Loading in 5 sec....

CSci 8271 Security and Privacy in Computing Lecture 1 IntroductionPowerPoint Presentation

CSci 8271 Security and Privacy in Computing Lecture 1 Introduction

- 112 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' CSci 8271 Security and Privacy in Computing Lecture 1 Introduction' - lorand

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Introduction

- Csci 8271: Security and Privacy in Computing
- Sixth offering

- Yongdae Kim
- 9 year-old hard-working, but not bright prof :-)
- E-mail: kyd(at)cs.umn.edu preferred
- Phone: 612-626-7526
- Office hour: EECS 4-225E
- W 5:00 ~ 6:00 PM
- Google chat @yongdaek
- Else by appointment

- 17+ in-class students and 3 UNITE students

Basic Information

- 3 units
- W 6:30 ~ 9:00
- KHKH 3-111
- Catalog description
- This course discusses about recent security and privacy issues on broad range of computer systems and networks.
- Various threats on each system, attacks and countermeasures will be addressed.

- Prerequisite (Or who’s ahead?)
Count how many courses you have taken among

- (Basic, Advanced) Algorithm, Data Structures
- (Basic, Advanced) Network, Operating System
- Computer Security
- Cryptography

Course Objectives

- To learn
- To learn security threats each system has
- To learn basic security primitives used in computer and network security
- To learn how to apply these primitives in designing secure systems
- To learn how to claim the security of systems

Textbooks

- Required
- Bunch of papers!!!

- Optional
- Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone (Editor), CRC Press, ISBN 0849385237, Available on-line at http://www.cacr.math.uwaterloo.ca/hac/

Student Expectations

- Keep up with material
- complete relevant readings before class
- browse lecture slides

- Lecture Participation
- Presentation
- Draft slides should be sent to me at least 1 week ahead.

- Reading report: 2 per week (except next week)
- format available
- Everyone including presenter.
- Paper1 = MD5(studentID)%(# of papers), Paper2 = Paper1+1

- Evaluation of presentation: criteria available soon
- Discussion
- Feedback!!!!

- Presentation
- Read your email regularly (at least twice a day).
- Research project

Class Information

- Lecture format
- Slides
- Presentation by me and you

- Browse the course Web site often
- http://www-users.itlabs.umn.edu/classes/Fall-2011/csci8271/
- check it regularly
- news and lecture notes (in PDF) will all be there

- Please read your email!

Grading

- Distribution (Tentative)
- Scale: A, A-, B+, B, B-, …
- Lecture presentation: 24%
- Reading report: 36% (=3% x 12)
- Research project: 40%
- Proposal: 5%
- Interim Report: 5%
- Paper: 25%
- Presentation: 5%

- Policy
- I prefer hard course, good grade!
- Can be changed depending on you
- Which way? $&#($@(

Project

- Individual or Group Project (at most 3 in a group)
- Subject should be confirmed by instructor
- Important Dates
- Pre-proposal: Sep 25, 11:59 PM.
- Full Proposal: Oct 4, 11:59 PM.
- Interim report: Nov 11, 11:59 PM
- Final report: Dec 6, 11:59 PM.

- Research paper
- Though small, try to solve any problem. Extra credit will be given.
- Design, attack, implementation, analysis!
- Example: #@*)#*)!@

- No idea? Come to my office!

Course Outline

- See Calendar in class web page.

Course Format

- First 1 weeks cover basics
- Blackbox analysis
- introduce properties of PKC, SKC
- Not much mathematics involved!

- Blackbox analysis
- After that!!!
- Introducing the system
- Discussion on security issues for the systems
- Introducing the solutions for the systems
- Discussion on the solutions
- Feasibility, Issues, Improvement

Useful Information

- Paper search
- Google Scholar: http://scholar.google.com
- Citeseer: http://citeseer.nj.nec.com/cs
- Cryptology ePrint Archive: http://eprint.iacr.org/
- ACM Digital Library: http://portal.acm.org/
- IEEE Explorer: http://ieeexplore.ieee.org/

- Major conferences
- Security: IEEE Symposium on Security and Privacy, ACM CCS, Usenix Security, NDSS, …
- Networking and systems: Sigcomm, Mobicom, NSDI, OSDI, SOSP, Usenix Annual, FAST, …

- Other links are available at class web site.

Useful Information (Cnt.)

- Crypto packages
- OpenSSL: http://www.openssl.org
- MIRACL: Multiprecision Integer and Rational Arithmetic C/C++ Library, http://indigo.ie/~mscott/
- Crypto++ by Wei Dai: http://www.eskimo.com/~weidai/cryptlib.html
- Number Theory Library by Shoup: http://shoup.net/ntl/
- JCSI - Java Crypto and Security Implementation: http://www.wedgetail.com/jcsi/

Attacks

Normal Flow

Destination

Source

Interruption: Availability

Interception: Confidentiality

Destination

Destination

Source

Source

Modification: Integrity

Fabrication: Authenticity

Destination

Destination

Source

Source

Taxonomy of Attacks

- Passive attacks
- Eavesdropping
- Traffic analysis

- Active attacks
- Masquerade
- Replay
- Modification of message content
- Denial of service

Big picture

Trusted third party

(e.g. arbiter, distributor

of secret information)

Bob

Alice

Information

Channel

Message

Message

Secret

Information

Secret

Information

Eve

Encryption

- Why do we use key?
- Or why not use just a shared encryption function?

Adversary

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

insecure channel

m

m

Plaintext source

destination

Alice

Bob

SKE with Secure channel

Adversary

d Secure channel

Key source

e

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

Symmetric vs. Public key Enc

- Symmetric key encryption
- if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e
- Usually e = d

- Public key encryption
- Every entity has a private key SKand a public key PK
- Public key is known to all
- It is computationally infeasible to find SK from PK
- Only SK can decrypt a message encrypted by PK

- If A wishes to send a private message M to B
- A encrypts M by B’s public key, C = EBPK(M)
- B decrypts C by his private key, M = DBSK(C)

- Every entity has a private key SKand a public key PK

Digital Signatures

- Primitive in authentication and non-repudiation
- Signature
- Process of transforming the message and some secret information into a tag

- Nomenclature
- M is set of messages
- S is set of signatures
- SA: M ! S for A, kept private
- VA is verification transformation from M to S for A, publicly known

Key Establishment, Management

- Key establishment
- Process to whereby a shared secret key becomes available to two or more parties
- Subdivided into key agreement and key transport.

- Key management
- The set of processes and mechanisms which support key establishment
- The maintenance of ongoing keying relationships between parties

Hash function and MAC

- A hash function is a function h
- compression
- ease of computation
- Properties
- one-way: for a given y, find x’ such that h(x’) = y
- collision resistance: find x and x’ such that h(x) = h(x’)

- Examples: SHA-1, MD-5

- MAC (message authentication codes)
- both authentication and integrity
- MAC is a family of functions hk
- ease of computation (if k is known !!)
- compression, x is of arbitrary length, hk(x) has fixed length
- computation resistance

- Example: HMAC

MAC construction from Hash

- Prefix
- M=h(k||x)
- appending y and deducing h(k||x||y) form h(k||x) without knowing k

- Suffix
- M=h(x||k)
- possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2)

- STATE OF THE ART: HMAC (RFC 2104)
- HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding
- The outer hash operates on an input of two blocks
- Provably secure

PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

Digital Signature

- Integrity
- Authentication
- Non-repudiation

I did not have intimate relations with that woman,…, Ms. Lewinsky

WJ Clinton

Authentication

- How to prove your identity?
- Prove that you know a secret information

- When key K is shared between A and Server
- A S: HMACK(M) where M can provide freshness
- Why freshness?

- Digital signature?
- A S: SigSK(M) where M can provide freshness

- Comparison?

Identification

- Something known - passwords, PINs, keys…
- a^*ehk3&(dAs

- Something possessed - cards, handhelds…
- Something inherent - biometrics

Password Authentication

- Stored either in the clear, or “encrypted” with OWF
- Increasing security
- Rules reduce the chance of easy passwords
- Salt increases search space for a dictionary attack
- Pass phrases - more security

- Attacks
- Replay of fixed passwords
- Exhaustive search:8 character password has 40-50 bits
- More directed dictionary attacks:Crack

Challenge-response authentication

- Alice is identified by a secret she possesses
- Bob needs to know that Alice does indeed possess this secret
- Alice provides responseto a time-variant challenge
- Response depends on both secret and challenge

- Using
- Symmetric encryption
- One way functions

Challenge Response using SKE

- Alice and Bob share a key K
- Taxonomy
- Unidirectional authentication using timestamps
- Unidirectional authentication using random numbers
- Mutual authentication using random numbers

- Unilateral authentication using timestamps
- Alice Bob: EK(tA, B)
- Bob decrypts and verified that timestamp is OK
- Parameter Bprevents replay of same message in B A direction

Challenge Response using SKE

- Unilateral authentication using random numbers
- Bob Alice: rb
- Alice Bob: EK(rb, B)
- Bob checks to see if rb is the one it sent out
- Also checks “B” - prevents reflection attack

- rb must be non-repeating

- Mutual authentication using random numbers
- Bob Alice: rb
- Alice Bob: EK(ra, rb, B)
- Bob Alice: EK(ra, rb)
- Alice checks that ra, rb are the ones used earlier

Kerberos vs. PKI vs. IBE

- Still debating
- Let’s see one by one!

EKBT(k, A, L), EKAT(k, NA, L, B)

EKBT(k, A, L), Ek(A, TA, Asubkey)

Ek(TA, Bsubkey)

Kerberos (cnt.)T

- EKBT(k, A, L): Token for B
- EKAT(k, NA, L, B): Token for A
- L: Life-time
- NA?

- Ek(A, TA, Asubkey): To prove B that A knows k
- TA: Time-stamp

- Ek(B, TA, Bsubkey): To prove A that B knows k

B

A

EKAG(kAB, NA’, L, B), EkGB(kAB, A, L, NA’), B, NA’

EKGT(kAG, A, L), EKAT(kAG, NA, L, G)

A, G, NA

EKGT(kAG, A, L), EkAG(A, TA), B, NA’

EKGB (kAB, A, L, NA’), EkAB(A, TA’, Asubkey)

Ek(TA’, Bsubkey)

Kerberos (Scalable)T (AS)

G (TGS)

B

A

Public Key Certificate

- Public-key certificates are a vehicle
- public keys may be stored, distributed or forwarded over unsecured media

- The objective
- make one entity’s public key available to others such that its authenticity and validity are verifiable.

- A public-key certificate is a data structure
- data part
- cleartext data including a public key and a string identifying the party (subject entity) to be associated therewith.

- signature part
- digital signature of a certification authority over the data part
- binding the subject entity’s identity to the specified public key.

- data part

CA

- a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity
- The significance of this binding must be provided by additional means, such as an attribute certificate or policy statement.

- the subject entity must be a unique name within the system (distinguished name)
- The CA requires its own signature key pair, the authentic public key.
- Can be off-line!

Data Part

- a validity period of the public key
- a serial number or key identifier identifying the certificate
- additional information about the subject entity (e.g., street or network address)
- additional information about the key (e.g., algorithm and intended use);
- quality measures related to the identification of the subject entity, the generation of the key pair, or other policy issues;
- information facilitating verification of the signature (e.g., a signature algorithm identifier, and issuing CA’s name)
- the status of the public key (cf. revocation certificates).

ID-based Cryptography

- No public key
- Public key = ID (email, name, etc.)
- PKG
- Private key generation center
- SKID = PKGS(ID)
- PKG’s public key is public.
- distributes private key associated with the ID

- Encryption: C= EID(M)
- Decryption: DSK(C) = M

Discussion (PKI vs. Kerberos vs. IBE)

- On-line vs. off-line TTP
- Implication?

- Non-reputation?
- Revocation?
- Scalability?
- Trust issue?
- DigiNotar and Comodo!

Download Presentation

Connecting to Server..