” software
Digital rights management (DRM)
o Shows difficulty of security in software
o Also raises OS security issues
Software and testing
o Open source, closed source, other topics
Software
Operating systems
o Basic OS security issues
o “Trusted OS” requirements
o NGSCB: Microsoft’s trusted OS for the PC
Software is a BIG security topic
o Lots of material to cover
o Lots of security problems to consider
o But not nearly enough time…
Think Like Trudy
In the past, no respectable sources
talked about “hacking” in detail
o After all, such info might help Trudy
Recently, this has changed
o Lots of info on network hacking,
malware, how to hack software, and more
o Classes taught on virus writing, SRE, …
Think Like Trudy
Good guys must think like bad guys!
A police detective…
o …must study and understand criminals
In information security
o We want to understand Trudy’s methods
o We might think about Trudy’s motives
o We’ll often pretend to be Trudy
Think Like Trudy
Is it a good idea to discuss security
problems and attacks?
Bruce Schneier, referring to Security
Engineering, by Ross Anderson:
o “It’s about time somebody wrote a book
to teach the good guys what the bad
guys already know.”
Think Like Trudy
We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice’s
and/or Bob’s stupidity
But, we cannot act like Trudy
o Except in this class …
o … and even then, there are limits
In This Course…
Think like the bad guy
Always look for weaknesses
o Find the weak link before Trudy does
It’s OK to break the rules
o What rules?
Think like Trudy
But don’t do anything illegal!
Part I: Crypto
Part 1 Cryptography 27
Chapter 2: Crypto Basics
MXDXBVTZWVMXNSPBQXLIMSCCSGXSCJXBOVQXCJZMOJZCVC
TVWJCZAAXZBCSSCJXBQCJZCOJZCNSPOXBXSBTVWJC
JZDXGXXMOZQMSCSCJXBOVQXCJZMOJZCNSPJZHGXXMOSPLH
JZDXZAAXZBXHCSCJXTCSGXSCJXBOVQX
plaintext from Lewis Carroll, Alice in Wonderland
How to Speak Crypto
A cipher or cryptosystem is used to encrypt
the plaintext
The result of encryption is ciphertext
We decrypt ciphertext to recover plaintext
A key is used to configure a cryptosystem
A symmetric key cryptosystem uses the same
key to encrypt as to decrypt
A public key cryptosystem uses a public key
to encrypt and a private key to decrypt
Crypto
Basic assumptions
o The system is completely known to the attacker
o Only the key is secret
o That is, crypto algorithms are not secret
This is known as Kerckhoffs’ Principle
Why do we make such an assumption?
o Experience has shown that secret algorithms
tend to be weak when exposed
o Secret algorithms never remain secret
o Better to find weaknesses beforehand
Crypto as Black Box
[Figure: a cipher as a black box, with the key supplied on both the encryption side and the decryption side]
Simple Substitution
Plaintext: fourscoreandsevenyearsago
Key:
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Ciphertext:
IRXUVFRUHDQGVHYHQBHDUVDJR
Shift by 3 is “Caesar’s cipher”
Caesar’s Cipher Decryption
Suppose we know a Caesar’s cipher is
being used:
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Given ciphertext:
VSRQJHEREVTXDUHSDQWV
Plaintext: spongebobsquarepants
Not-so-Simple Substitution
Shift by n for some n ∈ {0,1,2,…,25}
Then key is n
Example: key n = 7
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
Cryptanalysis I: Try Them All
A simple substitution (shift by n) is used
o But the key is unknown
Given ciphertext: CSYEVIXIVQMREXIH
How to find the key?
Only 26 possible keys ⇒ try them all!
Exhaustive key search
Solution: key is n = 4
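As an added example (not part of the original slides), the exhaustive key search described above written out in code: every one of the 26 shifts is tried and the candidates are ranked by how closely their letter counts match English, using a chi-squared statistic against a commonly cited English frequency table (that scoring rule is my addition, not the slides'). The same functions reproduce the Caesar examples from the earlier slides.

```python
# Added example (not from the original slides): exhaustive key search on a
# shift cipher, ranking the 26 candidates by how English-like they look.
from string import ascii_uppercase as ALPHA

# Relative frequency (percent) of each letter in English text; a commonly
# cited table, only the rough proportions matter for ranking candidates.
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}

def shift_encrypt(plaintext, n):
    """Shift each letter forward by n positions (n = 3 is Caesar's cipher)."""
    return ''.join(ALPHA[(ALPHA.index(ch) + n) % 26]
                   for ch in plaintext.upper() if ch.isalpha())

def shift_decrypt(ciphertext, n):
    """Shifting backwards by n undoes the encryption; plaintext is lowercase."""
    return shift_encrypt(ciphertext, -n).lower()

def english_score(text):
    """Chi-squared distance between the text's letter counts and the counts
    English would predict; lower means more English-like."""
    text = text.upper()
    total = len(text)
    score = 0.0
    for letter in ALPHA:
        expected = ENGLISH_FREQ[letter] / 100 * total
        observed = text.count(letter)
        score += (observed - expected) ** 2 / expected
    return score

def exhaustive_key_search(ciphertext):
    """Try all 26 keys; return (key, candidate plaintext) pairs, best first."""
    candidates = [(n, shift_decrypt(ciphertext, n)) for n in range(26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]))

if __name__ == "__main__":
    # The slide's ciphertext; the top candidate is key 4.
    for n, candidate in exhaustive_key_search("CSYEVIXIVQMREXIH")[:3]:
        print(n, candidate)
```

Scoring matters only because a human is not reading all 26 candidates by eye; for a 26-key space the search itself is instantaneous, which is the slide's point about why a shift cipher offers no security.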
Simple Substitution: General Case
In general, simple substitution key can be
any permutation of letters
o Not necessarily a shift of the alphabet
For example
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext J I C A X S E Y V D K W B Q T Z R H F M P N U L G O
Cryptanalysis II: Be Clever
We know that a simple substitution is used
But not necessarily a shift by n
Find the key given the ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOX
BTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQ
WAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGD
PEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTY
FTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQV
APBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHF
QAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWF
LQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFH
XAFQHEFZQWGFLVWPTOFFA
Cryptanalysis II
Cannot try all 2^88 simple substitution keys
Can we be more clever?
English letter frequency counts…
[Figure: bar chart of English letter relative frequencies, letters A through Z on the horizontal axis, frequency 0.00 to 0.14 on the vertical axis]
Cryptanalysis II
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQ
WAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQ
VXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFH
XZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQW
AQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYY
DZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFF
ACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFH
FQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
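As an added example (not part of the original slides), the first steps a cryptanalyst takes on the ciphertext above: count single letters and trigrams, pair the most frequent ciphertext letter with English's most frequent letter, and treat the most common trigram as a candidate for "the". The partially decrypted text is then printed so the remaining letters can be guessed from context. The English frequency ordering is a commonly cited one, not from the slides; the ciphertext is the slide's, joined into one string.

```python
# Added example (not from the original slides): letter- and trigram-frequency
# analysis of the simple-substitution ciphertext shown on the slide.
from collections import Counter

# The slide's ciphertext with the line breaks removed.
CIPHERTEXT = (
    "PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQ"
    "WAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQ"
    "VXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFH"
    "XZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQW"
    "AQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYY"
    "DZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFF"
    "ACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFH"
    "FQAITIXPFHXAFQHEFZQWGFLVWPTOFFA"
)

# English letters from most to least frequent (commonly cited ordering).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

def letter_ranking(text):
    """Ciphertext letters ordered from most to least frequent."""
    return [letter for letter, _ in Counter(text).most_common()]

def ngram_ranking(text, n, top=5):
    """The most common overlapping n-letter sequences."""
    grams = Counter(text[i:i + n] for i in range(len(text) - n + 1))
    return [g for g, _ in grams.most_common(top)]

def initial_key(text):
    """First guesses: top letter -> 'e', top trigram -> 't','h','e'."""
    key = {letter_ranking(text)[0]: ENGLISH_ORDER[0].lower()}
    key.update(dict(zip(ngram_ranking(text, 3, top=1)[0], "the")))
    return key

def apply_partial_key(text, key):
    """Decrypt the letters already guessed; leave the rest as uppercase
    ciphertext so the partial solution can be read by eye."""
    return ''.join(key.get(ch, ch) for ch in text)

if __name__ == "__main__":
    print(letter_ranking(CIPHERTEXT)[:6])
    print(ngram_ranking(CIPHERTEXT, 3))
    print(apply_partial_key(CIPHERTEXT, initial_key(CIPHERTEXT))[:60])
```

Each guess is then refined the same way: add a mapping, reapply the partial key, and look for words that only one letter could complete. This is the "be clever" shortcut that makes the 2^88 key space irrelevant.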
Cryptanalysis: Terminology
Cryptosystem is secure if best known
attack is to try all keys
o Exhaustive key search, that is
Cryptosystem is insecure if any
shortcut attack is known
But then insecure cipher might be
harder to break than a secure cipher!
o What the … ?
Double Transposition
Plaintext: attackxatxdawn
Permute rows and columns
Ciphertext: xtawxnattxadakc
Key is matrix size and permutations:
(3,5,1,4,2) and (1,3,2)
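As an added example (not part of the original slides), the double transposition above in code. The ciphertext has 15 letters while the plaintext shown has 14, so the example assumes the matrix is 5 rows by 3 columns and that the last cell is padded with an "x"; the row and column permutations are the slide's, written 1-based as on the slide.

```python
# Added example (not from the original slides): double transposition with
# the slide's permutations. Matrix size and padding are assumptions that
# reproduce the slide's ciphertext.
ROWS, COLS = 5, 3
ROW_PERM = (3, 5, 1, 4, 2)   # row permutation from the slide (1-based)
COL_PERM = (1, 3, 2)         # column permutation from the slide (1-based)

def to_matrix(text, rows, cols, pad='x'):
    """Fill the matrix row by row, padding the last row (assumed pad letter 'x')."""
    text = text.ljust(rows * cols, pad)
    return [list(text[r * cols:(r + 1) * cols]) for r in range(rows)]

def permute(matrix, row_perm, col_perm):
    """new[i][j] = old[row_perm[i] - 1][col_perm[j] - 1]"""
    return [[matrix[r - 1][c - 1] for c in col_perm] for r in row_perm]

def inverse_perm(perm):
    """The permutation that undoes `perm` (1-based in and out)."""
    inv = [0] * len(perm)
    for new_pos, old_pos in enumerate(perm, start=1):
        inv[old_pos - 1] = new_pos
    return tuple(inv)

def encrypt(plaintext, rows=ROWS, cols=COLS, row_perm=ROW_PERM, col_perm=COL_PERM):
    m = permute(to_matrix(plaintext, rows, cols), row_perm, col_perm)
    return ''.join(''.join(row) for row in m)

def decrypt(ciphertext, rows=ROWS, cols=COLS, row_perm=ROW_PERM, col_perm=COL_PERM):
    m = permute(to_matrix(ciphertext, rows, cols),
                inverse_perm(row_perm), inverse_perm(col_perm))
    return ''.join(''.join(row) for row in m)

if __name__ == "__main__":
    print(encrypt("attackxatxdawn"))   # the slide's ciphertext
```

Decryption applies the inverse permutations in the same order, which works because row and column permutations commute. Note that the letter counts of plaintext and ciphertext are identical: a transposition provides diffusion but no confusion, which is why frequency statistics still show through.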
One-Time Pad: Encryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
h e i l h i t l e r
Plaintext: 001 000 010 100 001 010 111 100 000 101
Key: 111 101 110 101 111 100 000 101 110 000
Ciphertext: 110 101 100 001 110 110 111 001 110 101
s r l h s s t h s r
One-Time Pad: Decryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
s r l h s s t h s r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key: 111 101 110 101 111 100 000 101 110 000
Plaintext: 001 000 010 100 001 010 111 100 000 101
h e i l h i t l e r
One-Time Pad
Double agent claims following “key” was used:
s r l h s s t h s r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
“key”: 101 111 000 101 111 100 000 101 110 000
“Plaintext”: 011 010 100 100 001 010 111 100 000 101
k i l l h i t l e r
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-Time Pad
Or claims the key is…
s r l h s s t h s r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
“key”: 111 101 000 011 101 110 001 011 101 101
“Plaintext”: 001 000 100 010 011 000 110 010 011 000
h e l i k e s i k e
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-Time Pad Summary
Provably secure
o Ciphertext gives no useful info about plaintext
o All plaintexts are equally likely
BUT, only when used correctly
o Pad must be random, used only once
o Pad is known only to sender and receiver
Note: pad (key) is same size as message
So, why not distribute msg instead of pad?
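As an added example (not part of the original slides), the one-time pad slides above in code, using the slide's 3-bit encoding and pad. Two points from the slides are made executable: any plaintext of the same length can be "explained" by choosing a suitable pad, which is why the ciphertext alone says nothing about the message, and reusing a pad cancels it out, leaving the XOR of the two plaintexts. The function and variable names are mine.

```python
# Added example (not from the original slides): the 3-bit one-time pad from
# the slides, the double agent's alternative "keys", and the effect of reuse.
CODE = {'e': 0b000, 'h': 0b001, 'i': 0b010, 'k': 0b011,
        'l': 0b100, 'r': 0b101, 's': 0b110, 't': 0b111}
DECODE = {v: k for k, v in CODE.items()}

def encode(text):
    return [CODE[ch] for ch in text]

def decode(symbols):
    return ''.join(DECODE[s] for s in symbols)

def parse_bits(groups):
    """'111 101 ...' -> [7, 5, ...]"""
    return [int(g, 2) for g in groups.split()]

def otp(symbols, pad):
    """XOR symbol by symbol; the same function encrypts and decrypts."""
    if len(pad) != len(symbols):
        raise ValueError("pad must be exactly as long as the message")
    return [s ^ p for s, p in zip(symbols, pad)]

# The slide's pad.
PAD = parse_bits("111 101 110 101 111 100 000 101 110 000")

def explain_ciphertext(ciphertext, claimed_plaintext):
    """The pad a double agent would have to claim so that the ciphertext
    decrypts to `claimed_plaintext`; one always exists for equal lengths."""
    return otp(ciphertext, encode(claimed_plaintext))

def pad_reuse_leak(ciphertext1, ciphertext2):
    """If two messages were encrypted with the same pad, XORing the
    ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2."""
    return otp(ciphertext1, ciphertext2)

if __name__ == "__main__":
    ct = otp(encode("heilhitler"), PAD)
    print(decode(ct))                                   # srlhssthsr
    print(decode(explain_ciphertext(ct, "killhitler")))  # the "key" from the slide
```

The reuse function is the mechanism behind the VENONA decrypts on the next slides: once two ciphertexts share a pad, the key drops out and the analyst is left with a problem about two messages in the same language.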
Real-World One-Time Pad
Project VENONA
o Soviet spies encrypted messages from U.S. to
Moscow in 30’s, 40’s, and 50’s
o Nuclear espionage, etc.
o Thousands of messages
Spy carried one-time pad into U.S.
Spy used pad to encrypt secret messages
Repeats within the “one-time” pads made
cryptanalysis possible
VENONA Decrypt (1944)
[C% Ruth] learned that her husband [v] was called up by the army but
he was not sent to the front. He is a mechanical engineer and is now
working at the ENORMOUS [ENORMOZ] [vi] plant in SANTA FE, New
Mexico. [45 groups unrecoverable]
detain VOLOK [vii] who is working in a plant on ENORMOUS. He is a
FELLOWCOUNTRYMAN [ZEMLYaK] [viii]. Yesterday he learned that
they had dismissed him from his work. His active work in progressive
organizations in the past was cause of his dismissal. In the
FELLOWCOUNTRYMAN line LIBERAL is in touch with CHESTER [ix].
They meet once a month for the payment of dues. CHESTER is
interested in whether we are satisfied with the collaboration and
whether there are not any misunderstandings. He does not inquire
about specific items of work [KONKRETNAYa RABOTA]. In as much
as CHESTER knows about the role of LIBERAL's group we beg
consent to ask C. through LIBERAL about leads from among people
who are working on ENORMOUS and in other technical fields.
“Ruth” == Ruth Greenglass
“Liberal” == Julius Rosenberg
“Enormous” == the atomic bomb
Codebook Cipher
Literally, a book filled with “codewords”
Zimmerman Telegram encrypted via codebook
Februar 13605
fest 13732
finanzielle 13850
folgender 13918
Frieden 17142
Friedenschluss 17149
: :
Zimmerman Telegram Decrypted
British had recovered partial codebook
Then able to fill in missing parts
Random Historical Items
Crypto timeline
Spartan Scytale transposition
cipher
Caesar’s cipher
Poe’s short story: The Gold Bug
Election of 1876
Election of 1876
“Rutherfraud” Hayes vs “Swindling” Tilden
o Popular vote was virtual tie
Electoral college delegations for 4 states
(including Florida) in dispute
Commission gave all 4 states to Hayes
o Voted on straight party lines
Tilden accused Hayes of bribery
o Was it true?
Election of 1876
Encrypted messages by Tilden supporters
later emerged
Cipher: Partial codebook, plus transposition
Codebook substitution for important words
ciphertext plaintext
Copenhagen Greenbacks
Greece Hayes
Rochester votes
Russia Tilden
Warsaw telegram
: :
Election of 1876
Apply codebook to original message
Pad message to multiple of 5 words (total
length, 10,15,20,25 or 30 words)
For each length, a fixed permutation
applied to resulting message
Permutations found by comparing several
messages of same length
Note that the same key is applied to all
messages of a given length
Election of 1876
Ciphertext: Warsaw they read all
unchanged last are idiots can’t situation
Codebook: Warsaw telegram
Transposition: 9,3,6,1,10,5,2,7,4,8
Plaintext: Can’t read last telegram.
Situation unchanged. They are all idiots.
A weak cipher made worse by reuse of key
Lesson? Don’t overuse keys!
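As an added example (not part of the original slides), the 1876 cipher worked in code with the codebook entries and the 10-word transposition from the slides: plaintext word i is ciphertext word number key[i]. The last function shows the slide's lesson from the other side: because one fixed permutation serves every message of a given length, a single known message of that length exposes the key for all of them.

```python
# Added example (not from the original slides): the 1876 election cipher,
# codebook substitution plus a fixed transposition per message length.
CODEBOOK = {"Copenhagen": "Greenbacks", "Greece": "Hayes", "Rochester": "votes",
            "Russia": "Tilden", "Warsaw": "telegram"}   # entries shown on the slide
KEY_10 = (9, 3, 6, 1, 10, 5, 2, 7, 4, 8)               # permutation for 10-word messages

def to_codewords(plain_words, codebook=CODEBOOK):
    reverse = {v: k for k, v in codebook.items()}
    return [reverse.get(w, w) for w in plain_words]

def decrypt_words(cipher_words, key, codebook=CODEBOOK):
    """Undo the transposition, then the codebook substitution."""
    if len(cipher_words) != len(key):
        raise ValueError("message length must match the key length")
    plain = [cipher_words[pos - 1] for pos in key]
    return [codebook.get(w, w) for w in plain]

def encrypt_words(plain_words, key, codebook=CODEBOOK):
    """Forward direction: substitute codewords, then transpose."""
    coded = to_codewords(plain_words, codebook)
    out = [None] * len(key)
    for i, pos in enumerate(key):
        out[pos - 1] = coded[i]
    return out

def recover_key(plain_words, cipher_words, codebook=CODEBOOK):
    """Given one message in both forms, the fixed permutation falls out
    directly, and it decrypts every other message of the same length."""
    coded = to_codewords(plain_words, codebook)
    return tuple(cipher_words.index(w) + 1 for w in coded)

# The slide's ciphertext.
CIPHERTEXT = "Warsaw they read all unchanged last are idiots can't situation".split()

if __name__ == "__main__":
    print(' '.join(decrypt_words(CIPHERTEXT, KEY_10)))
```

The padding to a multiple of 5 words described on the previous slide is what makes the key reuse so damaging: it collapses all traffic into six length classes, each with one key.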
Early 20th Century
WWI Zimmerman Telegram
“Gentlemen do not read each other’s mail”
o Henry L. Stimson, Secretary of State, 1929
WWII: golden age of cryptanalysis
o Midway/Coral Sea
o Japanese Purple (codename MAGIC)
o German Enigma (codename ULTRA)
Post-WWII History
Claude Shannon: father of the science of
information theory
Computer revolution: lots of data to protect
Data Encryption Standard (DES), 70’s
Public Key cryptography, 70’s
CRYPTO conferences, 80’s
Advanced Encryption Standard (AES), 90’s
The crypto genie is out of the bottle…
Claude Shannon
The founder of Information Theory
1949 paper: Comm. Thy. of Secrecy Systems
Fundamental concepts
o Confusion: obscure relationship between
plaintext and ciphertext
o Diffusion: spread plaintext statistics through
the ciphertext
Proved one-time pad is secure
One-time pad is confusion-only, while double
transposition is diffusion-only
Taxonomy of Cryptography
Symmetric Key
o Same key for encryption and decryption
o Modern types: Stream ciphers, Block ciphers
Public Key (or “asymmetric” crypto)
o Two keys, one for encryption (public), and one
for decryption (private)
o And digital signatures: nothing comparable in
symmetric key crypto
Hash algorithms
o Can be viewed as “one way” crypto
Taxonomy of Cryptanalysis
From perspective of info available to Trudy…
o Ciphertext only: Trudy’s worst case scenario
o Known plaintext
o Chosen plaintext
“Lunchtime attack”
Some protocols will encrypt chosen data
o Adaptively chosen plaintext
o Related key
o Forward search (public key crypto)
o And others…
Chapter 3:
Symmetric Key Crypto
Symmetric Key Crypto
Stream cipher: generalizes the one-time pad
o Except that key is relatively short
o Key is stretched into a long keystream
o Keystream is used just like a one-time pad
Block cipher: generalized codebook
o Block cipher key determines a codebook
o Each key yields a different codebook
o Employs both “confusion” and “diffusion”
Stream Ciphers
Stream Ciphers
Once upon a time, not so very long ago…
stream ciphers were the king of crypto
Today, not as popular as block ciphers
We’ll discuss two stream ciphers:
A5/1
o Based on shift registers
o Used in GSM mobile phone system
RC4
o Based on a changing lookup table
o Used many places
A5/1: Shift Registers
A5/1 uses 3 shift registers
o X: 19 bits (x0,x1,x2, …,x18)
o Y: 22 bits (y0,y1,y2, …,y21)
o Z: 23 bits (z0,z1,z2, …,z22)
A5/1: Keystream
At each iteration: m = maj(x8, y10, z10)
o Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1
If x8 = m then X steps
o t = x13 ⊕ x16 ⊕ x17 ⊕ x18
o xi = xi−1 for i = 18,17,…,1 and x0 = t
If y10 = m then Y steps
o t = y20 ⊕ y21
o yi = yi−1 for i = 21,20,…,1 and y0 = t
If z10 = m then Z steps
o t = z7 ⊕ z20 ⊕ z21 ⊕ z22
o zi = zi−1 for i = 22,21,…,1 and z0 = t
Keystream bit is x18 ⊕ y21 ⊕ z22
A5/1
X x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18
Y y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21
Z z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22
Each variable here is a single bit
Key is used as initial fill of registers
Each register steps (or not) based on maj(x8, y10, z10)
Keystream bit is XOR of rightmost bits of registers
A5/1
X 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
Y 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1
Z 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1
In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1
Register X steps, Y does not step, and Z steps
Keystream bit is XOR of right bits of registers
Here, keystream bit will be 0 ⊕ 1 ⊕ 0 = 1
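As an added example (not part of the original slides), the A5/1 stepping rules from the slides implemented over lists of bits and run on the register fill shown above. Register lengths, tap positions and clocking bits are exactly the ones listed on the slides; the class and method names are mine, and the key loading and frame setup of real GSM are not modelled, the registers are simply filled directly as on the slide.

```python
# Added example (not from the original slides): bit-level A5/1 keystream
# generator following the slides' majority-clocking rules.
def maj(a, b, c):
    """Majority of three bits."""
    return (a & b) | (a & c) | (b & c)

def parse_bits(s):
    return [int(b) for b in s.split()]

class A51:
    def __init__(self, x, y, z):
        assert (len(x), len(y), len(z)) == (19, 22, 23)
        self.x, self.y, self.z = list(x), list(y), list(z)

    @staticmethod
    def _shift(reg, t):
        # r_i = r_{i-1} for i = len-1 down to 1, then r_0 = t
        reg[1:] = reg[:-1]
        reg[0] = t

    def step(self):
        """Clock each register whose clocking bit agrees with the majority,
        then return one keystream bit (XOR of the rightmost bits)."""
        x, y, z = self.x, self.y, self.z
        m = maj(x[8], y[10], z[10])
        if x[8] == m:
            self._shift(x, x[13] ^ x[16] ^ x[17] ^ x[18])
        if y[10] == m:
            self._shift(y, y[20] ^ y[21])
        if z[10] == m:
            self._shift(z, z[7] ^ z[20] ^ z[21] ^ z[22])
        return x[18] ^ y[21] ^ z[22]

    def keystream(self, n):
        return [self.step() for _ in range(n)]

# The register fill from the slide.
X0 = parse_bits("1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1")
Y0 = parse_bits("1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1")
Z0 = parse_bits("1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1")

if __name__ == "__main__":
    gen = A51(X0, Y0, Z0)
    print(gen.keystream(16))   # first bit is 1, as worked on the slide
```

With the slide's fill, m = maj(1,0,1) = 1, so X and Z step and Y stays put, and the first keystream bit is 0 ⊕ 1 ⊕ 0 = 1. Each step costs a handful of bit operations, which is why this design is cheap in hardware and comparatively slow in software, as the next slide notes.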
Shift Register Crypto
Shift register crypto efficient in hardware
Often, slow if implemented in software
In the past, very, very popular
Today, more is done in software due to
fast processors
Shift register crypto still used some
o Especially in resource-constrained devices
RC4
A self-modifying lookup table
Table always contains a permutation of the
byte values 0,1,…,255
Initialize the permutation using key
At each step, RC4 does the following
o Swaps elements in current lookup table
o Selects a keystream byte from table
Each step of RC4 produces a byte
o Efficient in software
Each step of A5/1 produces only a bit
o Efficient in hardware
RC4 Initialization
S[] is permutation of 0,1,...,255
key[] contains N bytes of key
for i = 0 to 255
S[i] = i
K[i] = key[i (mod N)]
next i
j = 0
for i = 0 to 255
j = (j + S[i] + K[i]) mod 256
swap(S[i], S[j])
next i
i = j = 0
RC4 Keystream
At each step, swap elements in table and
select keystream byte
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 256
keystreamByte = S[t]
Use keystream bytes like a one-time pad
Note: first 256 bytes should be discarded
o Otherwise, related key attack exists
Stream Ciphers
Stream ciphers were popular in the past
o Efficient in hardware
o Speed was needed to keep up with voice, etc.
o Today, processors are fast, so software-based
crypto is usually more than fast enough
Future of stream ciphers?
o Shamir declared “the death of stream ciphers”
o May be greatly exaggerated…
Block Ciphers
(Iterated) Block Cipher
Plaintext and ciphertext consist of
fixed-sized blocks
Ciphertext obtained from plaintext
by iterating a round function
Input to round function consists of
key and output of previous round
Usually implemented in software
Feistel Cipher: Encryption
Feistel cipher is a type of block cipher
o Not a specific block cipher
Split plaintext block into left and right
halves: P = (L0, R0)
For each round i = 1, 2, ..., n, compute
Li = Ri−1
Ri = Li−1 ⊕ F(Ri−1, Ki)
where F is round function and Ki is subkey
Ciphertext: C = (Ln, Rn)
Feistel Cipher: Decryption
Start with ciphertext C = (Ln, Rn)
For each round i = n, n−1, …, 1, compute
Ri−1 = Li
Li−1 = Ri ⊕ F(Ri−1, Ki)
where F is round function and Ki is subkey
Plaintext: P = (L0, R0)
Decryption works for any function F
o But only secure for certain functions F
Data Encryption Standard
DES developed in 1970’s
Based on IBM’s Lucifer cipher
DES was U.S. government standard
Development of DES was controversial
o NSA secretly involved
o Design process was secret
o Key length reduced from 128 to 56 bits
o Subtle changes to Lucifer algorithm
DES Numerology
DES is a Feistel cipher with…
o 64 bit block length
o 56 bit key length
o 16 rounds
o 48 bits of key used each round (subkey)
Round function is simple (for block cipher)
Security depends heavily on “S-boxes”
o Each S-box maps 6 bits to 4 bits
One Round of DES
[Figure: L and R (32 bits each) and the key as two 28-bit halves. R is expanded from 32 to 48 bits and XORed with the 48-bit subkey Ki; the result goes through the S-boxes (48 bits to 32) and then the P box, and is XORed into L. Each key half is shifted, and the two halves are compressed from 56 bits to the 48-bit Ki]
DES Expansion Permutation
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 48 bits
31 0 1 2 3 4 3 4 5 6 7 8
7 8 9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31 0
DES S-box
8 “substitution boxes” or S-boxes
Each S-box maps 6 bits to 4 bits
Here is S-box number 1
input bits (0,5)
input bits (1,2,3,4)
| 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
------------------------------------------------------------------------------------
00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000
11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101
DES P-box
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 32 bits
15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9
1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24
DES Subkey
56 bit DES key, numbered 0,1,2,…,55
Left half key bits, LK
49 42 35 28 21 14 7
0 50 43 36 29 22 15
8 1 51 44 37 30 23
16 9 2 52 45 38 31
Right half key bits, RK
55 48 41 34 27 20 13
6 54 47 40 33 26 19
12 5 53 46 39 32 25
18 11 4 24 17 10 3
DES Subkey
For rounds i=1,2,...,16
o Let LK = (LK circular shift left by ri)
o Let RK = (RK circular shift left by ri)
o Left half of subkey Ki is LK bits
13 16 10 23 0 4 2 27 14 5 20 9
22 18 11 3 25 7 15 6 26 19 12 1
o Right half of subkey Ki is RK bits
12 23 2 8 18 26 1 11 22 16 4 19
15 20 10 27 5 24 17 13 21 7 0 3
DES Subkey
For rounds 1, 2, 9 and 16 the shift ri is 1,
and in all other rounds ri is 2
Bits 8,17,21,24 of LK omitted each round
Bits 6,9,14,25 of RK omitted each round
Compression permutation yields 48 bit
subkey Ki from 56 bits of LK and RK
Key schedule generates subkey
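As an added example (not part of the original slides), the key schedule from the three slides above: the 56 key bits are split into LK and RK using the slides' tables, each half is rotated by 1 or 2 per round, and the 48-bit subkey is selected with the slides' compression tables. Two properties stated on the slides are checked in code: which half-key positions never reach a subkey, and that the rotations total 28 so both halves return to their starting state after round 16. Function names and the sample key are mine.

```python
# Added example (not from the original slides): the DES key schedule as
# described on the slides, 56 key bits -> 16 subkeys of 48 bits.
LK_BITS = [49, 42, 35, 28, 21, 14, 7,
           0, 50, 43, 36, 29, 22, 15,
           8, 1, 51, 44, 37, 30, 23,
           16, 9, 2, 52, 45, 38, 31]
RK_BITS = [55, 48, 41, 34, 27, 20, 13,
           6, 54, 47, 40, 33, 26, 19,
           12, 5, 53, 46, 39, 32, 25,
           18, 11, 4, 24, 17, 10, 3]

# Compression permutation: which LK / RK positions form each subkey half.
LEFT_SELECT = [13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9,
               22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1]
RIGHT_SELECT = [12, 23, 2, 8, 18, 26, 1, 11, 22, 16, 4, 19,
                15, 20, 10, 27, 5, 24, 17, 13, 21, 7, 0, 3]

def shift_amount(round_number):
    """Rounds 1, 2, 9 and 16 shift by 1; every other round shifts by 2."""
    return 1 if round_number in (1, 2, 9, 16) else 2

def rotate_left(bits, n):
    return bits[n:] + bits[:n]

def rotated_halves(key_bits, rounds):
    """LK and RK after the given number of rounds of circular shifting."""
    assert len(key_bits) == 56
    lk = [key_bits[i] for i in LK_BITS]
    rk = [key_bits[i] for i in RK_BITS]
    for rnd in range(1, rounds + 1):
        lk = rotate_left(lk, shift_amount(rnd))
        rk = rotate_left(rk, shift_amount(rnd))
    return lk, rk

def key_schedule(key_bits):
    """Return subkeys K1..K16, each a list of 48 bits."""
    subkeys = []
    for rnd in range(1, 17):
        lk, rk = rotated_halves(key_bits, rnd)
        subkeys.append([lk[i] for i in LEFT_SELECT] + [rk[i] for i in RIGHT_SELECT])
    return subkeys

def omitted_positions(select):
    """Half-key positions that the compression permutation never uses."""
    return sorted(set(range(28)) - set(select))

def total_shift():
    return sum(shift_amount(r) for r in range(1, 17))
```

Because every subkey is a fixed selection from rotated copies of the same 56 bits, each round key leaks nothing new about the master key; the rotation amounts only decide which 48 of the 56 bits are in play in a given round.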
DES Last Word (Almost)
An initial permutation before round 1
Halves are swapped after last round
A final permutation (inverse of initial
perm) applied to (R16, L16)
None of this serves any security
purpose
Security of DES
Security depends heavily on S-boxes
o Everything else in DES is linear
35+ years of intense analysis has revealed
no back door
Attacks, essentially exhaustive key search
Inescapable conclusions
o Designers of DES knew what they were doing
o Designers of DES were way ahead of their time
(at least wrt certain cryptanalytic techniques)
Block Cipher Notation
P = plaintext block
C = ciphertext block
Encrypt P with key K to get ciphertext C
o C = E(P, K)
Decrypt C with key K to get plaintext P
o P = D(C, K)
Note: P = D(E(P, K), K) and C = E(D(C, K), K)
o But P ≠ D(E(P, K1), K2) and C ≠ E(D(C, K1), K2) when
K1 ≠ K2
Triple DES
Today, 56 bit DES key is too small
o Exhaustive key search is feasible
But DES is everywhere, so what to do?
Triple DES or 3DES (112 bit key)
o C = E(D(E(P,K1),K2),K1)
o P = D(E(D(C,K1),K2),K1)
Why Encrypt-Decrypt-Encrypt with 2 keys?
o Backward compatible: E(D(E(P,K),K),K) = E(P,K)
o And 112 is a lot of bits
3DES
Why not C = E(E(P,K),K) instead?
o Trick question: still just a 56 bit key
Why not C = E(E(P,K1),K2) instead?
A (semi-practical) known plaintext attack
o Pre-compute table of E(P,K1) for every possible
key K1 (resulting table has 2^56 entries)
o Then for each possible K2 compute D(C,K2) until
a match in table is found
o When match is found, have E(P,K1) = D(C,K2)
o Result gives us keys: C = E(E(P,K1),K2)
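As an added example (not part of the original slides), one toy cipher serves the Feistel slides, the block cipher notation slide and the two 3DES slides above. The cipher is constructed for the demonstration: 16-bit blocks, a 12-bit key, 4 rounds and a cube-based S-box, with no relation to DES. It shows that Feistel decryption never inverts F (a deliberately lossy F still round-trips), that E-D-E with a single key collapses to plain encryption, and that double encryption with two keys falls to the known-plaintext search on the slide in about 2·2^12 cipher operations rather than 2^24.

```python
# Added example (not from the original slides): a constructed toy Feistel
# cipher used to demonstrate the Feistel, notation and 3DES slides.
KEY_BITS = 12
ROUNDS = 4
KEY_SPACE = 1 << KEY_BITS
# Constructed nonlinear S-box: x -> x^3 mod 257 is a permutation of 0..255.
SBOX = [pow(x, 3, 257) for x in range(256)]

def subkeys(key):
    """Round i uses the low byte of the key rotated left by 3*i bits."""
    ks = []
    for i in range(ROUNDS):
        rot = ((key << (3 * i)) | (key >> (KEY_BITS - 3 * i))) & (KEY_SPACE - 1)
        ks.append(rot & 0xFF)
    return ks

def F(right, k):
    """Constructed round function; decryption never needs its inverse."""
    return SBOX[right ^ k]

def encrypt(block, key, f=F):
    L, R = block >> 8, block & 0xFF
    for k in subkeys(key):            # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
        L, R = R, L ^ f(R, k)
    return (L << 8) | R

def decrypt(block, key, f=F):
    L, R = block >> 8, block & 0xFF
    for k in reversed(subkeys(key)):  # R_{i-1} = L_i; L_{i-1} = R_i xor F(R_{i-1}, K_i)
        L, R = R ^ f(L, k), L
    return (L << 8) | R

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def ede_encrypt(block, k1, k2):
    """Encrypt-Decrypt-Encrypt with two keys, as in 3DES."""
    return encrypt(decrypt(encrypt(block, k1), k2), k1)

def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with known (plaintext, ciphertext)
    pairs: tabulate E(p0, k1) for all k1, then look up D(c0, k2) for all k2,
    and use the remaining pairs to discard chance matches."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(KEY_SPACE):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(KEY_SPACE):
        for k1 in table.get(decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    K1, K2 = 0x3A5, 0xC17                      # constructed secret keys
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0001)]
    print(meet_in_the_middle(pairs))          # [(933, 3095)], i.e. (K1, K2)
```

The search costs one table of 2^12 entries plus 2^12 trial decryptions, so doubling the cipher added essentially one bit of work rather than twelve. Scaled to DES, that is the 2^56-entry table on the slide, which is why 3DES uses three operations for its 112-bit security claim rather than two.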
Advanced Encryption Standard
Replacement for DES
AES competition (late 90’s)
o NSA openly involved
o Transparent selection process
o Many strong algorithms proposed
o Rijndael Algorithm ultimately selected
(pronounced like “Rain Doll” or “Rhine Doll”)
Iterated block cipher (like DES)
Not a Feistel cipher (unlike DES)
AES: Executive Summary
Block size: 128 bits (others in Rijndael)
Key length: 128, 192 or 256 bits
(independent of block size in Rijndael)
10 to 14 rounds (depends on key length)
Each round uses 4 functions (3 “layers”)
o ByteSub (nonlinear layer)
o ShiftRow (linear mixing layer)
o MixColumn (nonlinear layer)
o AddRoundKey (key addition layer)
AES ByteSub
Treat 128 bit block as 4x4 byte array
AES “S-box”
[Figure: 16×16 table of output bytes, rows indexed by the first 4 bits of the input and columns by the last 4 bits of the input]
AES ShiftRow
Cyclic shift rows
AES MixColumn
Invertible, linear operation applied to
each column
AES AddRoundKey: Block ⊕ Subkey
[Figure: Alice (secret a) sends g^a mod p to Bob; Bob (secret b) sends g^b mod p to Alice]
Alice computes (g^b)^a = g^ba = g^ab mod p
Bob computes (g^a)^b = g^ab mod p
They can use K = g^ab mod p as symmetric key
Diffie-Hellman
Suppose Bob and Alice use Diffie-Hellman
to determine symmetric key K = g^ab mod p
Trudy can see g^a mod p and g^b mod p
o But… g^a · g^b mod p = g^(a+b) mod p ≠ g^ab mod p
If Trudy can find a or b, she gets K
If Trudy can solve discrete log problem,
she can find a or b
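As an added example (not part of the original slides), the exchange above with both parties' messages, the observation that g^a · g^b is not g^ab, and a brute-force discrete logarithm to show that the key is only as safe as the discrete log problem is hard. The parameters p = 23 and g = 5 and the secrets are constructed and deliberately tiny so the brute-force search finishes; real parameters are thousands of bits long precisely so that it cannot.

```python
# Added example (not from the original slides): Diffie-Hellman over toy
# parameters, what Trudy sees, and why discrete log is the whole story.
P, G = 23, 5   # constructed toy parameters, far too small for real use

def dh_public(secret, g=G, p=P):
    return pow(g, secret, p)

def dh_shared(their_public, my_secret, p=P):
    return pow(their_public, my_secret, p)

def exchange(a, b, g=G, p=P):
    """Run the protocol; return (Alice's key, Bob's key, what is sent on the wire)."""
    A = dh_public(a, g, p)          # Alice -> Bob: g^a mod p
    B = dh_public(b, g, p)          # Bob -> Alice: g^b mod p
    return dh_shared(B, a, p), dh_shared(A, b, p), (A, B)

def naive_combination(A, B, p=P):
    """g^a * g^b mod p = g^(a+b) mod p, which is not the key g^ab mod p."""
    return (A * B) % p

def discrete_log(target, g=G, p=P):
    """Brute force the t with g^t = target (mod p); infeasible for real-sized p."""
    for t in range(p):
        if pow(g, t, p) == target:
            return t
    return None

def trudy_recovers_key(A, B, g=G, p=P):
    """With a solved discrete log for A, Trudy computes the key exactly as Alice does."""
    a = discrete_log(A, g, p)
    return dh_shared(B, a, p)

if __name__ == "__main__":
    print(exchange(6, 15))          # (2, 2, (8, 19))
```

Nothing in this exchange authenticates the public values, which is the opening for the man-in-the-middle variant on the following slide: Trudy can substitute her own g^t mod p in both directions and end up with a separate key shared with each side.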
[Figure: man-in-the-middle on Diffie-Hellman. Alice sends g^a mod p but Bob receives g^t mod p; Bob sends g^b mod p but Alice receives g^t mod p; Trudy holds t]
[Figure: elliptic curve Diffie-Hellman. Alice (A) and Bob (B) exchange the points A(x,y) and B(x,y)]
[Figure: sign and encrypt. {[M]Alice}Bob alongside {[M]Alice}Charlie; [{M}Bob]Alice alongside [{M}Bob]Charlie]
[Figure: Alice and Bob each send data encrypted under the shared key K: E(Alice’s data, K) and E(Bob’s data, K)]
[Tiger key schedule, final output steps: x5 = x5 ⊕ x4; x6 = x6 + x5; x7 = x7 − (x6 ⊕ 0x0123456789ABCDEF)]
Tiger Hash Summary (1)
Hash and intermediate values are 192 bits
24 (inner) rounds
o S-boxes: Claimed that each input bit affects a,
b and c after 3 rounds
o Key schedule: Small change in message affects
many bits of intermediate hash values
o Multiply: Designed to ensure that input to S-box
in one round mixed into many S-boxes in next
S-boxes, key schedule and multiply together
designed to ensure strong avalanche effect
Tiger Hash Summary (2)
Uses lots of ideas from block ciphers
o S-boxes
o Multiple rounds
o Mixed mode arithmetic
At a higher level, Tiger employs
o Confusion
o Diffusion
Suppose
o Unknown key: K
o Known inputs: X = 110, X′ = 010
o Known outputs: Sbox(X ⊕ K) = 10, Sbox(X′ ⊕ K) = 01
Know X ⊕ K ∈ {000,101}, X′ ⊕ K ∈ {001,110}
Then K ∈ {110,011} ∩ {011,100} ⇒ K = 011
Like a known plaintext attack on S-box
Differential Cryptanalysis
Attacking one S-box not very useful!
o And Trudy can’t always see input and output
To make this work we must do 2 things
1. Extend the attack to one round
o Have to deal with all S-boxes
o Choose input so only one S-box “active”
2. Then extend attack to (almost) all rounds
o Output of one round is input to next round
o Choose input so output is “good” for next round
Differential Cryptanalysis
We deal with input and output differences
Suppose we know inputs X and X′
o For X the input to S-box is X ⊕ K
o For X′ the input to S-box is X′ ⊕ K
o Key K is unknown
o Input difference: (X ⊕ K) ⊕ (X′ ⊕ K) = X ⊕ X′
Input difference is independent of key K
Output difference: Y ⊕ Y′ is (almost) input
difference to next round
Goal is to “chain” differences thru rounds
Differential Cryptanalysis
If we obtain known output difference from
known input difference…
o May be able to chain differences thru rounds
o It’s OK if this only occurs with some probability
If input difference is 0…
o …output difference is 0
o Allows us to make some S-boxes “inactive” with
respect to differences
One Round of TDES
[Figure: L and R (8 bits each) and the key as two 8-bit halves. R is expanded from 8 to 12 bits and XORed with the 12-bit subkey Ki; the 12 bits are split 6 and 6 between SboxLeft and SboxRight, each producing 4 bits, and the resulting 8 bits are XORed into L. Each key half is shifted and the halves are compressed to the 6 + 6 bits of Ki]
TDES Fun Facts
TDES is a Feistel Cipher
(L0,R0) = plaintext
For i = 1 to 4
Li = Ri−1
Ri = Li−1 ⊕ F(Ri−1, Ki)
Ciphertext = (L4,R4)
F(Ri−1, Ki) = Sboxes(expand(Ri−1) ⊕ Ki)
where Sboxes(x0x1x2…x11) =
(SboxLeft(x0x1…x5), SboxRight(x6x7…x11))
TDES expand: expand(r0r1r2r3r4r5r6r7) = r4r7r2r1r5r7r0r2r6r5r0r3
Left S-box (SboxLeft), rows 0–3, columns 0–F (hex):
    0 1 2 3 4 5 6 7 8 9 A B C D E F
0   6 9 A 3 4 D 7 8 E 1 2 B 5 C F 0
1   9 E B A 4 5 0 7 8 6 3 2 C D 1 F
2   8 1 C 2 D 3 E F 0 9 5 A 4 B 6 7
3   9 0 2 5 A D 6 E 1 8 B C 3 4 7 F
Repeated squaring, with the mod() it calls:
x = M
for j = 1 to n
x = mod(x^2, N)
if dj = 1 then
x = mod(xM, N)
end if
next j
return x

mod(x, N)
if x >= N
x = x % N
end if
return x

Each step of the loop does
o x = mod(x^2,N)
o x = mod(xM,N)
Computation time differs in each case
Can attacker take advantage of this?
Timing Attack: Repeated Squaring
Choose M with M^3 < N
Choose M′ with M′^2 < N < M′^3
Let x = M and x′ = M′
Consider j = 1
o x = mod(x^2,N) does no “%”
o x = mod(xM,N) does no “%”
o x′ = mod(x′^2,N) does no “%”
o x′ = mod(x′M′,N) does “%” only if d1 = 1
If d1 = 1 then j = 1 step takes
longer for M′ than for M
But more than one round…
[Same repeated squaring and mod() pseudocode as on the previous slide]
Timing Attack on RSA
An example of a chosen plaintext attack
Choose M0,M1,…,Mm−1 with
o Mi^3 < N for i=0,1,…,m−1
Let ti be time to compute Mi^d mod N
o t = (t0 + t1 + … + tm−1) / m
Choose M′0,M′1,…,M′m−1 with
o M′i^2 < N < M′i^3 for i=0,1,…,m−1
Let t′i be time to compute M′i^d mod N
o t′ = (t′0 + t′1 + … + t′m−1) / m
If t′ > t then d1 = 1 otherwise d1 = 0
Once d1 is known, find d2 then d3 then …
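As an added example (not part of the original slides), the repeated squaring routine from the slides instrumented to count the reductions that mod() performs, instead of measuring wall-clock time. It reproduces the slide's argument exactly: in the j = 1 step, an M with M^3 < N never reduces, an M′ with M′^2 < N < M′^3 reduces only if d1 = 1, so comparing the two counts reveals d1. The modulus, exponents and sample values are constructed, and the exponent is written as bits d0 d1 … dn with d0 = 1 as the algorithm assumes.

```python
# Added example (not from the original slides): repeated squaring with the
# slides' mod(), counting how often the "%" branch is taken.
def mod_counting(x, N, counter):
    """The slide's mod(): reduce only when x >= N, and record each reduction."""
    if x >= N:
        counter[0] += 1
        x %= N
    return x

def repeated_squaring(M, d_bits, N):
    """Return (M^d mod N, reductions in the j = 1 step, total reductions)."""
    assert d_bits[0] == 1, "the method assumes the leading exponent bit is 1"
    x = M
    first_step, total = 0, [0]
    for j, dj in enumerate(d_bits[1:], start=1):
        before = total[0]
        x = mod_counting(x * x, N, total)
        if dj == 1:
            x = mod_counting(x * M, N, total)
        if j == 1:
            first_step = total[0] - before
    return x, first_step, total[0]

def infer_d1(N, d_bits, M_small, M_large):
    """M_small satisfies M^3 < N; M_large satisfies M^2 < N < M^3.
    Only when d1 = 1 does the first step reduce for M_large and not for M_small."""
    assert M_small ** 3 < N and M_large ** 2 < N < M_large ** 3
    _, r_small, _ = repeated_squaring(M_small, d_bits, N)
    _, r_large, _ = repeated_squaring(M_large, d_bits, N)
    return 1 if r_large > r_small else 0

def bits(n):
    """Exponent as a list of bits, most significant first."""
    return [int(b) for b in bin(n)[2:]]

if __name__ == "__main__":
    N = 10007                                    # constructed modulus
    print(infer_d1(N, bits(0b1101), 3, 25))      # 1
    print(infer_d1(N, bits(0b1011), 3, 25))      # 0
```

The count is a stand-in for time, and the later rounds add noise that the averaging over many Mi on the slide is meant to cancel. The defensive conclusion is the mirror image of the attack: a modular exponentiation whose sequence of operations does not depend on the exponent bits, for instance one that always performs the reduction and the multiplication, or that blinds the input, gives the two classes of M nothing to distinguish.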
[Figure: matrix equation AU = B with rows labelled “elements” and columns labelled “subsets”. Solve AU = B where ui ∈ {0,1}; A is m×n, U is n×1, B is m×1; solution U = [0001000001001]^T]
Example
We can restate AU = B as MV = W where
[Figure: chains from start points SP0, SP1, SP2, …, SPm−1 to end points EP0, EP1, EP2, …, EPm−1 (pairs (SPm−1, EPm−1)); an F0 chain and an F1 chain; key K and ciphertext C]
distance   probability
0.29       1 in 1.3×10^10
0.30       1 in 1.5×10^9
0.31       1 in 1.8×10^8
0.32       1 in 2.6×10^7
0.33       1 in 4.0×10^6
0.34       1 in 6.9×10^5
0.35       1 in 1.3×10^5
== equal error rate
Part 2 Access Control 390
Attack on Iris Scan
Good photo of eye can be scanned
o Attacker could use photo of eye
Afghan woman was authenticated by
iris scan of old photo
o Story can be found here
To prevent attack, scanner could use
light to be sure it is a “live” iris
[Figure residue: access control examples. Access control matrix rows for Bob (rx, rx, r) and Alice (rx, rx, r, rw, rw); entries such as Bob r file2 and Fred r file3 with rights later changed to ---; objects including Compiler and BILL; a classification ordering with TOP SECRET above SECRET]
Not all classifications are comparable, e.g.,
TOP SECRET {CAT} vs SECRET {CAT, DOG}
Part 2 Access Control 441
MLS vs Compartments
MLS can be used without compartments
o And vice-versa
But, MLS almost always uses compartments
Example
o MLS mandated for protecting medical records of
British Medical Association (BMA)
o AIDS was TOP SECRET, prescriptions SECRET
o What is the classification of an AIDS drug?
o Everything tends toward TOP SECRET
o Defeats the purpose of the system!
o Compartments-only approach used instead
Part 2 Access Control 442
Covert Channel
[Figure: Bob checks for the file at each time step; whether the file exists at each check encodes the data bits 1 0 1 1 0 over time]
[Figure: A. Covert_TCP sender, C. Covert_TCP receiver]
Part 2 Access Control 451
Inference Control
[Figure: Internet, Firewall, Internal network]
Q: Intention?
A: Restrict traffic to Web browsing
Part 2 Access Control 474
TCP ACK Scan
Attacker scans for open ports thru firewall
o Port scanning often first step in network attack
Attacker sends packet with ACK bit set, without prior 3-way handshake
o Violates TCP/IP protocol
o ACK packet passes thru packet filter firewall
o Appears to be part of an ongoing connection
o RST sent by recipient of such packet
Disadvantages?
o Speed
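A toy packet filter showing why the ACK probe above gets through a stateless packet filter and why a stateful filter, which remembers the connections its inside hosts opened, drops and logs it. This is an added example, not code from the slides; the addresses, ports and packets are constructed.

```python
# Added example (not from the slides): stateless vs. stateful handling of an inbound
# ACK that belongs to no connection.  All addresses and packets are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST"}


ALLOWED_SERVICES = frozenset({80, 443})   # inbound connections permitted to these ports


def stateless_filter(pkt):
    """Classic packet-filter rule: let in anything that looks like part of an existing
    connection (ACK set) or that is a new connection to an allowed service."""
    return "ACK" in pkt.flags or pkt.dport in ALLOWED_SERVICES


class StatefulFilter:
    """Remembers connections that started with a SYN from the inside; an inbound ACK
    that matches no remembered connection is dropped and logged."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.alerts = []

    def outbound(self, pkt):
        if "SYN" in pkt.flags:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            return True
        if "SYN" in pkt.flags and "ACK" not in pkt.flags and pkt.dport in ALLOWED_SERVICES:
            return True   # a genuine new connection to a permitted service
        if "ACK" in pkt.flags:
            self.alerts.append(f"unsolicited ACK {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False


def demo():
    inside, outside = "10.0.0.5", "203.0.113.9"   # constructed addresses
    fw = StatefulFilter()
    fw.outbound(Packet(inside, 40000, outside, 80, frozenset({"SYN"})))
    reply = Packet(outside, 80, inside, 40000, frozenset({"SYN", "ACK"}))
    probe = Packet(outside, 55555, inside, 22, frozenset({"ACK"}))   # no handshake preceded this
    return {
        "stateless_passes_probe": stateless_filter(probe),
        "stateful_passes_reply": fw.inbound(reply),
        "stateful_passes_probe": fw.inbound(probe),
        "alerts": list(fw.alerts),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The stateful filter's cost is the connection table it has to keep, which is the trade-off the slides' "Speed" bullet hints at; the alert list is what an IDS would consume to notice a scan.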
[Figure residue: link and physical layers; defense in depth: Internet, Packet Filter, Application Proxy, then the Intranet with additional defense; FTP server, Web server, DNS server]
[Table: anomaly detection statistics. H0 H1 H2 H3 = .10 .40 .40 .10 and A0 A1 A2 A3 = .10 .40 .30 .20; updated H0 H1 H2 H3 = .10 .40 .38 .12; starting from H0 H1 H2 H3 = .10 .40 .40 .10, a later update gives H0 H1 H2 H3 = .10 .38 .364 .156]
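The running-average update behind the numbers in the table, added here as an example and not taken from the slides. It assumes H0..H3 are the expected (long-term) fractions of a user's file accesses, A0..A3 the fractions observed in the latest window, and that each H_i moves 0.2 of the way toward A_i; that weighting is an assumption, chosen because it reproduces the updated values above (.40 to .38 and .10 to .12). The squared-difference score and the threshold are constructed.

```python
# Added example (not from the slides): exponential-moving-average statistics for an
# anomaly-based IDS.  The 0.2/0.8 weighting, the score and the threshold are assumptions.

def update_expected(H, A, weight_new=0.2):
    """H: expected (long-term) access fractions; A: fractions observed in the latest
    window.  Each H_i moves a fraction weight_new of the way towards A_i."""
    return [round(weight_new * a + (1 - weight_new) * h, 3) for h, a in zip(H, A)]


def anomaly_score(H, A):
    """Sum of squared differences between expected and observed fractions."""
    return round(sum((h - a) ** 2 for h, a in zip(H, A)), 4)


def is_anomalous(H, A, threshold=0.1):
    return anomaly_score(H, A) > threshold


def process_window(H, A, threshold=0.1):
    """One IDS step: score the new observation; fold it into H only if it is not flagged."""
    flagged = is_anomalous(H, A, threshold)
    new_H = H if flagged else update_expected(H, A)
    return flagged, new_H


if __name__ == "__main__":
    H = [0.10, 0.40, 0.40, 0.10]
    A = [0.10, 0.40, 0.30, 0.20]
    print("score", anomaly_score(H, A), "updated H", update_expected(H, A))
```

Because H keeps drifting toward whatever is observed, a user whose behaviour changes slowly never exceeds the threshold; that is the usual limitation of this kind of statistic and the reason the threshold and weighting need care.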
[Figure: a SAAF Impala (key K) over Angola, a base in Namibia (key K) and a Russian MiG; challenge/response: 1. N, 2. E(N,K)]
Part 3 Protocols 520
MIG in the Middle
[Figure: the attack. 1. N, 2. N, 3. N (the challenge from the Namibian base is relayed via the MiG and Angola to the SAAF Impala), 4. E(N,K), 5. E(N,K), 6. E(N,K) (the Impala’s response is relayed back to the Namibian base)]
Part 3 Protocols 521
Authentication Protocols
Alice → Bob: “I’m Alice”
Bob → Alice: Prove it
Alice → Bob: My password is “frank”
[Figure: the same exchange between Alice and Bob, with Trudy listening]
Part 3 Protocols 526
Authentication Attack
Trudy → Bob: “I’m Alice”
Bob → Trudy: Prove it
Trudy → Bob: My password is “frank”
Hashed password (Alice and Bob):
Bob → Alice: Prove it
Alice → Bob: h(Alice’s password)
Nonce-based challenge/response (Alice and Bob share K); messages shown: “I’m Alice”, R; E(R,K); E(R,K)
Mutual authentication attempt (Alice and Bob share K): RB, E(RA, K); E(RB, K)
Trudy’s attack on it (Trudy has no key; Bob has K):
3. “I’m Alice”, RB
4. RC, E(RB, K)
Part 3 Protocols 540
Mutual Authentication
Our one-way authentication protocol is
not secure for mutual authentication
o Protocols are subtle!
o In this case, “obvious” solution is not secure
Also, if assumptions or environment
change, protocol may not be secure
o This is a common source of security failure
o For example, Internet protocols
Fixed version, with the identities inside the encrypted challenge responses:
o RB, E(“Bob”,RA,K)
o E(“Alice”,RB,K)
Alice, K   Bob, K
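The repaired mutual-authentication protocol above as runnable code, added here as an example and not taken from the slides. An HMAC stands in for E(·, K) (only authenticity of the responses matters for this exchange); the nonces are random, and the shared key and message layout are constructed. The `with_identity=False` path is the original protocol from the previous slide, included so the two can be compared on the reflection attack the slides describe.

```python
# Added example (not from the slides): mutual authentication with identities bound into
# the challenge responses.  HMAC stands in for E(., K); KEY is constructed.

import hashlib
import hmac
import os

KEY = b"constructed shared key for Alice and Bob"   # stands in for K


def mac(key, *fields):
    """Stand-in for E(fields, K): an HMAC over the fields."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def bob_message2(key, ra, with_identity=True):
    """Bob -> Alice: RB, E("Bob", RA, K).  with_identity=False gives the flawed RB, E(RA, K)."""
    rb = os.urandom(16)
    tag = mac(key, b"Bob", ra) if with_identity else mac(key, ra)
    return rb, tag


def alice_message3(key, ra, rb, bob_tag, with_identity=True):
    """Alice verifies Bob's answer to RA, then sends E("Alice", RB, K) (or E(RB, K))."""
    expected = mac(key, b"Bob", ra) if with_identity else mac(key, ra)
    if not hmac.compare_digest(bob_tag, expected):
        raise ValueError("Bob failed to authenticate to Alice")
    return mac(key, b"Alice", rb) if with_identity else mac(key, rb)


def bob_accepts(key, rb, alice_tag, with_identity=True):
    expected = mac(key, b"Alice", rb) if with_identity else mac(key, rb)
    return hmac.compare_digest(alice_tag, expected)


def honest_run(key=KEY, with_identity=True):
    ra = os.urandom(16)
    rb, bob_tag = bob_message2(key, ra, with_identity)
    alice_tag = alice_message3(key, ra, rb, bob_tag, with_identity)
    return bob_accepts(key, rb, alice_tag, with_identity)


def reflection_accepted(key=KEY, with_identity=True):
    """The attack on the slide: Trudy (no key) starts session 1 as Alice and receives RB;
    she starts session 2 presenting RB as her nonce, receives Bob's own response to it,
    and sends that response back as the third message of session 1.  Returns whether
    Bob accepts it."""
    ra = os.urandom(16)
    rb, _ = bob_message2(key, ra, with_identity)            # session 1: Bob replies RB, E(.., RA, K)
    _, reflected = bob_message2(key, rb, with_identity)     # session 2: Bob answers the nonce RB
    return bob_accepts(key, rb, reflected, with_identity)   # session 1, message 3


if __name__ == "__main__":
    print("honest run accepted:", honest_run())
    print("reflection accepted, original protocol:", reflection_accepted(with_identity=False))
    print("reflection accepted, with identities:", reflection_accepted(with_identity=True))
```

With the identity bound in, Bob's own response is tagged "Bob" and can never pass as a response tagged "Alice", so the reflected message fails the check; nothing else about the protocol changed.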
“I’m Alice”
{R}Alice
R
Alice Bob
Is this secure?
Trudy can get Alice to decrypt anything!
Prevent this by having two key pairs
Part 3 Protocols 544
Public Key Authentication
“I’m Alice”
[R]Alice
Alice Bob
Is this secure?
Trudy can get Alice to sign anything!
o Same as previous: should have two key pairs
Part 3 Protocols 545
Public Keys
Generally, a bad idea to use the same
key pair for encryption and signing
Instead, should have…
o …one key pair for encryption/decryption
and signing/verifying signatures…
o …and a different key pair for
authentication
{R +1, K}Bob
Alice Bob
Is this secure?
o Alice is authenticated and session key is secure
o Alice’s “nonce”, R, useless to authenticate Bob
o The key K is acting as Bob’s nonce to Alice
No mutual authentication
Part 3 Protocols 548
Public Key Authentication
and Session Key
“I’m Alice”, R
[R, K]Bob
[R +1, K]Alice
Alice Bob
Is this secure?
o Mutual authentication (good), but…
o … session key is not protected (very bad)
Is this secure?
No! It’s subject to subtle MiM attack
o See the next slide…
Part 3 Protocols 550
Public Key Authentication
and Session Key
1. “I’m Alice”, R
2. “I’m Trudy”, R
3. {[R, K]Bob}Trudy
4. { }Alice
Is this secure?
Seems to be OK
o Anyone can see {R, K}Alice and {R +1, K}Bob
Part 3 Protocols 552
Timestamps
A timestamp T is derived from current time
Timestamps can be used to prevent replay
o Used in Kerberos, for example
Timestamps reduce number of msgs (good)
o A challenge that both sides know in advance
“Time” is a security-critical parameter (bad)
o Clocks are not the same and/or there are network delays, so must allow for clock skew, which creates risk of replay
o How much clock skew is enough?
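One way a receiver can use timestamps against replay while allowing for clock skew, added here as an example and not taken from the slides. It keeps a cache of accepted (sender, timestamp) pairs for as long as that timestamp could still be accepted, which makes the slide's trade-off concrete: a larger skew allowance means a larger replay window and a larger cache. The skew value and the fake clock are constructed.

```python
# Added example (not from the slides): timestamp freshness check with a replay cache.
# The skew window and the clock used in the demo are constructed.

import time


class TimestampVerifier:
    """Accepts a message only if its timestamp is within `skew` seconds of local time
    and the same (sender, timestamp) has not already been accepted.  A cache entry
    lives until the timestamp can no longer be accepted at all."""

    def __init__(self, skew_seconds=300, now=time.time):
        self.skew = skew_seconds
        self.now = now
        self.seen = {}   # (sender, timestamp) -> moment it falls out of the window

    def _expire(self, t):
        for key in [k for k, until in self.seen.items() if until < t]:
            del self.seen[key]

    def accept(self, sender, ts):
        t = self.now()
        self._expire(t)
        if abs(ts - t) > self.skew:
            return False, "outside skew window"
        if (sender, ts) in self.seen:
            return False, "replay"
        self.seen[(sender, ts)] = ts + self.skew
        return True, "accepted"


if __name__ == "__main__":
    clock = [1000.0]                                   # constructed clock
    v = TimestampVerifier(skew_seconds=60, now=lambda: clock[0])
    print(v.accept("alice", 1000.0))                   # accepted
    print(v.accept("alice", 1000.0))                   # replay
    clock[0] = 1100.0
    print(v.accept("alice", 1000.0))                   # outside skew window
```

The cache is what turns "allow for clock skew" into something safe: without it, every message stays replayable for the whole skew window.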
[Figures: protocol runs between Alice and Bob, and between Trudy and Bob]
Session key without PFS, Alice (K) and Bob (K): E(KS, K), then E(messages, KS)
Diffie-Hellman, Alice (a) and Bob (b): g^a mod p, g^b mod p
But Diffie-Hellman is subject to MiM
How to get PFS and prevent MiM?
Alice: K, a   Bob: K, b
Session key KS = g^ab mod p
Alice forgets a, Bob forgets b
This is known as Ephemeral Diffie-Hellman
Neither Alice nor Bob can later recover KS
Are there other ways to achieve PFS?
Part 3 Protocols 563
Mutual Authentication,
Session Key and PFS
“I’m Alice”, RA
RB, [RA, gb mod p]Bob
[Figure: TCP authentication attack; Trudy sends SYN, SEQ a to Bob; steps numbered up to 5, with Alice]
Part 3 Protocols 568
TCP Authentication Attack
[Figure: the cave with points Q, R and S; Alice (quietly): “Open sarsaparilla”]
If Alice does not know the secret…
…then Alice could come out from the correct side with probability 1/2
If Bob repeats this n times and Alice does not know the secret, she can only fool Bob with probability 1/2^n
In the real world, nothing happens at the right place at the right time.
It is the job of journalists and historians to correct that.
Mark Twain
[Figure residue from the SSL handshake: “Here’s my certificate”, {K}Bob]
IPSec is transparent to applications
[Figure: protocol stack with IPSec at the network layer; application and transport layers in the OS, link and physical layers on the NIC]
[Figures: three IKE aggressive mode variants between Alice and Bob, each ending with the message IC, RC, proofA]
K, proofA, proofB computed as in main mode
Note that identities are hidden
o The only aggressive mode to hide identities
o So, why have a main mode?
Part 3 Protocols 620
Public Key Encryption Issue?
In public key encryption, aggressive mode…
Suppose Trudy generates
o Exponents a and b
o Nonces RA and RB
Trudy can compute “valid” keys and proofs:
g^ab mod p, K, SKEYID, proofA and proofB
All of this also works in main mode
[Figure: IP header, data; where IP header is …]
REPLY: E(timestamp + 1, KAB)   (Alice’s Computer and Bob)
E(R, K)   (Alice, K   Bob, K)
IV, E(packet, KIV)   (Alice, K   Bob, K)
KIV = (IV, K)
o That is, RC4 key is K with 3-byte IV pre-pended
The IV is known to Trudy
[Figure: GSM architecture: Mobile, air interface, Base Station, Base Station Controller, Visited Network (VLR), Home Network (HLR, AuC), PSTN, Internet, etc. (“land line”)]
[Figure: GSM authentication: RAND challenge and SRES response; call to destination]
[Figure: fake base station: Mobile, Fake Base Station (no encryption), Base Station]
[Figures: stack diagrams for the buffer overflow discussion: locals a and b at high addresses, the stack pointer SP, the buffer and the return address ret. What happens if the buffer overflows? The program “returns” to the wrong location: ret… NOT! A crash is likely. With an overflow of the attacker’s choosing the return address ret is overwritten… on your machine]
[Figure: the mkdir race condition: 1. Allocate space, 2. Transfer ownership; between the two steps the attacker can 2. Create link to password file]
[Figure residue: 1st generation, 2nd generation]
Part 4 Software 767
Flash Worm
Estimated that ideal flash worm could
infect the entire Internet in 15 seconds!
o Some debate as to actual time it would take
o Estimates range from 2 seconds to 2 minutes
In any case…
…much faster than humans could respond
So, any defense must be fully automated
How to defend against such attacks?
Part 4 Software 768
Rapid Malware Defenses
Master IDS watches over network
o “Infection” proceeds on part of network
o Determines whether an attack or not
o If so, IDS saves most of the network
o If not, only a slight delay
Beneficial worm
o Disinfect faster than the worm infects
Other approaches?
Part 4 Software 769
Push vs Pull Malware
Viruses/worms examples of “push”
Recently, a lot of “pull” malware
Scenario
o A compromised web server
o Visit a website at compromised server
o Malware loaded on your machine
Good paper: Ghost in the Browser
Part 4 Software 770
Botnet
Botnet: a “network” of infected machines
Infected machines are “bots”
o Victim is unaware of infection (stealthy)
Botmaster controls botnet
o Generally, using IRC
o P2P botnet architectures exist
Botnets used for…
o Spam, DoS attacks, keylogging, ID theft, etc.
So much time and so little to do! Strike that. Reverse it. Thank you.
Willy Wonka
Part 4 Software 790
Software Reverse
Engineering (SRE)
It works!
Can Trudy do “better”?
Part 4 Software 801
SRE Example
Again, IDA Pro disassembly
Assembly        Hex
test eax,eax    85 C0 …
xor eax,eax     33 C0 …
[Figure: serial.exe patched and saved as serialPatch.exe]
Save as serialPatch.exe
Part 4 Software 805
SRE Example
[Figure: serial.exe and serialPatch.exe]
[Figure: Alice, SDS and Bob; the key for the document comes from the SDS]
Bob authenticates to SDS
Bob requests key from SDS
Bob can then access document, but only thru special DRM software
[Figures: tamper-resistance and obfuscation; scrambled data, encrypted data E(m,K) and program]
[Figure: memory paging, Page 0 through Page 4, between program and physical memory]
[Figures: the operating system managing data, programs, CPU, memory, I/O devices, etc.; a reference monitor mediating subjects’ access to objects]
Part 4 Software 928
Trusted Computing Base
TCB: everything in the OS that we rely on to enforce security
If everything outside TCB is subverted,
trusted OS would still be trusted
TCB protects users from each other
o Context switching between users
o Shared processes
o Memory protection for users
o I/O operations, etc.
[Figures: layered views of a system: Hardware, OS kernel, Operating system, User space; the same with a Security kernel between the hardware and the operating system]
[Figure: NGSCB architecture. Untrusted side: Application, Regular OS, Drivers; trusted side: NCA (user space) and Nexus (kernel)]
Conclusion 963
Course Summary
Crypto
o Basics, symmetric key, public key, hash
functions and other topics, cryptanalysis
Access Control
o Authentication, authorization, firewalls, IDS
Protocols
o Simplified authentication protocols
o Real-World protocols
Software
o Flaws, malware, SRE, development, trusted OS
Conclusion 964
Crypto Basics
Terminology
Classic ciphers
o Simple substitution
o Double transposition
o Codebook
o One-time pad
Basic cryptanalysis
Conclusion 965
Symmetric Key
Stream ciphers
o A5/1
o RC4
Block ciphers
o DES
o AES, TEA, etc.
o Modes of operation
Data integrity (MAC)
Conclusion 966
Public Key
Knapsack (insecure)
RSA
Diffie-Hellman
Conclusion 967
Hashing and Other
Birthday problem
Tiger Hash
HMAC
Clever uses (online bids, spam reduction, …)
Other topics
o Secret sharing
o Random numbers
o Information hiding (stego, watermarking)
Conclusion 968
Advanced Cryptanalysis
Enigma
Conclusion 969
Authentication
Passwords
o Verification and storage (salt, etc.)
o Cracking (math)
Biometrics
o Fingerprint, hand geometry, iris scan, etc.
o Error rates
Two-factor, single sign on, Web cookies
Conclusion 970
Authorization
History/system certification
ACLs and capabilities
Multilevel security (MLS)
o BLP, Biba, compartments, covert channel,
inference control
CAPTCHA
Firewalls
IDS
Conclusion 971
Simple Protocols
Authentication
o Using symmetric key
o Using public key
o Session key
o Perfect forward secrecy (PFS)
o Timestamps
Zero knowledge proof (Fiat-Shamir)
Conclusion 972
Real-World Protocols
SSH
SSL
IPSec
o IKE
o ESP/AH, tunnel/transport modes, …
Kerberos
Wireless: WEP & GSM
Conclusion 973
Software Flaws and Malware
Flaws
o Buffer overflow
o Incomplete mediation, race condition, etc.
Malware
o Brain, Morris Worm, Code Red, Slammer
o Malware detection
o Future of malware, botnets, etc.
Other software-based attacks
o Salami, linearization, etc.
Conclusion 974
Insecurity in Software
Software reverse engineering (SRE)
o Software protection
Digital rights management (DRM)
Software development
o Open vs closed source
o Finding flaws (do the math)
Conclusion 975
Operating Systems
OS security functions
o Separation
o Memory protection, access control
Trusted OS
o MAC, DAC, trusted path, TCB, etc.
NGSCB
o Technical issues
o Criticisms
Conclusion 976
Crystal Ball
Cryptography
o Well-established field
o Don’t expect major changes
o But some systems will be broken
o ECC is a major “growth” area
o Quantum crypto may prove worthwhile…
o …but for now it’s mostly (all?) hype
Conclusion 977
Crystal Ball
Authentication
o Passwords will continue to be a problem
o Biometrics should become more widely used
o Smartcard/tokens will be used more
Authorization
o ACLs, etc., well-established areas
o CAPTCHA’s interesting new topic
o IDS is a very hot topic
Conclusion 978
Crystal Ball
Protocols are challenging
Difficult to get protocols right
Protocol development often haphazard
o “Kerckhoffs’ Principle” for protocols?
o Would it help?
Protocols will continue to be a source of subtle problems
Conclusion 979
Crystal Ball
Software is a huge security problem today
o Buffer overflows are on the decline…
o …but race condition attacks might increase
Virus writers are getting smarter
o Botnets
o Polymorphic, metamorphic, sophisticated attacks, …
o Future of malware detection?
Malware will continue to be a BIG problem
Conclusion 980
Crystal Ball
Other software issues
o Reverse engineering will not go away
o Secure development will remain hard
o Open source is not a panacea
OS issues
o NGSCB (or similar) might change things…
o …but, for better or for worse?
Conclusion 981
The Bottom Line
Security knowledge is needed today…
…and it will be needed in the future
Necessary to understand technical issues
o The focus of this class
But technical knowledge is not enough
o Human nature, legal issues, business issues, ...
o As with anything, experience is helpful
Conclusion 982
A True Story
The names have been changed…
“Bob” took my information security class
Bob then got an intern position
o At a major company that does lots of security
One meeting, an important customer asked
o “Why do we need signed certificates?”
o “After all, they cost money!”
The silence was deafening
Conclusion 983
A True Story
Bob’s boss remembered that Bob had taken
a security class
o So he asked Bob, the lowly intern, to answer
o Bob mentioned man-in-the-middle attack on SSL
Customer wanted to hear more
o So, Bob explained MiM attack in some detail
The next day, “Bob the lowly intern” became
“Bob the full-time employee”
Conclusion 984
Appendix
Appendix 985
Appendix
Networking basics
o Protocol stack, layers, etc.
Math basics
o Modular arithmetic
o Permutations
o Probability
o Linear algebra
Appendix 986
Networking Basics
Appendix 987
Network
Includes
o Computers
o Servers
o Routers
o Wireless devices
o Etc.
Purpose is to
transmit data
Appendix 988
Network Edge
Network edge
includes…
…Hosts
o Computers
o Laptops
o Servers
o Cell phones
o Etc., etc.
Appendix 989
Network Core
Network core
consists of
o Interconnected
mesh of routers
Purpose is to
move data from
host to host
Appendix 990
Packet Switched Network
Telephone network is/was circuit switched
o For each call, a dedicated circuit established
o Dedicated bandwidth
Modern data networks are packet switched
o Data is chopped up into discrete packets
o Packets are transmitted independently
o No dedicated circuit is established
+ More efficient bandwidth usage
- But more complex than circuit switched
Appendix 991
Network Protocols
Study of networking focused on protocols
Networking protocols precisely specify
“communication rules”
Details are given in RFCs
o RFC is essentially an Internet standard
Stateless protocols do not “remember”
Stateful protocols do “remember”
Many security problems related to state
o E.g., DoS is a problem with stateful protocols
Appendix 992
Protocol Stack
Application layer protocols (user space)
o HTTP, FTP, SMTP, etc.
Appendix 996
Client-Server Model
Client
o “speaks first”
Server
o responds to client’s request
Hosts are clients or servers
Example: Web browsing
o You are the client (request web page)
o Web server is the server
Appendix 997
Peer-to-Peer Paradigm
Hosts act as clients and servers
For example, when sharing music
o You are client when requesting a file
o You are a server when someone
downloads a file from you
In P2P, how does client find server?
o Many different P2P models for this
Appendix 998
HTTP Example
[Figure: HTTP request and HTTP response between client and server]
Appendix 999
Web Cookies
[Figure: in the initial session the server sets a cookie and records it in its cookie database; in a later session the browser sends the cookie back]
Appendix 1001
SMTP
SMTP used to deliver email from sender to
recipient’s mail server
Then POP3, IMAP or HTTP (Web mail)
used to get messages from server
As with many application protocols, SMTP
commands are human readable
[Figure: the sender hands the message to its mail server with SMTP, that server forwards it with SMTP, and the recipient retrieves it with POP3]
Appendix 1002
Spoofed email with SMTP
User types the red lines:
> telnet eniac.cs.sjsu.edu 25
220 eniac.sjsu.edu
HELO ca.gov
250 Hello ca.gov, pleased to meet you
MAIL FROM: <arnold@ca.gov>
250 arnold@ca.gov... Sender ok
RCPT TO: <stamp@cs.sjsu.edu>
250 stamp@cs.sjsu.edu ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
It is my pleasure to inform you that you
are terminated
.
250 Message accepted for delivery
QUIT
221 eniac.sjsu.edu closing connection
Appendix 1003
Application Layer
DNS Domain Name Service
o Convert human-friendly names such as
www.google.com into 32-bit IP address
o A distributed hierarchical database
Only 13 “root” DNS server clusters
o Essentially, a single point of failure for Internet
o Attacks on root servers have succeeded…
o …but, attacks did not last long enough (yet)
Appendix 1004
Transport Layer
The network layer offers unreliable, “best
effort” delivery of packets
Any improved service must be provided by
the hosts
Transport layer: 2 protocols of interest
o TCP more service, more overhead
o UDP less service, less overhead
TCP and UDP run on hosts, not routers
Appendix 1005
TCP
TCP assures that packets…
o Arrive at destination
o Are processed in order
o Are not sent too fast for receiver: flow control
TCP also attempts to provide…
o Network-wide congestion control
TCP is connection-oriented
o TCP contacts server before sending data
o Orderly setup and take down of “connection”
o But no true connection, only logical “connection”
Appendix 1006
TCP Header
[Figure: TCP header layout, bit positions 0, 8, 16, 24, 31]
[Figure: TCP handshake; SYN-ACK]
Appendix 1014
NAT-less Example
Alice (IP: 11.0.0.1, Port: 1025) sends to the Web server (IP: 12.0.0.1, Port: 80):
o source 11.0.0.1:1025, destination 12.0.0.1:80
The Web server replies:
o source 12.0.0.1:80, destination 11.0.0.1:1025
Appendix 1015
NAT Example
Appendix 1016
NAT: The Last Word
Advantage(s)?
o Extends IP address space
o One (or a few) IP address(es) can be
shared by many users
Disadvantage(s)?
o End-to-end security is more difficult
o Might make IPSec less effective
(IPSec discussed in Chapter 10)
Appendix 1017
IP Header
[Figure: IP header layout; fragments are re-assembled at the destination]
Appendix 1019
IP Fragmentation
One packet becomes multiple packets
Packets reassembled at destination
o Reassembling only at the destination avoids repeated fragmentation/reassembly at intermediate hops
Fragmentation is a security issue…
o Fragments may obscure real purpose of packet
o Fragments can overlap when reassembled
o Must reassemble packet to fully understand it
o Lots of work for firewalls, for example
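A small reassembler that shows the three points above, added here as an example and not taken from the slides: a filter has to hold fragments in state until the last one arrives, it only sees the full request once everything is in, and overlapping fragments are a condition to refuse rather than resolve silently. Fragments are constructed (offset, more_fragments, payload) tuples with byte offsets; real IP counts offsets in 8-byte units.

```python
# Added example (not from the slides): fragment reassembly that refuses overlaps and
# reports gaps.  The fragment sets at the bottom are constructed.

def reassemble(fragments):
    """Return (payload, warnings).  payload is None if the fragments overlap, leave a
    gap, or the final fragment is missing."""
    warnings = []
    if not fragments:
        return None, ["no fragments"]
    frags = sorted(fragments, key=lambda f: f[0])
    out = bytearray()
    covered = 0
    for offset, more, data in frags:
        if offset < covered:
            warnings.append(f"overlap at byte {offset}: already reassembled up to {covered}")
            return None, warnings
        if offset > covered:
            warnings.append(f"gap between bytes {covered} and {offset}")
            return None, warnings
        out += data
        covered += len(data)
    if frags[-1][1]:
        warnings.append("last fragment (more_fragments=0) not received")
        return None, warnings
    return bytes(out), warnings


def first_fragment_view(fragments):
    """What a filter that inspects only the first fragment gets to see."""
    first = min(fragments, key=lambda f: f[0])
    return first[2] if first[0] == 0 else b""


BENIGN = [(0, 1, b"GET /index"), (10, 0, b".html HTTP/1.0\r\n")]                    # constructed
OVERLAPPING = [(0, 1, b"GET /index"), (4, 1, b"/other"), (10, 0, b" HTTP/1.0\r\n")]   # constructed
GAPPED = [(0, 1, b"abc"), (5, 0, b"xyz")]                                            # constructed

if __name__ == "__main__":
    print(reassemble(BENIGN))
    print(reassemble(OVERLAPPING))
    print(reassemble(GAPPED))
    print(first_fragment_view(BENIGN))
```

Refusing overlaps is the simplest safe policy: different end systems resolve overlaps differently, so a filter that picks one interpretation can be made to see a different packet than the host does.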
Appendix 1020
IPv6
Current version of IP is IPv4
IPv6 is a “new-and-improved” version of IP
IPv6 is “bigger and better” than IPv4
o Bigger addresses: 128 bits
o Better security: IPSec
How to migrate from IPv4 to IPv6?
o Unfortunately, nobody thought about that…
So IPv6 has not really taken hold (yet?)
Appendix 1021
Link Layer
Link layer sends
packet from one
node to next
Links can be
different
o Wired
o Wireless
o Ethernet
o Point-to-point…
Appendix 1022
Link Layer
On host, implemented in adapter:
Network Interface Card (NIC)
o Ethernet card, wireless 802.11 card, etc.
o NIC is “semi-autonomous” device
NIC is (mostly) out of host’s control
o Implements both link and physical layers
Appendix 1023
Ethernet
Ethernet is a multiple access protocol
Many hosts access a shared media
o On a local area network, or LAN
With multiple access, packets can “collide”
o Data is corrupted and packets must be resent
How to efficiently deal with collisions in a distributed environment?
o Many possibilities, Ethernet is most popular
We won’t discuss details here…
Appendix 1024
Link Layer Addressing
IP addresses live at network layer
Link layer also needs addresses. Why?
o MAC address (LAN address, physical address)
MAC address
o 48 bits, globally unique
o Used to forward packets over one link
Analogy…
o IP address is like your home address
o MAC address is like a social security number
Appendix 1025
ARP
Address Resolution Protocol (ARP)
Used by link layer: given an IP address, find the corresponding MAC address
Each host has ARP table, or ARP cache
o Generated automatically
o Entries expire after some time (about 20 min)
o ARP used to find ARP table entries
Appendix 1026
ARP
ARP is stateless
ARP can send request and receive reply
Reply msgs used to fill/update ARP cache
[Figure: LAN with hosts at MAC AA-AA-AA-AA-AA-AA and MAC BB-BB-BB-BB-BB-BB]
Appendix 1027
ARP Cache Poisoning
ARP is stateless, so…
Accept “reply”, even if no request sent
[Figure: LAN with hosts 111.111.111.001 (MAC AA-AA-AA-AA-AA-AA) and 111.111.111.002 (MAC BB-BB-BB-BB-BB-BB) and Trudy at 111.111.111.003 (MAC CC-CC-CC-CC-CC-CC). After Trudy’s forged replies, the ARP cache at 111.111.111.001 maps 111.111.111.002 to CC-CC-CC-CC-CC-CC and the cache at 111.111.111.002 maps 111.111.111.001 to CC-CC-CC-CC-CC-CC]
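A model of the cache behaviour the figure relies on next to a guarded one, added here as an example and not taken from the slides. The guarded cache keeps the state ARP lacks: it accepts a reply only for an IP it actually asked about, and it refuses and logs a reply that would change a MAC already on record. The IP and MAC addresses are the ones in the figure; the reply messages are constructed.

```python
# Added example (not from the slides): a stateless ARP cache as the slides describe it,
# and a guarded cache that only accepts replies to its own requests.

from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


class StatelessArpCache:
    """Behaviour the slide describes: any reply updates the cache, request or not."""

    def __init__(self):
        self.table = {}

    def on_reply(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac
        return True


class GuardedArpCache:
    """Remembers which IPs this host asked about, accepts only replies to those, and
    refuses (and logs) a reply that would change a MAC already on record."""

    def __init__(self):
        self.table = {}
        self.pending = set()
        self.alerts = []

    def request(self, ip):
        self.pending.add(ip)

    def on_reply(self, reply):
        if reply.sender_ip not in self.pending:
            self.alerts.append(f"unsolicited ARP reply for {reply.sender_ip} from {reply.sender_mac}")
            return False
        known = self.table.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            self.alerts.append(f"MAC change for {reply.sender_ip}: {known} -> {reply.sender_mac}")
            return False
        self.table[reply.sender_ip] = reply.sender_mac
        self.pending.discard(reply.sender_ip)
        return True


def scenario(cache_cls):
    """Host .001 resolves .002, then Trudy (.003, MAC CC-...) claims to be .002,
    first unsolicited and then again when the cache entry is refreshed."""
    genuine = ArpReply("111.111.111.002", "BB-BB-BB-BB-BB-BB")
    forged = ArpReply("111.111.111.002", "CC-CC-CC-CC-CC-CC")
    cache = cache_cls()
    if hasattr(cache, "request"):
        cache.request("111.111.111.002")
    cache.on_reply(genuine)
    cache.on_reply(forged)                     # no request outstanding
    if hasattr(cache, "request"):
        cache.request("111.111.111.002")       # refresh: both answers arrive again
        cache.on_reply(forged)
    return cache.table["111.111.111.002"], getattr(cache, "alerts", [])


if __name__ == "__main__":
    print("stateless:", scenario(StatelessArpCache))
    print("guarded:  ", scenario(GuardedArpCache))
```

The guard does not make ARP secure: a forged reply that arrives before the genuine one while a request is outstanding is still accepted, and a legitimate hardware replacement now needs an administrative path to clear the old entry. It does remove the "no request needed" shortcut the figure depends on and gives a host something to log.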
Appendix 1029
Modular Arithmetic
Appendix 1030
Clock Arithmetic
For integers x and n, “x mod n” is the remainder when we compute x ÷ n
o We can also say “x modulo n”
Examples
o 33 mod 6 = 3
o 33 mod 5 = 3
o 7 mod 6 = 1
o 51 mod 17 = 0
o 17 mod 6 = 5
[Figure: the number “line” mod 6 drawn as a clock with positions 0, 1, 2, 3, 4, 5]
Appendix 1031
Modular Addition
Notation and fun facts
o 7 mod 6 = 1
o 7 = 13 = 1 mod 6
o ((a mod n) + (b mod n)) mod n = (a + b) mod n
o ((a mod n)(b mod n)) mod n = ab mod n
Addition Examples
o 3 + 5 = 2 mod 6
o 2 + 4 = 0 mod 6
o 3 + 3 = 0 mod 6
o (7 + 12) mod 6 = 19 mod 6 = 1 mod 6
o (7 + 12) mod 6 = (1 + 0) mod 6 = 1 mod 6
Appendix 1032
Modular Multiplication
Multiplication Examples
o 3 · 4 = 0 mod 6
o 2 · 4 = 2 mod 6
o 5 · 5 = 1 mod 6
o (7 · 4) mod 6 = 28 mod 6 = 4 mod 6
o (7 · 4) mod 6 = (1 · 4) mod 6 = 4 mod 6
Appendix 1033
Modular Inverses
Additive inverse of x mod n, denoted –x mod n, is the number that must be added to x to get 0 mod n
o -2 mod 6 = 4, since 2 + 4 = 0 mod 6
Multiplicative inverse of x mod n, denoted x^-1 mod n, is the number that must be multiplied by x to get 1 mod n
o 3^-1 mod 7 = 5, since 3 · 5 = 1 mod 7
Appendix 1034
Modular Arithmetic Quiz
Q: What is -3 mod 6?
A: 3
Q: What is -1 mod 6?
A: 5
Q: What is 5^-1 mod 6?
A: 5
Q: What is 2^-1 mod 6?
A: No number works!
Multiplicative inverse might not exist
Appendix 1035
Relative Primality
x and y are relatively prime if they
have no common factor other than 1
x^-1 mod y exists only when x and y are relatively prime
If it exists, x^-1 mod y is easy to compute using Euclidean Algorithm
o We won’t do the computation here
o But, an efficient algorithm exists
Appendix 1036
Totient Function
φ(n) is “the number of numbers less than n that are relatively prime to n”
o Here, “numbers” are positive integers
Examples
o φ(4) = 2 since 4 is relatively prime to 3 and 1
o φ(5) = 4 since 5 is relatively prime to 1,2,3,4
o φ(12) = 4
o φ(p) = p-1 if p is prime
o φ(pq) = (p-1)(q-1) if p and q prime
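The Euclidean computation the slides skip, together with the inverses and the totient from the preceding slides, added here as an example and not taken from the slides. The checks use the slides' own values (3^-1 mod 7 = 5, 2^-1 mod 6 does not exist, φ(12) = 4).

```python
# Added example (not from the slides): extended Euclid, modular inverses and the totient.

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (extended Euclidean algorithm)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def relatively_prime(x, y):
    return extended_gcd(x, y)[0] == 1


def additive_inverse(x, n):
    """-x mod n: the number that added to x gives 0 mod n."""
    return (-x) % n


def multiplicative_inverse(x, n):
    """x^-1 mod n, or None when x and n are not relatively prime (no inverse exists)."""
    g, s, _ = extended_gcd(x % n, n)
    return s % n if g == 1 else None


def totient(n):
    """phi(n): how many positive integers below n are relatively prime to n."""
    return sum(1 for k in range(1, n) if relatively_prime(k, n))


if __name__ == "__main__":
    print("3^-1 mod 7 =", multiplicative_inverse(3, 7))
    print("2^-1 mod 6 =", multiplicative_inverse(2, 6))
    print("phi(12) =", totient(12))
```

`extended_gcd` returns the coefficient s with s·x + t·n = 1, so s mod n is the inverse; when gcd(x, n) > 1 no such s exists, which is the "No number works!" case in the quiz.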
Appendix 1037
Permutations
Appendix 1038
Permutation Definition
Let S be a set
A permutation of S is an ordered list
of the elements of S
o Each element of S appears exactly once
Suppose S = {0,1,2,…,n-1}
o Then the number of perms is…
o n(n-1)(n-2)…(2)(1) = n!
Appendix 1039
Permutation Example
Let S = {0,1,2,3}
Then there are 24 perms of S
For example,
o (3,1,2,0) is a perm of S
o (0,2,3,1) is a perm of S, etc.
Perms are important in cryptography
Appendix 1040
Probability Basics
Appendix 1041
Discrete Probability
We only require some elementary facts
Suppose that S={0,1,2,…,N-1} is the set of all possible outcomes
If each outcome is equally likely, then the probability of event E ⊆ S is
o P(E) = # elements in E / # elements in S
Appendix 1042
Probability Example
For example, suppose we flip 2 coins
Then S = {hh,ht,th,tt}
o Suppose X = “at least one tail” = {ht,th,tt}
o Then P(X) = 3/4
Often, it’s easier to compute
o P(X) = 1 - P(complement of X)
Appendix 1043
Complement
Again, suppose we flip 2 coins
Let S = {hh,ht,th,tt}
o Suppose X = “at least one tail” = {ht,th,tt}
o Complement of X is “no tails” = {hh}
Then
o P(X) = 1 - P(comp. of X) = 1 - 1/4 = 3/4
We make use of this trick often!
Appendix 1044
Linear Algebra Basics
Appendix 1045
Vectors and Dot Product
Let be the set of real numbers
Then v n is a vector of n elements
For example
o v = [v1,v2,v3,v4] = [2,1, 3.2, 7] 4
The dot product of u,v n is
o u v = u1v1 + u2v2 +… + unvn
Appendix 1046
Matrix
A matrix is an n x m array
For example, the matrix A is 2 x 3
Appendix 1047
Matrix Addition
We can add matrices of the same size
Appendix 1048
Matrix Multiplication
Suppose A is m x n and B is s x t
Then C=AB is only defined if n=s, in
which case C is m x t
Why?
The element cij is the dot product of
row i of A with column j of B
Appendix 1049
Matrix Multiply Example
Suppose
Then
And AB is undefined
Appendix 1050
Matrix Multiply Useful Fact
Consider AU = B where A is a matrix and U
and B are column vectors
Let a1,a2,…,an be columns of A and
u1,u2,…,un the elements of U
Then B = u1a1 + u2a2 + … + unan
Example:
[3 4] [2]     [3]     [4]   [30]
[1 5] [6] = 2 [1] + 6 [5] = [32]
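The dot product, the dimension rule for AB and the column-combination view of AU = B in code, added here as an example and not taken from the slides; the check uses the slide's own numbers.

```python
# Added example (not from the slides): dot product, matrix multiplication with the
# dimension check, and B = u1*a1 + ... + un*an for AU = B.

def dot(u, v):
    if len(u) != len(v):
        raise ValueError("dot product needs vectors of the same length")
    return sum(a * b for a, b in zip(u, v))


def shape(M):
    return len(M), len(M[0])


def product_defined(A, B):
    """AB is defined only when the number of columns of A equals the number of rows of B."""
    return shape(A)[1] == shape(B)[0]


def matmul(A, B):
    """C = AB.  A is m x n and B is s x t; requires n = s and gives m x t."""
    m, n = shape(A)
    s, t = shape(B)
    if n != s:
        raise ValueError(f"cannot multiply {m}x{n} by {s}x{t}")
    cols = [[B[i][j] for i in range(s)] for j in range(t)]
    return [[dot(row, col) for col in cols] for row in A]   # c_ij = row i of A . column j of B


def column_combination(A, u):
    """B = u1*a1 + ... + un*an where a_j are the columns of A: the same product as
    matmul(A, column vector u), but built column by column."""
    m, n = shape(A)
    return [sum(u[j] * A[i][j] for j in range(n)) for i in range(m)]


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


if __name__ == "__main__":
    A = [[3, 4], [1, 5]]
    print(matmul(A, [[2], [6]]), column_combination(A, [2, 6]))
```

`column_combination` is the view used when AU = B is solved with u_i in {0,1}: B must then be a sum of some of A's columns, and each candidate U is checked by forming that sum.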
Appendix 1051
Identity Matrix
A matrix is square if it has an equal
number of rows and columns
For square matrices, the identity
matrix I is the multiplicative identity
o AI = IA = A
The 3 x 3 identity matrix is
Appendix 1052
Block Matrices
Block matrices are matrices of matrices
For example
Appendix 1053
Block Matrix Multiplication
Block matrix multiplication example
For matrices
We have
Appendix 1055
Linear Independence
Linear independence can be extended
to more than 2 vectors
If vectors are linearly independent,
then none of them can be written as a
linear combination of the others
o None of the independent vectors is a
sum of multiples of the other vectors
Appendix 1056