Engineering Secure Software. Recap  Symmetric key: Benefit: fastest, mathematically the strongest Drawback: distributing the keys  Public key: Benefit:

Slides:

Advertisements

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

Cryptography and Authentication Lab ECE4112 Group4 Joel Davis Scott Allen Quinn.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Principles of Information Security, 2nd edition1 Cryptography.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Cryptography Basic (cont)

Chapter 5 Cryptography Protecting principals communication in systems.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Cryptographic Technologies

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

CSCI 6962: Server-side Design and Programming

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.

Computer Networks NYUS FCSIT Spring 2008 Milos STOLIC, Bs.C. Teaching Assistant

Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.

Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Masud Hasan Secue VS Hushmail Project 2.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.

每时每刻可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Encryption and Security Dylan Anderson Michael Huffman Julie Rothacher Dylan Anderson Michael Huffman Julie Rothacher.

David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Types of Electronic Infection

Based on Bruce Schneier Chapter 7: Key Length Dulal C. Kar.

Cryptography and Network Security (CS435) Part Eight (Key Management)

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Encryption. Introduction The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live.

ICOM 5018 Network Security and Cryptography Description This course introduces and provides practical experience in network security issues and cryptographic.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

CRYPTOGRAPHY PRESENTED BY : NILAY JAYSWAL BRANCH : COMPUTER SCIENCE & ENGINEERING ENTRY NO. : 14BCS033 1.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Digital Signatures and Digital Certificates Monil Adhikari.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Fall 2006CS 395: Computer Security1 Key Management.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Encryption Power Crunch Tyler Morgan. Encryption & Cryptography What it is, methods, and brief description of cryptography.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

Web Applications Security Cryptography 1

CompTIA Security+ Study Guide (SY0-401)

CompTIA Security+ Study Guide (SY0-501)

Engineering Secure Software

Applied Cryptography part 2

Applied Cryptography part 2

Unit 8 Network Security.

Presentation transcript:

Engineering Secure Software

Recap  Symmetric key: Benefit: fastest, mathematically the strongest Drawback: distributing the keys  Public key: Benefit: Easier to distribute the keys Drawback: Trusting public keys is tricky

SSL: Secure Sockets Layer  SSL (and TLS) are the public-key encryption standards today Protocols suffixed with “s” : https, ftps, etc. Another algorithm implementation best left to the experts  Untrusted public keys? For ~$30/year, you too can get your public key signed!! ○ Seriously, this is how it works ○ e.g. Verisign & GoDaddy are “ceritificate authorities” (CA) ○ Thus, trust the public key != trust the website Self-signed certificate? ○ Not usually a good idea to accept them, but… ○ If the key changes, you will be alerted ○ So you only need to trust the server once

Pretty Good Privacy  An open protocol created in 1991 Primarily used for encryption today Very popular in open source culture  Combines symmetric-key and public-key cryptography Symmetric is much faster and harder to crack than public-key Use public-key to distribute the symmetric key Untrusted recipient now has your symmetric key? ○ One-time symmetric key only ○ Use a secure PRNG to generate symmetric keys

PGP Web of Trust  How do you trust PGP public keys? There are no PGP “Certificate Authorities” Public key databases are open  How do you know that the food you’re eating is disease-free? ○ You trust the grocery store, who trusts the distributors, who trust the farmers ○ FDA is also a trusted third party ○ But, when you trust the farmers directly, you trust their food more  In the same way, PGP incentivizes short trust chains Each person can “sign” someone else’s key, connecting you to them in the web of trust Each “hop” diminishes the trust of a given public key You Grocery Store Distributor Farmers

PGP Mean Shortest Distance  How trusted should this key be? Geodesic paths (shortest paths) Compare the mean geodesic distance to the entire network mean “Closeness” in social network analysis  Relatively trusted by the community? Many will trust you You are trusted by people who trust you  Low MSD? Not as relatively trusted Fewer people trust you Then less-trusted people trust you

 Alt text: if you want to be extra safe, check that there's a big block of jumbled characters at the bottom. 

Cryptanalysis  Definition: “the analytic investigation of an information system with the goal of illuminating hidden aspects of that system” [NSA.gov]  In other words: breaking cryptography  Comes in many forms Brute force attacks Theoretical/Algorithmic weaknesses Side-channel attacks

Side Channel Attacks  Side channel Information emitted from a physical implementation of a cryptosystem  Side channel vulnerabilities are mutually exclusive from algorithmic vulnerabilities Although coding vulnerabilities can lead to side channel attacks  e.g. Password fields obscure the text to prevent someone from looking over your shoulder  e.g. Keeping the sticky on your monitor

Timing attacks  Use the timing of an operation to gain information  e.g. computing large prime numbers for SSL Constant concern for OpenSSL CVE “Square and multiply” algorithm  e.g. timing for checking for a password  e.g. cache-hit vs. cache-miss on a sensitive record

Data Remanence  Deleted data is not always deleted Hard drives release the memory, but it’s not necessarily overwritten Magnetic fields can remain even after it’s been overwritten  Many, many creative ways to do this… Freezing RAM with liquid nitrogen Hibernation files Core dumps

So many more…  Power monitoring attacks Can predict which branch of an if-statement was taken by monitoring power Particularly nasty on embedded devices Even AES can be broken this way  Acoustic analysis of hard drive sounds  “Chatter” - even the known existence of encrypted communication can be useful information

Lessons from Side Channels  Okay, so what? Can we even do anything about this? What must software engineers do?  Lesson 1: Identify your side channels Network chatter, timing, power, etc.  Lesson 2: You have not identified all of your side channels  Lesson 3: Better testing Realistic production environments Third-party testers with security experience

Keeping Up  Networking & crypto algorithms are constantly changing New networking protocols, new models Broken crypto algorithms  You will need to keep up with the news on algorithms Organizations: CWE, OWASP Bloggers & Researchers ○ Bruce Schneier: ○ Steve Gibson: ○ Gary McGraw: IEEE Privacy & Securitywww.cigital.com