From Fish to Phishing
Kenny Paterson
Information Security Group
Mathematics Department
Royal Holloway, University of London
Inaugural Lecture - February 19th 2008
Overview
1. What is Cryptography?
2. Fish and Colossus
3. WEP and GSM
4. IPsec
5. Phishing
6. Concluding remarks
1. What is Cryptography?
• Historically: making (and breaking) codes and
ciphers.
– Designed to scramble messages so they cannot be
read by an enemy.
– The preserve of emperors and generals.
– Archetypes: the Caesar cipher; Kama Sutra code.
• Today: a range of techniques for ensuring the
confidentiality, integrity and origin of data.
– Mobile phones, chip and pin cards, Internet ecommerce.
– Industrial cryptography.
What is Cryptography?
• And a thriving academic discipline involving a
blend of mathematics, statistics and computer
science.
– Advanced encryption, signature, key exchange
primitives.
– Secure multi-party computation.
– Private information retrieval from databases.
– Anonymous handshake protocols.
– Electronic elections and auctions.
– ….
This Talk
• Cryptography is a powerful tool.
– Instrumental in increasing security and confidence in
the digital age.
• But cryptography has many limitations.
– Human involvement.
– Changing adversaries.
– Difficulties of key management.
– Widening chasm between theory and practice.
• Our aim:
– To illustrate some of these problems using a mixture
of historical and current examples.
2. Fish and Colossus
[Figure: Message M and key K enter the Encryption Algorithm, which outputs ciphertext C; C passes an Interceptor on its way to the Decryption Algorithm, which uses the same key K to recover M.]
• Usual assumption: interceptor knows everything about
the system.
• So security depends entirely on the secrecy of the key K.
• Kerckhoffs’ Principle.
Fish
• 1941: Germans begin to build pan-European wireless
communications network.
– Linking Wehrmacht commands with general staff in Berlin.
– Using directional antennae and high-speed, non-Morse signalling for
teleprinter traffic.
– Encrypted using Geheimschreiber machine.
• Lorenz SZ40/42 teletype attachment.
– Careful traffic analysis indicated possible high value of traffic.
• Traffic named “Fish” by Bletchley Park staff.
– Each link named after a different species: Bream, Codfish,…
• 1942: British start to systematically intercept Fish signals.
– And Bletchley Park begins to analyse ciphertext.
– But with virtually no information about the encryption method being used!
• Jan-May 1945: British decrypt 22 million characters of Fish traffic.
– Without ever having seen a Lorenz machine!
Breaking Fish
• Initial analysis suggested Fish traffic was being
encrypted using a stream cipher.
– Message converted into numbers, A=0, B=1,…, Z=25.
– Message added character-by-character to keystream.
[Figure: a Keystream Generator driven by key K at each end. Worked values: Message M = 7,21; Keystream = 12,8; Ciphertext C = K+M mod 26 = 19,3; Decryption subtracts the same keystream from C to recover M = 7,21.]
Breaking Fish
• In theory: stream cipher known to be unbreakable if
keystream is a truly random sequence of characters.
– Shannon (1949): H(M|C)=H(M).
– Ciphertext reveals nothing (statistically) about the message.
• In practice: sender and receiver have to generate a
pseudo-random keystream using a deterministic
algorithm and a short key.
– Introducing statistical imperfections exploitable by cryptanalyst…
Fishing at a Depth
• Fish message indicators preceding encrypted data were
presumed to indicate initial setting of keystream
generator.
• Equality of indicators would imply equality of keystreams.
– Known as a depth at Bletchley Park.
• So what if a depth occurred for two closely related
messages?
– Should never be permitted because known to introduce security
weakness.
– But operators make mistakes….
• With some inspired guess-work, this could allow the two
related messages to be recovered…
Fishing at a Depth
[Worked example built up over a run of slides: two related messages encrypted under the same keystream K, with A=0, B=1, …, Z=25 and C=K+M mod 26.]
Text1:  C  R  Y  P  T  O  G  R  A  P  H  Y  I  S  F  U  N  B  E
M1:     2 17 24 15 19 14  6 17  0 15  7 24  8 18  5 20 13  1  4
K:      3 12 22  8  4 19 21 25 14 16  5  5 18 22  7 20 10  5 13
C1:     5  3 20 23 23  7  1 16 14  5 12  3  0 14 12 14 23  6 17
C2:     5  3 20 23 23  7  3 17 19 10 18  6 22 24  7 14  2  9 21
M2:     2 17 24 15 19 14  8 18  5 20 13  1  4  2  0 20 18  4  8
Text2:  C  R  Y  P  T  O  I  S  F  U  N  B  E  C  A  U  S  E  I
– Equality of keystreams: C1 and C2 were produced with the same K.
– Related messages: both begin CRYPTO, so C1 and C2 begin identically.
– Guessing CRYPTO for the start of M1 gives K for those six positions (K = C1 - M1 mod 26); subtracting that K from C2 shows that M2 also begins CRYPTO.
– Guessing that Text1 continues GRAPHY gives six more characters of K, which reveal ISFUNB in Text2; guessing that Text2 continues ECAUSE reveals ISFUNB in Text1; guessing E for Text1 reveals I in Text2.
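The leapfrogging above, as an added Python example (not code from the lecture): it encodes the slides' C1, C2 and guess sequence, recovers both texts and the keystream, and shows that with equal keystreams the difference C1 - C2 no longer depends on K at all.

```python
"""Reading two stream-cipher messages sent 'in depth' (under one keystream).

Added example, not from the lecture. It uses the slides' arithmetic (A=0 ...
Z=25, C = K + M mod 26) and the slides' own worked values: C1_SLIDES and
C2_SLIDES are the two ciphertexts, GUESSES_SLIDES the order in which stretches
of plaintext were guessed. They are a teaching example, not real Fish traffic.
"""

MOD = 26

C1_SLIDES = [5, 3, 20, 23, 23, 7, 1, 16, 14, 5, 12, 3, 0, 14, 12, 14, 23, 6, 17]
C2_SLIDES = [5, 3, 20, 23, 23, 7, 3, 17, 19, 10, 18, 6, 22, 24, 7, 14, 2, 9, 21]
# (message number, guessed next stretch of that message), in slide order.
GUESSES_SLIDES = [(1, "CRYPTO"), (1, "GRAPHY"), (2, "ECAUSE"), (1, "E")]


def to_nums(text):
    """'CRYPTO' -> [2, 17, 24, 15, 19, 14]; anything but letters is dropped."""
    return [ord(ch) - ord("A") for ch in text.upper() if ch.isalpha()]


def to_text(nums):
    return "".join(chr(ord("A") + n % MOD) for n in nums)


def encrypt(message, keystream):
    """C = K + M mod 26, character by character (the slides' stream cipher)."""
    return [(k + m) % MOD for k, m in zip(keystream, to_nums(message))]


def decrypt(ciphertext, keystream):
    return [(c - k) % MOD for c, k in zip(ciphertext, keystream)]


def depth_difference(c1, c2):
    """With equal keystreams C1 - C2 = M1 - M2 mod 26: the key cancels out,
    whatever generator produced it. That is why a depth is so dangerous."""
    return [(a - b) % MOD for a, b in zip(c1, c2)]


def read_depth(c1, c2, guesses):
    """Leapfrog between two ciphertexts in depth.

    Each guess supplies plaintext for the next unread stretch of one message.
    That stretch of keystream is K = C - M; decrypting the other ciphertext
    under it reveals the other message's stretch, which suggests the next guess.
    Returns (keystream, plaintext1, plaintext2) as lists of numbers.
    """
    cts = {1: c1, 2: c2}
    known = {1: [], 2: []}
    keystream = []
    for which, text in guesses:
        other = 3 - which
        start = len(keystream)
        crib = to_nums(text)
        stretch = cts[which][start:start + len(crib)]
        if len(stretch) < len(crib):
            raise ValueError("guess runs past the end of the ciphertext")
        k = [(c - m) % MOD for c, m in zip(stretch, crib)]  # K = C - M
        keystream.extend(k)
        known[which].extend(crib)
        known[other].extend(decrypt(cts[other][start:start + len(k)], k))
    return keystream, known[1], known[2]


def recover_slide_example():
    """Run the slides' guesses over the slides' ciphertexts."""
    k, m1, m2 = read_depth(C1_SLIDES, C2_SLIDES, GUESSES_SLIDES)
    return k, to_text(m1), to_text(m2)


if __name__ == "__main__":
    k, text1, text2 = recover_slide_example()
    print("K    :", k)
    print("Text1:", text1)
    print("Text2:", text2)
```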
Deducing Fish’s Structure
• Just such a depth was intercepted on 30th August 1941.
– Two messages with same indicator HQIBPEXEZMUG.
– Abbreviations, misspellings and corrections were inserted by
wireless operator when forced to retransmit a long message.
– Operator should have chosen new message indicator, but did not.
• Analysis by Tiltman then recovered the two messages.
• More importantly a sequence of nearly 4000 keystream
letters was obtained.
• From this sequence, Tutte (later assisted by others)
determined the entire structure of the Lorenz machine.
Lorenz SZ40 Structure
[Figure: keystream bits produced by five Chi wheels (41, 31, 29, 26, 23) and five Psi wheels (43, 47, 51, 53, 59), with Motor wheels of lengths 37 and 61 controlling the clock.]
Lorenz SZ40 Structure
• 5 parallel bits of keystream produced per clock pulse.
– Bit-by-bit combined with message in Baudot coded form.
• 12 pinwheels, arranged in two groups of five (chi and psi)
plus two motor wheels, M1 and M2.
– Output bits taken from XOR sums of chi and psi wheels.
– Chi wheels of lengths 41, 31, 29, 26, 23, clocked regularly.
– Psi wheels of lengths 43, 47, 51, 53, 59, clocked irregularly,
according to output of M1.
– M1 of length 37 clocked irregularly according to output of M2.
– M2 of length 61 clocked regularly.
• Modern interpretation: irregularly clocked circulating shift
registers.
• 2^501 possible keys (one bit per pin, 501 pins in total).
– Monthly (later daily) setting of pins on each wheel.
– Per message key: initial rotational offset of each wheel.
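A model of the generator described above, as an added example (not from the lecture and not an exact emulation of the machine): the wheel lengths and clocking rules are the slide's, while the pin patterns, the five-bit characters and the decision to read each wheel's pin before stepping are assumptions of mine. It also shows why a repeated initial setting is a depth: the same pins and offsets give the same keystream.

```python
"""Model of the Lorenz SZ40 keystream generator as the slide describes it.

Added example, not from the lecture and not a faithful emulation. Wheel
lengths and clocking rules are the slide's; the pin patterns are constructed
at random (standing in for the monthly pin setting), and reading each wheel's
active pin before the wheels step is a modelling assumption.
"""
import random

CHI_LENGTHS = [41, 31, 29, 26, 23]   # clocked every character
PSI_LENGTHS = [43, 47, 51, 53, 59]   # clocked only when M1's pin is set
M1_LENGTH, M2_LENGTH = 37, 61        # M1 gated by M2, M2 clocked regularly
ALL_LENGTHS = CHI_LENGTHS + PSI_LENGTHS + [M1_LENGTH, M2_LENGTH]  # 501 pins

def random_pins(rng):
    """One 0/1 pin per wheel position: the long-term key (2^501 choices)."""
    return [[rng.randint(0, 1) for _ in range(n)] for n in ALL_LENGTHS]

class Lorenz:
    # Wheels 0-4 are chi, 5-9 psi, 10 is M1 (37 pins), 11 is M2 (61 pins).
    def __init__(self, pins, offsets):
        self.pins = pins                                           # pin setting
        self.pos = [o % n for o, n in zip(offsets, ALL_LENGTHS)]  # message key

    def _pin(self, w):
        return self.pins[w][self.pos[w]]

    def _advance(self, w):
        self.pos[w] = (self.pos[w] + 1) % ALL_LENGTHS[w]

    def step(self):
        """Return the next 5 keystream bits (chi XOR psi), then move wheels."""
        bits = [self._pin(i) ^ self._pin(5 + i) for i in range(5)]
        m1_out, m2_out = self._pin(10), self._pin(11)
        for i in range(5):
            self._advance(i)                  # chi wheels: regular
        self._advance(11)                     # M2: regular
        if m2_out:
            self._advance(10)                 # M1: irregular, gated by M2
        if m1_out:
            for i in range(5, 10):
                self._advance(i)              # psi wheels: irregular, gated by M1
        return bits

def keystream(pins, offsets, n):
    machine = Lorenz(pins, offsets)
    return [machine.step() for _ in range(n)]

def crypt(chars, ks):
    """XOR each 5-bit (Baudot-style) character with its keystream bits; self-inverse."""
    return [[c ^ k for c, k in zip(ch, kb)] for ch, kb in zip(chars, ks)]

def roundtrip_demo(seed=1):
    """Encrypt then decrypt three constructed characters under one setting."""
    rng = random.Random(seed)
    pins, offsets = random_pins(rng), [rng.randrange(n) for n in ALL_LENGTHS]
    chars = [[1, 0, 1, 1, 0], [0, 0, 0, 1, 1], [1, 1, 1, 1, 1]]
    ks = keystream(pins, offsets, len(chars))
    return crypt(crypt(chars, ks), ks) == chars

def depth_demo(seed=2008, n=40):
    """Same pins and offsets twice give identical keystream (a depth); moving
    chi wheel 0 on by one position does not. Chi wheel 0 gets a constructed
    alternating pin pattern so that the difference is guaranteed at step 0."""
    rng = random.Random(seed)
    pins = random_pins(rng)
    pins[0] = [i % 2 for i in range(CHI_LENGTHS[0])]
    offsets = [rng.randrange(n_) for n_ in ALL_LENGTHS]
    offsets[0] = 0
    same = keystream(pins, offsets, n) == keystream(pins, offsets, n)
    shifted = list(offsets)
    shifted[0] = 1
    differs = keystream(pins, offsets, n) != keystream(pins, shifted, n)
    return same, differs
```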
Lorenz SZ40
[Photo of the machine. Size: 51 cm × 46 cm × 46 cm (20 in × 18 in × 18 in).]
Fish and Colossus
• In 1943, Max Newman raised the possibility of using a
machine to automate the breaking of Fish.
– Ideally suited to repetitive calculations involved in statistical
analysis developed by Tutte, Turing, and many others.
– But initial all-mechanical machines were slow and unreliable.
• Tommy Flowers proposed and led the build of a rival
electro-mechanical design, Colossus.
– Based at Post Office Research Station, Dollis Hill, London.
– Using 1500 state-of-the-art thermionic valves, thyratrons, and
photomultipliers.
– Implementing shift registers, systolic arrays, configurable Boolean
operations on data,…
– But not a Turing-complete machine.
Mechanised Cryptanalysis of Fish
• Colossus Mark I delivered 18th January 1944.
• Rapidly followed by first Colossus Mark II (2400 valves
and 5 times as fast).
• Eventually 10 Colossi in 24-hour operation at Bletchley
Park, with 11th in production.
The Value of Fish Traffic
• By 8th May 1945, Bletchley Park had broken 13508
messages on 718 keys, obtaining 63 million plaintext
characters.
• Fish yielded information of great strategic value:
– Strategic appreciations, order of battle, strength of individual Wehrmacht divisions.
– German situation reports for the entire Russian front.
– German strategic plans to hold on to Italy.
– Information about likely success of D-Day landings:
• 8th May 1944, Field Marshal von Rundstedt to general staff, Berlin: an Allied assault on Normandy would “be the enemy’s pre-requisite condition for a subsequent descent on the Channel coast”.
– Revelation of plans for counter-attack at Anzio beach-head.
– Insight into Hitler’s mental state.
Other Aspects of the Fish Story
• Destruction of Colossi at the war’s end.
– Colossus re-build project recently completed.
• Wartime work gave British scientists and
engineers a head-start in the fledgling
computer industry.
• Fish/Colossus story only began to
emerge in the mid-1970s.
– Several key documents only recently
declassified.
• Including “General report on Tunny”.
– Whole story masterfully told in Paul
Gannon’s “Colossus – Bletchley Park’s
Greatest Secret” (Atlantic Press, 2006).
[Photo: Tommy Flowers MBE, 1905-1998.]
Fishing Lessons
• Kerckhoffs’ Principle not applicable, but lack of system
knowledge only delayed the breaking of Fish.
• A single human error provided the key to unlocking Fish.
– Keystream repetition for two closely related messages.
• At least three major intellectual achievements:
– Initial decryption from a depth (Tiltman).
– Deriving the Lorenz machine’s structure from keystream alone
(Tutte et al.).
– Development of mechanised cryptanalysis (Newman, Flowers).
3. WEP and GSM
• In the late 1990s, wireless equipment became cheap enough to be used in mass-market networking equipment.
• IEEE developed the 802.11 family of Wireless LAN standards.
– Operating in “free for all” unregulated frequencies.
• Recognition that encryption is needed because of
broadcast nature of signals.
• IEEE 802.11b and g included WEP (Wired Equivalent Privacy) mechanisms.
– Encryption.
– Integrity protection for data.
– Authentication of network nodes.
WEP (In)security
• World War Drive 2004
– Survey of 228,537 networks
– 140,890 (60%) configured to use Open System
Authentication.
– Meaning no encryption or authentication enabled.
• Demonstration of vulnerability.
• Legality of demo doubtful!
WEP (In)security
• WEP requires end-user to configure a shared key in
every communicating device.
– Easy in a small home network of 2 or 3 devices.
– More difficult in a corporate environment with many devices.
– Updating keys a major headache.
– A classic key management problem.
• Worse still, the entire WEP design is seriously flawed.
– Authentication is trivial to defeat.
– Encryption shown to be weak by Fluhrer, Mantin and Shamir.
– Cracking tools (Airsnort, WEPcrack) are widely available on the Internet.
• Can recover WEP key in a matter of minutes.
• What went wrong?
GSM Security
• GSM = second generation mobile phone system.
– 1.9 billion customers.
– GSM networks in over 210 countries.
• Cryptography integrated as part of GSM from the start.
– Algorithms and architecture designed by experts.
– Security almost entirely hidden from end-users.
– This security (especially key management) is not cost-free.
• Operators had a strong economic incentive to get the
GSM security design right.
– Protect revenue stream so as to recoup investment in licences
purchased from national governments.
– Desire to avoid embarrassing breaches of personal privacy
occurring in first generation networks.
Lessons from WEP
• Economic incentives are often a major driver
for adoption of security measures.
– GSM using paid-for frequencies, 802.11 using free-for-all frequencies.
– Lack of incentive led to sloppy design in WEP.
• Employ security experts to design security
systems, not enthusiasts.
• Good key management is hard and best not left
to end-users.
Lessons from WEP
But: designers of WiMAX have recently repeated most of the same errors made in WEP design…
“Those who cannot learn from history are doomed to repeat it.”
– George Santayana, Reason in Common Sense, The Life of Reason, Vol. 1.
“You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself.”
– Sam Levenson
4. IPsec
• IPsec provides cryptographic protection for IP
packets.
– Encryption and integrity protection.
• An important system for protecting Internet
traffic.
– e.g. widely used in Virtual Private Networking
applications.
• Specified in IETF RFCs 4301-4309 and related
documents.
– RFCs are (essentially) standards for the Internet.
– Very complex set of documents with many options.
– 300+ pages of very technical text.
IPsec
• IPsec uses industrial-strength cryptography.
• Yet we still managed to break IPsec in certain
encryption-only configurations.
– Ciphertext-only attacks.
– Attacks demonstrated in the lab.
– Paterson and Yau (Eurocrypt 2006), Degabriele and
Paterson (IEEE Security and Privacy 2007).
Breaking IPsec
• Capture ciphertexts from the network.
• Modify ciphertexts so as to produce predictable
changes to underlying messages.
– Bit flipping weakness of CBC mode encryption.
– Messages now have small, attacker-induced faults.
• Inject modified ciphertexts into the network.
• IPsec decryption results in faulty IP packets.
– IP produces ICMP error messages when these
faulty packets are further processed.
– ICMP messages are not encrypted and carry
portions of faulty IP packets.
– These can be intercepted.
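The bit-flipping step, together with the lesson that encryption alone does not give confidentiality, as an added example (not the lecture's code and not any IPsec implementation): a constructed toy Feistel block cipher stands in for the real one, plaintexts are a whole number of 16-byte blocks with no padding, and HMAC-SHA256 in encrypt-then-MAC order is the integrity check that stops a modified packet before it is ever decrypted.

```python
"""CBC bit-flipping malleability, and why integrity must be checked first.

Added example, not from the lecture or any IPsec implementation. The block
cipher is a constructed 4-round Feistel toy on SHA-256 (insecure; it stands
in for the real cipher). The property is CBC's: flipping a bit in ciphertext
block i flips that bit in plaintext block i+1 and garbles block i. An
encrypt-then-MAC tag rejects the packet before any decryption happens.
"""
import hashlib
import hmac

BLOCK, HALF = 16, 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    """Toy Feistel permutation; the same loop with rounds reversed inverts it."""
    left, right = block[:HALF], block[HALF:]
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:HALF]
        left, right = right, _xor(left, f)
    return right + left

def block_encrypt(key, block):
    return _feistel(key, block, range(4))

def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))

def cbc_encrypt(key, iv, plaintext):
    # plaintext length must be a multiple of BLOCK; padding is omitted here
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))   # P[i] = D(C[i]) ^ C[i-1]
        prev = cur
    return b"".join(out)

def flip_bit(data, byte_index, bit):
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def _blocks(data):
    return [data[j:j + BLOCK] for j in range(0, len(data), BLOCK)]

def malleability(key, iv, plaintext, byte_index, bit):
    """Flip one ciphertext bit in block i and decrypt with no integrity check;
    returns (block i garbled, block i+1 has just that bit flipped, rest intact).
    byte_index must not lie in the last block."""
    i = byte_index // BLOCK
    ct = flip_bit(cbc_encrypt(key, iv, plaintext), byte_index, bit)
    p, t = _blocks(plaintext), _blocks(cbc_decrypt(key, iv, ct))
    wanted = _blocks(flip_bit(plaintext, byte_index + BLOCK, bit))[i + 1]
    others = all(p[j] == t[j] for j in range(len(p)) if j not in (i, i + 1))
    return p[i] != t[i], t[i + 1] == wanted, others

def seal(enc_key, mac_key, iv, plaintext):
    """Encrypt-then-MAC: the HMAC-SHA256 tag covers IV and ciphertext."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, iv, sealed):
    """Verify the tag before decrypting; a tampered packet is dropped unread."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    return cbc_decrypt(enc_key, iv, ct)
```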
Breaking IPsec
[Figure: the encryption diagram again, but the Interceptor is now an active attacker who modifies ciphertext C and observes the Reactive System behind the Decryption Algorithm.]
Breaking IPsec
• The encryption-only configurations that we
broke were already known to have theoretical
weaknesses.
– Bellovin (1995, 1996), using ideas of Wagner.
• So why were they still allowed in the
standards?
Breaking IPsec
RFC 4303:
“Using encryption-only for confidentiality is
allowed by ESP. However, it should be noted
that in general, this will provide defense only
against passive attackers.”
“ESP allows encryption-only … because this
may offer considerably better performance and
still provide adequate security, e.g., when
higher layer authentication/integrity protection
is offered independently.”
Breaking IPsec
• From the IPsec administrator's guide of a well-known vendor:
“If you require data confidentiality only in your IPSec
tunnel implementation, you should use ESP without
authentication. By leaving off the authentication
service, you gain some performance speed but lose
the authentication service.”
http://www.cisco.com/en/US/docs/security/security_management/vms/router_mc/1.3.x/user/guide/U13_bldg.html#wp1068306 (last accessed 16/2/2008).
IPsec Lessons
• Cryptography is only ever a component in a secure
system and should not be viewed in isolation.
• Encryption on its own is not sufficient to provide
confidentiality.
• Be aware of shifts in the adversary’s capabilities.
• Complexity and flexibility are the enemies of security.
• Sacrifice backward compatibility if security is the
primary objective.
• Gulf in understanding between theoreticians, standards
writers, implementers, and users.
– Security message gets lost in translation.
5. Phishing
• Demonstration: let’s take an on-line test.
http://www.sonicwall.com/phishing/
• An attack of this general type is known as a
phishing attack.
• 6 billion phishing e-mails are sent world-wide each month.
• Average loss per successful attack is estimated
at $1200 (Federal Trade Commission).
– Junk e-mail is a lot cheaper to send than junk mail.
– So even if only a tiny fraction are successful, it’s still
economically viable for the attacker.
Phishing
• Phishing exploits a mixture of human gullibility,
technological naivety, fear, and sometimes
greed.
– Users trust that “From” address in e-mail is a
guarantee of origin, and that link in e-mail is a
guarantee of destination for their sensitive data.
• Arguably, cryptography is of no use at all in
preventing this form of attack.
– Unless we had a global authentication infrastructure that is used universally to prove the origin of all e-mails.
Phishing Lessons
• Cryptography has its limitations.
• Don’t rely on a technology to do a job for which
it was never designed.
– Smart banks never use e-mail to ask their
customers to do anything sensitive.
– Unfortunately, their customers don’t all know this yet.
• Much more research is needed in the area of
humans and security.
– How humans take security-sensitive decisions, and
how they can be guided towards making better
ones.
6. Concluding Remarks
• Cryptography is one of the most powerful tools we have
in our security armoury.
• Implementing, deploying and managing effective
cryptography is difficult and expensive.
– Key management may be hardest of all.
• In theory, theory and practice are the same. In practice,
they are not.
• Eliminate humans (and human error).
• Watch out for changing adversaries.
• Recognise the limitations of cryptography.
• Learn from history.
Thanks
• Thanks to Marta Baker and her staff.
• Many thanks to colleagues and students for
making the ISG such a special place to work.
• Many, many thanks to Fred Piper for his
immeasurable and constant support over the
years.
• And thank you all for coming.