Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI-1680 Security John Jannotti

Published byLucy Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCI-1680 Security John Jannotti"— Presentation transcript:

1 CSCI-1680 Security John Jannotti
Based on lecture notes by Scott Shenker, Mike Freedman, and Rodrigo Fonseca

2 Today’s Lecture Classes of attacks Basic security requirements
Simple cryptographic methods Crypto toolkit (Hash, Digital Signature, …) DNSSec (in .pptx, won’t have time today) Certificate Authorities SSL / HTTPS

3 Basic Secure Communication Reqs
Availability: Will the network deliver data? Infrastructure compromise, DDoS Authentication: Who is this actor? Spoofing, phishing Integrity: Do messages arrive in original form? Confidentiality: Can adversary read the data? Sniffing, man-in-the-middle Provenance: Who is responsible for this data? Forging responses, denying responsibility Not who sent the data, but who created it

4 Other Desirable Security Properties
Authorization: is actor allowed to do this action? Access controls Accountability/Attribution: who did this activity? Audit/Forensics: what occurred in the past? A broader notion of accountability/attribution Appropriate use: is action consistent with policy? E.g., no spam; no games during business hours; etc. Freedom from traffic analysis: can someone tell when I am sending and to whom? Anonymity: can someone tell I sent this packet?

5 Internet’s Design: Insecure
Designed for simplicity in a naïve era “On by default” design Readily available zombie machines Attacks look like normal traffic Internet’s federated operation obstructs cooperation for diagnosis/mitigation

6 Eavesdropping - Message Interception (Attack on Confidentiality)
Unauthorized access to information Packet sniffers and wiretappers Illicit copying of files and programs B A Eavesdropper

7 Eavesdropping Attack: Example
tcpdump with promiscuous network interface On a switched network, what can you see? What might the following traffic types reveal about communications? DNS lookups (and replies) IP packets without payloads (headers only) Payloads Remember the ARP flooding attack?

8 Integrity Attack - Tampering
Stop the flow of the message Delay and optionally modify the message Release the message again B A Perpetrator

9 Authenticity Attack - Fabrication
Unauthorized assumption of other’s identity Generate and distribute messages under this identity Special case – replay attack A B Masquerader: from A

10 Attack on Availability
Destroy hardware (cutting fiber) or software Modify software in a subtle way Corrupt packets in transit Blatant denial of service (DoS): Crashing the server Overwhelm the server (use up its resource) Special case: Distributed Denial of Service (DDos) A B

11 Basic Forms of Cryptography

12 Confidentiality through Cryptography
Cryptography: communication over insecure channel in the presence of adversaries Studied for thousands of years Central goal: how to encode information so that an adversary can’t extract it …but a friend can General premise: a key is required for decoding Give it to friends, keep it away from attackers Two different categories of encryption Symmetric: efficient, requires key distribution Asymmetric (Public Key): simplifies key distribution, but more computationally expensive

13 Symmetric Key Encryption
Same key for encryption and decryption Both sender and receiver know key But adversary does not know key For communication, problem is key distribution How do the parties (secretly) agree on the key? What can you do with a huge key? One-time pad Huge key of random bits To encrypt/decrypt: just XOR with the key! Provably secure! …. provided: You never reuse the key … and it really is random Spies actually use these

14 Using Symmetric Keys Both the sender and the receiver use the same secret keys Internet Encrypt with secret key Decrypt with Plaintext Ciphertext Still vulnerable to traffic analysis.

15 Asymmetric Encryption (Public Key)
Idea: use two different keys, one to encrypt (e) and one to decrypt (d) A key pair Crucial property: knowing e does not tell you d Therefore e can be public: everyone knows it! If Alice wants to send to Bob, she fetches Bob’s public key (say from Bob’s home page) and encrypts with it Alice can’t decrypt what she’s sending to Bob … … but then, neither can anyone else (except Bob) e can be public, but it had better be authentic

16 Public Key / Asymmetric Encryption
Sender uses receiver’s public key Advertised to everyone Receiver uses complementary private key Must be kept secret Internet Encrypt with public key Decrypt with private key Plaintext Ciphertext

17 Works in Reverse Direction Too!
Sender signs his own private key Receiver verifies with public key Allows sender to prove he knows private key Internet Decrypt with public key Encrypt with private key Plaintext Ciphertext

18 Realizing Public Key Cryptography
Invented in the 1970s Revolutionized cryptography (Was actually invented earlier by British intelligence) How can we construct an encryption/decryption algorithm with public/private properties? Answer: Number Theory Most fully developed approach: RSA Rivest / Shamir / Adleman, 1977; RFC 3447 Based on modular multiplication of very large integers Very widely used (e.g., SSL/TLS for https)

19 CS166 – Introduction to Computer Systems Security
RSA: assumes it is difficult to factor a large integer with two large prime factors Elliptic Curve: discrete logarithm of a random elliptic curve in a finite field CS166 – Introduction to Computer Systems Security CS151 – Introduction to Cryptography and Computer Security

20 Cryptographic Toolkit

21 Cryptographic Toolkit
Confidentiality: Encryption Integrity: ? Authentication: ? Provenance: ?

22 Integrity: Cryptographic Hashes
Sender computes a digest of message m, i.e., H(m) H() is a publicly known hash function Send m in any manner Send digest d = H(m) to receiver in a secure way: Using another physical channel Using encryption (why does this help?) Upon receiving m and d, receiver re-computes H(m) to see whether result agrees with d .torrent files are an example

23 Operation of Hashing for Integrity
Internet Digest (SHA-256) Plaintext digest = digest’ NO corrupted msg

24 Cryptographically Strong Hashes
Hard to invert Given hash, adversary can’t find input that produces it Allows oblique reference to private objects (e.g., passwords) Send hash of object rather than object itself Hard to find collisions Adversary can’t find two inputs that produce same hash So can’t alter message without modifying digest Allows succinct reference to large objects (e.g. BitTorrent blocks) Here, “Can’t” means “Thought to be computationally infeasible” Properties

25 Effects of Cryptographic Hashing

26 Cryptographic Toolkit
Confidentiality: Encryption Integrity: Cryptographic Hash Authentication: ? Provenance: ?

27 Public Key Authentication
Each side only needs to know the other side’s public key No secret key need be shared A encrypts a nonce (random number) x using B’s public key B proves it can recover x A can authenticate itself to B in the same way A B E(x, PublicB) x

28 Cryptographic Toolkit
Confidentiality: Encryption Integrity: Cryptographic Hash Authentication: Decrypting nonce Provenance: ?

29 Digital Signatures Suppose Alice has published public key KE
If she wishes to prove who she is, she can send a message x encrypted with her private key KD Therefore: anyone w/ public key KE can recover x, verify that Alice must have sent the message It provides a digital signature Alice can’t deny it later  non-repudiation Well, she could claim her key was compromised

30 RSA Crypto & Signatures, con’t

31 Summary of Our Crypto Toolkit
If we can securely distribute a key, then Symmetric ciphers (e.g., AES) offer fast, presumably strong confidentiality Public key cryptography does away with problem of secure key distribution But not as computationally efficient Often addressed by using public key crypto to exchange a session key Not guaranteed secure But it would be a major result if it isn’t No efficient algorithm to factor large numbers.

32 Summary of Our Crypto Toolkit, con’t
Cryptographically strong hash functions provide major building block for integrity (e.g., SHA-1) As well as providing concise digests And providing a way to prove you know something (e.g., passwords) without revealing it (non-invertibility) But: worrisome recent results regarding their strength Public key also gives us signatures Including sender non-repudiation Turns out there’s a crypto trick based on similar algorithms that allows two parties who don’t know each other’s public key to securely negotiate a secret key even in the presence of eavesdroppers Diffie-Hellman exchange

33 PKIs and HTTPS

34 Public Key Infrastructure (PKI)
Public key crypto is very powerful … … but the realities of tying public keys to real world identities turn out to be quite hard PKI: Trust distribution mechanism Authentication via Digital Certificates Trust doesn’t mean someone is honest, just that they are who they say they are…

35 Managing Trust The most solid level of trust is rooted in our direct personal experience E.g., Alice’s trust that Bob is who they say they are Clearly doesn’t scale to a global network! In its absence, we rely on delegation Alice trusts Bob’s identity because Charlie attests to it …. …. and Alice trusts Charlie

36 Managing Trust, con’t Trust is not particularly transitive
Should Alice trust Bob because she trusts Charlie … … and Charlie vouches for Donna … … and Donna says Eve is trustworthy … … and Eve vouches for Bob’s identity? Two models of delegating trust Rely on your set of friends and their friends “Web of trust” -- e.g., PGP Rely on trusted, well-known authorities (and their minions) “Trusted root” -- e.g., HTTPS

37 PKI Conceptual Framework
Trusted-Root PKI: Basis: well-known public key serves as root of a hierarchy Managed by a Certificate Authority (CA) To publish a public key, ask the CA to digitally sign a statement indicating that they agree (“certify”) that it is indeed your key This is a certificate for your key (certificate = bunch of bits) Includes both your public key and the signed statement Anyone can verify the signature Delegation of trust to the CA They’d better not screw up (duped into signing bogus key) They’d better have procedures for dealing with stolen keys Note: can build up a hierarchy of signing

38 Components of a PKI

39 Digital Certificate Signed data structure that binds an entity with its corresponding public key Signed by a recognized and trusted authority, i.e., Certification Authority (CA) Provide assurance that a particular public key belongs to a specific entity Example: certificate of entity Y Cert = E({nameY, KYpublic}, KCAprivate) KCAprivate: private key of Certificate Authority nameY: name of entity Y KYpublic: public key of entity Y In fact, they may sign whatever glob of bits you give them Your browser has a bunch of CAs wired into it

40 Certification Authority
People, processes responsible for creation, delivery and management of digital certificates Organized in an hierarchy To verify signature chain, follow hierarchy up to root Root CA CA-1 CA-2

41 Registration Authority
People & processes responsible for: Authenticating the identity of new entities (users or computing devices), e.g., By phone, or physical presence + ID Issuing requests to CA for certificates The CA must trust the Registration Authority This trust can be misplaced

42 Certificate Repository
A database accessible to all users of a PKI Contains: Digital certificates Policy information associated with certs Certificate revocation information Vital to be able to identify certs that have been compromised Usually done via a revocation list

43 HTTPS After clicking https://www.amazon.com
https = “Use HTTP over SSL/TLS” SSL = Secure Socket Layer TLS = Transport Layer Security Successor to SSL, and compatible with it RFC 4346 Provides security layer (authentication, encryption) on top of TCP Fairly transparent to the app

44 HTTPS Connection (SSL/TLS), con’t
Browser (client) connects via TCP to Amazon’s HTTPS server Client sends over list of crypto protocols it supports Server picks protocols to use for this session Server sends over its certificate (all of this is in the clear) Browser Amazon SYN SYN ACK ACK Hello. I support (TLS+RSA+AES128+SHA1) or (SSL+RSA+3DES+MD5) or … Let’s use TLS+RSA+AES128+SHA1 Here’s my cert ~1 KB of data

45 Inside the Server’s Certificate
Name associated with cert (e.g., Amazon) Amazon’s public key A bunch of auxiliary info (physical address, type of cert, expiration time) URL to revocation center to check for revoked keys Name of certificate’s signatory (who signed it) A public-key signature of a hash of all this Constructed using the signatory’s private RSA key

46 Validating Amazon’s Identity
Browser retrieves cert belonging to the signatory These are hardwired into the browser If it can’t find the cert, then warns the user that site has not been verified And may ask whether to continue Note, can still proceed, just without authentication Browser uses public key in signatory’s cert to decrypt signature Compares with its own hash of Amazon’s cert Assuming signature matches, now have high confidence it’s indeed Amazon … … assuming signatory is trustworthy

47 HTTPS Connection (SSL/TLS), con’t
Browser constructs a random session key K Browser encrypts K using Amazon’s public key Browser sends E(K, KApublic) to server Browser displays All subsequent communication encrypted w/ symmetric cipher using key K E.g., client can authenticate using a password Browser Amazon Here’s my cert ~1 KB of data K E(K, KApublic) Agreed K E(password …, K) E(response …, K)

48 DNS Security Case study of security problems, build to a solution employing our cryptographic toolkit

49 Source: http://nsrc. org/tutorials/2009/apricot/dnssec/dnssec-tutorial

50 Root level DNS attacks Feb. 6, 2007:
Botnet attack on the 13 Internet DNS root servers Lasted 2.5 hours None crashed, but two performed badly: g-root (DoD), l-root (ICANN) Most other root servers use anycast

51 Do you trust the TLD operators?
Wildcard DNS record for all .com and .net domain names not yet registered by others September 15 – October 4, 2003 February 2004: Verisign sues ICANN Redirection for these domain names to Verisign web portal: “to help you search” and serve you ads…and get “sponsored” search

52 Defense: Replication and Caching
source: wikipedia

53 DNS Amplification Attack
DNS Amplification attack: ( 40 amplification ) DNS Query SrcIP: DoS Target (60 bytes) EDNS Reponse (3000 bytes) DNS Server DoS Source DoS Target 580,000 open resolvers on Internet (Kaminsky-Shiffman’06)

54 Solutions prevent ip spoofing disable open amplifiers victim
ip spoofed packets open amplifier attacker replies prevent ip spoofing disable open amplifiers Authentication, provenance … holistic approach to security victim

55 But should we believe it? Enter DNSSEC
DNSSEC protects against data spoofing and corruption DNSSEC also provides mechanisms to authenticate servers and requests DNSSEC provides mechanisms to establish authenticity and integrity

56 PK-DNSSEC (Public Key)
The DNS servers sign the hash of resource record set with its private (signature) keys Public keys can be used to verify the SIGs Leverages hierarchy: Authenticity of nameserver’s public keys is established by a signature over the keys by the parent’s private key In ideal case, only roots’ public keys need to be distributed out-of-band

57 Verifying the tree Question: www.cnn.com ? .(root) stub resolver
dns.cs.brown.edu A ? Src.cs.brown.edu ask .com server SIG (ip addr and PK of .com server) resolver stub resolver A ? xxx.xxx.xxx.xxx A ? .com transaction signatures ask cnn.com server SIG (ip addr and PK of cnn.com server) add to cache slave servers A ? SIG (xxx.xxx.xxx.xxx) transaction signatures cnn.com

58 Next Class Some new trends, Software-Defined Networking
Second-to-last class!

Download ppt "CSCI-1680 Security John Jannotti"

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSCI-1680 Security Based on lecture notes by Scott Shenker and Mike Freedman Andrew Ferguson.

CSCI-1680 Security Based on lecture notes by Scott Shenker and Mike Freedman Andrew Ferguson.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Network and Communication Security COS 461: Computer Networks Spring 2010 (MW 3:00-4:20 in COS 105) Mike Freedman

Network and Communication Security COS 461: Computer Networks Spring 2010 (MW 3:00-4:20 in COS 105) Mike Freedman
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Similar presentations

Ads by Google