Csci 8271 security and privacy in computing lecture 1 introduction
Download
1 / 43

CSci 8271 Security and Privacy in Computing Lecture 1 Introduction - PowerPoint PPT Presentation


  • 112 Views
  • Uploaded on

CSci 8271 Security and Privacy in Computing Lecture 1 Introduction. Fall 2011 Yongdae Kim. Introduction. Csci 8271: Security and Privacy in Computing Sixth offering Yongdae Kim 9 year-old hard-working, but not bright prof :-) E-mail: kyd(at)cs.umn.edu preferred Phone: 612-626-7526

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' CSci 8271 Security and Privacy in Computing Lecture 1 Introduction' - lorand


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Csci 8271 security and privacy in computing lecture 1 introduction

CSci 8271 Security and Privacy in ComputingLecture 1Introduction

Fall 2011

Yongdae Kim


Introduction
Introduction

  • Csci 8271: Security and Privacy in Computing

    • Sixth offering

  • Yongdae Kim

    • 9 year-old hard-working, but not bright prof :-)

    • E-mail: kyd(at)cs.umn.edu preferred

    • Phone: 612-626-7526

    • Office hour: EECS 4-225E

      • W 5:00 ~ 6:00 PM

      • Google chat @yongdaek

      • Else by appointment

  • 17+ in-class students and 3 UNITE students


Basic information
Basic Information

  • 3 units

  • W 6:30 ~ 9:00

  • KHKH 3-111

  • Catalog description

    • This course discusses about recent security and privacy issues on broad range of computer systems and networks.

    • Various threats on each system, attacks and countermeasures will be addressed.

  • Prerequisite (Or who’s ahead?)

    Count how many courses you have taken among

    • (Basic, Advanced) Algorithm, Data Structures

    • (Basic, Advanced) Network, Operating System

    • Computer Security

    • Cryptography


Course objectives
Course Objectives

  • To learn

    • To learn security threats each system has

    • To learn basic security primitives used in computer and network security

    • To learn how to apply these primitives in designing secure systems

    • To learn how to claim the security of systems


Textbooks
Textbooks

  • Required

    • Bunch of papers!!!

  • Optional

    • Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone (Editor), CRC Press, ISBN 0849385237, Available on-line at http://www.cacr.math.uwaterloo.ca/hac/


Student expectations
Student Expectations

  • Keep up with material

    • complete relevant readings before class

    • browse lecture slides

  • Lecture Participation

    • Presentation

      • Draft slides should be sent to me at least 1 week ahead.

    • Reading report: 2 per week (except next week)

      • format available

      • Everyone including presenter.

      • Paper1 = MD5(studentID)%(# of papers), Paper2 = Paper1+1

    • Evaluation of presentation: criteria available soon

    • Discussion

    • Feedback!!!!

  • Read your email regularly (at least twice a day).

  • Research project


Class information
Class Information

  • Lecture format

    • Slides

    • Presentation by me and you

  • Browse the course Web site often

    • http://www-users.itlabs.umn.edu/classes/Fall-2011/csci8271/

    • check it regularly

    • news and lecture notes (in PDF) will all be there

  • Please read your email!


Grading
Grading

  • Distribution (Tentative)

    • Scale: A, A-, B+, B, B-, …

    • Lecture presentation: 24%

    • Reading report: 36% (=3% x 12)

    • Research project: 40%

      • Proposal: 5%

      • Interim Report: 5%

      • Paper: 25%

      • Presentation: 5%

  • Policy

    • I prefer hard course, good grade!

    • Can be changed depending on you

      • Which way? $&#($@(


Project
Project

  • Individual or Group Project (at most 3 in a group)

  • Subject should be confirmed by instructor

  • Important Dates

    • Pre-proposal: Sep 25, 11:59 PM.

    • Full Proposal: Oct 4, 11:59 PM.

    • Interim report: Nov 11, 11:59 PM

    • Final report: Dec 6, 11:59 PM.

  • Research paper

    • Though small, try to solve any problem. Extra credit will be given.

    • Design, attack, implementation, analysis!

    • Example: #@*)#*)!@

  • No idea? Come to my office!


Course outline
Course Outline

  • See Calendar in class web page.


Course format
Course Format

  • First 1 weeks cover basics

    • Blackbox analysis

      • introduce properties of PKC, SKC

      • Not much mathematics involved!

  • After that!!!

    • Introducing the system

    • Discussion on security issues for the systems

    • Introducing the solutions for the systems

    • Discussion on the solutions

      • Feasibility, Issues, Improvement


Useful information
Useful Information

  • Paper search

    • Google Scholar: http://scholar.google.com

    • Citeseer: http://citeseer.nj.nec.com/cs

    • Cryptology ePrint Archive: http://eprint.iacr.org/

    • ACM Digital Library: http://portal.acm.org/

    • IEEE Explorer: http://ieeexplore.ieee.org/

  • Major conferences

    • Security: IEEE Symposium on Security and Privacy, ACM CCS, Usenix Security, NDSS, …

    • Networking and systems: Sigcomm, Mobicom, NSDI, OSDI, SOSP, Usenix Annual, FAST, …

  • Other links are available at class web site.


Useful information cnt
Useful Information (Cnt.)

  • Crypto packages

    • OpenSSL: http://www.openssl.org

    • MIRACL: Multiprecision Integer and Rational Arithmetic C/C++ Library, http://indigo.ie/~mscott/

    • Crypto++ by Wei Dai: http://www.eskimo.com/~weidai/cryptlib.html

    • Number Theory Library by Shoup: http://shoup.net/ntl/

    • JCSI - Java Crypto and Security Implementation: http://www.wedgetail.com/jcsi/


The main players

Eve

Yves?

The main players

Bob

Alice


Attacks
Attacks

Normal Flow

Destination

Source

Interruption: Availability

Interception: Confidentiality

Destination

Destination

Source

Source

Modification: Integrity

Fabrication: Authenticity

Destination

Destination

Source

Source


Taxonomy of attacks
Taxonomy of Attacks

  • Passive attacks

    • Eavesdropping

    • Traffic analysis

  • Active attacks

    • Masquerade

    • Replay

    • Modification of message content

    • Denial of service


Big picture
Big picture

Trusted third party

(e.g. arbiter, distributor

of secret information)

Bob

Alice

Information

Channel

Message

Message

Secret

Information

Secret

Information

Eve


Encryption
Encryption

  • Why do we use key?

    • Or why not use just a shared encryption function?

Adversary

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

insecure channel

m

m

Plaintext source

destination

Alice

Bob


Ske with secure channel
SKE with Secure channel

Adversary

d Secure channel

Key source

e

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Pke with insecure channel
PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Symmetric vs public key enc
Symmetric vs. Public key Enc

  • Symmetric key encryption

    • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e

    • Usually e = d

  • Public key encryption

    • Every entity has a private key SKand a public key PK

      • Public key is known to all

      • It is computationally infeasible to find SK from PK

      • Only SK can decrypt a message encrypted by PK

    • If A wishes to send a private message M to B

      • A encrypts M by B’s public key, C = EBPK(M)

      • B decrypts C by his private key, M = DBSK(C)


Public key should be authentic

e

e’

Ee’(m)

Public key should be authentic!

  • Need to authenticate public keys

Ee(m)

e

Ee(m)


Digital signatures
Digital Signatures

  • Primitive in authentication and non-repudiation

  • Signature

    • Process of transforming the message and some secret information into a tag

  • Nomenclature

    • M is set of messages

    • S is set of signatures

    • SA: M ! S for A, kept private

    • VA is verification transformation from M to S for A, publicly known


Key establishment management
Key Establishment, Management

  • Key establishment

    • Process to whereby a shared secret key becomes available to two or more parties

    • Subdivided into key agreement and key transport.

  • Key management

    • The set of processes and mechanisms which support key establishment

    • The maintenance of ongoing keying relationships between parties



Hash function and mac
Hash function and MAC

  • A hash function is a function h

    • compression

    • ease of computation

    • Properties

      • one-way: for a given y, find x’ such that h(x’) = y

      • collision resistance: find x and x’ such that h(x) = h(x’)

    • Examples: SHA-1, MD-5

  • MAC (message authentication codes)

    • both authentication and integrity

    • MAC is a family of functions hk

      • ease of computation (if k is known !!)

      • compression, x is of arbitrary length, hk(x) has fixed length

      • computation resistance

    • Example: HMAC


Mac construction from hash
MAC construction from Hash

  • Prefix

    • M=h(k||x)

    • appending y and deducing h(k||x||y) form h(k||x) without knowing k

  • Suffix

    • M=h(x||k)

    • possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2)

  • STATE OF THE ART: HMAC (RFC 2104)

    • HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding

    • The outer hash operates on an input of two blocks

    • Provably secure


Pke with insecure channel1
PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Digital signature
Digital Signature

  • Integrity

  • Authentication

  • Non-repudiation

I did not have intimate relations with that woman,…, Ms. Lewinsky

WJ Clinton


Authentication
Authentication

  • How to prove your identity?

    • Prove that you know a secret information

  • When key K is shared between A and Server

    • A  S: HMACK(M) where M can provide freshness

    • Why freshness?

  • Digital signature?

    • A  S: SigSK(M) where M can provide freshness

  • Comparison?


Identification
Identification

  • Something known - passwords, PINs, keys…

    • a^*ehk3&(dAs

  • Something possessed - cards, handhelds…

  • Something inherent - biometrics


Password authentication
Password Authentication

  • Stored either in the clear, or “encrypted” with OWF

  • Increasing security

    • Rules reduce the chance of easy passwords

    • Salt increases search space for a dictionary attack

    • Pass phrases - more security

  • Attacks

    • Replay of fixed passwords

    • Exhaustive search:8 character password has 40-50 bits

    • More directed dictionary attacks:Crack


Challenge response authentication
Challenge-response authentication

  • Alice is identified by a secret she possesses

    • Bob needs to know that Alice does indeed possess this secret

    • Alice provides responseto a time-variant challenge

    • Response depends on both secret and challenge

  • Using

    • Symmetric encryption

    • One way functions


Challenge response using ske
Challenge Response using SKE

  • Alice and Bob share a key K

  • Taxonomy

    • Unidirectional authentication using timestamps

    • Unidirectional authentication using random numbers

    • Mutual authentication using random numbers

  • Unilateral authentication using timestamps

    • Alice  Bob: EK(tA, B)

    • Bob decrypts and verified that timestamp is OK

    • Parameter Bprevents replay of same message in B  A direction


Challenge response using ske1
Challenge Response using SKE

  • Unilateral authentication using random numbers

    • Bob  Alice: rb

    • Alice  Bob: EK(rb, B)

    • Bob checks to see if rb is the one it sent out

      • Also checks “B” - prevents reflection attack

    • rb must be non-repeating

  • Mutual authentication using random numbers

    • Bob  Alice: rb

    • Alice  Bob: EK(ra, rb, B)

    • Bob  Alice: EK(ra, rb)

    • Alice checks that ra, rb are the ones used earlier


Kerberos vs pki vs ibe
Kerberos vs. PKI vs. IBE

  • Still debating 

  • Let’s see one by one!


Kerberos cnt

A, B, NA

EKBT(k, A, L), EKAT(k, NA, L, B)

EKBT(k, A, L), Ek(A, TA, Asubkey)

Ek(TA, Bsubkey)

Kerberos (cnt.)

T

  • EKBT(k, A, L): Token for B

  • EKAT(k, NA, L, B): Token for A

  • L: Life-time

  • NA?

  • Ek(A, TA, Asubkey): To prove B that A knows k

  • TA: Time-stamp

  • Ek(B, TA, Bsubkey): To prove A that B knows k

B

A


Kerberos scalable

EKAG(kAB, NA’, L, B), EkGB(kAB, A, L, NA’), B, NA’

EKGT(kAG, A, L), EKAT(kAG, NA, L, G)

A, G, NA

EKGT(kAG, A, L), EkAG(A, TA), B, NA’

EKGB (kAB, A, L, NA’), EkAB(A, TA’, Asubkey)

Ek(TA’, Bsubkey)

Kerberos (Scalable)

T (AS)

G (TGS)

B

A


Public key certificate
Public Key Certificate

  • Public-key certificates are a vehicle

    • public keys may be stored, distributed or forwarded over unsecured media

  • The objective

    • make one entity’s public key available to others such that its authenticity and validity are verifiable.

  • A public-key certificate is a data structure

    • data part

      • cleartext data including a public key and a string identifying the party (subject entity) to be associated therewith.

    • signature part

      • digital signature of a certification authority over the data part

      • binding the subject entity’s identity to the specified public key.


CA

  • a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity

    • The significance of this binding must be provided by additional means, such as an attribute certificate or policy statement.

  • the subject entity must be a unique name within the system (distinguished name)

  • The CA requires its own signature key pair, the authentic public key.

  • Can be off-line!


Data part
Data Part

  • a validity period of the public key

  • a serial number or key identifier identifying the certificate

  • additional information about the subject entity (e.g., street or network address)

  • additional information about the key (e.g., algorithm and intended use);

  • quality measures related to the identification of the subject entity, the generation of the key pair, or other policy issues;

  • information facilitating verification of the signature (e.g., a signature algorithm identifier, and issuing CA’s name)

  • the status of the public key (cf. revocation certificates).


Id based cryptography
ID-based Cryptography

  • No public key

  • Public key = ID (email, name, etc.)

  • PKG

    • Private key generation center

    • SKID = PKGS(ID)

    • PKG’s public key is public.

    • distributes private key associated with the ID

  • Encryption: C= EID(M)

  • Decryption: DSK(C) = M


Discussion pki vs kerberos vs ibe
Discussion (PKI vs. Kerberos vs. IBE)

  • On-line vs. off-line TTP

    • Implication?

  • Non-reputation?

  • Revocation?

  • Scalability?

  • Trust issue?

  • DigiNotar and Comodo!


ad