Security John Black UNR Fall 2000. Security Why Security? –Adversaries (bad guys) First Example:...

Security

John Black

UNR

Fall 2000

Security

• Why Security?– Adversaries (bad guys)

• First Example: login-screen spoofing– Make a fake login screen– Store passwords of unsuspecting users

Thompson’s Turing Award Lecture

• Thompson’s Turing Award Lecture– Write a program which prints its own source – Put backdoor into login program via the

compiler (each compilation inserts a backdoor)– Put backdoor into compiler itself– Have compiler code reproduce its own source– Now compile, then delete sources and backdoor

remains ONLY IN THE BINARIES!

Password Guessing

• Many users pick poor (easy-to-guess) passwords– Password guessers are programs that try

common passwords (eg, English words)– These attacks can often be performed offline

(ie, at the attackers home without knowledge of the site being attacked)

Other Attacks

• Timing Attacks– How long a function takes to compute can leak

information about what keys are being used

• Paging Attacks– Watching page faults can leak info too

• Power Analysis– Watching the amount of power a piece of hardware

consumes can let an attacker lift the key!

Internet Worm

• ‘finger’ attack– The Unix finger program uses the ‘gets()’

function of C (this is no longer true)– gets() does NOT check for buffer overflow– One could attack a machine by deliberately

giving ‘finger’ a long command-line argument to overflow its buffer, thereby overwriting the return address

Internet Worm, cont.

• Since ‘finger’ runs as root, we get root:

Command Line Argument goes here, but is really machine code

Return Address

Stack Parameter from cmd line

Overwrite Return Address to force jump to code above

Execution Stack

Other Attacks

• Besides trying to gain access to a system we could try and DENY access– Famous case in Feb 2000: Yahoo and others

shut down by a DDOS attack (Distributed Denial of Service)

– Notoriously hard to stop– Culprits were not caught

That was Security

• The topics we just covered are part of a vast area called “Security”

• Another sub-area is Cryptography, which we now discuss briefly

Intro to Cryptography

• Social Aspects– Should we have access to strong cryptography?– Governments would like to keep a special

backdoor for use against criminals• Would this be abused?• Are YOU comfortable knowing the government

could look in on you?

– Governments consider crypto a MUNITION• Export is illegal

And now the fun stuff

• Cryptography is basically math• First we address the “privacy problem”• The simplest setting is the symmetric key or

private key setting• Alice (A) and Bob (B) want to communicate

PRIVATELY over an insecure channel• To begin with, they share a common key K

– A key is a fixed-length randomly-chosen string

Privacy, Symmetric Case

• Solution is to use a block cipher under some mode of operation

• Lets say AES is used (Advanced Encryption Standard, newly ratified Oct, 2000)

• A wants to send msg M to B:– A computes C=AES(K, M) and sends to B– B computes AES (K, M) to recover M– M is called the “plaintext”; C is called the “ciphertext”

A BAdversaryK K

-1

Facts about Symmetric Cryptography

• Anyone seeing AES(K, M) cannot learn anything without K– Exception: they learn that SOME

communication is taking place and they learn the approximate length

• Encryption and Decryption is FAST for symmetric cryptography

Key Distriubtion

• But how do we distribute the keys??– If A and B can meet in person, this is not hard;

but meeting in person is impractical in an electronic age

– The solution came about in the early 1980s: asymmetric cryptography, aka public-key cryptography

Asymmetric Crypto

• In this setting A runs some algorithm and computes two (mathematically related) keys: sk and pk (secret key and public key)

• pk is advertised to the world, but sk is kept secret• To send a message M to A we compute C=E(pk,

M) and send to A• A receives C and computes D(sk, C) = M

– Here E() is the encryption function and D() is the decryption function

Notes on Asymmetric Crypto

• Once I encrypt with C=E(pk, M) even I cannot understand C any longer– Only someone holding sk can decrypt

• Asymmetric crypto is based on hard mathematical problems– A typical hard problem is this: take n = pq where p and q

are 512-bit primes; if you were given n (but not p and q) could you compute p and q in a “reasonable” amount of time?

– No one knows how to solve the above problem efficiently

• Asymmetric crypto tends to be sllllllow

Change of Topic: Authentication

• Authentication is an integral part of cryptography, but has nothing to do with privacy

• A wants to send a message to B such that B can be certain (with high probability) that A did in fact originate the message

Authentication, Symmetric Case

• Symmetric setting:– A and B share a common key K

– We use an algorithm known as a MAC (Message Authentication Code)

– A wants to send M to B• A computes t=MAC(K, M) and sends (M,t) to B

• B receives (M’, t’)

• B computes MAC(K, M’) and compares to t’– If equal, B ACCEPTS

– If unequal, B REJECTS

Authentication, cont.

• Any M sent from A should verify 100% of the time

• Any M sent from someone other than A (who does not possess K), should never verify (unless they get extremely lucky)

• Authentication in the symmetric setting is FAST

• The string t=MAC(K,M) is called the “tag”

Intuition on MACs

• Think of a big table with all possible msgs in one column and random independent 64-bit strings in the second column

• What is the probability the adversary could guess the proper tag for an M she had not seen before? Answer: 1 in 2^64

Message M Tag t

Empty String 1011…10001…10111…00011…0

0100Etc… Random bits

Authentication, Asymmetric Setting

• In asymmetric setting there is no shared key• Instead of “MAC” we call our tag a

“signature”• To sign a message M

– A generates sk, pk as before– A computes s=E(sk, M) and broadcasts (M,s)

• To verify A’s signature on M– Compute D(pk, s)=M and compare to M

Authentication Facts, Asymmetric Setting

• As before, no one but the holder of sk can generate valid signatures which will verify under use of pk

• As with asymmetric privacy, these algorithms are sllllow

• There is still a problem: what if someone masquerades as A and distributes a bogus pk as the public key?

Certification Authorities (CAs)

• A CA is a company which will sign the public keys of others with their private key so we can be sure of the validity of those public keys– Where do we then get the public key of the CA

to verify this? It’s built in to the browser!– What if the browser is hacked? Well, I guess

we’re hosed…

Secure Socket Layer (SSL)

• This is the security protocol used in browsers

• Here’s how it works:– (1) User U requests secure connection with

Vendor V– (2) V replies with its public key pk and a

signature from some CA– (3) U verifies that pk is properly signed by CA

SSL, cont.

– (4) U generates some random session key S to be used with symmetric algorithms

– (5) U computes C=E(pk, S) and sends to V– (6) V computes D(sk, C)=S– Both parties now have S and communicate

using both symmetric privacy and authentication (ie, block cipher and MAC algorithms)