Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz

advertisement 
CMSC 414
Computer and Network Security
Lecture 11
Jonathan Katz
“Insecurity of 802.11”
 WEP encryption:
IV, RC4(IV | k)  (M, c(M))
 Is this secure against chosen-plaintext attacks?
– It is randomized…
 40-bit key (in some implementations)!
– Claims that, with IV, this gives a 64-bit effective key(!)
 And how is the IV chosen?
– Only 24 bits long -- IV repetitions are a problem!
– Reset to 0 upon re-initialization
– Some implementations increment the IV as a counter
“Insecurity of 802.11”
 A repeating IV allows the attacker to compute the
XOR of two plaintexts
– We have discussed already how this can be damaging
 Small IV space means the attacker can build a
dictionary of (IV, RC4(IV | k)) pairs
– If portions of some plaintexts known, this enables
determination of other plaintexts
“Insecurity of 802.11”
 Known-plaintext attacks discovered on this usage
of RC4
– Possible because the first byte of plaintext is a fixed,
known header!
 Chosen-plaintext attacks
– Send IP traffic/e-mail to the mobile host and watch it
get forwarded
– Transmit broadcast messages to access point
– Authentication spoofing
“Insecurity of 802.11”
 No cryptographic integrity protection
– The checksum is linear (i.e., c(xy) = c(x)c(y)) and
unkeyed, and therefore easy to attack
– Allows IP redirection attack
– Allows TCP “reaction” attacks
• Look at whether TCP checksum is valid
• Form of chosen-ciphertext attack
 Encryption used to provide authentication
of mobile station (access point sends nonce;
station returns an encryption of the nonce)
– Allows easy spoofing after eavesdropping
“Analysis of E-Voting System”
 This paper should scare you…
– Magnitude of possible attacks by voters
– Not just the security flaws, but also the reaction of
Diebold and govt. officials…
 Vulnerable to attacks by voters, as well as attacks
by insiders
 Security through obscurity did not help
– In this case, code was leaked
Desiderata?
 Security against voters
– No double voting
– No voting outside place of residence
– Unable to disrupt the election, or tamper with results
– Privacy of others’ votes
 Security against insiders (election officials, district
heads, programmers, tech staff, …)
– Privacy of votes, except end-of-day total
– Unable to disrupt the election, or tamper with results
 Public verifiability of the entire process
Overview of Diebold system
 Voting terminals initialized; ballots installed
 On voting day, voters given voting card
– Voter inserts card, gets ballot, makes choices
– After confirmation, voting card is “cancelled”
 Election is closed by inserting an admin card
– Results can be uploaded for tabulation
Poor cryptography
 Smartcards have no cryptographic functionality
– Possible to create home-made voting cards!
– Cast multiple votes by disabling “cancellation”, or
overwriting card
– Change party affiliation
 No cryptographic protection for admin cards
– Only a weak PIN…if any
– Possible to shut down the election!
 Bad audit mechanism for detecting over-voting
– Detected over-vote would nullify the election
“Analysis of E-Voting System”
 Most data stored without any integrity
• Possible to modify ballots, vote total, or even the software
 No authentication of data sent to back-end server
 Hard-coded, non-random DES key!
 CBC mode with IV = 0!
– Deterministic encryption…
– Linking voters to votes (encrypted votes stored
sequentially)
 CRC used instead of a secure MAC
 Poor random number generation
“…Attacks on SSH”
 Previous examples illustrated bad cryptography
 Here we will see an example of good
cryptography being ‘circumvented’
“…Attacks on SSH”
 Focus only on the symmetric-key encryption and
integrity protection mechanism for SSH packets
 Recall CBC mode: ci = Fk(pi  ci-1)
 Chosen-ciphertext attack on CBC mode…
SSH
 SSH uses a variant of CBC mode
 This variant can be proven secure against chosen-
ciphertext attacks
Proof model?
decryption of
ciphertext, or error
c’1, …, c’n
…
c1, …, cn
c’1, …, c’n
Even after this interaction,
adversary learns no information about original plaintext
Real world?
 Different error messages returned depending on
the error condition
– If packet_length not in correct range, terminate the
session and send SSH2_MSG_DISCONNECT
– If packet_length not a multiple of the block length,
terminate session with no error message
– Else accept packet_length bytes until MAC can be
checked; different error message sent in this case
 This does not match the formal model!
Real world?
 SSH sends/receives communication block-by-
block
…
c1, …, cn
c’1
c’2
c’3
c’n
decryption of
ciphertext, or error
This enables attacks!
 Focus on packet_length ciphertext block
– If SSH2_MSG_DISCONNECT message sent right
away, then the attacker learns that the most significant
14 bits of decrypted length field are not all 0
• Leaks that they are all 0 with probability 2-14
– If above check passes and length check does not fail,
then 4 least significant bits of decrypted length field
equal 12
• Happens with probability 2-4
– If above checks pass, then attacker injects blocks until
the MAC check fails
• Reveals exact value of decrypted length field
Side channel attacks
Side channel attacks
 We have seen already one example of how reality
can differ from the (standard) formal models used
in cryptography
 More generally, cryptographic analysis treats
primitives/protocols as black boxes
 In reality, primitives and protocols implemented in
the real world by hardware/software
– This may lead to (other) attacks ‘outside the model’
Side channel attacks
 CPU retains state in the form of caches, branch
prediction buffer, stack data, memory, disk…
 Interaction with users influences resource usage,
page protections, scheduling
 Timing attacks, power analysis, EM radiation,
heat/sound/disk access patterns
– Especially in embedded systems
Side channel attacks
 Side channel attacks may be used to break the
crypto
– E.g., timing attacks, power analysis
 Side channel attacks may also be used to
circumvent crypto entirely
– E.g., EM radiation from monitors/keyboards, extracting
keys from memory or data from disk
– (Really more of a systems issue than a crypto issue)
“Cold boot attacks”
 Attacks on disk encryption products, exploiting
poor key management along with the fact that
memory contents can be recovered
Basic setup
Encpw(k)
pw
data
k
RAM
Enck(data)
Encrypted
hard drive
What happens when computer is shut off (or put in standby)?
Setup 2
k
pw
ok
TPM
k
RAM
Before correct password entered, k is loaded into memory
Key observations
 If memory can be probed, possible to recover k
(and then read all data on hard drive) without the
correct password
– First case: k not scrubbed after power down
• Memory decays over time
• But not too quickly, and this process can be slowed by cooling
– Second case: k should be loaded only after successful
password is entered
 Video at http://citp.princeton.edu/memory/media/
Related documents
– Security JDiBrief Scenario based risk assessment for critical infrastructures:
– Security JDiBrief Scenario based risk assessment for critical infrastructures:
Marking Time Discussion Questions When did the planning for the September 11
Marking Time Discussion Questions When did the planning for the September 11
Network Security
Network Security
Cryptography and Network Security Chapter 1
Cryptography and Network Security Chapter 1
Revenge-Seeking Behaviors
Revenge-Seeking Behaviors
Download PDF - Echo Photo Agency
Download PDF - Echo Photo Agency
Introduction to Network Security
Introduction to Network Security
Download
advertisement