CS 854 – Hot Topics in Computer and Communications Security

Fall 2006

Introduction to Cryptography and Security II

Announcements
  • First paper review is due on Monday
    • Review one of the two mandatory papers
    • FYI, I am the co-author of one of them
Digital Signatures
  • Cryptographic technique analogous to hand-written signatures
  • Sender (Bob) digitally signs document, establishing he is document owner/creator
  • Verifiable, nonforgeable, nonrepudiable: recipient (Alice) can prove to third party that Bob, and no one else (including Alice), must have signed document
  • Message integrity does not always require nonrepudiation
    • See later
(Cryptographic) Hash Functions
  • Computationally expensive to sign long messages m
  • Goal: fixed-length, easy-to-compute digital “fingerprint” H(m)
    • message digest, cryptographic hash function
  • can compute $K_B^-(H(m))$ instead of $K_B^-(m)$

[Figure: large message m → H: Hash Function → H(m)]
Properties of H(m)
  • Input: arbitrarily long string of bits
  • Output: fixed-size (i.e., H() is many to one)
  • Given m, easy to compute H(m)
  • One-way property/pre-image resistant
    • For any given value x, it is computationally infeasible to find m such that H(m) = x
  • Weak-collision resistance/2nd pre-image resistant
    • For any given message m1, it is computationally infeasible to find m2 such that H(m1) = H(m2)
  • Strong-collision resistance/collision resistance
    • It is computationally infeasible to find a pair (m1,m2) such that H(m1) = H(m2)
Does collision resistance imply preimage resistance?
  • Alfred Menezes: No [1]
    • G(x) is collision resistant hash function with n-bit output
    • H(x) = 1 || x if x has bitlength n, and H(x) = 0 || G(x) otherwise
    • H(x) is collision resistant, but not preimage resistant
  • Doug Stinson: Yes [2]
    • In Random Oracle Model
    • Under certain circumstances (e.g., uniform hash function)

[1] Handbook of Applied Cryptography

[2] Some observations on the theory of cryptographic hash functions
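
Menezes' counterexample as runnable code (an added example, not part of the original slides). It assumes SHA-256 as the collision-resistant G and a one-byte flag in place of the one-bit prefix; `weak_g` is a constructed 1-byte hash used only to exercise the reduction from an H collision to a G collision.

```python
import hashlib
from itertools import count

def make_H(G, n):
    """Menezes' construction over an n-byte hash G (flag is a byte, not a bit)."""
    def H(x: bytes) -> bytes:
        return b"\x01" + x if len(x) == n else b"\x00" + G(x)
    return H

def preimage(y: bytes, n: int):
    """Invert H on outputs carrying flag 01: the input is stored in the clear."""
    if len(y) == n + 1 and y[0] == 1:
        return y[1:]
    return None  # flag 00: a preimage would require inverting G itself

def g_collision_from_h_collision(G, n, x1, x2):
    """Reduction showing H is collision resistant whenever G is."""
    H = make_H(G, n)
    if x1 == x2 or H(x1) != H(x2):
        raise ValueError("not a collision in H")
    # Flag-01 outputs embed the whole input, so distinct inputs cannot collide
    # there, and outputs with different flags differ. Both inputs used G.
    assert len(x1) != n and len(x2) != n and G(x1) == G(x2)
    return x1, x2

def sha256(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def weak_g(x: bytes) -> bytes:
    """Deliberately weak 1-byte G (constructed) so a collision can be found."""
    return hashlib.sha256(x).digest()[:1]

def find_collision(H):
    """Exhaustive search; terminates quickly only because weak_g has 256 outputs."""
    seen = {}
    for i in count():
        x = i.to_bytes(4, "big")   # 4-byte inputs always take the G branch for n = 1
        y = H(x)
        if y in seen:
            return seen[y], x
        seen[y] = x
```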

Message Authentication Code (MAC)
  • MAC allows Alice and Bob to communicate such that each of them can be sure that received messages were not tampered with
    • no non-repudiation
  • Keyed hash function can be used for implementing MAC
    • e.g., x = SHA-1(k||m), transmit m and x
    • only Alice and Bob know k
    • not secure against length-extension attack
  • HMAC = H(k XOR a || H(k XOR b || m))
    • a,b: specified constants
    • H: preferably SHA-256
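
The HMAC formula above built directly from SHA-256 (an added example, not part of the original slides). It assumes the RFC 2104 constants, with a as the repeated byte 0x5c and b as the repeated byte 0x36, and RFC 2104 key handling; `protect` and `accept` are hypothetical names for the sender and receiver steps.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 processes input in 64-byte blocks

def hmac_sha256(k: bytes, m: bytes) -> bytes:
    if len(k) > BLOCK:
        k = hashlib.sha256(k).digest()      # over-long keys are hashed first
    k = k.ljust(BLOCK, b"\x00")             # then zero-padded to one block
    k_xor_a = bytes(c ^ 0x5C for c in k)    # slide's a: outer pad byte 0x5c
    k_xor_b = bytes(c ^ 0x36 for c in k)    # slide's b: inner pad byte 0x36
    inner = hashlib.sha256(k_xor_b + m).digest()
    # The outer hash wraps the inner digest, so the tag is not a plain
    # hash of k || m and cannot be extended the way SHA-1(k || m) can.
    return hashlib.sha256(k_xor_a + inner).digest()

def protect(k: bytes, m: bytes):
    """Sender side: transmit m together with its tag."""
    return m, hmac_sha256(k, m)

def accept(k: bytes, m: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(k, m), tag)
```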

Entity Authentication
  • Prove that you are who you claim to be
  • Based on
    • what you know
      • password
    • what you own
      • badge
    • what you are
      • fingerprint
Passwords
  • User enters password, computer compares it with password in file
  • Bad if file gets stolen
  • Store only password hashes in file
    • Use salt to avoid dictionary attacks due to weak passwords
    • E.g., UNIX
  • Susceptible to replay attacks if attacker can sniff traffic exchanged between user and computer
    • Use secure channel (e.g., SSL, see later)
    • Challenge-response protocols
    • Zero-knowledge protocols
Overview
  • Network security
  • Symmetric-key encryption
  • Public-key encryption
  • Message integrity and authentication
  • Entity authentication
  • Key distribution
  • Computer security
Trusted Intermediaries
  • Symmetric key problem:
    • How do two entities establish shared secret key over network?
    • requires secure channel (confidentiality, authentication, and message integrity)
  • Solution:
    • trusted key distribution center (KDC) acting as intermediary between entities
    • E.g., Needham Schroeder
  • Public key problem:
    • When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?
    • requires authenticated channel and message integrity
  • Solution:
    • trusted certification authority (CA)
Certification Authorities
  • Certification authority (CA): binds public key to particular entity, E.
  • E (person, website) registers its public key with CA.
    • E provides “proof of identity” to CA.
    • CA creates certificate binding E to its public key.
    • certificate contains E’s public key, E’s name and address (or IP address) and is digitally signed by CA.

[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information → signing algorithm using CA private key $K_{CA}^-$ → certificate for Bob’s public key, signed by CA]


Certification Authorities
  • When Alice wants Bob’s public key:
    • gets Bob’s certificate (from Bob or elsewhere)
    • apply CA’s public key to Bob’s certificate, get Bob’s public key
      • Alice needs to know CA’s public key

[Figure: Bob’s certificate → verify signature using CA public key $K_{CA}^+$ → Bob’s public key $K_B^+$]


A certificate contains:
  • info about certificate owner, including algorithm and key value itself (not shown)
  • serial number (unique to issuer)
  • info about certificate issuer
  • valid dates
  • digital signature by issuer
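
Issuing and checking a certificate with the fields listed above, covering both Certification Authorities slides (an added example, not part of the original slides). It assumes a toy, unpadded RSA key for the CA built from two Mersenne primes, which is far too small for real use; the issuer name "Example CA", the field names and the function names are hypothetical.

```python
import hashlib
import json

# Toy CA key pair (constructed): illustration only, not a secure key size.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))     # CA private exponent

def digest(body: dict, n: int) -> int:
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, serial, not_before, not_after):
    """CA side: bind subject to its public key and sign the binding."""
    body = {"subject": subject, "public_key": subject_key, "serial": serial,
            "issuer": "Example CA", "not_before": not_before,
            "not_after": not_after}
    return {"body": body, "signature": pow(digest(body, CA_N), CA_D, CA_N)}

def verify(cert, ca_n, ca_e, expected_subject, today):
    """Alice's side: return the certified public key, or None if any check fails."""
    body = cert["body"]
    if pow(cert["signature"], ca_e, ca_n) != digest(body, ca_n):
        return None                       # altered, or not signed by this CA
    if body["subject"] != expected_subject:
        return None                       # valid certificate, wrong entity
    if not (body["not_before"] <= today <= body["not_after"]):
        return None                       # outside the valid dates (ISO strings)
    return body["public_key"]
```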
SSL (Secure Socket Layer)
  • transport-layer security service
  • originally developed by Netscape
  • subsequently became Internet standard known as TLS (Transport Layer Security)
  • uses TCP to provide a reliable end-to-end service
  • server authentication
    • browser includes public keys for trusted CAs.
      • check your browser
    • browser receives server certificate, issued by trusted CA, from server
    • browser uses CA’s public key to validate certificate
  • client authentication
    • possible but typically applications use other means
SSL Services
  • message integrity
    • using a MAC with shared secret key
    • similar to HMAC but with different padding
  • confidentiality
    • using symmetric encryption with a shared secret key defined by Handshake Protocol
    • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
    • message is compressed before encryption
SSL Handshake Protocol
  • allows server & client to:
    • authenticate each other
    • negotiate encryption & MAC algorithms
    • negotiate cryptographic keys to be used
  • comprises a series of messages in phases
    • Establish Security Capabilities
    • Server Authentication and Key Exchange
    • Client Authentication and Key Exchange
    • Finish
SSL Handshake Protocol
  • RSA-based server authentication:
    • Phase 2: no server_key_exchange and certificate_request
    • Phase 3: no certificate, client_key_exchange contains pre-master secret encrypted with public key from server certificate, no certificate_verify
    • Phase 4: client & server compute master secret based on pre-master secret and initial random numbers, finished messages are authenticated/encrypted based on master secret
  • For client authentication: client sends signed transcript in certificate_verify

From Stallings

SSL/TLS: Good Practices
  • never enter confidential information (e.g., password) into a Web page that does not have URL starting with https://...
    • even when the Web page says that it’s secure nonetheless…
  • pay attention to popup/warning messages related to SSL or certificates
    • messages can be cryptic…
    • see usability section later in course
    • but now you can understand these messages
Secure e-mail
  • Sender wants confidentiality, sender authentication, message integrity, and non-repudiation
  • Sender uses three keys: her private key, receiver’s public key and newly created symmetric key

[Figure: m → H(·) → $K_A^-(\cdot)$ → $K_A^-(H(m))$; this signature and m → $K_S(\cdot)$; $K_S$ → $K_B^+(\cdot)$ → $K_B^+(K_S)$; both results sent over the Internet]

Pretty Good Privacy (PGP)
  • widely used secure-email application
  • developed by Phil Zimmermann, was target of 3-year federal investigation in USA
  • selected best available crypto algorithms to use
  • uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
  • integrated into a single program, easy to use
    • not always, see usability section later in course
  • on Unix, PC, Macintosh and other systems
  • originally free, now also have commercial versions available
PGP Key Management
  • no centralized CA, every user is own CA
    • can sign keys for users they know directly
  • key servers collect/distribute (signed) public keys
  • forms a “web of trust”
    • fully trust keys that I have signed
    • (partially) trust keys others have signed if have a chain of signatures to them
  • locally stored public keys are associated with trust indicators
    • I fully trust Bob (his public key) to sign keys
    • I partially trust Alice (her public key) to sign keys
  • users can also revoke their keys
Web of Trust

From Stallings

Overview
  • Network security
  • Symmetric-key encryption
  • Public-key encryption
  • Message integrity and authentication
  • Entity authentication
  • Key distribution
  • Computer security
Access Control
  • Different levels
    • Applications (e.g., database)
    • Operating system
    • Hardware
  • Access control matrix
    • Rows list resources, columns list people, entries list kind of access (read, write, execute,…)
    • Access control lists (ACLs): column-wise implementation
      • List of people that can access a resource
    • Capabilities: row-wise implementation
      • List of resources that a person can access
    • Hybrid
      • ACL upon first access, capability subsequently
Multilevel Security
  • Information has different levels of classification
    • Confidential, secret, top secret,…
  • Very well researched due to military funding
  • Security policy: Clearly and concisely expresses goals of protection mechanism
    • Confidentiality
      • To whom can what information be disclosed
    • Integrity
      • Who is allowed to modify what information
Bell-LaPadula Security Policy Model
  • Proposed in 1973
  • Simple security property
    • No process may read data at a higher level
    • No read up (NRU)
    • People cleared to ‘confidential’ cannot access top secret data
  • *-property
    • No process may write to a lower level
    • No write down (NRW)
    • Process running as ‘top secret’ cannot write files at ‘confidential’ level (maybe inadvertently)
  • Mandatory access control
    • As opposed to discretionary access control
Biba Integrity Model
  • Proposed in 1977
  • Ignores confidentiality
  • Low water mark principle: integrity of an object is the lowest level of all objects that contributed to its creation
  • Later in course: (Remotely) proving integrity of a computer (e.g., no virus)
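
A small reference monitor applying both Bell-LaPadula rules and Biba's low water mark to one "read sources, write target" operation (an added example, not part of the original slides). The `Level`, `Obj` and `derive` names and the integer integrity scale are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass
class Obj:
    classification: Level   # Bell-LaPadula confidentiality label
    integrity: int          # Biba integrity level (higher = more trusted)

def may_read(clearance: Level, obj: Obj) -> bool:
    return clearance >= obj.classification   # simple security property: no read up

def may_write(clearance: Level, obj: Obj) -> bool:
    return clearance <= obj.classification   # *-property: no write down

def derive(clearance: Level, sources: list, target: Obj) -> bool:
    """Mediate 'read all sources, then write target' for one process.

    Returns False and leaves target untouched if either Bell-LaPadula
    rule is violated. On success, the target's integrity becomes the
    lowest integrity among the sources (low water mark).
    """
    if not all(may_read(clearance, s) for s in sources):
        return False
    if not may_write(clearance, target):
        return False
    target.integrity = min((s.integrity for s in sources),
                           default=target.integrity)
    return True
```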
Other Aspects of Computer Security
  • Covert channels
    • Later in course
  • Software security
    • Buffer overflows
    • Cross-site scripting vulnerabilities
    • Later in course
  • Auditing
  • Intrusion detection and recovery
  • Computer forensics
Cryptography/Security Books
  • Mark Stamp, Information Security
  • Doug Stinson, Cryptography
  • Bruce Schneier, Applied Cryptography
  • Ross Anderson, Security Engineering http://www.cl.cam.ac.uk/~rja14/book.html
  • Viega & McGraw, Building Secure Software
  • Cranor & Garfinkel, Security and Usability
Current/Upcoming Cryptography/Security Courses
  • Fall 2006:
    • C&O 685: The Mathematics of Public-Key Cryptography
  • Winter 2007:
    • CS 758: Cryptography/Network Security
  • Fall 2007 (planned):
    • CS 698 – Computer/Networks Security
Conferences of Interest
  • Security: USENIX Security, ACM CCS, IEEE Security & Privacy, NDSS, SecureComm
  • Privacy: PET, WPES, SOUPS
  • Economics: WEIS
  • Usability: SOUPS, CHI
  • Pervasive computing: UbiComp, PerCom, Pervasive, PerSec