Security Through Encryption

Different ways to achieve security of communication data Keep things under lock and key – Physical Encryption Through password protection

Sender, Listener, Eavesdropper

What is the most frequent concern you have about browsing and security?
A. Someone might steal my password, credit card etc.
B. I might get viruses on my machine
C. My privacy might be compromised by eavesdropping to determine what I view, buy etc.
D. All
E. None

Encryption, Authentication, Non-repudiation
Encryption – Make sure that a message, once encrypted, cannot be read by anyone without the key. Perhaps your grades are mailed to you in this way, and are accessible only with a password. – Without the password, the message is visible, but looks like junk.

Encryption, Authentication, Non-Repudiation
Authentication – Ensure that a message was sent by the authentic person. – For example, ensure that the site you are visiting is actually Bank of America’s website. – Ensure that an email is indeed from your friend.

Encryption, Authentication, Non-Repudiation
Non-repudiation – Ensure that the sender cannot claim not to have sent a message that he/she did send. – For example, if you signed an agreement or tax return online, you cannot later claim that it was sent by someone else pretending to be you. – Similar to putting your thumbprint on a document.

What is https? A secure way of browsing – Ensures the authenticity of the web server that ‘serves’ the web page to the user, or ‘client’. – Encrypts the data so that transmissions in both directions cannot be read by an eavesdropper.

Public Key Cryptography
Symmetric key algorithm – Both sender and receiver have the same key. – If I send you my password by SMS, and you use it to access my email, that is the equivalent of a symmetric key algorithm.
Public key cryptography is an asymmetric key algorithm, where one public key is used to lock (encrypt) and another, private key is used to unlock (decrypt).

Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).

Asymmetric Key and Encryption Encryption: Anyone can encrypt a message using Alice's public key. Only Alice can retrieve it, with her private key. It is like a mailbox whose location is the public key: anyone can drop stuff in, but only the owner can retrieve the message. Security depends on the secrecy of the private key. Knowing the public key is not enough to compute the private key.

Diffie-Hellman Key Exchange Can be used for authentication. Can be used for a digital signature. A digital signature is like a wax seal on an envelope. Anyone can open the envelope, but the seal means that the sender was the original person – authentication and non-repudiation.

Using a key The shared secret can be the key used to encrypt the transmission. – This symmetric key is faster to use than asymmetric keys. – Keys can be discarded after each session, and new ones calculated for each fresh session.
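The two slides above describe the key-agreement side of Diffie-Hellman and the use of the resulting shared secret as a short-lived symmetric key. The following Python is an added illustration written for this page, not code from the slides. It runs one exchange, derives a session key on each side by hashing the shared secret, uses that key for an HMAC integrity tag (a symmetric operation, as the slide says), and shows that a fresh session produces a different key. Assumptions: the modulus is the prime 2^255 - 19 and the generator is 2, chosen for readability and only as an illustration; deployments use standardized groups or elliptic curves. Note that this exchange agrees a key but by itself does not authenticate either party; the signature functions the earlier slide attributes to RSA or DSA are what provide that, and the example does not attempt it.

```python
import hashlib
import hmac
import secrets

# Toy group for the example: a 255-bit prime modulus with generator 2.
# Assumption: these parameters are illustrative, not a standardized group.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Fresh per-session pair: private x, public g^x mod p."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared_secret(my_private, their_public):
    """(g^y)^x mod p: both sides reach g^(xy) without ever sending x or y."""
    return pow(their_public, my_private, P)


def session_key(shared_secret):
    """Turn the shared secret into a fixed-size symmetric key by hashing it."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def run_session():
    """One complete exchange; returns the key each side derived."""
    a_priv, a_pub = dh_keypair()      # Alice keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()      # Bob keeps b_priv, sends b_pub
    key_alice = session_key(dh_shared_secret(a_priv, b_pub))
    key_bob = session_key(dh_shared_secret(b_priv, a_pub))
    return key_alice, key_bob


def tag(key, message):
    """Symmetric integrity tag (HMAC-SHA256) attached under the session key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, mac):
    """The receiver checks the tag with its own copy of the session key."""
    return hmac.compare_digest(tag(key, message), mac)


if __name__ == "__main__":
    k_a, k_b = run_session()
    print("both sides agree:", k_a == k_b)
    msg = b"constructed sample message"
    print("tag verifies with Bob's key:", verify_tag(k_b, msg, tag(k_a, msg)))
    # A new session produces a different key; the old one can be discarded.
    print("new session key differs:", run_session()[0] != k_a)
```

Only the public values g^x and g^y cross the wire; each side keeps its private exponent and both arrive at the same 32-byte key, which is thrown away when the session ends.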

How it works -- RSA Difficulty of factoring a large number – Given a large number, say 1219, it is time-consuming to factor it. – You have to go through prime numbers one by one, checking each to see if it is a factor. – But it is easy to verify that 23 and 53 are the two (prime) factors: just multiply them together. Publicly described in 1977.

RSA (Rivest, Shamir, Adleman) Cocks had come up with it in 1973, 4 years earlier, but it was classified. – Is it right that RSA should get the credit? A patent was granted in the USA, but not elsewhere, due to the earlier publication. Bob uses Alice's public key to encrypt a message to Alice, and Alice uses her private key to decrypt it. How would Alice know that it was Bob who sent that message? – Authentication?

Authentication To digitally sign the message:
– Alice calculates a hash value of the message using a standard calculation.
– She does the same operation as she would do to decrypt a message, using her private key, and generates a signature.
– She attaches it to the message and sends it to Bob.
– Bob does the same operation as he would do to encrypt a message, using Alice's public key.
– If he gets back the message's hash value, he confirms that it has been signed by Alice.
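The three RSA slides above (factoring, encryption with the public key, signing with the private key) fit in one worked example. The Python below is added for this page and is not from the slides; it factors the slide's 1219 by trial division, generates a textbook RSA key pair, encrypts and decrypts, and then signs a message exactly as the slide describes: the hash is put through the decrypt operation with the private key, and the verifier puts the signature through the encrypt operation with the public key and compares. Assumptions: the default primes are two Mersenne primes (2^31 - 1 and 2^61 - 1), giving a 92-bit modulus that is constructed for illustration only; real keys use 2048 bits or more, and real signatures pad the digest (PKCS#1 or PSS) rather than reducing it modulo n as this toy does.

```python
import hashlib

# Toy primes constructed for the example; real keys are far larger.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def trial_division(n):
    """Factor n the slow way the slide describes: try divisors one by one."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d, n // d
        d += 1
    return n, 1          # n is prime


def rsa_keygen(p=P, q=Q, e=E):
    """Public key (n, e) and private key (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Anyone with the public key can do this; m must be smaller than n."""
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """Only the holder of d can undo the encryption."""
    n, d = private
    return pow(c, d, n)


def message_hash(message, n):
    """SHA-256 of the message reduced into the modulus (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private, message):
    """Signing = the decrypt operation applied to the hash, with the private key."""
    n, d = private
    return pow(message_hash(message, n), d, n)


def rsa_verify(public, message, signature):
    """Verifying = the encrypt operation applied to the signature, with the public key."""
    n, e = public
    return pow(signature, e, n) == message_hash(message, n)


if __name__ == "__main__":
    print("1219 factors as", trial_division(1219))
    public, private = rsa_keygen()
    print("round trip:", rsa_decrypt(private, rsa_encrypt(public, 65)) == 65)
    sig = rsa_sign(private, b"I agree to the terms")
    print("genuine:", rsa_verify(public, b"I agree to the terms", sig))
    print("tampered:", rsa_verify(public, b"I agree to the terms!", sig))
```

Because `rsa_sign` and `rsa_decrypt` are the same modular exponentiation with d, and `rsa_verify` and `rsa_encrypt` the same with e, the code makes the slide's "same operation as decrypt / same operation as encrypt" wording concrete. Passing the classic small parameters `rsa_keygen(61, 53, 17)` reproduces the familiar n = 3233, d = 2753 pair.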

How to ensure that the public key does belong to Alice? Certificate authority – When you go to a website, the browser has built-in software to check the public key supplied by the site against the key in a registry. – Registry maintained by Symantec etc. (used to be Verisign). – Once you have the public key of the website, you can create a private key and generate a shared secret key. Each private key is valid only for one session.

SSL Certificates SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.
– The vendor applies for an SSL certificate to a certificate authority.
– The certificate authority, such as GlobalSign, checks out the vendor's credentials in real life and issues the certificate.
– The vendor installs the certificate on the web server.
– Browsers such as Firefox and Chrome will inspect and accept certificates from reputable certificate authorities.

Heartbleed

What is the Heartbleed bug? It exploits a vulnerability in the OpenSSL software library, which is used to implement the Transport Layer Security protocol used on the web, in instant messaging, etc. It exposes users’ passwords, cookies and other data to the attacker. It is not a virus.

Why heartbleed? The TLS protocol involves establishing a connection (a session) between two entities A and B, like initiating a phone call. When the connection is idle, one entity can ask the other ‘Are you alive? If so, send me the 4-letter word blah.’ Like checking the heartbeat.

Buffer over-read bug The extra data that is sent back is fetched from the server’s memory, due to the bug. It could include passwords and private keys. It is as if someone you had called in to fix your plumbing were to look through your closets for information.
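The two slides above describe the heartbeat request ("send me these 4 bytes back") and the over-read that happens when the requester's claimed length is trusted. The Python below is an added sketch written for this page, not OpenSSL's code, and models only the logic: a heartbeat record is a type byte, a two-byte payload length, the payload and 16 bytes of padding. The pre-fix handler copies as many bytes as the length field claims, so a claimed length larger than the real payload walks past the record into whatever sits next to it; the post-fix handler first checks that the claimed payload actually fits inside the bytes received and silently drops the record otherwise, which is the shape of the 2014 patch. Memory is simulated as the record followed by a constructed neighbouring string; nothing here touches a network.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16    # a heartbeat record ends with at least 16 bytes of padding


def build_heartbeat(payload, claimed_length):
    """type(1) | payload_length(2) | payload | padding.
    The length field is written by the sender, so it need not match len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
            + payload + b"\x00" * PADDING)


def reply_vulnerable(memory):
    """Pre-fix logic: echo as many bytes as the record *claims*, starting at the
    payload, with no check against how long the record actually is."""
    payload_length = struct.unpack("!H", memory[1:3])[0]
    payload = memory[3:3 + payload_length]          # may run past the record
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * PADDING)


def reply_fixed(memory, record_length):
    """Post-fix logic: discard records whose claimed payload would not fit in
    the bytes actually received; otherwise behave like the old code."""
    if record_length < 1 + 2 + PADDING:
        return None                                  # too short to be a heartbeat
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_length + PADDING > record_length:
        return None                                  # claimed length exceeds record
    payload = memory[3:3 + payload_length]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * PADDING)


# Constructed sample of unrelated data that happens to sit after the record in memory.
NEIGHBOURING_DATA = b"session-cookie=constructed-sample-value; "   # not a real value


def simulate(payload, claimed_length):
    """Run both handlers on the same simulated memory; returns (old reply, new reply)."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOURING_DATA
    return reply_vulnerable(memory), reply_fixed(memory, len(record))


if __name__ == "__main__":
    old, new = simulate(b"blah", 4)
    print("honest request, both handlers agree:", old == new)
    old, new = simulate(b"blah", 40)
    print("over-long claim, old handler leaks neighbour:", b"session-cookie" in old)
    print("over-long claim, fixed handler drops it:", new is None)
```

The honest request (claimed length equal to the real payload) is answered identically by both handlers, which is why the bug went unnoticed in normal operation; the single bounds check in `reply_fixed` is the whole difference.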

When was this bug introduced, discovered, and fixed? Introduced in Dec. 2011 by one of the authors (Seggelmann) on the (open-source) software team. Discovered on April 1 by Neel Mehta of Google, and by Codenomicon. Fixed right away, but servers have to use the new software.

What data is vulnerable? Servers carry users’ passwords, cookies, and session keys. Servers might also yield private SSL keys. Servers have to reissue their SSL certificates.

Which servers are vulnerable? Anyone using certain versions of OpenSSL – 17% of all servers – Most banks don’t use OpenSSL

What can a user do? Check websites on tester site to see if vulnerability has been fixed. Change passwords for those sites.

Did the NSA know about this before? April 11, 2014: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.” From bloomberg-news-story-that-nsa-knew

Which is true?
1. Heartbleed is a kind of virus that spreads through machines.
2. Heartbleed is a weakness in commonly used software that allows peeking into a server’s memory.
3. Heartbleed is easily fixed by fixing software on servers such as those owned by Amazon.com.
4. Heartbleed can be stopped by updating your web browser.
A: 1, 2, 3, 4   B: 2, 3   C: 2, 3, 4   D: 1, 2, 4

Your worry?
A: I don’t care; we all have to go some day!
B: I am worried enough to change my passwords, but doubt if I will lose anything.
C: I am very worried -- this could be the beginning of bigger stuff.