EE515/IS523 Think Like an Adversary
Lecture 7
UI and Psychological Failures
Yongdae Kim
Recap
http://syssec.kaist.ac.kr/courses/ee515
E-mail policy
  Include [ee515] or [is523] in the subject of your e-mail
Class Presentation
  Assignments are made
  Always check calendar
Text only posting, email!
Preproposal meeting this week
  Group leader sends me three 30-min time windows between Wednesday and Friday (evening is OK)
Recap
Access Control Matrix
  ACL, Capabilities, Role-based ACL
User Interface
  Too many warnings…
Password Authentication
  Text, graphical, hardware token, biometrics, …
Phishing: Psychological failure!
Policy and Usability
Cost of Reading Policy (Cranor et al.)
TR = p x R x n
  p is the population of all Internet users
  R is the average time to read one policy
  n is the average number of unique sites Internet users visit annually
p = 221 million Americans online (Nielsen, May 2008)
R = avg time to read a policy = # words in policy / reading rate
  To estimate words per policy:
    Measured the policy length of the 75 most visited websites
    Reflects policies people are most likely to visit
  Reading rate = 250 WPM
  Mid estimate: 2,514 words / 250 WPM = 10 minutes
n = number of unique sites per year
  Nielsen estimates Americans visit 185 unique sites in a month, but that doesn’t quite scale x12, so 1462 unique sites per year.
TR = p x R x n
   = 221 million x 10 minutes x 1462 sites
R x n = 244 hours per year per person
P3P: Platform for Privacy Preferences
A framework for automated privacy discussions
  Web sites disclose their privacy practices in standard machine-readable formats
  Web browsers automatically retrieve P3P privacy policies and compare them to users’ privacy preferences
  Sites and browsers can then negotiate about privacy terms
Why Johnny Can’t Encrypt
- A Usability Evaluation of PGP 5.0 -
Alma Whitten and J.D. Tygar
Usenix Sec’99
Presented by Yongdae Kim
Some of the Slides borrowed from Jeremy Hyland
Defining Usable Security Software
Security software is usable if the people who are expected to use it:
  are reliably made aware of the security tasks they need to perform.
  are able to figure out how to successfully perform those tasks
  don't make dangerous errors
  are sufficiently comfortable with the interface to continue using it.
Why is usable security hard?
1. The unmotivated users
   “Security is usually a secondary goal”
2. Policy Abstraction
   Programmers understand the representation but normal users have no background knowledge.
3. The lack of feedback
   We can’t predict every situation.
4. The proverbial “barn door”
   Need to focus on error prevention.
5. The weakest link
   Attacker only needs to find one vulnerability
Why Johnny can’t encrypt?
PGP 5.0
  Pretty Good Privacy
  Software for encrypting and signing data
  Plug-in provides “easy” use with email clients
  Modern GUI, well designed by most standards
Usability Evaluation following their definition
  If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
Usability Evaluation Methods
Cognitive walk through
  Mentally step through the software as if we were a new user. Attempt to identify the usability pitfalls.
  Focus on interface learnability.
Results
Cognitive Walk Through Results
Irreversible actions
  Need to prevent costly errors
Consistency
  Status message: “Encoding”?!?
Too much information
  More unneeded confusion
  Show the basic information, make more advanced information available only when needed.
User Test
PGP 5.0 with Eudora
12 participants all with at least some college and none with advanced knowledge of encryption
Participants were given a scenario with tasks to complete within 90 min
Tasks built on each other
Participants could ask some questions through
User Test Results
3 users accidentally sent the message in clear text
7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem
Only 2 users were able to decrypt without problems
Only 1 user figured out how to deal with RSA keys correctly.
A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails.
One user was not able to encrypt at all
Conclusion
Reminder
If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems?
What other issues? What kind of similar security issues? What do we learn from this paper?
Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, M. Blaze
Usenix Sec’11
Presented by Yongdae Kim
Slides borrowed from Matt Blaze
APCO Project 25 (“P25”)
Standard (in the US and elsewhere) for digital two-way radio (voice and low-speed text)
  Widely fielded by government: local police & fire dept, federal law enforcement & security services, DoD
  Standard under ongoing development since early 90’s.
  P25 products increasingly available since early 2000’s.
Drop-in replacement for analog FM systems
  Uses narrow band channels, limited infrastructure
  Can use simplex, repeaters, or trunked infrastructure
Cryptographic security options
  Content confidentiality (encryption)
P25 Equipment
Wide range of COTS subscriber radios available
  Mobile, portable, base and infrastructure
Several US vendors
  Motorola dominates in federal law enforcement sector
Equipment features and user interfaces (somewhat) standardized across vendors.
P25: Deployed Examples
The P25 Voice Protocol
Narrow-band radio channel (12.5 kHz)
  Co-exists with analog FM
  9,600 bps (4,800 2-bit symbols/sec)
IMBE vocoder
  Reasonable speech quality
  Train of 1,728 bit voice frames that encode 180ms of audio
“Broadcast” model
  All transmissions “one-way”, no ACKs or sessions
  Error correction codes
[Figure: P25 voice transmission: Header Data Unit, then alternating Logical Link Data Unit 1 and Logical Link Data Unit 2, then Terminator Data Unit]
P25 Optional Security Features
Symmetric key encryption
  Unclassified: AES, DES, …
  Classified: various Type I
Traffic keys must be loaded into radios in advance
  Via keyloader device or over-the-air rekeying
  Keys can expire, self destruct
No “sessions”
  Sender radio selects crypto mode & key
  Up to receiver to decrypt
    Received cleartext always demodulated & played
    Received ciphertext decrypted & played if correct key available
  No authentication
Sender’s radio makes all security decisions
  Radios can be configured for always clear, always encrypted, or user selected
  User-selected is standard configuration
Highlights
Apparently ad hoc design
  No formal (or informal) security requirements specified in P25 standard
But traffic encryption itself isn’t obviously broken
But does suffer significant protocol weakness
  No authentication
  Susceptible to (active and passive) traffic analysis
    Radio unit IDs sent in clear even when encryption enabled
  Vulnerable to very efficient Denial of Service
    13 dB energy advantage to attacker
Serious crypto-usability weakness
Passive and Active Traffic Analysis
Subscriber radio’s unit ID, TalkGroup ID, NAC sent with every transmission
  24 bit unit ID is typically unique to each radio
  Effectively identifies individual radio + agency it belongs to
Standard supports encryption of Unit ID
  But they found UID always in clear, if crypto enabled
Radios typically automatically respond to pings
  Active adversary can easily discover idle radios
  Transparent to pinged radio
Scenario
Ping response is sufficient to allow automated direction finding of targeted radios
  Requires two bases at fixed location with phased directional antenna
Adversary can thus create a real-time map of selected radios, even when they are “idle”
Significant potential threat in military environment
Denial of Service (in theory)
P25 uses aggressive error correction codes
  But individual subfields of transmission are error-corrected separately
Adversary can select a single subfield to jam within frame
  Pattern at start of transmission makes synchronization easy
Voice frame is 1,728 bits, including critical 64-bit NID subfield that IDs frame type
  Jamming 64 bits renders entire 1,728 bit frame useless
  32 symbols of jamming per 864 symbols
Jammer needs 14dB less energy than the transmitter
  Compare: Analog FM requires (about) equal energy to jam
  Jamming digital spread spectrum requires much more energy
Denial of Service (in practice)
How hard is it to build a P25 subfield jammer?
TI CC1110 is a single-chip digital radio transceiver chip
  Supports native protocol very similar to P25
  Sufficiently close to recognize start of P25 frames…
  Used in GirlTech IMME toy instant messenger ($15)
So they developed their own P25 jammer firmware…
  Their first jammer
Scenario: Selective Jamming
Need not jam every P25 transmission
Jammer is low duty cycle
  Spends most time in receiving mode
  Can be programmed to recognize certain types of transmissions and interfere only with them
Easy to configure a jammer that recognizes and disables only encrypted P25 signals
  Force users to switch to clear in order for communication to work
Potential Usability Problems
Poor feedback about crypto state
  Transmit crypto is controlled by an obscurely marked toggle switch
  Switch’s state has no effect on received audio
    Clear always accepted in encrypted mode
    Encrypted accepted in clear mode (if keyed)
Frequent rekeying + unreliable rekeying
  Many agencies use short-lived keys
  But, re-keying is difficult and unreliable
Poor Crypto Feedback
Remember “Why Johnny can’t encrypt?”
Radios are typically configured to control outbound crypto with a two-position switch
  Often obscurely marked, out of view
Little feedback to user about crypto state other than the switch itself
  “Encrypted” icon on display
  Configurable “clear” beep warning
    But the same beep used to indicate other things.
Little chance for other users to notice or help
  Received cleartext always accepted, even when their own switch is in the “secure” position
Motorola XTS5000: Clear Mode
Motorola XTS5000: Secure Mode
No Ad Hoc Field Keying
If even a single user lacks current keys, there is usually nothing a team can do
  Key cannot be created or entered by hand into radio
  Keyloader hardware is not typically available in the field.
  OTAR frequently fails in practice
Often only practical option is for an entire operation to go to clear
P25 COMSEC in practice
The P25 traffic analysis and DoS attacks they found are potentially serious, but require some expertise and resources on part of adversary
  Current off-the-shelf equipment can’t easily implement most of the protocol-level attacks we found without modification
    Inexpensive software-defined radio will soon change this, however
  Not much can be done to mitigate these vulnerabilities without changing P25 protocols in any case
More serious are usability weaknesses that can be easily exploited by anyone, today:
  A significant volume of law-enforcement-sensitive cleartext regularly goes over the air, with users unaware.
Unintended Sensitive P25 Cleartext
They accidentally misconfigured a P25 radio in their lab, and were surprised to hear chatter from a federal tactical surveillance operation
  This turned out not to have been a fluke event
They subsequently collected statistics about unintended over-the-air sensitive cleartext in several metropolitan areas
  Focused on confidential tactical law-enforcement traffic
  Omitted local agencies, non-covert operations (e.g. interop networks, uniformed FPS patrols), etc.
  No encrypted traffic captured
  Used only readily-available, unmodified consumer-grade equipment
  Live monitored samples of traffic, recorded traffic statistics.
Intercepting the Federal Spectrum
2000 discrete VHF and UHF voice channels allocated to Federal government
  24 MHz of spectrum
  12.5 kHz channels
  Law enforcement mixed in among less sensitive users
  Some agency channels are widely known, others not.
Easy to identify the channels used locally for covert tactical LE activities
  They are the ones with encrypted traffic on them.
Many P25 receivers on market
Icom R-2500
  Aimed at hobby “scanner” market, includes P25 options
Legally available to anyone
Results
Searched the Federal VHF and UHF spectrum for the frequencies used for sensitive tactical networks
  Likely candidate frequencies easy to identify: they carry mostly encrypted traffic
Configured a small network of R-2500 receivers in several metropolitan areas with software to systematically scan these networks and log incidence of cleartext
  Periodically “live monitored” samples of cleartext audio
  Did not retain identifiable information about agencies or targets
In each metropolitan area:
  Most tactical traffic was apparently successfully encrypted
  But still > 20 min (mean) sensitive cleartext per city per day
  High variance; lower volume on weekends and holidays
How Sensitive is Sensitive?
The P25 unintended cleartext they live-sampled included some of the most sensitive investigative data
  Names and/or identifying features of targets and confidential informants, their locations, description of undercover agents
  Information relayed by Title III wiretap plants
  Plans for forthcoming takedowns and operations
  Wide range of crimes, some involving targets that appeared to employ reasonably sophisticated countermeasures
  Sensitive cleartext captured from virtually every DoJ & DHS LE agency
Mostly law enforcement / criminal, but we were not looking for military or intelligence traffic.
What is going wrong?
Three categories of unintended cleartext:
Single user error: one user transmitting in clear, but communicating with an encrypted team
Group error: everyone in clear, indicated they were encrypted, no one noticed they weren’t
Keying failure: one member of group did not have key, so everyone went to clear
Cleartext they sampled was roughly evenly split between single/group error and keying failure.
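The three categories above suggest a check an agency can run over its own monitoring receiver's log: flag cleartext on talkgroups that policy says must be encrypted, and separate one-radio slips from whole-group clear operation. This is an added example, not from the lecture or the paper; the record layout, the talkgroup policy list and the silence threshold are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample rows (not captured traffic): one per transmission,
# (seconds, talkgroup, unit_id, encrypted), as a monitoring receiver might log.
SAMPLE_LOG = [
    (0,   0x0101, 0xA001, True),
    (4,   0x0101, 0xA002, True),
    (9,   0x0101, 0xA003, False),  # one radio in clear, team encrypted
    (15,  0x0101, 0xA001, True),
    (300, 0x0202, 0xB001, False),  # whole group in clear
    (306, 0x0202, 0xB002, False),
    (311, 0x0202, 0xB003, False),
    (600, 0x0303, 0xC001, True),   # fully encrypted conversation
    (605, 0x0303, 0xC002, True),
]
MUST_ENCRYPT = {0x0101, 0x0202, 0x0303}  # assumed agency policy list
GAP = 60  # assumed: seconds of silence that ends a conversation

def conversations(log, gap=GAP):
    """Yield (talkgroup, rows) for each run of traffic separated by silence."""
    by_tg = defaultdict(list)
    for row in sorted(log):
        by_tg[row[1]].append(row)
    for tg, rows in by_tg.items():
        convo = [rows[0]]
        for row in rows[1:]:
            if row[0] - convo[-1][0] > gap:
                yield tg, convo
                convo = []
            convo.append(row)
        yield tg, convo

def audit(log, must_encrypt=MUST_ENCRYPT):
    """Return (talkgroup, kind, clear_unit_ids) for each policy violation."""
    findings = []
    for tg, convo in conversations(log):
        clear = sorted({unit for _, _, unit, enc in convo if not enc})
        if tg not in must_encrypt or not clear:
            continue
        if all(not enc for _, _, _, enc in convo):
            # Everyone in clear: group error or keying failure; the log
            # alone cannot tell which, so a person has to follow up.
            kind = "all-clear"
        else:
            # Some traffic encrypted: likely a single-user switch error.
            kind = "partial-clear"
        findings.append((tg, kind, clear))
    return findings
```

Calling audit(SAMPLE_LOG) reports talkgroup 0x0101 as partial-clear with unit 0xA003 and talkgroup 0x0202 as all-clear with all three of its units.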
Observations
P25 tactical radio crypto capability is now widely deployed by federal law enforcement
Yet, Federal P25 networks still carry quite a bit of easily intercepted LE sensitive cleartext
Two dominant causes, each requiring different mitigating approaches
  Accidental cleartext (about half the time)
  Keying failure (about half the time)
Mitigations
P25 protocols and products require a top-to-bottom redesign for security
  Should not be considered reliably secure, until then.
Authors suggested some short term solutions.