© 2001 - William Fornaciari
Politecnico di Milano
Operating System Security
Lecturer: <speaker’s name>
<speaker’s affiliation> <speaker’s e-mail>
<speaker’s web site>
Security © 2001 - William Fornaciari - 2 -
Computer Security in the Real World
“What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren’t a paying business), and minimum interference with daily life. Computer security is hard because people don’t trust new things (especially when they don’t understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I’ll explain why this is wrong ...”
Butler Lampson
Security
Computer security deals with the prevention, detection and reaction to unauthorised actions by users
With the term security we focus on the global problem, which deals with:
Technical issues
Management issues
Social issues
Legal issues
There is no single definition of security
Security and Protection
We can see protection as a subset of security
Referring only to the specific mechanisms used by the OS to safeguard computer information
Providing controlled access to programs and data stored in the computer
Security requires not only an adequate protection system, but must also consider the external environment within which the system operates
Malicious behaviour of entities external to the system, affecting computer assets:
Hardware, including communication lines and networks
Software
Data
Security Context
[Figure: security context, with network security surrounding information system security and intruders positioned outside both]
Intruders
Modern systems usually allow remote access
From terminals
From modems
From the network
Intruders can use all of these to break in
Security Areas
Apart from social and legislative controls, computer security can generally be divided into three areas:
External security
Interface security
Internal security
External Security
It is concerned with physical access to the overall computer facility, to prevent theft, destruction and tampering. This includes:
Control of access to communication lines, removable storage media and terminals
Safeguarding information from natural disasters like fire, earthquakes, floods, short circuits, wars, ...
External security consists of administrative and physical control measures to prevent undesired access to physical resources
Full protection cannot be assured, so the target is to:
Minimize possible violations
Minimize the possible consequent damage
Provide recovery procedures (a proper backup policy)
Interface Security
It is concerned with the authentication of a user once physical access to a computer system has become feasible (Authentication)
Internal Security
It is concerned with:
Control of access within the computer system (Protection)
Safeguarding information transmitted over communication lines between computer systems (communication/network security)
Safeguarding stored information from being inadvertently or maliciously disclosed (file security)
Monitoring the utilization of system resources by its users (Auditing)
Security Levels
The problem of security can be faced at three different levels:
Basic technologies
Architectures and protocols
Organizational
[Figure: the three levels stacked, Organization on top of Architectures and Protocols on top of Basic Technologies]
Basic technologies
Essentially, basic technologies focus on cryptographic techniques, but other things also belong to this level:
Electromagnetic shields
...
Technologies at this level are hard to defeat with a direct attack
Brute force attacks carry an enormous cost
Architectures and protocols
The system may be secure, but we do not know who our interlocutor is
We need special architectures and protocols for:
Cryptographic key exchange
Certificates
Organizational
Concerned not with technical problems but with the human level
Computer security is easily subverted by bad human practices
E.g., passwords written on a note stuck to the computer monitor
Management has to instil secure behaviours in the users and strongly discourage non-secure behaviours
Non-secure behaviours may compromise all the security measures we have built up with great effort
In a nutshell, there is a need for management security consciousness
Social engineering attacks tend to be cheap, easy and effective
Security Measures
A rough classification is:
Prevention, taking measures that prevent computer assets from being damaged
Detection, taking measures that allow detecting when an asset has been damaged, how it has been damaged, and who has caused the damage
Reaction, taking measures that allow recovering computer assets or recovering from damage to computer assets
Security Problems (1)
Security is an engineering problem
Trade-off between safety, cost, performance and inconvenience
Risk analysis and security planning are required
Security is a global concept
We cannot protect one part of a system while leaving another part without any protection
Those breaking security will attack the weakest point
Security Problems (2)
Total security is, generally, not reachable
Because making mistakes is easy
The nature of the problem implies that mistakes are always exploited
The target to reach is to make violating the security mechanisms require a cost and an effort so great that it is not worthwhile
Fundamental Constraints of Practical Computer Security
Security costs
If security measures cost too much, they won’t be adopted
Conflict between security and ease of use
Users have specific security requirements but usually no security expertise
If security mechanisms are not easy to use or interfere too much with the working patterns users are accustomed to, they will not be used or will be misused
Misuse often makes security measures useless
Impact on performance is manifold
Security measures need additional computational resources
If the impact is too high, they will not be used
Security Requirements
There is a range of security requirements we have to guarantee for messages and data:
Confidentiality
Integrity
Availability
Accountability
Non-repudiation
Confidentiality
Confidentiality: concerned with the prevention of unauthorized disclosure of information
Captures the concept that computer security not only has to stop unauthorized users from reading sensitive information, but has to prevent them from learning sensitive information
The terms privacy and secrecy are sometimes used to distinguish between:
Protection of personal data (privacy)
Protection of data belonging to an organization (secrecy)
Integrity
Integrity: concerned with unauthorized modification of information
If we equate integrity with the prevention of all unauthorized actions, then confidentiality becomes a part of integrity
Data integrity
Is the state that exists when electronic data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction
It is impossible to guarantee this property only with mechanisms internal to the computer system; we also have to consider communications security
Availability
Availability: concerned with the prevention of unauthorized withholding of information or resources
It is the property of being accessible and usable upon demand by an authorized entity
Engineering techniques used to improve availability:
Go far beyond the traditional boundaries of computer security
Come from other areas like fault-tolerant computing
In the context of security it is linked with the prevention of ‘denial of service’
Accountability (1)
Confidentiality, integrity, availability:
Deal with different aspects of access control
Put their emphasis on the prevention of unwelcome events
Authorized actions can also lead to a security violation
A flaw in the security system may allow an intruder to find a way around the controls
For these reasons users should be held responsible for their actions, so a new security requirement was introduced: accountability
Accountability (2)
Accountability: audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party
The system has to identify and authenticate users to achieve this target
It has to keep an audit trail of security-relevant events
If a security violation has occurred, information from the audit trail may help to identify the intruder
Reliability and Safety
When considering computer security we often have to keep in mind other areas like:
Reliability, relating to accidental failures
– Security is a part of reliability, or vice versa
Safety, relating to the impact of system failures on their environment
Categories of Threats
A normal information flow from a source to a destination may be subject to:
Passive attacks
– Interception
Active attacks
– Interruption
– Modification
– Fabrication
Normal Information Flow
[Figure: normal information flow from the Information Source to the Information Destination]
Interruption
Prevents the source from sending information to the receiver
Or the receiver from sending requests to the source
It is an attack on availability
[Figure: the intruder cuts the flow between the Information Source and the Information Destination]
How Interruption Occurs
Interruption may be obtained by destroying a resource or making it unusable:
Destroying hardware
– E.g., a hard disk, cutting communication lines, ...
Deleting or damaging software
Deleting data
Interfering with the communications channel
Overloading a shared resource
With this kind of attack the intruder wants to cause denial of service
Interception
The information flow between source and destination is eavesdropped by an unauthorized third party
It is an illicit data copy and a threat to confidentiality
[Figure: the intruder reads the flow between the Information Source and the Information Destination]
Another Type of Interception
It is an active attack
[Figure: intruder, Information Source and Information Destination]
How Interception Occurs
There are several ways to achieve this purpose:
Break-ins
Illicit data copying
Eavesdropping
Sniffing
Masquerading
Tampering
The aims of this attack could be:
Acquiring message contents
Traffic flow analysis, which permits deducing information like
Modification
The information or data is modified; it is a threat to integrity
[Figure: the intruder alters the flow between the Information Source and the Information Destination]
How Modification Occurs
Ways to carry out modification-based attacks are:
Interception of data requests
Masquerading
Illicit access to servers/services
Modification may concern:
The message author
The message sending time (replay attacks)
The message contents
Fabrication
An unauthorized party inserts counterfeit objects into the system
The counterfeit concerns both the author and the contents of a message
It is a threat to integrity
[Figure: the intruder injects messages towards the Information Destination as if they came from the Information Source]
How Fabrication Occurs
These attacks can be carried out by:
Spoofing
Masquerading
Bypassing protection measures
Duplication of legitimate requests
Passive vs Active Attacks
Passive attacks are forms of eavesdropping
No modification or injection of requests occurs
They are difficult to detect
They require mechanisms that protect communication independently of whether an attack is occurring
Active attacks are more aggressive
Availability and integrity are compromised
Information System Security Threats
Computer security consists of:
Formulating an access control policy that reflects the protection requirements of the application
The computer system has to enforce the policy in the presence of active attempts to bypass or disable controls
Implementing a complex system is a challenging task, and there is a long history of security bugs in operating systems, often caused by simple programming errors
Many attacks exploit well-known security weaknesses in an automated and efficient manner
How Things Go Wrong
The major sources of security problems fall into the following categories:
Change in environment
Bound and syntax checking
Convenient but dangerous design features
Escapes from controlled invocation
Bypass at a lower layer
Flaws in protocol implementations
Change in Environment
Change is one of the biggest enemies of security
A system may offer perfectly adequate security; then a part of the system is changed
The security implications of the change were taken into account, but security is compromised anyway
Or, even worse, the change was considered to have no influence on security, and an unpleasant surprise will occur
Bound and Syntax Checking
A frequent source of security problems are commands that do not check the size or the syntax of their arguments
By overrunning an input buffer, an attacker with detailed system knowledge can overwrite memory locations holding security-relevant data
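The defect and its fix side by side, as an added example (not code from the lecture): a constructed record in which a fixed-size name buffer sits next to a security-relevant flag, the unchecked copy that can run past it, and the bounds-checked copy that refuses oversized arguments before writing anything.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: a fixed-size name buffer next to a security-relevant
 * flag. The layout is illustrative; C gives no guarantee of what an overrun
 * actually hits, which is exactly why it must never happen. */
struct session {
    char name[16];
    int  is_admin;
};

/* Unchecked version (the defect the slide describes): the argument length is
 * never compared with the buffer size, so an input of 16 or more characters
 * writes past 'name' into whatever follows it. Undefined behaviour. */
void set_name_unchecked(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Bounds-checked version: measure first, refuse anything that does not fit
 * together with its terminating NUL, and only then copy. Returns 0 on
 * success, -1 when rejected; the record is untouched on failure. */
int set_name_checked(struct session *s, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof s->name)
        return -1;              /* too long: reject rather than truncate silently */
    memcpy(s->name, input, n + 1);
    return 0;
}

/* Demonstration helper: 1 if 'input' was accepted and the admin flag survived
 * untouched, 0 if it was rejected (nothing written). */
int accepts_without_clobber(const char *input)
{
    struct session s = { "", 0 };
    if (set_name_checked(&s, input) != 0)
        return 0;
    return s.is_admin == 0 && strcmp(s.name, input) == 0;
}
```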
Convenient features
Backward compatibility with legacy systems, ease of installation and ease of use are good reasons for including features
These features are however dangerous from a security viewpoint, leaving the system open for attackers to exploit what is an intended system feature
Controlled Invocation
An error in such a (privileged) program can seriously undermine security
E.g., in Unix, when a user logs in:
The login program sets up an environment for that user, executing the commands contained in the user’s .cshrc and .login files
The login program runs with root privilege
A user can use the files .cshrc and .login as trojan horses, inserting commands that will be executed by root
It is therefore essential that the UID of the login process is set to the user’s UID before executing any commands that could be defined by the user
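The privilege drop the last point requires, as an added example in C (not the Unix login source): groups are dropped before the user id, the drop is verified to be irreversible and complete, and a gate function says whether user-defined commands may now run. The fallback id 65534 is assumed to be an unprivileged account.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to 'uid'/'gid' in the only order that works:
 * supplementary groups, then primary group, then user id (once the user id
 * is no longer 0, the group calls would fail). Returns 0 on success, -1 on
 * any failure, so the caller never proceeds with privilege half-dropped. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may clear the list */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: if root can still be regained, refuse. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    /* And it must be complete: real and effective ids both changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Gate for the step the slide warns about: user-defined commands (.cshrc,
 * .login) may only be executed once no root identity remains. */
int safe_to_run_user_commands(void)
{
    return getuid() != 0 && geteuid() != 0;
}

/* Demonstration: drop to the invoking user, or to uid/gid 65534 (assumed to
 * be an unprivileged 'nobody' id) when started as root. Returns 0 when the
 * process ends up in a state where user commands may safely run. */
int demo_drop_to_unprivileged(void)
{
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return safe_to_run_user_commands() ? 0 : -1;
}
```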
Bypass
Logical access control validates access by users and processes to logical system objects
This control may be bypassed if an attacker:
Can insert code below the logical access control
Or gets direct access to memory
Flawed Protocol Implementations
Abstract descriptions of security protocols are full of innocuous statements like ‘pick a random number’
Sometimes designers go for an easy option while being aware of its security shortcomings
Sometimes they do not immediately spot the problem
Malicious Programs (1)
Dangers for a system are often represented by programs which take advantage of system weak points
E.g., an OS that does not protect against unauthorised modification
Clever programmers can get software to do their dirty work for them
Programs have several advantages for this purpose:
Speed
Mutability
Anonymity
Malicious Programs (2)
We can distinguish malicious programs into two categories:
Independent programs, that may be executed autonomously from the execution of other programs
– Worm
– Bacteria
Program fragments, that cannot work independently from the execution of another process
– Trojan horse
– Trapdoors
– Logic bomb
– Virus
Trojan horses and logic bombs may, in some cases, be part of a virus
Taxonomy
[Figure: taxonomy of malicious programs, split into those that need a host program (trapdoors, logic bombs, trojan horses, viruses) and independent ones (bacteria, worms); the figure also marks which of them replicate]
Trapdoors
A trapdoor is a secret entry point into an otherwise legitimate program
It is a portion of code that recognizes special input sequences, or that is activated when an application is executed with a particular ID
A user knowing of its existence may gain access, bypassing normal authentication procedures
Trapdoors are used by programmers:
To facilitate debugging and program testing, avoiding tedious and long authentication procedures
To have an activation method if the program’s authentication process has a bug
Controls against trapdoors are difficult to implement
Logic Bombs
A logic bomb is a piece of code belonging to a legitimate program that ‘explodes’ under certain conditions:
Modifying or deleting data and files
Causing a system halt
...
Usually they are inserted by program authors
In practice it is hard or impossible to detect a logic bomb before its explosion
Typical activating conditions are:
The presence or absence of certain files
A particular day
A particular user executing the application
Trojan Horses
A trojan horse is a seemingly useful program that contains hidden code performing harmful actions:
Obtaining access to the user’s files by changing file permissions
Obtaining passwords
Deleting data and files
Adding backdoors to programs
...
We may find them in:
Editors
Fake login screens
They are particularly dangerous in compilers
– Inserting malicious code in a program during its compilation
Bacteria
Their only purpose is to replicate themselves
Bacteria reproduce themselves in an exponential way:
Taking up all the processor capacity
Taking up memory
Taking up disk space
Eventually denying users access to resources
Worms
Worms use network connections to spread from system to system
To replicate themselves they use:
E-mail facility
– A worm mails a copy of itself to other systems
Remote execution capability
– A worm executes a copy of itself on other systems
Remote log-in capability
– A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
Can spread very rapidly
Worms (2)
When a worm is activated it may act as a:
Virus
Bacteria
Trojan horse
Or perform any other kind of malicious action
Four phases characterize a worm (like a virus):
Sleeping, the worm is inactive, waiting for some event
Propagation, the worm:
– Looks for other systems to infect, analysing the host table or remote system addresses
– Establishes a remote connection
– Copies itself onto the remote system, ensuring the copy will be activated
Worms (3)
Triggering, the worm is ready to do its work
– This phase may be activated by various events
Execution, the worm does its work
The ‘Morris Internet worm’ of 1988 is the most famous example
Viruses
Viruses are programs that can infect other programs by modifying them
Like worms, viruses are designed for spreading, but they are pieces of code inserted into legitimate programs
Viruses occur anywhere imported code gets executed:
Imported programs
Some inclusions in mail messages
Boot sectors and other executable portions of media
Macros attached to some data files
Along with mere infection, trojan horses, trapdoors or logic bombs can be included
Virus Life-Cycle
The life-cycle of a virus has four phases, like worms
Sleeping
– Not all viruses have the sleeping phase
Propagation
– The virus puts a copy of itself in some program or in some system disk area
– The copy itself will enter the propagation phase
Triggering phase
– The virus is activated by some event to execute its ‘task’
Execution
– The virus executes its ‘task’, which may be innocuous or harmful
Virus Spread
[Figure: virus spread in three steps; at each step the virus code carried by an infected program is copied into an uninfected program]
Typical Virus Actions
Typical virus actions are:
Find uninfected writable programs
Modify those programs
Perform the normal actions of the infected program
Do whatever other damage is desired by its author
Viruses Taxonomy (1)
A non-exhaustive taxonomy:
Parasitic virus
– It is the classic virus attached to an executable file
– When the infected program is executed, the virus looks for uninfected files to spread to
Memory-resident virus
– Lodges in main memory as part of a resident system program
– Once in memory, it infects every program that is executed
Boot sector virus
– It infects a boot sector
– When the system is started, the virus ‘starts its work’
Viruses Taxonomy (2)
Stealth virus
– It is designed with the precise intent of eluding anti-virus detection
– Compression techniques may be used by this kind of virus to leave the size of the infected program unmodified
– The virus may modify the I/O routines so that, when those routines are used, they show the infected program as uninfected
– Hiding in a sector marked as bad in the FAT
Slow infection virus
– Controls the rate of infection to avoid immediate detection
Viruses Taxonomy (3)
Polymorphic virus
– It is designed to make small changes to its code at every infection
– Creates copies of itself that are functionally equivalent but have distinctly different bit patterns
– Encrypts itself and uses a new key on each new infection
– It is a way to deceive anti-virus mechanisms, making detection by ‘signature’ impossible
Macro virus
– It is attached to a data file
– Therefore it bypasses integrity protection mechanisms targeting executables
– It is written in a high-level language
– Therefore it is much more platform independent
Dealing with Viruses
The solutions to counter viruses are:
Prevention of infection
Detection and reaction
Containment
Preventing the Spread of Viruses
To prevent a virus infection, the solution is not installing untrusted software
But who can you trust?
Viruses have been found in commercial shrink-wrap software
So we have to take other prevention measures:
Scan incoming programs for viruses
– Some viruses are designed to hide
– Anti-virus software does not detect the newest viruses
Limit the targets viruses can reach
Monitor updates to executable files
Virus Detection (1)
Virus detection is needed if an infection has occurred
Both viruses and anti-virus software have become more complex
We may identify four anti-virus generations
Simple analysers (first generation)
Scanners using the virus ‘signature’ to identify the infection
– Do not identify polymorphic viruses
Others maintain a record of program lengths, looking for variations in length
– Do not identify stealth viruses
Virus Detection (2)
Heuristic analysers (second generation)
Use heuristic rules to search for probable virus infections
Look for fragments of code that are often associated with viruses
A checksum may be attached to the end of a program, so that if a virus infected the program without modifying the checksum it may be detected
– Some viruses are able to generate the checksum themselves
– The checksum may be replaced by an encrypted hash function, which is harder for a virus to forge
Activity traps (third generation)
They are memory-resident programs that identify a virus by its actions rather than its structure
They intervene when these actions take place
Virus Detection (3)
Fully equipped protection (fourth generation)
Consists of a variety of anti-virus techniques used in conjunction
Besides analysis and activity traps, these packages include access control techniques that prevent viruses from entering the system
Containment
To avoid virus damage we may run suspect programs in an encapsulated environment, limiting their forms of access to prevent virus spread
Containment requires a versatile security model and strong protection guarantees
Running each executable in its own protection domain, relying on the underlying access control mechanisms
Standard access control mechanisms offered by the OS are often not enough
Programs execute under the user’s identity with the user’s privileges
So the evil program has full user privileges
Standard Access Control Mechanisms
Other problems with standard access mechanisms are:
What access is allowable?
How does it get set?
How fast can you create the domains?
Most popular operating systems do not offer simple ways to limit the security domain of programs
Access control mechanisms present several problems in managing untrusted code (as we have seen when talking about protection)
Other possible solutions:
Improved OS access control for managing untrusted code
‘Padded cells’
Padded Cell Approaches
Improving OS access control means building systems able to manage domains that are not the same as process address spaces
Padded cells essentially consist in executing programs in an encapsulated environment
Three ways to implement an encapsulated environment:
Augmenting the OS
– Solves the general problem
Virtual machine and language-based approaches
– Most suitable for downloading small executables
Software-enforced fault isolation
– Most suitable for composition of executables
Virtual Machine and Language Approaches
Define a virtual machine that does not allow ‘insecure’ operations
Run imported programs through an interpreter for that language
Java does precisely that
The Java virtual machine is meant to provide a secure execution environment allowing:
Very limited file access
No process creation
Very limited network communications
Very limited examination of details of the host computer
Software-Enforced Fault Isolation
The virtual machine approach is limiting
– What happens if you need to write a file, create a process, ...?
– Usually only one language is supported
Software-enforced fault isolation consists of a software approach to memory protection:
Segment matching
Address sandboxing
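The two SFI techniques on a simulated flat memory, as an added example (not code from the lecture): segment matching compares the segment id in the address with the domain’s id and refuses the store on mismatch, while address sandboxing skips the comparison and forces the domain’s id into the high bits so the store lands in the domain’s own segment. The 4 KiB memory and 256-byte segments are a constructed layout.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout: 4 KiB of flat memory split into 16 segments of 256
 * bytes; a segment is identified by the high bits of an address. */
#define MEM_SIZE  4096u
#define SEG_BITS  8u
#define OFF_MASK  ((1u << SEG_BITS) - 1u)      /* offset within a segment */
#define NUM_SEGS  (MEM_SIZE >> SEG_BITS)
#define SEG_OF(a) ((a) >> SEG_BITS)

static uint8_t mem[MEM_SIZE];                  /* simulated memory */

/* Segment matching: before the store, compare the address's segment id with
 * the one assigned to the fault domain and trap on mismatch.
 * Returns 1 if stored, 0 if the access was refused. */
int checked_store(uint32_t seg, uint32_t addr, uint8_t v)
{
    if (addr >= MEM_SIZE || SEG_OF(addr) != seg)
        return 0;
    mem[addr] = v;
    return 1;
}

/* Address sandboxing: no comparison at all; the domain's segment id is forced
 * into the high bits, so whatever address the untrusted code computed ends up
 * inside its own segment (at the cost of silently redirecting it).
 * Returns the address actually written, or UINT32_MAX for a bad segment. */
uint32_t sandboxed_store(uint32_t seg, uint32_t addr, uint8_t v)
{
    if (seg >= NUM_SEGS)
        return UINT32_MAX;
    uint32_t boxed = (addr & OFF_MASK) | (seg << SEG_BITS);
    mem[boxed] = v;
    return boxed;
}

/* Inspection helpers for the demonstration */
uint8_t peek(uint32_t addr) { return addr < MEM_SIZE ? mem[addr] : 0; }
void    reset_mem(void)     { memset(mem, 0, sizeof mem); }
```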
Authorization and Access Control
Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
The concepts of proper authorization and of access control are essential for this definition
We have seen access control mechanisms when talking about protection
Identification and Authentication
A secure system somehow has to track the identities of the users requesting its services
Identification
– Consists of entering a user name and password
– You announce who you are
Authentication is the process of verifying a user’s identity
– Once user name and password are entered, a process compares the input against the entries stored in a password file
– Login will succeed if a valid user name and the corresponding password are entered

User Authentication
There are two reasons for authenticating a user
User identity is a parameter in access control decisions
– Processes are generally assigned to protection domains according to the identity of the user on whose behalf they are executed
User identity is recorded when logging security-relevant events in an audit trail
Most computer systems use identification and authentication through user name and password as their first line of defence

Passwords
Identification and authentication through a password
– Has become a widely accepted mechanism and is not too difficult to implement
– Obtaining a valid password is an extremely common way of gaining unauthorized access to a computer system
» Password guessing
» Password spoofing
» Compromise of the password file

Choosing Passwords
Password choice is a critical security issue
Completely preventing an attacker from guessing a valid password by chance is impossible
The use of trivial words as passwords makes illegal disclosure a rather easy event
We can try to keep the probability of such an event as low as possible by adopting some care
– Changing default system passwords like 'manager'
– Prescribing a minimum password length
– Mixing upper and lower case letters
– Including digits and other non-alphabetic symbols
– Avoiding obvious passwords
– Changing the password frequently
– Always choosing a password that is easy to remember (but not easy to guess)

Password Guessing
Attackers essentially follow two guessing strategies
Exhaustive search (brute force)
– Try all possible combinations of valid symbols, up to a certain length
Intelligent search
– Search through a restricted name space
» Try passwords that are somehow associated with the user: name, names of friends and relatives, car brand, car registration number, phone number, ...
» Try passwords that are generally popular (dictionary attack)
Successful attacks are more often based on social engineering than on technical ingenuity
Actions should be taken to focus the user's attention on the relevance of a careful choice of password, and of its correct use

Dictionary Attacks
In a dictionary attack
– An on-line dictionary contains a set of popular passwords
– A program tries all passwords from the dictionary until it finds the correct one

Password Disclosure
Studies have shown that illegal disclosure of passwords through repeated attempts is still feasible today within acceptable computation time
– Thanks to the use of massive parallelism
Parallel technologies, combined with negligence in the selection and management of passwords, increase the exposure to intrusions

Improving Password Security (1)
The system may help to improve password security
Password checkers
– Tools that check passwords against a dictionary of 'weak' passwords
Password generation
– Some OSs include a password generator producing random but pronounceable passwords
– Users are allowed to adopt only passwords proposed by the system
– Users are unlikely to memorise long and complicated passwords
» They write such passwords down on a piece of paper that is kept close to the computer

Improving Password Security (2)
Password ageing
– An expiry date for passwords can be set, forcing users to change passwords at regular intervals
– A list of old passwords may be kept to prevent re-use of old passwords
– Changing passwords too often causes the problem of writing them down in order to remember them
Limit login attempts
– The system can monitor unsuccessful attempts and react by locking the user account, completely or at least for a certain period of time
– Useful against dictionary attacks
– A permanent lockout has a cost: an attacker who knows a user name can deliberately lock that user out; a temporary lockout, or an increasing delay between attempts, limits this

Improving Password Security (3)
Inform the user
– After a successful login, the system can display the time of the last login and the number of failed login attempts since then
– Users may thus discover recently attempted attacks

Spoofing Attacks (1)
Identification and authentication through user name and password provide unilateral authentication
– The user has no guarantee about the identity of the party to whom he is giving his password
In a spoofing attack
– The attacker runs a program that presents a fake login screen on some terminal/workstation
– The user tries to log on
– User name and password are stored by the attacker
– Execution may then be handed over to the user, or the login is aborted with an error message
– The spoofing program terminates, giving control back to the OS

Against Spoofing Attacks
Solutions against spoofing attacks may be
Displaying the number of failed logins
Guaranteeing that the user communicates with the OS and not with a spoofing program
– Windows NT has a secure attention sequence, CTRL+ALT+DEL, which invokes the Windows NT OS login screen; the key combination is trapped by the OS, so a user-mode program cannot intercept it
Double authentication (handshaking)
– Mutual authentication: the system introduces itself to the user through information known only to the user and the system, and the user authenticates back to the system
– E.g. in a distributed system, the system could be required to authenticate itself to the user

Beyond Spoofing Attacks
Other ways through which an intruder may 'find' a password are due to the fact that
Passwords do not travel directly from the user to the checking routine
Passwords are temporarily held in intermediate storage locations like
– Buffers
– Caches
– Web pages
The management of these storage locations is beyond the control of the user, and a password may be kept there longer than the user may think

Compromise of the Password File
User passwords are stored in password files managed by the OS
Password files are a desirable target for an intruder
– Disclosure or modification of their content permits the intruder to gain system access
Password files must be protected by
– Cryptographic protection
– Access control enforced by the OS
– A combination of cryptographic protection and access control, plus mechanisms to slow down dictionary attacks

Cryptographic Protection (1)
Instead of the password x, the value f(x) is stored in the password file
f is a one-way function: easy to compute but hard to invert
When a user logs in and enters a password x1, the system
– Applies the one-way function f and compares f(x1) with the stored value f(x); if the values match, the user has been successfully authenticated
The password file can be left readable by everyone only if dictionary attacks are not a concern

Cryptographic Protection (2)
In a dictionary attack the attacker
Knows the one-way function
– E.g. Unix uses the one-way function crypt(3)
Applies it to all words in a dictionary
Compares, off-line, all these values against the entries in the password file; if a match is found, the attacker knows that user's password
We may use a one-way function that is harder to compute
– Dictionary attacks become harder (require more time)
– The login mechanism also slows down, but the legitimate user pays the cost once per login while the attacker pays it for every guess
It is better to hide the hashed password file as well

Access Control Mechanisms
OS access control mechanisms restrict access to files and other resources to users holding appropriate privileges
They can be used to protect password files
– Only privileged users can have access to the password file
– If read access is restricted to privileged users, passwords could in theory be stored unencrypted
Malicious users, taking advantage of flaws in OS modules (bugs or trapdoors), could access the content of the password file
A Trojan horse in the login procedure of a system can record all the passwords used at login time
A combination of access control mechanisms and cryptographic methods is therefore recommended

Proprietary Storage Formats
A weak form of read protection is provided by proprietary storage formats
– E.g. Windows NT stores password hashes in a proprietary binary format
A determined attacker will obtain or deduce the information necessary to locate the security-relevant data: an undocumented format is obscurity, not protection

Password Salting
When a password is hashed
– An additional piece of information, the 'salt', is combined with the password before applying the one-way function
– E.g. in Unix systems the salt is a 12-bit number
– The salt is generated on the basis of the creation time and of the identifier of the running process, and is stored in clear next to the hashed password
Password salting makes the stored entries unique
– Two users with the same password have different entries in the password file
Salting slows down dictionary attacks, since it is no longer possible to search for the passwords of several users simultaneously: each dictionary word has to be hashed once per distinct salt

Inserting a New Password
[Figure: the 12-bit salt and the 56 bits of the password (8 characters of 7 bits) are fed to crypt(3); the result is stored in the password file together with the salt]
Password file entry: User ID | Salt | Encrypted PWD

Controlling a Password
[Figure: the user ID selects the entry (User ID | Salt | Encrypted PWD) in the password file; the stored salt and the 56 bits of the entered password are fed to crypt(3); the output is compared with the stored Encrypted PWD]
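The two slides above (inserting and controlling a password) and the off-line dictionary attack of the Cryptographic Protection slides, as an added example that is not code from the original lecture. The one-way function f is a stand-in for crypt(3) (iterated SHA-256 over salt and password, with an iteration count playing the role of "a harder-to-compute f"); user names, passwords, salts and the word list are constructed for the demo.

```python
"""Salted one-way password storage and the off-line dictionary attack against it.

Added example, not code from the original slides.  one_way() is a stand-in
for crypt(3); ITERATIONS is an assumed work factor.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

ITERATIONS = 1000            # assumed work factor (crypt(3) iterated DES 25 times)
Entry = Tuple[bytes, bytes]  # (salt, f(salt, password)) as stored in the password file


def one_way(salt: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """f(salt, x): easy to compute, hard to invert."""
    digest = salt + password.encode()
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def insert_password(password: str, salt: bytes) -> Entry:
    """Inserting a new password: the salt is stored in clear next to f(salt, x)."""
    return salt, one_way(salt, password)


def check_password(entry: Entry, candidate: str) -> bool:
    """Controlling a password: recompute f with the stored salt and compare."""
    salt, stored = entry
    return hmac.compare_digest(stored, one_way(salt, candidate))


def dictionary_attack(pwfile: Dict[str, Entry], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Off-line attack: f is public, so hash each word once per distinct salt and
    compare it against every entry using that salt.  Returns (cracked, calls to f)."""
    words = list(words)
    by_salt: Dict[bytes, List[Tuple[str, bytes]]] = {}
    for uid, (salt, stored) in pwfile.items():
        by_salt.setdefault(salt, []).append((uid, stored))
    cracked: Dict[str, str] = {}
    calls = 0
    for salt, entries in by_salt.items():
        for word in words:
            guess = one_way(salt, word)
            calls += 1
            for uid, stored in entries:
                if guess == stored:
                    cracked[uid] = word
    return cracked, calls


# Constructed password file: two users kept the default password 'manager'.
USERS = {"alice": "manager", "bob": "manager", "carol": "x7#Qz!p2"}
WORDS = ["password", "manager", "letmein", "123456"]   # constructed dictionary


def build_file(salted: bool) -> Dict[str, Entry]:
    """Unsalted file: every entry uses the empty salt.  Salted file: one distinct
    12-bit salt per user (fixed here so that the demo is repeatable)."""
    salts = {"alice": b"\x00\x01", "bob": b"\x00\x02", "carol": b"\x00\x03"}
    return {u: insert_password(p, salts[u] if salted else b"") for u, p in USERS.items()}


def demo() -> Tuple[int, int]:
    """Number of f evaluations the attacker spends on the unsalted and on the
    salted file; the same words are tried, and the same users fall, in both cases."""
    unsalted, n_unsalted = dictionary_attack(build_file(False), WORDS)
    salted, n_salted = dictionary_attack(build_file(True), WORDS)
    assert unsalted == salted == {"alice": "manager", "bob": "manager"}
    return n_unsalted, n_salted


if __name__ == "__main__":
    print("f evaluations, unsalted vs salted:", demo())   # (4, 12)
```

With one shared (empty) salt the attacker hashes each word once and compares it with every entry; with a salt per user the same dictionary costs one pass per distinct salt, which is the slowdown the salting slide describes. Raising ITERATIONS multiplies both the attacker's and the legitimate login's cost by the same factor.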

Matched Passwords
A set of matched password pairs is shared by system and user
When the user wants to log in
– The system presents to the user one element of a pair chosen from the set
– The user has to present the other element
A generalisation of this concept is the use of an algorithm to obtain the passwords
– E.g. the system chooses an integer and presents it to the user
– The user uses this integer as input to a function known only to the user and the system
– The output of the function is the password
Finally, we arrive at the concept of one-time passwords

Password Replay Attack
Passwords can be stolen during transmission
A password can be protected by
– Encrypting it at the sender workstation
– Decrypting it at the receiver workstation
Such protection has limited value
– An intruder may intercept and steal the encrypted password and replay the user ID and the encrypted password later on
– The problem is that the receiving system accepts the encrypted password as proof of identity: the intruder never needs to decrypt it

One-time Passwords
The concept of one-time passwords is to dynamically generate unpredictable passwords that are valid for a single access to the secure system
One-time passwords are often implemented using token cards, although software-based implementations also exist
Since a one-time password cannot be reused, stealing it does not pose the security risk of the password replay attack

Token Cards
With a token card the user enters a PIN code through a keypad on the card
The card has a built-in processor that verifies the PIN code and generates a number that is unpredictable to an outsider (it is derived from a secret shared with the system)
The user enters that number as the one-time password for the logon process
The receiving system verifies the password
– At set-up time an application is installed on the system that can generate the same number for a given user ID
– If the two numbers correspond, the user is authenticated
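The algorithmic matched passwords, the replay attack and the one-time passwords of the preceding slides, as an added example that is not code from the original lecture. The slides leave the user's function and the token's generator unspecified; here HMAC-SHA256 is assumed for the challenge-response function and a Lamport/S/KEY-style SHA-256 hash chain for the one-time passwords. Secrets and seeds are constructed for the demo.

```python
"""Challenge-response and hash-chain one-time passwords, with a replayed value rejected.

Added example, not code from the original slides.  HMAC-SHA256 and a SHA-256
hash chain are assumed stand-ins for the functions the slides leave open.
"""
import hashlib
import hmac
import secrets
from typing import Tuple


# --- Matched passwords by algorithm: the system sends an integer, the user
#     answers with f(secret, integer).  A fresh integer each time means a
#     captured answer is useless for the next login.
def new_challenge() -> int:
    return secrets.randbits(64)


def answer(shared_secret: bytes, chal: int) -> bytes:
    return hmac.new(shared_secret, chal.to_bytes(8, "big"), hashlib.sha256).digest()


def verify_answer(shared_secret: bytes, chal: int, resp: bytes) -> bool:
    return hmac.compare_digest(answer(shared_secret, chal), resp)


# --- One-time passwords from a hash chain.  Enrolment stores h^n(seed) on the
#     system; the i-th password is h^(n-i)(seed).  A used password does not
#     reveal the next one, since that would mean inverting h.
def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, times: int) -> bytes:
    for _ in range(times):
        x = h(x)
    return x


class Token:
    """User side (token card or software): holds the seed and a counter."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.remaining = seed, n

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted; re-enrol")
        self.remaining -= 1
        return h_iter(self.seed, self.remaining)


class Verifier:
    """System side: stores only the last accepted value, never the seed."""

    def __init__(self, last: bytes):
        self.last = last

    def login(self, presented: bytes) -> bool:
        if hmac.compare_digest(h(presented), self.last):
            self.last = presented   # step down the chain; the old value is now dead
            return True
        return False


def enrol(seed: bytes, n: int) -> Tuple[Token, Verifier]:
    return Token(seed, n), Verifier(h_iter(seed, n))


def demo() -> Tuple[bool, bool, bool, bool]:
    """(first login ok, replay rejected, next login ok, replayed answer rejected)."""
    token, system = enrol(b"constructed-seed", n=100)
    p1 = token.next_password()
    first = system.login(p1)
    replay = system.login(p1)                   # intruder replays the stolen value
    second = system.login(token.next_password())
    secret = b"constructed-shared-secret"
    c1 = new_challenge()
    c2 = new_challenge()
    while c2 == c1:                             # the system never reuses a challenge
        c2 = new_challenge()
    captured = answer(secret, c1)               # intruder records one exchange
    cr_replay = verify_answer(secret, c2, captured)
    return first, not replay, second, not cr_replay
```

The verifier holds h^k(seed) and accepts a value v only if h(v) equals it, then replaces it with v: the value an eavesdropper captured is exactly the one that no longer verifies. The chain is finite (n logins), after which the user must re-enrol with a new seed.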

Single Sign-on
In an IT environment, passwords control access to computers, networks, programs, files, ...
Users would not find it convenient to enter passwords over and over again when navigating the Internet
Single sign-on solves the problem
– The user enters his password once
– The system stores the password
– Whenever a password is needed, the system does the job for the user

Single Sign-on vs Repeated Authentication
A single sign-on service adds convenience, but it also raises new security concerns
Stored passwords have to be protected
– One-way cryptographic protection cannot be applied, because the system needs the passwords as readable plaintext in order to present them to the other services
To reduce the chance that an attacker uses an unattended machine where another user is already logged on, authentication may be demanded
– At the start of a session
– At certain intervals within the session
Choosing between single sign-on and repeated authentication is a trade-off between ease of use and security

Alternative Approaches (1)
Password-based authentication is the most common mechanism
A user can also be authenticated on the basis of
Something the user knows
– A user is identified on the basis of his answering a set of questions posed by the system
Something the user holds
– The user has to present a physical token to be authenticated
» Key
» Smart card
– Physical tokens may be lost or stolen
– To increase security they are often used together with something the user knows
» Password
» E.g. bank card with a PIN

Alternative Approaches (2)
Something the user "is"
– Biometrics are used to authenticate persons
» Computerized facsimile systems: the user's image is stored, and identification occurs by matching the person with his stored image
» Fingerprint-based systems: identification is the result of a match between the user's fingerprints and the stored ones
» Voice-recognition-based systems: the user's voice is matched against its stored version
» Retinal-feature-based systems: identification is made by examining the features of the user's retina

Alternative Approaches (3)
Some problems of biometric authentication
– With biometrics a stored pattern is compared with the actual measurements taken, but these patterns will hardly ever match precisely
– We have to face a new problem: false positives (an impostor accepted) and false negatives (a legitimate user rejected); the matching threshold trades one against the other
Something the user does
– Authentication is based on some mechanical task that people perform in a way that is both repeatable and specific to the individual
» E.g. checking a handwritten signature (writing speed and writing pressure)

Alternative Approaches (4)
Where the user is
– When a user logs in, the system may also take into account where the user is
– Some OSs grant access only if the user logs in from a certain terminal
» E.g. a system manager may only log in from an operator console, but not from an arbitrary user terminal

Systems Management
Once the system has been installed and is operational, its security mechanisms should prevent illegal user actions, but
– The protection mechanisms or the implemented policy may be inadequate or flawed
It is therefore advantageous to have further mechanisms which allow security violations or other suspicious events to be detected while they are happening or after they have happened

Intrusion Detection
Early detection of an intrusion allows the intruder to be expelled before he can cause damage, or at least limits the damage
These mechanisms may also serve as a deterrent
Intrusion detection allows information to be collected about intrusion techniques, which may be used to strengthen intrusion prevention mechanisms
These techniques may also try to detect abuses by legitimate users

Audit Logs and Intrusion Detection
A classification of such mechanisms
– Auditing: records security-relevant events in an audit log (audit trail) for later analysis
– Intrusion detection: detects suspicious events when they happen and informs the system manager
– Automatic retaliation (intrusion response): reacts immediately to security alarms by taking appropriate actions
There may be false alarms, and it is doubtful whether automatic retaliation is always a good idea: an attacker who can trigger the alarm at will can turn the response itself into a denial of service

Audit Log
It is important to keep the audit log in a secure place
– Attackers who are able to change the audit log are in a perfect position to hide their traces
Set the logical protection on the audit log so that only privileged users have write access
Send the audit log to another computer where root on the audited machine has no superuser privilege, and which possibly lacks optional utilities like compilers, editors and certain network utilities
– The attacker then has to gain access to two different systems, and without those utilities it is more difficult to gain root access to the audit machine
Send the audit log to a secure printer: an entry already printed cannot be altered afterwards

Administrative Side
On the administrative side we have to decide on
– The security-relevant events that should be logged
– The time an audit log has to be kept
There is a trade-off between
– The number of different events logged
– And the ability of the operator to scan through an audit log
The more events are declared to be security relevant, the more extensive the audit log will be, and it may become difficult to spot intrusion attempts
If too few events are recorded, it becomes more difficult to establish how an attack was conducted once it has been detected

Native Audit Log vs Specific Audit Log
Native audit log
– All OSs include accounting software that collects information on user activity
– The disadvantage is that the information collected by the accounting software may not contain useful information for security purposes
Detection-specific audit log
– A specific mechanism is designed to collect only the information needed for intrusion detection purposes

Detection-specific Audit Log
An example of a detection-specific audit log record contains the following fields
Subject: who started the action
– A user working on some terminal
– A process executing in a user's domain
Action: the operation accomplished by the subject
– I/O operations, ...
Object: what the operation works on
Exception: the exception raised by the operation, if any
Resource usage: a list of elements giving the amount of each resource used
Time stamp: the time of execution

Intrusion Detection Techniques
Assume the behaviour of the intruder differs from that of the legitimate user
Overlaps in behaviour may occur
– A loose interpretation of intruder behaviour will detect more intruders but also produce 'false positives' (legitimate users flagged as intruders)
– Trying to limit 'false positives' will increase 'false negatives', that is, some intruders will be taken for legitimate users
Expert systems and techniques from artificial intelligence may be used in intrusion detection systems
These techniques may also be used to scan through the audit log

Intrusion Detection Approaches (1)
Statistical anomaly detection
– Data related to the behaviour of legitimate users are collected over a certain period of time
– Statistical approaches are used to determine whether the current behaviour is not a legitimate one
» Defining user-independent thresholds on the occurrence rate of certain events
» Or outlining a specific profile for each legitimate user, used to detect changes in that user's behaviour
– Useful for detecting an intruder who uses the account of a legitimate user, but may not detect abuses by legitimate users

Intrusion Detection Approaches (2)
Rule-based detection
– Rules are developed to detect deviations from previous usage patterns
– An expert system searches for suspicious behaviour
– Useful for detecting abuses by legitimate users
A system may use a combination of the two approaches
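The two approaches of the preceding slides run over a detection-specific audit log with the fields listed earlier (subject, action, object, exception, resource usage, time stamp), as an added example that is not code from the original lecture. The text format of the records, the per-user profile (mean and standard deviation of CPU usage), the threshold k and the single rule are assumptions; the log lines are constructed for the demo.

```python
"""Statistical anomaly detection and rule-based detection over an audit log.

Added example, not code from the original slides.  Record format, profiles,
threshold and rule are assumed; the log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed audit trail: "timestamp subject action object exception cpu_ms".
TRAINING_LOG = """\
1000 alice read /home/alice/notes - 20
1060 alice write /home/alice/notes - 25
1120 alice read /home/alice/mail - 18
1180 alice exec /usr/bin/mail - 22
1240 alice read /home/alice/notes - 19
1300 bob read /home/bob/todo - 30
1360 bob write /home/bob/todo - 28
1420 bob exec /usr/bin/vi - 35
"""

NEW_LOG = """\
2000 alice exec /usr/bin/cc - 900
2010 bob read /etc/shadow EACCES 30
2015 bob read /root/.rhosts EACCES 29
2020 bob read /etc/master.passwd EACCES 31
2100 alice read /home/alice/notes - 21
"""


@dataclass
class Record:
    ts: int
    subject: str
    action: str
    obj: str
    exception: str   # "-" when the operation raised none
    cpu_ms: int      # the resource-usage field, reduced to one element


def parse(log: str) -> List[Record]:
    recs = []
    for line in log.splitlines():
        ts, subject, action, obj, exc, cpu = line.split()
        recs.append(Record(int(ts), subject, action, obj, exc, int(cpu)))
    return recs


# --- Statistical anomaly detection: one profile per legitimate user built from
#     a training period; a later record is flagged when its resource usage lies
#     more than k standard deviations from that user's mean.
def build_profiles(training: List[Record]) -> Dict[str, Tuple[float, float]]:
    by_user = defaultdict(list)
    for r in training:
        by_user[r.subject].append(r.cpu_ms)
    return {u: (mean(v), pstdev(v)) for u, v in by_user.items()}


def statistical_alerts(profiles: Dict[str, Tuple[float, float]],
                       records: List[Record], k: float = 3.0) -> List[str]:
    alerts = []
    for r in records:
        if r.subject not in profiles:
            alerts.append(f"{r.ts} {r.subject}: no profile for this subject")
            continue
        mu, sigma = profiles[r.subject]
        if abs(r.cpu_ms - mu) > k * max(sigma, 1.0):   # floor avoids a zero sigma
            alerts.append(f"{r.ts} {r.subject}: cpu {r.cpu_ms} ms, profile {mu:.0f}+/-{sigma:.0f}")
    return alerts


# --- Rule-based detection: a hand-written rule for a known abuse pattern,
#     here n access-denied exceptions by one subject within a time window.
def rule_alerts(records: List[Record], n: int = 3, window: int = 60) -> List[str]:
    alerts, denied = [], defaultdict(list)
    for r in sorted(records, key=lambda x: x.ts):
        if r.exception != "EACCES":
            continue
        recent = denied[r.subject]
        recent.append(r.ts)
        recent[:] = [t for t in recent if r.ts - t <= window]
        if len(recent) >= n:
            alerts.append(f"{r.ts} {r.subject}: {len(recent)} EACCES within {window}s")
            recent.clear()   # report each burst once
    return alerts


def detect(training: str = TRAINING_LOG, new: str = NEW_LOG) -> Tuple[List[str], List[str]]:
    """Combination of the two approaches: (statistical alerts, rule alerts)."""
    profiles = build_profiles(parse(training))
    recs = parse(new)
    return statistical_alerts(profiles, recs), rule_alerts(recs)
```

The profile catches alice's sudden 900 ms compile, which a rule writer would not have thought of, while bob's three denied reads of password-related files stay within his CPU profile and are caught only by the rule; this is the complementarity the slide refers to. Raising k or n lowers false positives at the price of more false negatives.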

Cryptography (1)
Data confidentiality provides the means to protect information from unauthorized disclosure
It is achieved by encrypting the message at the sender and decrypting it at the receiver
Cryptography has its roots in communication security
– Two entities A and B communicate over an insecure channel
– An intruder has full control over this channel, being able to read, delete and insert messages
– Cryptography allows them to construct a secure logical channel over an insecure physical connection
Access to the physical communication links does not compromise cryptographic protection

Cryptography (2)
In distributed systems, the traffic between clients and servers is a new point of attack
Services and mechanisms for communication security are needed
– Data confidentiality: encryption algorithms hide the content of messages
– Data integrity: integrity check functions provide the means to detect whether a document has been modified
– Data origin authentication: message authentication codes or digital signature algorithms provide the means to verify the source and integrity of a message

Cryptography (3)
Encryption consists of transforming the message in such a way that only the intended recipient can interpret it
– The original data is called plaintext
– The data resulting from applying the encryption algorithm is called ciphertext (the algorithm itself is the cipher)
Decryption is the reverse process: it transforms the ciphertext back into plaintext

Cryptography (4)
The encryption and decryption algorithms may be made public, because message confidentiality depends only on the cryptographic keys
The key used in a cryptographic transformation should be the only item that needs protection
It is fundamental for a cryptographic algorithm that keys are chosen from a large key space
[Figure: Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext]

Key Management
Key management is fundamental for the security of cryptographic schemes
Cryptographic keys are sensitive data stored in a computer system
– Access control mechanisms have to protect them
– Access control failures compromise cryptographic protection
We have to consider
– Where keys are generated
– How keys are generated
– Where keys are stored
– How the keys get there
– Where the keys are used
– How to revoke and replace keys

Cryptographic Mechanisms
Cryptographic mechanisms are the basic building blocks of cryptographic protocols
Cryptographic protocols provide key management
In computer security the most used cryptographic mechanisms are
– Cryptographic algorithms (ciphers)
– Integrity check functions (hash functions)

Cryptographic Algorithm Families (1)
The two big families of cryptographic algorithms are
Secret key algorithms (symmetric)
– The key used to encrypt is the same as the one used to decrypt
– The encryption algorithm E and the decryption algorithm D are conceptually the same
– Only the key is secret; the algorithms are public
– The algorithms do not rest on a single hard mathematical problem, but on the combination of several rounds of simple operations such as
» Permutation
» Mappings over a finite set of elements (substitution), e.g. XOR, modular addition, ...
» Permutations and mappings may change from round to round

Cryptographic Algorithm Families (2)
Public key algorithms (asymmetric)
Two keys are used
– Ke, the key used for encryption, is public
– Kd, the key used for decryption, is known only to the owner
– It is computationally infeasible to deduce the private key from the public one, and also to decrypt without the key Kd
The encryption and decryption functions are different
– Encryption is the direct, easy operation
– Decryption is the inverse, and is generally very hard without the private key
These algorithms are based on computational complexity theory: problems believed to be hard, such as factoring or discrete logarithms

Public Key vs Private Key
The limitation of private (secret) key algorithms is the need to exchange the secret key: risk of interception
Public key algorithms have no such need
– The two parties involved each have their own pair of keys, a public one and a private one
– The problem is the computational cost: public key operations are far slower than secret key ones, and the cost grows more than linearly with the key (block) length
They are used for
– Key distribution for private key algorithms
– Digital signatures

Secret and Public Key Algorithms
[Figure, secret key: Plaintext M → Encrypt E with Ke → Ciphertext EKe[M] → Decrypt D = E with the same Ke → Plaintext M]
[Figure, public key: Plaintext M → Encrypt E with Ke → Ciphertext EKe[M] → Decrypt D with Kd → Plaintext M]

Cryptographic Algorithms
The most famous algorithms in the field of secret key are
– DES (Data Encryption Standard)
– IDEA (International Data Encryption Algorithm)
In the field of public key
– RSA (Rivest, Shamir, Adleman)
– Diffie-Hellman

DES (1)
The plaintext M is divided into 64-bit blocks Mi (block cipher)
– If the last block of M is shorter than 64 bits, the remaining bits are filled with 0
The key is 56 bits long (stored as 64 bits, 8 of which are parity bits)
[Figure: Mi (64 bit) → DES with key Ke (56 bit) → Ek[Mi] (64 bit)]

DES Phases (1)
The algorithm consists of the following phases applied to each block Mi
– One initial permutation
– 16 iterations (rounds) of the same operation
– A swap operation
– One inverse permutation

DES Phases (2)
[Figure: Mi (64 bit) → Permutation P1 → Iteration 1 → ... → Iteration 16 → SWAP → Permutation P1^-1 → Ciphertext (64 bit). In parallel, Ke (56 bit) → Permutation P2 → 56 bit; each iteration applies a rotation (RL) to the two key halves and a permutation/compression (P/C) that turns the 56-bit rotated key into the 48-bit round key]

DES Phases (3)
RL (56 bit → 56 bit): the key is broken into two 28-bit halves and each half is rotated to the left
P/C (56 bit → 48 bit): a permutation and compression (permuted choice) of the rotated key yields the 48-bit round key
SWAP (64 bit → 64 bit): the input is broken into two 32-bit halves that are swapped

Iteration i (1)
[Figure: data side, Li-1 (32 bit) and Ri-1 (32 bit): Ri-1 goes through P/E (expansion permutation, 32 → 48 bit), is XORed (A) with the 48-bit round key Ki, passes through the S-boxes (48 → 32 bit) and a permutation, and is XORed (B) with Li-1 to give Ri; Li = Ri-1. Key side, Ci-1 and Di-1 (28 bit each): RL → Ci, Di → P/C → 48-bit round key Ki]

S-Box
The S-boxes are 8 boxes S1, ..., S8, each with 6 input bits and 4 output bits
If the input is 100101
– The first and the last bit (11 = 3) select the row
– The middle four bits (0010 = 2) select the column
S1 (rows 0..3, columns 0..15):
    0: 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
    1:  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
    2:  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
    3: 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
Row 3, column 2 gives 8, i.e. the 4-bit output 1000

Decoding
Encoding step
– Li = Ri-1
– Ri = Li-1 ⊕ F(Ki, Ri-1)
Decoding step
– Ri-1 = Li
– Li-1 = Ri ⊕ F(Ki, Li)
[Figure: (Li-1, Ri-1) → A: F(Ki, Ri-1) computed from Ri-1 and Ki → B: XOR with Li-1 → (Li, Ri)]
F(Ki, Ri-1) makes decoding without the key impossible; F itself need not be invertible, because decryption only recomputes it from Li = Ri-1, which is available in clear

Block Cipher Uses
We have seen DES applied to a single 64-bit block
When the message M is longer than 64 bits, several techniques (modes of operation) based on DES can be used
– Electronic codebook
– Cipher block chaining
The key is 56 bits long
– A brute-force attack requires at most 2^56 attempts
– An enormous number, but reachable today
Double-DES and Triple-DES make the DES algorithm stronger against brute-force attacks

Electronic Codebook
Message M is divided into 64-bit blocks Mi
DES is applied separately to each block
The resulting encrypted blocks are concatenated
M = M1 || M2 || ... || Mn
Ek[M] = Ek[M1] || Ek[M2] || ... || Ek[Mn]
Identical plaintext blocks produce identical ciphertext blocks, so patterns in M remain visible in Ek[M]

Brute Force Attack
The brute force attack consists in trying all possible key values to decrypt the message
The maximum time required for the attack is
    Tmax = t · 2^n / N
– t = time required for one verification
– n = key length in bits
– N = number of parallel computers
E.g.
– With a computer that makes 10^6 attempts every second, DES (2^56 keys) is broken in at most T ≈ 2,000 years
– With a highly parallel machine, T ≈ 21 minutes

Cipher Block Chaining
Each plaintext block is XORed with the previous ciphertext block before encryption; the first block is XORed with an initialisation vector IV
M = M1 || M2 || ... || Mn
Ek[M] = C1 || C2 || ... || Cn, with Ci = Ek[Mi ⊕ Ci-1] and C0 = IV
Identical plaintext blocks now encrypt differently, and each ciphertext block depends on all the preceding ones
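The Feistel encode/decode steps of the Decoding slide, and the ECB and CBC modes of the last slides, as an added example that is not code from the original lecture. The round function F and the key schedule are stand-ins (truncated SHA-256) for DES's expansion, S-boxes and permutations; the point is that decryption reverses encryption whatever F is, since F is only recomputed, never inverted. The padding scheme, key and message are assumptions constructed for the demo.

```python
"""A 16-round Feistel cipher (the DES skeleton) with ECB and CBC modes on top.

Added example, not code from the original slides.  F and the key schedule
are stand-ins; padding, key and message are constructed.
"""
import hashlib
import os
from typing import List

BLOCK = 8        # 64-bit block, as in DES
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> List[bytes]:
    """Key schedule stand-in: 16 round keys K_1..K_16 derived from the key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def F(k: bytes, r: bytes) -> bytes:
    """F(K_i, R_{i-1}): any keyed function works; it need not be invertible."""
    return hashlib.sha256(k + r).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for k in round_keys(key):
        l, r = r, xor(l, F(k, r))        # L_i = R_{i-1};  R_i = L_{i-1} xor F(K_i, R_{i-1})
    return r + l                          # final swap, as in DES


def decrypt_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]           # undo the final swap: (R_16, L_16)
    for k in reversed(round_keys(key)):
        r, l = l, xor(r, F(k, l))        # R_{i-1} = L_i;  L_{i-1} = R_i xor F(K_i, L_i)
    return l + r


def pad(m: bytes) -> bytes:              # assumed PKCS#7-style padding
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m: bytes) -> bytes:
    return m[:-m[-1]]


def blocks(m: bytes) -> List[bytes]:
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(encrypt_block(key, b) for b in blocks(pad(msg)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key: bytes, msg: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = encrypt_block(key, xor(b, prev))   # C_i = E_k[M_i xor C_{i-1}], C_0 = IV
        out.append(prev)
    return iv + b"".join(out)                     # IV is sent in clear ahead of the blocks


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = [], iv
    for b in blocks(body):
        out.append(xor(decrypt_block(key, b), prev))   # M_i = D_k[C_i] xor C_{i-1}
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that also occur earlier in the ciphertext."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


MESSAGE = b"ATTACK!!" * 4 + b"AT DAWN"   # constructed: one 8-byte record repeated
KEY = b"7bytes!"                         # constructed 56-bit key, as in DES


def demo() -> dict:
    iv = os.urandom(BLOCK)
    ecb, cbc = ecb_encrypt(KEY, MESSAGE), cbc_encrypt(KEY, MESSAGE, iv)
    return {
        "ecb_roundtrip": ecb_decrypt(KEY, ecb) == MESSAGE,
        "cbc_roundtrip": cbc_decrypt(KEY, cbc) == MESSAGE,
        "ecb_repeats": repeated_blocks(ecb),          # 3: the repeated record shows through
        "cbc_repeats": repeated_blocks(cbc[BLOCK:]),  # 0: the chaining hides it
    }
```

decrypt_block walks the rounds backwards with the same F: each step already has L_i = R_{i-1} in clear, recomputes F(K_i, R_{i-1}) and XORs it off, which is why a one-way F is fine inside a Feistel network. The repeated-block count is the ECB leak made measurable; in CBC the IV must be fresh for every message, otherwise two messages with the same prefix leak that fact through identical leading blocks.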

Double-DES
A way to attack Double-DES is the meet-in-the-middle attack
[Figure, encryption: Mi → DES with K1 → X → DES with K2 (K2 ≠ K1) → Ek[Mi]]
[Figure, attack: encrypt Mi under every K1 and decrypt Ek[Mi] under every K2; a match on the intermediate value X reveals a candidate pair (K1, K2)]
The attack costs about 2 · 2^56 DES operations plus a table of 2^56 entries, so double encryption buys roughly one bit of security, not 56
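The meet-in-the-middle attack of the slide above, as an added example that is not code from the original lecture. A toy 16-bit block cipher with 12-bit keys stands in for DES so that the attack runs in under a second; the attack itself is the generic one of the slide and applies unchanged to Double-DES with 2 · 2^56 operations instead of 2^112. Keys and plaintexts are constructed for the demo.

```python
"""Meet-in-the-middle attack on double encryption.

Added example, not code from the original slides.  The toy cipher is a
stand-in for DES; only its invertibility matters for the attack.
"""
from typing import Dict, List, Tuple

MASK = 0xFFFF
KEY_BITS = 12
KEYS = 1 << KEY_BITS


def rotl(x: int, n: int) -> int:
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr(x: int, n: int) -> int:
    n %= 16
    return ((x >> n) | (x << (16 - n))) & MASK


def enc(k: int, m: int) -> int:
    """Toy 16-bit block cipher with a 12-bit key (not secure, just invertible)."""
    return rotl((m + k) & MASK, k) ^ ((k * 0x9E37) & MASK)


def dec(k: int, c: int) -> int:
    return (rotr(c ^ ((k * 0x9E37) & MASK), k) - k) & MASK


def double_enc(k1: int, k2: int, m: int) -> int:
    return enc(k2, enc(k1, m))           # E_K2[E_K1[M]], as in the Double-DES figure


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Tuple[List[Tuple[int, int]], int]:
    """Given known (plaintext, ciphertext) pairs, recover candidate (K1, K2) pairs.
    Returns (candidates, number of single-block cipher operations spent)."""
    (m0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    # Forward half: X = E_K1[M] for every K1, kept in a table indexed by X.
    table: Dict[int, List[int]] = {}
    for k1 in range(KEYS):
        table.setdefault(enc(k1, m0), []).append(k1)
        ops += 1
    # Backward half: X = D_K2[C] for every K2; a hit in the table "meets in the middle".
    found = []
    for k2 in range(KEYS):
        x = dec(k2, c0)
        ops += 1
        for k1 in table.get(x, []):
            # A 16-bit meeting point admits false positives; the other pairs weed them out.
            if all(double_enc(k1, k2, m) == c for m, c in rest):
                found.append((k1, k2))
    return found, ops


def demo() -> Tuple[bool, int, int]:
    """(true key pair recovered, cipher operations spent, cost of naive brute force)."""
    k1, k2 = 0x123, 0xABC                        # the secret key pair (constructed)
    plaintexts = [0x0000, 0x1234, 0xBEEF, 0x5A5A]
    pairs = [(m, double_enc(k1, k2, m)) for m in plaintexts]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2) in found, ops, KEYS * KEYS   # (True, 8192, 16777216)
```

The attacker pays 2 · 2^12 cipher operations and a table of 2^12 entries instead of the 2^24 double encryptions a brute-force search over both keys would need; scaled to DES the figures are 2 · 2^56 against 2^112, which is why Double-DES is not worth its cost and Triple-DES is used instead.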

Triple-DES
Triple-DES is adopted to counter the meet-in-the-middle attack on Double-DES
[Figure: Mi → DES with K1 → DES with K2 → DES with K3 → Ek[Mi]]
Equivalent to a 112-bit key: a meet-in-the-middle attack still exists, but it costs about 2^112 operations

IDEA (1)
IDEA (Lai and Massey, 1991) was proposed as a replacement for DES, whose 56-bit key had become too short against brute-force attacks
Like DES it works on 64-bit blocks
The same algorithm is used to encrypt and decrypt
What makes IDEA stronger than DES is the 128-bit key
The algorithm is based on 8 iterations applied to each block, mixing three operations on 16-bit words
– XOR
– Addition modulo 2^16
– Multiplication modulo 2^16 + 1
IDEA (2)
Each block is divided into four 16-bit sub-blocks
The cryptographic key is divided into eight 16-bit fragments
Each sub-block is added to or multiplied with a fragment of the cryptographic key
At each iteration only six key fragments are used
When every key fragment has been used, the key is shifted 25 bits to the left
When the last iteration is done, the first four operations are re-applied to obtain one 64-bit encrypted block
Iteration i
[Diagram: the 128-bit key split into K1 ... K8 and the 64-bit message into M1 ... M4; the sub-blocks are combined as B1*K1, B2+K2, B3+K3, B4*K4, then XORed, multiplied and added with K5 to give B1', B2', B3', B4']
Decryption
To decrypt the ciphertext the same encryption algorithm is used; the only difference is that the key sub-blocks are taken in inverse order
Key Establishment Protocols
Before a symmetric cryptographic algorithm can be used, all the keys have to be in the right place
Cryptographic protocols that establish keys for use by other protocols are known as 'key establishment protocols'
Some, known as key agreement protocols, involve only the parties that want to establish a shared key
E.g., Diffie-Hellman Protocol
Others, key transport protocols, require the services of a trusted third party, a Key Distribution Centre (KDC)
E.g., Needham-Schroeder Protocol
Needham-Schroeder Protocol (1)
The Needham-Schroeder protocol is an n-way challenge-response authentication protocol
Two parties A and B obtain their session key from a server S (the KDC)
Initially, both parties share a secret key with the KDC
Ka
Kb
A symmetric algorithm is used for encryption
Nonces are included in the messages to prevent replay attacks
Needham-Schroeder Protocol (2)
Principal A informs the KDC of its intention to establish a connection with B
The message contains a big random number (a nonce) Na
The KDC responds with a message, encrypted with Ka, containing
Na
a session key Ks
an encrypted message Kb(A,Ks) which A has to send to B
the identity of B
Principal A sends to B
the message Kb(A,Ks)
a nonce Na2 encrypted with the session key
Needham-Schroeder Protocol (3)
B responds to A with
(Na2 - 1) encrypted with the session key, to prove that it is B
Na would not work because an intruder may have intercepted it previously
a nonce Nb
Now A is sure to be talking with B
The last protocol message is a response from A to B
the nonce Nb - 1 encrypted with the session key
Now B knows that it is talking with A
Needham-Schroeder Protocol (3)
Message exchange between A, B and the KDC:
1. A → KDC: Na, A, B
2. KDC → A: Ka(Na, B, Ks, Kb(A, Ks))
3. A → B: Kb(A, Ks), Ks(Na2)
4. B → A: Ks(Na2 - 1), Nb
5. A → B: Ks(Nb - 1)
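The five messages above run end to end, as an added example that is not part of the slides. Encryption is modelled symbolically (an assumption of this example): Kx(...) is a sealed box that only the holder of the same key can open, which is enough to show why each nonce check is there and what a wrong key or a replayed message 2 runs into.

```python
import secrets


# Symbolic encryption (Dolev-Yao style, an assumption of this example): Kx(...) becomes a
# sealed box that only the holder of the same key can open. No real cipher is involved.
def enc(key, *fields):
    return ("enc", key, fields)


def dec(key, box):
    tag, k, fields = box
    if tag != "enc" or k != key:
        raise ValueError("decryption failed: wrong key")
    return fields


class KDC:
    """Server S: shares a long-term key with every principal."""

    def __init__(self, keys):
        self.keys = keys                        # e.g. {"A": "Ka", "B": "Kb"}

    def reply(self, na, a, b):                  # message 2: Ka(Na, B, Ks, Kb(A, Ks))
        ks = "Ks-" + secrets.token_hex(4)       # fresh session key
        ticket = enc(self.keys[b], a, ks)       # Kb(A, Ks): A forwards it but cannot read it
        return enc(self.keys[a], na, b, ks, ticket)


class Responder:
    """Principal B."""

    def __init__(self, kb):
        self.kb, self.ks, self.nb = kb, None, None

    def handle3(self, ticket, challenge):       # message 3 in, message 4 out
        _peer, self.ks = dec(self.kb, ticket)
        (na2,) = dec(self.ks, challenge)
        self.nb = secrets.randbits(64)
        return enc(self.ks, na2 - 1), self.nb   # Ks(Na2 - 1), Nb

    def handle5(self, reply):                   # message 5: Ks(Nb - 1)
        (value,) = dec(self.ks, reply)
        return value == self.nb - 1             # True: B now knows it talks to A


def initiator(a, ka, b, kdc, responder):
    """Principal A's side; returns (Ks, A convinced it talks to B, B convinced it talks to A)."""
    na = secrets.randbits(64)                                   # message 1: Na, A, B in clear
    na_back, b_back, ks, ticket = dec(ka, kdc.reply(na, a, b))  # message 2
    if na_back != na or b_back != b:
        raise ValueError("stale or misdirected KDC reply")      # a replayed message 2 fails here
    na2 = secrets.randbits(64)
    m4, nb = responder.handle3(ticket, enc(ks, na2))            # message 3 -> message 4
    (value,) = dec(ks, m4)
    a_ok = value == na2 - 1                                     # only a holder of Ks could do this
    b_ok = responder.handle5(enc(ks, nb - 1))                   # message 5
    return ks, a_ok, b_ok
```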
RSA
The security of the RSA algorithm derives from the complexity of factorising a big integer into two big prime factors
n = p*q, where p and q are big prime numbers
n may be public; this does not compromise the secrecy of p and q
The public key is composed of a pair (Ke, n)
Ke is chosen randomly with the constraint of being relatively prime to (p-1)(q-1)
The private key is (Kd, n)
Kd is chosen so that Ke*Kd mod [(p-1)(q-1)] = 1
Key length may vary from 40 up to 1024 bits
Key length impacts heavily on the computational time necessary for the encoding and decoding functions
Encryption and Decryption
To encrypt a message Mi, the public key Ke is used
Ci = Encrypt(Mi) = Mi^Ke mod n
To decrypt the ciphertext Ci, the private key, known only by its owner, is used
Mi = Decrypt(Ci) = Ci^Kd mod n
E.g., subject S1 wants to send a message to S2
S1 encrypts the message using the public key of S2
S2 receives the encrypted message and decrypts it using its own private key
RSA Example (1)
Choose two prime numbers p and q
p = 3, q = 11
Calculate n = pq = 33 and z = (p-1)(q-1) = 20
Choose Kd relatively prime to z
Kd = 7
Choose Ke so that Ke*Kd mod z = 1
Ke = 3
Then C = P^3 (mod 33) and P = C^7 (mod 33)
P = plaintext
C = ciphertext
RSA Example (2)
code (P)   P^3      P^3 mod 33 (C)   C^7          C^7 mod 33
26         17576    20               1280000000   26
1          1        1                1            1
14         2744     5                78125        14
5          125      26               8031810176   5
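The example above carried out in code, added here and not part of the slides: key generation follows the slide's steps (the modular inverse of Kd gives Ke), and rsa_table rebuilds the table for p = 3, q = 11, Kd = 7. The same functions work for any primes, which is the general algorithm of which the slide shows one instance.

```python
import math


def rsa_keygen(p, q, kd):
    """Follows the slide: n = p q, z = (p-1)(q-1), Kd relatively prime to z, Ke = Kd^-1 mod z.
    Returns ((Ke, n), (Kd, n)), i.e. the public key and the private key."""
    n, z = p * q, (p - 1) * (q - 1)
    if math.gcd(kd, z) != 1:
        raise ValueError("Kd must be relatively prime to (p-1)(q-1)")
    ke = pow(kd, -1, z)                  # Ke * Kd mod z == 1 (modular inverse, Python 3.8+)
    return (ke, n), (kd, n)


def rsa_encrypt(m, public_key):
    ke, n = public_key
    if not 0 <= m < n:                   # each block must be an integer smaller than n
        raise ValueError("plaintext block must be smaller than n")
    return pow(m, ke, n)                 # C = P^Ke mod n


def rsa_decrypt(c, private_key):
    kd, n = private_key
    return pow(c, kd, n)                 # P = C^Kd mod n


def rsa_table(values, public_key, private_key):
    """Rebuilds the slide's table: rows of (P, P^Ke, P^Ke mod n, C^Kd, C^Kd mod n)."""
    ke, _ = public_key
    kd, _ = private_key
    rows = []
    for m in values:
        c = rsa_encrypt(m, public_key)
        rows.append((m, m ** ke, c, c ** kd, rsa_decrypt(c, private_key)))
    return rows
```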
Diffie-Hellman
The Diffie-Hellman algorithm permits key exchange between two subjects
Subject A sends a message to subject B
Subject B sends a message to subject A
After the message exchange, subjects A and B own a secret key that may be used to encrypt further messages
The two messages can be intercepted by everyone, but only A and B own the secret key
The algorithm is based upon a mathematical problem
Given a prime modulus p, a base a, and the value y = a^x mod p
Find the discrete logarithm x of y
How Diffie-Hellman works
The two subjects have to calculate and transmit to each other the following values Yi and Yj
Yi = a^xi mod q for subject i
Yj = a^xj mod q for subject j
where x is taken randomly, and kept secret, from the set (1, ..., p-1), p being a prime number
The secret key Kij = a^(xi xj) mod q
For subject i: Kij = Yj^xi mod q
For subject j: Kij = Yi^xj mod q
An intruder knows Yj and Yi but not xi or xj, and it is quite impossible to calculate
xi = log_a(Yi) mod p
or xj = log_a(Yj) mod p
Discrete Logarithm Problem (DLP)
p is a prime number, e.g. p = 7
a is a primitive root of p, e.g. a = 3
b = a^i mod p
Knowing i, it is easy to calculate b
3^1 mod 7 = 3
3^2 mod 7 = 2
3^3 mod 7 = 6
3^4 mod 7 = 4
It is extremely difficult to calculate i knowing b, a and p, especially when a and p are big
i = log_a(b) mod p
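The exchange and the underlying problem in code, as an added example that is not part of the slides, using the slide's toy parameters p = 7, a = 3 (the modulus is called p throughout, where the slides alternate between p and q). Both subjects arrive at the same Kij; the last function shows what an intruder who saw only Yi and Yj can do when p is this small, which is why real parameters are hundreds of digits long.

```python
import secrets


def is_primitive_root(a, p):
    """a is a primitive root of p when a^1 ... a^(p-1) mod p cover every value in 1 ... p-1."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1


def power_table(a, p):
    """The easy direction: i -> b = a^i mod p (the slide's 3^i mod 7 column)."""
    return {i: pow(a, i, p) for i in range(1, p)}


def discrete_log(a, b, p):
    """The hard direction: find i with a^i mod p = b. By exhaustion here, feasible only for tiny p."""
    for i in range(1, p):
        if pow(a, i, p) == b:
            return i
    return None


def dh_private(p):
    return secrets.randbelow(p - 1) + 1     # x taken at random from 1 ... p-1 and kept secret


def dh_public(a, x, p):
    return pow(a, x, p)                      # Y = a^x mod p, sent in the clear


def dh_shared(y_other, x, p):
    return pow(y_other, x, p)                # Kij = Yj^xi mod p = Yi^xj mod p = a^(xi xj) mod p


def dh_exchange(a, p):
    """Both sides of the exchange; returns (Ki, Kj, Yi, Yj, xi, xj)."""
    xi, xj = dh_private(p), dh_private(p)
    yi, yj = dh_public(a, xi, p), dh_public(a, xj, p)
    return dh_shared(yj, xi, p), dh_shared(yi, xj, p), yi, yj, xi, xj


def intruder_recovers_key(a, p, yi, yj):
    """An intruder holding only Yi and Yj must solve the DLP for xi first; trivial for p = 7 only."""
    xi = discrete_log(a, yi, p)
    return dh_shared(yj, xi, p) if xi is not None else None
```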
Hash Functions (1)
Cryptography is the principal mechanism to ensure confidentiality
Hash functions are used
for data integrity
in digital signature algorithms
Simple hash functions are
Transposition
Substitution
Specific algorithms were created for use in digital signature protocols
SHA-1 (Secure Hash Algorithm)
MD5
Through verification mechanisms, it is possible to detect message manipulations
Hash Functions Properties
Hash functions
transform arbitrary-length information into a fixed-length code (the message digest)
are not invertible
Using hash functions makes it highly improbable to obtain two equal digests from two different messages
and so to change the message while maintaining the same digest
Message m → Digest h(m)
SHA-1 and MD5
The SHA-1 and MD5 algorithms implement two different one-way hash functions (integrity check functions)
The digest is computed over the message in 512-bit blocks
The message is condensed, using a hash function, obtaining a 'digest'
The digest, 160 bits long for SHA-1 and 128 bits for MD5, is the message digital signature
The two algorithms make it computationally hard to go back to the original message that originated the digest
Certificates
Security using public and private keys is guaranteed only if we are sure that the public key we are using belongs to the user that declared it (the legitimate owner)
The public key-sender association is guaranteed by a Certification Authority (CA) and various intermediate certification units, forming a tree structure called Public Key Infrastructure (PKI)
Trust is propagated from the CA to the terminal nodes
The CA is an institution which guarantees the client and server identity
The PKI's aim is to link public keys with their owners in a secure way
making digital signatures and public key algorithms useful
Digital Certificate Format
[Diagram: certificate fields Certificate Owner, Certificate Validity, Key Exchange (Owner public key), ..., all covered by the CA digital signature]
PKI Hierarchy (1)
Root CA
  Subordinate CA   Subordinate CA   Subordinate CA
    Subordinate CA   Subordinate CA
      CERTIFICATE
PKI Hierarchy (2)
Policy Approving Authority (PAA)
Approves the certificate issuance policies of PCAs
E.g., one per country, cross-certified or certified by the United Nations
Policy Certification Authority (PCA)
Establishes the certificate issuance policy for its community
E.g., state governments or large corporations
Certificate Authority (CA)
Issues certificates to users according to the PCA policy
E.g. Verisign, Entrust, ...
X.509 (1)
X.509 is a standard that specifies the precise format of a digital certificate
Describes the fields that a certificate has to contain
The X.509 standard associates a DN (distinguished name) to each public key to univocally identify the key owner
X.509 (2)
X.509 certificate structure
Certificate version number
Certificate serial number
User public key
DN of the CA that issues the certificate
Validity period
Owner DN
Certificate type
Client (for a client that wants to buy some items on-line)
Server (for a vendor willing to start an e-commerce business)
E-mail
CA digital signature
Cryptanalysis (1)
Cryptanalysis is the science of breaking ciphers
The attacks that can be perpetrated by a cryptanalyst can be classified as follows:
Ciphertext-only attack
The cryptanalyst has only the encrypted text
The probability of success of this attack is remote
Known-plaintext attack
The cryptanalyst possesses the encrypted text and the corresponding cleartext
It permits obtaining the secret key
Chosen-plaintext attack
The cryptanalyst may choose the cleartext, encrypt it and compare the results with the ciphertext he has
Cryptanalysis (2)
Adaptive-chosen-plaintext attack
The cryptanalyst possesses the ciphertext
It is a modification of the previous attack: the cleartext chosen is modified depending on the encryption results
Chosen-ciphertext attack
The cryptanalyst has the cleartext and may choose the ciphertext to decrypt for obtaining the cleartext
Adaptive-chosen-ciphertext attack
The cryptanalyst has the cleartext
The choice of the ciphertext depends on the result of the decryption
Distributed Systems Security
Moving from a centralised system to a distributed system has an impact on security
The assumption on the security of the communication links will hardly hold; we have to take into account
Eavesdropping on passwords
Changes or insertions of messages
Taking over a session
Users are not necessarily registered at the node where they are accessing an object
How do you authenticate users? (1)
User authentication, and in particular access control, can be based on three different policies
The user identity
The network address the user operates from
The distributed service the user is invoking
In all three cases communication via the network introduces new vulnerabilities
If access control decisions are based on user identity, how will the user's access rights travel with them?
The network address implies the maintenance of a list of trusted systems to which access is permitted
Risks come from the weakness of these trusted systems
How do you authenticate users? (2)
We may decide that users coming from certain nodes in the system need not be authenticated again
This implies a strong dependence on the message authentication and the initial entity authentication mechanisms
Delegation (1)
In a distributed system a user may log in at a certain node and then execute a program on a remote node
To obtain resources at the remote node, the program will need the relevant access rights
This, typically, is obtained by 'delegation'
the program is endowed with the access rights of the user
and then runs with these access rights on the remote node
Users may not want to release all their rights to a node they have little control over
Weak protection on the remote node permits an attacker to grab the user's access rights
Delegation (2)
Systems where users can control which rights they delegate, and where accountability mechanisms are able to discern the delegated use of access rights, may therefore be preferred
For popular services, proxy users may be created to deal with remote service requests
First the remote user's permission to run the service is checked
Then the proxy is let perform the requested actions, running with its own rights instead of the rights delegated by the remote user
Security Enforcement
Once the policies are chosen, we have to decide how to enforce them
Where a user is authenticated
Where the access control decisions are taken
Security may be enforced centrally or locally
To enforce security centrally, we may use
an authentication server
and ticket-granting servers
E.g., Kerberos
or install a firewall to control access to the intranet
For the local option, enforcement is left to the OS on the individual nodes
DSSA
or CORBA (middleware protection)
Authentication
Passwords are still the most popular authentication mechanism in distributed systems
Unprotected passwords transmitted over networks are an obvious vulnerability
Password sniffers are programs that listen to the network traffic and extract packets containing passwords and other security-relevant information
Better authentication schemes are needed
Authentication based on public key
Authentication protocols involving a trusted third party
Kerberos
DSSA/SPX
...
Authentication Based on Public Key
Public key algorithms may be used to implement an authentication protocol
The two entities have no need to share a secret key
They only have to know the public key of the partner
Or, better, to use a CA; then they only have to know the CA public key
The protocol consists of two phases
Entity A generates a random number, encrypts it with B's public key and sends the ciphertext to B
Only B may decrypt the message
Entity B uses his private key to decrypt the message and sends the result back to A
In the same way A may authenticate himself to B
Kerberos
Kerberos is an authentication and key distribution system
It authenticates clients to services in a distributed system
assuming a trusted third party with whom both client and server share a secret
Clients and servers participating in network communications are identified with the term 'principal'
The third party cooperates to enable principals to authenticate one another
Authentication is built around the concepts of
Tickets
which have a lifetime and then expire
and central security servers
Kerberos Base Schema
Kerberos makes use of two types of trusted third party
Kerberos authentication server (KAS)
Authenticates principals at login and issues tickets
Enables principals to obtain other tickets from a TGS
Ticket granting servers (TGSs)
Issue tickets that give principals access to network services demanding authentication
KAS and TGS, even if logically separated, are executed on the same host
called key distribution center (KDC)
Kerberos Realm
The KAS is at the heart of a Kerberos realm
A Kerberos realm is a single administrative domain that controls access to a collection of servers
To get Kerberos working
Principals have to be registered with the KAS
The TGSs have to receive access control information
And all the necessary keys have to be put in place by the security administrator
Kerberos Authentication Protocol (1)
Users and also services are associated with an identifier (name, instance, realm)
Name: every service has a name and a host that provides it (instance)
Users have the instance field empty
Each entity is associated with a domain, the realm
The KDC is the trusted subject and contains user IDs and passwords (secret keys) for all system users
Six steps have to take place for client A to access a server B and to establish mutual authentication between A and B
At the end, A and B share a secret key Ka,b to communicate
A symmetric cipher system, like DES, is used for encryption
Step 1
To start a session, user A logs on at a local host
entering user name and password
requesting the service of a ticket-granting server
Message 1 is sent to the KAS; it contains in cleartext
A's identity
The name of the TGS
The expiry date of the requested ticket
A nonce to prevent replay attacks
[Diagram: Client A, KAS, TGS, Server B; message 1 from A to KAS]
Step 2
The KAS generates the session key Ka,tgs and the ticket
Ticketa,tgs = eKtgs[Ka,tgs, A, T1, L1]
eKx[x] is data x encrypted using key Kx
Ktgs is a secret key shared by TGS and KAS
T1 is the creation time
L1 is the expiry date (lifetime) of the ticket
The session key Ka,tgs is created for use between A and the TGS
Session key, ticket and nonce N1 are encrypted with A's secret key Ka and returned to A in message 2
[Diagram: messages 1 and 2 between Client A and KAS]
Step 3
On host A
The key Ka is reconstructed from the password
The session key Ka,tgs is obtained
A creates an authenticator Ka,tgs(A, T3)
T3 is the creation time of the authenticator
In message 3 the authenticator, the ticket, the requested expiry date L2, a nonce N2 and the name of the service are sent to the TGS
[Diagram: messages 1 and 2 between A and KAS, message 3 from A to TGS]
Step 4
The TGS
Decrypts the ticket using Ktgs and verifies the ticket validity against the local clock
Uses the key Ka,tgs from the ticket to check the authenticator
Generates, if all verifications succeed, the session key Ka,b and the ticket
Ticketa,b = eKb[Ka,b, A, T2, L2]
The session key Ka,b and Ticketa,b are encrypted under the session key Ka,tgs that A shares with the TGS and sent to A in message 4
[Diagram: messages 1 and 2 between A and KAS, messages 3 and 4 between A and TGS]
Step 5
Client A stores the encrypted ticket and decrypts the new session key Ka,b
Message 5, which asks B for an authenticated session, contains
Ticketa,b
A new authenticator constructed with the session key Ka,b
[Diagram: messages 1 and 2 between A and KAS, 3 and 4 between A and TGS, message 5 from A to Server B]
Step 6
Upon successful decryption and verification of the time, B sends message 6 containing
The last timestamp received, encrypted with the session key
A receives message 6
Decrypts the timestamp
Compares it with its own copy of T4; if they are equal, B has been authenticated
[Diagram: messages 1 and 2 between A and KAS, 3 and 4 between A and TGS, 5 and 6 between A and Server B]
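The six steps run end to end, as an added example that is not part of the slides. The DES encryption eK[...] is replaced by a toy authenticated encryption built from the standard library (an assumption of this example, so that a wrong key or a tampered ticket is noticed at decryption), Ka is derived from the password, and the TGS and server B apply the same two checks to what they receive: ticket lifetime against the clock, then client name and timestamp of the authenticator.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds: an authenticator older than this is rejected (replay protection)


# --- toy authenticated encryption, standing in for the DES used by Kerberos ---
def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key_hex, obj):
    """eK[obj]: encrypt a JSON object under key K (hex string) and append an HMAC tag."""
    key, pt, iv = bytes.fromhex(key_hex), json.dumps(obj).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def unseal(key_hex, blob):
    key, iv, ct, tag = bytes.fromhex(key_hex), blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


def new_key():
    return os.urandom(16).hex()


def key_from_password(password):
    """Ka is reconstructed from the user's password (step 3); a bare hash is a toy derivation."""
    return hashlib.sha256(password.encode()).hexdigest()


def _check_ticket(ticket, key, auth, now):
    """Shared by the TGS (step 4) and server B (step 6): ticket lifetime, then the authenticator."""
    t = unseal(key, ticket)
    if now > t["t"] + t["life"]:
        raise ValueError("ticket expired")
    a = unseal(t["key"], auth)                   # only a holder of the session key could build it
    if a["client"] != t["client"] or abs(now - a["t"]) > MAX_SKEW:
        raise ValueError("bad authenticator")
    return t, a


class KDC:
    """KAS and TGS on one host; holds the long-term key of every principal."""

    def __init__(self, keys):
        self.keys = keys                         # {"A": Ka, "tgs": Ktgs, "B": Kb}

    def kas(self, msg1, now):                    # step 2
        a, tgs, l1, n1 = msg1                    # message 1 is in cleartext
        k_a_tgs = new_key()
        ticket = seal(self.keys[tgs], {"key": k_a_tgs, "client": a, "t": now, "life": l1})
        return seal(self.keys[a], {"key": k_a_tgs, "ticket": ticket.hex(), "nonce": n1})

    def tgs(self, msg3, now):                    # step 4
        auth, ticket, l2, n2, service = msg3
        t, _ = _check_ticket(ticket, self.keys["tgs"], auth, now)
        k_ab = new_key()
        ticket_ab = seal(self.keys[service],
                         {"key": k_ab, "client": t["client"], "t": now, "life": l2})
        return seal(t["key"], {"key": k_ab, "ticket": ticket_ab.hex(), "nonce": n2})


def server_b(key_b, msg5, now):                  # step 6, run by server B with its own key Kb
    ticket, auth = msg5
    t, a = _check_ticket(ticket, key_b, auth, now)
    return seal(t["key"], {"t": a["t"]})         # message 6: last timestamp under Ka,b


def kerberos_login(kdc, server, user, password, service, now):
    """Client A's side of steps 1-6; returns (Ka,b, whether B proved itself to A)."""
    k_a = key_from_password(password)
    n1 = os.urandom(8).hex()
    r = unseal(k_a, kdc.kas((user, "tgs", 3600, n1), now))                # steps 1-2
    if r["nonce"] != n1:
        raise ValueError("replayed KAS reply")
    k_a_tgs, ticket_tgs = r["key"], bytes.fromhex(r["ticket"])
    n2 = os.urandom(8).hex()
    auth = seal(k_a_tgs, {"client": user, "t": now})                     # Ka,tgs(A, T3)
    r = unseal(k_a_tgs, kdc.tgs((auth, ticket_tgs, 600, n2, service), now))  # steps 3-4
    if r["nonce"] != n2:
        raise ValueError("replayed TGS reply")
    k_ab, ticket_b = r["key"], bytes.fromhex(r["ticket"])
    t4 = now
    msg6 = server((ticket_b, seal(k_ab, {"client": user, "t": t4})), now)   # steps 5-6
    return k_ab, unseal(k_ab, msg6)["t"] == t4
```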
Conclusion
Password guessing and password spoofing attacks are possible
Keys and tickets are held on the client machine, relying on the protection mechanisms of that node
The security of the protocol may be reduced by a weak implementation
E.g., a weak random-number generator for key generation permits finding the keys easily by exhaustive search
DSSA/SPX
SPX is an authentication and key exchange system
It is part of the Distributed System Security Architecture (DSSA)
DSSA is a security architecture for a network of workstations comprising authentication and other facilities
Each node enforces its own security policy
Users have to trust the OS on each node they log in to
Users delegate privileges to the node they are using
SPX
Authentication in SPX involves
Credentials
containing the name and long-term private key of a principal
they represent a user within SPX
can be stored on a server and require the user's password to be initialised
or could be held on smart cards carried by users
Certificates
binding principal names to public keys
Authentication tokens
to authenticate each other
Delegation can be implemented
SPX Base Schema
SPX makes use of two different servers
Certification authority (CA)
Issues public key certificates and can be off-line
It must be trusted only to issue valid certificates
Certificate distribution center (CDC)
Stores the certificates issued by a CA
The CDC function could be offered by a naming service
It has to be on-line during authentication
It does not have to be trusted
SPX distinguishes between
Identity claimants
Identity verifiers
SPX Protocol (1)
Mutual authentication between principals A and B consists in obtaining a session key Ka,b
The key is created by A for use between A and B in a symmetric encryption algorithm
The protocol proceeds as follows
Claimant A sends a message to the CDC asking for the long-term public key of the verifier B
[Diagram: message 1 from A to CDC]
SPX Protocol (2)
The CDC replies with a certificate binding B's identity to its public key Pb
The certificate for principal B, issued by CAa, a certification authority trusted by A, is
Certificate(B, CAa) = sSCAa(CAa, B, Lc, Pb)
i.e. the digital signature of the message (CAa, B, Lc, Pb) obtained with the long-term private key of CAa, which is SCAa
[Diagram: message 1 from A to CDC, message 2 from CDC to A]
SPX Protocol (3)
The claimant A verifies the key Pb using the public verification key of CAa
Then A generates a session key Ka,b, used to generate
An authenticator eKa,b(T, A)
T is a timestamp
A signed ticket for A's short-term public key P'a
sSa(Lt, A, P'a)
Lt is the expiry date of the ticket
A delegator
ePb(Ka,b)
eKa,b(S'a)
S'a is the short-term private key of A
which are all sent to B in message 3
SPX Protocol (4)
If no delegation is intended, the delegator sS'a(ePb(Ka,b)) is used, so that A's short-term private key S'a is not revealed to B
[Diagram: messages 1 and 2 between A and CDC, message 3 from A to B]
SPX Protocol (5)
The verifier B retrieves from the CDC a certificate for the claimant's long-term public key Pa, in order to authenticate that key
[Diagram: messages 1 and 2 between A and CDC, message 3 from A to B, message 4 from B to CDC]
SPX Protocol (6)
The CDC sends a message to verifier B containing
the certificate (A, CAb)
[Diagram: messages 1 and 2 between A and CDC, message 3 from A to B, messages 4 and 5 between B and CDC]
SPX Protocol (7)
The verifier B
Retrieves the session key Ka,b from the delegator using its own long-term private key Sb for decryption
Uses the session key to decrypt the authenticator and compares the timestamp with its own local clock
Checks the signature on the ticket sSa(Lt, A, P'a) using the certified verification key Pa
With delegator ePb(Ka,b), eKa,b(S'a), the verifier B retrieves S'a and confirms that S'a and P'a are a proper key pair
With delegator sS'a(ePb(Ka,b)), the verifier checks the signature on ePb(Ka,b) using P'a
SPX Protocol (8)
When all checks have succeeded, B completes mutual authentication by responding with an authenticator eKa,b(T)
T is a timestamp
The claimant A uses the session key to decrypt the authenticator and verifies T against its own copy
[Diagram: messages 1 and 2 between A and CDC, message 3 from A to B, messages 4 and 5 between B and CDC, message 6 from B to A]
Others...
Other authentication and key distribution systems:
Network Security Program (NetSP), by IBM
It uses a one-way hash function (faster than cryptographic mechanisms) for message integrity checks
The Exponential Security System (TESS)
Is a collection of different tools using the one-way hash function as cryptographic mechanism
Secure European System for Applications in a Multi-vendor Environment (SESAME)
The authentication model is a Kerberos extension using public key cryptographic algorithms
Security APIs
In a distributed system, security often exceeds simple authentication
Different components will not necessarily use the same security mechanisms
Users and application writers are not necessarily security experts
A solution to these issues is the decomposition of the system in layers
An application program interface (API) allows an application in one layer to call services in the layer below, hiding implementation details
An API can relieve the application programmer from security-specific tasks like the implementation/choice of cryptographic algorithms
GSS-API
The Generic Security Service API (GSS-API) provides a simple interface to security services for connection-oriented applications. It provides
Machine independence
Protocol environment independence
Independence from the communications protocol used
Suitability to a range of implementation placements
An application residing on the client workstation accesses security services by issuing a GSS-API call
The call is processed by the security code on the client workstation
The client application communicates directly with the server application over the network
GSS-API Usage
[Diagram: on the client, Client Application → GSS-API → Security Code; on the server, Security Code → GSS-API → Server Application]
1. Call GSS_SEAL
2. Encrypted message
3. Call GSS_UNSEAL
4. Decrypted message
CORBA (1)
In a distributed system, the service layer is the most appropriate location for security enforcement
It provides a common standard for security enforcement across the different OSs
It presents to application writers an intermediate layer providing the interface to the underlying OS
An object request broker (ORB) handles the interaction between users and objects, and between objects
CORBA
includes interfaces for managing policy objects as well as access control on such interfaces
does not prescribe specific policies
CORBA (2)
Some applications are security aware, explicitly requesting the protection they need
In some cases, security should be enforced without involving the application
Objects have to delegate their privileges when invoking services
Policies may restrict the extent of delegation
Objects with similar protection requirements are grouped into domains
The domain security policy is enforced by the ORB
CORBA (3)
Interoperability between ORBs will be supported by
Bridges
Gateways
Inter-ORB protocols like
General Inter-ORB Protocol (GIOP)
Internet Inter-ORB Protocol (IIOP)
SECIOP is the security inter-ORB protocol
To facilitate a uniform interpretation of access rights, there is a set of standard access rights
Get
Set
Manage
To enhance flexibility, there is also the option to define additional rights
CORBA (4)
The CORBA security services include
Authentication
Security context establishment
Authorization and access control with
ACLs
Capabilities
Role-based access control
Message protection, mainly (but not only) with encryption
Audit
Non-repudiation
Digital Signatures (1)
The introduction of the digital signature also permits ensuring (in data transmission):
Integrity
Non-repudiation
The possibility to univocally identify the message author, who cannot deny authorship of the message, and the receiver, who cannot deny having received the message
A digital signature scheme consists of
A signature algorithm
A verification algorithm
Digital signature algorithms are
ElGamal algorithm
Schnorr algorithm
Digital Signature Standard (DSS)
Digital Signatures (1)
In digital signature algorithms are used
For encryption
Diffie-Hellman algorithm
RSA algorithm
For hashing
SHA-1
MD5
Digital Signature Algorithm (1)
A digital signature algorithm consists of
Producing a summary, the digest, of the document content using a one-way hash function
This digest is then encrypted with the sender's private key, obtaining the digital signature
The digital signature is then sent with the message to the receiver
in cleartext
Alternatively, the message with the digital signature may be encrypted
The receiver
Decrypts the digital signature
Compares it with the digest
SecuritySecurity © 2001 - William Fornaciari© 2001 - William Fornaciari- - 207207 - -
Digital Signature Algorithm (2)

[Figure: sender side: Message -> Hash Function -> DIGEST -> Encryption with sender private key -> Digital Signature; message and digital signature are then encrypted with the receiver public key. Receiver side: Decryption with receiver private key; Digital Signature -> Decryption with sender public key -> DIGEST; Message -> Hash Function -> DIGEST; Compare the two digests]

ElGamal Algorithm (1)

It is a public-key algorithm based on the discrete logarithm problem
Uses a symmetric encryption with a session key that is dynamically generated
ElGamal signatures
- Select a prime q such that 2^159 < q < 2^160
- Choose a prime p (with q dividing p-1)
- Select b such that 1 < b < p-1
- Compute the generator g = b^((p-1)/q) mod p
- Generate a random secret x and calculate y = g^x mod p
- Public key is (p, q, g, y)
- The hash value of the message, computed with SHA-1, is converted into an integer
  - h = hash of message

ElGamal Algorithm (2)

Generate another random secret k relatively prime to (p-1)
The signature is a pair (r, s)
- r = g^k mod p
- s = (h - x r) k^-1 mod (p-1)
  - k^-1 is slow to compute, but can be pre-calculated
The signature is checked with the public key (p, q, g, y)
- Accepted if and only if y^r r^s = g^h mod p
Similar to the Diffie-Hellman algorithm
r is independent of the message/hash

Schnorr Algorithm

It is similar to the ElGamal algorithm
The Schnorr algorithm introduces a hash function associating an integer belonging to a predefined interval with each message and key
The advantage is the possibility to modulate the digital signature length by properly selecting the hash function co-domain

DSS (1)

It is a variant of the Schnorr algorithm
The hash function H has the message as its only argument, so that its value is independent from the encryption key
DSS algorithm
- Generates a prime p (512-1024 bits)
- Finds q, a prime factor of p-1 (160 bits)
- Finds g = h^((p-1)/q) mod p
  - Where h < p and h^((p-1)/q) mod p > 1
- Chooses a random x, where y = g^x mod p
- Public key is (p, q, g, y)
- Private key is x < q (160 bits)

DSS (2)

The signature is (r, s)
- Generate a random k < q
- r = (g^k mod p) mod q
- s = (k^-1 (H(m) + x r)) mod q
The check is ok if v = r
- w = s^-1 mod q
- a = (H(m) w) mod q
- b = (r w) mod q
- v = ((g^a y^b) mod p) mod q
Note
- Better than ElGamal, since q is smaller than p
- Calculating inverses is slow
  - However, some things can be pre-computed
  - r does not depend on the message at all

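The ElGamal and DSS signature steps from the preceding slides, carried through in working code as an added example (not code from the original slides). It uses constructed toy parameters: a safe prime p = 2q+1 found by trial division, so that q is a prime factor of p-1 and g = b^((p-1)/q) mod p has order q, far below the 160-bit q and 512-1024-bit p the slides require; SHA-1 is used as the slides state.

```python
"""ElGamal and DSS (DSA) signatures on shared (p, q, g) parameters (added example).
Toy sizes only: not the 160-bit q and 512-1024-bit p the slides require."""
import hashlib
import secrets
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division: adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def toy_params(start: int = 1 << 24, b: int = 2):
    """Constructed parameters: smallest odd q >= start with q and p = 2q + 1 prime, so q is a
    prime factor of p - 1; g = b^((p-1)/q) mod p then has order q (the slides' construction)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = pow(b, (p - 1) // q, p)
    assert g > 1  # the slides require h^((p-1)/q) mod p > 1
    return p, q, g


def hash_int(msg: bytes) -> int:
    """SHA-1 digest of the message converted into an integer, as on the slides."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")


def keygen(p: int, q: int, g: int):
    """Private x < q; public key (p, q, g, y) with y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, (p, q, g, pow(g, x, p))


def elgamal_sign(msg: bytes, x: int, pub):
    """r = g^k mod p, s = (h - x r) k^-1 mod (p-1), with k coprime to p-1."""
    p, _, g, _ = pub
    h = hash_int(msg) % (p - 1)
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) != 1:
            continue  # k^-1 mod (p-1) must exist
        r = pow(g, k, p)
        s = ((h - x * r) * pow(k, -1, p - 1)) % (p - 1)
        if s:
            return r, s


def elgamal_verify(msg: bytes, sig, pub) -> bool:
    """Accept iff y^r r^s = g^h (mod p)."""
    p, _, g, y = pub
    r, s = sig
    if not 0 < r < p:
        return False
    h = hash_int(msg) % (p - 1)
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, h, p)


def dss_sign(msg: bytes, x: int, pub):
    """r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q: the arithmetic stays mod the small q."""
    p, q, g, _ = pub
    h = hash_int(msg)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r and s:
            return r, s


def dss_verify(msg: bytes, sig, pub) -> bool:
    """w = s^-1 mod q, a = H(m) w mod q, b = r w mod q, v = ((g^a y^b) mod p) mod q; ok iff v == r."""
    p, q, g, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    a, b = (hash_int(msg) * w) % q, (r * w) % q
    return ((pow(g, a, p) * pow(y, b, p)) % p) % q == r


def demo() -> dict:
    """Sign a constructed message with both schemes; a forged copy must fail both checks."""
    x, pub = keygen(*toy_params())
    msg, forged = b"pay 100 EUR to account 42", b"pay 900 EUR to account 42"
    eg, ds = elgamal_sign(msg, x, pub), dss_sign(msg, x, pub)
    return {"elgamal_ok": elgamal_verify(msg, eg, pub), "elgamal_forged": elgamal_verify(forged, eg, pub),
            "dss_ok": dss_verify(msg, ds, pub), "dss_forged": dss_verify(forged, ds, pub)}
```

Note that both schemes sign the same private key and parameters, but the DSS signature and all of its verification arithmetic are reduced mod q, which is what the slide means by "better than ElGamal, since q is smaller than p".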
Network Attacks (How Intruders Get In)

Modern systems usually allow remote access
- From terminals
- From modems
- From the network
Intruders can use all of these to break in
Hackers invent new attacks every time security experts find new ways to improve on the previous ones

Some Remote Attacks

We focus our attention on some attacks exploiting network (Internet/Intranet) connections
- Spoofing
- Sniffing
- Shadow server (Web-spoofing)
- TCP session hijacking

Packet Sniffer

Each Internet packet may pass through a large number of computers before reaching the final one
Hackers may use special tools, packet sniffers, to intercept these packets
The aim of this attack is to get information
- Often precedes a spoofing attack or a session hijacking
Packet sniffer tools
- Sniffer Pro
- Network Monitor
- TCPDump
- Dsniff

IP Spoofing

This attack on the IP protocol focuses on the packet address that the protocol uses for transmissions
The attack consists of giving false information about the computer owner
- The hacker modifies his IP address to look like a host of an intranet or of a trusted network, by duplicating the TCP/IP address of that host
With this attack the hacker may acquire access
- To each packet addressed to a system
- To the system services
The masquerade attack is a spoofing attack

TCP Hijacking (Active Sniffing)

TCP hijacking consists of achieving control of a network connection
- Already active
- Or in the beginning phase
The idea is to
- Take control over a computer that is connected (or is connecting) to the network
- Disconnect the controlled computer
- Deceive the server by taking the place of the disconnected computer
Other types of hijacking attack
- UDP hijacking
- Man in the Middle

Web-Spoofing (1)

In a web-spoofing attack, the hacker may
- Observe and modify all the traffic from his victim to the web server
- Control all the traffic from the web server to his victim

Web-Spoofing (2)

[Figure: the browser follows a link to a web page; the page request goes to the hacker, who forwards it to the web server, receives the requested page and returns a copy of the page to the browser]

DoS Attack (1)

A Denial of Service attack happens when resource availability is intentionally cut off or degraded
To achieve this goal, different approaches are followed:
- Process or memory degradation
  - The attacker overloads the target, generating a great number of processes that devour all the resources or overload the CPU
- File destruction
- Deactivation of system parts or of the process
This type of attack may also be directed at network applications or at network protocols

Snork

The Snork attack is a DoS attack that degrades the target's performance
In a Snork attack, an attacker sends
- A Remote Procedure Call datagram to server port UDP 135, giving the RPC server the impression that a similar server exists and is sending bad data
- The sender IP address is spoofed
- The RPC server sends a deny packet to the sender IP address, and the second server does the same
- A loop begins
If the spoofed packet is sent to a great number of servers, the target server will be submerged by a great number of deny packets that will finally cause it to block

SYN Flood Attack

SYN Flood is a DoS attack that exploits the TCP protocol
It is carried out by sending TCP connection requests so fast that it is impossible for the target system to process them
The target uses resources to keep track of each connection
- So, a big number of SYNs may exhaust all the target host resources for keeping track of new connections

The DDoS attack (1)

The Distributed Denial of Service is a recent type of attack; it uses
- Client
- Master
- Daemon (Zombie)
Clients are used to start the attack through the masters
A master is a compromised host, containing a particular software that permits the control of several daemons
A daemon is also a compromised host, containing a particular software that permits generating a packet flow towards the target

The DDoS attack (2)

To make this attack work, the particular software has to be installed on hundreds of hosts
Generally an automatic procedure looks for the vulnerable hosts and installs the software
DDoS tools are
- Trinoo
- Tribe Flood Network
- Stacheldraht
- Shaft
- mstream

Security in Internet/Intranet Environment

The Internet gives wide connectivity thanks to the open TCP/IP protocol
The use of this protocol is also the first reason for insecurity
TCP/IP is an intrinsically insecure protocol
We have the following security problems
- Authentication
- Access control
- Data and message confidentiality
- Data and message integrity
- Non-repudiation
- Denial of service

Security Problem Localization

[Figure: client, local server, firewall, Internet and global server, with the security problems placed where they arise: identification and authentication; access control; confidentiality, integrity and password protection; sender authentication and non-repudiation; denial of service and secure Internet connection]

Internet Services Problems

The Internet provides the following protocols (services)
- Telnet
- E-mail and newsgroups
- FTP
- World Wide Web
Each of these protocols has some security problems

Telnet

One problem of this protocol is authentication
- The password is transmitted in cleartext over the network
- An attacker may easily intercept it and use it later
Possible solutions are
- One-time passwords
- Password aging policy
- Challenge-response mechanism
Another problem is the possibility to use the telnet protocol to connect to every port on which other Internet services are working
- An attacker may thus use a telnet session to damage any other Internet service

E-mail and Newsgroup

The e-mail and newsgroup services present the same problems, regarding mainly
- Message integrity
- Message confidentiality
The solution consists of using digital signature and encryption mechanisms
- Privacy Enhanced Mail (PEM)
- Secure MIME (S/MIME)
- Pretty Good Privacy (PGP)

FTP

The FTP protocol has the same authentication problems as a telnet session
Anonymous FTP permits downloading files to users that log on as anonymous, giving their e-mail address as password
- This type of connection raises big security problems

WWW

A web browser integrates communication services like
- E-mail
- FTP
- Newsgroups
- …
So a web browser adds to the security problems of the HTTP protocol the problems of the included services

Some WWW Security Problems

Browsers handle the client's web traffic and disclose information about users and their computing environment to the server
Browsers permit the execution of Java applets and ActiveX controls
- These components may contain backdoors or trojan horses
Many web services want a place for storing information about their customers
- The server asks the browser to store a cookie that contains this information

Cookies

Cookies are used to keep state information beyond the duration of a session
- To avoid the need to re-enter authentication credentials every time they are required
- To recover the state of a previous operation or to commit incomplete transactions
- …
Cookies cannot violate the integrity of the system, being data and not executable code
The set of cookies stored by the browser creates a client profile, creating a privacy problem

Network Protocols

Network protocols and security extensions
- TCP/IP
- IPSec
- Secure Socket Layer (SSL)
- Secure HTTP (S-HTTP)
- Secure Electronic Transaction (SET)
- Privacy Enhanced Mail (PEM)
- Pretty Good Privacy (PGP)
- Secure MIME (S/MIME)
- …

TCP/IP

TCP/IP is a multi-layer protocol
- Each layer offers a series of services to the layer above
A software application may interface with the protocol using a specific socket
The protocol manages, through its layers
- Communications
- Datagram routing
- Packet synchronism
- …

TCP/IP Architecture

- Application Layer: FTP, SMTP, HTTP, Telnet
- Transport Layer: TCP, UDP
- Internetwork Layer: IP
- Network Layer

IP Datagram

[Figure: IP datagram header layout, one row per 32-bit word; scale marks at 4, 8, 16 and 32 bits]
- Version | Header Length | Type of service | Total length
- Identification | Flags | Fragment Offset
- Time to live | Protocol | Header Checksum
- Source Address
- Destination Address
- Options and Padding
- Data

TCP Segment

[Figure: TCP segment header layout, one row per 32-bit word; scale marks at 16 and 32 bits]
- Source Port | Destination Port
- Sequence number
- Acknowledgment
- Header length | Flags | Credit (window)
- Checksum | Urgent pointer
- Options
- Data

Flags

The Flags field is composed of six one-bit flags used to characterize the segment functions
- URG is a pointer to the data field indicating a priority data portion
- ACK indicates the segment is an acknowledgement one
- SYN is set to 1 for the connection request
- …
URG ACK PSH RST SYN FIN

Encapsulation

[Figure: encapsulation from host A to host B: the TCP layer adds the TCP header (contains the port number) to form the TCP segment; the IP layer adds the IP header (contains the IP address) to form the IP datagram; the network layer adds its own header and trailer (contains a link)]

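An added example, not from the slides, that builds one constructed IP datagram carrying a TCP SYN segment with the layouts of the IP Datagram, TCP Segment and Flags slides, then parses it back through the encapsulation just shown: the IP header and its checksum, the TCP header inside the IP data field, and the six flag bits. Field offsets are the standard IPv4 and TCP ones; the addresses, ports and sequence number are constructed.

```python
"""Build and parse an IPv4 datagram encapsulating a TCP segment (added example)."""
import ipaddress
import struct

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field
IP_PROTO_TCP = 6
IPV4_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIHHHH"          # 20-byte headers, network byte order


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum of the header's 16-bit words; a header that verifies sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535, payload=b""):
    """TCP header with data offset 5 words (no options) followed by the payload.
    The TCP checksum is left 0: it covers an IP pseudo-header, which this example omits."""
    bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, (5 << 12) | bits, window, 0, 0) + payload


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    """IPv4 header (no options, don't-fragment set) with a valid header checksum around payload."""
    fields = [0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(dgram: bytes) -> dict:
    """Decode the IP datagram header of the slide and return the encapsulated data."""
    (ver_ihl, tos, total, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, dgram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "header_length": ihl, "tos": tos, "total_length": total,
        "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum_ok": ipv4_checksum(dgram[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": dgram[20:ihl], "data": dgram[ihl:total],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP segment header of the slide, including the six flag bits."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(TCP_FMT, segment[:20])
    hlen = (off_flags >> 12) * 4
    flags = {name: bool(off_flags >> i & 1) for i, name in enumerate(TCP_FLAGS)}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_length": hlen,
            "flags": flags, "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": segment[20:hlen], "data": segment[hlen:]}


def decode(dgram: bytes) -> dict:
    """Unwrap the encapsulation: IP header first, then the TCP header inside the IP data field."""
    ip = parse_ipv4(dgram)
    if ip["protocol"] == IP_PROTO_TCP:
        ip["tcp"] = parse_tcp(ip["data"])
    return ip


# Constructed sample: a connection request (SYN, SEQ X) from 10.0.0.1:40000 to 192.0.2.10:80
SAMPLE_SYN = build_ipv4("10.0.0.1", "192.0.2.10", IP_PROTO_TCP,
                        build_tcp(40000, 80, seq=1000, ack=0, flags=("SYN",)))
```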
TCP Protocol (1)

The TCP protocol is connection oriented
- So before transferring data between two hosts, a connection has to be set up
TCP has only one type of message, the segment
- To distinguish between data messages and protocol messages the segment flags are used
When a host opens a connection
- The flag SYN is set to 1: SYN
- To distinguish the connection a sequence number is sent (a host may begin multiple connections): SEQ X
- A quantity of data may be sent: [b]

TCP Protocol (2)

The receiver sends an acknowledgment
- The SYN flag is set to 1
- A sequence number is sent: SEQ Y
- The ACK flag is set to 1 and the acknowledgment field contains the value X+Y
The sender responds with an acknowledgement message

Connection set-up (Three-way handshake)

1. SYN, SEQ X, [b]
2. SYN, SEQ Y, ACK X+b, [c]
3. ACK Y+c

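An added example, not from the slides, that follows the three-way handshake above on a constructed packet trace and reports the connections left after the second message without the third, the half-open state that the SYN Flood Attack slide describes. The expected acknowledgment numbers use real TCP arithmetic, where the SYN flag itself consumes one sequence number: what the slide writes as ACK X+b is ISN + 1 + data bytes here. Endpoints, sequence numbers and the threshold are constructed.

```python
"""Three-way handshake tracker with half-open (SYN flood symptom) reporting (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record: endpoints as 'ip:port', flag set, SEQ, ACK, data length."""
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0
    length: int = 0


@dataclass
class Conn:
    state: str          # SYN_RCVD -> SYN_ACK_SENT -> ESTABLISHED
    expect_ack: int     # number the next handshake message must acknowledge


class HandshakeTracker:
    def __init__(self):
        self.conns = {}  # (client, server) -> Conn

    def observe(self, pkt: Packet) -> None:
        syn, ack = "SYN" in pkt.flags, "ACK" in pkt.flags
        if syn and not ack:                              # 1. SYN, SEQ X, [b]
            # the SYN occupies one sequence number, so the reply must acknowledge X + 1 + b
            self.conns[(pkt.src, pkt.dst)] = Conn("SYN_RCVD", pkt.seq + 1 + pkt.length)
        elif syn and ack:                                # 2. SYN, SEQ Y, ACK X+b, [c]
            conn = self.conns.get((pkt.dst, pkt.src))
            if conn and conn.state == "SYN_RCVD" and pkt.ack == conn.expect_ack:
                conn.state, conn.expect_ack = "SYN_ACK_SENT", pkt.seq + 1 + pkt.length
        elif ack:                                        # 3. ACK Y+c
            conn = self.conns.get((pkt.src, pkt.dst))
            if conn and conn.state == "SYN_ACK_SENT" and pkt.ack == conn.expect_ack:
                conn.state = "ESTABLISHED"

    def half_open(self) -> list:
        """Connections the server has answered but the client never completed."""
        return [key for key, c in self.conns.items() if c.state == "SYN_ACK_SENT"]

    def flooded_servers(self, threshold: int) -> list:
        """Servers holding at least `threshold` half-open connections."""
        per_server = Counter(server for _, server in self.half_open())
        return [s for s, n in per_server.items() if n >= threshold]


def run_trace(trace, threshold: int = 3) -> dict:
    """Feed a trace to the tracker and summarise the handshake states it ends with."""
    tracker = HandshakeTracker()
    for pkt in trace:
        tracker.observe(pkt)
    states = Counter(c.state for c in tracker.conns.values())
    return {"established": states["ESTABLISHED"], "half_open": len(tracker.half_open()),
            "flooded": tracker.flooded_servers(threshold)}


S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
SRV = "192.0.2.10:80"
# Constructed trace: one complete handshake (X = 1000, Y = 5000, no data on the SYNs) ...
TRACE = [Packet("10.0.0.5:4001", SRV, S, seq=1000),
         Packet(SRV, "10.0.0.5:4001", SA, seq=5000, ack=1001),
         Packet("10.0.0.5:4001", SRV, A, seq=1001, ack=5001)]
# ... then three requests the server answers but that never receive the third message
for i, client in enumerate(("198.51.100.7:1111", "198.51.100.8:2222", "198.51.100.9:3333")):
    TRACE.append(Packet(client, SRV, S, seq=100 * i))
    TRACE.append(Packet(SRV, client, SA, seq=7000 + i, ack=100 * i + 1))
```

A real monitor would also age entries out, since a legitimate client may simply be slow; the count that matters is half-open connections per server over a time window.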
TCP/IP Security

Internet security ensures that users can communicate over the Internet without the fear of theft, interception, or break-in
The IP datagram
- Has no field concerning any security attributes
- Is transmitted in cleartext over the network
  - Every attacker may intercept and modify it
The Internet protocol is intrinsically insecure
- Mechanisms that secure TCP/IP and Internet components are needed

Security Protocols (1)

The IP layer can be secured by the use of IP security standards that specify security services for the IP layer
- IPSec
- As a result, the TCP/IP application and any other higher-level application or protocol may access the security services through the IP layer
E-mail can be secured by implementing one of the secure e-mail schemes providing a variety of e-mail security services
- Privacy Enhanced Mail (PEM)
- Pretty Good Privacy (PGP)
- S/MIME

Security Protocols (2)

To ensure Web security the following may be used
- Secure Socket Layer (SSL)
- Secure Hypertext Transfer Protocol (S-HTTP)
Many applications like Telnet and TCP can be upgraded to utilize the GSS-API
Other protocols were created for specific purposes such as e-commerce
- Secure Electronic Transaction (SET)
- …
Network security relies on a secure underlying OS
- Any security scheme protecting the Internet must utilize a variety of system protection mechanisms

Security Protocols Localization (1)

[Figure: two protocol stacks. Left: HTTP, FTP, SMTP over TCP over IPSec (security at the IP layer). Right: HTTP, FTP, SMTP over SSL over TCP over IP (security between the application and transport layers)]

Security Protocols Localization (2)

[Figure: two protocol stacks with security at the application layer. Left: S-HTTP and S/MIME over TCP over IP. Right: SET and PGP over HTTP, FTP, SMTP over TCP over IP]

IPSec

The IPSec protocol provides a standard mechanism for specifying security for the IP layer only
IP security is provided through two schemes
- IP Authentication Header (IP AH)
  - Provides sender authentication and datagram integrity
  - Does not address confidentiality
  - As implied by its name, authentication data are placed in a header within the datagram
- IP Encapsulating Security Payload (IP ESP)
  - Provides confidentiality to the IP datagram in addition to authentication and integrity
The two schemes can be used separately or together
Both schemes are based upon the concept of Security Association (SA)

Security Association (SA)

A security association provides the underlying correspondence for the use of security mechanisms between two communicating entities
It is an agreement on the types and modality of the security services that can be summarised in a set of security parameters shared by the communicating entities
- Algorithms, methods and keys for authentication in AH
- Algorithms, methods and keys for encryption in ESP
- The lifetimes of the keys and of the security association
- The source address of the security association
- The sensitivity level of the secured data
A particular security association is uniquely identified by the Security Parameter Index (SPI) and the destination address

SPI

The SPI is a 32-bit pseudo-random number contained in the datagram header
To authenticate a datagram the sending host
- has to locate an SA, selecting the SPI value on the basis of the user ID and the destination address
When an IP datagram is received, the receiver may verify the authentication data and/or decrypt the data only if it can associate itself with the SA identified by the SPI

IP AH

Authentication header format
- The Next Header field identifies the data after the authentication header
- Reserved is a field reserved for future use
- The Length field provides the length of the authentication data field
- The authentication data is calculated using a message digest algorithm

[Figure: authentication header layout, one row per 32-bit word; scale marks at 8, 16 and 32 bits]
- Next Header | Length | Reserved
- Security Parameter Index
- Authentication Data (variable number of 32-bit words)

Location of AH

[Figure: IP Header | Hop-by-Hop / routing | AH | Dest. options | TCP | Data; the AH expands to Next Header | Length | Reserved | Security Parameter Index | Authentication Data (variable number of 32-bit words)]

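An added example, not from the slides, of the AH processing the SPI, IP AH and Location of AH slides describe: the sender locates the SA by SPI and destination address, emits the header in the layout shown (Next Header, Length in 32-bit words, Reserved, SPI, Authentication Data) and computes the authentication data as a keyed digest over the datagram with the mutable IP fields zeroed; the receiver redoes the computation with the SA the SPI points to. The digest algorithm (HMAC-SHA1 truncated to 96 bits), the SA table, key, addresses and payload are constructed assumptions for the example.

```python
"""IP Authentication Header: build and verify authentication data (added example)."""
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of AH in the outer IP header
AUTH_LEN = 12        # HMAC-SHA1-96: 3 32-bit words (assumption made for this example)

# Constructed SA database: (SPI, destination address) identifies the SA, as on the slide
SAD = {(0x1001, "192.0.2.10"): {"key": b"constructed-toy-key-not-for-use"}}


def zero_mutable(ip_header: bytes) -> bytes:
    """Fields routers change in flight (TOS, flags/fragment offset, TTL, header checksum)
    are zeroed before digesting so that the receiver can recompute the same value."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def auth_data(key: bytes, ip_header: bytes, ah_head: bytes, payload: bytes) -> bytes:
    """Keyed digest over the immutable IP fields, the AH with its auth field zeroed, and the payload."""
    msg = zero_mutable(ip_header) + ah_head + b"\x00" * AUTH_LEN + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:AUTH_LEN]


def ah_build(ip_header: bytes, payload: bytes, next_header: int, spi: int, dst: str) -> bytes:
    """Sender: locate the SA, then emit Next Header | Length | Reserved | SPI | Authentication Data."""
    sa = SAD[(spi, dst)]
    ah_head = struct.pack("!BBHI", next_header, AUTH_LEN // 4, 0, spi)
    return ah_head + auth_data(sa["key"], ip_header, ah_head, payload)


def ah_verify(ip_header: bytes, ah_and_payload: bytes, dst: str) -> bool:
    """Receiver: find the SA from SPI + destination; reject if none, or if the digest differs."""
    _next_header, length, _reserved, spi = struct.unpack("!BBHI", ah_and_payload[:8])
    sa = SAD.get((spi, dst))
    if sa is None or length * 4 != AUTH_LEN:
        return False                      # cannot associate the datagram with a usable SA
    auth_end = 8 + length * 4
    ah_head, received = ah_and_payload[:8], ah_and_payload[8:auth_end]
    expected = auth_data(sa["key"], ip_header, ah_head, ah_and_payload[auth_end:])
    return hmac.compare_digest(received, expected)


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0: it is zeroed in the digest anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def demo() -> dict:
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])
    segment = b"constructed TCP segment bytes"
    total = 8 + AUTH_LEN + len(segment)
    hdr = ipv4_header(src, dst, AH_PROTO, total)
    ah = ah_build(hdr, segment, next_header=6, spi=0x1001, dst="192.0.2.10")
    wire = ah + segment
    relayed = ipv4_header(src, dst, AH_PROTO, total, ttl=63)   # a router decremented the TTL
    tampered = ah + segment[:-1] + b"X"                          # payload changed in flight
    return {
        "valid": ah_verify(hdr, wire, "192.0.2.10"),
        "ttl_changed": ah_verify(relayed, wire, "192.0.2.10"),
        "payload_tampered": ah_verify(hdr, tampered, "192.0.2.10"),
        "unknown_sa": ah_verify(hdr, wire, "192.0.2.99"),
    }
```

The header layout on the slide carries no sequence number, so this check detects modification but not the replay of a previously captured datagram; later versions of AH added a sequence number field for that purpose.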
IP ESP

IP ESP encapsulates either the entire datagram or only the header portion of the upper-layer protocols
- Encrypts most of the content inside the encapsulated portion
- Appends a plaintext header that is used to route the packet through the network
ESP consists of
- An unencrypted header
- An encrypted data field that may include
  - The protected ESP header fields and the protected user data, which is the entire datagram or simply the upper-level protocol packet

Location of the ESP Header

Opaque transform data is a protected field containing further parameters relevant for the processing of the cryptographic algorithm

[Figure: IP Header | Other IP headers | ESP Header | Encrypted Data; the ESP header expands to Security Parameters Index (SPI) | Opaque transform data]

Tunnel Mode

Before encrypting a datagram, the sender locates the SA
- Determines which encryption algorithm and key to employ
- Then has the choice between two ESP modes
ESP tunnel mode
- The complete datagram is encapsulated within the ESP
- This ESP is transmitted within another IP datagram with a cleartext header
- Can be used between gateway machines (firewalls) to create a virtual private network
  - A collection of hosts that have implemented protocols to securely exchange information

Transport Mode

ESP transport mode
- Only an upper-layer protocol, such as TCP or UDP data, is encapsulated
- The ESP header is inserted immediately before the transport-layer protocol header
- This mode conserves bandwidth since there are no encrypted IP headers

IPSec Summary

IPSec provides security without changing the interface to IP
- Upper-layer protocols need not change to invoke security
IPSec increases protocol processing costs and communication latency, as sender and receiver perform cryptographic operations
IPSec is based on the use of symmetric key algorithms
- Does not prescribe a particular key management protocol, even if an Internet Key Exchange (IKE) protocol was developed

SSL Protocol (1)

The SSL protocol was developed by Netscape Communications Corp. for
- Authenticating access to servers by using RSA
- Exchanging client/server keys in a secure way

[Figure: HTTP,FTP, SMTP over SSL over TCP over IP]

SSL Protocol (2)

The SSL protocol ensures a secure TCP/IP connection on the basis of
- The communicating entities may authenticate each other using public-key cryptographic mechanisms
- Data confidentiality is ensured by the use of a session key
- Data integrity is ensured by the use of a Message Authentication Code (MAC)
  - A MAC is a family of hash functions parameterised by a secret key
  - Provides assurance about the source and integrity of a message
The SSL protocol does not prevent traffic analysis
- IP addresses travel across the network in cleartext

SSL Phases

The SSL protocol consists of two phases
First phase, handshake
- Client and server exchange a symmetric key using an asymmetric key algorithm
- In this phase client and server decide the cipher algorithm to use (cipher setting)
- The server must authenticate itself with a digital certificate
- The client certificate authentication is optional
Second phase, secure connection
- By using the secure channel created during the previous phase, client and server may communicate with each other in a secure way using a secret key algorithm

SSL Handshake

[Figure: client and server exchange their cipher settings; the server sends its public key and the client its public key; the client generates the session key and sends it encrypted with the server public key]

SSL Example (1)

Message 1 (from client to server): Client hello
- Client random number
- Suggested cipher suites
  - TLS_RSA_WITH_IDEA_CBC_SHA
  - TLS_RSA_WITH_DES_CBC_SHA
  - TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
- Suggested compression algorithm: NONE
Message 2 (from server to client): Server hello
- Server random number
- Use cipher suite: TLS_RSA_WITH_DES_CBC_SHA
- Certificates
  - Subject: DN = Superstorevirtualobject
  - Public key: 0x9f400682…
  - Issuer: Verisign
- Server done: NONE

SSL Example (2)

Message 3 (from client to server)
- Client key exchange: RSA_Encrypt(Server Public Key, PreMasterSecret)
- Change Cipher Spec: NONE
- Finished: MD5(M1 || M2 || M3A)
Message 4 (from server to client)
- Change Cipher Spec: NONE
- Finished: MD5(M1 || M2 || M3A || M3C)

SSL Conclusions

SSL is the most widely used Internet security protocol
It adds a security layer between application protocols and TCP, so applications explicitly have to ask for security
- Application code, thus, has to be changed
  - Not much more than edit operations

S-HTTP (1)

S-HTTP is an extension of HTTP that provides
- Confidential transactions
- Data integrity and authentication
- Non-repudiation
Methods used to ensure message security
- Digital signature
- Cryptography
- Sender identity authentication
- Message authenticity
The protocol gives great flexibility in the choice of
- Key management mechanisms
- Security policies
- Cryptographic algorithms

S-HTTP (2)

An S-HTTP message consists of
- The header, which includes information about
  - The way to decrypt the message
  - How to process the message after its decryption
- The body, which includes the encrypted text
During the initial connection phase, server and client negotiate how to carry on the transactions
- Essentially they negotiate the methods to use to protect messages
  - Signature
  - Authentication
  - Cryptography

S-HTTP Message

An S-HTTP message consists of
- The request line, followed by a series of header lines
- The encapsulated content
Request line (status line)
- All requests must include the line
  - Secure * Secure-HTTP/1.2
  - E.g. Secure http://. . ./ Secure-HTTP/1.2
Three types of header lines
- S-HTTP headers
- HTTP non-negotiation headers
- HTTP negotiation headers

S-HTTP Headers

S-HTTP header fields contain information about
- Content-Privacy-Domain: defines the format of the encrypted message
- Content-Transfer-Encoding: the type of compression used for the media
- Content-type: the type of the encrypted message
- Prearranged-key-info: information about the key previously exchanged
- MAC-Info: information for the use of the digital signature
The two fields, Content-Privacy-Domain and Content-type, are obligatory

HTTP Non-Negotiation Headers

These header lines go inside the encapsulated content
- So they are protected by encryption
HTTP non-negotiation header fields
- Key-assign: contains a symbolic name the agent wants to assign to the key for future references
- Encryption-identity: identifies a potential recipient to whom the sender may encrypt the message with the established options
  - For Kerberos, provides information about the Kerberos identity
- Certificate-info: contains information about digital certificates
- Nonce
- Nonce-Echo

HTTP Negotiation Headers

To make negotiation possible, the S-HTTP header contains a negotiation block which permits expressing preferences about the types of cryptographic extensions to use
E.g.,
- SHTTP-Certificate-types expresses the certificate types that the agent may accept
- SHTTP-Key-Exchange-Algorithms gives information about the algorithms that the agent may use to encrypt messages
- …
- Your-key-pattern
  - Is a generalized syntax model for a great number of key types

S-HTTP Header Line Format

Header type and headers
- S-HTTP headers: Content-Privacy-Domain, Content-transfer-Encoding, Content-type, Prearranged-key-info, MAC-info
- HTTP non-negotiation headers: Key-assign, Encryption-Identity, Certificate-info, Nonce, Nonce-echo
- HTTP negotiation headers: SHTTP-Privacy-Domains, SHTTP-certificate-types, SHTTP-Key-exchange-algorithms, SHTTP-Signature-algorithms, SHTTP-message-digest-algorithms, SHTTP-Symmetric-content-algorithms, SHTTP-Symmetric-header-algorithms, SHTTP-Privacy-enhancements, Your-key-pattern

SET

SET is a specific protocol for e-commerce transactions
- Assuring non-repudiation
  - The seller (merchant) cannot deny having received the purchaser's order
  - The purchaser (cardholder) cannot deny having made the order
The mechanism used by this protocol is the Dual Signature
- Two messages are sent, at the same time, to two different entities
- The dual signature mechanism allows linking the two messages together
- Permits acquiring items without sending the purchaser's bank payment information to the seller

SET Architecture

[Figure: cardholder and merchant connected through the Internet, together with the Certification Authority and the Payment Gateway; the payment gateway reaches the acquirer bank through the bank network]

Payment Gateway

The banks are linked together by a proprietary network
A payment gateway is an information system that links together the Internet and the proprietary bank network
Examples of payment gateways are
- www.cybercash.com
- www.bancasella.it
- www.authoriznet.com
- …

Dual Signature Generation

[Figure: Message A (item purchasing request) -> Hash function -> Message digest A; Message B (payment authorization) -> Hash function -> Message digest B; Message digest A || Message digest B -> Hash function -> Message digest -> Encryption with cardholder private key -> Dual Signature]

Messages Match

[Figure: the cardholder sends Message A, the Dual Signature and Message digest B to the merchant, and Message B, the Dual Signature and Message digest A to the bank; the merchant computes Message digest A from Message A with the hash function, and it is compared with the Message digest A held by the bank]

Message Integrity

[Figure: Message A -> Hash function -> Message digest A; Message digest A || Message digest B -> Hash function -> Message digest; Dual Signature -> Decryption with cardholder public key -> Message digest; the two message digests are compared]

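The dual-signature construction of the three figures above (generation, messages match, message integrity), as an added example that is not from the slides. Signing and verification use a textbook RSA over constructed small primes (no padding, toy sizes: illustration only); `order` and `payment` are constructed messages, and SHA-256 stands in for the hash function the figures leave unnamed.

```python
"""SET dual signature on a textbook RSA toy (added example)."""
import hashlib
from math import gcd, isqrt


def H(data: bytes) -> bytes:
    """Hash function of the figures (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).digest()


def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (toy key sizes only)."""
    while any(n % d == 0 for d in range(2, isqrt(n) + 1)):
        n += 1
    return n


def rsa_keygen():
    """Constructed ~40-bit modulus: returns public (n, e) and private d."""
    p = _next_prime(1_000_003)
    q = _next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 3) if gcd(c, phi) == 1)
    return (n, e), pow(e, -1, phi)


def rsa_sign(digest: bytes, n: int, d: int) -> int:
    """'Encryption with cardholder private key' of the figures (textbook RSA on the digest)."""
    return pow(int.from_bytes(digest, "big") % n, d, n)


def rsa_verify(digest: bytes, sig: int, n: int, e: int) -> bool:
    """'Decryption with cardholder public key', then comparison with the recomputed digest."""
    return pow(sig, e, n) == int.from_bytes(digest, "big") % n


def dual_sign(order: bytes, payment: bytes, n: int, d: int):
    """Cardholder: digest A = H(order), digest B = H(payment); sign H(digest A || digest B).
    Returns the bundle for the merchant and the bundle for the bank."""
    digest_a, digest_b = H(order), H(payment)
    dual = rsa_sign(H(digest_a + digest_b), n, d)
    to_merchant = {"message_a": order, "digest_b": digest_b, "dual_signature": dual}
    to_bank = {"message_b": payment, "digest_a": digest_a, "dual_signature": dual}
    return to_merchant, to_bank


def merchant_verify(bundle: dict, n: int, e: int) -> bool:
    """Merchant sees the order in clear and only the digest of the payment message."""
    recomputed = H(H(bundle["message_a"]) + bundle["digest_b"])
    return rsa_verify(recomputed, bundle["dual_signature"], n, e)


def bank_verify(bundle: dict, n: int, e: int) -> bool:
    """Bank sees the payment message in clear and only the digest of the order."""
    recomputed = H(bundle["digest_a"] + H(bundle["message_b"]))
    return rsa_verify(recomputed, bundle["dual_signature"], n, e)


def messages_match(merchant_bundle: dict, bank_bundle: dict) -> bool:
    """'Messages Match': the digest A the bank holds equals the hash of the order the merchant has."""
    return H(merchant_bundle["message_a"]) == bank_bundle["digest_a"]


def demo() -> dict:
    (n, e), d = rsa_keygen()
    order = b"order 7: 1 x textbook, 29 EUR"                          # constructed message A
    payment = b"authorize 29 EUR from card-token-XYZ to merchant M"   # constructed message B
    m, b = dual_sign(order, payment, n, d)
    altered = dict(m, message_a=b"order 7: 1 x textbook, 2 EUR")      # order changed after signing
    return {
        "merchant_ok": merchant_verify(m, n, e),
        "bank_ok": bank_verify(b, n, e),
        "linked": messages_match(m, b),
        "altered_order": merchant_verify(altered, n, e),
        "merchant_sees_card_data": b"card-token" in m["message_a"] + m["digest_b"],
    }
```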
Cardholder Digital Certificate (1)

The cardholder may not want to give his credit card data to the merchant
To avoid this
- The cardholder sends to the merchant a digital certificate containing the message digest of his credit card data
- To the trusted payment gateway, his credit card data
The merchant sends the cardholder digital certificate to the payment gateway
- The payment gateway verifies data coherence

Cardholder Digital Certificate (2)
(Diagram: the cardholder hashes the credit card data and encrypts the message digest with his private key, giving the digital signature, which goes to the merchant; the merchant forwards the digital signature to the payment gateway; the payment gateway decrypts it with the cardholder's public key and compares the recovered message digest with the hash of the credit card data it received)
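The dual signature and the cardholder certificate from the slides above, worked through as an added Python example (not part of the original lecture material). It signs with a toy RSA key pair generated at run time and uses SHA-256 as the hash function; both are assumptions, since the slides name neither the key size nor the hash, and the unpadded RSA here is for illustration only. The merchant sees only message A and the digest of B, the bank only message B and the digest of A, and each can still check the same dual signature; the payment gateway checks that the card data it received hashes to the digest the cardholder certified.

```python
"""Dual signature (SET purchase request) and cardholder digest certificate."""
import hashlib
import random

_RNG = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; enough for a demonstration key, not a vetted implementation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 192):
    """Toy RSA (assumption): returns (public, private) as (e, n), (d, n).
    With 192-bit primes n > 2**256, so a SHA-256 digest fits one unpadded RSA block."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign_digest(digest: bytes, private) -> int:
    """'Encryption with cardholder private key' of a message digest."""
    d, n = private
    return pow(int.from_bytes(digest, "big"), d, n)


def verify_digest(signature: int, digest: bytes, public) -> bool:
    """'Decryption with cardholder public key' and comparison with a recomputed digest."""
    e, n = public
    return pow(signature, e, n) == int.from_bytes(digest, "big")


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # hash function (assumption: SHA-256)


def dual_sign(msg_a: bytes, msg_b: bytes, private) -> int:
    """DS = Sign_priv( H( H(A) || H(B) ) )."""
    return sign_digest(h(h(msg_a) + h(msg_b)), private)


def merchant_verify(msg_a: bytes, digest_b: bytes, dual_sig: int, public) -> bool:
    """The merchant holds message A (the order) in clear and only the digest of B."""
    return verify_digest(dual_sig, h(h(msg_a) + digest_b), public)


def bank_verify(digest_a: bytes, msg_b: bytes, dual_sig: int, public) -> bool:
    """The bank holds message B (payment authorization) in clear and only the digest of A."""
    return verify_digest(dual_sig, h(digest_a + h(msg_b)), public)


def make_card_certificate(card_data: bytes, private) -> dict:
    """Cardholder digital certificate: signed digest of the credit card data."""
    digest = h(card_data)
    return {"digest": digest, "signature": sign_digest(digest, private)}


def gateway_check(card_data: bytes, certificate: dict, public) -> bool:
    """Coherence check at the payment gateway: the card data received from the cardholder
    hashes to the certified digest, and that digest carries the cardholder's signature."""
    return certificate["digest"] == h(card_data) and verify_digest(
        certificate["signature"], certificate["digest"], public)


def demo() -> dict:
    public, private = generate_keypair()
    order = b"order 1: 2 widgets, deliver to 1 Main St"      # message A (constructed)
    payment = b"card 4111-xxxx-xxxx-1111; amount 40.00 EUR"  # message B (constructed)
    ds = dual_sign(order, payment, private)
    cert = make_card_certificate(payment, private)
    return {
        "merchant_ok": merchant_verify(order, h(payment), ds, public),
        "bank_ok": bank_verify(h(order), payment, ds, public),
        "tampered_order": merchant_verify(order + b"!", h(payment), ds, public),
        "altered_payment": bank_verify(h(order), payment + b"0", ds, public),
        "gateway_ok": gateway_check(payment, cert, public),
        "gateway_mismatch": gateway_check(b"card 4111-xxxx-xxxx-1111; amount 400.00 EUR", cert, public),
    }
```

Neither party can reconstruct the other's message from the digest it holds, yet any change to the order or to the payment data makes the recomputed outer digest differ from the one recovered from the signature, which is the linkage the slides describe.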
SET Phases
The SET protocol consists of five phases
Cardholder registration
– The cardholder asks the Certification Authority for a digital certificate
Merchant registration
– The merchant requests a digital certificate from the CA
Purchase request
– In this phase the dual signature mechanism is applied
Payment authorization
– The payment gateway tells the merchant that the cardholder has authorised the payment to him
– The payment occurs in the next phase
– On Sundays and during the night the bank system may be off-line
Capture
– The payment is confirmed
Purchase Request Phase
(Diagram, cardholder and merchant: the cardholder requests the merchant CA certificate and receives it; the cardholder then sends the purchase request and the merchant returns a digital invoice)
PEM (1)
A PEM message provides
Authentication
Data integrity
Non-repudiation
Confidentiality, as an optional feature
Three types of message, offering different combinations of cryptographic services, can be specified
A MIC-CLEAR message provides data integrity and authentication
– The message can also be read by a non-PEM host
– A non-PEM host cannot verify its integrity or authenticity
PEM (2)
A MIC-ONLY message includes the security functions of MIC-CLEAR plus an encoding step that ensures a PEM message can pass through various e-mail gateways without being transformed
An ENCRYPTED message provides the services of a MIC-ONLY message plus confidentiality
Each message is composed of two parts
The header contains all the information necessary for correct interpretation and validation
Inside the header there are
– The MIC
– References to the cryptographic algorithms used
– A possible digital signature
PEM Message Transmission
PEM message processing consists of four steps
Canonicalization
– PEM converts each message to a standard format
Message integrity and digital signature
– PEM uses RSA and MD5 as message integrity algorithms
– To permit verification of the sender's identity, the sender includes its X.509 certificate
Optional encryption
– PEM specifies the use of DES in cipher block chaining mode
Optional transmission encoding
– This step is executed only if the message type is MIC-ONLY or ENCRYPTED
– PEM converts the message into text using a 6-bit alphabet
Receiving a PEM Message
The receiving host
First checks the message type
If it is MIC-ONLY or ENCRYPTED the message is decoded
– If it is ENCRYPTED, the 6-bit text is first inverted to 8-bit ciphertext and then decrypted
– Otherwise the 6-bit encoding is transformed back to canonical plaintext
The processing is now common to MIC-ONLY and MIC-CLEAR messages
The message integrity and authenticity are checked
The canonical format is transformed into a format compatible with the receiving host
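The sending and receiving steps of the two PEM slides above, as an added Python example (not PEM code from the lecture or from any PEM implementation). Canonicalization, the MD5 MIC and the 6-bit transmission encoding (base64) are implemented as described; the RSA signature over the MIC is replaced by an HMAC keyed authenticator, an assumption made because the point here is the processing pipeline, and the ENCRYPTED type is omitted because DES is not in the Python standard library. The example also shows why MIC-ONLY exists: a constructed mail gateway that folds long lines breaks the MIC of a MIC-CLEAR message but not that of a MIC-ONLY one.

```python
"""PEM-style processing: canonicalization, MIC, transmission encoding, and the receiver's checks."""
import base64
import hashlib
import hmac

MIC_CLEAR, MIC_ONLY, ENCRYPTED = "MIC-CLEAR", "MIC-ONLY", "ENCRYPTED"


def canonicalize(text: str) -> bytes:
    """Step 1: a standard form independent of the local host (CRLF line ends, no trailing blanks, 7-bit ASCII)."""
    lines = [line.rstrip(" \t") for line in text.replace("\r\n", "\n").split("\n")]
    return "\r\n".join(lines).encode("ascii")


def _mic_tag(canonical: bytes, key: bytes) -> str:
    """Step 2: MIC = MD5 of the canonical text (as in PEM). PEM then signs the MIC with the sender's
    RSA key; this example uses an HMAC-SHA256 keyed authenticator instead (assumption: stand-in)."""
    mic = hashlib.md5(canonical).hexdigest()
    return hmac.new(key, mic.encode("ascii"), "sha256").hexdigest()


def pem_send(text: str, msg_type: str, key: bytes):
    """Returns (header, body). Step 3 (DES-CBC encryption) is not implemented here."""
    canonical = canonicalize(text)
    tag = _mic_tag(canonical, key)
    if msg_type == MIC_CLEAR:
        body = canonical.decode("ascii")                      # readable by non-PEM hosts
    elif msg_type == MIC_ONLY:
        body = base64.encodebytes(canonical).decode("ascii")  # step 4: 6-bit alphabet, 76-char lines
    else:
        raise ValueError("only MIC-CLEAR and MIC-ONLY are supported in this example")
    header = {"Proc-Type": "4," + msg_type, "MIC-Info": "MD5,HMAC-STANDIN," + tag}
    return header, body


def pem_receive(header: dict, body: str, key: bytes) -> str:
    """Receiver: check the type, decode if needed, verify the MIC, convert to the local format."""
    msg_type = header["Proc-Type"].split(",", 1)[1]
    if msg_type == MIC_ONLY:
        canonical = base64.b64decode(body)   # undo the 6-bit encoding; stray line breaks are ignored
    elif msg_type == MIC_CLEAR:
        canonical = canonicalize(body)       # clear text must be re-canonicalized before checking
    else:
        raise ValueError("ENCRYPTED not handled in this example")
    expected = _mic_tag(canonical, key)
    received = header["MIC-Info"].rsplit(",", 1)[1]
    if not hmac.compare_digest(expected, received):
        raise ValueError("MIC check failed: message altered or not from the claimed sender")
    return canonical.decode("ascii").replace("\r\n", "\n")   # back to the local (LF) format


def fold_lines(body: str, width: int = 40) -> str:
    """Constructed mail-gateway behaviour: folds lines longer than `width`."""
    out = []
    for line in body.split("\n"):
        while len(line) > width:
            out.append(line[:width])
            line = line[width:]
        out.append(line)
    return "\n".join(out)


def demo() -> dict:
    key = b"constructed shared key"   # constructed
    text = "Subject line\nThis line is deliberately longer than forty characters so a gateway folds it.\n"
    results = {}
    for msg_type in (MIC_CLEAR, MIC_ONLY):
        header, body = pem_send(text, msg_type, key)
        results[msg_type + " direct"] = pem_receive(header, body, key) == text
        try:
            results[msg_type + " via gateway"] = pem_receive(header, fold_lines(body), key) == text
        except ValueError:
            results[msg_type + " via gateway"] = False
    return results
```

The folded MIC-CLEAR body no longer canonicalizes to the bytes the MIC was computed over, so the receiver rejects it; the base64 body survives the same gateway because the decoder discards the inserted line breaks.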
PGP
PGP is a software product that secures e-mail traffic, providing
Confidentiality
– Encrypting the message using the IDEA algorithm in cipher block chaining mode
Data origin authentication
Data integrity
Origin non-repudiation
PGP uses the X.509 protocol for sender authentication
Data Origin Authentication and Message Integrity
Data origin authentication assures the recipient of the identity of the sender
Data origin authentication and message integrity are accomplished as follows
A one-way hash function is applied to the message and the resulting message digest is appended to the message
– MD5
The message digest is encrypted with the sender's private key
– RSA with key lengths of 384, 512 or 1024 bits
The receiver uses the sender's public key to decrypt the message digest
– Which ensures that the digest was indeed encrypted by the identified message sender
PGP Usage
PGP automatically provides confidentiality, authentication and data integrity
It is, however, possible to send a PGP message without confidentiality, authentication or integrity
PGP can be used to secure e-mail as well as to encrypt files
PGP compresses messages using the ZIP 2.0 program
– This reduces the size of the message and makes the cryptanalyst's task more difficult
S/MIME
S/MIME tries to secure e-mail messages by defining a new protocol rather than an application package like PGP
The message is composed of two parts
Header
– Contains all the information for a correct and secure transmission
Text
– In MIME format
It permits the secure transmission of messages containing attachments as well
Network Boundaries
With IPSec and SSL, the security perimeters coincide with the boundaries of the nodes in a computer network
The nodes are assumed to be secure while the network is insecure
Networks consist of nested subnets, and it may be the case that the boundary of such a subnet is an appropriate security perimeter
This is the case of an organization that has installed a local area network (LAN)
Separating Two Subnets
Separating two subnets consists in avoiding that data belonging to one subnet accidentally migrate outside it
The solution is a router that passes packets between the subnets only if they are explicitly addressed to a node on the other side
(Diagram: subnet1 and subnet2 connected through a router)
Virtual Private Network
When the subnets are not directly connected, a virtual private network (VPN) may establish a secure connection between gateways in each of the subnets
All traffic between the subnets has to go through these gateways, where cryptographic protection is added to extend the security perimeter
(Diagram: subnet1 and subnet2, each behind a gateway, joined by a secure connection)
Firewalls (1)
When the LAN is connected to the Internet, the threat environment changes
To protect private networks (Intranets) from eavesdropping, intrusion and other attacks from the Internet, an adequate barrier is required
This barrier is a firewall
A firewall may also be installed between two different Intranet zones where we want to prevent access by unauthorised personnel
Firewalls (2)
(Diagram: the Internet and the Intranet separated by the FIREWALL)
Firewalls (3)
A firewall identifies a set of actions executed by adopting special hardware and special software
The principal components are
Filtering
Proxy
Domain Name System (DNS)
E-mail server
Some Considerations
An authentication protocol requires knowing who our users are
When we want to reach out into the Internet to meet an ever growing set of users
– An authentication protocol is inappropriate
To determine our access control decisions we have to use
– The address a remote user comes from
– Or the service requested
Firewall Tasks
Typical tasks of a firewall are
Access control based on sender or receiver addresses
Access control based on the service requested
Hiding the internal network
– Topology, addresses and traffic, from the outside world
Virus checking on incoming files
Authentication based on the source of traffic
Logging of Internet activities
The two fundamental mechanisms used by firewalls are
Packet filtering
Proxy servers
Negative Aspects
A firewall also presents negative aspects
It may protect only from the attacks for which it is configured
A compromise of the firewall exposes the Intranet to attacks
It offers no protection against direct network access doors
It cannot protect the resources from attack by an internal user of the private network
It is useful only if all the Internet traffic is handled through the firewall
Usually it does not perform virus protection
– To implement such protection, the firewall must implement the logic to detect viruses in the data stream
As a security concentration point it may be a bottleneck
Security Policy Definition
A firewall cannot be acquired as a pre-manufactured solution
It has to be modelled on the basis of the requirements and the right compromise between security and functionality
A high-level network security policy definition is required before configuring the firewall
– The possibility of downloading files
– Telnet support for Internet users
– Access with different rights for different users
– The identity registration of whoever accesses through the firewall
– …
Packet Filtering (1)
A packet filter is usually a router (screening router) that
Examines the passing information packets
Executes a selection based on
– The packet IP addresses, source and destination
– The port numbers of source and destination
– Protocol type: TCP, UDP, FTP, TELNET, ...
– Direction: from inside to outside, from outside to inside
Packet filtering works at IP level
Often it is difficult to specify security policies with rules that work at such a low level
Filtering Table (1)
Filtering operations make use of a filtering table
A filtering table contains the rules to be applied
Filtering rules should be designed to reflect the company security policy
To avoid IP spoofing attacks the filter rules should discard any packet from the Internet that contains the source address of a host inside the private network

Action  Source  Source Port  Destination     Destination Port  Protocol  Flags/options  Description
allow   *       *            145.115.12.127  *                 TCP                      Connection to external trusted host
allow   *       25           *               *                 TCP       ack=1
block   *       *            *               *                 *                        default
Filtering Table (2)
The filter component of a firewall works as follows
When a packet arrives, it is tested against the first rule
If the first rule applies to the packet, then the action specified for that rule is carried out
– The packet is rejected or forwarded
If this rule does not apply, the second rule is checked, and so on
If no rule applies, the last rule rejects the packet
– Closed system policy
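The first-match evaluation of the filtering table from the two slides above, as an added Python example (not code from the lecture or from any router). The table is the slide's own three rules, preceded by the anti-spoofing rule the text recommends; the internal address block 10.0.0.0/8, the probe packets and the reading of "ack=1" as "only packets belonging to an already established TCP connection" are assumptions made for the example.

```python
"""First-match packet filter over a filtering table, with the anti-spoofing rule in front."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Port = Union[int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str          # "in" (Internet -> Intranet) or "out"
    ack: bool = False       # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    src: str = "*"          # address or CIDR network, "*" = any
    sport: Port = "*"
    dst: str = "*"
    dport: Port = "*"
    proto: str = "*"
    ack: Optional[bool] = None   # None = don't care; the slide's "ack=1" is ack=True
    direction: str = "*"
    description: str = ""

    def matches(self, p: Packet) -> bool:
        def addr_ok(pattern: str, address: str) -> bool:
            if pattern == "*":
                return True
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        return (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and self.sport in ("*", p.sport) and self.dport in ("*", p.dport)
                and self.proto in ("*", p.proto.upper())
                and (self.ack is None or self.ack == p.ack)
                and self.direction in ("*", p.direction))


INTERNAL_NET = "10.0.0.0/8"     # constructed: the private network's address block

# The slide's table, preceded by the anti-spoofing rule the text recommends.
FILTER_TABLE = [
    Rule("block", src=INTERNAL_NET, direction="in",
         description="anti-spoofing: internal source address arriving from the Internet"),
    Rule("allow", dst="145.115.12.127", proto="TCP",
         description="connection to external trusted host"),
    Rule("allow", sport=25, proto="TCP", ack=True,
         description="ack=1: only packets of an established connection from a remote SMTP port"),
    Rule("block", description="default (closed policy)"),
]


def filter_packet(p: Packet, table=FILTER_TABLE):
    """The first matching rule decides; the last rule always matches, so nothing falls through."""
    for index, rule in enumerate(table):
        if rule.matches(p):
            return rule.action, index, rule.description
    raise AssertionError("the table must end with a catch-all rule")


def demo() -> dict:
    probes = {   # constructed packets; 203.0.113.5 is a documentation address
        "to trusted host": Packet("10.1.2.3", 40001, "145.115.12.127", 80, "tcp", "out"),
        "spoofed internal source": Packet("10.9.9.9", 40002, "10.1.2.3", 80, "tcp", "in"),
        "smtp reply, ack set": Packet("203.0.113.5", 25, "10.1.2.3", 40003, "tcp", "in", ack=True),
        "smtp syn, no ack": Packet("203.0.113.5", 25, "10.1.2.3", 40003, "tcp", "in"),
        "udp to trusted host": Packet("10.1.2.3", 40004, "145.115.12.127", 53, "udp", "out"),
    }
    return {name: filter_packet(pkt)[0] for name, pkt in probes.items()}
```

Rule order matters: moving the anti-spoofing rule below the "trusted host" rule would let a spoofed packet addressed to 145.115.12.127 through, which is the kind of low-level subtlety the slide means when it says policies are hard to express at IP level.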
Screening Router
(Diagram: a router holding the filtering table placed between the Internet and the Intranet)
TCP Problem
A TCP client begins an FTP connection with port 21 of the FTP server
– Control communication, used for receiving and transmitting commands
Data transmission occurs between port 20 of the server and a random client port
This makes it difficult to create rules that filter packets while permitting FTP communication between an internal host and an external server
In addition, when access to an external FTP server is granted, the network address of the client is revealed
– This information could be useful for potential attackers
Proxy Servers (1)
A proxy server intercepts and examines traffic at the TCP/IP layer, permitting
To implement policies based on user identities (authentication)
– Packet filtering does not permit user authentication
To hide information about the internal network topology
The proxy server intercepts the client request and decides whether it is permitted according to its security rules
It is the only entity seen by the outside world
A proxy server allows access to a specific service
Since it is at the application layer, separate proxy servers may be required for each type of application (service)
Proxy Servers (2)
To begin a communication with the outside
The client connects to the proxy server of the proper application
The proxy server
– Authenticates the user and ensures he is authorized to access the application
– Creates a second TCP/IP connection between itself and the server on the Internet
– So each packet leaving the Intranet carries the firewall IP address (the Intranet topology is hidden)
– Receives information from one of the two connections and transfers it to the other according to the adopted security policies
A proxy server may record in a log file all the significant information about the network traffic
Domain Name System
A DNS provides the name-to-address translation in a TCP/IP network
A firewall can provide a modified name-server function for users residing inside and outside the private network
The firewall should not divulge the IP addresses of hosts inside the private network
For inquiries from hosts outside the private network, the firewall should resolve all the names of hosts inside the private network to the IP address of the firewall
For inquiries from hosts inside the private network, the firewall forwards the name-to-address resolution for hosts on the Internet
Mail Handling
E-mail is often the first vehicle of problems
To protect the private network, one approach is to provide a mail gateway to the private network
E-mail originating from the private network
– Is first sent to the mail gateway
– The mail gateway selects the e-mail destined for the Internet and forwards it to the firewall mail handling program
E-mail received from the Internet
– The firewall forwards it to the mail gateway on the private network
– The mail may be submitted by the gateway to checks for viruses or other malicious software
Firewall Architectures
A firewall is made of several components that generate different architectures (configurations) according to the way they are combined
Screening router
Dual-homed host
Screened host gateway
Screened subnet firewall
Double bastion host
Dual-homed Host (1)
A dual-homed host is a machine with two network interfaces, to keep the traffic separated
One towards the Internet
The other towards the Intranet
The Intranet is physically separated from the Internet
The traffic must pass through the gateway
It can be used as a firewall
– It not only routes packets between the Internet and the Intranet (packet filtering)
– But also processes these packets according to its security rules (proxy server)
Dual-homed Host (2)
(Diagram: network interface 1 towards the Internet and network interface 2 towards the Intranet, joined by a forwarder that applies the rules)
Bastion Host
Putting all the controls on a single machine is dangerous
If an attacker defeats it, the whole system is compromised
A bastion host is any machine belonging to the firewall with the highest degree of criticality
The criticality derives from its high exposure to attacks
It may be located outside the firewall (in the Intranet) or inside it
A proxy is often installed on a bastion host
Or the services that we want to offer to the outside
– Web server
– FTP server
– ...
Packets are let in only if addressed to the bastion host
Screened Host Gateway (1)
To improve the Intranet security, a screening router is often coupled with a bastion host
The screening router has the purpose of forwarding all the authorized packets towards the bastion host
The bastion host analyses the information looking for attacks at a layer higher than IP
The double check increases the security level inside the system
This solution relies heavily on the routing table of the screening router
– Its violation may allow the bastion host to be bypassed
– By deleting the line that routes the traffic to the bastion host
Screened Host Gateway (2)
(Diagram: the Internet, a screening router, then the bastion host running the proxy in front of the Intranet)
Dual-homed Gateway (1)
A peripheral network, also called demilitarised zone (DMZ), is placed between the internal network and the Internet
A screening router sits between the Internet and the peripheral network
A bastion host in dual-homed host configuration is used, so that a modification of the routing table of the screening router does not compromise the system
The DMZ is a suitable location for non-sensitive hosts that should be accessible to the outside world, like a Web server
– Outsiders browsing web pages need not get into the internal network at all
Dual-homed Gateway (2)
(Diagram: the Internet, a screening router, the peripheral network (DMZ) with the bastion host configured as a dual-homed host, and the internal network; the router, the DMZ and the bastion host together form the firewall)
DMZ
A network oriented application usually uses two types of data
Public
Private
The DMZ may be exploited to manage the two different data types
All the data, private and public, are stored inside the internal network
Inside the DMZ are installed hosts that manage only public data
– So public data may be accessed from the Internet without entering the private network
Screened Subnet (1)
This configuration presents two screening routers and, between them, bastion hosts containing the services offered to the outside world
The first screening router
– Forwards traffic from the outside to the bastion hosts and in the opposite direction
– Other traffic is rejected
The second screening router (choke)
– Permits communication with the Intranet only to the bastion hosts
Screened Subnet (2)
(Diagram: the Internet, the external screening router, the peripheral network (DMZ) with the bastion hosts (DNS host, FTP host), the internal screening router (choke), and the internal network; the two routers and the DMZ form the firewall)
Security Evaluation
The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, were the first evaluation criteria to gain wide acceptance
Other evaluation criteria have been developed
Information Technology Security Evaluation Criteria (ITSEC)
Federal Criteria
Common Criteria
Security evaluation aims to give assurance that a product/system is secure
Evaluation Criteria
Evaluation criteria refer to
Products
– The verification concerns the satisfaction of a generic set of security requirements, specified within the security classes by the Orange Book, or of the protection profile defined by the Common Criteria
Systems
– The analysis starts from the evaluation of each system component, as described by the ITSEC
Evaluation Purpose
The Orange Book distinguishes between
Evaluation
– Assessing whether a product has the security properties claimed for it
Certification
– Assessing whether a product is suitable for a given application
Accreditation
– Deciding that a product will be used in a given application
Credibility
The credibility of an evaluation depends on the method used
Two situations should be prevented
– An evaluated product is later found to contain a serious flaw
– Different evaluations of the same product disagree in their results
Repeatability and reproducibility are often included among the evaluation methodology criteria
Security evaluations should arrive at an independent, commonly accepted verdict on the properties of security products
An independent evaluation facility can be either
– A government agency
– Or a properly accredited enterprise
The Orange Book
It is the first guideline for evaluating security products
The Orange Book was intended to create a more generally applicable document that provides
A yardstick for users to assess the degree of trust that can be placed in a computer security system
Guidance for manufacturers of computer security systems
A basis for specifying security requirements when acquiring a computer security system
Criteria (1)
The criteria used by the Orange Book to define its evaluation classes are
Security policy
– Mandatory and discretionary access control policies expressed in terms of subjects and objects
Marking of objects
– Labels specify the sensitivity of objects
Identification of subjects
– Individual subjects must be identified and authenticated
Accountability
– Audit logs of security-relevant events have to be kept
Criteria (2)
Assurance
– Operational assurance refers to the security architecture
– Life cycle assurance refers to methodology, testing, configuration and management
Documentation
– Evaluators need test and design documentation
– Guidance to install and use the product is also needed
Continuous protection
– Security mechanisms cannot be tampered with
Divisions and Classes
The Orange Book applies the previous criteria to define four security divisions and seven security classes
Products in higher classes provide more security mechanisms and assurance
The security classes are defined incrementally
– All requirements of one class are included in those of a higher one
The four divisions
D, minimal protection
C, discretionary protection
B, mandatory protection
A, verified protection
Minimal Protection
Class D contains products submitted for evaluation that do not meet the requirements of any other Orange Book class
Class C1: Discretionary Security Protection
C1 systems are intended for an environment where co-operating users process data at the same level of integrity
Discretionary access control is based on individual users and/or groups
Users have to identify themselves and their identity has to be authenticated
The Trusted Computing Base (TCB) has to have its own execution domain
Documentation has to be provided
– User manual
– Trusted facility manual (for the system administrator)
– Test documentation
– Design documentation
Class C2: Controlled Access Protection
C2 systems make users individually accountable for their actions
Discretionary access control is enforced at the granularity of single users
Propagation of access rights has to be controlled
Audit trails of security-relevant events have to be kept
C2 is regarded as the most reasonable class for commercial applications
Class B1: Labelled Security Protection (1)
Division B is intended for products that handle classified data and enforce the mandatory Bell-LaPadula policies
Each object and subject has a label
– The integrity of labels has to be protected
– It is necessary to consider what happens to labels when objects are exported to other systems
The security labels of a subject are determined by identification and authentication
An informal or formal model of the security policy is required
Testing and documentation have to be much more thorough
Class B1: Labelled Security Protection (2)
Design documentation, source code and object code have to be analysed
All flaws uncovered in testing must be removed
B1 certificates have been received by complex software systems like
– Multi-level secure Unix systems
– Database management systems
Class B1 is intended for system high environments with compartments
Class B2: Structured Protection
Class B2 increases assurance by adding requirements on the design of the system
Mandatory access control also governs access to physical devices
A formal model of the security policy and a descriptive top level specification of the system are required
The TCB shall provide distinct address spaces to isolate processes
– Hardware mechanisms support memory management
A covert channel analysis has to be done
– Events potentially creating a covert channel have to be audited
Security testing will establish that the TCB is relatively resistant to penetration
Class B3: Security Domains
B3 systems are rated highly resistant to penetration
A security administrator is supported
Auditing mechanisms monitor the occurrence of security-relevant events and issue automatic warnings in suspicious situations
Trusted recovery after a system failure has to be facilitated
Class A1: Verified Design (1)
Class A1 is functionally equivalent to B3
The use of formal methods permits the highest assurance level to be achieved
Evaluation for class A1 requires
A formal model of the security policy
A formal top level specification
A consistency proof between the model and the formal top level specification
The TCB implementation has to be shown informally to be consistent with the formal top level specification
A formal analysis of covert channels
Class A1: Verified Design (2)
In addition, more stringent configuration management and distribution control ensure that the version installed at a customer site is the same as the evaluated master copy
Very few products have been evaluated to class A1
Security Planning
Protecting system information means answering questions like
– How much is this information worth?
– How can we estimate the damage deriving from information loss?
The enterprise has to answer by producing the following documentation
Business Security Analysis
Security Policy
Security Plan
Disaster Recovery Plan
Security Audits
Business Impact Analysis
This document values the economic consequences deriving from a possible attack
Through risk analysis we try to estimate the damages caused by a successful attack
The first step in risk analysis is to define
– What we are protecting
– What its value is inside the enterprise
– Against whom we are protecting it
– The probability that the attack occurs
The second step is to estimate the economic damage caused by the attack
Security Policy
The security policies are defined starting from the previous analysis
These rules list a set of technical rules, procedures, principles and behaviours with the aim of avoiding attack risks
The document also defines the responsibility for data and systems
The identification and creation of the policies is only the first step
– Policies have to be periodically updated, trying to satisfy the new user requirements and the intended security degree
Security Plan & Disaster Recovery Plan
The aim of the Security Plan is to implement the rules defined inside the security policy document to reach the desired security degree
System analysis, even if executed at a deep level, cannot find all the security flaws
– Some flaws are not suitably covered, either because of wrong evaluations or because of a low cost-of-risk to cost-of-countermeasure ratio
The Disaster Recovery Plan specifies the behaviours users have to assume in the event an attack succeeds
– Natural disasters are also considered
Security Audits
The first four documents are written in the order presented
The Security Audits document covers the entire analysis cycle
It describes the current security level
– Comparing what is happening with what should happen
– Showing how users are reacting
Developing Methodology
Defining a security policy has to take into account the constraints tied to the structure within which the system works
– Technical constraints
– Logistic constraints
– Administrative constraints
– Political and economic constraints
To satisfy all these constraints, a planning, implementation and maintenance methodology is required
Methodology Phases
A security methodology consists of the following main phases
Context analysis
Information system analysis
Users classification
Access rights definition
Undesired events cataloguing
Risk analysis
Countermeasures identification
Countermeasures integration
Context Analysis
In this phase the organization's purpose and structure are studied in terms of
– Number and geographic distribution of the headquarters
– Organizational units (departments, offices, …)
– Roles, competences and responsibilities
– Hierarchical and functional relations
Procedures and information flows are also analysed
Information System Analysis (1)
This phase consists in analyzing:
Physical resources
The information system is seen as a set of devices that, in order to work, need space, electric power supply, a suitable environment, and protection from material damage and theft. The analysis consists of
– Components identification
– Rooms inspection and evaluation
– Cabling verification
Information System Analysis (2)
Logical resources
The system is seen as a set of information, flows and processes. The analysis consists of
– Information classification
– Services cataloguing
Resource interdependencies
For each system resource, physical or logical, it is necessary to identify the resources it needs in order to work correctly. This analysis points out the potentially critical system resources.
Users Classification
The assignment of a class to each user allows
Grouping users of the same class
Defining common security constraints
Users may be classified, as a first approximation, by their role inside the organization.
Access Rights Definition
In a system, we must explicitly define which services and information each user type may access, and with which modality. The outcome of the analysis is two matrices:
Users/services matrix
Users/information matrix
Undesired Events Cataloguing
Having described what may happen to the system, in this phase we try to point out what must not happen.
A systematic search is needed to identify the majority of the undesired events. A starting point may be to consider as an undesired event each access, to information or to services, that is not allowed by the rights matrices. It is good practice to distinguish between
Intentional attacks
Accidental events
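The two rights matrices of the Access Rights Definition phase, used as the starting point for the undesired events catalogue described above: every logged access the matrices do not allow is flagged. This is an added example, not part of the original slides; the user classes, resources, modalities and log lines are all constructed.

```python
from dataclasses import dataclass
# Constructed rights matrices: (user class, resource) -> allowed modalities.
USERS_SERVICES = {
    ("clerk", "payroll-app"): {"use"},
    ("admin", "payroll-app"): {"use", "configure"},
    ("admin", "backup"): {"use", "configure"},
}
USERS_INFORMATION = {
    ("clerk", "salaries"): {"read"},
    ("admin", "salaries"): {"read", "write"},
    ("auditor", "salaries"): {"read"},
    ("auditor", "audit-log"): {"read"},
}
# Constructed users classification: user -> class (role in the organization).
USER_CLASS = {"alice": "clerk", "bob": "admin", "carol": "auditor"}

@dataclass(frozen=True)
class Access:
    user: str
    kind: str       # "service" or "information"
    resource: str
    modality: str

def parse_line(line):
    # Constructed log format: "<user> <service|information> <resource> <modality>"
    user, kind, resource, modality = line.split()
    return Access(user, kind, resource, modality)

def is_allowed(a):
    """True only if the matrix for this kind of resource grants the modality."""
    matrix = USERS_SERVICES if a.kind == "service" else USERS_INFORMATION
    cls = USER_CLASS.get(a.user)
    if cls is None:
        return False  # unknown user: no class, hence no rights
    return a.modality in matrix.get((cls, a.resource), set())

def undesired_events(lines):
    """Every logged access the matrices do not allow: the starting catalogue
    of undesired events, to be split later into intentional and accidental."""
    return [a for a in map(parse_line, lines) if not is_allowed(a)]

# Constructed sample log: three legitimate accesses and two that are not allowed.
SAMPLE_LOG = [
    "alice service payroll-app use",
    "alice information salaries write",
    "bob service backup configure",
    "carol information salaries read",
    "mallory information audit-log read",
]
```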
Risk Analysis
Once the undesired events have been defined and catalogued, it is important to associate a risk with each of them.
The risk analysis allows the next phase, countermeasures identification, to be directed towards the potentially more critical system areas.
Countermeasures Identification
In this phase we have to choose the countermeasures to adopt in order to neutralize the undesired events previously identified. Countermeasures identification consists of:
Cost/efficacy ratio evaluation
To avoid countermeasures whose cost is enormous compared to the risk they have to protect from
Analysis of security standards and of the reference security model
Organizational countermeasures
It is essential that the staff acquires a security consciousness
Technical countermeasures
Countermeasures Integration
A set of countermeasures may be a collection of uncorrelated expedients that can hardly provide an adequate answer to the global security needs of an organization. We need to make a selection among the adopted countermeasures. The aim is to identify a subset of minimum cost that respects the following constraints:
Completeness
Homogeneity
Controlled redundancy
Accomplishment
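The last three phases carried through on a small catalogue: risk analysis as likelihood times impact, the cost/efficacy screen of countermeasures identification, and the integration step that picks the minimum-cost subset covering every event while reporting the redundancy it introduces. This is an added example, not the slides' own method; the events, likelihoods, impacts, countermeasures and costs are constructed, and a cost/risk ratio of 1 is an assumed threshold.

```python
from itertools import combinations
# Constructed catalogue: undesired event -> (yearly likelihood in %, impact in k€)
EVENTS = {
    "salary-file-leak": (20, 300),
    "payroll-tampering": (10, 500),
    "server-room-flood": (5, 200),
    "backup-theft": (10, 150),
}
# Constructed countermeasures: name -> (yearly cost in k€, events it neutralizes)
COUNTERMEASURES = {
    "disk-encryption": (20, {"salary-file-leak", "backup-theft"}),
    "dual-approval": (15, {"payroll-tampering"}),
    "raised-floor": (80, {"server-room-flood"}),
    "offsite-backup": (20, {"server-room-flood", "backup-theft"}),
    "armoured-vault": (400, {"backup-theft"}),
}

def risk(event):
    """Risk analysis: expected yearly loss in k€ (likelihood x impact)."""
    likelihood, impact = EVENTS[event]
    return likelihood * impact / 100

def affordable(max_ratio=1.0):
    """Cost/efficacy screen: drop countermeasures whose cost exceeds
    max_ratio times the yearly risk they remove (assumed threshold)."""
    return {name: (cost, covered)
            for name, (cost, covered) in COUNTERMEASURES.items()
            if cost <= max_ratio * sum(risk(e) for e in covered)}

def integrate(candidates):
    """Minimum-cost subset covering every event (completeness), plus the events
    covered more than once (controlled redundancy). None if none is complete."""
    best = None
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            covered = set().union(*(candidates[n][1] for n in subset))
            if covered != set(EVENTS):
                continue
            cost = sum(candidates[n][0] for n in subset)
            if best is None or cost < best[0]:
                best = (cost, subset)
    if best is None:
        return None
    cost, subset = best
    hits = {}
    for n in subset:
        for e in candidates[n][1]:
            hits[e] = hits.get(e, 0) + 1
    redundant = sorted(e for e, c in hits.items() if c > 1)
    return cost, sorted(subset), redundant
```

With the constructed figures the raised floor and the vault fail the cost/efficacy screen, and the remaining three measures are all needed for completeness, with backup theft covered twice.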