1. Chapter 9
Security

2. Topics Introduction Security channel Access control
Threats, mechanisms, cryptography
Security channel
Authentication, integrity, confidentiality
Access control
Firewall, secure mobile code
Security management
Examples
Kerberos, E-commerce

3. What Do We Need to Protect?
Data
Information we keep on computers (product design, financial records, personnel data)
Resources
Unauthorized use of computer time & space
Reputation
Misrepresentation, forgery, negative publicity

4. Fundamental Security Objectives
Confidentiality - Protection from unauthorized persons
Integrity - consistency of data; no unauthorized creation, alteration or destruction
Availability - ensuring access to legitimate users
Access control - ensuring appropriate use by authorized users

5. Security Threats Interception Interruption Modification Fabrication
Unauthorized access to a service or data
Eavesdropping
Interruption
Unavailable of service or data
Denial of service attack
Modification
Unauthorized changing of data
Fabrication
Adding data or activity normally not exist.
Security policy

6. Examples: Threat Eavesdropping Denial of service replay Client Server
Request
Response
replay
Eavesdropping
Attacker
Server
Denial of service

7. Example: Security Policy
Chinese Wall Model: widely used in financial world
Group datasets into “conflict of interest classes”
Subjects are allowed to access to at most one dataset belonging to each such conflict of interest class
Subject s can access company c’s data only if
a) s has already accessed c’s data or
b) s has not yet accessed any of c’s competitors’ data
s can write to c’s data only if s can not read any other company’s sensitive data
Mandatory security policy for UK Stock Exchange.

8. Security Mechanisms Encryption Authentication Authorization Auditing
Transform data to achieve confidentiality and integrity
Authentication
Verify the identify of user
Authorization
Check the permission
Auditing
Trace the accesses, used for analysis

9. Cryptography
Intruders and eavesdroppers in communication.

10. Classifications Symmetric cryptography: shared Key
P=DK(EK(P))
DES
Asymmetric cryptography: a pair of keys
P=DKD(EKE(P))
RAS
Hash function: one way function, not reversible
h=H(m)
MD5

11. Notations Notation Description KA, B Secret key shared by A and B
Public key of A
Private key of A

12. DES The principle of DES Outline of one encryption round
64-bit data block
The principle of DES
Outline of one encryption round

13. Key Generation

14. Attacking DES Cryptanalysis Brute-force
Relies on nature of the encryption algorithm and additional knowledge of the general types of plain texts (frequencies of letters etc.)
Some samples of plain- and cipher texts
Brute-force
Test every possible key on some cipher text until readable result be done in advance if key is not changed

15. Brute-force Key Search
Key size (bits)
Key space size
Mean time required
at 1 key test/msec 32
232 = 4.3 x 109
35.8 minutes
56 (DES)
256 = 7.2 x 1016
1,142 years
128
2128 = 3.4 x 1038
5.4 x 1024 = 300 billion big bangs
168
2168 = 3.7 x 1050
5.9 x 1036 big bangs
Don’t get impressed easily: DES can now be cracked in hours!

16. Triple DES

17. Public-Key Cryptosystems
Encryption
Decryption
Plaintext P
Ciphertext C P
DK-(.)
E K+ (.)
Public key K+
Private key K-
Encryption
Decryption
Plaintext P
Ciphertext C P
DK+(.)
E K- (.)
Private key K-
Public key K+

18. Idea
Questions:
* =?
= ?*?
Idea: Use easy algorithm for encryption. Use difficult algorithm for decryption
A user picks a public key/private key pair
publish the public key
private key not published

19. RSA: Rivest, Shamir and Adleman
Foundation: no known method that can efficiently find the prime factors of large numbers.
In RSA, private and public keys are constructed from very large prime numbers (consisting of hundreds of decimal digits)
Four steps to construct the keys:
Choose two very large prime numbers, p and q
Compute n = p x q and z = (p – 1) x (q – 1)
Choose a number d that is relatively prime to z
Compute the number e such that e x d = 1 mod z

20. How It Works? How it works? Higher cost of computation. Problems:
Encryption: C = Pe mod n
Decryption: P = Cd mod n
K+ = (e, n), K- = (d, n)
The intruder needs to factor n into p and q to crack the code.
Higher cost of computation.
Problems:
1) Is the number of primes infinite? Yes!
2) Are they scarce? Yes! 4% of the first 25 billion numbers. And the percentage drops as the numbers get bigger.
Implication: it is tricky to propose a new prime number. E.g., is 687,532,127 a prime?

21. Example (1) To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than 10100), and form:
n = P x Q
Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
We illustrate the computations involved using small integer values for P and Q:
P = 13, Q = 17 –> n = 221, Z = 192
d = 5
3. To find e solve the equation:
e x d = 1 mod Z
That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
e x d = 1 mod = 1, 193, 385, ...
385 is divisible by d
e = 385/5 = 77

22. Example (2)
To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2k < n (that is, such that the numerical value of a block is always less than n; in practical applications, k is usually in the range 512 to 1024).
k = 7, since 27 = 128
The function for encrypting a single block of plaintext M is:
E'(e, n, M) = Me mod n
for a message M, the ciphertext is M77 mod 221
The function for decrypting a block of encrypted text c to produce the original plaintext block is:
D'(d, n, c) = cd mod n
Rivest, Shamir and Adelman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ n.

23. Secret Message

24. Signature
Remark: Goal of a signature is to guarantee, that the receiver is sure that the received message is from the sender. However, anyone with Gerd’s public key of Gerd can also read.

25. Message Digest Cryptographic checksum One-way function Relevance
Just as a regular checksum protects the receiver from accidental changes to the message , a cryptographic checksum protects the receiver from malicious changes.
One-way function
Given a cryptographic checksum for a msg, it is virtually impossible to figure out what msg produced that checksum; it is not computationally feasible to find two msg that hash to the same cryptographic checksum.
Relevance
If you are given a checksum for a message & you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.

26. Hash Function: MD5
For each round, four functions are applied. And each function has 16 iterations.

27. MD5: Iterations

28. Requirements Received msg: m MD5(m) Compare MD5(m)
Weak collision resistance: given m and h, difficult to find m’ such that h=H(m’)
Strong collision resistance: given h, difficult to find m and m’ such that H(m)=H(m’).

29. Tamper Proof Using K+ and K− Received msg: m K− { MD5(m) }
K+ K− { MD5(m)}
Compare
MD5(m)

30. Secure Channels Main model of DS: client-server How to secure a DS?
Servers may be distributed and replicated
How to secure a DS?
Establish secure communication between client/server
Authentication of communicating partners
Ensuring message integrity and confidentiality
Establish authorization
How to be sure on the server side, that a client is allowed to get the requested service?
Access control
Two principles:
Set-up phase precedes message exchange
Session keys to ensure message integrity

31. Setup Phase
Suppose Alice and Bob want to communicate with each other, Alice at machine M1 and Bob at machine M2:
1. Alice is setting up a communication channel,
a) Either by sending a message directly to Bob or
b) by sending a corresponding message to a trusted third party, helping to set up this channel
2. Once the channel has been set up, both sides know for sure, that they can exchange messages

32. Authentication on Shared Key

33. Optimization?

34. Reflection Attack
Consequence: use different challenges for initiator and responder

35. Scalability of Session Keys
Suppose we have N hosts each sharing a secret key with each of the other N-1 hosts
DS has (N-1)*N/2 secret session keys and each host has manage (N-1) session keys
For large N #session keys will be a problem
Instead you can install a trusted key distribution center KDC on one of the nodes of the DS

36. Authentication: Key Distribution Center

37. Improvement
Ticket
Using a ticket and letting Alice set up a connection to Bob.

38. Needham-Schroeder Authentication Protocol
In early distributed systems ( ) it was difficult to protect the servers
E.g. against masquerading attacks on a file server because there was no mechanism for authenticating the origins of requests
public-key cryptography was not yet available or practical
computers too slow for trap-door calculations
RSA algorithm not available until 1978
Needham and Schroeder therefore developed an authentication and key-distribution protocol for use in a local network
An early example of the care required to design a safe security protocol
Introduced several design ideas including the use of nonces.

39. Illustration nonce Q1: Why include B in message 2?
Nonce: a random number used only once. The purpose is to uniquely relate two messages to each other.
Q1: Why include B in message 2?
Q2: How about if a chuck knows an old key KA,B?

40. Enhancement
Protection against malicious reuse of a previously generated session key in the Needham-Schroeder protocol.

41. Authentication Using Public-Key Cryptography
Mutual authentication in a public-key cryptosystem.
Q: how to exchange public keys?

42. Message Integrity & Confidentiality

43. Digital Signature Goals:
To authenticate stored document files as well as messages
To protect against forgery
To prevent the signer from repudiating a signed document (denying their responsibility)
Encryption of a document in a secret key constitutes a signature
impossible for others to perform without knowledge of the key
strong authentication of document
strong protection against forgery
weak against repudiation (signer could claim key was compromised)

44. Illustration
Digital signing a message using public-key cryptography.

45. Digital Signature (2)
Digitally signing a message using a message digest.

46. Certificate Authority (CA)
Verify the owner of a public key
Maintain the (owner, public_key) by a certificate authority
CA are organized in a hierarchy.
For each merchant, it issues a certificate.
The names of CA are widely known, e.g. Verisign.
Chain of trust
Certified by a higher-level CA: the central authority: IPRA

47. CA Hierarchy IPRA= Internet Policy Registration Authority (root)
PCA= policy certification authority
User CA
PCA1
PCA2
IPRA
PCA3
CA = certification authority

48. Certificate Authorities in X.509

49. Signature Algorithm ID
X.509 Certificate Format
CA Digital Signature
Subject Unique ID
Issuer Unique ID
Subject Public
Key Info
Subject X.500 Name
Validity Period
Issuer (CA) X.500 Name
Signature Algorithm ID
Serial Number
Version
Algorithm ID
Public Key Value

50. SSL Handshake
(PK_alg, encr_alg, MD)
Optional
K-C { R }

51. SSL Record Protocol Message digest Application data Fragment/combine
abcdefghi
abc
def
ghi
Record protocol units
Fragment/combine
Compressed units
Compress
MAC
Hash
Encrypted
Encrypt
Message digest
TCP packet
Transmit

52. Confidential Group Communication
Goal: secure channels between each pair of nodes
Share one key?
Share a key between each pair of nodes?
Each node has its own private key but all the nodes share a public key.

53. Access Control

54. General Issues in Access Control
General model of controlling access to objects.

55. Access Control
Access control Matrix
Access Control List
Capabilities.

56. Protection Domains
The hierarchical organization of protection domains as groups of users.

57. Firewalls
Common implementations of a firewall, e.g. a packet-filtering router or an application gateway

58. Firewall Solutions
Definition - hardware &/or software components that restrict access between a restricted network & the Internet or between networks
Logically - a separator, restricter, analyzer
Rarely a single object
Restricts people to entering at a controlled point
Prevents attackers from getting close to other defenses (host controls)
Restricts people to leaving at a controlled point

59. Firewall Capabilities
Focus security decisions - single point to leverage control
Enforce security policy -minimize exceptions
Log Internet activity - analysis
Limit exposure - separate sensitive areas of one network from another or outside world

60. Firewall Limitations Can’t protect against malicious insiders
connections that don’t go through it
new threats
viruses
scans for source & destination addresses & port numbers, not details of data

61. Types of Firewalls Simple traffic logging systems
audit log file of files accessed (HTTPD)
site usage/demand hours/links/browsers used
IP Packet Screening Routers (packet filtering gateway)
not only looks at ‘can’ it route, but ‘should’ it
selectively routes or blocks packets based on rules
based on protocols, destination (port 80), known source IP addresses

62. Types of Firewalls (cont.)
Hardened Firewall Host (hardware)
Halts unauthorized users
Concentrates security, hides internal system names, centralizes & simplifies net management
Proxy Server (software)
Deals with external server requests on behalf of internal clients
May limit certain HTTP methods (CGI or Java applets)

63. Filtering Router Mail server (port=25) Filtering router Internet
Intranet
Check the source and destination address.
Make decisions based on security policies.

64. Filtering Router and Bastion Host
Firewall Architectures
Dual-homed host (two network interfaces)
One communicates externally, one internally
No direct communication internal to external hosts
Real Server
Proxy Client/Internal Host
Proxy
Server
Dual-homed Host
Internet

65. Advantages All accesses can be logged
Reduce the number of Internet connections by making it a caching proxy
Does not reveal the names and addresses of actual clients inside
But: slow down page downloading by an order of magnitude.

66. Other Variations Multiple Bastion Hosts
Performance, redundancy, need to separate data & servers
Usenet, SMNP/DNS, FTP/WWW
Merge Interior & Exterior Routers
Sufficient capability to specify inbound & outbound filters
Usually on the perimeter network
Merge Bastion Host & Exterior Router
Use Multiple Exterior Routers
Multiple connections to Internet or Internet + other sites
Multiple Perimeter Nets
Redundancy, privacy

67. Futures Third-generation Firewalls
combined features of packet filtering & proxy systems
Client & server apps with native support for proxied environments
Dynamic packet filtering
Packet rules modified “on the fly” in response to triggers
Underlying Internet protocol undergoing revisions - IPv6

68. Not Recommended Merging Bastion Host & Interior Router
Breach of host leaves access to internal net
Using Multiple Interior Routers
Routing software could decide fastest way to another internal system is via the perimeter net
Difficult to keep multiple interior routers configured correctly
Most important & complex set of packet filters
May need to use multiples to resolve performance bottlenecks or separate internal networks

69. Private Network

70. Virtual Private Network
Internet
Intranet B
Intranet A
Tunneling
Router RA
Router RB RB
Data
Station 200
Station 100
encrypted

71. Tunneling

72. Virus

73. Virus

74. Memory-Resident Virus
Runs whenever certain
interrupts occur.

75. Encrypted virus
To conceal signature.

76. Worms: Illustration Low address Program UNIX Address Space Statically
allocated
data
Stack
High address

77. Procedure Call E.g., finger aabbcc aa bb cc Buffer area allocated
by called fingerd
(512 bytes)
[PC]
ret
Return address
para2
para1
Stack
High address

78. Buffer Overflow E.g., finger aabb…zz 0100 aa bb cc … Malicious program
(binary)
[PC]
0100
Return address
para2
para1
Stack

79. Security Management

80. Key Establishment
The principle of Diffie-Hellman key exchange.

81. Key Distribution (1)
Secret-key distribution

82. Key Distribution (2)
Public-key distribution: Certificate

83. Secure Group Management
Securely admitting a new group member P.

84. Authorization Management

85. Capabilities A capability in Amoeba. 48 bits 24 bits 8 bits
Server port
Object
Rights
Check
A capability in Amoeba.

86. Capabilities Generation
Generation of a restricted capability from an owner capability.

87. Delegation Transfer the access rights on files, resources, etc.
Suppose Alice wants to delegate rights to Bob
If Alice knows everyone, broadcast the certificate
Otherwise, construct a certificate saying “The bearer of this certificate has rights R.”
Problems?
Using proxy, a token that allows its owner to operate with the rights granted in the token.

88. The General Structure of A Proxy

89. Delegating And Exercising Rights

90. Example: Kerberos (1)
Authentication in Kerberos.

91. Example: Kerberos (2)
Setting up a secure channel in Kerberos.

92. Electronic Payment Systems (1)
Payment systems based on direct payment between customer and merchant.
Paying in cash.
Using a check.
Using a credit card.

93. Electronic Payment Systems (2)
Payment systems based on money transfer between banks.
Payment by money order.
Payment through debit order.

94. Privacy Issue
Using cash
Using credit card
Online

95. Digital Money Suppose Alice wants to pay $12 to Bob
Contact her bank and request withdrawal $12
Bank hands out digital money (each note is signed)
Each note carries a unique serial number
Hand over the notes to Bob
Bob contact the bank if the money has been used.
Problem: privacy issue.
Solution: blind signature

96. E-cash
The principle of anonymous electronic cash using blind signatures.