Security
John Black
UNR
Fall 2000
Security
• Why Security?
  – Adversaries (bad guys)
• First Example: login-screen spoofing
  – Make a fake login screen
  – Store passwords of unsuspecting users
Thompson’s Turing Award Lecture
• Thompson’s Turing Award Lecture
  – Write a program which prints its own source
  – Put backdoor into login program via the compiler (each compilation inserts a backdoor)
  – Put backdoor into compiler itself
  – Have compiler code reproduce its own source
  – Now compile, then delete sources and backdoor remains ONLY IN THE BINARIES!
Password Guessing
• Many users pick poor (easy-to-guess) passwords
  – Password guessers are programs that try common passwords (e.g., English words)
  – These attacks can often be performed offline (i.e., at the attacker’s home, without the knowledge of the site being attacked)
Other Attacks
• Timing Attacks
  – How long a function takes to compute can leak information about what keys are being used
• Paging Attacks
  – Watching page faults can leak info too
• Power Analysis
  – Watching the amount of power a piece of hardware consumes can let an attacker lift the key!
Internet Worm
• ‘finger’ attack
  – The Unix finger program uses the ‘gets()’ function of C (this is no longer true)
  – gets() does NOT check for buffer overflow
  – One could attack a machine by deliberately giving ‘finger’ a long command-line argument to overflow its buffer, thereby overwriting the return address
Internet Worm, cont.
• Since ‘finger’ runs as root, we get root:
[Figure: Execution Stack. The stack parameter from the command line is where the command-line argument goes, but it is really machine code; the return address is overwritten to force a jump to that code.]
Other Attacks
• Besides trying to gain access to a system we could try to DENY access
  – Famous case in Feb 2000: Yahoo and others shut down by a DDOS attack (Distributed Denial of Service)
  – Notoriously hard to stop
  – Culprits were not caught
That was Security
• The topics we just covered are part of a vast area called “Security”
• Another sub-area is Cryptography, which we now discuss briefly
Intro to Cryptography
• Social Aspects
  – Should we have access to strong cryptography?
  – Governments would like to keep a special backdoor for use against criminals
    • Would this be abused?
    • Are YOU comfortable knowing the government could look in on you?
  – Governments consider crypto a MUNITION
    • Export is illegal
And now the fun stuff
• Cryptography is basically math
• First we address the “privacy problem”
• The simplest setting is the symmetric key or private key setting
• Alice (A) and Bob (B) want to communicate PRIVATELY over an insecure channel
• To begin with, they share a common key K
  – A key is a fixed-length randomly-chosen string
Privacy, Symmetric Case
• Solution is to use a block cipher under some mode of operation
• Let’s say AES is used (Advanced Encryption Standard, newly ratified Oct, 2000)
• A wants to send msg M to B:
  – A computes C=AES(K, M) and sends to B
  – B computes AES^-1(K, C) to recover M
  – M is called the “plaintext”; C is called the “ciphertext”
[Figure: A and B each hold K; the Adversary sits on the channel between them]
Facts about Symmetric Cryptography
• Anyone seeing AES(K, M) cannot learn anything without K
  – Exception: they learn that SOME communication is taking place and they learn the approximate length
• Encryption and Decryption are FAST for symmetric cryptography
Key Distribution
• But how do we distribute the keys??
  – If A and B can meet in person, this is not hard; but meeting in person is impractical in an electronic age
  – The solution came about in the early 1980s: asymmetric cryptography, aka public-key cryptography
Asymmetric Crypto
• In this setting A runs some algorithm and computes two (mathematically related) keys: sk and pk (secret key and public key)
• pk is advertised to the world, but sk is kept secret
• To send a message M to A we compute C=E(pk, M) and send to A
• A receives C and computes D(sk, C) = M
  – Here E() is the encryption function and D() is the decryption function
Notes on Asymmetric Crypto
• Once I encrypt with C=E(pk, M) even I cannot understand C any longer
  – Only someone holding sk can decrypt
• Asymmetric crypto is based on hard mathematical problems
  – A typical hard problem is this: take n = pq where p and q are 512-bit primes; if you were given n (but not p and q) could you compute p and q in a “reasonable” amount of time?
  – No one knows how to solve the above problem efficiently
• Asymmetric crypto tends to be sllllllow
Change of Topic: Authentication
• Authentication is an integral part of cryptography, but has nothing to do with privacy
• A wants to send a message to B such that B can be certain (with high probability) that A did in fact originate the message
Authentication, Symmetric Case
• Symmetric setting:
  – A and B share a common key K
  – We use an algorithm known as a MAC (Message Authentication Code)
  – A wants to send M to B
    • A computes t=MAC(K, M) and sends (M,t) to B
    • B receives (M’, t’)
    • B computes MAC(K, M’) and compares to t’
      – If equal, B ACCEPTS
      – If unequal, B REJECTS
Authentication, cont.
• Any M sent from A should verify 100% of the time
• Any M sent from someone other than A (who does not possess K), should never verify (unless they get extremely lucky)
• Authentication in the symmetric setting is FAST
• The string t=MAC(K,M) is called the “tag”
Intuition on MACs
• Think of a big table with all possible msgs in one column and random independent 64-bit strings in the second column
• What is the probability the adversary could guess the proper tag for an M she had not seen before? Answer: 1 in 2^64
[Table: column “Message M” (Empty String, etc.) beside column “Tag t” (random bits)]
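The symmetric authentication exchange from the slides above, as an added example that is not part of the original lecture. It assumes HMAC-SHA256 truncated to 64 bits as the MAC (the slides do not name one), and the function names are hypothetical; the tag comparison is constant-time so that verification does not become the timing leak mentioned earlier.

```python
import hashlib
import hmac
import secrets

TAG_BYTES = 8  # 64-bit tag, matching the 1-in-2^64 guessing bound on the slide


def mac(key: bytes, msg: bytes) -> bytes:
    """t = MAC(K, M). Assumption: HMAC-SHA256 cut down to 64 bits."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


def send(key: bytes, msg: bytes):
    """A's side: compute the tag and transmit the pair (M, t)."""
    return msg, mac(key, msg)


def receive(key: bytes, msg: bytes, tag: bytes) -> bool:
    """B's side: recompute MAC(K, M') and compare to t'.

    compare_digest takes the same time wherever the first mismatch is,
    so an attacker cannot discover a valid tag byte by byte via timing.
    """
    return len(tag) == TAG_BYTES and hmac.compare_digest(mac(key, msg), tag)


def forge_attempts(key: bytes, msg: bytes, tries: int) -> int:
    """Adversary without K guesses random tags; count how many B ACCEPTS."""
    return sum(receive(key, msg, secrets.token_bytes(TAG_BYTES))
               for _ in range(tries))


if __name__ == "__main__":
    K = secrets.token_bytes(16)            # shared key, constructed here
    M, t = send(K, b"pay Bob $10")         # constructed sample message
    print("genuine :", receive(K, M, t))                   # ACCEPT
    print("altered :", receive(K, b"pay Bob $1000", t))    # REJECT
    print("guessed :", forge_attempts(K, M, 10_000), "of 10000 accepted")
```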
Authentication, Asymmetric Setting
• In asymmetric setting there is no shared key
• Instead of “MAC” we call our tag a “signature”
• To sign a message M
  – A generates sk, pk as before
  – A computes s=E(sk, M) and broadcasts (M,s)
• To verify A’s signature on M
  – Compute D(pk, s)=M and compare to M
Authentication Facts, Asymmetric Setting
• As before, no one but the holder of sk can generate valid signatures which will verify under use of pk
• As with asymmetric privacy, these algorithms are sllllow
• There is still a problem: what if someone masquerades as A and distributes a bogus pk as the public key?
Certification Authorities (CAs)
• A CA is a company which will sign the public keys of others with their private key so we can be sure of the validity of those public keys
  – Where do we then get the public key of the CA to verify this? It’s built in to the browser!
  – What if the browser is hacked? Well, I guess we’re hosed…
Secure Socket Layer (SSL)
• This is the security protocol used in browsers
• Here’s how it works:
  – (1) User U requests secure connection with Vendor V
  – (2) V replies with its public key pk and a signature from some CA
  – (3) U verifies that pk is properly signed by CA
SSL, cont.
  – (4) U generates some random session key S to be used with symmetric algorithms
  – (5) U computes C=E(pk, S) and sends to V
  – (6) V computes D(sk, C)=S
  – Both parties now have S and communicate using both symmetric privacy and authentication (i.e., block cipher and MAC algorithms)
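Steps (2) through (6), together with the CA signature check from the earlier slides, as an added example that is not part of the original lecture. It assumes textbook RSA with no padding over fixed Mersenne primes (toy keys, for illustration only), signs a hash of pk rather than pk itself, and all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys


def keygen(p, q):
    """Return (pk, sk) for textbook RSA from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa(key, x):
    """E(pk, x) and D(sk, x) are the same modular exponentiation."""
    n, exp = key
    return pow(x, exp, n)


def digest(pk, n_ca):
    """Hash of a public key, reduced to fit under the CA modulus."""
    data = f"{pk[0]}:{pk[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n_ca


# Constructed keys: Mersenne primes stand in for randomly chosen primes.
CA_PK, CA_SK = keygen(2**61 - 1, 2**127 - 1)
V_PK, V_SK = keygen(2**89 - 1, 2**107 - 1)
V_CERT = rsa(CA_SK, digest(V_PK, CA_SK[0]))  # CA's signature s = E(sk, hash)


def server_hello():
    """Step 2: V replies with pk and the CA signature."""
    return V_PK, V_CERT


def client_key_exchange(pk, cert):
    """Steps 3-5: U checks the CA signature, then sends C = E(pk, S)."""
    if rsa(CA_PK, cert) != digest(pk, CA_PK[0]):
        raise ValueError("pk is not properly signed by CA")
    s = secrets.randbits(128)  # session key S for the symmetric algorithms
    return s, rsa(pk, s)


def server_recover(c):
    """Step 6: V computes D(sk, C) = S."""
    return rsa(V_SK, c)


def handshake():
    """Run steps 2-6 and return the session key as seen by U and by V."""
    pk, cert = server_hello()
    s_user, c = client_key_exchange(pk, cert)
    return s_user, server_recover(c)
```

A bogus pk presented with V's certificate fails the check in step (3), which is the masquerading problem the CA is there to solve.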