
Page 1: Operating System Security

Politecnico di Milano
© 2001 - William Fornaciari

Lecturer: <speaker’s name>
<speaker’s affiliation>
<speaker’s e-mail>
<speaker’s web site>

Page 2: Computer Security in the Real World

“What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren’t a paying business), and minimum interference with daily life. Computer security is hard because people don’t trust new things (especially when they don’t understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I’ll explain why this is wrong ...” Butler Lampson

Page 3: Security

Computer security deals with the prevention, detection and reaction to unauthorised actions by users. With the term security we focus on the global problem, which deals with
– Technical issues
– Management issues
– Social issues
– Legal issues

There is no single definition of security

Page 4: Security and Protection

We can see protection as a subset of security
– Referring only to the specific mechanisms used by the OS to safeguard computer information
– Providing controlled access to programs and data stored in the computer

Security requires not only an adequate protection system, but must also consider the external environment within which the system operates
– Malicious behaviour of entities external to the system, affecting computer assets: hardware (including communication lines and networks), software and data

Page 5: Security Context

[Diagram: Network Security and Information System Security, each targeted by an Intruder]

Page 6: Intruders

Modern systems usually allow remote access
– From terminals
– From modems
– From the network

Intruders can use all of these to break in

Page 7: Security Areas

Apart from social and legislative controls, computer security can generally be divided into three areas
– External security
– Interface security
– Internal security

Page 8: External Security

It is concerned with physical access to the overall computer facility, to prevent theft, destruction and tampering. This includes
– Control of access to communication lines, removable storage media and terminals
– Safeguarding information from natural disasters like fire, earthquakes, floods, short circuits, wars, …

External security consists of administrative and physical control measures to prevent undesired access to physical resources. Full protection cannot be assured, so the target is to
– Minimize possible violations
– Minimize the possible consequent damage
– Provide recovery procedures (a proper backup policy)

Page 9: Interface Security

It is concerned with the authentication of a user once physical access to a computer system has become feasible (Authentication)

Page 10: Internal Security

It is concerned with
– Control of access within the computer system (Protection)
– Safeguarding of information transmitted over communication lines between computer systems (communication/network security)
– Safeguarding stored information from being inadvertently or maliciously disclosed (file security)
– Monitoring the utilization of system resources by its users (Auditing)

Page 11: Security Levels

The problem of security can be faced at three different levels
– Basic technologies
– Architectures and protocols
– Organizational

[Diagram: the three levels, from top to bottom Organization, Architectures and Protocols, Basic Technologies]

Page 12: Basic technologies

Essentially, basic technologies focus on cryptographic techniques, but other measures also belong to this level
– Electromagnetic shields
– ...

Technologies at this level are hard to defeat with a direct attack
– Brute force attacks entail an enormous cost

Page 13: Architectures and protocols

The system may be secure, but we do not know who our interlocutor is. We need special architectures and protocols for
– Cryptographic key exchange
– Certificates

Page 14: Organizational

Concerned not with technical problems but with the human level. Computer security is easily subverted by bad human practices
– E.g., passwords written on notes stuck to the computer monitor

Management has to instil secure behaviours in the users and strongly discourage non-secure behaviours
– Non-secure behaviours may compromise all the security measures we have laboriously put in place

In a nutshell, there is a need for management security consciousness

Social engineering attacks tend to be cheap, easy and effective

Page 15: Security Measures

A rough classification is
– Prevention: take measures that prevent computer assets from being damaged
– Detection: take measures that allow detecting when an asset has been damaged, how it has been damaged, and who has caused the damage
– Reaction: take measures that allow recovering computer assets or recovering from damage to computer assets

Page 16: Security Problems (1)

Security is an engineering problem
– Trade-off between safety, cost, performance and inconvenience
– Risk analysis and security planning are required

Security is a global concept
– We cannot protect one part of a system while leaving another part without any protection
– Those breaking security will attack the weakest point

Page 17: Security Problems (2)

Total security is generally not reachable
– Because making mistakes is easy
– The nature of the problem implies that mistakes are always exploited

The target to reach is to make violating the security mechanisms require a cost and an effort so great that it is not worthwhile

Page 18: Fundamental Constraints of Practical Computer Security

Security costs
– If security measures cost too much, they won’t be adopted

Conflict between security and ease of use
– Users have specific security requirements but usually no security expertise
– If security mechanisms are not easy to use or interfere too much with the working patterns users are accustomed to, they will not be used or will be misused
– Misuse often makes security measures useless

The impact on performance is manifold
– Security measures need additional computational resources
– If the impact is too high, they will not be used

Page 19: Security Requirements

There is a range of security requirements we have to guarantee for messages and data
– Confidentiality
– Integrity
– Availability
– Accountability
– Non-repudiation

Page 20: Confidentiality

Confidentiality is concerned with the prevention of unauthorized disclosure of information
– It captures the concept that computer security not only has to stop unauthorized users from reading sensitive information, but has to prevent them from learning sensitive information

The terms privacy and secrecy are sometimes used to distinguish between
– Protection of personal data (privacy)
– Protection of data belonging to an organization (secrecy)

Page 21: Integrity

Integrity is concerned with unauthorized modification of information
– If we equate integrity with the prevention of all unauthorized actions, then confidentiality becomes a part of integrity

Data integrity
– Is the state that exists when electronic data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction
– It is impossible to guarantee this property only with mechanisms internal to the computer system; we also have to consider communications security

Page 22: Availability

Availability is concerned with the prevention of unauthorized withholding of information or resources
– It is the property of being accessible and usable upon demand by an authorized entity

The engineering techniques used to improve availability
– Go far beyond the traditional boundaries of computer security
– Come from other areas like fault-tolerant computing

In the context of security it is linked with the prevention of ‘denial of service’

Page 23: Accountability (1)

Confidentiality, integrity, availability
– Deal with different aspects of access control
– Put their emphasis on the prevention of unwelcome events

Authorized actions can also lead to a security violation
– A flaw in the security system may allow an intruder to find a way around the controls
– For these reasons users should be held responsible for their actions, so a new security requirement was introduced: accountability

Page 24: Accountability (2)

Accountability
– Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party

The system has to identify and authenticate users to achieve this target
– It has to keep an audit trail of security-relevant events
– If a security violation has occurred, information from the audit trail may help to identify the intruder

Page 25: Reliability and Safety

When considering computer security we often have to keep in mind other areas like
– Reliability, relating to accidental failures (security is a part of reliability, or vice versa)
– Safety, relating to the impact of system failures on their environment

Page 26: Categories of Threats

A normal information flow from a source to a destination may be subject to
– Passive attacks: interception
– Active attacks: interruption, modification, fabrication

Page 27: Normal Information Flow

[Diagram: normal information flow from Information Source to Information Destination]

Page 28: Interruption

– Prevents the source from sending information to the receiver
– Or the receiver from sending requests to the source
– It is an attack on availability

[Diagram: the Intruder blocks the flow from Information Source to Information Destination]

Page 29: How Interruption Occurs

Interruption may be obtained by destroying a resource or making it unusable
– Destroying hardware (e.g., a hard disk, cutting communication lines, ...)
– Deleting or damaging software
– Deleting data
– Interfering with a communications channel
– Overloading a shared resource

With this kind of attack the intruder wants to cause a denial of service

Page 30: Interception

The information flow between source and destination is eavesdropped on by an unauthorized third party. It is an illicit data copy and a threat to confidentiality

[Diagram: the Intruder copies the flow from Information Source to Information Destination]

Page 31: Another Type of Interception

It is an active attack

[Diagram: Intruder, Information Source and Information Destination]

Page 32: How Interception Occurs

There are several ways to achieve this purpose
– Break-ins
– Illicit data copying
– Eavesdropping
– Sniffing
– Masquerading
– Tampering

The aims of this attack could be
– Acquiring message content
– Traffic flow analysis, which permits deducing information like

Page 33: Modification

The information or data are modified; it is a threat to integrity

[Diagram: the Intruder alters the flow from Information Source to Information Destination]

Page 34: How Modification Occurs

Ways to carry out modification-based attacks are
– Interception of data requests
– Masquerading
– Illicit access to servers/services

Modification may concern
– The message author
– The message sending time (replay attacks)
– The message contents

Page 35: Fabrication

An unauthorized party inserts counterfeit objects into the system
– The counterfeit concerns both the author and the contents of the message
– It is a threat to integrity

[Diagram: the Intruder inserts fabricated data towards Information Destination alongside the flow from Information Source]

Page 36: How Fabrication Occurs

These attacks can be carried out by
– Spoofing
– Masquerading
– Bypassing protection measures
– Duplication of legitimate requests

Page 37: Passive vs Active Attacks

Passive attacks are forms of eavesdropping
– No modification or injection of requests occurs
– They are difficult to detect
– They require mechanisms that protect communication independently of whether an attack is occurring

Active attacks are more aggressive
– Availability and integrity are compromised

Page 38: Information System Security Threats

Computer security consists of
– Formulating an access control policy that reflects the protection requirements of the application
– The computer system has to enforce the policy in the presence of active attempts to bypass or disable controls

Implementing a complex system is a challenging task, and there is a long history of security bugs in operating systems, often caused by simple programming errors
– Many attacks exploit well-known security weaknesses in an automated and efficient manner

Page 39: How Things Go Wrong

The major sources of security problems fall into the following categories
– Change in environment
– Bound and syntax checking
– Convenient but dangerous design features
– Escapes from controlled invocation
– Bypass at a lower layer
– Flaws in protocol implementations

Page 40: Change in Environment

Change is one of the biggest enemies of security
– A system may offer perfectly adequate security, then a part of the system is changed

The security implications of the changes were taken into account, but security is compromised
– Or, even worse, the changes were considered to have no influence on security, and an unpleasant surprise will occur

Page 41: Bound and Syntax Checking

A frequent source of security problems are commands that do not check the size or the syntax of their arguments

By overrunning an input buffer, an attacker with detailed system knowledge can overwrite memory locations holding security-relevant data
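As an added example (not part of the lecture), the argument handling the slide warns about, in C: an unchecked copy into a fixed-size buffer beside a version that bounds the length against the destination and checks the argument's syntax. The function names and the username syntax rule are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* fixed-size buffer, as in many legacy commands */

/* Unsafe: the argument's length is never checked. An argument longer
 * than NAME_BUF-1 bytes overruns `buf`, trampling whatever lies beyond
 * it (the "security-relevant data" the slide refers to). Shown only to
 * make the defect visible; nothing below calls it. */
void copy_name_unchecked(char *buf, const char *arg) {
    strcpy(buf, arg);          /* no bound: classic buffer overrun */
}

/* Syntax rule assumed for the example: 1..NAME_BUF-1 characters, a
 * lowercase letter first, then only lowercase letters, digits, '_', '-'. */
static int valid_name_syntax(const char *s, size_t len) {
    if (len == 0 || !islower((unsigned char)s[0])) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened: measure the argument against the destination size before
 * copying, then validate its syntax. Returns 0 on success, -1 if the
 * argument is rejected; on rejection `buf` holds an empty string. */
int copy_name_checked(char *buf, size_t bufsz, const char *arg) {
    if (bufsz == 0) return -1;
    buf[0] = '\0';
    /* Bounded scan: never walk further than the buffer could hold, so an
     * oversized argument is detected as "too long" without reading it all. */
    size_t len = 0;
    while (len < bufsz && arg[len] != '\0') len++;
    if (len >= bufsz) return -1;            /* would not fit with the NUL */
    if (!valid_name_syntax(arg, len)) return -1;
    memcpy(buf, arg, len);
    buf[len] = '\0';
    return 0;
}

/* Verdict-only wrapper: 1 if the argument would be accepted, else 0. */
int name_accepted(const char *arg) {
    char buf[NAME_BUF];
    return copy_name_checked(buf, sizeof buf, arg) == 0;
}

int main(void) {
    const char *samples[] = { "alice", "Alice", "bob_2-x",
                              "aaaaaaaaaaaaaaaa" /* 16 chars: too long */ };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               name_accepted(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```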

Page 42: Convenient features

Backward compatibility with legacy systems, ease of installation and ease of use are good reasons for including features. These features are, however, dangerous from a security viewpoint, leaving the system open for attackers to exploit what is an intended system feature

Page 43: Controlled Invocation

An error in such a program can seriously undermine security
– E.g., in Unix, when a user logs in, the login program sets up an environment for that user, executing the commands contained in the user’s .cshrc and .login files
– The login program runs with root privilege
– A user can use the .cshrc and .login files as trojan horses, inserting commands that will be executed by root
– It is therefore essential that the UID of the login process is set to the user’s UID before executing any commands that could be defined by the user
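An added example (not the lecture's own code) of the rule the slide ends with: drop root to the user's identity before any user-controlled command runs, and verify that the drop took effect. It uses the POSIX setgroups/setgid/setuid calls; drop_privileges and run_user_startup are names chosen here, and the startup command stands in for the contents of .login/.cshrc.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the target user and group. Order matters: the
 * supplementary group list and the gid must be changed while we are
 * still root, because after setuid() to an unprivileged uid those
 * calls would fail. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Only root may rewrite the supplementary group list; leaving
         * root's groups in place would keep extra access rights. */
        if (setgroups(1, &gid) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop is effective and irreversible: unless the target
     * is root itself, an attempt to regain uid 0 must now fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Run a user-defined startup command (the role of .login/.cshrc) only
 * after privileges have been dropped, never the other way round. */
int run_user_startup(uid_t uid, gid_t gid, const char *cmd) {
    if (drop_privileges(uid, gid) != 0) return -1;  /* refuse to run as root */
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    return -1;   /* only reached if exec itself failed */
}

int main(void) {
    /* Stand-alone demo: drop to the invoking user's own ids (a no-op
     * when not root) and report the identity the command would run as. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("user commands would run as uid=%ld gid=%ld\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```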

Page 44: Bypass

Logical access control validates access by users and processes to logical system objects. This control may be bypassed if an attacker
– Can insert code below the logical access control
– Or gets direct access to memory

Page 45: Flawed Protocol Implementations

Abstract descriptions of security protocols are full of innocuous statements like ‘pick a random number’
– Sometimes designers go for an easy option, being aware of its security shortcomings
– Sometimes they do not immediately spot the problem

Page 46: Malicious Programs (1)

Dangers for a system are often represented by programs which take advantage of system weak points
– E.g., an OS that does not protect against unauthorised modification

Clever programmers can get software to do their dirty work for them. Programs have several advantages for this purpose
– Speed
– Mutability
– Anonymity

Page 47: Malicious Programs (2)

We can distinguish malicious programs into two categories

Independent programs, that may be executed autonomously from the execution of other programs
– Worm
– Bacteria

Program fragments, that cannot work independently from the execution of another process
– Trojan horse
– Trapdoors
– Logic bomb
– Virus

Trojan horses and logic bombs may, in some cases, be part of a virus

Page 48: Taxonomy

Malicious Programs
– Need host programs: Trapdoors, Logic Bombs, Trojan Horses, Viruses
– Independent: Bacteria, Worms
– Replicate: Viruses, Bacteria, Worms

Page 49: Trapdoors

A trapdoor is a secret entry point into an otherwise legitimate program
– It is a portion of code that recognizes special input sequences, or that is activated when an application is executed with a particular ID

A user knowing of its existence may gain access bypassing the normal authentication procedures. Trapdoors are used by programmers
– To facilitate debugging and program testing, avoiding tedious and long authentication procedures
– To have an activation method if the program’s authentication process has a bug

Controls against trapdoors are difficult to implement

Page 50: Logic Bombs

A logic bomb is a piece of code belonging to a legitimate program that, under certain conditions, ‘explodes’
– Modifying or deleting data and files
– Causing a system halt
– ...

Usually they are inserted by the program authors. In practice it is hard or impossible to detect a logic bomb before its explosion

Typical activating conditions are
– The presence or absence of certain files
– A particular day
– A particular user executing the application

Page 51: Trojan Horses

A trojan horse is a seemingly useful program that contains hidden code performing harmful actions
– Obtaining access to the user’s files by changing file permissions
– Obtaining passwords
– Deleting data and files
– Adding backdoors to programs
– ...

We may find them in
– Editors
– Fake login screens
– Compilers, where they are particularly dangerous: inserting malicious code in a program during its compilation

Page 52: Bacteria

Their only purpose is to replicate themselves. Bacteria reproduce exponentially
– Taking up all the processor capacity
– Taking up memory
– Taking up disk space
– Eventually denying users access to resources

Page 53: Worms

Worms use network connections to spread from system to system. To replicate themselves they use
– E-mail facility: a worm mails a copy of itself to other systems
– Remote execution capability: a worm executes a copy of itself on other systems
– Remote log-in capability: a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other

Worms can spread very rapidly

Page 54: Worms (2)

When a worm is activated it may act as a
– Virus
– Bacteria
– Trojan horse
– Or perform any other kind of malicious action

Four phases characterize a worm (like a virus)
– Sleeping: the worm is inactive, waiting for some event
– Propagation: the worm looks for other systems to infect, analysing host tables or remote system addresses; establishes a remote connection; copies itself onto the remote system, ensuring the copy will be activated

Page 55: Worms (3)

– Triggering: the worm is ready to do its work; this phase may be activated by various events
– Execution: the worm does its work

The ‘Morris Internet worm’ of 1988 is the most famous example

Page 56: Viruses

Viruses are programs that can infect other programs by modifying them
– Like worms, viruses are designed for spreading, but they are pieces of code inserted into legitimate programs
– Viruses occur anywhere imported code gets executed: imported programs, some inclusions in mail messages, boot sectors and other executable portions of media, macros attached to some data files

Along with mere infection, trojan horses, trapdoors or logic bombs can be included

Page 57: Virus Life-Cycle

The life-cycle of a virus has four phases, like worms
– Sleeping: not all viruses have this phase
– Propagation: the virus puts a copy of itself in some program or in some system disk area; the copy will itself enter the propagation phase
– Triggering: the virus is activated by some event for executing its ‘task’
– Execution: the virus executes its ‘task’, which may be innocuous or harmful

Page 58: Virus Spread

[Diagram in three steps, each showing an Infected program, an Uninfected program and the Virus Code, illustrating the virus code passing from the infected program to the uninfected one]

Page 59: Typical Virus Actions

Typical virus actions are
– Find uninfected writable programs
– Modify those programs
– Perform the normal actions of the infected program
– Do whatever other damage is desired by its author

Page 60: Viruses Taxonomy (1)

A non-exhaustive taxonomy

Parasitic virus
– It is the classic virus, attached to an executable file
– When the infected program is executed, the virus looks for uninfected files to spread to

Memory-resident virus
– Lodges in main memory as a part of a resident system program
– Once in memory, it infects every program that is executed

Boot sector virus
– It infects a boot sector
– When the system is started, the virus ‘starts its work’

Page 61: Viruses Taxonomy (2)

Stealth virus
– It is designed with the precise intent of eluding anti-virus detection
– Compression techniques may be used by this kind of virus to leave the infected program’s size unmodified
– The virus may modify the routines for I/O operations so that, when those routines are used, they show the infected program as uninfected
– Hiding in a sector marked as bad in the FAT

Slow infection virus
– Controls the rate of infection to avoid immediate detection

Page 62: Viruses Taxonomy (3)

• Polymorphic virus
– It is designed to make small changes to its code at every infection
– Creates copies of itself that are functionally equivalent but have distinctly different bit patterns
– Encrypts itself and uses a new key on each new infection
– It is a way to deceive anti-virus mechanisms, making detection by ‘signature’ impossible

• Macro virus
– It is attached to a data file, and therefore bypasses integrity protection mechanisms targeting executables
– It is written in a high-level language, and therefore is much more platform independent

Page 63: Dealing with Viruses

The solutions for countering viruses are
• Prevention of infection
• Detection and reaction
• Containment

Page 64: Preventing the Spread of Viruses

• To prevent a virus infection, the solution is not to install untrusted software. But who can you trust?
– Viruses have been found in commercial shrink-wrap software

• So we have to take other prevention measures
– Scan incoming programs for viruses
» Some viruses are designed to hide; anti-virus software does not detect the newest viruses
– Limit the targets viruses can reach
– Monitor updates to executable files

Page 65: Virus Detection (1)

• Virus detection is needed if an infection has occurred
• Both virus and anti-virus software have become more complex
• We may identify four anti-virus generations

• Simple analysers (first generation)
– Scanners using the virus ‘signature’ to identify the infection
» Do not identify polymorphic viruses
– Others maintain a record of program length, looking for variations in length
» Do not identify stealth viruses

Page 66: Virus Detection (2)

• Heuristic analysers (second generation)
– Use heuristic rules to search for probable virus infections
– Look for fragments of code that are often associated with viruses
– A checksum may be attached to the end of a program, so that if a virus infects the program without modifying the checksum, the infection may be detected
» Some viruses are able to generate the checksum themselves
» The checksum may be replaced by a keyed (encrypted) hash function that is harder for a virus to forge

• Activity traps (third generation)
– They are memory-resident programs that identify a virus by its actions rather than its structure
– They intervene when these actions take place
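The two integrity schemes of this slide side by side, as an added example that is not part of the lecture: an unkeyed checksum appended to the program, which whatever modifies the program can simply regenerate, versus a keyed hash recorded by the checker under a key the program never sees. The program bodies and the key handling are constructed assumptions.

```python
"""Keyed-hash integrity baseline for executables (added example, not the
lecture's code). Compares the two integrity schemes on the slide: a plain
checksum appended to the program, which whatever modifies the program can
simply regenerate, and a keyed hash (HMAC) recorded by the checker under a
key the program never sees. The program bodies are constructed samples."""
import hashlib
import hmac
import secrets
import zlib
from typing import Dict, Optional


def plain_checksum(program: bytes) -> bytes:
    """Unkeyed CRC32 of the program body: anyone can recompute it."""
    return zlib.crc32(program).to_bytes(4, "big")


def keyed_digest(program: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 of the program body: needs the secret key to recompute."""
    return hmac.new(key, program, hashlib.sha256).digest()


def append_checksum(program: bytes) -> bytes:
    """Scheme 1 from the slide: the checksum travels at the end of the program."""
    return program + plain_checksum(program)


def verify_appended_checksum(blob: bytes) -> bool:
    """Recompute the checksum of the body and compare with the stored one."""
    body, stored = blob[:-4], blob[-4:]
    return hmac.compare_digest(plain_checksum(body), stored)


class IntegrityBaseline:
    """Scheme 2: the checker records a keyed digest per program and keeps the key
    outside anything an infected program can read or modify."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.baseline: Dict[str, bytes] = {}

    def record(self, name: str, program: bytes) -> None:
        self.baseline[name] = keyed_digest(program, self.key)

    def check(self, name: str, program: bytes) -> bool:
        expected = self.baseline.get(name)
        if expected is None:
            return False  # a program not in the baseline fails the check
        return hmac.compare_digest(keyed_digest(program, self.key), expected)


def compare_schemes() -> Dict[str, bool]:
    """Run both schemes over an original and an altered body and report what each accepts."""
    original = b"\x7fELF original program body (constructed sample)"
    altered = b"\x7fELF altered program body (constructed sample)"

    # Scheme 1: an altered body shipped with a freshly computed checksum passes,
    # which is the "some viruses generate the checksum themselves" case.
    genuine_blob = append_checksum(original)
    forged_blob = append_checksum(altered)

    # Scheme 2: the altered body cannot be given a matching keyed digest
    # without the checker's key, so the mismatch is detected.
    baseline = IntegrityBaseline()
    baseline.record("prog", original)

    return {
        "checksum_accepts_original": verify_appended_checksum(genuine_blob),
        "checksum_accepts_altered": verify_appended_checksum(forged_blob),
        "keyed_accepts_original": baseline.check("prog", original),
        "keyed_accepts_altered": baseline.check("prog", altered),
    }
```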

Page 67: Virus Detection (3)

• Fully equipped protection (fourth generation)
– Consists of a variety of anti-virus techniques used in conjunction
– Besides analysers and activity traps, these packages include access control techniques that prevent viruses from entering the system

Page 68: Containment

• To avoid virus damage we may run suspect programs in an encapsulated environment, limiting their forms of access to prevent virus spread
• Containment requires a versatile security model and strong protection guarantees
– Running each executable in its own protection domain, relying on the underlying access control mechanisms

• The standard access control mechanisms offered by the OS are often not enough
– Programs execute under the user's identity with the user's privileges
– So the evil program has full user privileges

Page 69: Standard Access Control Mechanisms

• Other problems with standard access mechanisms are
– What access is allowable?
– How does it get set?
– How fast can you create the domains?

• Most popular OSs do not offer simple ways to limit the security domain of programs
• Access control mechanisms present several problems in managing untrusted code (as we have seen when talking about protection)

• Other possible solutions
– Improved OS access control for managing untrusted code
– ‘Padded cells’

Page 70: Padded Cell Approaches

• Improving OS access control means building systems able to manage domains that are not the same as process address spaces
• Padded cells essentially consist in executing programs in an encapsulated environment
• Three ways to implement an encapsulated environment
– Augmenting the OS: solves the general problem
– Virtual machine and language-based approaches: most suitable for downloaded small executables
– Software-enforced fault isolation: most suitable for the composition of executables

Page 71: Virtual Machine and Language Approaches

• Define a virtual machine that does not allow ‘insecure’ operations
• Run imported programs through an interpreter for that language
• Java does precisely that
• The Java virtual machine is meant to provide a secure execution environment allowing
– Very limited file access
– No process creation
– Very limited network communications
– Very limited examination of details of the host computer

Page 72: Software-Enforced Fault Isolation

• The virtual machine approach is limiting
– What happens if you need to write a file, create a process … ?
– Usually only one language is supported

• Software-enforced fault isolation consists of a software approach to memory protection
– Segment matching
– Address sandboxing
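A simulation of the two techniques named above, added here as an example that is not part of the lecture: segment matching inserts a check that traps on an address outside the fault domain, while address sandboxing rewrites the address so it always lands inside. The address layout (32-bit addresses, 8-bit segment identifier) and the tiny modelled memory window are assumptions.

```python
"""Simulation of the two software-enforced fault isolation techniques named on
the slide, segment matching and address sandboxing (added example, not the
lecture's code). Memory is a small bytearray standing in for one segment; the
address layout is an assumption: 32-bit addresses whose top 8 bits are the
segment identifier, so every segment is 2**24 bytes."""
ADDR_BITS = 32
SEG_ID_BITS = 8
SEG_SHIFT = ADDR_BITS - SEG_ID_BITS        # bit position of the segment identifier
OFFSET_MASK = (1 << SEG_SHIFT) - 1         # bits that select a byte inside the segment
WINDOW = 64                                # bytes of the segment actually modelled


class SegmentFault(Exception):
    """Raised by segment matching when an address points outside the fault domain."""


class FaultDomain:
    def __init__(self, segment_id: int) -> None:
        self.segment_id = segment_id
        self.base = segment_id << SEG_SHIFT
        self.memory = bytearray(WINDOW)

    def segment_matching(self, addr: int) -> int:
        """Inserted check: the identifier bits must equal the domain's segment,
        otherwise trap. Costs a compare and a branch per guarded access."""
        if (addr >> SEG_SHIFT) != self.segment_id:
            raise SegmentFault(f"address {addr:#010x} is outside segment {self.segment_id:#x}")
        return addr

    def address_sandboxing(self, addr: int) -> int:
        """Inserted arithmetic: overwrite the identifier bits with the domain's
        segment. Cheaper than a check and never traps, but a stray address is
        silently redirected to a location inside the segment."""
        return self.base | (addr & OFFSET_MASK)

    def store(self, addr: int, value: int, guard: str) -> int:
        """Store one byte through the chosen guard; returns the effective address written."""
        if guard == "match":
            eff = self.segment_matching(addr)
        elif guard == "sandbox":
            eff = self.address_sandboxing(addr)
        else:
            raise ValueError("guard must be 'match' or 'sandbox'")
        offset = eff - self.base
        if offset >= WINDOW:
            raise IndexError("offset beyond the modelled window (constructed limit)")
        self.memory[offset] = value & 0xFF
        return eff


def guard_outcomes() -> dict:
    """Exercise both guards on an in-segment and an out-of-segment address."""
    dom = FaultDomain(0x2A)
    inside = dom.base + 5
    outside = (0x7F << SEG_SHIFT) + 5          # same offset, different segment
    result = {"match_inside": dom.store(inside, 1, "match")}
    try:
        dom.store(outside, 2, "match")
        result["match_outside"] = "written"
    except SegmentFault:
        result["match_outside"] = "trapped"
    result["sandbox_outside"] = dom.store(outside, 3, "sandbox")
    result["byte_at_offset_5"] = dom.memory[5]
    return result
```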

Page 73: Authorization and Access Control

• Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
• The concepts of proper authorization and of access control are essential to this definition
• We have seen access control mechanisms when talking about protection

Page 74: Identification and Authentication

• A secure system somehow has to track the identities of the users requesting its services
• Identification
– Consists of entering user name and password
– You announce who you are

• Authentication is the process of verifying a user's identity
– Once user name and password are entered, a process compares the input against the entries stored in a password file
– Login will succeed if a valid user name and the corresponding password are entered

Page 75: User Authentication

• There exist two reasons for authenticating a user
– User identity is a parameter in access control decisions
» Processes are generally assigned to protection domains according to the identity of the user on whose behalf they are executed
– User identity is recorded when logging security-relevant events in an audit trail

• Most computer systems use identification and authentication through username and password as their first line of defence

Page 76: Passwords

• Identification and authentication through a password
– Has become a widely accepted mechanism and is not too difficult to implement
– Obtaining a valid password is an extremely common way of gaining unauthorized access to a computer system
» Password guessing
» Password spoofing
» Compromise of the password file

Page 77: Choosing Passwords

• Password choice is a critical security issue
• Completely preventing an attacker from accidentally guessing a valid password is impossible
• The use of trivial words as passwords makes an illegal disclosure a rather easy event
• We can try to keep the probability of such an event as low as possible by adopting some common sense
– Changing default system passwords like ‘manager’
– Prescribing a minimal password length
– Mixing upper and lower case symbols
– Including numerical and other non-alphabetical symbols
– Avoiding obvious passwords
– Changing the password frequently
– Always choosing an easy-to-remember password

Page 78: Password Guessing

• Attackers essentially follow two guessing strategies
– Exhaustive search (brute force): try all possible combinations of valid symbols, up to a certain length
– Intelligent search: search through a restricted name space
» Try passwords that are somehow associated with a user, like name, names of friends and relatives, car brand, car registration number, phone number ...
» Try passwords that are generally popular (dictionary attack)

• Successful attacks are more often based on social engineering than on technical ingenuity
• Actions should be taken to focus the user's attention on the relevance of a careful choice of password, and of its correct use

Page 79: Dictionary attacks

In a dictionary attack
• An on-line dictionary contains a set of popular passwords
• A program tries all passwords from the dictionary until it finds the correct one

Page 80: Password disclosure

• Studies have shown that the illegal disclosure of passwords through repeated attempts is still feasible today with acceptable computation time
– Due to the use of massive parallelism

• Parallel technologies, combined with negligence in the selection and management of passwords, increase the exposure to intrusions

Page 81: Improving Password Security (1)

• The system may help to improve password security

• Password checkers
– Tools that check passwords against some dictionary of ‘weak’ passwords

• Password generation
– Some OSs include a password generator producing random but pronounceable passwords
– Users are allowed to adopt only the passwords proposed by the system
– Users are unlikely to memorise long and complicated passwords
» They write such passwords down on a piece of paper that is kept close to the computer
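A password checker that applies the rules from the ‘Choosing Passwords’ slide and the weak-password dictionary idea from this one, added as an example that is not part of the lecture. The dictionary, the minimal length and the normalisation of trailing digits are constructed assumptions; the ‘easy to remember’ rule cannot be checked by a program.

```python
"""Password checker in the spirit of the 'Choosing Passwords' rules and the
'Password checkers' bullet (added example, not the lecture's code). The
weak-password dictionary and the rule thresholds are constructed assumptions;
the 'easy to remember' rule cannot be checked by a program and is left to the user."""
from typing import List, Sequence

MIN_LENGTH = 8
# Constructed sample of a weak/default password dictionary, not a real word list.
WEAK_PASSWORDS = {"manager", "password", "123456", "qwerty", "letmein", "welcome"}
DEFAULT_SYSTEM_PASSWORDS = {"manager"}   # the slide's example of a default to change


def _core(candidate: str) -> str:
    """Normalise the way dictionary checkers do: lower-case and drop a trailing
    run of digits and punctuation, so 'Password1!' is still judged as 'password'."""
    return candidate.lower().rstrip("0123456789!@#$%^&*.-_")


def check_password(candidate: str, username: str = "", personal: Sequence[str] = ()) -> List[str]:
    """Return the list of rules the candidate violates; an empty list means acceptable."""
    problems: List[str] = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than the minimal length of {MIN_LENGTH}")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("does not mix upper and lower case symbols")
    if not any(not c.isalpha() for c in candidate):
        problems.append("contains no numerical or other non-alphabetical symbol")
    if low in DEFAULT_SYSTEM_PASSWORDS:
        problems.append("is a default system password")
    elif _core(candidate) in WEAK_PASSWORDS or low in WEAK_PASSWORDS:
        problems.append("found in the dictionary of weak passwords")
    if username and username.lower() in low:
        problems.append("contains the user name")
    # Information associated with the user (relatives, car, phone ...) from the
    # 'intelligent search' bullet; the caller supplies what it knows about the user.
    for word in personal:
        if len(word) >= 3 and word.lower() in low:
            problems.append(f"contains information associated with the user ({word})")
    return problems


def acceptable(candidate: str, username: str = "", personal: Sequence[str] = ()) -> bool:
    return not check_password(candidate, username, personal)
```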

Page 82: Improving Password Security (2)

• Password ageing
– An expiry date for passwords can be set, forcing users to change passwords at regular intervals
– A list of old passwords may be kept to prevent the re-use of old passwords by users
– Changing passwords too often causes the problem of users writing them down to remember them

• Limit login attempts
– The system can monitor unsuccessful attempts and react by locking the user account completely or at least for a certain period of time
– Useful against dictionary attacks

Page 83: Improving Password Security (3)

• Inform the user
– After a successful login, the system can display the time of the last login and the number of failed login attempts
– The user may discover recently attempted attacks
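The ‘Limit login attempts’ and ‘Inform user’ measures of the last two slides in one login monitor, added as an example that is not part of the lecture. The credential check is a hypothetical callback supplied by the caller; the failure threshold and the choice of a timed rather than permanent lock are assumptions.

```python
"""Login attempt monitor for the 'Limit login attempts' and 'Inform user'
bullets (added example, not the lecture's code): after a number of consecutive
failures the account is locked for a period, and a successful login reports the
time of the previous login and the failed attempts since then. The credential
check is a hypothetical callback supplied by the caller; thresholds and the
use of a timed rather than permanent lock are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 3          # consecutive failures tolerated before locking
LOCK_SECONDS = 300.0      # length of the lock-out period


@dataclass
class AccountState:
    failures: int = 0                     # consecutive failures in the current run
    locked_until: float = 0.0             # epoch seconds; 0 means not locked
    last_login: Optional[float] = None    # time of the last successful login
    failed_since_last_login: int = 0      # what the user is told on the next success


@dataclass
class LoginResult:
    status: str                           # "ok", "bad_password" or "locked"
    last_login: Optional[float] = None
    failed_since_last_login: int = 0


class LoginMonitor:
    def __init__(self, verify: Callable[[str, str], bool]) -> None:
        self.verify = verify              # hypothetical credential check
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> LoginResult:
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            # Refuse without even checking the password, so a guessing program
            # learns nothing during the lock-out period.
            return LoginResult("locked")
        if not self.verify(user, password):
            state.failures += 1
            state.failed_since_last_login += 1
            if state.failures >= MAX_FAILURES:
                state.locked_until = now + LOCK_SECONDS
                state.failures = 0
            return LoginResult("bad_password")
        # Success: report what happened since the previous login, then reset.
        result = LoginResult("ok", state.last_login, state.failed_since_last_login)
        state.failures = 0
        state.failed_since_last_login = 0
        state.last_login = now
        return result
```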

Page 84: Spoofing Attacks (1)

• Identification and authentication through username and password provide unilateral authentication
– The user has no guarantee about the identity of the party to whom he is giving his password

• In a spoofing attack
– The attacker runs a program that presents a fake login screen on some terminal/workstation
– The user tries to log on
– User name and password are stored by the attacker
– Execution could be handed over to the user, or the login is aborted with an error message
– The spoofing program terminates, giving back control to the OS

Page 85: Against Spoofing Attacks

• Solutions against spoofing attacks may be
– Displaying the number of failed logins
– Guaranteeing that the user communicates with the OS and not with a spoofing program
» Windows NT has a secure attention sequence, CTRL+ALT+DEL, which invokes the Windows NT OS login screen
– Double authentication (hand-shaking)
» It is mutual authentication, where the system introduces itself to the user through information known only to the user, and the user authenticates back to the system
» E.g. in a distributed system, the system could be required to authenticate itself to the user

Page 86: Beyond Spoofing Attacks

• Other ways through which an intruder may ‘find’ a password are due to the fact that
– Passwords do not travel directly from the user to the checking routine
– Passwords are temporarily held in intermediate storage locations like
» Buffers
» Caches
» Web pages

• The management of these storage locations is beyond the control of the user, and a password may be kept longer than the user may think

Page 87: Compromise of the Password File

• User passwords are stored in the password files managed by the OS
• Password files are a desirable target for an intruder
– Disclosure or modification of their content permits the intruder to gain system access

• Password files must be protected
– Cryptographic protection
– Access control enforced by the OS
– A combination of cryptographic protection and access control, plus mechanisms to slow down dictionary attacks

Page 88: Cryptographic Protection (1)

• Instead of the password x, the value f(x) is stored in the password file
– f(x) is a one-way function: easy to compute but hard to reverse

• When a user logs in and enters a password x1, the system
– Applies the one-way function f and compares f(x1) with the expected value f(x). If the values match, the user has been successfully authenticated

• The password file can be left more readable if dictionary attacks are not a concern

Page 89: Cryptographic Protection (2)

• In a dictionary attack the attacker
– Knows the encryption function
» E.g. Unix uses the one-way function crypt(3)
– Encrypts all the words in a dictionary
– Compares, off-line, all these words against the encrypted entries in the password file; if a match is found, the attacker knows that user's password

• We may use a one-way function that is harder to compute
– Dictionary attacks become harder (require more time)
– The login mechanism also slows down

• It is better to hide the encrypted password file as well

Page 90: Access Control Mechanisms

• OS access control mechanisms restrict access to files and other resources to users holding the appropriate privileges
• They can be used to protect password files
– Only privileged users can have access to the password file
– If read access is restricted to privileged users, passwords in theory could be stored unencrypted

• Malicious users, taking advantage of faulty OS modules (bugs or trapdoors), could access the content of the password file
• A Trojan horse in the login procedure of a system can record all the passwords used at login time
• A combination of access control mechanisms and cryptographic methods is therefore recommended

Page 91: Proprietary Storage Formats

• A weak form of read protection is provided by proprietary storage formats
– E.g. Windows NT stores encrypted passwords in a proprietary binary format

• A determined attacker will obtain or deduce the information necessary to detect the location of security-relevant data

Page 92: Password Salting

• When a password is encrypted
– An additional piece of information, the ‘salt’, is appended to the password before encryption
– E.g. in Unix systems a ‘salt’ is a 12-bit number
– The salt is generated on the basis of the creation time and of the identifier of the running process

• Password salting ensures the uniqueness of the stored passwords
– Two users with the same password have different entries in the password file
– Slows down dictionary attacks, as it is no longer possible to search for the passwords of several users simultaneously

Page 93: Inserting a New Password

[Figure: the salt (12 bit) and the password (56 bit) are fed to crypt(3); the resulting encrypted password is stored together with the salt in the password file record: User ID | Salt | Encrypted PWD]

Page 94: Controlling a Password

[Figure: the user ID selects the record (User ID | Salt | Encrypted PWD) in the password file; the stored salt and the entered password (56 bit) are fed to crypt(3), and the result is compared with the stored encrypted password]
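The two figures above and the preceding slides on one-way functions and salting, carried through in code as an added example that is not part of the lecture. The one-way function is an assumption (PBKDF2-HMAC-SHA256 stands in for crypt(3), with the iteration count as the ‘harder to compute’ knob), the salt width defaults to 12 bits only to mirror the figures, and the cost function counts one-way evaluations rather than running any search.

```python
"""Salted one-way password storage and checking, following the 'Inserting a
New Password' and 'Controlling a Password' figures (added example, not the
lecture's code). The one-way function is an assumption: PBKDF2-HMAC-SHA256
stands in for crypt(3), and the iteration count is the 'harder to compute'
knob from the slides. The salt width defaults to the 12 bits of classic Unix
only to mirror the figures; real systems use much larger random salts."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 10_000   # more work per guess for an off-line search, but slower logins too


def one_way(password: str, salt: int, iterations: int = ITERATIONS) -> bytes:
    """f(salt, x): easy to compute, hard to reverse; stand-in for crypt(3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.to_bytes(4, "big"), iterations)


class PasswordFile:
    """Records of the form  user id -> (salt, f(salt, password))."""

    def __init__(self, salt_bits: int = 12) -> None:
        self.salt_bits = salt_bits
        self.entries: Dict[str, Tuple[int, bytes]] = {}

    def insert(self, user: str, password: str, salt: Optional[int] = None) -> Tuple[int, bytes]:
        """Inserting a new password: pick a salt, store the salt and f(salt, password)."""
        if salt is None:
            salt = secrets.randbits(self.salt_bits)   # slide: from time and PID; here random
        entry = (salt, one_way(password, salt))
        self.entries[user] = entry
        return entry

    def check(self, user: str, password: str) -> bool:
        """Controlling a password: recompute with the stored salt and compare."""
        if user not in self.entries:
            one_way(password, 0)     # same cost as a real check, so timing does not reveal valid user ids
            return False
        salt, stored = self.entries[user]
        return hmac.compare_digest(one_way(password, salt), stored)


def offline_search_cost(pwfile: PasswordFile, dictionary: Iterable[str], salted: bool = True) -> int:
    """Number of one-way evaluations needed to test every dictionary word against
    every entry. Without salts one evaluation per word serves all entries at once;
    with per-user salts each distinct salt needs its own evaluation of the word."""
    words = len(list(dictionary))
    if not salted:
        return words
    distinct_salts = {salt for salt, _ in pwfile.entries.values()}
    return words * len(distinct_salts)
```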

Page 95: Matched Passwords

• A set of matched passwords is shared by system and user
• When the user wants to log in
– The system presents to the user a password chosen from the set of matched passwords
– The user has to present the other element

• A generalisation of this concept is the use of an algorithm to obtain the passwords
– E.g., the system chooses an integer and presents it to the user
– The user uses this integer as input to a function
– The output of the function is the password

• Finally, we arrive at the concept of one-time passwords

Page 96: Password Replay Attack

• Passwords can be stolen during transmission
• A password can be protected by
– Encrypting it at the sender workstation
– Decrypting it at the receiver workstation

• Such a protection has limited value
– An intruder may intercept and steal the encrypted password and replay the user ID and the encrypted password later on
– The problem is the receiving system accepting an encrypted password

Page 97: One-time Passwords

• The concept of one-time passwords is to dynamically generate unpredictable passwords that are valid for a single access to the secured system
• One-time passwords are often implemented using token cards, although software-based implementations also exist
• Since one-time passwords cannot be reused, their theft should not pose security risks such as the password replay attack

Page 98: Token Cards

• With a token card the user enters a PIN code through a keypad on the card
• The card has a built-in processor that verifies the PIN code and generates a random number
• The user enters that number as the one-time password for the logon process
• The receiving system verifies the password
– At set-up time an application is installed on the system that can also generate the same number for a given user ID
– If the two numbers correspond, the user is authenticated
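Both sides of the exchange for the ‘Matched Passwords’ generalisation and the token card, with the replay case from the ‘Password Replay Attack’ slide, as an added example that is not part of the lecture. The shared function f (HMAC-SHA256 truncated to six digits), the PIN handling and the counter window are assumptions.

```python
"""Challenge-response and token-card one-time passwords (added example, not
the lecture's code). Covers the 'Matched Passwords' generalisation (the system
sends an integer, the user answers f(integer)), the token card (card and server
derive the same number from a shared secret and a counter) and, for the
'Password Replay Attack' slide, why a captured answer is useless a second time.
The function f is an assumption: HMAC-SHA256 truncated to six decimal digits."""
import hashlib
import hmac
import secrets
from typing import Dict


def f(secret: bytes, value: int) -> str:
    """Shared one-way function: maps (secret, integer) to a six-digit password."""
    mac = hmac.new(secret, value.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TokenCard:
    """User side: releases an answer only after the PIN typed on the keypad checks out."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.counter = 0

    def _check_pin(self, pin: str) -> None:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")

    def respond(self, pin: str, challenge: int) -> str:
        """Matched-password generalisation: answer the integer the system presented."""
        self._check_pin(pin)
        return f(self._secret, challenge)

    def next_code(self, pin: str) -> str:
        """Token-card mode: a fresh number from the next counter value."""
        self._check_pin(pin)
        self.counter += 1
        return f(self._secret, self.counter)


class AuthServer:
    """System side: knows each user's secret, so it can compute the same numbers."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.counters: Dict[str, int] = {}
        self.pending: Dict[str, int] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.counters[user] = 0

    def challenge(self, user: str) -> int:
        c = secrets.randbits(32)           # unpredictable, so answers cannot be prepared in advance
        self.pending[user] = c
        return c

    def verify_response(self, user: str, response: str) -> bool:
        """Each challenge is consumed on first use: a replayed answer finds no pending challenge."""
        c = self.pending.pop(user, None)
        if c is None or user not in self.secrets:
            return False
        return hmac.compare_digest(f(self.secrets[user], c), response)

    def verify_code(self, user: str, code: str, window: int = 5) -> bool:
        """Accept the code for one of the next `window` counter values, then move
        past it, so the same code can never be accepted twice."""
        if user not in self.secrets:
            return False
        start = self.counters[user]
        for k in range(start + 1, start + 1 + window):
            if hmac.compare_digest(f(self.secrets[user], k), code):
                self.counters[user] = k
                return True
        return False
```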

Page 99: Single Sign-on

• In an IT environment passwords control access to computers, networks, programs, files, …
• Users would not find it convenient to enter passwords over and over again when navigating the Internet
• A single sign-on solves the problem
– The user enters his password once
– The system stores the password
– Whenever a password is needed, the system does the job for the user

Page 100: Single Sign-on vs Repeated Authentication

• A single sign-on service adds convenience, but it also raises new security concerns
– Stored passwords have to be protected
– Cryptographic protection cannot be applied, because the system needs the passwords as readable plaintext

• To reduce the chance that an attacker uses an unattended machine where another user is already logged on, authentication may be demanded
– At the start of a session
– At certain intervals within the session

• Choosing between single sign-on and repeated authentication is a trade-off between ease of use and security

Page 101: Alternative Approaches (1)

• Password-based authentication is the most common mechanism
• A user can also be authenticated on the basis of

• Something the user knows
– A user is identified on the basis of his answering a set of questions posed by the system

• Something the user holds
– The user has to present a physical token to be authenticated
» Key
» Smart card
– Physical tokens may be lost or stolen
– To increase security, they are often used together with something the user knows
» Password
» E.g., a bank card with a PIN

Page 102: Alternative Approaches (2)

• Something a user “is”
– Biometrics are used to authenticate persons
» Computerized facsimile systems: the user's image is stored, and identification occurs by matching the person with his stored image
» Fingerprint-based systems: identification is the result of a match between the user's fingerprints and the stored ones
» Voice-recognition-based systems: the user's voice is matched against its stored version
» Retinal-feature-based systems: identification is made by examining the features of the user's retina

Page 103: Alternative Approaches (3)

• With biometrics a stored pattern is compared with the actual measurements taken, but these patterns will hardly ever match precisely
– We have to face a new problem: false positives and false negatives

• What a user does
– Authentication is based on some mechanical tasks that people perform in a way that is both repeatable and specific to the individual
– E.g., checking a handwritten signature (writing speed and writing pressure)

• Some problems of biometric authentication

Page 104: Alternative Approaches (4)

• Where the user is
– When a user logs in, the system may also take into account where the user is
– Some OSs grant access only if the user logs in from a certain terminal
» E.g., a system manager may only log in from an operator console, but not from an arbitrary user terminal

Page 105: Systems Management

• Once the system has been installed and is operational, its security mechanisms should prevent illegal user actions, but
– The protection mechanisms or the implemented policy may be inadequate or flawed

• It is advantageous to have further mechanisms which allow detecting security violations or other suspicious events while they are happening or after they have happened

Page 106: Intrusion Detection

• Early intrusion detection permits expelling the intruder before he may cause damage, or at least limiting the damage
• These mechanisms may serve as a deterrent
• Intrusion detection allows collecting information about intrusion techniques that may be used to strengthen intrusion prevention mechanisms
• These techniques may also try to detect abuses by legitimate users

Page 107: Audit Logs and Intrusion Detection

• A classification of such mechanisms is
– Auditing: records security-relevant events in an audit log (audit trail) for later analysis
– Intrusion detection: detects suspicious events when they happen and informs the system manager
– Automatic retaliation (intrusion response): reacts immediately to security alarms by taking appropriate actions

• There may be false alarms, and it is doubtful whether automatic retaliation is always a good idea

Page 108: Audit Log

• It is important to keep the audit log in a secure place
– Attackers who are able to change the audit log are in a perfect position to hide their traces

• Set the logical protection on the audit log so that only privileged users have write access
• Send the audit log to another computer where root on the audited machine has no superuser privilege and which, if possible, lacks optional utilities like compilers, editors and certain network utilities
– The attacker then has to gain access to two different systems, and without those utilities it is more difficult to gain root access to the audit machine

• Send the audit log to a secure printer

Page 109: Administrative Side

• On the administrative side we have to decide on
– The security-relevant events that should be logged
– The time an audit log has to be kept

• There is a trade-off between
– The number of different events logged
– And the ability of the operator to scan through an audit log
• The more events are declared to be security relevant, the more extensive the audit log will be, and it may become difficult to spot intrusion attempts
• If too few events are recorded, it becomes more difficult to establish how an attack was conducted once it has been detected

Page 110: Native Audit Log vs Specific Audit Log

• Native audit log
– All OSs include accounting software that collects information on user activity
– The disadvantage is that the information collected by the administrative software may not contain useful information for security purposes

• Detection-specific audit log
– A specific mechanism is designed to collect only the information needed for intrusion detection purposes

Page 111: Detection-specific Audit Log

• An example of a detection-specific audit log contains the following fields
– Subject: who starts the action
» A user working on some terminal
» A process executing under a user's domain
– Action: the operation accomplished by the subject
» I/O operations …
– Object: what the operation works on
– Exception: if an exception is raised by the execution of the operation
– Resource usage: a list of elements containing the amount of resources used
– Time stamp: the time of execution

Page 112: Intrusion Detection Techniques

Assume the behaviour of the intruder differs from that of the legitimate user

Overlaps in behaviours may occur
A simplified interpretation of intruder behaviour will lead to detecting more intruders but also to having ‘false positives’
Trying to limit ‘false positives’ will lead to more ‘false negatives’, that is, some intruders will be recognized as legitimate users

Expert systems and techniques from artificial intelligence may be used in intrusion detection systems

These techniques may also be used to scan through the audit log

Page 113: Intrusion Detection Approaches (1)

Statistical anomaly detection
Data related to the behaviour of legitimate users are collected over a certain period of time
Statistical approaches are used to determine whether the behaviour is not a legitimate one

Defining thresholds, user independent, concerning the occurrence rate of certain events
Or outlining a specific profile for each legitimate user, to be used to detect changes in the user's behaviour

Useful for detecting an intruder who uses the account of a legitimate user, but may not detect abuses by legitimate users
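As an added example (not from the original slides), the following Python puts the detection-specific audit record of page 111 and the two statistical approaches of this slide together: a user-independent threshold on the occurrence rate of the "exception" event, and a per-user profile on resource usage. The record layout follows the slide's field list; the threshold, the training profiles and the log lines are constructed for illustration.

```python
"""Detection-specific audit records and a statistical anomaly check.

Added example (not from the original slides): the record fields follow the
slide's list (subject, action, object, exception, resource usage, time stamp);
the threshold values, the profiles and the log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    subject: str        # who started the action (user or process)
    action: str         # operation accomplished by the subject
    obj: str            # object the operation works on
    exception: str      # exception raised by the operation, "" if none
    resources: int      # amount of used resource (here: bytes read)
    timestamp: int      # time of execution, seconds since an epoch


# Constructed sample log: three users inside one observation window.
SAMPLE_LOG = [
    AuditRecord("alice", "login", "tty1", "", 0, 100),
    AuditRecord("alice", "read", "/home/alice/notes", "", 4096, 110),
    AuditRecord("bob", "login", "tty2", "", 0, 120),
    AuditRecord("bob", "read", "/etc/shadow", "EACCES", 0, 121),
    AuditRecord("bob", "read", "/root/.ssh/id_rsa", "EACCES", 0, 122),
    AuditRecord("bob", "read", "/var/log/auth.log", "EACCES", 0, 123),
    AuditRecord("bob", "read", "/etc/sudoers", "EACCES", 0, 124),
    AuditRecord("carol", "login", "tty3", "", 0, 130),
    AuditRecord("carol", "read", "/home/carol/a", "", 900000, 131),
]

# Constructed training profiles: bytes read per window in earlier windows.
PROFILES = {
    "alice": [3000, 4500, 4000, 5000],
    "bob": [1000, 1200, 900, 1100],
    "carol": [2000, 2500, 1800, 2200],
}


def exceptions_per_subject(log):
    """Occurrence count of the 'exception' event for each subject."""
    counts = defaultdict(int)
    for rec in log:
        if rec.exception:
            counts[rec.subject] += 1
    return dict(counts)


def threshold_alerts(log, max_exceptions):
    """User-independent threshold: flag subjects whose exception count in
    the window exceeds max_exceptions (first approach on the slide)."""
    counts = exceptions_per_subject(log)
    return sorted(s for s, c in counts.items() if c > max_exceptions)


def profile_alerts(log, profiles, k=3.0):
    """Per-user profile: flag a subject whose resource usage in the window
    lies more than k standard deviations above its recorded profile
    (second approach on the slide). profiles maps subject -> list of past
    per-window usage values collected during the observation period."""
    usage = defaultdict(int)
    for rec in log:
        usage[rec.subject] += rec.resources
    alerts = []
    for subject, total in usage.items():
        history = profiles.get(subject)
        if not history:
            continue  # no profile yet: nothing to compare against
        mu, sigma = mean(history), pstdev(history)
        if total > mu + k * max(sigma, 1.0):
            alerts.append(subject)
    return sorted(alerts)


if __name__ == "__main__":
    print("exceptions per subject:", exceptions_per_subject(SAMPLE_LOG))
    print("threshold alerts:", threshold_alerts(SAMPLE_LOG, max_exceptions=3))
    print("profile alerts:", profile_alerts(SAMPLE_LOG, PROFILES))
```

Lowering max_exceptions catches bob earlier but, as the slide warns, also turns an ordinary user's occasional typo into a false positive.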

Page 114: Intrusion Detection Approaches (2)

Rule-based detection
Rules are developed to detect deviations from previous usage patterns
Expert systems search for suspicious behaviour
Useful for detecting abuses by legitimate users

A system may use a combination of the two approaches

Page 115: Cryptography (1)

Data confidentiality provides the means to protect information from unauthorized disclosure
It is achieved by encrypting the message at the sender and decrypting it at the receiver
Cryptography has its roots in communication security

Two entities A and B communicate over an insecure channel
An intruder has full control over this channel, being able to read, delete and insert messages
Cryptography allows them to construct a secure logical channel over an insecure physical connection

Access to physical communication links does not compromise cryptographic protection

Page 116: Cryptography (2)

In distributed systems, the traffic between clients and servers is a new point of attack
Services and mechanisms for communication security are needed

Data confidentiality: encryption algorithms hide the content of messages
Data integrity: integrity check functions provide the means to detect whether a document has been modified
Data origin authentication: message authentication codes or digital signature algorithms provide the means to verify the source and integrity of a message

Page 117: Cryptography (3)

Encryption consists of transforming the message in such a way that only the intended recipient can interpret it

The original data is called plaintext
The resulting data after applying the encryption algorithm is called ciphertext (or cipher)

Decryption is the reverse process: it transforms the ciphertext back into plaintext

Page 118: Cryptography (4)

The encryption and decryption algorithms may be made public, because the confidentiality of the message depends only on the cryptographic keys

The key used in a cryptographic transformation should be the only item that needs protection

It is fundamental for a cryptographic algorithm that the keys can be chosen from a very large key space

Figure: Plaintext -> Encrypt -> Ciphertext -> Decrypt -> Plaintext

Page 119: Key management

Key management is fundamental for the security of cryptographic schemes

Cryptographic keys are sensitive data stored in a computer system
Access control mechanisms have to protect them

Access control failures compromise cryptographic protection

We have to consider
Where keys are generated
How keys are generated
Where keys are stored
How the keys get there
Where the keys are used
How to revoke and replace keys

Page 120: Cryptographic Mechanisms

Cryptographic mechanisms are the basic building blocks of cryptographic protocols

Cryptographic protocols offer good key management

In computer security the most used cryptographic mechanisms are
Cryptographic algorithms
Integrity check functions (hash functions)

Page 121: Cryptographic Algorithms Families (1)

The two big families of cryptographic algorithms are
Secret key algorithms (symmetric)
The key used to encrypt is the same used to decrypt
The encryption algorithm E and the decryption algorithm D are conceptually the same
Only the key is secret, the algorithms are public
The algorithms do not have a clear mathematical foundation, but are based on the combination of several steps of operations such as
– Permutation
– Finite space elements mapping
» XOR
» Mod sum
» …
– Permutation and mapping may change over time

Page 122: Cryptographic Algorithms Families (2)

Public key algorithms (asymmetric)
Two keys are used
– Ke, the key used for encryption, is public
– Kd, the key used for decryption, is known only by the owner
– It is computationally difficult to deduce the private key knowing the public one, and also to decrypt without the Kd key
The encryption and decryption functions are different
– The encryption one is direct and easy
– The decryption one is the inverse and generally very complicated

These algorithms are based on computational complexity theory

Page 123: Public Key vs Private Key

The limitation of private key algorithms is the necessity to exchange the secret key: risk of interception

Public key algorithms do not have this necessity
The two parties involved each have their own two keys, a public one and a private one
The problem is the decryption complexity, which grows more than linearly with the encrypted block length
They are used for
Key distribution for private key algorithms
Digital signature

Page 124: Secret and Public Key Algorithms

Figure, secret key scheme: Plaintext M -> Encrypt E (key Ke) -> Ciphertext Eke[M] -> Decrypt D = E (key Ke) -> Plaintext
Figure, public key scheme: Plaintext M -> Encrypt E (key Ke) -> Ciphertext Eke[M] -> Decrypt D (key Kd) -> Plaintext

Page 125: Cryptographic Algorithms

The most famous algorithms in the field of secret key are
DES (Data Encryption Standard)
IDEA (International Data Encryption Algorithm)

In the field of public key are
RSA (Rivest, Shamir, Adleman)
Diffie-Hellman

Page 126: DES (1)

The plaintext M is divided into 64-bit blocks Mi (block cipher)
If M is shorter than 64 bits, the remaining bits are filled with 0

The key is 56 bits long

Figure: Mi (64 bit) -> DES (key Ke, 56 bit) -> Ek[Mi] (64 bit)

Page 127: DES Phases (1)

The algorithm consists of the following phases applied to each block Mi

One initial permutation
16 iterations of the same operation
A swap operation
One inverse permutation

Page 128: DES Phases (2)

Figure, data path: Mi (64 bit) -> Permutation P1 -> Iteration 1 -> ... -> Iteration 16 -> SWAP -> Permutation P1^-1 -> Ciphertext (64 bit)
Figure, key path: Ke (56 bit) -> Permutation P2 -> at each iteration RL (56 bit -> 56 bit) and P/C (56 bit -> 48 bit round key)

Page 129: DES Phases (3)

RL (56 bit -> 56 bit): the key is broken into two 32-bit blocks and a left rotation is done

P/C (56 bit -> 48 bit): a permutation and compression is done

SWAP (64 bit -> 64 bit): the input is broken into two 32-bit blocks that are swapped

Page 130: Iteration i (1)

Figure, data path of iteration i: Li-1 (32 bit), Ri-1 (32 bit); Ri-1 -> P/E -> 48 bit -> S-Box -> Permutation (points A and B in the figure) -> Li, Ri (32 bit)
Figure, key path of iteration i: Ci-1, Di-1 -> RL -> Ci, Di -> P/C -> 48-bit round key

Page 131: S-Box

The S-boxes are 8 boxes S1,...,S8, each with 6 input bits and 4 output bits
If the input is 100101
The first and the last bit are used to select the row (11 = row 3)
The middle bits select the column (0010 = column 2)

Table: S-box entries, rows 0 to 3 by columns 0 to 15
The selected entry is the outcome

Page 132: Decoding

Encoding step
Li = Ri-1
Ri = Li-1 XOR F(Ki, Ri-1)

Decoding step
Ri-1 = Li
Li-1 = Ri XOR F(Ki, Li)

Figure: Li-1, Ri-1 -> (A, B) -> Li, Ri, where F(Ki, Ri-1) depends on the round key Ki
The round key Ki makes decoding without the key impossible
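The S-box selection of page 131 and the encoding/decoding steps above, as an added Python example that is not part of the original slides. S1 is the real DES S-box S1; the round function F, the key schedule and the 32-bit halves are a simplified stand-in for DES (no expansion, a single S-box), kept only to show that running the same rounds with the round keys in reverse order undoes the encryption.

```python
"""DES-style S-box selection and the Feistel encode/decode steps.

Added example (not from the original slides). S1 is the real DES S-box S1;
round_function and toy_key_schedule are constructed simplifications of
DES's F and key schedule, chosen to keep the structure visible:
Li = Ri-1, Ri = Li-1 XOR F(Ki, Ri-1), decoding with the keys reversed.
"""

# DES S-box S1: 4 rows x 16 columns, each entry a 4-bit output.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1


def sbox_lookup(sbox, six_bits):
    """Row from the first and last input bit, column from the four middle
    bits, as the S-Box slide describes; the entry is the 4-bit output."""
    assert 0 <= six_bits < 64
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def round_function(round_key, right):
    """Simplified F(Ki, Ri-1): XOR the 32-bit half with the round key, then
    push five 6-bit groups through S1 (DES expands to 48 bits and uses
    eight different S-boxes; this stand-in keeps only the S-box step)."""
    x = (right ^ round_key) & MASK32
    out = 0
    for i in range(5):
        out = (out << 4) | sbox_lookup(S1, (x >> (6 * i)) & 0x3F)
    # spread the 20 S-box output bits over 32 bits (stand-in for DES's P)
    return (out * 0x9E37) & MASK32


def feistel_rounds(left, right, round_keys):
    """Encoding step once per round key: Li = Ri-1, Ri = Li-1 XOR F(Ki, Ri-1)."""
    for k in round_keys:
        left, right = right, left ^ round_function(k, right)
    return left, right


def encrypt_block(left, right, round_keys):
    """16 rounds followed by the final SWAP of the two halves."""
    lh, rh = feistel_rounds(left, right, round_keys)
    return rh, lh


def decrypt_block(left, right, round_keys):
    """Decoding step: because of the final swap, the same rounds with the
    round keys in reverse order recover Ri-1 = Li, Li-1 = Ri XOR F(Ki, Li)."""
    lh, rh = feistel_rounds(left, right, list(reversed(round_keys)))
    return rh, lh


def toy_key_schedule(key56, rounds=16):
    """Constructed schedule: rotate the 56-bit key left by one bit per round
    and take the low 32 bits (DES rotates two halves and compresses to 48)."""
    keys = []
    k = key56 & MASK56
    for _ in range(rounds):
        k = ((k << 1) | (k >> 55)) & MASK56
        keys.append(k & MASK32)
    return keys


if __name__ == "__main__":
    print("S1(100101) =", sbox_lookup(S1, 0b100101))  # row 3, column 2 -> 8
    rk = toy_key_schedule(0x133457799BBCDF)            # constructed key
    ct = encrypt_block(0x01234567, 0x89ABCDEF, rk)
    print("ciphertext halves:", [hex(v) for v in ct])
    print("decrypted halves:", [hex(v) for v in decrypt_block(*ct, rk)])
```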

Page 133: Block Ciphers Uses

We have seen DES applied to a single 64-bit block
When message M is longer than 64 bits, we can use several techniques based upon DES
Electronic codebook
Cipher block chaining

The key is 56 bits long
A brute-force attack requires 2^56 attempts
An enormous number, but reachable today

Double-DES and Triple-DES make the DES algorithm stronger against brute-force attacks

Page 134: Electronic Codebook

Message M is divided into 64-bit blocks Mi
DES is applied separately to each block
The resulting encrypted blocks are concatenated

M = M1 || M2 || ... || Mn
Ek[M] = Ek[M1] || Ek[M2] || ... || Ek[Mn]

Page 135: Brute Force Attack

The brute force attack consists in trying all possible key values to decrypt the message
The maximum required time for the attack is

Tmax = (time required for one verification) * 2^n / N

n = key length
N = number of parallel computers

E.g., with a computer that makes 10^6 attempts every second, DES is broken in T = 2000 years
With a highly parallel computer, T = 21 minutes

Page 136: Cipher Block Chaining

Figure: M = M1 || M2 || ... || Mn; each block goes through DES under key k, chained with the previous ciphertext block
Ek[M] = Ek[M1] || Ek[M2] || ... || Ek[Mn]
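Electronic codebook (page 134) and cipher block chaining side by side, as an added Python example that is not part of the original slides. The slides apply DES; here a constructed, deliberately toy 64-bit block cipher stands in for DES so the two modes can be compared offline, and the short final block is zero-filled as the DES (1) slide describes.

```python
"""Electronic codebook vs cipher block chaining over a 64-bit block cipher.

Added example (not from the original slides). toy_encrypt_block is a
constructed stand-in for DES (XOR with the key, then multiplication by an
odd constant mod 2^64, which is invertible); it is NOT a secure cipher and
exists only so the two modes can be run and compared.
"""
import os

BLOCK = 8                       # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15        # odd, hence invertible mod 2^64
ODD_INV = pow(ODD, -1, 1 << 64)


def toy_encrypt_block(key, block):
    """E_k[Mi] for one 8-byte block (toy cipher, not DES)."""
    m = int.from_bytes(block, "big")
    return (((m ^ key) * ODD) & MASK64).to_bytes(BLOCK, "big")


def toy_decrypt_block(key, block):
    c = int.from_bytes(block, "big")
    return (((c * ODD_INV) & MASK64) ^ key).to_bytes(BLOCK, "big")


def split_blocks(message):
    """M = M1 || M2 || ... || Mn, the last block filled with 0 bits as on the
    slide (note: zero-filling is ambiguous if M itself ends in zero bytes)."""
    padded = message + b"\x00" * (-len(message) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, message):
    """Ek[M] = Ek[M1] || Ek[M2] || ... || Ek[Mn]: each block on its own."""
    return b"".join(toy_encrypt_block(key, m) for m in split_blocks(message))


def ecb_decrypt(key, ciphertext):
    return b"".join(toy_decrypt_block(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))


def cbc_encrypt(key, iv, message):
    """Ci = Ek[Mi XOR Ci-1] with C0 = IV: each block depends on all previous
    ones, so equal plaintext blocks no longer give equal ciphertext blocks."""
    out, prev = [], iv
    for m in split_blocks(message):
        prev = toy_encrypt_block(key, xor_bytes(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    """Mi = Dk[Ci] XOR Ci-1."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Count ciphertext blocks equal to an earlier one: the ECB leak that an
    observer sees without knowing the key."""
    seen, repeats = set(), 0
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        repeats += c in seen
        seen.add(c)
    return repeats


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                 # constructed 64-bit key
    iv = os.urandom(BLOCK)
    msg = b"SAME BLOCK TEXT " * 4 + b"END"   # repeated 16-byte pattern
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    print("ECB repeated blocks:", repeated_blocks(ecb))
    print("CBC repeated blocks:", repeated_blocks(cbc))
    print("ECB round trip ok:", ecb_decrypt(key, ecb).rstrip(b"\x00") == msg)
    print("CBC round trip ok:", cbc_decrypt(key, iv, cbc).rstrip(b"\x00") == msg)
```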

Page 137: Double-DES

A way to attack double-DES is the meet-in-the-middle attack

Figure, encrypt: Mi -> DES (K1) -> X -> DES (K2 != K1) -> Ek[Mi]
Figure, decrypt: Ek[Mi] -> DES (K2 != K1) -> X -> DES (K1) -> Mi

Page 138: Triple-DES

Triple-DES is adopted to avoid meet-in-the-middle attacks

Figure: Mi -> DES (K1) -> DES (K2) -> DES (K3) -> Ek[Mi]
Equivalent to a 112-bit key

Page 139: IDEA (1)

After the brute-force attacks that cracked the DES algorithm, IDEA was introduced

Like DES, it works on 64-bit blocks
The same algorithm is used to encrypt and decrypt
What makes IDEA stronger than DES is the 128-bit key

The algorithm is based on 8 iterations applied to each block, using
XOR operation
Modular sum
Permutation

Page 140: IDEA (2)

Each block is divided into four 16-bit sub-blocks
The cryptographic key is divided into eight 16-bit fragments
Each sub-block is summed or multiplied with a fragment of the cryptographic key
At each iteration only six key fragments are used
When every key fragment has been used, the key is shifted 25 bits to the left
When the last iteration is done, the first four operations are re-applied to obtain one 64-bit encrypted block

Page 141: Iteration i

Figure: KEY 128-bit: K1 K2 K3 K4 K5 K6 K7 K8; Message 64-bit: M1 M2 M3 M4
Figure, one iteration: B1*K1, B2+K2, B3+K3, B4*K4 are combined through XOR, modular sum (+) and multiplication (*) with K5, producing the outputs B1', B2', B3', B4'

Page 142: Decryption

To decrypt the ciphertext the same encoding algorithm is used, with the only difference that the key sub-blocks are taken in inverse order

Page 143: Key Establishment Protocols

Before a symmetric cryptographic algorithm can be used, all the keys have to be in the right place
Cryptographic protocols that establish keys for use by other protocols are known as ‘key establishment protocols’

Some, known as key agreement protocols, involve only the parties that want to establish a shared key
E.g., Diffie-Hellman protocol

Others, key transport protocols, require the services of a trusted third party, a Key Distribution Centre (KDC)
E.g., Needham-Schroeder protocol

Page 144: Needham-Schroeder Protocol (1)

The Needham-Schroeder protocol is an n-way challenge-response authentication protocol
Two parties A and B obtain their session key from a server S (KDC)
Initially, both parties share a secret key with the KDC
Ka
Kb

A symmetric algorithm is used for encryption
Nonces are included in the messages to prevent replay attacks

Page 145: Needham-Schroeder Protocol (2)

Principal A informs the KDC of his intention to establish a connection with B
The message contains a big random number (a nonce) Na

The KDC responds with a message encrypted with Ka, containing
Na
A session key Ks
An encrypted message Kb(A,Ks) which A has to send to B
The identity of B

Principal A sends to B
The message Kb(A,Ks)
A nonce Na2 encrypted with the session key

Page 146: Needham-Schroeder Protocol (3)

B responds to A with
(Na2 – 1) encrypted with the session key, to prove that he is B
Na would not work, because an intruder may have intercepted it previously
Nb

Now A is sure to be talking with B

The last protocol message consists in a response from A to B
The nonce Nb – 1 encrypted with the session key

Now B knows that he is talking with A

Page 147: Needham-Schroeder Protocol (4)

A -> KDC: Na, A, B
KDC -> A: Ka(Na, B, Ks, Kb(A, Ks))
A -> B: Kb(A, Ks), Ks(Na2)
B -> A: Ks(Na2 – 1), Nb
A -> B: Ks(Nb – 1)
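The five messages above with all three parties and their nonce checks, as an added Python example that is not part of the original slides. The symmetric algorithm the slide leaves unspecified is replaced by a constructed toy (SHA-256 keystream plus an HMAC tag); the party names, keys and nonces (Ka, Kb, Ks, Na, Na2, Nb) follow the diagram, with Nb sent in the clear exactly as the diagram draws it.

```python
"""The Needham-Schroeder exchange from the slides: A, B and the KDC.

Added example, not from the original slides. enc/dec are a constructed toy
authenticated cipher standing in for the symmetric algorithm; the message
contents follow the slide's diagram.
"""
import hashlib
import hmac
import json
import secrets

TAG = 32  # HMAC-SHA256 tag length in bytes


def _keystream(key, iv, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def enc(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object: K(obj)."""
    pt = json.dumps(obj).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def dec(key, blob):
    """Inverse of enc; raises ValueError if the tag does not verify."""
    iv, ct, tag = blob[:16], blob[16:-TAG], blob[-TAG:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message rejected: bad tag or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


def kdc_step(keys, na, a, b):
    """Message 2: Ka(Na, B, Ks, Kb(A, Ks)). keys maps principal -> long-term key."""
    ks = secrets.token_bytes(32)
    ticket = enc(keys[b], {"peer": a, "ks": ks.hex()})   # Kb(A, Ks)
    return enc(keys[a], {"na": na, "peer": b, "ks": ks.hex(), "ticket": ticket.hex()})


def run_protocol(keys, a="A", b="B"):
    """Run the five messages; return (Ks as seen by A, Ks as seen by B)."""
    # 1. A -> KDC: Na, A, B   (in the clear)
    na = secrets.randbits(64)
    # 2. KDC -> A: Ka(Na, B, Ks, Kb(A, Ks)); A checks Na and the peer name
    reply = dec(keys[a], kdc_step(keys, na, a, b))
    if reply["na"] != na or reply["peer"] != b:
        raise ValueError("A: KDC reply does not match the request (replay?)")
    ks_a = bytes.fromhex(reply["ks"])
    # 3. A -> B: Kb(A, Ks), Ks(Na2)
    na2 = secrets.randbits(64)
    msg3 = (bytes.fromhex(reply["ticket"]), enc(ks_a, {"na2": na2}))
    # B opens the ticket with Kb, learns A and Ks, then reads Na2 under Ks
    ticket = dec(keys[b], msg3[0])
    if ticket["peer"] != a:
        raise ValueError("B: ticket was not issued for the claimed peer")
    ks_b = bytes.fromhex(ticket["ks"])
    na2_at_b = dec(ks_b, msg3[1])["na2"]
    # 4. B -> A: Ks(Na2 - 1), Nb    (Nb in the clear, as drawn on the slide)
    nb = secrets.randbits(64)
    msg4 = (enc(ks_b, {"na2_minus_1": na2_at_b - 1}), nb)
    if dec(ks_a, msg4[0])["na2_minus_1"] != na2 - 1:
        raise ValueError("A: B did not prove knowledge of Ks")
    # 5. A -> B: Ks(Nb - 1)
    msg5 = enc(ks_a, {"nb_minus_1": msg4[1] - 1})
    if dec(ks_b, msg5)["nb_minus_1"] != nb - 1:
        raise ValueError("B: A did not prove knowledge of Ks")
    return ks_a, ks_b


if __name__ == "__main__":
    long_term = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    ks_a, ks_b = run_protocol(long_term)
    print("session key agreed by A and B:", ks_a == ks_b)
```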

Page 148: RSA

The security of the RSA algorithm derives from the complexity of factorising a big integer into two big prime factors

n = p*q, where p and q are two big prime numbers
n may be public; this does not compromise the secrecy of p and q

The public key is composed of a couple (Ke, n)
Ke is chosen randomly, with the constraint of being relatively prime to (p-1)(q-1)

The private key is (Kd, n)
Kd is chosen so that Ke*Kd mod [(p-1)(q-1)] = 1
Key lengths may vary from 40 up to 1024 bits

Key length has a strong impact on the computational time necessary for the encoding and decoding functions

Page 149: Encryption and Decryption

To encrypt a message Mi the public key Ke is used
Ci = Encrypt(Mi) = Mi^Ke mod n

To decrypt the ciphertext Ci the private key is used, which is known only by its owner
Mi = Decrypt(Ci) = Ci^Kd mod n

E.g.
Subject S1 wants to send a message to S2
S1 encrypts the message using the public key of S2
S2 receives the encrypted message and decrypts it using its own private key

Page 150: RSA Example (1)

Choose two prime numbers p and q
p = 3
q = 11

Calculate n = pq = 33 and z = (p-1)(q-1) = 20
Choose Kd relatively prime to z
Kd = 7

Choose Ke so that Ke*Kd mod z = 1
Ke = 3

Then C = P^3 (mod 33) and P = C^7 (mod 33)
P = plaintext
C = ciphertext

Page 151: RSA Example (2)

code P | P^3 | C = P^3 mod 33 | C^7 | C^7 mod 33
26 | 17576 | 20 | 1280000000 | 26
1 | 1 | 1 | 1 | 1
14 | 2744 | 5 | 78125 | 14
5 | 125 | 26 | 8031810176 | 5
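The RSA set-up of pages 148 to 151 carried through in code, as an added Python example that is not part of the original slides. It rebuilds the slide's table (p = 3, q = 11, n = 33, z = 20, Ke = 3, Kd = 7) and generalises it: Kd is computed from Ke as a modular inverse instead of being chosen by hand, and the same functions work for any primes.

```python
"""RSA key set-up, encryption and decryption with the slide's toy parameters.

Added example, not from the original slides. Toy-sized numbers are used so
every value can be checked by hand; real keys are far larger.
"""
from math import gcd


def rsa_keys(p, q, ke):
    """Return ((Ke, n), (Kd, n)) for primes p, q and a public exponent Ke
    relatively prime to z = (p-1)(q-1); Kd satisfies Ke*Kd mod z = 1."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(ke, z) != 1:
        raise ValueError("Ke must be relatively prime to (p-1)(q-1)")
    kd = pow(ke, -1, z)          # modular inverse (Python 3.8+)
    return (ke, n), (kd, n)


def encrypt(public_key, m):
    """Ci = Mi^Ke mod n; the plaintext value must be smaller than n."""
    ke, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, ke, n)


def decrypt(private_key, c):
    """Mi = Ci^Kd mod n."""
    kd, n = private_key
    return pow(c, kd, n)


def example_table(public_key, private_key, plaintexts):
    """Rows (P, P^Ke, C = P^Ke mod n, C^Kd, C^Kd mod n) as on the slide.
    The unreduced powers are computed only to reproduce the table."""
    ke, _ = public_key
    kd, _ = private_key
    rows = []
    for p in plaintexts:
        c = encrypt(public_key, p)
        rows.append((p, p ** ke, c, c ** kd, decrypt(private_key, c)))
    return rows


if __name__ == "__main__":
    pub, priv = rsa_keys(3, 11, 3)          # slide values: Kd comes out as 7
    print("public", pub, "private", priv)
    for row in example_table(pub, priv, [26, 1, 14, 5]):
        print(" | ".join(str(v) for v in row))
```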

Page 152: Diffie-Hellman

The Diffie-Hellman algorithm permits key exchange between two subjects

Subject A sends a message to subject B
Subject B sends a message to subject A
After the message exchange, the two subjects A and B own a secret key that may be used to encrypt further messages
The two messages can be intercepted by everyone, but only A and B own the secret key

The algorithm is based upon a mathematical problem
Given a prime modulus p, the base a, and the value y = a^x mod p
Find the discrete logarithm x of y

Page 153: How Diffie-Hellman works

The two subjects have to calculate and transmit to each other the following values Yi and Yj
Yi = a^xi mod p for subject i
Yj = a^xj mod p for subject j
Where x is taken randomly, and kept secret, from the set (1,...,p-1), where p is a prime number
The secret key Kij = a^(xi*xj) mod p
For subject i: Kij = Yj^xi mod p
For subject j: Kij = Yi^xj mod p

An intruder knows Yj and Yi but not xi or xj, and it is practically impossible to calculate
xi = log_a Yi mod p
or xj = log_a Yj mod p

Page 154: Discrete Logarithm Problem (DLP)

p is a prime number, e.g. p = 7
a is a primitive root of p, e.g. a = 3
b = a^i mod p
Knowing i, it is easy to calculate b
3^1 mod 7 = 3
3^2 mod 7 = 2
3^3 mod 7 = 6
3^4 mod 7 = 4

It is extremely difficult to calculate i knowing b, a, p, especially when a and p are big
i = log_a b mod p
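The exchange of page 153 and the discrete logarithm table above, as an added Python example that is not part of the original slides. It uses the slide's symbols (p, a, xi, xj, Yi, Yj, Kij) and toy parameters (p = 7, a = 3) so every value can be checked by hand, and shows why such a small p is useless: the exponent is recovered by trying every candidate.

```python
"""Diffie-Hellman key agreement and the discrete logarithm behind it.

Added example, not from the original slides. Parameters p = 7, a = 3 are
the slide's toy values; real parameters are hundreds of digits long.
"""
import secrets


def is_primitive_root(a, p):
    """a is a primitive root of prime p if a^i mod p takes every value 1..p-1."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1


def dh_public(a, p, x):
    """Yi = a^xi mod p, the value each subject transmits."""
    return pow(a, x, p)


def dh_shared(peer_public, p, x):
    """Kij = Yj^xi mod p, computed by subject i from Yj and its own xi."""
    return pow(peer_public, x, p)


def dh_exchange(a, p, xi=None, xj=None):
    """Full exchange; returns (Yi, Yj, Kij at i, Kij at j). The secrets
    default to random values from 1..p-1, as the slide requires."""
    xi = xi if xi is not None else 1 + secrets.randbelow(p - 1)
    xj = xj if xj is not None else 1 + secrets.randbelow(p - 1)
    yi, yj = dh_public(a, p, xi), dh_public(a, p, xj)
    return yi, yj, dh_shared(yj, p, xi), dh_shared(yi, p, xj)


def discrete_log_bruteforce(a, b, p):
    """Smallest i >= 1 with a^i mod p == b, by exhaustive search: feasible
    only for tiny p, which is why real parameters are so large."""
    for i in range(1, p):
        if pow(a, i, p) == b:
            return i
    return None


if __name__ == "__main__":
    p, a = 7, 3
    print("3 is a primitive root of 7:", is_primitive_root(a, p))
    print("b = 3^i mod 7:", [(i, pow(a, i, p)) for i in range(1, 5)])
    yi, yj, k_i, k_j = dh_exchange(a, p, xi=2, xj=5)
    print("Yi, Yj =", yi, yj, " Kij at i, j =", k_i, k_j)
    print("with p = 7 an observer recovers xi =", discrete_log_bruteforce(a, yi, p))
```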

Page 155: HASH Functions (1)

Cryptography is the principal mechanism to ensure confidentiality
Hash functions are used
For data integrity
In digital signature algorithms

Simple hash functions are
Transposition
Substitution

Specific algorithms were created for use in digital signature protocols
SHA-1 (Secure Hash Algorithm)
MD5

Through verification mechanisms, it is possible to detect message manipulations

Page 156: Hash Functions Properties

Hash functions
Transform arbitrary length information into a fixed length code (the message digest)
Are not invertible

The use of hash functions makes it highly improbable to obtain two equal digests from two different messages
And so to change the message while maintaining the same digest

Figure: Message m -> Digest h(m)

Page 157: SHA-1 and MD5

The SHA-1 and MD5 algorithms implement two different one-way hash functions (integrity check functions)
The message is processed in 512-bit blocks

The message is condensed, using a hash function, obtaining a ‘digest’
The digest, 160 bits long for SHA-1 and 128 bits for MD5, is the part of the message that is digitally signed

The two algorithms make it computationally hard to go back to the original message that originated the digest

Page 158: Certificates

Security using public and private keys is guaranteed only if we are sure that the public key we are using belongs to the user who declared it (the legitimate owner)
The public key-owner association is guaranteed by the Certification Authority (CA) and various intermediate certification units, forming a tree structure called Public Key Infrastructure (PKI)

Trust is propagated from the CA to the terminal nodes
The CA is an institution which guarantees the client and server identity
The PKI aim is to link public keys with their owners in a secure way, making digital signature and public key algorithms useful

Page 159: Digital Certificate Format

Figure, certificate fields: Certificate Owner; Certificate Validity; Key Exchange (Owner public key); CA; CA DIGITAL SIGNATURE

Page 160: PKI Hierarchy (1)

Figure: Root CA -> Subordinate CAs -> Subordinate CAs -> CERTIFICATE

Page 161: PKI Hierarchy (2)

Policy Approving Authority (PAA)
Approves the certificate issuance policies of PCAs
E.g., one per country – cross-certified or certified by the United Nations

Policy Certification Authority (PCA)
Establishes the certificate issuance policy for its community
E.g., state governments or large corporations

Certificate Authority (CA)
Issues certificates to users according to the PCA policy
E.g. Verisign, Entrust, …

Page 162: X.509 (1)

X.509 is a standard that specifies the precise format of a digital certificate

It describes the fields that a certificate has to contain

The X.509 standard associates a DN (distinguished name) to each public key to uniquely identify the key owner

Page 163: X.509 (2)

X.509 certificate structure
Certificate version number
Certificate serial number
User public key
DN of the CA that issues the certificate
Validity period
Owner DN
Certificate type
– Client (for a client that wants to buy some items on-line)
– Server (for a vendor willing to start an e-commerce business)
– E-mail
CA digital signature

Page 164: Cryptanalysis (1)

Cryptanalysis is the science of breaking ciphers
The attacks that can be perpetrated by a cryptanalyst can be classified as follows:

Ciphertext-only attack
The cryptanalyst has only the encrypted text
The probability of success of this attack is remote

Known-plaintext attack
The cryptanalyst possesses the encrypted text and the corresponding cleartext
Permits obtaining the secret key

Chosen-plaintext attack
The cryptanalyst may choose the cleartext, encrypt it and compare the results with the ciphertext he has

Page 165: Cryptanalysis (2)

Adaptive-chosen-plaintext attack
The cryptanalyst possesses the ciphertext
It is a modification of the previous attack: the chosen cleartext is modified depending on the encryption results

Chosen-ciphertext attack
The cryptanalyst has the cleartext and may choose the ciphertext to decrypt for obtaining the cleartext

Adaptive-chosen-ciphertext attack
The cryptanalyst has the cleartext
The choice of the ciphertext depends on the result of the decryption

Page 166: Distributed Systems Security

Moving from a centralised system to a distributed system has an impact on your security

The assumption on the security of the communication links will hardly hold; we have to take into account
Eavesdropping on passwords
Changes or insertions of messages
Taking over a session

Users are not necessarily registered at the node where they are accessing an object

Page 167: How do you authenticate users? (1)

User authentication, and in particular access control, can be based on three different policies
The user identity
The network address the user operates from
The distributed service the user is invoking

In all three cases communication via the network introduces new vulnerabilities

If access control decisions are based on user identity, how will the user access rights travel with them?
The network address implies the maintenance of a list of trusted systems to which access is permitted
Risks come from the weakness of these trusted systems

Page 168: How do you authenticate users? (2)

We may decide that users coming from certain nodes in the system need not be authenticated again

This implies a strong dependence on the message authentication and the initial entity authentication mechanisms

Page 169: Delegation (1)

In a distributed system a user may log in at a certain node and then execute a program on a remote node

To obtain resources at the remote node, the program will need the relevant access rights
This, typically, is obtained by ‘delegation’
The program is endowed with the access rights of the user
And then runs with these access rights on the remote node

Users may not want to release all their rights to a node they have little control over

A weak protection on the remote node permits an attacker to grab the user's access rights

Delegation (2)

Systems where users can control which rights they delegate, and where accountability mechanisms are able to discern the delegated use of access rights, may therefore be preferred

For popular services, proxy users may be created to deal with remote service requests:

– First the remote user's permission to run the service is checked
– Then the proxy is allowed to perform the requested actions, running with its own rights instead of the rights delegated by the remote user

Security Enforcement

Once the policies are chosen, we have to decide how to enforce them:

– Where a user is authenticated
– Where the access control decisions are taken

Security may be enforced centrally or locally

To enforce security centrally, we may use:

– An authentication server and ticket-granting servers (e.g., Kerberos)
– Or install a firewall to control access to the intranet

For the local option, enforcement is left to the OS on the individual nodes:

– DSSA
– Or CORBA (middleware protection)

Authentication

Passwords are still the most popular authentication mechanism in distributed systems

Unprotected passwords transmitted over networks are an obvious vulnerability

Password sniffers are programs that listen to the network traffic and extract packets containing passwords and other security-relevant information

Better authentication schemes are needed:

– Authentication based on public key
– Authentication protocols involving a trusted third party
  – Kerberos
  – DSSA/SPX
  – …

Authentication Based on Public Key

Public key algorithms may be used to implement an authentication protocol

The two entities have no need to share a secret key; they only have to know the public key of the partner

Or, better, use a CA: then they only have to know the CA's public key

The protocol consists of two phases:

– Entity A generates a random number, encrypts it with B's public key and sends the ciphertext to B
– Only B can decrypt the message: entity B uses its private key to decrypt the message and sends the result back to A

In the same way A may authenticate itself to B
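The two-phase exchange above, written out with both sides' messages as an added example (not the lecture's code). Textbook RSA with fixed small primes stands in for the public-key algorithm, and the optional nonce argument of challenge() exists only so the flow can be tested; both are assumptions of this example.

```python
"""Two-phase public-key authentication from the slides (constructed example, not
the lecture's code). Textbook RSA with fixed tiny primes stands in for the
public-key algorithm: enough to trace the message flow, useless for real security."""
import secrets

def rsa_keypair(p: int, q: int, e: int = 17):
    """Public key (n, e) and private key (n, d) from two primes (constructed)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pub, m: int) -> int:      # e_Pb(m): anyone holding B's public key
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:     # only the holder of the private key
    n, d = priv
    return pow(c, d, n)

class Principal:
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.pub, self._priv = rsa_keypair(p, q)
        self._nonce = None            # challenge currently outstanding, if any

    def challenge(self, peer_pub, nonce=None) -> int:
        """Phase step 1: pick a fresh random number and encrypt it for the peer."""
        n = peer_pub[0]
        self._nonce = secrets.randbelow(n - 2) + 2 if nonce is None else nonce
        return encrypt(peer_pub, self._nonce)

    def respond(self, ciphertext: int) -> int:
        """Phase step 2: prove possession of the private key by decrypting."""
        return decrypt(self._priv, ciphertext)

    def check(self, response: int) -> bool:
        """Accept only the exact number we challenged with; the nonce is then
        discarded, so the same response cannot be accepted twice."""
        ok = self._nonce is not None and response == self._nonce
        self._nonce = None
        return ok

def mutual_authenticate(a: Principal, b: Principal) -> tuple:
    """Phase 1: A authenticates B. Phase 2: B authenticates A the same way."""
    a_trusts_b = a.check(b.respond(a.challenge(b.pub)))
    b_trusts_a = b.check(a.respond(b.challenge(a.pub)))
    return a_trusts_b, b_trusts_a
```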

Kerberos

Kerberos is an authentication and key distribution system

It authenticates clients to services in a distributed system, assuming a trusted third party with whom both client and server share a secret

Clients and servers participating in network communications are identified with the term 'principal'

The third party cooperates to enable principals to authenticate one another

Authentication is built around the concepts of:

– Tickets, which have a lifetime and then expire
– Central security servers

Kerberos Base Schema

Kerberos makes use of two types of trusted third party:

– Kerberos authentication server (KAS)
  – Authenticates principals at login and issues tickets
  – Enables principals to obtain other tickets from the TGS
– Ticket granting servers (TGSs)
  – Issue tickets that give principals access to network services demanding authentication

KAS and TGS, even if logically separated, are executed on the same host, called the key distribution center (KDC)

Kerberos Realm

The KAS is at the heart of a Kerberos realm

A Kerberos realm is a single administrative domain that controls access to a collection of servers

To get Kerberos working:

– Principals have to be registered with the KAS
– The TGSs have to receive access control information
– And all the necessary keys have to be put in place by the security administrator

Kerberos Authentication Protocol (1)

Users and also services are associated with an identifier (name, instance, realm):

– Name: every service has a name and a host that provides it (instance); users have the instance field empty
– Each entity is associated with a domain, the realm

The KDC is the trusted subject and contains user IDs and passwords (secret keys) for all system users

Six steps have to take place for client A to access a server B and to establish mutual authentication between A and B

At the end A and B share a secret key Ka,b to communicate

A symmetric cipher system, like DES, is used for encryption

Step 1

To start a session, user A logs on at a local host:

– Entering user name and password
– Requesting the service of a ticket-granting server

Message 1 is sent to the KAS; it contains in cleartext:

– A's identity
– The name of the TGS
– The expiry date of the requested ticket
– A nonce to prevent replay attacks

(Diagram: Client A, KAS, TGS, Server B; message 1 goes from Client A to the KAS)

Step 2

The KAS generates the session key Ka,tgs and the ticket

Ticketa,tgs = eKtgs[Ka,tgs, A, T1, L1]

– eKx[x] denotes data x encrypted using key Kx
– Ktgs is a secret key shared by TGS and KAS
– T1 is the creation time
– L1 is the expiry date (lifetime) of the ticket
– The session key Ka,tgs is created for use between A and the TGS

Session key, ticket and nonce N1 are encrypted with A's secret key Ka and returned to A in message 2

(Diagram: Client A, KAS, TGS, Server B; message 1 from Client A to the KAS, message 2 back from the KAS to Client A)

Step 3

On host A:

– The key Ka is reconstructed from the password
– The session key Ka,tgs is obtained
– A creates an authenticator eKa,tgs[A, T3], i.e. (A, T3) encrypted under Ka,tgs
  – T3 is the creation time of the authenticator

In message 3 the authenticator, the ticket, the requested expiry date L2, a nonce N2 and the name of the service are sent to the TGS

(Diagram: Client A, KAS, TGS, Server B; messages 1 and 2 between Client A and the KAS, message 3 from Client A to the TGS)

Step 4

The TGS:

– Decrypts the ticket using Ktgs and verifies the ticket validity against the local clock
– Uses the key Ka,tgs from the ticket to check the authenticator
– Generates, if all verifications succeed, the session key Ka,b and the ticket

Ticketa,b = eKb[Ka,b, A, T2, L2]

The session key Ka,b and Ticketa,b are encrypted under the session key Ka,tgs that A shares with the TGS and sent to A in message 4

(Diagram: Client A, KAS, TGS, Server B; messages 1 and 2 between Client A and the KAS, message 3 from Client A to the TGS, message 4 back from the TGS to Client A)

Step 5

Client A stores the encrypted ticket and decrypts the new session key Ka,b

Message 5, which asks B for an authenticated session, contains:

– Ticketa,b
– A new authenticator constructed with the session key Ka,b

(Diagram: Client A, KAS, TGS, Server B; messages 1 to 4 as before, message 5 from Client A to Server B)

Step 6

Upon successful decryption and verification of the time, B sends message 6, containing the last timestamp received encrypted with the session key

A receives message 6:

– Decrypts the timestamp
– Compares it with its own copy of T4; if they are equal, B has been authenticated

(Diagram: Client A, KAS, TGS, Server B; messages 1 to 5 as before, message 6 from Server B back to Client A)
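The six messages of steps 1 to 6, with the KAS and TGS of the base schema on one KDC host, as an added example in Python (not the lecture's or any Kerberos implementation's code). seal()/unseal() are a stdlib stand-in for the slides' DES; the principal names, passwords, ticket lifetimes and the 300-second clock-skew tolerance are assumptions made for the example.

```python
"""Toy simulation of the six Kerberos messages on the slides (constructed example,
not the lecture's own code). seal()/unseal() stand in for the slides' symmetric
cipher (DES) with a stdlib-only encrypt-then-MAC construction; NOT a real cipher."""
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock drift tolerated when an authenticator is checked (assumed)

def _kdf(secret: str) -> bytes:
    # A principal's long-term key is derived from its password/secret
    # (slide step 3: "the key Ka is reconstructed from the password").
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj) -> str:
    """eK[obj]: JSON-encode obj, XOR it with a keystream, append an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key: bytes, blob: str):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _open_ticket(owner_key: bytes, ticket: str, now: int):
    """Decrypt a ticket with its service's key; reject it once lifetime L has elapsed (step 4)."""
    t = unseal(owner_key, ticket)
    if now > t["T"] + t["L"]:
        raise ValueError("ticket expired")
    return bytes.fromhex(t["key"]), t["client"]

def _open_auth(session_key: bytes, auth: str, client: str, now: int) -> int:
    """Check an authenticator against the ticket's client name and the local clock."""
    a = unseal(session_key, auth)
    if a["client"] != client or abs(now - a["T"]) > SKEW:
        raise ValueError("authenticator does not match the ticket or is stale")
    return a["T"]

class KDC:
    """KAS and TGS on one host (the slides' key distribution center)."""
    def __init__(self, users: dict, services: dict):
        self.users = {u: _kdf(pw) for u, pw in users.items()}      # Ka per user
        self.services = {s: _kdf(k) for s, k in services.items()}  # Ktgs and Kb

    def kas(self, msg1: tuple) -> str:
        """Steps 1 -> 2: message 1 is cleartext (A, TGS name, lifetime L1, nonce N1)."""
        client, tgs, L1, N1 = msg1
        now, k_a_tgs = int(time.time()), os.urandom(32)
        ticket = seal(self.services[tgs], {"key": k_a_tgs.hex(), "client": client, "T": now, "L": L1})
        return seal(self.users[client], {"key": k_a_tgs.hex(), "ticket": ticket, "N": N1})

    def tgs(self, msg3: tuple) -> str:
        """Steps 3 -> 4: (authenticator, Ticket_a,tgs, lifetime L2, nonce N2, service name)."""
        auth, ticket, L2, N2, service = msg3
        now = int(time.time())
        k_a_tgs, client = _open_ticket(self.services["tgs"], ticket, now)
        _open_auth(k_a_tgs, auth, client, now)
        k_a_b = os.urandom(32)
        ticket_b = seal(self.services[service], {"key": k_a_b.hex(), "client": client, "T": now, "L": L2})
        return seal(k_a_tgs, {"key": k_a_b.hex(), "ticket": ticket_b, "N": N2})

class Server:
    """Server B: shares Kb with the KDC and never contacts it during the protocol."""
    def __init__(self, name: str, secret: str):
        self.name, self.key = name, _kdf(secret)

    def handle(self, msg5: tuple) -> str:
        """Steps 5 -> 6: echo the authenticator's timestamp T4 under Ka,b."""
        ticket, auth = msg5
        now = int(time.time())
        k_a_b, client = _open_ticket(self.key, ticket, now)
        return seal(k_a_b, {"T": _open_auth(k_a_b, auth, client, now)})

def client_login(kdc: KDC, server: Server, user: str, password: str, lifetime: int = 3600):
    """Client A's side of steps 1..6; returns (Ka,b, True) once B is authenticated."""
    k_a, N1 = _kdf(password), os.urandom(8).hex()
    reply2 = unseal(k_a, kdc.kas((user, "tgs", lifetime, N1)))                 # steps 1, 2
    if reply2["N"] != N1:
        raise ValueError("KAS reply does not carry our nonce (replay)")
    k_a_tgs = bytes.fromhex(reply2["key"])
    auth3 = seal(k_a_tgs, {"client": user, "T": int(time.time())})
    N2 = os.urandom(8).hex()
    reply4 = unseal(k_a_tgs, kdc.tgs((auth3, reply2["ticket"], lifetime, N2, server.name)))  # 3, 4
    if reply4["N"] != N2:
        raise ValueError("TGS reply does not carry our nonce (replay)")
    k_a_b, T4 = bytes.fromhex(reply4["key"]), int(time.time())
    auth5 = seal(k_a_b, {"client": user, "T": T4})
    reply6 = unseal(k_a_b, server.handle((reply4["ticket"], auth5)))            # steps 5, 6
    return k_a_b, reply6["T"] == T4

if __name__ == "__main__":
    kdc = KDC({"alice": "alice-pw"}, {"tgs": "tgs-secret", "fileserver": "b-secret"})
    print("B authenticated:", client_login(kdc, Server("fileserver", "b-secret"), "alice", "alice-pw")[1])
```

A wrong password, an expired ticket, or a server whose Kb differs from the KDC's copy all fail inside unseal()/_open_ticket() rather than at the end of the exchange.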

Conclusion

Password guessing and password spoofing attacks are possible

Keys and tickets are held on the client machine, relying on the protection mechanisms of that node

The security of the protocol may be reduced by a weak implementation

– E.g., a weak random-number generator for key generation makes it easy to find the keys by exhaustive search

DSSA/SPX

SPX:

– Is an authentication and key exchange system
– Is part of the distributed system security architecture (DSSA)

DSSA is a security architecture for a network of workstations comprising authentication and other facilities:

– Each node enforces its own security policy
– Users have to trust the OS on each node they log in to
– Users delegate privileges to the node they are using

SPX

Authentication in SPX involves:

– Credentials
  – Containing the name and long-term private key of a principal
  – Represent a user within SPX
  – Can be stored on a server and require the user's password to be initialised
  – Or could be held on smart cards carried by users
– Certificates, binding principal names to public keys
– Authentication tokens, used by principals to authenticate each other

Delegation can be implemented

SPX Base Schema

SPX makes use of two different servers:

– Certification authority (CA)
  – Issues public key certificates and can be off-line
  – It must be trusted only to issue valid certificates
– Certificate distribution center (CDC)
  – Stores the certificates issued by a CA
  – The CDC function could be offered by a naming service
  – It has to be on-line during authentication
  – It does not have to be trusted

SPX distinguishes between:

– Identity claimants
– Identity verifiers

SPX Protocol (1)

Mutual authentication between principals A and B consists in obtaining a session key Ka,b

The key is created by A for use between A and B in a symmetric encryption algorithm

The protocol proceeds as follows:

– Message 1: claimant A sends a message to the CDC asking for the long-term public key of the verifier B

(Diagram: A, B, CDC; message 1 from A to the CDC)

SPX Protocol (2)

– Message 2: the CDC replies with a certificate binding B's identity to its public key Pb

The certificate for principal B, issued by CAa, a certification authority trusted by A, is

Certificate(B, CAa) = sSCAa(CAa, B, Lc, Pb)

i.e. the digital signature of the message (CAa, B, Lc, Pb) obtained with the long-term private key of CAa, SCAa

(Diagram: A, B, CDC; message 1 from A to the CDC, message 2 back from the CDC to A)

SPX Protocol (3)

The claimant A verifies the key Pb using the public verification key of CAa

Then A generates a session key Ka,b, used to generate:

– An authenticator eKa,b(T, A)
  – T is a time stamp
– A signed ticket for A's short-term public key P'a: sSa(Lt, A, P'a)
  – Lt is the expiry date of the ticket
– A delegator ePb(Ka,b), eKa,b(S'a)
  – S'a is the short-term private key of A

These are all sent to B in message 3

SPX Protocol (4)

If no delegation is intended, the delegator sS'a(ePb(Ka,b)) is used instead, so that A's short-term private key S'a is not revealed to B

(Diagram: A, B, CDC; messages 1 and 2 between A and the CDC, message 3 from A to B)

SPX Protocol (5)

– Message 4: the verifier B asks the CDC for a certificate of the claimant's long-term public key Pa, in order to authenticate that key

(Diagram: A, B, CDC; messages 1 to 3 as before, message 4 from B to the CDC)

SPX Protocol (6)

– Message 5: the CDC sends a message to the verifier B containing the certificate Certificate(A, CAb)

(Diagram: A, B, CDC; messages 1 to 4 as before, message 5 from the CDC to B)

SPX Protocol (7)

The verifier B:

– Retrieves the session key Ka,b from the delegator, using its own long-term private key Sb for decryption
– Uses the session key to decrypt the authenticator and compares the time stamp with its own local clock
– Checks the signature on the ticket sSa(Lt, A, P'a) using the certified verification key Pa
– With delegator ePb(Ka,b), eKa,b(S'a): retrieves S'a and confirms that S'a and P'a are a proper key pair
– With delegator sS'a(ePb(Ka,b)): checks the signature on ePb(Ka,b) using P'a

SPX Protocol (8)

– Message 6: when all checks have succeeded, B completes mutual authentication by responding with an authenticator eKa,b(T)
  – T is a time stamp

The claimant A uses the session key to decrypt the authenticator and verifies T against its own copy

(Diagram: A, B, CDC; messages 1 and 2 between A and the CDC, message 3 from A to B, messages 4 and 5 between B and the CDC, message 6 from B to A)

Others…

Other authentication and key distribution systems:

– Network security program (NetSP), by IBM
  – It uses a one-way hash function (faster than cryptographic mechanisms) for message integrity checks
– The exponential security system (TESS)
  – Is a collection of different tools using the one-way hash function as cryptographic mechanism
– Secure European system for applications in a multi-vendor environment (SESAME)
  – The authentication model is a Kerberos extension using public key cryptographic algorithms

Security APIs

In a distributed system:

– Security often exceeds simple authentication
– Different components will not necessarily use the same security mechanisms
– Users and application writers are not necessarily security experts

A solution to these issues is decomposition of the system into layers: an application program interface (API) allows an application in one layer to call services in the layer below, hiding implementation details

An API can relieve the application programmer from security-specific tasks like the implementation/choice of cryptographic algorithms

GSS-API

The Generic Security API (GSS-API) provides a simple interface to security services for connection-oriented applications. It provides:

– Machine independence
– Protocol environment independence
– Independence from the communications protocol used
– Suitability to a range of implementation placements

An application residing on the client workstation accesses security services by issuing a GSS-API call:

– The call is processed by the security code on the client workstation
– The client application communicates directly with the server application over the network

GSS-API Usage

(Diagram: Client Application and Server Application, each sitting on its own Security Code behind the GSS-API, with the Client on one side and the Server on the other)

1. The client application calls GSS_SEAL
2. The encrypted message travels from the client to the server
3. The server application calls GSS_UNSEAL
4. The decrypted message is delivered to the server application

CORBA (1)

In a distributed system, the service layer is the most appropriate location for security enforcement:

– It provides a common standard for security enforcement across the different OSs
– It presents to application writers an intermediate layer providing the interface to the underlying OS

An object request broker (ORB) handles the interaction between users and objects, and between objects

CORBA:

– Includes interfaces for managing policy objects as well as access control on such interfaces
– Does not prescribe specific policies

CORBA (2)

– Some applications are security aware, explicitly requesting the protection they need
– In some cases, security should be enforced without involving the application
– Objects have to delegate their privileges when invoking services
– Policies may restrict the extent of delegation
– Objects with similar protection requirements are grouped into domains
– The domain security policy is enforced by the ORB

CORBA (3)

Interoperability between ORBs will be supported by:

– Bridges
– Gateways
– Inter-ORB protocols like
  – General inter-ORB protocol (GIOP)
  – Internet inter-ORB protocol (IIOP)

SECIOP is the security inter-ORB protocol

To facilitate a uniform interpretation of access rights, there is a set of standard access rights:

– Get
– Set
– Manage

To enhance flexibility, there is also the option to define additional rights

CORBA (4)

The CORBA security services include:

– Authentication
– Security context establishment
– Authorization and access control with
  – ACLs
  – Capabilities
  – Role-based access control
– Message protection, mainly (but not only) with encryption
– Audit
– Non-repudiation

Digital Signatures (1)

The introduction of the digital signature also permits ensuring (in data transmission):

– Integrity
– Non-repudiation
  – The possibility to uniquely identify the message author, who cannot deny authorship of the message, and the receiver, who cannot deny having received the message

A digital signature scheme consists of:

– A signature algorithm
– A verification algorithm

Digital signature algorithms are:

– ElGamal algorithm
– Schnorr algorithm
– Digital signature standard (DSS)

Digital Signatures (2)

Digital signature algorithms make use of:

– For encryption
  – Diffie-Hellman algorithm
  – RSA algorithm
– For hashing
  – SHA-1
  – MD5

Digital Signature Algorithm (1)

A digital signature algorithm consists of:

– Producing a summary, the digest, of the document content using a one-way hash function
– This digest is then encrypted with the sender's private key, obtaining the digital signature
– The digital signature is then sent with the message to the receiver
  – In cleartext
  – Alternatively, the message with the digital signature may be encrypted

The receiver:

– Decrypts the digital signature
– Compares it with the digest computed from the received message

Digital Signature Algorithm (2)

(Diagram, sender side: Message -> Hash Function -> DIGEST -> Encryption with the sender private key -> Digital Signature; Message plus Digital Signature -> Encryption with the receiver public key)

(Diagram, receiver side: Decryption with the receiver private key -> Message plus Digital Signature; Message -> Hash Function -> DIGEST; Digital Signature -> Decryption with the sender public key -> DIGEST; Compare the two digests)

ElGamal Algorithm (1)

It is a public-key algorithm based on the discrete logarithm

It uses symmetric encryption with a session key that is dynamically generated

ElGamal signatures:

– Select a prime q such that 2^159 < q < 2^160
– Choose a prime p
– Select b such that 1 < b < p-1
– Compute the generator g = b^((p-1)/q) mod p
– Generate a random secret x and calculate y = g^x mod p
– Public key is (p, q, g, y)
– The hash value of the message computed with SHA-1 is converted into an integer: h = hash of message

ElGamal Algorithm (2)

– Generate another random secret k relatively prime to (p-1)
– The signature is the pair (r, s):
  r = g^k mod p
  s = (h - x·r)·k^-1 mod (p-1)
  – k^-1 is slow, but can be pre-calculated
– The signature is checked with the public key (p, q, g, y)
  – Accepted if and only if y^r · r^s = g^h mod p

Similar to the Diffie-Hellman algorithm: r is independent of the message/hash

Schnorr Algorithm

It is similar to the ElGamal algorithm

The Schnorr algorithm introduces a hash function associating an integer belonging to a predefined interval with each message and key

The advantage is the possibility to modulate the digital signature length by properly selecting the hash function co-domain

DSS (1)

It is a variant of the Schnorr algorithm

The hash function H has the message as its only argument, so that its value is independent from the encryption key

DSS algorithm:

– Generate a prime p (512-1024 bits)
– Find q, a prime factor of p-1 (160 bits)
– Find g = h^((p-1)/q) mod p
  – Where h < p and h^((p-1)/q) mod p > 1
– Choose a random x and compute y = g^x mod p
– Public key is (p, q, g, y)
– Private key is x < q (160 bits)

DSS (2)

The signature is (r, s):

– Generate a random k < q
– r = (g^k mod p) mod q
– s = (k^-1 · (H(m) + x·r)) mod q

The check is ok if v = r, where:

– w = s^-1 mod q
– a = (H(m)·w) mod q
– b = (r·w) mod q
– v = ((g^a · y^b) mod p) mod q

Note:

– Better than ElGamal, since q is smaller than p
– Calculating inverses is slow
  – However, some things can be pre-computed
  – r does not depend on the message at all
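The hash-then-sign flow of the Digital Signature Algorithm slide, carried out with the ElGamal (1)-(2) and DSS (1)-(2) formulas above, as an added Python example (not the lecture's code). Parameter generation with Miller-Rabin, the use of one (p, q, g, x, y) set for both schemes, and the sample message are assumptions made for the example; SHA-1 is kept because the slides specify it.

```python
"""ElGamal and DSS signatures written from the formulas on the slides (constructed
example, not the lecture's code): hash the message with SHA-1 as the slides say,
sign the integer h, verify with the public key (p, q, g, y). Sizes follow the
DSS slide (p 512 bits, q 160 bits); a new design would use SHA-2, not SHA-1."""
import hashlib
import math
import random

rnd = random.SystemRandom()   # cryptographic RNG, per the Conclusion slide's warning

def is_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (probabilistic, adequate for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rnd.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(p_bits: int = 512, q_bits: int = 160):
    """DSS (1): prime q, prime p with q | p-1, g = h^((p-1)/q) mod p with g > 1."""
    while True:
        q = rnd.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_prime(q):
            break
    while True:
        j = rnd.getrandbits(p_bits - q_bits) & ~1      # even j keeps p odd
        p = q * j + 1
        if p.bit_length() == p_bits and is_prime(p):
            break
    h = 2
    while pow(h, (p - 1) // q, p) == 1:                # need h^((p-1)/q) mod p > 1
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def keygen(p: int, q: int, g: int):
    """Private x < q, public y = g^x mod p (one key pair serves both schemes here)."""
    x = rnd.randrange(1, q)
    return x, pow(g, x, p)

def H(message: bytes) -> int:
    """The slides' hash: SHA-1 digest converted to an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def elgamal_sign(params, x: int, message: bytes):
    p, q, g = params
    h = H(message)
    while True:                                        # k must be invertible mod p-1
        k = rnd.randrange(2, p - 1)
        if math.gcd(k, p - 1) == 1:
            break
    r = pow(g, k, p)
    s = (h - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s

def elgamal_verify(params, y: int, message: bytes, sig) -> bool:
    """Accept iff y^r * r^s = g^h (mod p)."""
    p, q, g = params
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, H(message), p)

def dss_sign(params, x: int, message: bytes):
    p, q, g = params
    h = H(message)
    while True:
        k = rnd.randrange(1, q)                        # fresh secret k < q per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:                                    # r = 0 or s = 0 must be retried
            return r, s

def dss_verify(params, y: int, message: bytes, sig) -> bool:
    """w = s^-1 mod q, a = H(m)w mod q, b = rw mod q; ok iff ((g^a y^b) mod p) mod q = r."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    a, b = H(message) * w % q, r * w % q
    return pow(g, a, p) * pow(y, b, p) % p % q == r
```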

Network Attacks (How Intruders Get In)

Modern systems usually allow remote access:

– From terminals
– From modems
– From the network

Intruders can use all of these to break in

Hackers invent new attacks every time security experts find new ways to counter the previous ones

Some Remote Attacks

We focus our attention on some attacks exploiting network (Internet/intranet) connections:

– Spoofing
– Sniffing
– Shadow server (web-spoofing)
– TCP session hijacking

Packet Sniffer

Each Internet packet may pass through a large number of computers before reaching the final one

Hackers may use special tools, packet sniffers, to intercept these packets

The aim of this attack is to get information; it often precedes a spoofing attack or a session hijacking

Packet sniffer tools:

– Sniffer Pro
– Network Monitor
– TCPDump
– Dsniff

IP Spoofing

This attack on the IP protocol is focused on the packet address that the protocol uses for transmission

The attack consists of giving false information about the computer's owner: the hacker modifies his IP address to look like a host of an intranet or of a trusted network, by duplicating the TCP/IP address of that host

With this attack the hacker may acquire access:

– To each packet addressed to the system
– To the system services

The masquerade attack is a spoofing attack

TCP Hijacking (Active Sniffing)

TCP hijacking consists of achieving control of a network connection:

– Already active
– Or in the beginning phase

The idea is to:

– Take control over a computer that is connected (or is connecting) to the network
– Disconnect the controlled computer
– Fool the server by substituting for the disconnected computer

Other types of hijacking attack:

– UDP hijacking
– Man in the middle

Web-Spoofing (1)

In a web-spoofing attack, the hacker may:

– Observe and modify all the traffic from his victim to the web server
– Control all the traffic from the web server to his victim

Web-Spoofing (2)

(Diagram: the browser follows a link on a web page; the page request goes to the hacker, who forwards it to the web server, receives the requested page and returns a copy of the page to the browser)

DoS Attack (1)

A denial of service attack happens when resource availability is intentionally cut off or degraded

To achieve this goal, different approaches are followed:

– Process or memory degradation: the attacker overloads the target, generating a great number of processes that devour all the resources or overload the CPU
– File destruction
– Deactivation of system parts or of the process

This type of attack may also be directed at network applications or network protocols

Snork

The Snork attack is a DoS attack that degrades the target's performance

In a Snork attack, an attacker sends a Remote Procedure Call datagram to server port UDP 135, giving the RPC server the impression that a similar server is sending bad data

The sender IP address is spoofed: the RPC server sends a deny packet to the sender IP address, the second server does the same, and a loop begins

If the spoofed packet is sent to a great number of servers, the target server will be submerged by a great number of deny packets that will finally cause it to block

SYN Flood Attack

SYN flood is a DoS attack that exploits the TCP protocol

It is carried out by sending TCP connection requests so fast that it becomes impossible for the target system to process them

The target uses resources to keep track of each connection, so a big number of SYNs may exhaust all the target host's resources for keeping track of new connections

The DDoS attack (1)

The distributed denial of service is a recent type of attack; it uses:

– Client
– Master
– Daemon (zombie)

Clients are used to start the attack through the masters

A master is a compromised host, containing particular software that permits the control of several daemons

A daemon is also a compromised host, containing particular software that permits generating a packet flow towards the target

The DDoS attack (2)

To make this attack work, the particular software has to be installed on hundreds of hosts

Generally an automatic procedure looks for the vulnerable hosts and installs the software

DDoS tools are:

– Trinoo
– Tribe Flood Network
– Stacheldraht
– Shaft
– mstream

Security in Internet/Intranet Environment

The Internet gives wide connectivity thanks to the TCP/IP open protocol

The use of this protocol is also the first reason for insecurity: TCP/IP is an intrinsically insecure protocol

We have the following security problems:

– Authentication
– Access control
– Data and message confidentiality
– Data and message integrity
– Non-repudiation
– Denial of service

Page 226: Security Problem Localization

(Figure: client, local server, global server, firewall and Internet. The security problems are placed where they arise: identification and authentication; access control; confidentiality, integrity and password protection; sender authentication and non-repudiation; denial of service and secure Internet connection.)

Page 227: Internet Services Problems

Internet provides the following protocols (services)

Telnet
E-mail and newsgroup
FTP
World Wide Web

Each of these protocols has some security problems.

Page 228: Telnet

One problem of this protocol is authentication.

The password is transmitted in cleartext over the network.

An attacker may easily intercept it and use it at a later time.

Possible solutions are
One-time password
Password aging policy
Challenge-response mechanism

Another problem is the possibility of using the telnet protocol to connect to any port on which other Internet services are running.

An attacker may thus use a telnet session to damage any other Internet service.

Page 229: E-mail and Newsgroup

The e-mail and newsgroup services present the same problems, regarding mainly

Message integrity
Message confidentiality

The solution consists of using digital signature and encryption mechanisms

Privacy Enhanced Mail (PEM)
Secure MIME (S/MIME)
Pretty Good Privacy (PGP)

Page 230: FTP

The FTP protocol has the same authentication problems as a telnet session.
Anonymous FTP permits downloading files to users that log on as anonymous, giving their e-mail address as password.

This type of connection raises big security problems.

Page 231: WWW

A web browser integrates communication services like

E-mail
FTP
Newsgroup
…

So a web browser adds to the security problems of the HTTP protocol the problems of the included services.

Page 232: Some WWW Security Problems

Browsers handle the client's web traffic and disclose information about users and their computing environment to the server.
Browsers permit the execution of Java applets and ActiveX controls.

These components may contain backdoors or trojan horses.

Many web services want a place for storing information about their customers.

The server asks the browser to store a cookie that contains this information.

Page 233: Cookies

Cookies are used to keep state information beyond the duration of a session

To avoid the necessity of re-entering authentication credentials every time they are required
To recover the state of a previous operation or to commit incomplete transactions
…

Cookies cannot violate the integrity of the system, being data and not executable code.
The set of cookies stored by the browser creates a client profile, creating a privacy problem.

Page 234: Network Protocols

Network protocols and security extensions
TCP/IP
IPSec
Secure Socket Layer (SSL)
Secure HTTP (S-HTTP)
Secure Electronic Transaction (SET)
Privacy Enhanced Mail (PEM)
Pretty Good Privacy (PGP)
Secure MIME (S/MIME)
…

Page 235: TCP/IP

TCP/IP is a multi-layer protocol.
Each layer offers a series of services to the layer above.

A software application may interface with the protocol using a specific socket.
The protocol manages, through its layers

Communications
Datagram routing
Packet synchronism
…

Page 236: TCP/IP Architecture

Application Layer: FTP, SMTP, HTTP, Telnet
Transport Layer: TCP, UDP
Internetwork Layer: IP
Network Layer

Page 237: IP Datagram

(Figure: header layout, one 32-bit word per row; the ruler on the slide marks 4, 8, 16 and 32 bits)

Version | Header Length | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options and Padding
Data

Page 238: TCP Segment

(Figure: header layout, one 32-bit word per row; the ruler on the slide marks 16 and 32 bits)

Source Port | Destination Port
Sequence Number
Acknowledgment
Header Length | Flags | Credit (Window)
Checksum | Urgent Pointer
Options
Data

Page 239: Flags

The Flags field is composed of six one-bit flags used to characterize the segment functions

URG: the urgent pointer points into the data field, indicating a priority data portion
ACK: indicates the segment is an acknowledgement
SYN: set to 1 for the connection request
…

URG ACK PSH RST SYN FIN
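The IP datagram and TCP segment layouts of the three slides above, built and decoded with the standard library. This is an added example, not part of the original slides: the sample packet is constructed inline, and the checksum routine is the Internet checksum that the "Header Checksum" field carries.

```python
"""Build/parse the IP datagram header (slide 237) and the TCP segment header
with its six flags (slides 238-239). Added example; the packet is constructed."""
import struct
from ipaddress import IPv4Address

# TCP flag bits, least significant first: FIN, SYN, RST, PSH, ACK, URG (slide 239)
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte fixed IP header, network byte order
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20-byte TCP header without options


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), used by Header Checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Fixed header without options, fields in the order shown on slide 237."""
    ver_ihl = (4 << 4) | 5                   # Version 4, Header Length 5 words
    hdr = IP_HDR.pack(ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = internet_checksum(hdr)            # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header and verify its checksum; raise on malformed input."""
    if len(pkt) < IP_HDR.size:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, s, d) = IP_HDR.unpack(pkt[:IP_HDR.size])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or header length")
    if internet_checksum(pkt[:ihl]) != 0:    # a correct header sums to zero
        raise ValueError("IP header checksum mismatch")
    return {"version": 4, "header_length": ihl, "tos": tos,
            "total_length": total_len, "identification": ident,
            "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "src": str(IPv4Address(s)), "dst": str(IPv4Address(d))}


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 8192) -> bytes:
    """Header of slide 238; `flags` is the six-bit field of slide 239."""
    data_offset = 5                          # 5 words = 20 bytes, no options
    return TCP_HDR.pack(sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)


def parse_tcp_header(seg: bytes) -> dict:
    if len(seg) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     _csum, urg) = TCP_HDR.unpack(seg[:TCP_HDR.size])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_length": (off_res >> 4) * 4, "window": window,
            "urgent_pointer": urg,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]}


# Constructed sample: a SYN from 10.0.0.5 to port 80 on 192.0.2.10 (flags = 0x02).
SAMPLE_SYN = build_ipv4_header("10.0.0.5", "192.0.2.10", TCP_HDR.size) + \
    build_tcp_header(40000, 80, 5000, 0, 0x02)


def decode_packet(pkt: bytes) -> tuple:
    """Return (ip fields, tcp fields) for a packet with no IP options."""
    ip = parse_ipv4_header(pkt)
    return ip, parse_tcp_header(pkt[ip["header_length"]:])
```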

Page 240: Encapsulation

(Figure: data sent from host A to host B)

TCP layer: header (contains port number) + data = TCP segment
IP layer: header (contains IP address) + TCP segment = IP datagram
Network layer: header (contains a link) + IP datagram + trailer

Page 241: TCP Protocol (1)

The TCP protocol is connection oriented.
So before transferring data between two hosts, a connection has to be set up.

TCP has only one type of message, the segment.
To distinguish between data messages and protocol messages the segment flags are used.
When a host opens a connection

The flag SYN is set to 1: SYN

To distinguish the connection a sequence number is sent (a host may begin multiple connections): SEQ X

A quantity of data may be sent: [b]

Page 242: TCP Protocol (2)

The receiver sends an acknowledgment
The SYN flag is set to 1
A sequence number is sent: SEQ Y

The ACK flag is set to 1 and the acknowledgment field contains the value X+Y

The sender responds with an acknowledgement message.

Page 243: Connection set-up (Three-way handshake)

1. SYN, SEQ X, [b]

2. SYN, SEQ Y, ACK X+b, [c]

3. ACK Y+c
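The handshake above, tracked from the server side, together with the SYN flood of slide 222 seen as what it is on that side: a table of half-open connections that never reach step 3. This is an added example, not part of the original slides; all traffic is constructed, and the sequence arithmetic follows RFC 793, where the SYN itself consumes one sequence number, so the answer to "SYN, SEQ X, [b]" acknowledges X + b + 1 (the slides abbreviate this as X+b).

```python
"""Three-way handshake tracking and half-open connection (SYN flood) detection.
Added example; the Listener and its traffic are constructed for illustration."""
import itertools
from collections import Counter
from dataclasses import dataclass


@dataclass
class Segment:
    src: str             # source address
    dst: str             # destination address
    seq: int             # sequence number
    ack: int = 0         # acknowledgment field (meaningful only with ack_flag)
    syn: bool = False    # SYN flag (slide 239)
    ack_flag: bool = False
    data_len: int = 0    # bytes of data carried: the [b] / [c] of slide 243


def expected_ack(seg: Segment) -> int:
    """Acknowledgment number the peer must send to accept this segment."""
    return seg.seq + seg.data_len + (1 if seg.syn else 0)


class Listener:
    """Server side of the handshake: one entry per half-open connection.

    This table is exactly the resource a SYN flood exhausts (slide 222)."""

    def __init__(self, addr: str, isn: int = 1000):
        self.addr = addr
        self._isn = itertools.count(isn, 1000)   # simplified ISN generator (constructed)
        self.half_open = {}     # (client addr, client SEQ X) -> ACK value awaited in step 3
        self.established = []   # completed handshakes

    def receive(self, seg: Segment):
        """Process one incoming segment; return the reply segment or None."""
        if seg.dst != self.addr:
            return None
        if seg.syn and not seg.ack_flag:
            # Step 1 received (SYN, SEQ X, [b]); answer with step 2 (SYN, SEQ Y, ACK X+b).
            reply = Segment(self.addr, seg.src, seq=next(self._isn),
                            ack=expected_ack(seg), syn=True, ack_flag=True)
            self.half_open[(seg.src, seg.seq)] = expected_ack(reply)
            return reply
        if seg.ack_flag and not seg.syn:
            # Step 3 received (ACK Y+c): promote the matching half-open entry.
            for key, awaited in list(self.half_open.items()):
                if key[0] == seg.src and seg.ack == awaited:
                    del self.half_open[key]
                    self.established.append(key)
                    break
        return None


def half_open_alerts(listener: Listener, per_source: int, total: int) -> dict:
    """Flag a possible SYN flood from the pending-connection table.

    Two checks: many incomplete handshakes from one source, and a table near the
    capacity the host can track. A flood spread over many (spoofed) sources
    escapes the first check, so the total is the one that must still fire."""
    counts = Counter(src for src, _ in listener.half_open)
    return {"sources": {s: n for s, n in counts.items() if n > per_source},
            "table_exhaustion": len(listener.half_open) > total}


def client_handshake(listener: Listener, client: str, x: int, b: int = 0) -> bool:
    """A well-behaved client completing all three steps; True once established."""
    syn = Segment(client, listener.addr, seq=x, syn=True, data_len=b)
    syn_ack = listener.receive(syn)
    if syn_ack is None or syn_ack.ack != expected_ack(syn):
        return False
    listener.receive(Segment(client, listener.addr, seq=expected_ack(syn),
                             ack=expected_ack(syn_ack), ack_flag=True))
    return (client, x) in listener.established


def demo():
    """Constructed traffic: one legitimate client, then 40 SYNs never followed by step 3."""
    srv = Listener("192.0.2.10")
    ok = client_handshake(srv, "10.0.0.5", x=5000, b=4)
    for i in range(40):
        srv.receive(Segment(f"198.51.100.{i % 8}", srv.addr, seq=100 + i, syn=True))
    return ok, len(srv.half_open), half_open_alerts(srv, per_source=3, total=32)
```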

Page 244: TCP/IP Security

Internet security ensures that users can communicate over the Internet without fear of theft, interception, or break-in.
The IP datagram

Has no field concerning any security attribute

Is transmitted in cleartext over the network
Any attacker may intercept and modify it

The Internet protocol is intrinsically insecure.
Mechanisms that secure the TCP/IP and Internet components are needed.

Page 245: Security Protocols (1)

The IP layer can be secured by the use of IP security standards that specify security services for the IP layer

IPSec
The TCP/IP applications and any other higher level application or protocol may, as a result, access the security services through the IP layer.

E-mail can be secured by implementing one of the secure e-mail schemes providing a variety of e-mail security services

Privacy Enhanced Mail (PEM)
Pretty Good Privacy (PGP)
S/MIME

Page 246: Security Protocols (2)

To ensure Web security may be used
Secure Socket Layer (SSL)
Secure Hypertext Transfer Protocol (S-HTTP)

Many applications like Telnet and TCP can be upgraded to utilize the GSS-API.
Other protocols were created for specific purposes such as e-commerce

Secure Electronic Transaction (SET)
…

Network security relies on a secure underlying OS.
Any security scheme protecting the Internet must utilize a variety of system protection mechanisms.

Page 247: Security Protocols Localization (1)

(Figure: two protocol stacks)

With IPSec: HTTP FTP SMTP / TCP / IPSec
With SSL: HTTP FTP SMTP / SSL / TCP / IP

Page 248: Security Protocols Localization (2)

(Figure: two protocol stacks, with S-HTTP and S/MIME, and SET and PGP, placed at the application level above HTTP, FTP and SMTP, over TCP and IP)

Page 249: IPSec

The IPSec protocol provides a standard mechanism for specifying security for the IP layer only.
IP security is provided through two schemes

IP Authentication Header (IP AH)
– Provides sender authentication and datagram integrity
– Does not address confidentiality
– As implied by its name, authentication data are placed in a header within the datagram

IP Encapsulating Security Payload (IP ESP)
– Provides confidentiality to the IP datagram in addition to authentication and integrity

The two schemes can be used separately or together.
Both schemes are based upon the concept of Security Association (SA).

Page 250: Security Association (SA)

A security association provides the underlying correspondence for the use of security mechanisms between two communicating entities.
It is an agreement on the types and modality of the security services, which can be summarised in a set of security parameters shared by the communicating entities

Algorithms, methods and keys for authentication in AH
Algorithms, methods and keys for encryption in ESP
The lifetimes of the keys and of the security association
The source address of the security association
The sensitivity level of the secured data

A particular security association is uniquely identified by the Security Parameter Index (SPI) and the destination address.

Page 251: SPI

The SPI is a 32-bit pseudo-random number contained in the datagram header.
To authenticate a datagram, the sending host

has to locate an SA, selecting the SPI value on the basis of the user ID and the destination address

When an IP datagram is received, the receiver may verify the authentication data and/or decrypt the data only if it can associate itself with the SA identified by the SPI.

Page 252: IP AH

Authentication header format

The Next Header field identifies the data after the authentication header.
Reserved is a field reserved for future use.
The Length field gives the length of the authentication data field.
The authentication data are calculated using a message digest algorithm.

(Figure: header layout; the ruler on the slide marks 8, 16 and 32 bits)

Next Header | Length | Reserved
Security Parameter Index
Authentication Data (variable number of 32-bit words)

Page 253: Location of AH

(Figure: IP Header | Hop-by-Hop / routing | AH | Dest. options | TCP | Data, with AH expanded into the fields of the previous slide)

Next Header | Length | Reserved
Security Parameter Index
Authentication Data (variable number of 32-bit words)
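The AH processing of slides 250 to 253 end to end: an SA database indexed by (SPI, destination address), construction of the Authentication Header in the format above, and the receiver's lookup and verification. This is an added example, not part of the original slides: the SA parameters, keys and packet bytes are constructed, and the message digest algorithm the slides leave to the SA is taken here to be HMAC-SHA256.

```python
"""IP Authentication Header: SA lookup by (SPI, destination) and computation /
verification of the Authentication Data field. Added example; everything is
constructed and the keyed digest is HMAC-SHA256 by assumption."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int               # Security Parameter Index, 32-bit (slide 251)
    dst: str               # destination address; (spi, dst) identifies the SA (slide 250)
    auth_key: bytes        # key for authentication in AH
    digest: str = "sha256" # digest algorithm named by the SA (assumption)


class SADatabase:
    """Each end keeps its SAs here; lookup is by (SPI, destination address)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation):
        self._sas[(sa.spi, sa.dst)] = sa

    def lookup(self, spi: int, dst: str):
        return self._sas.get((spi, dst))


# Fixed part of the AH (slide 252): Next Header, Length, Reserved, SPI
AH_FIXED = struct.Struct("!BBHI")


def _auth_input(ip_fields: bytes, ah_zeroed: bytes, payload: bytes) -> bytes:
    """Bytes covered by the authentication data: the immutable IP header fields,
    the AH with its Authentication Data set to zero, and the upper-layer data."""
    return ip_fields + ah_zeroed + payload


def build_ah(sa: SecurityAssociation, next_header: int, ip_fields: bytes,
             payload: bytes) -> bytes:
    """Sender side: fixed part followed by Authentication Data (32-bit words)."""
    auth_len = hashlib.new(sa.digest).digest_size
    fixed = AH_FIXED.pack(next_header, auth_len // 4, 0, sa.spi)
    zeroed = fixed + b"\x00" * auth_len
    mac = hmac.new(sa.auth_key, _auth_input(ip_fields, zeroed, payload), sa.digest).digest()
    return fixed + mac


def verify_ah(sadb: SADatabase, dst: str, ip_fields: bytes, ah: bytes, payload: bytes):
    """Receiver side (slide 251): find the SA from the SPI and the destination,
    recompute the authentication data, compare in constant time."""
    if len(ah) < AH_FIXED.size:
        return False, "truncated AH"
    next_header, length_words, _reserved, spi = AH_FIXED.unpack(ah[:AH_FIXED.size])
    sa = sadb.lookup(spi, dst)
    if sa is None:
        return False, "no SA for this SPI and destination"
    auth_len = length_words * 4
    auth_data = ah[AH_FIXED.size:AH_FIXED.size + auth_len]
    if len(auth_data) != auth_len:
        return False, "truncated authentication data"
    zeroed = ah[:AH_FIXED.size] + b"\x00" * auth_len
    expected = hmac.new(sa.auth_key, _auth_input(ip_fields, zeroed, payload), sa.digest).digest()
    if not hmac.compare_digest(expected, auth_data):
        return False, "authentication data mismatch"
    return True, next_header


def demo():
    """Constructed datagram: accepted as sent, rejected when modified or sent to
    a destination that has no SA for that SPI."""
    sadb = SADatabase()
    sa = SecurityAssociation(spi=0x1A2B3C4D, dst="192.0.2.10", auth_key=b"constructed-ah-key")
    sadb.add(sa)
    ip_fields = b"\x45\x00" + b"10.0.0.5>192.0.2.10"    # stand-in for the immutable IP fields
    payload = b"TCP segment bytes (constructed)"
    ah = build_ah(sa, next_header=6, ip_fields=ip_fields, payload=payload)
    good = verify_ah(sadb, "192.0.2.10", ip_fields, ah, payload)
    modified = verify_ah(sadb, "192.0.2.10", ip_fields, ah, payload + b"!")
    wrong_dst = verify_ah(sadb, "192.0.2.99", ip_fields, ah, payload)
    return good, modified, wrong_dst
```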

Page 254: IP ESP

IP ESP encapsulates either the entire datagram or only the header portion of the upper layer protocols.
It encrypts most of the content inside the encapsulated portion.
It appends a plaintext header at the end that is used to route the packet through the network.

ESP consists of
An unencrypted header
An encrypted data field that may include the protected ESP header fields and the protected user data, which is the entire datagram or simply the upper-level protocol packet

Page 255: Location of the ESP Header

Opaque transform data is a protected field containing further parameters relevant to the processing of the cryptographic algorithm.

(Figure: IP Header | Other IP headers | ESP Header | Encrypted Data; the ESP header contains the Security Parameters Index (SPI) and the Opaque transform data)

Page 256: Tunnel Mode

Before encrypting a datagram, the sender locates the SA and determines which encryption algorithm and key to employ.
It then has the choice between two ESP modes.

ESP tunnel mode
The complete datagram is encapsulated within the ESP
This ESP is transmitted within another IP datagram with a cleartext header
Can be used between gateway machines (firewalls) to create a virtual private network

– A collection of hosts that have implemented protocols to securely exchange information

Page 257: Transport Mode

ESP transport mode
Only an upper-layer protocol, such as TCP or UDP data, is encapsulated
The ESP header is inserted immediately preceding the transport layer protocol header
This mode conserves bandwidth since there are no encrypted IP headers

Page 258: IPSec Summary

IPSec provides security without changing the interface to IP.

Upper layer protocols need not change to invoke security.

IPSec increases protocol processing costs and communication latency, as sender and receiver perform cryptographic operations.
IPSec is based on the use of symmetric key algorithms.

It does not prescribe a particular key management protocol, even if an Internet Key Exchange (IKE) protocol was developed.

Page 259: SSL Protocol (1)

The SSL protocol was developed by Netscape Communication Corp. for

Authenticating access to the server by using RSA
Exchanging client/server keys in a secure way

(Figure: protocol stack HTTP FTP SMTP / SSL / TCP / IP)

Page 260: SSL Protocol (2)

The SSL protocol ensures a secure TCP/IP connection on the basis of

The communicating entities may authenticate each other using public key cryptographic mechanisms
Data confidentiality is ensured by the use of a session key
Data integrity is ensured by the use of a Message Authentication Code (MAC)

– A MAC is a family of hash functions parameterised by a secret key
– Provides assurance about the source and integrity of a message

The SSL protocol does not prevent traffic analysis.
IP addresses travel across the network in cleartext.

Page 261: SSL Phases

The SSL protocol consists of two phases
First phase, Handshake

Client and server exchange a symmetric key using an asymmetric key algorithm
In this phase client and server decide the cipher algorithm to use (cipher setting)
The server must authenticate itself with a digital certificate
Client certificate authentication is optional

Second phase, secure connection
By using the secure channel created during the previous phase, client and server may communicate with each other in a secure way using a secret key algorithm

Page 262: SSL Handshake

(Figure: exchange between Client and Server, in order: cipher setting, cipher setting, server public key, client public key, session key encrypted with the server public key; session key generation)

Page 263: SSL Example (1)

Message 1 (from client to server): Client hello
Client random number
Suggested cipher suites
– TLS_RSA_WITH_IDEA_CBC_SHA
– TLS_RSA_WITH_DES_CBC_SHA
– TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Suggested compression algorithm: NONE

Message 2 (from server to client): Server hello
Server random number
Use cipher suite: TLS_RSA_WITH_DES_CBC_SHA
Certificates
– Subject: DN = Superstorevirtualobject
– Public key: 0x9f400682…
– Issuer: Verisign
Server done: NONE

Page 264: SSL Example (2)

Message 3 (from client to server)
Client key exchange: RSA_Encrypt (Server Public Key, PreMasterSecret)
Change Cipher Spec: NONE
Finished: MD5(M1 || M2 || M3A)

Message 4 (from server to client)
Change Cipher Spec: NONE
Finished: MD5(M1 || M2 || M3A || M3C)
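The four messages of the example above, run as a simplified handshake: the server picks a suite from the list the client offered, and the Finished digests MD5(M1 || M2 || M3A) and MD5(M1 || M2 || M3A || M3C) commit each side to the whole transcript, so a Server hello altered in transit (for instance to select the export suite) is rejected at the Finished step. This is an added example, not part of the original slides: the message encoding and random values are constructed, the RSA encryption of the PreMasterSecret is modelled as an opaque token, and the Finished digest is keyed with the PreMasterSecret (real SSL keys it with the derived master secret) so that a party without the secret cannot recompute it.

```python
"""SSL handshake of slides 263-264: suite negotiation and Finished digests over
the transcript. Added example; encoding, randoms and the RSA step are
constructed or simplified as stated in the lead-in."""
import hashlib
import secrets

OFFERED_SUITES = ["TLS_RSA_WITH_IDEA_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
                  "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]
SERVER_PREFERS = ["TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]


def serialize(msg: dict) -> bytes:
    """Deterministic byte form of one handshake message (constructed encoding)."""
    return "|".join(f"{k}={msg[k]}" for k in sorted(msg)).encode()


def client_hello(client_random: bytes) -> dict:
    """M1: client random, suggested cipher suites, suggested compression."""
    return {"type": "ClientHello", "random": client_random.hex(),
            "suites": ",".join(OFFERED_SUITES), "compression": "NONE"}


def server_hello(m1: dict, server_random: bytes, cert_subject: str) -> dict:
    """M2: the server's first preferred suite among those the client offered,
    plus its certificate subject and Server done."""
    offered = m1["suites"].split(",")
    choice = next(s for s in SERVER_PREFERS if s in offered)
    return {"type": "ServerHello", "random": server_random.hex(), "suite": choice,
            "cert_subject": cert_subject, "server_done": "NONE"}


def finished(premaster: bytes, *messages: dict) -> str:
    """Finished digest of slide 264: MD5 over the transcript, keyed here with the
    PreMasterSecret so only the two parties can produce it."""
    h = hashlib.md5(premaster)
    for m in messages:
        h.update(serialize(m))
    return h.hexdigest()


def run_handshake(in_transit=None):
    """Run M1..M4. `in_transit`, if given, rewrites M2 between server and client.
    Returns (suite the client believes was chosen, both Finished checks passed)."""
    premaster = secrets.token_bytes(48)
    m1 = client_hello(secrets.token_bytes(32))
    m2_sent = server_hello(m1, secrets.token_bytes(32), "DN = Superstorevirtualobject")
    m2_seen = in_transit(m2_sent) if in_transit else m2_sent
    # M3A: RSA_Encrypt(Server Public Key, PreMasterSecret), modelled as an opaque token.
    m3a = {"type": "ClientKeyExchange", "rsa_encrypted_premaster": "<opaque>"}
    # M3C: the client's Finished over its own view of the transcript.
    m3c = {"type": "Finished", "verify": finished(premaster, m1, m2_seen, m3a)}
    server_ok = m3c["verify"] == finished(premaster, m1, m2_sent, m3a)
    # M4: the server's Finished, which the client checks against its view.
    m4 = {"type": "Finished", "verify": finished(premaster, m1, m2_sent, m3a, m3c)}
    client_ok = m4["verify"] == finished(premaster, m1, m2_seen, m3a, m3c)
    return m2_seen["suite"], server_ok and client_ok


def rewrite_suite(m2: dict) -> dict:
    """A modification of M2 in transit (a faulty or hostile intermediary):
    the transcript digests no longer agree, so the handshake fails."""
    return {**m2, "suite": "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
```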

Page 265: SSL Conclusions

SSL is the most widely used Internet security protocol.
It adds a security layer between application protocols and TCP, so applications explicitly have to ask for security.
Application code, thus, has to be changed

– Not much more than edit operations

Page 266: S-HTTP (1)

S-HTTP is an extension of HTTP that provides
Confidential transactions
Data integrity and authentication
Non-repudiation

Methods used to ensure message security
Digital signature
Cryptography
Sender identity authentication
Message authenticity

The protocol gives great flexibility in the choice of

Key management mechanisms
Security policies
Cryptographic algorithms

Page 267: S-HTTP (2)

An S-HTTP message consists of
The header, which includes information about

– The way to decrypt the message
– How to process the message after its decryption

The body, which includes the encrypted text

During the initial connection phase, server and client negotiate how to carry on the transactions.

Essentially they negotiate the methods to use to protect messages

Signature
Authentication
Cryptography

Page 268: S-HTTP Message

An S-HTTP message consists of the request line, followed by a series of header lines and the encapsulated content.

Request line (status line)
All requests must include the line

Secure * Secure-HTTP/1.2
E.g. Secure http://. . ./ Secure-HTTP/1.2

Three types of header lines
S-HTTP headers
HTTP non-negotiation headers
HTTP negotiation headers

Page 269: S-HTTP Headers

S-HTTP header fields contain information about

Content-Privacy-Domain: defines the format of the encrypted message
Content-Transfer-Encoding: the type of compression used for the media
Content-Type: the type of the encrypted message
Prearranged-Key-Info: information about the key previously exchanged
MAC-Info: information for the use of digital signature

The two fields Content-Privacy-Domain and Content-Type are mandatory.

Page 270: HTTP Non-Negotiation Headers

These header lines enter into the encapsulated content, so they are protected by encryption.
HTTP non-negotiation header fields

Key-Assign: contains a symbolic name the agent wants to assign to the key for future references

Encryption-Identity: identifies a potential recipient to whom the sender may encrypt the message with the established options; for Kerberos, provides information about the Kerberos identity

Certificate-Info: contains information about digital certificates

Nonce
Nonce-Echo

Page 271: HTTP Negotiation Headers

To make the negotiation possible, the S-HTTP header contains a negotiation block which permits expressing preferences about the types of cryptographic extensions to use

E.g.
SHTTP-Certificate-Types: expresses the certificate types that the agent may accept
SHTTP-Key-Exchange-Algorithms: gives information about the algorithms that the agent may use to encrypt messages
…
Your-Key-Pattern

– Is a generalized syntax model for a great number of key types

Page 272: S-HTTP Header Line Format

Header type: Headers

S-HTTP headers: Content-Privacy-Domain, Content-Transfer-Encoding, Content-Type, Prearranged-Key-Info, MAC-Info

HTTP non-negotiation headers: Key-Assign, Encryption-Identity, Certificate-Info, Nonce, Nonce-Echo

HTTP negotiation headers: SHTTP-Privacy-Domains, SHTTP-Certificate-Types, SHTTP-Key-Exchange-Algorithms, SHTTP-Signature-Algorithms, SHTTP-Message-Digest-Algorithms, SHTTP-Symmetric-Content-Algorithms, SHTTP-Symmetric-Header-Algorithms, SHTTP-Privacy-Enhancements, Your-Key-Pattern

Page 273: SET

SET is a specific protocol for e-commerce transactions

Assuring non-repudiation
– The seller (merchant) cannot deny having received the purchase order
– The purchaser (cardholder) cannot deny having made the order

The mechanism used by this protocol is the Dual Signature

Two messages are sent, at the same time, to two different entities
The dual signature mechanism allows linking the two messages together

It permits acquiring items without sending the purchaser's bank payment information to the seller

Page 274: SET Architecture

(Figure: Cardholder and Merchant connected through the Internet; Certification Authority; Payment Gateway linking the Internet to the Bank Network and the Acquirer Bank)

Page 275: Payment Gateway

The banks are linked together by a proprietary network.
A payment gateway is an information system that links together the Internet and the proprietary bank network.
Examples of payment gateway are

www.cybercash.com
www.bancasella.it
www.authoriznet.com
…

Page 276: Dual Signature Generation

(Figure: Message A, the item purchasing request, and Message B, the payment authorization, are each passed through the hash function, giving message digest A and message digest B; the two digests are concatenated and hashed again, and the resulting message digest is encrypted with the cardholder private key to produce the Dual Signature)

Page 277: Messages Match

(Figure: the Cardholder sends to the Merchant Message A, the Dual Signature and message digest B, and to the Bank Message B, the Dual Signature and message digest A; each receiver applies the hash function to its own message and obtains the digest that pairs with the one received)

Page 278: Message Integrity

(Figure: from Message A the receiver computes message digest A with the hash function, concatenates it with the received message digest B and hashes again to obtain a message digest; the Dual Signature is decrypted with the cardholder public key and the resulting message digest is compared with the computed one)

Page 279: Cardholder Digital Certificate (1)

The cardholder may not want to give his credit card data to the merchant.
To avoid this

The cardholder sends to the merchant a digital certificate containing the message digest of his credit card data, and to the trusted payment gateway his credit card data

The merchant sends the cardholder's digital certificate to the payment gateway
The payment gateway verifies data coherence

Page 280: Cardholder Digital Certificate (2)

(Figure: the Cardholder hashes the credit card data to a message digest and encrypts it with the cardholder private key, giving the digital signature; the digital signature goes to the Merchant, who forwards it to the Payment Gateway; the Payment Gateway hashes the credit card data it received to a message digest and decrypts the digital signature with the cardholder public key, obtaining the message digest to compare)

Page 281: SET Phases

The SET protocol consists of five phases
Cardholder registration

– The cardholder asks the Certification Authority for a digital certificate

Merchant registration
– The merchant requests a digital certificate from the CA

Purchase request
– In this phase the dual signature mechanism is applied

Payment authorization
– The payment gateway tells the merchant that he was enabled by the cardholder to be paid
– The payment occurs in the next phase
– On Sundays and during the night the bank system may be off-line

Capture
– The payment is confirmed

Page 282: Purchase Request Phase

(Figure: exchange between Cardholder and Merchant: request of the Merchant CA, Merchant CA, purchase request, digital invoice)

Page 283: PEM (1)

A PEM message provides
Authentication
Data integrity
Non-repudiation
As an optional feature, confidentiality

Three types of messages, offering combinations of cryptographic services, can be specified

MIC-CLEAR message provides data integrity and authentication

– The message can be read also by a non-PEM host
– A non-PEM host cannot verify the integrity or authenticity

Page 284: PEM (2)

MIC-ONLY messages include the security functions of MIC-CLEAR plus an encoding step that ensures that a PEM message can be passed through various e-mail gateways without being transformed.
ENCRYPTED messages provide the services of a MIC-ONLY message plus confidentiality.

Each message is composed of two parts
The header, which contains all the information necessary for a correct interpretation and validation
Inside the header there are

– The MIC
– References to the cryptographic algorithm used
– Possible digital signature

Page 285: PEM Message Transmission

PEM message processing consists of four steps
Canonicalization

– PEM converts each message to a standard format

Message integrity and digital signature
– PEM uses RSA and MD5 as message integrity algorithms
– To permit verification of the sender identity, the sender includes its X.509 certificate

Optional encryption
– PEM specifies the use of DES in cipher block chaining mode

Optional transmission encoding
– This step is executed only if the message type is MIC-ONLY or ENCRYPTED
– PEM converts the message into text using a 6-bit alphabet

Page 286:

Receiving a PEM Message

– The receiving host first checks the message type
– If it is MIC-ONLY or ENCRYPTED, the message is decoded
  – If it is ENCRYPTED, the 6-bit text is first converted back to 8-bit ciphertext and then decrypted
  – Otherwise the 6-bit encoding is transformed into canonical plaintext
– The processing is now common to MIC-ONLY and MIC-CLEAR messages
  – The message integrity and authenticity are checked
  – The canonical format is transformed into a format compatible with the receiving host

Page 287:

PGP

– PGP is a software product that secures e-mail traffic, providing
  – Confidentiality, by encrypting the message with the IDEA algorithm in cipher block chaining mode
  – Data origin authentication
  – Data integrity
  – Origin non-repudiation
– For sender authentication PGP uses the X.509 protocol

Page 288:

Data Origin Authentication and Message Integrity

– Data origin authentication assures the recipient of the identity of the sender
– Data origin authentication and message integrity are accomplished as follows
  – A one-way hash function (MD5) is applied to the message and the resulting message digest is appended to the message
  – The message digest is encrypted with the sender's private key (RSA, with key lengths of 384, 512 or 1024 bits)
  – The receiver uses the sender's public key to decrypt the digest, which ensures that the digest was indeed encrypted by the identified message sender

Page 289:

PGP Usage

– PGP automatically provides confidentiality, authentication and data integrity
– It is, however, possible to send a PGP message without confidentiality, authentication or integrity
– PGP can be used to secure e-mail as well as to encrypt files
– PGP compresses the message using the ZIP 2.0 program
  – This reduces the size of the message and makes the cryptanalyst's task more difficult

Page 290:

S/MIME

– S/MIME tries to secure e-mail messages by defining a new protocol rather than an application package like PGP
– The message is composed of two parts
  – Header: contains all the information for a correct and secure transmission
  – Text: in MIME format
– It also permits messages containing attachments to be transmitted securely

Page 291:

Network Boundaries

– With IPSec and SSL, the security perimeter coincides with the boundaries of the nodes in a computer network
  – The nodes are assumed to be secure while the network is insecure
– Networks consist of nested subnets, and it may be the case that the boundary of such a subnet is an appropriate security perimeter
  – This is the case of an organization that has installed a local area network (LAN)

Page 292:

Separating Two Subnets

– Separating two subnets means preventing data belonging to one subnet from accidentally migrating outside it
– The solution is a router that passes packets between the subnets only if they are explicitly addressed to a node on the other side

[Diagram: subnet1 and subnet2 connected through a Router]

Page 293:

Virtual Private Network

– When the subnets are not directly connected, a virtual private network (VPN) may establish a secure connection between gateways in each of the subnets
– All traffic between the subnets has to go through these gateways, where cryptographic protection is added to extend the security perimeter

[Diagram: subnet1 – Gateway – secure connection – Gateway – subnet2]

Page 294:

Firewalls (1)

– When the LAN is connected to the Internet, the threat environment changes
– To protect private networks (Intranets) from eavesdropping, intrusion and other attacks from the Internet, an adequate barrier is required
– This barrier is a firewall
– A firewall may also be installed between two different Intranet zones where we want to prevent access by unauthorised personnel

Page 295:

Firewalls (2)

[Diagram: Internet – FIREWALL – Intranet]

Page 296:

Firewalls (3)

– A firewall identifies a set of actions executed using special hardware and special software
– The principal components are
  – Filtering
  – Proxy
  – Domain Name System (DNS)
  – E-mail server

Page 297:

Some Considerations

– An authentication protocol requires knowing who our users are
– When we want to reach out into the Internet to meet an ever-growing set of users, an authentication protocol is inappropriate
– To take our access control decisions we have to use
  – The address a remote user comes from
  – Or the service requested

Page 298:

Firewall Tasks

– Typical tasks of a firewall are
  – Access control based on sender or receiver addresses
  – Access control based on the service requested
  – Hiding the internal network (topology, addresses, traffic) from the outside world
  – Virus checking on incoming files
  – Authentication based on the source of traffic
  – Logging of Internet activities
– The two fundamental mechanisms used by firewalls are
  – Packet filtering
  – Proxy servers

Page 299:

Negative Aspects

– A firewall also presents negative aspects
  – It protects only from the attacks for which it is configured
  – A compromise of the firewall exposes the Intranet to attacks
  – It offers no protection against direct network access points that bypass it
  – It cannot protect resources from attack by an internal user of the private network
  – It is useful only if all the Internet traffic is handled through the firewall
  – Usually it does not perform virus protection: to implement such protection, the firewall must implement the logic to detect viruses in the data stream
  – As the point where security is concentrated, it may become a bottleneck

Page 300:

Security Policy Definition

– A firewall cannot be acquired as a pre-manufactured solution
– It has to be modelled on the requirements and on the right compromise between security and functionality
– A high-level network security policy definition is required before configuring the firewall, covering for example
  – Whether file downloading is allowed
  – telnet support for Internet users
  – Access with different rights for different users
  – The identity registration of those who access through the firewall
  – …

Page 301:

Packet Filtering (1)

– A packet filter is usually a router (screening router) that
  – Examines the passing information packets
  – Performs a selection based on
    – The packet IP addresses, source and destination
    – The port numbers, source and destination
    – Protocol type: TCP, UDP, FTP, TELNET, ...
    – Direction: from inside to outside, or from outside to inside
– Packet filtering works at the IP level
– It is often difficult to specify security policies with rules that work at such a low level

Page 302:

Filtering Table (1)

– Filtering operations make use of a filtering table
– A filtering table contains the rules to be applied
– Filtering rules should be designed to reflect the company's security policy
– To avoid IP spoofing attacks, the filter rules should discard any packet from the Internet that contains the source address of a host inside the private network

Action  Source  Source port  Destination      Destination port  Protocol  Flags/options  Description
allow   *       *            145.115.12.127   *                 TCP                      Connection to external trusted host
allow   *       25           *                *                 TCP       ack=1
block   *       *            *                *                 *                        default

Page 303:

Filtering Table (2)

– The filter component of a firewall works as follows
  – When a packet arrives, it is tested against the first rule
  – If the first rule applies to the packet, then the action specified for that rule is carried out: the packet is rejected or forwarded
  – If this rule does not apply, the second rule is checked, and so on
  – If no rule applies, the last rule rejects the packet (closed system policy)
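The filtering table of the previous slide evaluated with the first-match, closed-policy semantics described here, as an added example that is not code from the lecture. The internal prefix 10.1.0.0/16, the direction column, the anti-spoofing rule placed first and the sample packets are constructed; 145.115.12.127 is the trusted host from the slide's table.

```python
"""Added example, not from the lecture: a screening-router filtering table with
first-match evaluation. Rule order matters: the anti-spoofing rule is placed
before any 'allow' so a forged internal source address can never match one."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.1.0.0/16")   # assumed address range of the private network


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" = Internet -> Intranet, "out" = Intranet -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                 # "TCP", "UDP", ...
    ack: Optional[int] = None  # TCP ACK flag: 1 on an established connection, None if not TCP


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    direction: str = "*"
    src: str = "*"             # "*", a single address, or a CIDR prefix
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"
    proto: str = "*"
    flags: str = "*"           # "*" or "ack=1"
    description: str = ""

    @staticmethod
    def _addr_match(pattern: str, addr: str) -> bool:
        if pattern == "*":
            return True
        if "/" in pattern:
            return ip_address(addr) in ip_network(pattern)
        return ip_address(addr) == ip_address(pattern)

    @staticmethod
    def _port_match(pattern: str, port: int) -> bool:
        return pattern == "*" or int(pattern) == port

    def matches(self, p: Packet) -> bool:
        """Every column of the rule must match the packet; '*' is a wildcard."""
        if self.direction not in ("*", p.direction):
            return False
        if not (self._addr_match(self.src, p.src) and self._addr_match(self.dst, p.dst)):
            return False
        if not (self._port_match(self.sport, p.sport) and self._port_match(self.dport, p.dport)):
            return False
        if self.proto not in ("*", p.proto.upper()):
            return False
        if self.flags == "ack=1" and p.ack != 1:   # only segments of an established connection
            return False
        return True


# The slide's three rules, preceded by the anti-spoofing rule the text calls for.
FILTER_TABLE = [
    Rule("block", direction="in", src=str(INTERNAL_NET),
         description="anti-spoofing: internal source address arriving from the Internet"),
    Rule("allow", dst="145.115.12.127", proto="TCP",
         description="connection to external trusted host"),
    Rule("allow", sport="25", proto="TCP", flags="ack=1",
         description="replies from remote SMTP servers; ack=1 excludes new connections"),
    Rule("block", description="default"),
]


def filter_packet(table, p: Packet) -> Rule:
    """Return the first rule that applies; with no match the packet is rejected (closed policy)."""
    for rule in table:
        if rule.matches(p):
            return rule
    return Rule("block", description="implicit default")


if __name__ == "__main__":
    samples = [   # constructed packets
        Packet("out", "10.1.2.3", 40001, "145.115.12.127", 443, "TCP", 0),
        Packet("in", "198.51.100.7", 25, "10.1.2.3", 40002, "TCP", 1),
        Packet("in", "198.51.100.7", 25, "10.1.2.3", 40002, "TCP", 0),
        Packet("in", "10.1.9.9", 40003, "145.115.12.127", 80, "TCP", 0),
    ]
    for pkt in samples:
        r = filter_packet(FILTER_TABLE, pkt)
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {r.action} ({r.description})")
```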

Page 304:

Screening Router

[Diagram: Internet – Router (with Filtering Table) – Intranet]

Page 305:

TCP Problem

– An FTP client begins by opening a TCP connection to port 21 of the server
  – Control connection, used for receiving and transmitting commands
– Data transmission occurs between port 20 of the server and a random client port
– This makes it difficult to create packet-filtering rules that permit FTP communication between an internal host and an external server
– In addition, when access to an external FTP server is granted, the network address of the client is revealed
  – This information could be useful to potential attackers

Page 306:

Proxy Servers (1)

– A proxy server intercepts and examines traffic at the TCP/IP layer, permitting
  – Policies based on user identities (authentication) to be implemented; packet filtering does not permit user authentication
  – Information about the internal network topology to be hidden
– The proxy server intercepts the client request and decides whether it is permitted according to its security rules
– It is the only entity seen by the outside world
– A proxy server allows access to a specific service
  – Since it works at the application layer, separate proxy servers may be required for each type of application (service)

Page 307:

Proxy Servers (2)

– To begin a communication with the outside, the client connects to the proxy server of the relevant application
– The proxy server
  – Authenticates the user and ensures he is authorized to access the application
  – Creates a second TCP/IP connection between itself and the server on the Internet, so each packet leaving the Intranet carries the firewall's IP address (the Intranet topology is hidden)
  – Receives information from one of the two connections and transfers it to the other according to the adopted security policies
– A proxy server may record in a log file all the significant information about the network traffic

Page 308:

Domain Name System

– A DNS provides name-to-address translation in a TCP/IP network
– A firewall can provide a modified name-server function for users residing inside and outside the private network
– The firewall should not divulge the IP addresses of hosts inside the private network
  – For inquiries from hosts outside the private network, the firewall should resolve all the names of hosts inside the private network to the IP address of the firewall
  – For inquiries from hosts inside the private network, the firewall forwards name-to-address resolution for hosts on the Internet

Page 309:

Mail Handling

– E-mail is often the first vehicle of problems
– To protect the private network, one approach is to provide a mail gateway for the private network
– E-mail originating from the private network
  – Is first sent to the mail gateway
  – The mail gateway selects the e-mail destined for the Internet and forwards it to the firewall's mail handling program
– E-mail received from the Internet
  – The firewall forwards it to the mail gateway on the private network
– The mail may be submitted by the gateway to checks for viruses or other malicious software

Page 310:

Firewall Architectures

– A firewall is made of several components that give rise to different architectures (configurations) according to the way they are combined
  – Screening router
  – Dual-homed host
  – Screened host gateway
  – Screened subnet firewall
  – Double bastion host

Page 311:

Dual-homed Host (1)

– A dual-homed host is a machine with two network interfaces, to keep the traffic separated
  – One towards the Internet
  – The other towards the Intranet
– The Intranet is physically separated from the Internet
  – The traffic must pass through the gateway
– It can be used as a firewall
  – It not only routes packets between the Internet and the Intranet (packet filtering)
  – But also processes these packets according to its security rules (proxy server)

Page 312:

Dual-homed Host (2)

[Diagram: Internet – Network interface 1 – Forwarder (with Rules) – Network interface 2 – Intranet]

Page 313:

Bastion Host

– Putting all the controls on a single machine is dangerous
  – If an attacker fools it, the whole system is compromised
– A bastion host is any machine belonging to the firewall with the highest degree of criticality
  – The criticality derives from its high exposure to attacks
  – It may be located outside the firewall (in the Intranet) or inside it
– A proxy is often installed on a bastion host, or the services that we want to offer to the outside
  – Web server
  – FTP server
  – ...
– Packets are let in only if addressed to the bastion host

Page 314:

Screened Host Gateway (1)

– To improve Intranet security, a screening router is often coupled with a bastion host
– The screening router has the purpose of forwarding all the authorized packets towards the bastion host
– The bastion host analyses the information looking for attacks at a layer higher than IP
– The double check increases the security level inside the system
– This solution relies heavily on the routing table of the screening router
  – Its violation may allow the bastion host to be bypassed, by deleting the line that routes the traffic to the bastion host

Page 315:

Screened Host Gateway (2)

[Diagram: Internet – Screening router – Bastion Host (proxy) – Intranet]

Page 316:

Dual-homed Gateway (1)

– A peripheral network, also called a demilitarised zone (DMZ), is placed between the internal network and the Internet
– A screening router sits between the Internet and the peripheral network
– A bastion host in dual-homed host configuration is used, so that a modification to the routing table of the screening router does not compromise the system
– The DMZ is a suitable location for non-sensitive hosts that should be accessible from the outside world, like a Web server
  – Outsiders browsing web pages need not get into the internal network at all

Page 317:

Dual-homed Gateway (2)

[Diagram: Internet – Screening router – Peripheral network (DMZ) with Bastion Host (dual-homed host) – Internal network; the router, the DMZ and the bastion host together form the Firewall]

Page 318:

DMZ

– A network-oriented application usually uses two types of data
  – Public
  – Private
– The DMZ may be exploited to manage the two different data types
  – All the data, private and public, are stored inside the internal network
  – Inside the DMZ are installed hosts that manage only public data
– So public data may be accessed from the Internet without entering the private network

Page 319:

Screened Subnet (1)

– This configuration presents two screening routers and, between them, bastion hosts containing the services offered to the outside world
– The first screening router
  – Forwards traffic from the outside to the bastion hosts and in the opposite direction
  – Other traffic is rejected
– The second screening router (choke)
  – Permits communication with the Intranet only to the bastion hosts

Page 320:

Screened Subnet (2)

[Diagram: Internet – External screening router – Peripheral network (DMZ) with Bastion Hosts (DNS host, FTP host) – Internal screening router (choke) – Internal network; together they form the Firewall]

Page 321:

Security Evaluation

– The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, were the first evaluation criteria to gain wide acceptance
– Other evaluation criteria have been developed
  – Information Technology Security Evaluation Criteria (ITSEC)
  – Federal Criteria
  – Common Criteria
– Security evaluation aims to give assurance that a product/system is secure

Page 322:

Evaluation Criteria

– Evaluation criteria refer to
  – Products: the verification concerns the satisfaction
    – of a generic set of security requirements specified inside the security classes by the Orange Book
    – of the protection profile defined by the Common Criteria
  – Systems: the analysis starts from the evaluation of each system component, as described by the ITSEC

Page 323:

Evaluation Purpose

– The Orange Book distinguishes between
  – Evaluation: assessing whether a product has the security properties claimed for it
  – Certification: assessing whether a product is suitable for a given application
  – Accreditation: deciding that a product will be used in a given application

Page 324:

Credibility

– The credibility of an evaluation depends on the method used
– Two situations should be prevented
  – An evaluated product is later found to contain a serious flaw
  – Different evaluations of the same product disagree in their results
– Repeatability and reproducibility are often included among the criteria for an evaluation methodology
– Security evaluations should arrive at an independent, commonly accepted verdict on the properties of security products
– An independent evaluation facility can be either
  – A government agency
  – Or a properly accredited enterprise

Page 325:

The Orange Book

– It is the first guideline for evaluating security products
– The Orange Book was intended to create a more generally applicable document that provides
  – A yardstick for users to assess the degree of trust that can be placed in a computer security system
  – Guidance for manufacturers of computer security systems
  – A basis for specifying security requirements when acquiring a computer security system

Page 326:

Criteria (1)

– The criteria used by the Orange Book to define its evaluation classes are
  – Security policy: mandatory and discretionary access control policies expressed in terms of subjects and objects
  – Marking of objects: labels specify the sensitivity of objects
  – Identification of subjects: individual subjects must be identified and authenticated
  – Accountability: audit logs of security-relevant events have to be kept

Page 327:

Criteria (2)

– Assurance: operational assurance refers to the security architecture; life cycle assurance refers to methodology, testing, configuration and management
– Documentation: evaluators need test and design documentation; guidance to install and use the product is also needed
– Continuous protection: security mechanisms cannot be tampered with

Page 328:

Divisions and Classes

– The Orange Book applies the previous criteria to define four security divisions and seven security classes
– Products in higher classes provide more security mechanisms and assurance
– The security classes are defined incrementally
  – All requirements of one class are included in those of a higher one
– The four divisions
  – D, minimal protection
  – C, discretionary protection
  – B, mandatory protection
  – A, verified protection

Page 329:

Minimal Protection

– Class D contains products that were submitted for evaluation but do not meet the requirements of any other Orange Book class

Page 330:

Class C1: Discretionary Security Protection

– C1 systems are intended for an environment where co-operating users process data at the same level of integrity
– Discretionary access control is based on individual users and/or groups
– Users have to identify themselves and their identity has to be authenticated
– The Trusted Computing Base (TCB) has to have its own execution domain
– Documentation has to be provided
  – User manual
  – Trusted facility manual (for the system administrator)
  – Test documentation
  – Design documentation

Page 331:

Class C2: Controlled Access Protection

– C2 systems make users individually accountable for their actions
  – Discretionary access control is enforced at the granularity of single users
  – Propagation of access rights has to be controlled
  – Audit trails of security-relevant events have to be kept
– C2 is regarded as the most reasonable class for commercial applications

Page 332:

Class B1: Labelled Security Protection (1)

– Division B is intended for products that handle classified data and enforce the mandatory Bell-LaPadula policies
– Each object and subject has a label
  – The integrity of labels has to be protected
  – It is necessary to consider what happens to labels when objects are exported to other systems
– The security labels of a subject are determined by identification and authentication
– An informal or formal model of the security policy is required
– Testing and documentation have to be much more thorough

Page 333:

Class B1: Labelled Security Protection (2)

– Design documentation, source code and object code have to be analysed
– All flaws uncovered in testing must be removed
– B1 certificates have been received by complex software systems like
  – Multi-level secure Unix systems
  – Database management systems
– Class B1 is intended for system high environments with compartments

Page 334:

Class B2: Structured Protection

– Class B2 increases assurance by adding requirements on the design of the system
– Mandatory access control also governs access to physical devices
– A formal model of the security policy and a descriptive top-level specification of the system are required
– The TCB shall provide distinct address spaces to isolate processes
  – Hardware mechanisms support memory management
– A covert channel analysis has to be done
  – Events potentially creating a covert channel have to be audited
– Security testing will establish that the TCB is relatively resistant to penetration

Page 335:

Class B3: Security Domains

– B3 systems are graded highly resistant to penetration
– A security administrator is supported
– Auditing mechanisms monitor the occurrence of security-relevant events and issue automatic warnings in suspicious situations
– Trusted recovery after a system failure has to be facilitated

Page 336:

Class A1: Verified Design (1)

– Class A1 is functionally equivalent to B3
– The use of formal methods permits the highest assurance level to be achieved
– Evaluation for class A1 requires
  – A formal model of the security policy
  – A formal top-level specification
  – A consistency proof between the model and the formal top-level specification
  – The TCB implementation has to be informally shown to be consistent with the formal top-level specification
  – A formal analysis of covert channels

Page 337:

Class A1: Verified Design (2)

– In addition, more stringent configuration management and distribution control ensure that the version installed at a customer site is the same as the evaluated master copy
– Very few products have been evaluated to class A1

Page 338:

Security Planning

– Protecting system information means answering questions like
  – How much is this information worth?
  – How can we estimate the damage deriving from information loss?
– The enterprise has to answer by producing the following documentation
  – Business Security Analysis
  – Security Policy
  – Security Plan
  – Disaster Recovery Plan
  – Security Audits

Page 339:

Business Impact Analysis

– This document evaluates the economic consequences deriving from a possible attack
– Through risk analysis we try to estimate the damage caused by a successful attack
– The first step in risk analysis is to define
  – What we are protecting
  – What its value is inside the enterprise
  – Against whom we are protecting it
  – The probability that the attack occurs
– The second step is to estimate the economic damage caused by the attack

Page 340: Security Policy

– The security policies are defined starting from the previous analysis
– They list a set of technical rules, procedures, principles and behaviours whose aim is to reduce the risk of attack
– The document also assigns responsibility for data and systems
– Identifying and writing the policies is only the first step
– Policies have to be updated periodically to meet new user requirements and the targeted security level

Page 341: Security Plan & Disaster Recovery Plan

– The aim of the Security Plan is to implement the rules defined in the security policy document in order to reach the desired security level
– System analysis, even when carried out in depth, cannot find all the security flaws
  – Some flaws are not adequately covered, either because of wrong evaluations or because the cost of the risk is low compared to the cost of the countermeasures
– The Disaster Recovery Plan specifies how users must behave in the event that an attack succeeds
  – Natural disasters are also considered

Page 342: Security Audits

– The first four documents are written in the order presented
– The Security Audits document covers the entire analysis cycle
– It describes the current security level by
  – Comparing what is happening with what should be happening
  – Showing how users are reacting

Page 343: Developing Methodology

– Defining a security policy has to take into account the constraints imposed by the structure within which the system operates
  – Technical constraints
  – Logistic constraints
  – Administrative constraints
  – Political and economic constraints
– Satisfying all these constraints requires a planning, implementation and maintenance methodology

Page 344: Methodology Phases

– A security methodology consists of the following main phases
  – Context analysis
  – Information system analysis
  – User classification
  – Access rights definition
  – Undesired events cataloguing
  – Risk analysis
  – Countermeasures identification
  – Countermeasures integration

Page 345: Context Analysis

– In this phase the purpose and the structure of the organization are studied in terms of
  – Number and geographic distribution of the sites
  – Organizational units (departments, offices, …)
  – Roles, competences and responsibilities
  – Hierarchical and functional relations
– Procedures and information flows are also analysed

Page 346: Information System Analysis (1)

– This phase consists in analysing
– Physical resources
  – The information system is seen as a set of devices that, in order to work, need space, electric power, a suitable environment, and protection from physical damage and theft
  – The analysis consists of
    – Identifying the components
    – Inspecting and evaluating the rooms
    – Verifying the cabling

Page 347: Information System Analysis (2)

– Logical resources
  – The system is seen as a set of information, flows and processes
  – The analysis consists of
    – Information classification
    – Services cataloguing
– Resource interdependencies
  – For each system resource, physical or logical, it is necessary to identify the resources it needs in order to work correctly
  – This analysis points out the potentially critical system resources

Page 348: Users Classification

– Assigning each user to a class allows
  – Grouping the users of the same class
  – Defining common security constraints
– Users may be classified, as a first approximation, by their role inside the organization

Page 349: Access Rights Definition

– In a system, we must explicitly define which services and which information each user type may access, and in which mode
– The outcome of the analysis is two matrices
  – Users/services matrix
  – Users/information matrix

Page 350: Undesired Events Cataloguing

– Having described what may happen to the system, in this phase we try to point out what must not happen
– A systematic search is needed to identify the majority of the undesired events
– A starting point may be to consider as an undesired event every access, to information or to services, that is not allowed by the rights matrices
– It is good practice to distinguish between
  – Intentional attacks
  – Accidental events
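The two slides above (Access Rights Definition and Undesired Events Cataloguing) can be turned into a small tool: the users/services and users/information matrices are written down as data, each account is mapped to its class, and an access log is checked against the matrices so that every access they do not allow becomes a catalogued undesired event. The example below is added here and is not part of the lecture; the matrices, the user classes, the log lines and the repeat threshold used to separate suspected intentional attacks from possibly accidental events are all constructed for illustration. An access that the system allowed but the matrices forbid is reported separately, because it means either the enforcement or the matrices are wrong, which is exactly what this phase is meant to surface.

```python
"""Users/services and users/information matrices, and their use to catalogue
undesired events from an access log.  Added example; the matrices, user
classes, log lines and the repeat threshold are constructed for illustration
and are not from the lecture."""
from collections import Counter
from dataclasses import dataclass

# Users/services matrix: for each user class, the access modes permitted on each service.
USERS_SERVICES = {
    "clerk":    {"payroll-web": {"read"},          "mail": {"read", "write"}},
    "hr":       {"payroll-web": {"read", "write"}, "mail": {"read", "write"}},
    "sysadmin": {"payroll-web": {"admin"},         "mail": {"admin"}, "backup": {"read", "write"}},
}

# Users/information matrix: same structure, over information assets rather than services.
USERS_INFORMATION = {
    "clerk":    {"memos": {"read"}},
    "hr":       {"memos": {"read", "write"}, "salaries": {"read", "write"}},
    "sysadmin": {"backups": {"read", "write"}},
}

# User classification: each account belongs to exactly one class.
USER_CLASS = {"alice": "clerk", "bob": "hr", "carol": "sysadmin"}

# Constructed access log: "<timestamp> <user> <service|information> <target> <mode> <allowed|denied>"
SAMPLE_LOG = """\
2001-05-03T10:12:01 alice service payroll-web read allowed
2001-05-03T10:12:44 alice information salaries read denied
2001-05-03T10:13:02 alice information salaries read denied
2001-05-03T10:13:20 alice information salaries read denied
2001-05-03T10:15:07 bob information salaries write allowed
2001-05-03T10:16:30 carol service backup write allowed
2001-05-03T10:17:55 carol information salaries read allowed
2001-05-03T10:18:10 dave service mail read allowed
2001-05-03T10:19:00 bob service payroll-web admin denied
"""


@dataclass(frozen=True)
class AccessEvent:
    time: str
    user: str
    kind: str      # "service" or "information"
    target: str
    mode: str
    outcome: str   # what the system actually did: "allowed" or "denied"


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6:
            events.append(AccessEvent(*fields))
    return events


def permitted(user, kind, target, mode):
    """True iff the rights matrices allow this access for the user's class."""
    matrix = USERS_SERVICES if kind == "service" else USERS_INFORMATION
    user_class = USER_CLASS.get(user)
    if user_class is None:
        return False  # unknown account belongs to no class, so nothing is permitted
    return mode in matrix.get(user_class, {}).get(target, set())


# Assumed triage threshold: this many denied attempts by one user on one target
# is treated as a suspected intentional attack rather than an accidental event.
REPEAT_THRESHOLD = 3


def catalogue_undesired(events):
    """Return one record per access that the matrices do not allow.

    category is "enforcement_gap" when the system allowed an access the matrices
    forbid (system and policy disagree), otherwise "suspected_intentional" or
    "possibly_accidental" depending on how often the same denied access recurs."""
    denied_counts = Counter(
        (e.user, e.kind, e.target) for e in events
        if e.outcome == "denied" and not permitted(e.user, e.kind, e.target, e.mode)
    )
    records = []
    for e in events:
        if permitted(e.user, e.kind, e.target, e.mode):
            continue
        if e.outcome == "allowed":
            category = "enforcement_gap"
        elif denied_counts[(e.user, e.kind, e.target)] >= REPEAT_THRESHOLD:
            category = "suspected_intentional"
        else:
            category = "possibly_accidental"
        records.append({"time": e.time, "user": e.user,
                        "class": USER_CLASS.get(e.user, "unclassified"),
                        "kind": e.kind, "target": e.target, "mode": e.mode,
                        "category": category})
    return records


def summarize(records):
    """Number of catalogued undesired events per category."""
    return dict(Counter(r["category"] for r in records))


if __name__ == "__main__":
    found = catalogue_undesired(parse_log(SAMPLE_LOG))
    for record in found:
        print(record)
    print(summarize(found))
```

On the constructed log this yields six undesired events: alice's three denied reads of the salaries data are grouped as a suspected intentional attack, bob's single denied admin attempt as possibly accidental, and carol's read of salaries and the unclassified account dave's mail access as enforcement gaps, since the system let them through although neither class holds that right in the matrices.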

Page 351: Risk Analysis

– Once the undesired events have been defined and catalogued, it is important to associate a risk with each of them
– Risk analysis lets the next phase, countermeasures identification, be directed towards the potentially most critical areas of the system

Page 352: Countermeasures Identification

– In this phase we have to choose the countermeasures to adopt in order to neutralize the undesired events identified previously
– Countermeasures identification consists of
  – Cost/efficacy ratio evaluation
    – To avoid countermeasures whose cost is enormous compared to the risk they protect against
  – Analysis of the security standards and of the reference security model
  – Organizational countermeasures
    – It is essential that the staff acquire security awareness
  – Technical countermeasures
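The Business Impact Analysis, Risk Analysis and Countermeasures Identification slides describe one procedure: estimate value, probability and damage for each undesired event, rank the events by risk, then screen candidate countermeasures by their cost/efficacy ratio. The example below carries that procedure through in code. It is added here and is not from the lecture; the risk model (expected annual loss = probability of occurrence per year multiplied by damage), the events, and every probability, damage, cost and efficacy figure are assumed values chosen for illustration, as is the rule that a countermeasure costing more per year than the risk it removes is rejected.

```python
"""Risk analysis and cost/efficacy screening of countermeasures.  Added
example; the risk model (expected annual loss = probability x damage) and all
the events, probabilities, damages, costs and efficacies are assumed figures
for illustration, not from the lecture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UndesiredEvent:
    name: str
    probability: float   # assumed probability of occurrence per year
    damage: float        # assumed economic damage if it occurs, in EUR
    intentional: bool    # intentional attack (True) or accidental event (False)

    @property
    def risk(self):
        """Risk associated to the event: expected annual loss."""
        return self.probability * self.damage


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # assumed yearly cost, in EUR
    covers: frozenset    # names of the undesired events it mitigates
    efficacy: float      # assumed fraction (0..1) of the covered risk it removes
    kind: str            # "organizational" or "technical"


def rank_by_risk(events):
    """Undesired events from the most to the least critical."""
    return sorted(events, key=lambda e: e.risk, reverse=True)


def risk_reduction(cm, events):
    """Annual expected loss removed by a countermeasure over the events it covers."""
    by_name = {e.name: e for e in events}
    return sum(by_name[n].risk * cm.efficacy for n in cm.covers if n in by_name)


def screen(countermeasures, events, max_cost_ratio=1.0):
    """Split candidates into (accepted, rejected) lists of (name, ratio).

    ratio = annual cost / annual risk reduction.  A countermeasure that costs
    more than the risk it removes (ratio above max_cost_ratio) is rejected;
    one that reduces nothing gets an infinite ratio."""
    accepted, rejected = [], []
    for cm in countermeasures:
        reduction = risk_reduction(cm, events)
        ratio = float("inf") if reduction == 0 else cm.annual_cost / reduction
        (accepted if ratio <= max_cost_ratio else rejected).append((cm.name, round(ratio, 3)))
    return accepted, rejected


# Constructed catalogue of undesired events with assumed estimates.
EVENTS = [
    UndesiredEvent("salary database theft",      0.05, 400_000, True),
    UndesiredEvent("payroll service defacement", 0.20,  30_000, True),
    UndesiredEvent("accidental memo deletion",   0.50,   4_000, False),
    UndesiredEvent("server room flooding",       0.01, 250_000, False),
]

# Constructed candidate countermeasures with assumed costs and efficacies.
CANDIDATES = [
    Countermeasure("database encryption and key management", 6_000,
                   frozenset({"salary database theft"}), 0.8, "technical"),
    Countermeasure("nightly off-site backups", 3_000,
                   frozenset({"accidental memo deletion", "server room flooding"}), 0.9, "technical"),
    Countermeasure("staff security awareness training", 2_500,
                   frozenset({"accidental memo deletion", "payroll service defacement"}), 0.4, "organizational"),
    Countermeasure("hardened replacement data centre", 200_000,
                   frozenset({"server room flooding"}), 0.95, "technical"),
]


if __name__ == "__main__":
    for e in rank_by_risk(EVENTS):
        print(f"{e.risk:>10.0f} EUR/year  {e.name}  ({'intentional' if e.intentional else 'accidental'})")
    accepted, rejected = screen(CANDIDATES, EVENTS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

With these figures the database theft dominates the ranking (20 000 EUR/year expected loss), so the encryption control is the first to be evaluated; the replacement data centre is rejected because it would cost roughly 84 times the 2 500 EUR/year flooding risk it addresses, which is the "enormous cost compared to the risk" case the slide warns about.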

Page 353: Countermeasures Integration

– A set of countermeasures may be a collection of uncorrelated expedients that can hardly provide an adequate answer to the global security needs of an organization
– We need to make a selection among the adopted countermeasures
– The aim is to identify a subset of minimum cost that respects the following constraints
  – Completeness
  – Homogeneity
  – Controlled redundancy
  – Feasibility
