CSCE 313 Introduction to Computer Systems
Instructor: Amin Hassanzadeh
Fall 2013
http://people.tamu.edu/~hassanzadeh/csce313.htm
2
Security Overview
• Security Today
• Security Goals
• Security Threats
3
Security Today
• We rely on the secure operation of computers, systems, and networks, which are vulnerable
• Attacks occur every second and 25%+ of Internet PCs are compromised
• The 2003 loss estimates range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks)
• Attacks and financial losses are still on the rise
4
The Good News ...
• Plenty of basic means for end-user protection - authentication, access control, integrity checking
• Intensive R&D effort on security solutions (government sponsored research & private industry development)
• Increasing public awareness of security issues
• New crops of security(-aware) researchers and engineers
5
The Bad News ...
• (Existing) information infrastructure as a whole is very vulnerable, which makes all critical national infrastructure vulnerable
– e.g., Denial-of-service attacks are particularly dangerous to the Internet infrastructure
– Do we continue to band-aid or re-design?
• Serious lack of effective technologies, policies, and management framework
6
The Definition
• Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable
• Security rests on
– Confidentiality
– Authenticity
– Integrity
– Availability
7
Security Goals
• Authentication of Alice (the client)
• Authorization of request from Alice
• Confidentiality (e.g. protect the content of request)
• Accountability (non-repudiation)
• Availability
(Figure: “Alice”, “Bob”, “Eve”, “Lucifer”)
8
The Basic Components
• Confidentiality is the concealment of information or resources.
• Authenticity is the identification and assurance of the origin of information.
• Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
• Availability refers to the ability to use the information or resource desired.
9
Security Threats and Attacks
• A threat is a potential violation of security.
– Flaws in design, implementation, and operation.
• An attack is any action that violates security.
– Active adversary.
10
Eavesdropping - Message Interception (Attack on Confidentiality)
• Unauthorized access to information
• Packet sniffers and wiretappers
• Illicit copying of files and programs
(Figure: A, B, and an eavesdropper)
11
Integrity Attack - Tampering With Messages
• Stop the flow of the message
• Delay and optionally modify the message
• Release the message again
(Figure: A, B, and a perpetrator)
12
Typical Attacks: Man-In-The-Middle
13
Authenticity Attack - Fabrication
• Unauthorized assumption of another’s identity
• Generate and distribute objects under this identity
(Figure: A, B, and a masquerader sending messages marked “from A”)
14
Man-In-The-Middle: Example
• Passive tapping
– Listen to communication without altering contents.
• Active wire tapping
– Modify data being transmitted
– Example:
(Figure: user, intruder and server, with the labels “fine!” and “X logoff!”)
Intruder takes over identity of user (masquerading)
Attack on Availability
• Destroy hardware (cutting fiber) or software
• Modify software in a subtle way (alias commands)
• Corrupt packets in transit
• Blatant denial of service (DoS):
– Crashing the server
– Overwhelm the server (use up its resource)
A B
16
Impact of Attacks
• Theft of confidential information
• Unauthorized use of
– Network bandwidth
– Computing resource
• Spread of false information
• Disruption of legitimate services
All attacks can be related and are dangerous!
17
Security Policy and Mechanism
• Policy: a statement of what is, and is not allowed.
• Mechanism: a procedure, tool, or method of enforcing a policy.
• Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.
• Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
• Cryptography underlies many security mechanisms.
18
Assumptions and Trust
• A security policy consists of a set of axioms that the policy makers believe can be enforced.
• Two assumptions
– The policy correctly and unambiguously partitions the set of system states into secure and nonsecure states
• The policy is correct
– The security mechanisms prevent the system from entering a nonsecure state
• The mechanisms are effective
19
Assumptions and Trust – Cont’d
• Trusting that the mechanisms work requires the following assumptions
– Each mechanism enforces part(s) of the security policy
– The union of the mechanisms enforces all aspects of the policy
– The mechanisms are implemented, installed, and administered correctly
20
How to Make a System Trustworthy
• Specification
– A statement of desired functions
• Design
– A translation of specifications to a set of components
• Implementation
– Realization of a system that satisfies the design
• Assurance
– The process to ensure that the above steps are carried out correctly
– Inspections, proofs, testing, etc.
21
Operational / Human Issues
Operational Issues
• Risk Analysis
• Cost-Benefit Analysis
• Laws and Custom
Human Issues
• Organizational Problems
• People Problems
22
The Security Life Cycle
• The iterations of
– Threats
– Policy
– Specification
– Design
– Implementation
– Operation and maintenance
23
Taxonomy of Threats
• Taxonomy – a way to classify and refer to threats (and attacks) by names/categories
– Benefits – avoid confusion
– Focus/coordinate development efforts of security mechanisms
• No standard yet
• One possibility: by results/intentions first, then by techniques, then further by targets, etc.
– Associate severity/cost to each threat
24
A Taxonomy Example
• By results then by (high-level) techniques:
– Illegal root
• Remote, e.g., buffer-overflow a daemon
• Local, e.g., buffer-overflow a “root” program
– Illegal user
• Single, e.g., guess password
• Multiple, e.g., via previously installed back-door
– Denial-of-Service
• Crashing, e.g., teardrop, ping-of-death, land
• Resource consumption, e.g., syn-flood
– Probe
• Simple, e.g., fast/regular port-scan
• Stealth, e.g., slow/“random” port-scan
25
Security Threats
• Information Disclosure:
– unauthorized dissemination of information
– result of theft or illegal action by someone who has access to information
• Information Destruction:
– loss of internal data structures
– loss of stored information
– information may be destroyed without being disclosed
• Unauthorized Use of Service:
– bypass system accounting policies
– unauthorized use of some proprietary services
• Denial of Service:
– prevent an authorized user from utilizing the system’s services in a timely manner
26
Threat Examples - IP Spoofing
• A common first step to many threats
• Source IP address cannot be trusted!
(Figure: an IP packet, IP header followed by IP payload; the header carries SRC, the source, and DST, the destination)
Example header: SRC: 18.31.10.8 DST: 128.194.7.237
Is it really from MIT?
27
Similar to US Mail (or E-mail)
From: Amin H. TAMU
To: William S. Boston, MA
US mail may be better in the sense that there is a stamp put on the envelope at the location (e.g., town) of collection...
28
Most Routers Only Care About Destination Address
(Figure: routers (Rtr) connect Columbia (128.59.10.xx), TAMU (128.194.xx.xx) and Stanford (36.190.0.xx). The same packet, src:128.59.10.8 dst:128.194.7.237, is shown entering from Columbia and from Stanford.)
29
Why Should I Care?
• Attack packets with spoofed IP address help hide the attacking source.
• A smurf attack launched with your host IP address could bring your host and network to their knees.
• Higher protocol layers (e.g., TCP) help to protect applications from direct harm, but not enough.
30
Current IPv4 Infrastructure
• No authentication for the source
• Various approaches exist to address the problem:
– Router/firewall filtering
– TCP handshake
31
Router Filtering
• Decide whether this packet, with certain source IP address, should come from this side of network.
• Not standard - local policy.
(Figure: the router on the Stanford network, 36.190.0.xx, sees a packet with src:128.59.10.8 dst:128.194.7.237: “Hey, you shouldn’t be here!”)
32
Router Filtering
• Very effective for some networks (ISP should always do that!)
– At least be sure that this packet is from some particular subnet
• Problems:
– Hard to handle frequent add/delete of hosts/subnets or Mobile IP
– Upsets customers if legitimate packets get discarded
– Need to trust other routers
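The source check a filtering router applies, as an added Python sketch (not from the original slides). Interface names and prefix lengths are assumptions built from the slides' 36.190.0.xx, 128.59.10.xx and 128.194.xx.xx networks; the sample packets are constructed.

```python
import ipaddress

# Assumed policy table: which source prefixes may appear on which interface.
INTERFACE_PREFIXES = {
    "to-stanford": ["36.190.0.0/24"],
    "to-columbia": ["128.59.10.0/24"],
    "to-tamu": ["128.194.0.0/16"],
}

_TABLE = {
    name: [ipaddress.ip_network(p) for p in prefixes]
    for name, prefixes in INTERFACE_PREFIXES.items()
}


def source_allowed(interface, src):
    """Return (allowed, reason) for a packet with source `src` seen on `interface`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed source address"
    prefixes = _TABLE.get(interface)
    if prefixes is None:
        # Fail closed: an interface without a policy forwards nothing.
        return False, "no policy for interface"
    if any(addr in net for net in prefixes):
        return True, "source belongs to this side of the network"
    # Record where the address should have come from; useful in drop logs.
    for other, nets in _TABLE.items():
        if any(addr in net for net in nets):
            return False, f"source belongs behind {other}"
    return False, "source not in any known prefix"


def filter_packets(packets):
    """Apply the check to (interface, src, dst) tuples; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for interface, src, dst in packets:
        ok, reason = source_allowed(interface, src)
        (forwarded if ok else dropped).append((interface, src, dst, reason))
    return forwarded, dropped


# Constructed sample traffic. The second packet is the slide's case: a
# Columbia source address arriving from the Stanford side.
SAMPLE = [
    ("to-columbia", "128.59.10.8", "128.194.7.237"),
    ("to-stanford", "128.59.10.8", "128.194.7.237"),
    ("to-stanford", "36.190.0.17", "128.194.7.237"),
    ("to-unknown", "36.190.0.17", "128.194.7.237"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for row in fwd:
        print("forward", row)
    for row in drp:
        print("drop   ", row)
```

The table has to be kept in step with every added or removed subnet, which is the maintenance problem the slide lists.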
33
TCP Handshake
client → server: SYN seq=x
server → client: SYN seq=y, ACK x+1
client → server: ACK y+1
connection established
34
TCP Handshake
(Figure: the Columbia (128.59.10.xx) / TAMU (128.194.xx.xx) / Stanford (36.190.0.xx) topology again, with the packet src:128.59.10.8 dst:128.194.7.237 sent from Stanford and the labels “x” and “seq=y, ACK x+1”)
The handshake prevents the attacker from establishing a TCP connection pretending to be 128.59.10.8
35
TCP Handshake
• Very effective for stopping most such attacks
• Problems:
– The attacker can succeed if “y” can be predicted
– Other DoS attacks are still possible (e.g., TCP SYN-flood)
36
IP Spoofing & SYN Flood
• X establishes a TCP connection with B assuming A’s IP address
A B
X
(1) SYN Flood
(2) predict B’s TCP seq. behavior
(3)
(4) SYN(seq=n)ACK(seq=m+1)
37
(Figure, ping: icmp echo request, icmp echo reply)
(Figure, smurf: the attacker sends an icmp echo request to a broadcast address, marked as from the victim; icmp echo replies from all hosts go to the victim)
Smurf Attack
• Generate ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host
• Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host
• Amplified ping reply stream can easily overwhelm the victim’s network connection
• Fraggle and Pingpong exploit UDP in a similar way
39
Vulnerability
• A vulnerability (or security flaw) is a specific failure of the security controls.
• Using the failure to violate the site security is called exploiting the vulnerability; the person who does this is an attacker.
• It can be due to:
– Lapses in design, implementation, and operation procedures.
– Even security algorithms/systems are not immune!
• We will go over some examples in this course.
40
Example: IP Protocol-related Vulnerabilities
• Authentication based on IP source address
– But no effective mechanisms against IP spoofing
• Consequences (possible exploits)
– Denial of Service attacks on infrastructures, e.g.
• IP Spoofing and SYN Flood
• Smurf and Fraggle attacks
• OSPF Max Sequence
41
Security: Systems Overview
Functionality: Authentication | Authorization | Confidentiality
Primitives: sign(), verify() | Access control lists, Capabilities, “magic cookies” | encrypt(), decrypt()
Cryptography: ciphers and hashes
42
Cryptography
• Closed-Design vs. Open-Design Cryptography
• Symmetric (“secret-key”) Encryption
• Asymmetric (“Public-Key”) Encryption
43
Closed-Design Cryptography
(Figure: “Alice” uses a closed “crypto box”; “Bob” uses a closed “de-crypto box”)
44
Open-Design Cryptography
45
Encryption
• Encryption algorithm consists of
– Set of K keys
– Set of M Messages
– Set of C ciphertexts (encrypted messages)
– A function E : K → (M → C). That is, for each k ∈ K, E(k) is a function for generating ciphertexts from messages.
• Both E and E(k) for any k should be efficiently computable functions.
– A function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating messages from ciphertexts.
• Both D and D(k) for any k should be efficiently computable functions.
• An encryption algorithm must provide this essential property: given a ciphertext c ∈ C, a computer can compute m such that E(k)(m) = c only if it possesses D(k).
– Thus, a computer holding D(k) can decrypt ciphertexts to the plaintexts used to produce them, but a computer not holding D(k) cannot decrypt ciphertexts.
– Since ciphertexts are generally exposed (for example, sent on the network), it is important that it be infeasible to derive D(k) from the ciphertexts.
46
Computational Difficulty
• Algorithm needs to be efficient.
– Otherwise only short keys can be used.
• Most schemes can be broken: depends on $$$.
– e.g., Try all possible keys.
• Longer key is often more secure:
– Brute-force cryptanalysis: twice as hard with each additional bit.
• Cryptanalysis tools:
– Special-purpose hardware.
– Parallel machines.
– Internet coarse-grain parallelism.
47
Secret Key vs. Secret Algorithm
• Secret algorithm: additional hurdle
• Hard to keep secret if used widely:
– Reverse engineering, social engineering
• Commercial: published
– Wide review, trust
• Military: avoid giving enemy good ideas
48
Cryptanalysis: Breaking an Encryption Scheme
• Ciphertext only:
– Exhaustive search until “recognizable plaintext”
– Need enough ciphertext
• Known plaintext:
– Secret may be revealed (by spy, time), thus <ciphertext, plaintext> pair is obtained
– Great for monoalphabetic ciphers
• Chosen plaintext:
– Choose text, get encrypted
– Useful if limited set of messages
49
Brute Force Attacks
• Number of encryption/sec: 1 million to 1 billion/sec
• 56-bit key broken in 1 week with 120,000 processors ($6.7m)
• 56-bit key broken in 1 month with 28,000 processors ($1.6m)
• 64-bit key broken in 1 week with 3.1 × 10^7 processors ($1.7b)
• 128-bit key broken in 1 week with 5.6 × 10^26 processors
50
Types of Cryptography
• Secret key (Symmetric) cryptography: one key
• Public key (Asymmetric) cryptography: two keys - public, private
• Hash functions: no key
51
Symmetric Encryption
• Same key used to encrypt and decrypt
– E(k) can be derived from D(k), and vice versa
• Examples:
– Data Encryption Standard (DES)
– Triple-DES
– Advanced Encryption Standard (AES)
– Twofish
52
Symmetric Encryption: Caesar Cipher
MERRY CHRISTMAS
PHUUB FKULVWPDV
53
Symmetric Encryption: Jefferson’s Wheel Cipher
• Sender:
– assemble wheels in some (secret) order.
– Align message on one line.
– Choose any of the other lines as ciphertext.
• Receiver:
– Assemble wheels in same secret order.
– Align ciphertext on one line.
– Look for meaningful message on other lines.
Monticello Web Site: www.monticello.org/reports/interests/wheel_cipher.html
54
Symmetric Encryption: XOR
(Figure: “Alice” and “Bob” share the key k. Alice sends m ⊕ k; Bob computes (m ⊕ k) ⊕ k = m.)
XOR truth table:
⊕ | 0 1
0 | 0 1
1 | 1 0
55
Symmetric Encryption: DES (Data Encryption Standard)
Permutation
Permutation
Substitution
Permutation
56
Public Key Cryptography
• Asymmetric cryptography
• Invented/published in 1975
• Two keys: private (d), public (e)
– Encryption: public key; Decryption: private key
– Signing: private key; Verification: public key
• Much slower than secret key cryptography
57
Public Key Cryptography (Cont’d)
• Data transmission:
– Alice encrypts m_A using e_B, Bob decrypts m_A using d_B.
• Storage:
– Can create a safety copy: using public key of trusted person.
• Authentication:
– No need to store secrets, only need public keys.
– Secret key cryptography: need to share secret key for every person to communicate with.
58
Public Key Cryptography (Cont’d)
• Digital signatures
– Encrypt hash h(m) with private key
• Authorship
• Integrity
• Non-repudiation: can’t do with secret key cryptography
59
Asymmetric Encryption
Keys must be different
60
Asymmetric Encryption (cont.)
• Public-key encryption based on each user having two keys:
– public key – published key used to encrypt data
– private key – key known only to individual user used to decrypt data
• Must be an encryption scheme that can be made public without leaking the decryption scheme
– Most common is RSA block cipher
– Efficient algorithms exist for testing whether or not a number is prime
– No efficient algorithm is known for finding the prime factors of a number
61
RSA (cont)
• If it is computationally infeasible to derive D(kd, N) from E(ke, N), E(ke, N) need not be kept secret and can be widely disseminated
– E(ke, N) is the public key
– D(kd, N) is the private key
– N is the product of two large, randomly chosen prime numbers p and q (for example, p and q are 512 bits each)
– Encryption algorithm is E(ke, N)(m) = m^ke mod N, where ke satisfies ke·kd mod (p−1)(q−1) = 1
– The decryption algorithm is then D(kd, N)(c) = c^kd mod N
1. Pick random number ke, relatively prime to (p−1)(q−1)
2. Compute kd such that ke·kd mod (p−1)(q−1) = 1
62
RSA: Example
• Make p = 7 and q = 13
• We then calculate N = 7∗13 = 91 and (p−1)(q−1) = 72
• We next select ke relatively prime to 72 and < 72, yielding 5
• Finally, we calculate kd such that ke·kd mod 72 = 1, yielding 29
• We now have our keys
– Public key, (ke, N) = (5, 91)
– Private key, (kd, N) = (29, 91)
• Encrypting the message 69 with the public key results in the ciphertext 62
– 69^5 mod 91 = 62
• Ciphertext can be decoded with the private key
– 62^29 mod 91 = 69
• Public key can be distributed in clear text to anyone who wants to communicate with holder of public key
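The slide's numbers, reproduced in an added Python example (not part of the original slides). It follows the two key-generation steps, then shows that factoring a small N such as 91 hands back the private key; function names are this example's own.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keys(p, q, ke):
    """Slide steps: N = p*q, ke coprime to (p-1)(q-1), kd with ke*kd mod (p-1)(q-1) = 1."""
    phi = (p - 1) * (q - 1)
    if not 1 < ke < phi or gcd(ke, phi) != 1:
        raise ValueError("ke must be relatively prime to (p-1)(q-1) and smaller than it")
    _, x, _ = egcd(ke, phi)
    kd = x % phi  # modular inverse of ke
    n = p * q
    return (ke, n), (kd, n)


def encrypt(m, public):
    """E(ke, N)(m) = m^ke mod N; m must be a number below N."""
    ke, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than N")
    return pow(m, ke, n)


def decrypt(c, private):
    """D(kd, N)(c) = c^kd mod N."""
    kd, n = private
    return pow(c, kd, n)


def private_key_by_factoring(public):
    """Recover (kd, N) from the public key by trial division on N.

    Instant for N = 91, which is why p and q must be large random primes:
    the private key is only as hard to find as the factors of N.
    """
    ke, n = public
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return make_keys(p, n // p, ke)[1]


if __name__ == "__main__":
    public, private = make_keys(7, 13, 5)
    c = encrypt(69, public)
    print("public", public, "private", private)
    print("69 ->", c, "->", decrypt(c, private))
    print("recovered from public key alone:", private_key_by_factoring(public))
```

As written this is textbook RSA: the same message always gives the same ciphertext, so deployed systems add randomized padding such as OAEP before exponentiation.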
63
RSA in Practice…
“Alice” “Bob”
{m}kApriv : A signs a message with A’s private key.
{m}kBpub : A encrypts message with B’s public key.
64
Symmetric vs. Asymmetric Encryption
• Symmetric cryptography based on simple transformations
• Asymmetric based on time consuming mathematical functions
– Asymmetric much more compute intensive
– Typically not used for bulk data encryption
– Used, instead, for short plaintexts, for example symmetric keys.
65
Hash Algorithms
• Message digests, one-way transformations
• Length of h(m) much shorter than length of m
• Usually fixed lengths: 48-128 bits
• Easy to compute h(m)
• Given h(m), no easy way to find m
• Computationally infeasible to find m1, m2 s.t. h(m1) = h(m2)
• Example: (m+c)^2, take middle n digits
66
Hash Algorithms (Cont’d)
• Password hashing
– Doesn’t need to know password to verify it
– Store h(p+s), s (salt), and compare it with the user-entered p
– Salt makes dictionary attack less convenient
• Message integrity
– Agree on a password p
– Compute h(p|m) and send with m
– Doesn’t require encryption algorithm, so the technology is exportable
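Both uses from this slide in an added Python example (not part of the original slides). It goes one step beyond the slide: password storage uses PBKDF2 rather than a single fast h(p+s), and the integrity tag uses HMAC rather than a bare h(p|m), because a plain prefix hash over SHA-256 can be extended by someone who does not know p. The iteration count and sample strings are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def slide_hash(password, salt):
    """h(p+s) exactly as on the slide: one fast hash over password and salt."""
    return hashlib.sha256(password.encode() + salt).digest()


def store_password(password):
    """Return the (salt, digest) pair to store; the password itself is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Recompute from the user-entered password and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def tag_message(shared_secret, message):
    """Integrity tag for m under the agreed password p (HMAC in place of h(p|m))."""
    return hmac.new(shared_secret, message, hashlib.sha256).digest()


def check_message(shared_secret, message, tag):
    """True only if the message is unchanged and the sender knew the secret."""
    return hmac.compare_digest(tag_message(shared_secret, message), tag)


if __name__ == "__main__":
    # Constructed sample values.
    salt, digest = store_password("correct horse")
    print("right password:", verify_password("correct horse", salt, digest))
    print("wrong password:", verify_password("battery staple", salt, digest))

    secret = b"agreed password p"
    m = b"Transfer $100 from account X to account Y"
    tag = tag_message(secret, m)
    print("untouched:", check_message(secret, m, tag))
    print("tampered: ", check_message(secret, m.replace(b"$100", b"$900"), tag))
```

Two users with the same password get different stored digests because their salts differ, so one precomputed dictionary cannot be reused across accounts.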
67
Authentication
1. Authentication
2. Message Integrity
3. Accountability / Non-Repudiation
“Alice” “Bob”
1. Who is making the request?
2. Is the received message the same as the sent message?
3. How do I build an audit trail?
69
Message Integrity
• Message Integrity can be guaranteed through Error-Detection Code (e.g., cryptographic hash).
• modify
• (replay)
• reorder
• append
(Figure: “Alice” sends “Transfer $100 from account X to account Y” to “Bob”, with “Lucifer” in between; labels: Message Integrity, Authenticity, Confidentiality)
70
Authentication: Model
• Symmetric Encryption (k1 = k2):
– A(m) is “message authenticator”
• Asymmetric Encryption (k1 != k2):
– A(m) is “signature”
– Example: A(m) = {Hash(m)}kApriv
– Cryptographically secure hash:
• Prob(Hash(m) = Hash(m’)) is very low (“low collision prob.”)
• SHA1, SHA256, etc.
(Figure: “Alice” runs Sign with key k1 on m and sends m together with A(m); “Bob” runs Verify with key k2 on m and A(m) and outputs YES/NO)
71
Authentication: Sign() and Verify()
• Algorithm components
– A set K of keys
– A set M of messages
– A set A of authenticators
– A function S : K → (M → A)
• That is, for each k ∈ K, S(k) is a function for generating authenticators from messages
• Both S and S(k) for any k should be efficiently computable functions
– A function V : K → (M × A → {true, false}). That is, for each k ∈ K, V(k) is a function for verifying authenticators on messages
• Both V and V(k) for any k should be efficiently computable functions
72
RSA in Practice…
“Alice” “Bob”
{m}kApriv: A signs a message with A’s private key.
{m}kBpub: A encrypts message with B’s public key.
{{m}kApriv}kApub: B verifies a message with A’s public key.
{{m}kBpub}kBpriv: B decrypts message with B’s private key.
kApub, kApriv kBpub, kBpriv
73
Authentication (Cont.)
• For a message m, a computer can generate an authenticator a ∈ A such that V(k)(m, a) = true only if it possesses S(k).
• Thus, computer holding S(k) can generate authenticators on messages so that any other computer possessing V(k) can verify them
• Computer not holding S(k) cannot generate authenticators on messages that can be verified using V(k).
• Since authenticators are generally exposed (for example, they are sent on the network with the messages themselves), it must not be feasible to derive S(k) from the authenticators.
74
Key Distribution Problem
• Q: How does Bob learn Alice’s key?
– Q.1: Alice’s public key?
– Q.2: Alice’s shared key?
“Alice” “Bob”
“Alice’s public key is X”
“Alice’s public key is X”
75
Key Distribution: Certificates
(Figure: “Alice”, “Bob”, and “Charles”, the Certificate Authority)
1. {m, Sign(m, kApriv)}
2. {Alice?!!}
3. {m=“kApub=X”, Sign(m, kCpriv)}
(Chart: 2007 Market Share of certificate authorities: VeriSign, Comodo, GoDaddy, Others; source: Secure Space)
76
Establishing a Secure Channel
1. Authenticate user using public key encryption.
2. Use shared-key encryption for communication.
Q: How to Exchange Shared Key?
Denning-Sacco Protocol (1982), between “Alice”, “Bob” and “Charles”:
1. {A,B}
2. {A, kApub, TS}kCpriv {B, kBpub, TS}kCpriv (certificates)
3. {A, kApub, TS}kCpriv (certificate) {{kAB, TS}kApriv}kBpub (proposed key)
4. {data, TS}kAB
77
SSL
• Applications: HTTP, IMAP, FTP, etc…
• Client and server negotiate symmetric key that they will use for the length of the data session.
• Two phases in SSL:
– Phase 1: Connection Establishment
– Phase 2: Data Transfer
78
SSL: Connection Establishment
• Step 1: Client sends request to server, containing
– SSL version; connection preferences; nonce (i.e. some random number)
• Step 2: Server chooses among preferences, and sends reply, containing
– Chosen preferences; nonce; public-key certificate
– Public-key certificate is a public key that has been digitally signed by a trusted authority.
• Step 3: Client can use certification authority’s public key to check authenticity of server’s public key.
• Step 4: Server can request public key of client and verify it similarly (optional)
• Step 5: Client chooses random number (premaster secret), encrypts it with server’s public key, and sends it to server.
• Step 6: Both parties compute session key (used during data transfer) based on premaster secret and the two nonces.
– Note: At no point is the session key transferred between client and server.
79
SSL: Data Transfer
• Messages are fragmented into 16kB portions.
• Each portion is optionally compressed.
• A Message Authentication Code (MAC) is appended
– MAC is a hash derived from plaintext, two nonces, and pre-master secret
• Plaintext and MAC are encrypted using the symmetric key constructed during connection establishment.
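Step 6 of connection establishment and the MAC step of data transfer, as an added Python sketch (not from the original slides and not the real SSL key derivation). HMAC-SHA256 stands in for the protocol's own functions, the sequence number in the MAC is this sketch's choice, and the encryption step is left out because the standard library has no symmetric cipher.

```python
import hashlib
import hmac
import os

FRAGMENT = 16 * 1024  # 16 kB portions, as on the data-transfer slide


def derive_keys(premaster, client_nonce, server_nonce):
    """Run locally by both sides; the result never crosses the network.

    Returns (enc_key, mac_key). enc_key would feed the symmetric cipher,
    which this sketch omits.
    """
    seed = client_nonce + server_nonce
    enc_key = hmac.new(premaster, b"encryption" + seed, hashlib.sha256).digest()
    mac_key = hmac.new(premaster, b"mac" + seed, hashlib.sha256).digest()
    return enc_key, mac_key


def _mac(mac_key, seq, fragment):
    # Covering the position as well as the bytes makes reordering detectable.
    return hmac.new(mac_key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()


def protect(data, mac_key):
    """Sender: fragment the data and append a MAC to each portion."""
    return [
        (data[off:off + FRAGMENT], _mac(mac_key, seq, data[off:off + FRAGMENT]))
        for seq, off in enumerate(range(0, len(data), FRAGMENT))
    ]


def accept(records, mac_key):
    """Receiver: return the reassembled data, or None if any MAC fails."""
    out = bytearray()
    for seq, (fragment, tag) in enumerate(records):
        if not hmac.compare_digest(tag, _mac(mac_key, seq, fragment)):
            return None
        out += fragment
    return bytes(out)


if __name__ == "__main__":
    # Constructed handshake values: two nonces sent in the clear, and a
    # premaster secret that reached the server encrypted under its public key.
    client_nonce, server_nonce = os.urandom(32), os.urandom(32)
    premaster = os.urandom(48)
    client_keys = derive_keys(premaster, client_nonce, server_nonce)
    server_keys = derive_keys(premaster, client_nonce, server_nonce)
    print("same keys on both sides:", client_keys == server_keys)

    records = protect(os.urandom(40_000), client_keys[1])
    print("records:", len(records))
    print("intact accepted:", accept(records, server_keys[1]) is not None)
    records[0], records[1] = records[1], records[0]
    print("reordered accepted:", accept(records, server_keys[1]) is not None)
```

Because the nonces are fresh in every handshake, records captured from an earlier session do not verify under the keys of a later one.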