Overview of security. Clark Elliott, DePaul University. Version 1.1


Page 1: Overview of security

Overview of security

Clark Elliott, DePaul University

Version 1.1

Page 2: Overview of security

The players -- seekers

SeekerHonest: honest company requesting bids for the building of road framistats, that needs copper pipes

SeekerSneaky: wants SeekerHonest to go down in flames, so they can build all the framistats

SeekerCheatLater: Accepts bids, but later refuses to pay.

Page 3: Overview of security

The players -- vendors

VendorHonestA -- vendor that plays by the rules, sends bids for copper pipes.

VendorHonestB: Plays by the rules, sends bid for copper pipes

VendorSaboteur: Sabotages the bids of honest vendors

VendorEavesdropper: Looks at the secret bids of honest vendors.

VendorImposter: Fakes their identity, and replies from honest vendors, to steal business.

Page 4: Overview of security

Scenarios – one

SeekerHonest sends out electronic bid requests. These are public, and contain the specifications of the bids sought.

"We are SeekerHonest. We build framistats for roads. We need to purchase, from a subcontractor, 10,000 1-inch copper pipes of quality 10.5. Please send us your bids by April 12th, 2005. We will notify you by April 30th if we select you as the pipe subcontractor. Signed: SeekerHonest"

Page 5: Overview of security

One

VendorHonestA and VendorHonestB each reply with secret bids.

SeekerHonest reviews the bids and picks the one they find most attractive, selecting VendorHonestA.

SeekerH sends notification to VendorHB declining their offer, and to VendorHA accepting their offer.

VendorHA and SeekerH complete their business.

Page 6: Overview of security

One

Message integrity, authentication, and privacy have all been upheld

Page 7: Overview of security

Scenarios – two

Like scenario one, but SeekerCheatLater completes business with VendorHA.

VendorHA invests $100K in setting up to make copper pipe.

SeekerCheatLater abandons the project and refuses to pay VendorHA for their loss, saying that the electronic agreements were all faked.

Page 8: Overview of security

Scenarios – two

Message authentication and dating have been compromised; message non-repudiability has been compromised.

Page 9: Overview of security

Scenarios – three

After SeekerH sends out the messages to VendorHA and VendorHB, SeekerSneaky, who has intercepted the messages, sends a follow-up message to VendorHB telling them they would like their services after all, and forming a contract with them as well.

SeekerH now has 20,000 pipes and two vendors who want to get paid.

Page 10: Overview of security

Scenarios – three

Message privacy and authentication have been compromised.

Page 11: Overview of security

Scenarios – four

VendorSaboteur intercepts and sabotages the bids of VendorHA and VendorHB.

“These pipes are expensive to make. We regret to say that we must charge [insert an unworkably high amount]”

VendorS then submits a bid for 120 percent of the real costs of the best original bid, and gets the contract.

Page 12: Overview of security

Scenarios – four

Message integrity has been compromised

Page 13: Overview of security

Scenarios – five

VendorEavesdropper looks at the secret bids of honest vendors and then very carefully tweaks their own bid to be just enough superior to the other vendors in quality, speed, and/or price to get the bid, if they want it.

SeekerH’s secret bid protocol has now been compromised and they form a contract with an unethical business partner.

Page 14: Overview of security

Scenarios – five

Message privacy has been violated.

Page 15: Overview of security

Scenarios – six

VendorImposter fakes replies from honest vendors to SeekerH:

“For further conversations on contract x123, please use our secure email and site at…” referring to VendorI’s email and site, but purporting to be VendorHA’s email and site.

Page 16: Overview of security

Scenarios – six

Message authentication has been compromised.

Page 17: Overview of security

Scenarios – seven

VendorEavesdropper sniffs the traffic coming from VendorHA and steals the link address for the proposal, then sends its own unsolicited proposals for subcontracting to SeekerH.

VendorHA loses the time invested in developing sales leads.

Page 18: Overview of security

Scenarios – seven

Message link privacy has been compromised.

Page 19: Overview of security

All compromised…

Privacy (confidentiality)

Authentication

Integrity

Non-repudiability

Message link privacy

Page 20: Overview of security

How cryptography can help

Message privacy -- encrypt the message so that no one in the path between sender and receiver can read it.

Message Integrity -- if no one can read the message the semantics of altering it are difficult. Usually, altering a message will render it unintelligible. Encryption alone will not guarantee delivery however.

Page 21: Overview of security

How cryptography can help

Message authentication – affix an unalterable source and date tag to the message.

Message non-repudiability – create a message that could only be authored by one source at one time.

Message link integrity – encrypted headers can be used at the link level to hide destinations.
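
An added example, not part of the original slides: one way to affix a source and date tag that cannot be altered unnoticed, using an HMAC over the source, date and body of a bid. The shared key, the field names and the bid amounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

FIELDS = ("source", "date", "body")


def _canonical(msg: dict) -> bytes:
    """Serialise the tagged fields in one fixed, unambiguous byte form."""
    return json.dumps(
        {f: msg[f] for f in FIELDS}, sort_keys=True, separators=(",", ":")
    ).encode("utf-8")


def tag_message(key: bytes, source: str, date: str, body: str) -> dict:
    """Return the message with a tag that binds source, date and body together."""
    msg = {"source": source, "date": date, "body": body}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify_message(key: bytes, msg: dict) -> bool:
    """True only if source, date and body are exactly what the key holder tagged."""
    tag = msg.get("tag")
    if not isinstance(tag, str):
        return False
    if any(not isinstance(msg.get(f), str) for f in FIELDS):
        return False
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check does not leak how much matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    # Constructed sample data: key shared by VendorHonestA and SeekerHonest only.
    key = secrets.token_bytes(32)
    bid = tag_message(
        key, "VendorHonestA", "2005-04-10",
        "Bid for 10,000 1-inch copper pipes, quality 10.5: $48,000",
    )
    cases = {
        "original": bid,
        # Scenario four: the body is altered in transit.
        "sabotaged": dict(bid, body="We regret that we must charge $480,000"),
        # Scenario six: the claimed source is changed.
        "imposter": dict(bid, source="VendorImposter"),
        # Scenario two: the date is disputed after the fact.
        "redated": dict(bid, date="2005-04-13"),
        # A tag-less copy is rejected rather than accepted by default.
        "untagged": {f: bid[f] for f in FIELDS},
    }
    return {name: verify_message(key, m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} verifies: {ok}")
```

Because both parties hold the same key, either of them could have produced the tag; this gives authentication and integrity between the two, but not non-repudiability, which needs a tag only one party can create.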

Page 22: Overview of security

The Web – strange protocol

IP, TCP, HTTP

CS person says, WHAT? This is silly!

TCP is designed to establish a connection that guarantees delivery of the packets, all of them, in order, and intact.

HTTP is a connectionless protocol that breaks the connection after the requested document is returned (although a temporary connection can be requested).

Page 23: Overview of security

Web = document retrieval

The Web grew from gopher systems: “If you want a document from the library send a request and I will ‘go fer it’”

Strictly simple document retrieval.

Client sends a request for a document

The server:
– retrieves the document, sends it back, and breaks the connection, or…
– sends some other reply, such as an error message, and breaks the connection, or…
– does not reply at all.

Page 24: Overview of security

Web = document retrieval

Even back-end server programs, which may additionally have side effects, always return documents to the client.

Page 25: Overview of security

The Web -- messages

The request is a message

The document returned is a message

Everything that applies to message security also applies to the web, and e-commerce that uses a web-like structure

Page 26: Overview of security

Web infrastructure attacks

E-commerce that uses client/server is also subject to structural security issues such as:
– Denial of service attacks
– Worm attacks – self-propagating malicious code (with built in denial of service [e.g., Code Red], or site-defacement)
– DNS attacks (poison the DNS cache, redirect traffic), steal domain management keys.

Page 27: Overview of security

Web router attacks

Attacks on routers:
– Send messages TO the router – not designed for heavy traffic in this way; like a librarian reading books instead of getting them for people
– Use the router to initiate attacks
– Exploit trust relationships with other routers

See http://www.cert.org/tech_tips/

Page 28: Overview of security

The Web – stateless

Because HTTP is a connectionless protocol it does not support state maintenance. It is a stateless protocol.

Typical CS applications support state in the form of context defined by local variables: Let x be 4 in routine MAIN. Call subroutine DoSomething and set the local x to be 9. Return from DoSomething, throw out the local x, and retrieve the value 4 from the stack, thus restoring x in MAIN.

Page 29: Overview of security

The Web – no stack

Web applications have no stack.

All context information, such as the value of x, must be maintained by the distributed application itself, explicitly.

The full state (context) may be passed back and forth, and restored on the server, but at least a token must be stored on the client, passed to the server, and used by the server as an index to retrieve the state [a cookie].

Page 30: Overview of security

The Web – Login example

Client form: “Enter your username”

Server replies: “Hello Frank, I need your password”

Client form: “Enter your password”

Server replies, “I got your password, but who are you?”

Etc.

Each new connection is new.
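
An added example, not part of the original slides: the login dialogue above with the state kept on the server and only an unguessable token handed to the client as the cookie. The `SessionStore` class, the `handle` function, the user record and the reply strings other than the two quoted from the slide are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: one account, password "correct horse".
_SALT = secrets.token_bytes(16)
USERS = {"frank": (_SALT, _hash_password("correct horse", _SALT))}


class SessionStore:
    """Server-side state, indexed by the token the client sends back."""

    def __init__(self, ttl: float = 900.0):
        self._ttl = ttl
        self._sessions = {}

    def create(self, state: dict, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, carries no state itself
        self._sessions[token] = (now + self._ttl, dict(state))
        return token

    def load(self, token, now: float):
        entry = self._sessions.get(token) if token else None
        if entry is None:
            return None
        expires, state = entry
        if now >= expires:  # stale state is cleaned up, not trusted
            del self._sessions[token]
            return None
        return state

    def destroy(self, token) -> None:
        self._sessions.pop(token, None)


def handle(store: SessionStore, cookie, form: dict, now: float):
    """Process one independent request; returns (reply, cookie to set)."""
    state = store.load(cookie, now)
    if "username" in form:
        token = store.create(
            {"username": form["username"], "authenticated": False}, now
        )
        return f"Hello {form['username']}, I need your password", token
    if "password" in form:
        if state is None:
            # No token, or an unknown or expired one: the server has no context.
            return "I got your password, but who are you?", None
        record = USERS.get(state["username"].lower())
        ok = record is not None and hmac.compare_digest(
            _hash_password(form["password"], record[0]), record[1]
        )
        store.destroy(cookie)  # the pre-login token is never reused
        if not ok:
            return "Login failed", None
        fresh = store.create(
            {"username": state["username"], "authenticated": True}, now
        )
        return f"Welcome, {state['username']}", fresh
    if state and state.get("authenticated"):
        return f"Still logged in as {state['username']}", cookie
    return "Enter your username", None
```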

Page 31: Overview of security

The Web – state insecurity

Because the state must be maintained by the application it lives in caches, on disk, wherever the programmer has stashed it, all vulnerable to security mistakes.

“Session variables,” “temporary internet files,” “cookies” are all programming conveniences that simply make it easy to know where to look.

Page 32: Overview of security

The Web – redundant data

The cardinal sin of computer science is redundant data. But, the web is full of it. Browser caches, replicated servers, server buffers, etc.

Cleaning up after an application (e.g., the state, input data, keys) in one place might not mean it is cleaned up elsewhere.

Page 33: Overview of security

Dark Information

The web has much Dark Information … very simple, very useful.

Where is the information hidden?

Put the jewels in the fake cabbage in the fridge.

Use server promiscuity settings to hide dark information on the web.

Under unix the “.” attribute typically hides files

Page 34: Overview of security

Dark Info…

But accessing the information must be secure!

https://www.ourlinux.edux/.abc/letters.htm
– Not generally available to search engines.
– Once there is a single link to it, the information is compromised, and no longer “dark”

Page 35: Overview of security

The web server and Dark Info

“http://machine.subplaceabc.net/a/b/file.html”

http://machine.subplaceabc.net is translated into some IP address: 192.168.1.12

/a/b/file.html is ENTIRELY UP TO THE SERVER to use as it wishes. This is just a string that is passed to the server as an argument.

So, the server might, e.g., use tables, or encryption, or (all covered here) to hide the actual location of the real files.

Page 36: Overview of security

Dark Info…

But accessing the information must be secure!

https://www.ourlinux.edux/.abc/letters.htm
– Not generally available to search engines.
– Once there is a single link to it, the information is compromised, and no longer “dark”

Page 37: Overview of security

Secret codes

Table driven model

Entry 7: “The blue sky speaks well of Joseph”

“Do not forget to pick up potatoes at the store on your way home.”

Without other information cannot be broken, but requires a table entry for every utterance.

May be combined with encryption.

Page 38: Overview of security

Secret codes with Encryption

Encryption can only be broken when something is known about the plaintext. If the plaintext is secret code, then, generally, no isolated cracking algorithm exists.

Code: x13DF7 “Be on alert for airplanes”

There is no cracking scheme that can come up with “x13DF7” from the ciphertext.

Suppose that the “alert” is observed?

Page 39: Overview of security

Symmetric key model

Sender and receiver share knowledge of what the key is. No one else has this knowledge. Used to both encrypt, and decrypt a message.

Page 40: Overview of security

One-time pad - OTP

A one-time-pad is the most basic symmetric key encryption scheme, and is as effective as the length of the key. (Use GUIDgen?)

Sender and receiver each have an identical bit string which is as long as the message being sent. The message and the bit string are used together to compose the encrypted message, and used again to retrieve it.

Each key is used only once.

Page 41: Overview of security

One-time pad – theory only

Is “perfect” encryption, but only theoretically. In practice the problem is coming up with true randomness of the pad, which is not something provable at this time.

Problems: Keystrokes (large granularity of scan), digital computers (deterministic), etc.

Page 42: Overview of security

XOR implementation of one-time pad

Message  1011  The original message
Key      1111  Secret, shared, key
XOR      0100  Secret message
Send:    0100
Receive  0100
Key      1111  Same key applied
XOR      1011  Original message
Discard key.

Page 43: Overview of security

Shorter key

Like a one-time-pad but used more than once.

Repeats over and over until the end of the message is reached.

Can be broken with letter frequency counts, and the like.
– Which letter is used most? Once tokens are determined (words) what letter is used most often to start a word? What are the vowels?
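
An added example, not part of the original slides: the XOR one-time pad from the table above, with a pad object that hands out each key byte once and then discards it, followed by a check of why the shorter, repeated key is weaker (the key cancels out when two ciphertexts are XORed). All names and sample messages are assumptions constructed for illustration.

```python
import itertools
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key material that must be at least as long as the data."""
    if len(key) < len(data):
        raise ValueError("key material shorter than message")
    return bytes(d ^ k for d, k in zip(data, key))


def slide_example():
    """The 4-bit table from the slide: returns (secret message, recovered message)."""
    message, key = 0b1011, 0b1111
    secret = message ^ key
    return secret, secret ^ key


class OneTimePad:
    """One party's copy of the pad; key bytes are used once, then wiped."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._pos = 0

    def _take(self, n: int) -> bytes:
        if self._pos + n > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        self._pad[self._pos:self._pos + n] = bytes(n)  # "Discard key."
        self._pos += n
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        return xor_bytes(message, self._take(len(message)))

    # XOR is its own inverse, so decryption is the same operation.
    decrypt = encrypt


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """The 'shorter key' scheme: the key repeats until the message ends."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, itertools.cycle(key)))


def reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key: the key drops out."""
    c1, c2 = repeating_key_xor(m1, key), repeating_key_xor(m2, key)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])  # equals m1 XOR m2, no key involved


if __name__ == "__main__":
    print([format(v, "04b") for v in slide_example()])
    pad = secrets.token_bytes(64)  # constructed pad, shared in advance
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    ct = sender.encrypt(b"Bid: $48,000")  # constructed message
    print(receiver.decrypt(ct))
    m1, m2 = b"Bid: $48,000", b"Bid: $51,500"
    print(reuse_leak(m1, m2, b"dog") == xor_bytes(m1, m2))
```

What remains after the key cancels is the XOR of two plaintexts, which still has the letter-frequency structure of the language; that is the opening the frequency counts described above rely on.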

Page 44: Overview of security

Data encryption standard

Known by its initials DES

Like a repeating key, but harder to crack.

One-way algorithm so that encrypted material can be read without breaching security.

NSA (maybe??) insisted on a 56-bit key, which allows information to be decrypted using modern PCs given enough time (now hours?)

Very commonly in use (e.g., /etc/passwd file). Note: when encrypted messages are exposed, may allow dictionary attack.

Page 45: Overview of security

Symmetric Encryption

On a unix system:

Hawk> crypt dog < junk.txt > junk.x
Hawk> ls junk.*
– junk.txt junk.x
Hawk> crypt dog < junk.x > junk.txt2
Hawk> diff junk.txt junk.txt2
Hawk>
– [no difference]

Page 46: Overview of security

Cracking etc/passwd

/etc/passwd is used by many unix programs:

dfiresto:*:1004:10060:Diane Firestone:/condor/ccpfclt/dfiresto:/usr/local/bin/t\csh
elliott:*:1216:10320:Clark Elliott:/condor/cscfclt/elliott:/usr/local/bin/tcsh
wsander:*:1219:10090:William H Sander:/condor/econfclt/wsander:/usr/local/bin/t\csg

Passwords were encrypted, but exposed.

“passwd” was available to authenticate users:
– Use crypt to encrypt the user’s password,
– Compare to that in the /etc/passwd file

One-way algorithm is correctly used.

Page 47: Overview of security

Cracking etc/passwd

Any login will help reach the next level of access – so find at least one weak login id and exploit it

Two of the most popular Unix and Linux password crackers are "Crack" and "John the Ripper."

http://www.openwall.com/john/

http://www.securityfocus.com/data/tools/crackers/crack5.0.tar.gz

Copy /etc/passwd to local machine for ease of cracking.

Page 48: Overview of security

Cracking etc/passwd

Easy: Is pw blank, carriage return, or login?

Dictionary Attack: Looking at the encrypted passwords in the local file, compare them to the encryption of known words.
– Locate all dictionaries on the web.
– Encrypt each word to produce encrypted versions
– Sort the encrypted “words”
– Binary search for each password in the password file.

Page 49: Overview of security

Binary Search

Each “look” excludes half of the entries in the remaining set.

So, log-2 of N looks.

E.g., 128 entries, 7 looks leaves one value.

How big a space for 500 looks?
– (3 with 151 digits after it.)

Page 50: Overview of security

Cracking etc/passwd

A shadow file is now used, accessible by root, with only a pointer to the password entry in the shadow file (and used by other programs through controlled setuid executables?)

Man page: “setuid sets the effective user ID of the current process…” Create an executable, set the running userid to, e.g., “root”, and execute THAT binary code (only) with root privileges.

Page 51: Overview of security

Football, football, who has the football?

Administration of symmetric key systems is difficult.
– How does the secret key get distributed?
– Who is given the secret key?
– What happens when the key has to be changed? (answer -- everything has to be distributed again.)

System is only as secure as the administration of it

Page 52: Overview of security

Public key encryption

Non-symmetric keys come in pairs
– One key used to encrypt.
– The other is used to decrypt.
– Either key can be used for either purpose

RSA (Rivest Shamir Adleman) algorithm is the one commonly used
– patented, expires in (?2000)
– company organized around this

Page 53: Overview of security

Symmetric key vs. Public-key

Symmetric key is generally faster

Public key is generally more secure because administration is much easier

So, an efficient, but administratively secure, structure is to use Symmetric Key encryption for the bulky messages, with single-session keys. The session (or one-time) keys are encrypted, and distributed, using Public Key encryption

Page 54: Overview of security

Using public-key encryption

Public keys are published in a “phone book” of public keys, available to all

The matching private key is kept private, and secret

If Joan wants to send a secret message to Ray she encrypts it using his public key.

The message cannot be read until after it is decrypted using the secret key that only Ray knows --- hence only Ray can read the message.

Page 55: Overview of security

Signing

If Joan wants a signed copy of a message from Ray she can request that he encrypt the message using his private key.

Anyone can now read the message (including a court of law) using Ray’s public key. Assuming a valid publication of his public key, this identifies Ray as the author.

Signing depends on having a reliable source for posting of public keys.

Page 56: Overview of security

Third party registration

Ray’s signature is only as good as the site where his public key is posted.

Third-party vendors exist to guarantee the authenticity of public keys (to certify them), and to give out public and private key pairs.

Page 57: Overview of security

Certification

The idea is that once an authority is established this can be used to certify other sets of public/private keys.

For example, authority C can sign (with their private key) a document containing the public keys of party A and party B and identifying them as belonging to the respective parties. This document can only be decrypted using C’s public key, verifying it as authentic.

In this way, both A and B are also known to have attributable public keys.

Page 58: Overview of security

Public key (RSA) example

S is "secret key," P is "public key," M is "message," C is ciphertext.

C = P(M) the ciphertext can be had by applying the public key to the message

M = S(P(M)) the message can be had by applying the secret key to the ciphertext

Page 59: Overview of security

To work, the system must satisfy (due to Diffie and Hellman, 1976):

(i) S(P(M)) = M for every M

(ii) All (S,P) pairs are distinct

(iii) Deriving S from P is as hard as reading the ciphertext

(iv) Both S and P are easy to compute

Page 60: Overview of security

RSA implementation

Rivest, Shamir, Adleman

Public Key P is the integer pair (N, p),

Secret Key S is the integer pair (N, s),

N, p, s, large numbers (e.g., N 200 digits, p/s 100 digits)

C = P(M) = M**p, mod N [apply public key]

M = S(C) = C**s, mod N [apply secret key]

Can compute because of modulo operation; otherwise M**p and C**s are impossibly large to compute.

Page 61: Overview of security

RSA implementation

Generate 3 100-digit (or so) "random" prime numbers, s, x, y such that s > x and s > y, (a way exists to approximate this process efficiently)

N = (x * y)

p such that (s * p) mod ((x - 1) * (y - 1)) == 1

Can be proven that M**(p * s) mod N = M for all messages M.

Page 62: Overview of security

Large Numbers

Because the pairs (N,p) yield the public key, if the resulting number were small, then a brute force attack could expose N. This would not be good because (N,s), the secret key, has N as an important component.

In general it is hard to factor very large numbers, and thus it is hard to know what are the large prime numbers.

Page 63: Overview of security

Simplified Example

Based on P. 339 "Algorithms in C" (chapter 23) by Robert Sedgewick:

Pick three prime numbers such that s > x and s > y
– x = 2, y = 5, s = 7

Derive N, s, and p:

Derive N:
– N = x*y = 2*5 = 10
– So, N = 10

Page 64: Overview of security

Example: derive p

Derive p: (note: x=2, y=5, N=10)
– mod = (x - 1)(y - 1) = (2 - 1)(5 - 1) = 1 * 4 = 4
– (s * p) mod 4 = 1
– (7 * p) mod 4 = 1
  » p = 3 (one solution)
  » (7 * 3) mod 4 = 21 mod 4 = 1
– Or:
  » p = 11 (another solution)
  » (7 * 11) mod 4 = 77 mod 4 = 1

Page 65: Overview of security

Example: apply P and S

M is the message, here just a number. N=10, p = 3, s = 7.

Examples using (a) M = 6, and (b) M = 8:
– (a) 6 ** 3 = 216 ... mod 10 = 6 ; 6 ** 7 = 279936, mod 10 = 6
– (b) 8 ** 3 = 512 ... mod 10 = 2 ; 2 ** 7 = 128, mod 10 = 8

Note: 6**(3*7)=21936950640377856, mod 10 = 6
8**(3*7)=9223372036854775808, mod 10 = 8
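The simplified example above, carried through in code, together with the Signing slide's use of the secret key first. This is an added example, not part of the original slides; the function names and the larger primes (61, 53, 67) are constructed for illustration, and it generalizes the slide's hand calculation to any suitable x, y, s.

```python
def egcd(a, b):
    """Extended Euclid: return (g, u, v) with a*u + b*v == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def derive_keys(x, y, s):
    """From primes x, y and chosen s, return P = (N, p) and S = (N, s)."""
    N = x * y
    m = (x - 1) * (y - 1)
    g, u, _ = egcd(s, m)
    if g != 1:
        raise ValueError("s must share no factor with (x - 1)(y - 1)")
    return (N, u % m), (N, s)  # u % m is the smallest positive p


def apply_key(key, value):
    """Compute value**exponent mod N by square-and-multiply.

    Reducing mod N after every multiplication keeps each intermediate
    below N*N, which is why the slides' M**p and C**s stay computable.
    """
    N, exponent = key
    if not 0 <= value < N:
        raise ValueError("value must be in the range 0..N-1")
    result, base = 1, value
    while exponent:
        if exponent & 1:
            result = result * base % N
        base = base * base % N
        exponent >>= 1
    return result


def sign(S, M):
    """Signing slide: the holder of S applies the secret key first."""
    return apply_key(S, M)


def verify(P, M, signature):
    """Anyone holding P can undo the signature and compare with M."""
    return apply_key(P, signature) == M


# Slide values: x = 2, y = 5, s = 7 gives N = 10 and p = 3.
P, S = derive_keys(2, 5, 7)
# Constructed larger case (not from the slides): x = 61, y = 53, s = 67.
P_BIG, S_BIG = derive_keys(61, 53, 67)
```

This is the bare arithmetic only; deployed RSA adds padding to messages and signs a hash of the message rather than the message itself.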

Page 66: Overview of security

Kerberos

User and service must have keys registered with the Authentication Server (AS). User key is derived from user password. (Football) service key is random.

User sends message to AS

AS makes two copies of a brand new key -- the session key.

AS puts one copy of the session key in a box, along with the name “Football service” in plain text, locks it with the user key, and sends this to the user.

Page 67: Overview of security

[Previous step is necessary so that the user can (a) verify that the decryption was successful, and (b) that the box came from the AS.]

AS puts the other copy of the session key in a box, along with the name “Football user” in plain text, locks it with the service’s key, and returns this to the user as well.

User unlocks box 1 using the user key, verifies that decryption was successful by reading “Football service” and extracts the session key.

Page 68: Overview of security

User puts the current time in box 3, locks it with the session key, and passes box 2 and box 3 to the service. Timestamp thwarts impersonation later.

Service opens box 2 with the service key, verifies the decryption by reading “Football user”, and opens box 3 with the session key (from box 2).

Football User is now identified to Football Service.

Box 2 is the ticket; box 3 is the authenticator.

Other Kerberos topics: Ticket granting server, cross-realm authentication.

Thanks Brian Tung for notes on Kerberos.
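The three-box exchange from the Kerberos slides, with the AS, the user and the service each as one function. This is an added example, not code from the slides or from Kerberos itself; the box cipher (an HMAC-SHA256 keystream plus a tag), the salt, the function names and the 300-second freshness window are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (teaching cipher)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def lock(key, fields):
    """Put a dict in a box: encrypt, then tag so a wrong key is detected."""
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, json.dumps(fields).encode())
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unlock(key, box):
    nonce, tag, body = box[:16], box[16:48], box[48:]
    want = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("box does not open with this key")
    return json.loads(_xor_stream(_subkey(key, b"enc"), nonce, body))

def user_key_from_password(password, salt=b"constructed-realm-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def as_issue(user_key, service_key):
    """AS: one fresh session key, copied into box 1 (user) and box 2 (service)."""
    session = os.urandom(32).hex()
    box1 = lock(user_key, {"name": "Football service", "session": session})
    box2 = lock(service_key, {"name": "Football user", "session": session})
    return box1, box2

def user_build_request(user_key, box1, box2, now):
    """User: open box 1, check the name, seal the time in box 3."""
    inner = unlock(user_key, box1)
    if inner["name"] != "Football service":
        raise ValueError("box 1 is not for the Football service")
    return box2, lock(bytes.fromhex(inner["session"]), {"time": now})

def service_accept(service_key, box2, box3, now, max_skew=300):
    """Service: open the ticket (box 2), then the authenticator (box 3)."""
    ticket = unlock(service_key, box2)
    stamp = unlock(bytes.fromhex(ticket["session"]), box3)["time"]
    if ticket["name"] != "Football user" or abs(now - stamp) > max_skew:
        raise ValueError("wrong ticket or stale authenticator")
    return ticket["name"]
```

The user never opens box 2 and the service never sees the user key; the timestamp check is what rejects a captured box 2 and box 3 presented again after the window has passed.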