INF3510 - Notater

Veronika Heimsbakk
Institutt for informatikk
Universitetet i Oslo
veronahe@student.matnat.uio.no
31. mai 2012
Contents

1 Intro
2 Information security
3 PDCA
4 Computer Security
  4.1 Reference monitor
  4.2 Virtual Machine
  4.3 Memory Corruption
5 Cryptography
  5.1 Encryption Standard
  5.2 Stream Ciphers
  5.3 The perfect cipher?
  5.4 Integrity Check Functions
  5.5 Message Authentication Codes
  5.6 Public Key Cryptography
  5.7 Digital Signatures
  5.8 Summary
6 Key Management
  6.1 Usage Periods
  6.2 Key Generation
    6.2.1 Key States
    6.2.2 Key Protection
    6.2.3 Session Key Establishment
    6.2.4 Signing Public Keys
    6.2.5 Digital Signature
    6.2.6 Public-key Infrastructure
    6.2.7 Public-Key Certificates
    6.2.8 Browser PKI and Malicious Certificates
7 Authentication
  7.1 The Concept of Identity
  7.2 Entity Authentication
    7.2.1 Limitation of User Authentication
  7.3 Message Authentication
  7.4 User Authentication
    7.4.1 Passwords
  7.5 Digest Authentication
  7.6 ID-Based Authentication
    7.6.1 Modes of Operation
    7.6.2 Matching Algorithm
  7.7 Object-Based Authentication
    7.7.1 Clock-Based OTP Tokens
    7.7.2 Counter-Based OTP Tokens
    7.7.3 Challenge Response Systems
    7.7.4 Contactless Cards
    7.7.5 Multi-Factor Authentication
    7.7.6 Authentication Assurance
8 Identity and Access Management
  8.1 Identity Management Types
  8.2 Identity Domains
  8.3 Single Sign-On
    8.3.1 Single Domain SSO
  8.4 Open Identity Model
    8.4.1 Characteristics
    8.4.2 OpenID Business Model
  8.5 FEIDE
    8.5.1 Technical Aspects
  8.6 Access Control
    8.6.1 Authorization and Access Control
    8.6.2 Three Main Approaches
9 Communication Security
  9.1 Communication Protocol Architecture
    9.1.1 Open Systems Interconnection
    9.1.2 TCP/IP Protocol Architecture
    9.1.3 OSI vs TCP/IP
  9.2 SSL/TLS
  9.3 IP Layer Security
    9.3.1 IPSec Security Services
    9.3.2 Gateway-to-Gateway Architecture
    9.3.3 Host-to-Gateway Architecture
    9.3.4 Host-to-Host Architecture
10 Perimeter Security
  10.1 Firewalls
    10.1.1 Router Packet Filter
    10.1.2 Host-Based Packet Filters
    10.1.3 Stateful Packet Filters
    10.1.4 Personal Firewalls
    10.1.5 Circuit Level Gateways
    10.1.6 Application Level Gateway
    10.1.7 Deep Inspection Application Gateways
    10.1.8 TLS/HTTPS Traffic Inspection
  10.2 IPv4 Addresses
  10.3 Network Address Translation (NAT)
  10.4 Screened Bastion-Host
  10.5 Intrusion Detection Systems
    10.5.1 Intrusion Detection Techniques
    10.5.2 Port Scanning
    10.5.3 Attacking and Evading NIDS
    10.5.4 Intrusion Detection Problems
    10.5.5 Intrusion Detection Errors
    10.5.6 Intrusion Prevention Systems
  10.6 Honeypots
  10.7 WLAN Security
    10.7.1 802.11 Wireless LAN Security
11 Application and Operations Security
  11.1 Malware
    11.1.1 Backdoor or Trapdoor
    11.1.2 Logic Bomb
    11.1.3 Trojan Horse
    11.1.4 Viruses
    11.1.5 Worms
  11.2 Distributed Denial of Service Attacks
    11.2.1 Constructing an Attack Network
    11.2.2 DDoS Countermeasures
    11.2.3 Botnet
  11.3 SQL
    11.3.1 SQL Injection
12 Operations Security
  12.1 Due Diligence and Due Care
  12.2 Patch Management
  12.3 Top 20 Security Controls
13 Privacy and Regulatory Requirements
  13.1 Regulation of IT Security
    13.1.1 Who Regulates IT?
    13.1.2 Regulatory Frameworks
  13.2 Data Protection Regulation
    13.2.1 EU Directive on Data Protection
    13.2.2 Cross-Border Issues
    13.2.3 Tension With Other Laws
    13.2.4 Application of Data Protection Laws
  13.3 EU Draft Recommendations
  13.4 Norwegian Regulation
  13.5 Privacy Enhancing Technology
  13.6 Browser Cookie Manipulation
  13.7 Is Privacy Different from Security?
1 Intro

I am taking INF3510 - Information Security¹ in the spring of 2012. The course has a home exam of at least 5000 words, plus a written exam. The written exam is closed-book, and my aim with this collection of notes is to prepare as well as possible for it. The home exam counts for 40% of the grade, and the final exam counts for 60%. The document is written in English, since the notes I have taken are in English. The notes are mainly the lecture slides, rewritten in a slightly simpler form for revision, plus my own notes. I have, however, dropped one lecture, on Digital Forensics.

Warning: probably contains far too many typos.

2 Information security

Information security is about protecting information assets. What is harmful? Need laws and policies.

Confidentiality: Authorization: secrecy, privacy, anonymity. Concern: information theft. Control: encryption, access control.
Integrity: Data integrity, system integrity. Concern: corruption. Control: cryptographic check, access, verification.
Availability: Usable by authorization. Concern: Denial of Service (DoS). Control: filtering, recovery.

3 PDCA

ISO27002 is an Information Security Management (ISM) guideline. Released in 2005. Contains 11 high level security objects and 183 controls.

ISO27001 is ISM requirements. Perhaps of far greater and more fundamental importance than the original Code of Practice (ISO27002). Based on Plan-Do-Check-Act (PDCA).

Plan-phase:
• Establish ISM.
• Specify policy, objectives and procedures.
• Identify and analyze risks.

Do-phase:
• Implement and operate ISM.
• Implement controls to manage risks.

Check-phase:
• Monitor and review ISM.
• Ensure that the controls work properly.
• Measure effectiveness of controls.
• Record actions and events that could have an impact on the ISM System (ISMS).

Act-phase:
• Maintain and improve.
• Implement improvements.

Only 8000 companies worldwide have the 27001 certification - mostly in Japan.

4 Computer Security

The Trusted Computing Base (TCB) of a computer system is the set of all hardware, firmware and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.

4.1 Reference monitor

A reference monitor is the specification of a security model for enforcing an access control policy over subjects' ability to perform operations on objects in a system. Example: the security kernel of an Operating System (OS) is a reference monitor placed at the lowest level.

Hierarchic security levels are used in the Intel microprocessor architecture since the 80386². There are four ordered privilege levels:

¹ Taught by prof. Audun Jøsang, course pages: http://www.uio.no/studier/emner/matnat/ifi/INF3510/
² Intel 80386/i386/386. A 32-bit microprocessor. Released in 1986 for personal computers.
• Ring 0: highest; OS kernel.
• Ring 1 and 2: OS services.
• Ring 3: lowest; applications.

Windows and Linux use ring 0 for the OS and drivers (admin) and ring 3 for applications (user space). Rings 1 and 2 are not used, for performance reasons.

A process can access and modify any data and software at the same or a less privileged level than itself. A process that runs in kernel mode may modify anything on the whole platform. An attacker's goal is then to gain access to kernel mode. He may do this by tricking users into installing software, or through exploits.

4.2 Virtual Machine

A Virtual Machine (VM) is a software implementation of a machine (computer) that executes programs like a real machine. An example is the Java Virtual Machine (JVM). Platform virtualization allows multiple OSs to execute on top of a reference monitor called a Hypervisor. Each OS is a VM controlled by the Hypervisor. There are several Hypervisor implementations available; VMware is probably the best known freeware. VirtualBox is software for x86 virtualization (runs on Windows, Linux, OSX and Solaris hosts).

VM architecture variants:

Type 1 VM architecture:

  Apps     | Apps     | Apps
  Guest OS | Guest OS | Guest OS
  Hypervisor (VMM)
  Hardware

No host OS, the hypervisor runs on the hardware, high performance, limited GUI, suitable for servers.

Type 2 VM architecture:

  Apps     | Apps     | Apps
  Guest OS | Guest OS | Guest OS
  Hypervisor (VMM)
  Host Operating System
  Hardware

The hypervisor runs on a host OS, performance penalty, good GUI, better HW support, suitable for workstations.

But why use a VM? It allows multiple OSs on the same hardware, which gives improved security, improved management and resource utilization, and reduced energy consumption. It allows an optimal combination of OS and application. Safe testing and analysis of malware; malware can only infect the VM.

4.3 Memory Corruption

Buffer overflow is when written data size > buffer size. This results in neighbouring buffers being overwritten. Unintentional buffer overflow crashes software and results in unreliable software. Intentional buffer overflow is when an attacker modifies specific data in memory to execute malware. In languages like C or C++ you allocate and de-allocate memory yourself. In type-safe languages like Java, memory management is error-free.

Defences against memory corruption may be hardware functions such as the No eXecute (NX) bit/flag on stack memory; the attacker's code will not execute. OS/compiler functions like stack cookies. Programming languages that are type-safe, like Java and C#.

5 Cryptography

When is cryptography used? It's used if you require confidentiality, data integrity and message authentication. And when is it used? Historically the military and spy agencies were using it. Cryptography came in handy when they were transmitting messages through insecure channels. Nowadays it's used in many other areas, especially in electronic information processing and communication technologies. For example banking.

Taxonomy of modern ciphers
Ciphers are divided into symmetric (one key) and asymmetric (two keys). Symmetric ciphers are divided into two more: stream and block.
Block ciphers vs. stream ciphers

Encryption: plaintext M is converted into ciphertext C under the control of the key k: C = E(M, k).
Decryption with key k recovers the plaintext M from ciphertext C: M = D(C, k).

Symmetric ciphers: the secret key is used for both encryption and decryption.
Asymmetric ciphers: a pair of private and public keys where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.

Shannon's S-P Network³ is a sequence of many substitutions and permutations. Substitutions provide confusion and a complex relationship between input and output. Functions must be invertible.

5.1 Encryption Standard

The Data Encryption Standard (DES) was published in 1977 by the US National Bureau of Standards. It was used in unclassified government applications with a 15 years life time. When the time had come to replace DES, a public competition took place. This was because DES used 56-bit keys and the 64-bit data blocks were no longer adequate. Rijndael⁴ was nominated as the new Advanced Encryption Standard (AES) in 2001. Versions for 128-bit, 196-bit and 256-bit data and key blocks were now possible.

Block ciphers can be used in different modes in order to provide different security services. Common modes include:
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Output Feedback (OFB)
• Cipher Feedback (CFB)
• Counter Mode (CTR)

ECB is the simplest mode of operation. Plaintext data is divided into several blocks, each block then processed separately. Problem: for a given key, the same plaintext block always encrypts to the same ciphertext block. This may allow the attacker to construct a code book of known plaintext/ciphertext blocks.

CTR mode can do parallel encryption in h/w or s/w. Can preprocess in advance of need. Good for HD encryption. Random access to encrypted data blocks.

CBC mode issues: the same plaintext block encrypts to different ciphertext blocks each time. May assist in detecting integrity breaches, such as the insertion, deletion or reordering of data blocks. Problem: inserting or deleting a block will cause incorrect decryption.

5.2 Stream Ciphers

Consist of a key stream generator and a function for combining key stream and data. The key stream generator takes an input key k and a seed S(0) and updates its state with a state transition function f(k): S(i+1) = f(k)(S(i)). The output at step i is the bitstream key K(i) derived from S(i). In such a cipher, a bit error in ciphertext bit i causes a single bit error in plaintext bit i. Wireless networks use stream ciphers to protect data confidentiality. Stream ciphers cannot be used for integrity protection, because precise relative changes can be made to the plaintext by modifying the corresponding ciphertext bits.

5.3 The perfect cipher?

An attacker's goal is to discover the secret key. If you require confidentiality, the One Time Pad is provably secure. But we don't use it due to its disadvantages. Its disadvantages are that each key can only be used once, each key is typically very large and it requires secure distribution of a large key. Key management is therefore difficult. In the One Time Pad cipher, the encryption and decryption operations are identical.

5.4 Integrity Check Functions

Requirements for a one-way hash function h:
• Ease of computation: given x, it is easy to compute h(x).
• Compression: h maps inputs x of arbitrary bitlength to outputs h(x) of a fixed bitlength n.
• One-way: given a value y, it is impossible to find an input x so that h(x) = y.
• Collision resistance: it is impossible to find x and x', where x is unlike x', with h(x) = h(x').

Some frequently used hash functions are Secure Hash Algorithm (SHA-1): 160 bit digest. Potential attacks exist; it's designed to operate with the US Digital Signature Standard (DSA). The replacement for SHA-1 is SHA-256, 384 and 512 bit digest. This one is still secure. There is an ongoing competition for a new secure hash algorithm. The winner will be announced in 2012.

5.5 Message Authentication Codes

A message M with a simple message hash h(M) can be changed by an attacker. In communications we need to verify the origin of the data, therefore Message Authentication Codes (MAC). This can use hash functions as h(M, k), with the message M and the secret key k. To validate and authenticate this message, the receiver of the message needs to share the same secret key as the sender who computed the MAC. A third party who does not have the key cannot validate the message.

In practice the MAC algorithm is:
• Hash-based MAC algorithm (HMAC).
• CBC based MAC algorithm (CBC-MAC).
• Cipher-based MAC algorithm (CMAC).

5.6 Public Key Cryptography

Public key encryption was proposed in the open literature by Diffie and Hellman in 1976. Here each party has a public encryption key and a private decryption key. Computing the private key from the public key should be infeasible. Applications using Diffie-Hellman: IP Security (IPSec) and Secure Socket Layer (SSL)/Transport Layer Security (TLS).

As a response to the Diffie-Hellman article in 1976, three guys tried to work out an even better algorithm. This one is called RSA. This is an asymmetric algorithm. In practice, large messages are not encrypted directly with asymmetric algorithms. Hybrid systems are used, where only a symmetric session key is encrypted with the asymmetric algorithm.

Hybrid cryptosystems work like this: symmetric ciphers are faster than asymmetric ciphers because they are less computationally expensive, but asymmetric ciphers simplify key distribution; therefore a combination of both symmetric and asymmetric ciphers can be used - a hybrid system.

5.7 Digital Signatures

A MAC cannot be used as evidence that should be verified by a third party. Digital signatures are used for non-repudiation, data origin authentication and data integrity services, and in some authentication exchange mechanisms. The digital signature mechanism has three components: key generation, signing and verification procedures. In applications a message M is not signed directly, but a hash value h(M) is. To get authentication of a document sent from A, we require a procedure for B to get an authentic copy of A's public key. Then we have a service that provides the authenticity of documents signed by A. This can be provided by a Public Key Infrastructure (PKI).

So what is the difference between MAC and digital signatures? They are both authentication mechanisms. When using MAC, the verifier needs the secret key that was used to compute the MAC. MAC cannot be used as evidence with a third party. Digital signatures can be validated by third parties, and can in theory support both non-repudiation and authentication.

5.8 Summary

A cipher must be hard to cryptanalyse and use a sufficiently large key. Algorithm secrecy makes cryptanalysis harder, but it can give false assurance, and it's challenging to keep cipher design confidential. It's safest to assume that the attacker knows the cipher.

³ Designed by Claude Shannon, Massachusetts Institute of Technology (MIT) in 1949.
⁴ Designed by Vincent Rijmen and Joan Daemen.
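The following is an added worked example, not part of the original notes or the course material. It ties together three points from sections 5.1, 5.2 and 5.5 above: the ECB code-book problem versus CBC, CTR mode used as a key stream generator with the "bit error in ciphertext bit i gives a bit error in plaintext bit i" property (which is exactly why a stream cipher gives no integrity), and an HMAC that detects such a modification. The block cipher is an assumed toy 4-round Feistel construction built on SHA-256 standing in for AES; it is not secure and exists only so the modes can be run offline. All key material is constructed sample data.

```python
import hashlib
import hmac

BLOCK = 16  # byte length of one block in the toy cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    """Round function: keyed SHA-256 cut to half a block. A stand-in, not a real cipher design."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """E(block, k): 4-round Feistel network (substitution-permutation style) standing in for AES."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """D(block, k): the same rounds in reverse order; the Feistel structure makes it invertible."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: blocks are processed separately, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pt))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for the first) before E."""
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """CTR key stream K(i) = E(nonce || i, k): blocks are independent, hence parallel and random access."""
    n_blocks = (nbytes + BLOCK - 1) // BLOCK
    ks = b"".join(toy_encrypt_block(key, nonce + i.to_bytes(8, "big")) for i in range(n_blocks))
    return ks[:nbytes]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """As in any stream cipher, encryption and decryption are the same XOR with the key stream."""
    return _xor(data, ctr_keystream(key, nonce, len(data)))


def has_repeated_blocks(ct: bytes) -> bool:
    """The code-book leak: True when two ciphertext blocks are identical."""
    bs = blocks(ct)
    return len(set(bs)) < len(bs)


def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def changed_bits(a: bytes, b: bytes) -> list:
    """Bit positions where a and b differ: shows how a ciphertext bit error propagates."""
    d = _xor(a, b)
    return [i for i in range(len(d) * 8) if (d[i // 8] >> (i % 8)) & 1]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: an HMAC over nonce and ciphertext supplies the integrity the stream cipher lacks."""
    ct = ctr_crypt(enc_key, nonce, pt)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Returns the plaintext, or None when the tag shows the ciphertext was modified."""
    nonce, ct, tag = msg[:8], msg[8:-32], msg[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(enc_key, nonce, ct)


if __name__ == "__main__":
    # constructed sample key material and a plaintext made of two identical blocks
    key, mac_key, iv, nonce = b"\x01" * 16, b"\x04" * 16, b"\x02" * 16, b"\x03" * 8
    pt = b"ATTACK AT DAWN! " * 2
    print("ECB repeats a block:", has_repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC repeats a block:", has_repeated_blocks(cbc_encrypt(key, iv, pt)))
    ct = ctr_crypt(key, nonce, pt)
    print("plaintext bits changed by flipping ciphertext bit 37:",
          changed_bits(ctr_crypt(key, nonce, flip_bit(ct, 37)), pt))
    tampered = flip_bit(seal(key, mac_key, nonce, pt), 100)
    print("tampered message accepted:", open_sealed(key, mac_key, tampered) is not None)
```

The single changed bit in the CTR case is the malleability the notes warn about: the receiver decrypts without error and sees a plaintext with exactly the bit the sender did not write. Only the MAC check in open_sealed turns that into a detectable failure, which is why confidentiality and integrity are treated as separate services in section 5.5.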
6 Key Management

The security of information protected by encryption depends on the size of the keys, the robustness of the cryptographic algorithms and the protection and management afforded to the keys. A single key should be used for only one purpose. If you use it for two different purposes, it may weaken the security. Limiting the use of a key limits the damage that could be done if the key is compromised. And some key usages interfere with each other: an asymmetric key pair should only be used for either encryption or digital signatures, not both.

There are 19 types of cryptographic keys, defined by NIST. They are classified according to whether they are public, private or symmetric, their area of use and, for asymmetric keys, whether they are static or ephemeral.

The cryptoperiod is the lifespan of the specific key. This is important because it limits the amount of information protected by that given key that is available for analysis, and limits the amount of exposure if a single key is compromised. Short cryptoperiods may be counterproductive, particularly where denial of service is the paramount concern, and there is a significant overhead and potential for error in the re-keying, key update or key derivation process. The cryptoperiod is therefore a trade-off.

6.1 Usage Periods

A key is used both for protecting and for processing. In the protection period, the key is used for encryption, and in the processing period, the key is used for decryption. A symmetric key shall not be used to provide protection after the end of the protection period. The processing period normally extends beyond the protection period.

Recommended cryptoperiods are as follows (type - protection period - usage period):
1. Private Signature Key: 1-3 years
2. Public Signature Key: several years (depends on key size)
3. Symmetric Authentication Key: < 2 years / < OUP + 3 years
4. Private Authentication Key: 1-2 years
5. Public Authentication Key: 1-2 years
6. Symmetric Data Encryption Keys: < 2 years / < OUP + 3 years
7. Symmetric Key Wrapping Key: < 2 years / < OUP + 3 years
8. Symmetric and asymmetric RNG Keys: upon reseeding
9. Symmetric Master Key: about 1 year
10. Private Key Transport Key: < 2 years
11. Public Key Transport Key: 1-2 years
12. Symmetric Key Agreement Key: 1-2 years
13. Private Static Key Agreement Key: 1-2 years
14. Public Static Key Agreement Key: 1-2 years
15. Private Ephemeral Key Agreement Key: one key agreement transaction
16. Public Ephemeral Key Agreement Key: one key agreement transaction
17. Symmetric Authorization (Access Approval) Key: < 2 years
18. Private Authorization (Access Approval) Key: < 2 years
19. Public Authorization (Access Approval) Key: < 2 years

6.2 Key Generation

This is the most sensitive of all cryptographic functions. When we generate a key, we need to prevent unauthorized disclosure, insertion and deletion of keys. Automated devices that generate keys and initialization vectors (IVs) should be physically protected to prevent modifications, replacements and disclosure. Keys should also be randomly chosen from the full range of the key space.
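As an added example (my own illustration, not from the notes or the course), the usage-period rules from 6.1 and the key states listed in 6.2.1 can be enforced by a small state machine around a key record: a symmetric data encryption key with a protection period of under 2 years and a processing period of OUP + 3 years (item 6 of the list above) may encrypt only while active and inside its protection period, may still decrypt while deactivated, and loses both uses the moment it is marked compromised. Dates, periods and key names are constructed sample values; the state names follow the notes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Item 6 above: protection period (originator usage period, OUP) < 2 years,
# processing period < OUP + 3 years. Constructed as whole-year spans for the example.
PROTECTION = timedelta(days=2 * 365)
PROCESSING = PROTECTION + timedelta(days=3 * 365)


@dataclass
class ManagedKey:
    """Tracks one symmetric key through the states of 6.2.1 and enforces the periods of 6.1."""
    name: str
    activation: date
    protection_period: timedelta = PROTECTION
    processing_period: timedelta = PROCESSING
    state: str = "pre-activation"
    history: list = field(default_factory=list)   # audit trail of transitions

    @property
    def protection_end(self) -> date:
        return self.activation + self.protection_period

    @property
    def processing_end(self) -> date:
        return self.activation + self.processing_period

    def _move(self, new_state: str, today: date) -> None:
        self.history.append((today.isoformat(), self.state, new_state))
        self.state = new_state

    def refresh(self, today: date) -> str:
        """Apply the calendar-driven transitions and return the resulting state."""
        if self.state == "pre-activation" and today >= self.activation:
            self._move("active", today)
        if self.state == "active" and today >= self.protection_end:
            self._move("deactivated", today)    # cryptoperiod over; processing still allowed
        if self.state == "deactivated" and today >= self.processing_end:
            self._move("destroyed", today)      # nothing left to process, so destroy
        return self.state

    def may_protect(self, today: date) -> bool:
        """Encryption is allowed only while active and inside the protection period."""
        return self.refresh(today) == "active" and today < self.protection_end

    def may_process(self, today: date) -> bool:
        """Decryption is allowed while active or deactivated, until the processing period ends."""
        return self.refresh(today) in ("active", "deactivated") and today < self.processing_end

    def compromise(self, today: date) -> None:
        """All use of the key ceases and it is revoked, whatever the calendar says."""
        if self.state not in ("destroyed", "destroyed-compromised"):
            self._move("compromised", today)

    def destroy(self, today: date) -> None:
        """Destruction keeps the compromise flag, matching state 6 in the notes."""
        self._move("destroyed-compromised" if self.state == "compromised" else "destroyed", today)


if __name__ == "__main__":
    k = ManagedKey("dek-2012", date(2012, 5, 31))   # constructed key, activated on the notes' date
    for day in (date(2012, 1, 1), date(2013, 1, 1), date(2015, 1, 1), date(2020, 1, 1)):
        print(day, "protect:", k.may_protect(day), "process:", k.may_process(day), "state:", k.state)
    k2 = ManagedKey("dek-leaked", date(2012, 5, 31))
    k2.refresh(date(2013, 1, 1))
    k2.compromise(date(2013, 1, 1))
    print("after compromise, process:", k2.may_process(date(2013, 1, 2)), "state:", k2.state)
```

The point of routing every use through may_protect and may_process is that the cryptoperiod is then enforced by the code path rather than by an operator remembering a date; the history list is what a compromise recovery plan needs when it has to identify everything a key protected.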
Random Number Generator (RNG) seed keys are used to initialize the generation of random symmetric/asymmetric keys. Knowing the seed may determine the key uniquely. Requires confidentiality and integrity protection.

Examples of key generation
Stream cipher keys: long true random key stream (as the One-Time-Pad), or short random key (for example 128 bits) input to a keystream generator to generate a pseudo random key stream.
AES symmetric block cipher keys: select adequate key length 128, 192 or 256 bits. Ensure that any key is as probable as any other.
RSA asymmetric cipher: make sure n = p * q (modulus) is sufficiently large to prevent factoring, for example n = 2048 bit. Randomness in the seeds used to generate the primes p and q must be twice the security required.

Compromise of keys occurs when the protective mechanisms for the key fail, and the key can no longer be trusted. When a key is compromised, all use of the key to protect information shall cease and the compromised key shall be revoked.

A compromise recovery plan should contain:
1. The identification of the personnel to notify.
2. The identification of the personnel to perform the recovery actions.
3. The re-key method.
4. Any other recovery procedures, such as:
   • Physical inspection of equipment.
   • Identification of all information that may be compromised.
   • Identification of all signatures that may be invalid due to the compromise of a signing key.
   • Distribution of new keying material, if required.

The worst form of key compromise is when it is not detected.

When a key is going to be destroyed, no key material should reside in volatile memory or permanent storage media afterwards. Methods for destroying keys may be as follows:
1. Simple delete operation on computer; may leave undeleted key e.g. in recycle bin or temporary folders.
2. Special delete operation on computer that leaves no data, e.g. by overwriting.
3. Magnetic media degaussing.
4. Destruction of physical device, e.g. high temperature.

6.2.1 Key States

1. Pre-activation: the key material has been generated.
2. Active: the key may be used to cryptographically protect information or process previously protected information.
3. Deactivated: a key whose cryptoperiod has expired, but which is still needed to perform processing. Therefore deactivated until it is destroyed.
4. Destroyed: the key has been destroyed.
5. Compromised: keys are compromised when they are released to or determined by an unauthorized entity.
6. Destroyed compromised: key is destroyed after a compromise.

6.2.2 Key Protection

Keys should be accessible to authorized users and protected against unauthorized users. E.g. symmetric cipher keys are never stored or transmitted 'in the clear'. They may use a hierarchy, like session keys encrypted with a master key. Master key protection could be locks and guards, tamper proof devices, passwords and biometrics. For asymmetric ciphers, private keys need confidentiality protection and public keys need integrity/authentication protection.

6.2.3 Session Key Establishment

Symmetric ciphers are more efficient than asymmetric, and are typically used for secure data communication sessions. Session keys for symmetric ciphers
must be distributed under the protection of permanent keys. Three options for protecting the distribution of session keys:
1. Use existing shared secret keys.
2. Use a trusted third party (server) who shares a symmetric (long-term) key with each user.
3. Use an asymmetric cipher to protect the session key.

6.2.4 Signing Public Keys

Need to know who the key belongs to. Public keys must be distributed securely. May use a public-key certificate from a trusted third party: Certification Authority (CA). A public-key certificate is a public key digitally signed by a CA. A hierarchy of public-key certificates becomes a Public Key Infrastructure (PKI).

6.2.5 Digital Signature

Notation
• Private Key K_priv: confidential key only known by the owner.
• Public Key K_pub: publicly known key.
• Plain text message M: the original message or data.
• Hash function H: used to create the hash block.
• Digital signature Sig: cryptographic authentication code.
• Signature generation S: function for creating the digital signature Sig of hash H(M) on message M. E.g. RSA: the S (sign) function is equivalent to D (decrypt).
• Verification function V: function for verifying the digital signature Sig of hash H(M) on message M. E.g. RSA: the V (verify) function is equivalent to E (encrypt).

Generation and validation is as follows: take two parties A and B.
1. The plain text M
2. Compute the hash H(M)
3. Sign the hashed message with A's private key
4. Digital signature: Sig = S(H(M), K_priv)
5. Recover hash from Sig with A's public key: H(M) = V(Sig, K_pub)
6. Is valid if H(M) = H(M')
7. Compute hash H(M')
8. B has received plain text M'

6.2.6 Public-key Infrastructure

Due to the spoofing problem, public keys must be digitally signed before they are distributed. PKI is an infrastructure for distributing signed public keys in the form of public-key certificates. PKI consists of:
• Policies: to define the rules for managing certificates.
• Technologies: to implement policies and generate, store and manage certificates.
• Procedures: related to key management.
• Structure of public key certificates: public keys with digital signatures.

6.2.7 Public-Key Certificates

A public-key certificate is a public key with a digital signature. It binds a name to the public key. CAs sign public keys. An authentic copy of the CA's public key is needed in order to validate the certificate. The relying party validates this certificate and verifies that the user's public key is authentic.

How to generate a digital certificate?
• Assemble the information in a single record Rec.
• Hash the record.
• Sign the hashed record.
• Append the digital signature to the record.
H(Rec) → S(H(Rec), K_priv(CA))
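The following is an added example written for these notes, not code from the course or any library: it runs the notation of 6.2.5 (H, S, V, K_priv, K_pub) and the certificate generation of 6.2.7 end to end, including the relying party's check of the CA signature before the user's signature is trusted. RSA is used because the notes point out that S is the decrypt operation and V the encrypt operation. The key pairs are assumed toy keys built from fixed Mersenne primes so the example is deterministic and offline; they are far too small to be secure and omit the padding a real RSA signature needs, and the 64-bit truncated hash exists only so H(M) is smaller than every toy modulus. Names, messages and the certificate record format are constructed.

```python
import hashlib

# Toy RSA parameters: fixed Mersenne primes, deterministic and offline. Insecure by size and
# without PKCS#1 padding; constructed for illustration only. Requires Python 3.8+ for pow(e, -1, m).
CA_PRIMES = (2**61 - 1, 2**127 - 1)
USER_PRIMES = (2**89 - 1, 2**107 - 1)
ROGUE_PRIMES = (2**31 - 1, 2**521 - 1)
PUBLIC_EXPONENT = 65537


def make_keypair(primes):
    """Key generation: returns (K_pub, K_priv) as ((n, e), (n, d))."""
    p, q = primes
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
    return (n, PUBLIC_EXPONENT), (n, d)


def H(msg: bytes) -> int:
    """Hash function H: SHA-256 cut to 64 bits so the digest is below every toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")


def S(h: int, k_priv) -> int:
    """Signature generation S: Sig = S(H(M), K_priv). For RSA this is the 'decrypt' operation."""
    n, d = k_priv
    return pow(h, d, n)


def V(sig: int, k_pub) -> int:
    """Verification function V: H(M) = V(Sig, K_pub). For RSA this is the 'encrypt' operation."""
    n, e = k_pub
    return pow(sig, e, n)


def sign(msg: bytes, k_priv) -> int:
    """Steps 1-4 of the procedure: hash the plain text, sign the hash."""
    return S(H(msg), k_priv)


def verify(msg: bytes, sig: int, k_pub) -> bool:
    """Steps 5-7: recover the hash from Sig and compare it with H(M') computed from what arrived."""
    return V(sig, k_pub) == H(msg)


def certificate_record(subject: str, k_pub) -> bytes:
    """Rec: the subject's unique identifier bound to its public key as one byte string."""
    n, e = k_pub
    return f"subject={subject};n={n};e={e}".encode()


def issue_certificate(ca_priv, subject: str, subject_pub) -> dict:
    """Assemble Rec, hash it, sign the hash with K_priv(CA), append the signature."""
    rec = certificate_record(subject, subject_pub)
    return {"rec": rec, "subject": subject, "pub": subject_pub, "sig": S(H(rec), ca_priv)}


def validate_certificate(cert: dict, ca_pub, expected_subject: str):
    """Relying party: check the CA signature on the name/key binding; return K_pub(subject) or None."""
    if cert["subject"] != expected_subject:
        return None
    if certificate_record(cert["subject"], cert["pub"]) != cert["rec"]:
        return None   # name or key carried in the certificate differs from the signed record
    if V(cert["sig"], ca_pub) != H(cert["rec"]):
        return None   # not signed by the CA whose public key we hold
    return cert["pub"]


def relying_party_accepts(msg: bytes, sig: int, cert: dict, ca_pub, claimed_sender: str) -> bool:
    """A receives M, Sig_B(H(M)), Cert_B: validate Cert_B with K_pub(CA), then verify Sig_B with K_pub(B)."""
    k_pub_b = validate_certificate(cert, ca_pub, claimed_sender)
    return k_pub_b is not None and verify(msg, sig, k_pub_b)


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(CA_PRIMES)
    b_pub, b_priv = make_keypair(USER_PRIMES)
    cert_b = issue_certificate(ca_priv, "B", b_pub)
    m = b"transfer 100 NOK to account 1234"   # constructed message
    sig = sign(m, b_priv)
    print("genuine:", relying_party_accepts(m, sig, cert_b, ca_pub, "B"))
    print("altered M:", relying_party_accepts(m + b"0", sig, cert_b, ca_pub, "B"))
    rogue_pub, rogue_priv = make_keypair(ROGUE_PRIMES)
    self_signed = issue_certificate(rogue_priv, "B", rogue_pub)   # a 'root' vouching for itself
    print("self-signed impostor:", relying_party_accepts(m, sign(m, rogue_priv), self_signed, ca_pub, "B"))
```

The last line of the demo is the self-signed root point made in 6.2.8 below: the impostor's certificate is internally consistent and its signature verifies under its own key, yet A rejects it because the only key A treats as authentic is K_pub(CA), obtained out of band. Swapping the key inside an otherwise genuine certificate fails for the same reason, since the CA signature covers the whole record.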
Using certificates to verify signature
If B sends the signed message M, Sig_B(H(M)), Cert_B to A, where H(M) is the hash value of the message M:
• A is the relying party and must first validate Cert_B: A uses the CA's public key K_pub(CA) to verify the CA's signature on the binding between the public key and B's unique identifier.
• A obtains K_pub(B) from the certificate Cert_B.
• A uses K_pub(B) to verify the signature Sig_B(H(M)) on M.
• If A trusts the CA that issued Cert_B and is certain of the CA's public key and unique identifier and is certain of B's unique identifier, then A is certain that message M came from B.

Self-signed root keys
Many people think a root public key is authentic just because it is self-signed. Self-signing provides absolutely no security. It gives an impression of assurance and false trust.

6.2.8 Browser PKI and Malicious Certificates

The web browser automatically validates certificates by checking that the certificate name and the domain name of the web server are equal. Criminals buy legitimate certificates which are automatically validated by browsers. This may be used for malicious phishing attacks, e.g. against a bank. However, these malicious certificates are legitimate certificates. Server certificate validation is not authentication.

7 Authentication

What is authentication? Identity means 'same one as last time'. First time authentication is not meaningful since there is no 'last time'. Authentication requires a first time registration of identity in the form of a name within a domain. Registration may take two forms: pre-authentication, from a previous identity, e.g. a passport, or creation of a new identity, e.g. a newborn baby.

7.1 The Concept of Identity

• Entity: a person, organization, agent, system etc.
• Identity: a set of names, attributes of an entity in a specific domain. An entity may have multiple identities in one domain.
• Digital identity: digital representation of names, attributes in a way that is suitable for processing by computers.
• Names and attributes of entity: can be unique or ambiguous within a domain.

7.2 Entity Authentication

System authentication: verify identity/name of a system in a session. Person authentication: verify correctness of a person's claimed identity or name. This happens in a session and/or in access control. Identity and/or name may be recognized as name, role or attribute. Organization authentication: verify attribute of org., or its authorized representative. This may require person authentication.

7.2.1 Limitation of User Authentication

Limitation applies to the start of a session between user and the system. Assume that the user operates a terminal. Does not guarantee that received messages originate from the user or terminal. There may be a man-in-the-middle attack.

7.3 Message Authentication

This provides evidence that the message or data was sent by a user or entity with a specific identity. Strong message authentication requires cryptographic protection like MAC or DigSign. Weak message authentication only needs some form of electronic evidence, like the sender's phone number of an SMS message.

7.4 User Authentication

Stages of user authentication:
1. Registration: user contacts ID-provider, possibly with documentation. (Pre-authentication.)
2. Provisioning: ID-provider registers unique name and issues credential.
3. Identification: user presents the unique name to select his identity.
4. Verification of identity: user provides the ID together with the credential.
Steps 1 and 2 form the registration phase, which is done only once, while steps 3 and 4 form the authentication phase, which is done multiple times.
The 'thing' used to perform authentication is called a credential. This may also be referred to as a token or an authenticator. Credentials may be passwords, PIN-codes, smart cards etc.
7.4.1 Passwords
This is a simple and the most-often-used authenticator, and it is something the user knows. The problem with passwords is that they are easy to share, may be forgotten, are often easy to guess and may be written down. Some strategies for strong passwords are computer generated passwords, proactive password checking and reactive password checking.
7.5 Digest Authentication
HTTP digest is a simple challenge response protocol specified in RFC 2069. The server sends: WWW-Authenticate = digest, realm = 'server domain', nonce = 'some random number'. The user specifies userID and password in the browser window. The browser produces a password digest from nonce, userID and password using a one-way hash function (e.g. SHA-1). The browser sends userID and digest to the server, which validates the digest.
Passworddigest = H(nonce, userID, password).
7.6 ID-Based Authentication
Biometrics, why use it? It is convenient as it can not be lost or forgotten. It provides for positive authentication → it is difficult to copy, share and distribute. This kind of authentication is increasingly socially acceptable and is becoming less expensive. Biometrics may also be used for identification. Examples of this kind of authentication are fingerprints, facial recognition, eye retina scanning, hand geometry etc. The requirements are that the characteristic of the person should be universal and distinctive.
The safety risk considering biometrics is that attackers might want to 'steal' body parts. Subjects may also be put under duress to produce a biometric authenticator.
7.6.1 Modes of Operation
• Enrollment: analog capture of the user's biometric attribute.
• Identification: capture of a new biometric sample, searching the database for a stored sample.
• Verification: comparison of the new sample with that of the user's stored template.
7.6.2 Matching Algorithm
• True positive: legitimate user is accepted.
• True negative: attacker is rejected.
• False positive → False Acceptance Rate (FAR): attackers are accepted.
• False negative → False Rejection Rate (FRR): legitimate users are rejected.
• Tradeoff between FAR and FRR: FAR = (# accepted attackers) / (total # attackers), FRR = (# rejected users) / (total # users).
7.7 Object-Based Authentication
This is something you have, e.g. a token. Tokens are usually synchronized One-Time Password (OTP) generators. Using a password only once significantly strengthens the security of the authentication process. There are two general methods for this: clock-based tokens and counter-based tokens.
7.7.1 Clock-Based OTP Tokens
The token displays a time-dependent code on its display, and the user has to copy the code to log in. Possession of the token is necessary to know the correct value for the current time. Each code is computed for a specific time window. Clocks must be synchronized. An example of this type of token is BankID.
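The HTTP digest exchange of section 7.5 above, both the browser side and the server side, as an added example that is not part of the notes. The notes abstract the digest as H(nonce, userID, password); this code uses the actual RFC 2069 formula (MD5 of user:realm:password, of method:uri, and of HA1:nonce:HA2), the class and function names are this example's own, and all users and values are constructed. RFC 2069 specifies MD5, which is no longer a recommended hash; it is kept here only for fidelity to the protocol.

```python
"""HTTP Digest authentication (RFC 2069), both sides of the challenge-response."""
import hashlib
import hmac
import secrets


def h(s: str) -> str:
    """H() of RFC 2069: lowercase hex MD5 of the string."""
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return h(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, nonce, method, uri):
    """What the browser computes from the challenge and the user's password."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server: issues nonces, stores HA1 per user, validates digests."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}      # stores H(user:realm:pw), never the password itself
        self.live_nonces = set()   # challenges issued and not yet consumed

    def register(self, username, password):
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def challenge(self):
        """The WWW-Authenticate values: realm and a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, username, nonce, method, uri, response) -> bool:
        """Validate the Authorization header; each nonce is accepted at most once."""
        if nonce not in self.live_nonces:
            return False               # unknown or already used nonce: replay rejected
        self.live_nonces.discard(nonce)
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        ha2 = h(f"{method}:{uri}")
        expected = h(f"{stored}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def client_authorization(username, password, chal, method, uri):
    """The Authorization header the browser sends back to the server."""
    return {
        "username": username,
        "nonce": chal["nonce"],
        "response": digest_response(username, chal["realm"], password,
                                    chal["nonce"], method, uri),
    }


def demo():
    """Returns (fresh login accepted, replay rejected, wrong password rejected)."""
    srv = DigestServer("notes.example")            # constructed sample data
    srv.register("alice", "correct horse battery")
    method, uri = "GET", "/dir/index.html"

    chal = srv.challenge()
    auth = client_authorization("alice", "correct horse battery", chal, method, uri)
    ok = srv.verify(auth["username"], auth["nonce"], method, uri, auth["response"])

    # Re-sending the captured header fails: the nonce has been consumed.
    replay = srv.verify(auth["username"], auth["nonce"], method, uri, auth["response"])

    chal2 = srv.challenge()
    bad = client_authorization("alice", "wrong password", chal2, method, uri)
    wrong = srv.verify(bad["username"], bad["nonce"], method, uri, bad["response"])
    return ok, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```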
7.7.2 Counter-Based OTP Tokens
Counter-based tokens generate a 'password' result value as a function of an internal counter and other internal data, without external inputs. HOTP is an HMAC-based OTP algorithm described in RFC 4226: it is intended for tokens that do not support any numeric input, and the value displayed on the token is designed to be easily read and entered by the user.
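The counter-based HOTP algorithm just described, together with the clock-based variant of 7.7.1, as an added example that is not code from the notes. hotp() follows RFC 4226 (HMAC-SHA1 with dynamic truncation); totp() derives the counter from the clock in 30-second windows, an assumed choice; CounterToken and ClockToken are this example's own server-side verifiers, and the secret is the RFC 4226 test-vector key, not a real credential.

```python
"""HOTP (RFC 4226), a clock-based variant, and server-side verification with resync."""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # shared secret from the RFC's test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Clock-based token: the counter is the number of elapsed time windows."""
    return hotp(secret, unix_time // step, digits)


class CounterToken:
    """Server-side state for one counter-based token.

    The token's counter may run ahead of the server's (the button was pressed
    without logging in), so the server searches a small look-ahead window and
    resynchronises on success. Counters at or below the last accepted one are
    never accepted again, which blocks replay of an observed code.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window

    def verify(self, code: str) -> bool:
        for ahead in range(self.window + 1):
            candidate = hotp(self.secret, self.counter + ahead)
            if hmac.compare_digest(candidate, code):
                self.counter += ahead + 1   # resync: skip the codes the token burned
                return True
        return False


class ClockToken:
    """Server-side verifier for a clock-based token; tolerates one window of clock skew."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_window = -1     # last accepted window, so each code is used once

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for w in range(current - self.skew, current + self.skew + 1):
            if w > self.last_window and hmac.compare_digest(hotp(self.secret, w), code):
                self.last_window = w
                return True
        return False
```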
7.7.3 Challenge Response Systems
A challenge is sent in response to an access request: a legitimate user can respond to the challenge by performing a task which requires use of information only available to the user. Advantage: since the challenge will be different each time, the response will be too. The dialogue can not be captured and used at a later time. Could use symmetric or asymmetric crypto.
7.7.4 Contactless Cards
Contactless identification cards consist of a chip and an antenna. They do not need to come into contact with the machine reader. When not within the range of a machine (RF) reader the card is not powered and so remains inactive. Suitable for use in hot, dirty, foggy environments.
7.7.5 Multi-Factor Authentication
When two or more authentication methods are used to log in. Example: BankID and PIN-code.
7.7.6 Authentication Assurance
This gives trust in identity. It is a requirement for e-business. Authentication assurance: resources have different sensitivity levels. Authentication has a cost, stronger authentication → higher cost. The authentication assurance level should match the sensitivity level.
Authentication Assurance Levels (AAL):
Level 0: None. No registration of identity required.
Level 1: Minimal. Minimal confidence in the identity assertion.
Level 2: Low. Low confidence in the identity assertion.
Level 3: Moderate. Moderate confidence in the identity assertion.
Level 4: High. High confidence in the identity assertion.
Level 1 is used for online self-registration and self-chosen password. Pre-authentication by providing person number. This provides little or no authentication assurance.
Level 2 gives a fixed password provisioned in person or by mail to the user's address in the national person register. OTP calculator without PIN-code, provisioned in person or by mail. List of OTPs provisioned in person or by mail. Provides some authentication assurance.
Level 3 uses an OTP calculator with PIN-code provisioned separately in person or by mail to the address in the national person register. SMS-based authentication, where enrollment of the mobile phone is based on a code provisioned in person or by mail. Personal public-key certificate with government PKI. Provides high authentication assurance.
Level 4 uses two-factor authentication, where at least one factor must be dynamic and at least one is provisioned in person. Also requires logging and auditing by a third party. Provides very high authentication assurance.
8 Identity and Access Management
Identity management: representing entities as digital identities. Managing name spaces of unique identifiers. Mapping identities between domains.
Authentication is registration, provisioning and authentication.
Access is authorization, access approval and accounting (AAA).
8.1 Identity Management Types
1. Mgmt of user IDs and credentials on SP side.
2. Mgmt of user IDs and credentials on user side.
3. Mgmt of SP IDs and credentials on SP side.
4. Mgmt of SP IDs and credentials on user side.
SP = Service Provider.
8.2 Identity Domains
An identity domain is a network realm with a name space of unique names. Management structures: single authority, e.g. user IDs in a company network. Hierarchical: e.g. Domain Name System (DNS). A single policy is normally applied in a domain.
8.3 Single Sign-On
Low acceptance of new services that require separate user authentication. The silo model requires users to provide the same information to many service providers. The silo model makes it difficult to offer bundled services from different service providers. Service providers want better quality user information.
8.3.1 Single Domain SSO
A single authority that acts as identity provider (IdP) and credentials provider; a single authority authenticates users. Advantages: well suited for servers under single management, e.g. within large private and government organizations. Good usability. Disadvantages: politically and technically difficult to implement in open environments. Who trusts authentication by other organizations?
Federated SSO
Identity federation: a set of agreements, standards and technologies that enable a group of SPs to recognize user identities and entitlements from other SPs. Identifier (and credential) issuance as for the silo model. Mapping between a user's different unique identifiers. Authentication by one SP, communicated as security assertions to other SPs. Provides SSO in open environments.
Advantages: improved usability (theoretically). Compatible with silo user-identity domains. Allows SPs to bundle services and collect user info.
Disadvantages: high technical and legal complexity. High trust requirements. Privacy issues. Unimaginable for all SPs to federate.
8.4 Open Identity Model
Single common identifier name space: based on URIs or XRIs. Multiple identity providers: each IdP controls its own domain name and registers users under its own domain name. Whoever controls a domain name can be an IdP. IdPs are involved in every service access: they collect info about service access.
8.4.1 Characteristics
Self registration. Anybody can be IdProvider and server, also you. Not all IdProviders are recognized as 'authorities'. An SP can specify which IdPs it accepts. Not suitable for sensitive services. Typically targets online services with AAL-1. Vulnerable to multiple forms of abuse.
8.4.2 OpenID Business Model
For ID Providers it is a collection of market data: the IdP knows who uses which service, and fragmentation of the ID Provider market is a threat. For Service Providers (Relying Parties): potentially more traffic and business. For users: avoids multiple identities, avoids typing passwords.
8.5 FEIDE
This is the Norwegian ID management system within the national education sector. Users have only one username and password. Users access web-services via a central log-in service. Services are given what they need to know about the user. Services are not given the user's password, only information about the user. FEIDE has formal agreements with the schools before they are connected.
8.5.1 Technical Aspects
Based on SAML 2.0. The back end authenticates users by using LDAP. One central identity provider (IdP) where service providers (SPs) are connected. Single Sign On when going between services. Single Log Out when logging out from a service.
8.6 Access Control
This controls how users and systems access other systems and resources. Prevents unauthorized users from accessing resources. Unauthorized access could compromise confidentiality, integrity and availability of information assets.
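The access control approaches the following subsections describe (DAC via an ACL on the object, MAC via security labels, RBAC, and the combination where MAC is applied first and both must permit), as an added example that is not code from the notes. The subjects, objects, labels and roles are constructed; the MAC rule assumed here is the usual clearance model (read only if clearance is at least the classification, write only if the classification is at least the clearance).

```python
"""DAC (ACL), MAC (labels), RBAC, and the MAC-then-DAC combination."""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ROLE_PERMISSIONS = {"admin": {"read", "write"}, "auditor": {"read"}}   # RBAC policy


@dataclass
class Subject:
    name: str
    clearance: str                       # MAC label, set by the authorization policy
    roles: frozenset = frozenset()


@dataclass
class Resource:
    name: str
    classification: str                  # MAC label, set according to sensitivity
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: subject or role -> set of operations


def mac_permits(s: Subject, r: Resource, op: str) -> bool:
    """Central policy: no read up, no write down. The owner cannot override it."""
    sl, rl = LEVELS[s.clearance], LEVELS[r.classification]
    return sl >= rl if op == "read" else rl >= sl


def dac_permits(s: Subject, r: Resource, op: str) -> bool:
    """Owner's discretion, expressed as the ACL attached to the object."""
    if s.name == r.owner:
        return True
    granted = set(r.acl.get(s.name, ()))
    for role in s.roles:                 # RBAC: rights attached to a role, not an identity
        granted |= set(r.acl.get(role, ())) & ROLE_PERMISSIONS.get(role, set())
    return op in granted


def access(s: Subject, r: Resource, op: str) -> bool:
    """Combined MAC and DAC: MAC first, DAC only if MAC grants; both must permit."""
    return mac_permits(s, r, op) and dac_permits(s, r, op)


def access_matrix(subjects, resources, op="read"):
    """The ACLs of several objects combined into one access control matrix."""
    return {s.name: {r.name: access(s, r, op) for r in resources} for s in subjects}


# Constructed scenario.
BOB = Subject("bob", "confidential")
ALICE = Subject("alice", "secret")
DAVE = Subject("dave", "top secret", frozenset({"auditor"}))
CAROL = Subject("carol", "top secret")

SALARY = Resource("salary.xls", "confidential", owner="bob", acl={"alice": {"read"}})
PLANS = Resource("plans.doc", "top secret", owner="carol",
                 acl={"alice": {"read"}, "auditor": {"read", "write"}})

if __name__ == "__main__":
    # Carol granted Alice read on plans.doc, but MAC is checked first and denies it.
    print(access(ALICE, PLANS, "read"))   # False
    print(access_matrix([BOB, ALICE, DAVE], [SALARY, PLANS]))
```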
8.6.1 Authorization and Access Control
To authorize is to specify access permissions for roles, individuals, entities or processes. Authority may be delegated. Authorization policy is implemented in IT systems in the form of access rules.
Access Control Phases This goes as follows:
Registration: Registration → Provisioning → Authorization : Offline
Operation: Identification → Authentication → Approval : Online
Termination: De-registration → Revoke authorization : Offline
8.6.2 Three Main Approaches
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)
DAC Access rights to an object or resource are granted at the discretion of the owner of the object. According to the Orange Book (TCSEC) DAC is implemented as an Access Control List (ACL). Windows and Linux use DAC.
ACL Attached to an object. Provides an access rule for a list of subjects. Simple means of enforcing policy. Does not scale well. ACLs may be combined into an access control matrix covering access rules for a set of objects.
MAC A central authority assigns access privileges. According to the Orange Book MAC is implemented with security labels, e.g. security clearance and classification levels. (SE)Linux includes MAC.
Labels Security labels can be assigned to subjects and objects. Object labels are assigned according to sensitivity. Subject labels are determined by the authorization policy.
Combined MAC and DAC A combination of these two access control approaches is often used. MAC is applied first: if access is granted → the discretionary system is invoked. Access is granted only if both approaches permit. This ensures no owner may make sensitive information available to unauthorized users.
RBAC Role based. Access rights are based on the role of the subject, rather than its identity. Example: admin. RBAC may be combined with DAC and MAC.
9 Communication Security
Network security has two main areas: communication security and perimeter security.
9.1 Communication Protocol Architecture
This is a layered structure of hardware and software that supports the exchange of data between systems as well as distributed applications (e.g. email). Each protocol consists of a set of rules for exchanging messages. There are two standards: the OSI reference model and the TCP/IP protocol suite. The latter is the most widely used.
9.1.1 Open Systems Interconnection
OSI is developed by the International Organization for Standardization (ISO) and is a 7 layer model. Each layer performs a subset of the required communication functions. Each layer provides services to the next higher layer.
Application: provides access to OSI for users.
Presentation: provides independence to the application from differences in data representation.
Session: provides the control structure for communication between applications.
Transport: provides reliable, transparent transfer of data between end points.
Network: provides upper layers with independence from the data transmission and switching technologies used to connect systems.
Data Link: provides for the reliable transfer of information across the physical link.
Physical: concerned with transmission of unstructured bit stream over physical medium.
9.1.2 OSI vs TCP/IP
Layer  OSI            TCP/IP
7      Application    Application
6      Presentation   Application
5      Session        Application
4      Transport      Transport
3      Network        Internet
2      Data Link      Network Access
1      Physical       Physical
9.1.3 TCP/IP Protocol Architecture
Developed by the US Defense Advanced Research Projects Agency (DARPA) for its packet switched network (ARPANET). Used by the global Internet. No official model, but it is a working one.
9.2 IP Layer Security
This is the standard for secure communications over Internet Protocol (IP) networks. It uses encryption, authentication and key management algorithms. It is based on an end-to-end security model at the IP level. Provides a security architecture for both IPv4 and IPv6 (mandatory for IPv6 and optional for IPv4). It is layer 3 security: it operates on the network layer of OSI and the Internet layer of TCP/IP.
9.3 IPSec Security Services
Message Confidentiality Protects against unauthorized data disclosure. Accomplished by the use of encryption mechanisms.
Traffic Analysis Protection A person monitoring network traffic cannot know which parties are communicating, how often, or how much data is being sent. Provided by concealing IP datagram details such as source and destination address.
Message Integrity IPSec can determine if data has been changed (intentionally or unintentionally) during transit. Integrity of data can be assured by using a MAC.
Message Replay Protection The same data is not delivered multiple times, and data is not delivered grossly out of order. However, IPSec does not ensure that data is delivered in the exact order in which it is sent.
Peer Authentication Each IPSec endpoint confirms the identity of the other IPSec endpoint with which it wishes to communicate. Ensures that network traffic is being sent from the expected host.
Network Access Control Filtering can ensure users only have access to certain network resources and can only use certain types of network traffic.
Key establishment is often accomplished through a manual process.
9.3.2 Gateway-to-Gateway Architecture
Provides secure network communication between two networks. Establishes a VPN connection between the two gateways. Network traffic is routed through the IPSec connection. Only protects data between those two gateways.
9.3.3 Host-to-Gateway Architecture
Commonly used to provide secure remote access. The organization deploys a VPN gateway onto their network; each remote access user then establishes a VPN connection between the local computer (host) and the VPN gateway. As with the gateway-to-gateway model, the VPN gateway may be a dedicated device or a part of another network device. Most often used when connecting hosts on unsecured networks to resources on secured networks, such as linking traveling employees around the world to headquarters over the Internet.
9.3.4 Host-to-Host Architecture
Typically used for special purpose needs, such as system administrators performing remote management of a single server. The only model that provides end-to-end protection for data throughout its transit. Resource-intensive to implement and maintain in terms of user and host management. All user systems and servers that will participate in VPNs need to have VPN software installed.
SSL/TLS
See your own paper on the case, stupid.
Figure: TLS handshake. Client → Server: Client Hello. Server → Client: Server Hello, Server Certificate, Server Key Exchange, Client Certificate Request, Server Done. Client → Server: Client Certificate, Client Key Exchange, Certificate Verify, Client Finished Message. Server → Client: Change Cipher Spec, Server Finished Message.
10 Perimeter Security
This may be firewalls, intrusion detection systems and LAN security.
10.1 Firewalls
A firewall is a check point that protects the internal networks against attack from the outside network. The check point function applies rules to decide which traffic can pass in and out.
If the level of risk associated with maintaining a connection between an organization's internal network and the Internet (or other network(s)) is unacceptable, the most effective way of treating the risk is to avoid the risk altogether and disconnect completely. If this is not possible, then firewalls may provide effective control for reducing the risk level to an acceptable level.
Firewalls are often the first line of defence against external attacks, but should not be the only defence.
A firewall prevents unauthorized access to or from a private network. System admins must define criteria for what is (un)authorized. All traffic that passes through the firewall must meet these specified criteria.
Firewalls may be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
Firewalls must be effectively administrated and updated with the latest patches.
Some description of different types of firewalls follows:
10.1.1 Router Packet Filter
A network router function that accepts/rejects packets based on headers is referred to as a packet filter. Packet filters examine each packet's headers and make decisions based on attributes such as:
• Source or destination IP addresses
• Source or destination port numbers
• Protocol (UDP, TCP or ICMP)
• ICMP message type
• Which interface the packet arrived on
A packet filter examines each packet that attempts to pass through the filter. This is done for both directions. Each packet is examined independently of other packets that may be part of the same connection, unaware of session states at internal or external hosts.
10.1.2 Host-Based Packet Filters
Routers are commonly used as packet filters, in addition to normal routing duties. A host may perform packet filtering as well as other duties, such as web serving. In this case the packet filter is designed to protect the host itself, not other hosts. Common packet filter software includes:
• IPChains for Linux
• TCP wrappers for various Unix
• IP filter for Sun Solaris
10.1.3 Stateful Packet Filters
Stateful packet filters take account of the current state of a connection. They are more 'intelligent' than simple packet filters. They are also able to recognize if a particular packet is part of an established connection by 'remembering' recent traffic history. This makes the definition of filtering rules easier to accomplish and therefore potentially more secure.
A stateful packet filter keeps track of sessions. Though it can be subject to Denial of Service (DoS) attacks.
Stateful packet filters are sometimes called dynamic packet filters due to their ability to add rules 'on the fly'. For example: they can recognize an outgoing connection request from an internal client being sent to an external server, and will add a temporary rule to allow the reply traffic back through the firewall. When the session is finished, the temporary rule is deleted.
Common software packages include:
• IPTables for Linux
• Checkpoint Firewall-1
• Cisco PIX (integrated hardware and software)
• Microsoft Internet Security and Acceleration Server
Strengths and Weaknesses Its strengths are low overhead and high throughput, and it supports almost any application. Its weakness is that it does not usually interpret application data/commands: it may allow insecure operations to occur. It allows direct connection between hosts inside and outside the firewall.
10.1.4 Personal Firewalls
This is a program designed to protect the computer it is installed on. Personal firewalls are frequently used by home users to protect themselves from the Internet. They are usually a stateful packet filter. Some products include anti-virus software as well (usually at extra cost).
10.1.5 Circuit Level Gateways
A circuit level gateway is a special type of application level gateway with reduced security checking. It acts as a relay of TCP/UDP layer data rather than application data, and usually no analysis of the application layer data is performed. Connections are validated before allowing data to be exchanged. It is able to identify a particular packet as being part of a particular connection. High performance is possible due to the limited security checking. Similar strengths and weaknesses to stateful packet filters, except that it can examine application layer data to a certain extent, but not up to application level gateway standards. E.g. some control/blocking of insecure FTP commands.
10.1.6 Application Level Gateway
This acts as a relay of application level traffic. Also known as an application proxy because the firewall needs to act on behalf of the client. Usually configured to support only specific applications or specific features of an application: each application is supported by a specific gateway in the firewall.
10.1.7 How it works
1. Client sends a request to the server, which is intercepted by the firewall (application gateway).
2. Firewall sends the request to the server on behalf of the client.
3. Server sends reply back to the firewall. Firewall sends reply to the client.
4. Both client and the server think they are communicating with each other, not knowing the firewall exists. It is transparent.
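The stateless packet filter of 10.1.1 beside the stateful filter of 10.1.3, run over a few constructed packets, as an added example that is not code from the notes. The rule set is constructed: the internal network is 10.0.0.0/24, internal clients may open HTTP/HTTPS connections outward, the mail server 10.0.0.25 accepts SMTP from anywhere, and addresses in 203.0.113.0/24 (documentation range) stand in for external hosts. It shows the weakness the notes mention: a stateless filter can only admit replies by trusting the source port, which any external host can set.

```python
"""A stateless packet filter beside a stateful (dynamic) one."""
from dataclasses import dataclass

ALLOWED_OUTBOUND = {80, 443}
MAIL_SERVER, SMTP = "10.0.0.25", 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True for a connection request, False for later packets
    fin: bool = False      # True when the session is being closed


def internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")


def stateless_filter(p: Packet) -> bool:
    """Each packet judged on its own headers, unaware of any session."""
    if p.proto != "tcp":
        return False
    if internal(p.src) and p.dport in ALLOWED_OUTBOUND:
        return True                                   # client -> web server
    if not internal(p.src) and p.sport in ALLOWED_OUTBOUND:
        return True                                   # looks like a web reply (weakness)
    if not internal(p.src) and p.dst == MAIL_SERVER and p.dport == SMTP:
        return True
    return False


class StatefulFilter:
    """Keeps a session table; a temporary rule for the replies is added 'on the fly'
    when a connection is legitimately opened, and removed when the session closes
    (simplified: one FIN closes the session)."""

    def __init__(self):
        self.sessions = set()   # (proto, src, sport, dst, dport) of open sessions

    def _may_open(self, p: Packet) -> bool:
        if internal(p.src) and p.dport in ALLOWED_OUTBOUND:
            return True
        if not internal(p.src) and p.dst == MAIL_SERVER and p.dport == SMTP:
            return True
        return False

    def decide(self, p: Packet) -> bool:
        if p.proto != "tcp":
            return False
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            if p.fin:
                self.sessions.discard(forward)
                self.sessions.discard(reverse)
            return True                               # part of a tracked session
        if p.syn and self._may_open(p):
            self.sessions.add(forward)                # temporary rule for reply traffic
            return True
        return False


def run(packets, stateful: StatefulFilter):
    """Returns [(stateless verdict, stateful verdict), ...] in packet order."""
    return [(stateless_filter(p), stateful.decide(p)) for p in packets]


TRAFFIC = [  # constructed sample traffic
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),   # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 40000),             # genuine reply
    Packet("203.0.113.99", 443, "10.0.0.7", 3389),              # unsolicited, source port forged
    Packet("203.0.113.20", 51000, "10.0.0.25", 25, syn=True),   # inbound mail
    Packet("203.0.113.20", 51000, "10.0.0.8", 25, syn=True),    # SMTP to a non-mail host
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, fin=True),   # client closes the session
    Packet("203.0.113.10", 443, "10.0.0.5", 40000),             # late packet after the close
]

if __name__ == "__main__":
    for p, verdict in zip(TRAFFIC, run(TRAFFIC, StatefulFilter())):
        print(p.src, p.sport, "->", p.dst, p.dport, "stateless/stateful:", verdict)
```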
10.1.8 TLS/HTTPS Traffic Inspection
As known, TLS is designed for end-to-end encryption, so a firewall may not inspect it. In order to inspect TLS, terminate the TLS connections at the gateway. A SysAdmin must create an internal PKI root and issue internal server certificates with the names of the external servers (e.g. Facebook). Internal users/hosts will receive the server certificate from the gateway and believe that the certificate comes from the external server. This causes a clear text gap at the gateway, but it is transparent to users.
10.2 Network Address Translation (NAT)
This translates public ↔ private addresses and ports. The possibilities are: static mapping (permanent mapping of public to private addresses), dynamic mapping (mapping of public to private addresses when needed, unmapped when no longer needed), port address translation (PAT) (multiple internal addresses mapped to the same public address but with different port numbers).
NAT helps enforce control over outbound connections, restricts incoming traffic, conceals the internal network configuration and prevents port scanning. It can not be used with protocols that require a separate back-channel, protocols that encrypt TCP headers, protocols that embed TCP address info, or IPv6.
IPv4 Addresses
IPv4 addresses are 32 bits → 2^32 = 4,294,967,296 unique addresses. Represented as four decimal bytes separated by dots. For the University of Oslo it is: 129.240.8.200.
10.3 Deep Inspection Application Gateways
Deep packet inspection looks at application content instead of individual or multiple packets. It keeps track of application content across multiple packets. Potentially unlimited level of detail in traffic filtering.
For example, packet 1 contains an IP header, a UDP header and payload data. Deep inspection only looks at the payload data, that is the application parameters for e.g. Facebook.
10.4 Screened Bastion-Host
This is a dedicated firewall that comes in addition to the packet filtering routers. Its functions are: proxy for services in the internal network, NAT, protocol gateway for different link layer protocols.
10.5 Intrusion Detection Systems
Intrusion detection systems (IDS) are automated systems (programs) that detect suspicious events. IDS can be either host-based or network-based. A host based IDS is designed to detect intrusions only on the host it is installed on: it monitors changes to the host's operating system files and traffic sent to the host. Network based IDS (NIDS) are designed to detect intrusions on one or more network segments, usually deployed to protect a number of hosts: they monitor network(s) looking for suspicious traffic.
What should be detected? Attempted and successful break-ins, attacks by legitimate users (for example, illegitimate use of root privileges), trojan horse malware, viruses and worms, denial of service attacks.
10.5.1 Intrusion Detection Techniques
Misuse detection Must know in advance what the attacker will do (how?). Can only detect known attacks.
Anomaly detection Using a model of normal system behavior, try to detect deviations and abnormalities. Can potentially detect unknown attacks.
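Misuse detection and anomaly detection run side by side over the same constructed connection log, as an added example that is not code from the notes. The log lines, the signature set, the baseline and the ground truth are all constructed; the anomaly model is the simplest possible one (a source touching more distinct ports than any normal host did), and the evaluation shows the two error types of each approach: the unknown scan is missed by the signatures (a false negative), while the administrator's own scanner is flagged by the anomaly model (a false positive).

```python
"""Signature (misuse) detection beside anomaly detection on one log."""
import re
from collections import defaultdict

# Constructed log; each line is "time src dst dport request".
LOG = """\
10:00:01 10.0.0.5 10.0.0.80 80 GET /index.html
10:00:02 10.0.0.5 10.0.0.80 80 GET /img/logo.png
10:00:03 203.0.113.7 10.0.0.80 80 GET /cgi-bin/../../../../etc/passwd
10:00:04 203.0.113.9 10.0.0.80 22 -
10:00:04 203.0.113.9 10.0.0.80 23 -
10:00:05 203.0.113.9 10.0.0.80 25 -
10:00:05 203.0.113.9 10.0.0.80 80 -
10:00:06 203.0.113.9 10.0.0.80 110 -
10:00:06 203.0.113.9 10.0.0.80 143 -
10:00:07 10.0.0.2 10.0.0.80 22 -
10:00:07 10.0.0.2 10.0.0.80 80 -
10:00:08 10.0.0.2 10.0.0.80 443 -
10:00:08 10.0.0.2 10.0.0.80 3306 -
10:00:09 10.0.0.2 10.0.0.80 5432 -
10:00:10 203.0.113.7 10.0.0.80 80 GET /login?user=admin%27--
"""

# Misuse detection: known attack patterns only (constructed signature set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "windows-shell": re.compile(r"cmd\.exe", re.I),
}

# Anomaly detection: during the (constructed) baseline period no normal host
# touched more than this many distinct ports; exceeding it is flagged.
BASELINE_MAX_PORTS = 3

# Ground truth for the constructed log. 10.0.0.2 is the administrator's own
# vulnerability scanner, so it is legitimate although it behaves like a scan.
TRUTH = {"203.0.113.7", "203.0.113.9"}


def parse(log: str):
    rows = []
    for line in log.splitlines():
        t, src, dst, dport, req = line.split(" ", 4)
        rows.append({"time": t, "src": src, "dst": dst, "dport": int(dport), "req": req})
    return rows


def misuse_alerts(rows):
    """(source, signature name) for every request matching a known pattern."""
    return sorted({(r["src"], name) for r in rows
                   for name, pat in SIGNATURES.items() if pat.search(r["req"])})


def anomaly_alerts(rows):
    """Sources whose number of distinct destination ports exceeds the baseline."""
    ports = defaultdict(set)
    for r in rows:
        ports[r["src"]].add(r["dport"])
    return sorted(src for src, ps in ports.items() if len(ps) > BASELINE_MAX_PORTS)


def evaluate(flagged, rows):
    """Per-source true positives, false positives (harmless behaviour flagged)
    and false negatives (attacks missed) against the ground truth."""
    sources = {r["src"] for r in rows}
    flagged = set(flagged)
    return {
        "tp": len(flagged & TRUTH),
        "fp": len(flagged - TRUTH),
        "fn": len((sources & TRUTH) - flagged),
    }


if __name__ == "__main__":
    rows = parse(LOG)
    print("misuse:", misuse_alerts(rows), evaluate([s for s, _ in misuse_alerts(rows)], rows))
    print("anomaly:", anomaly_alerts(rows), evaluate(anomaly_alerts(rows), rows))
```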
Honeypots
This is a computer configured to detect network attacks or malicious behavior. It appears to be part of a network, and seems to contain information or a resource of value to attackers. But honeypots are isolated, are never advertised and are continuously monitored. All connections to honeypots are per definition malicious. Can be used to extract attack signatures.
Port Scanning
Many vulnerabilities are OS-specific: bugs in implementation, default configuration. A port scan is often a prelude to an attack. The attacker tries many ports on many IP addresses, for example looking for an old version of some daemon with an unpatched buffer overflow. If the characteristic behavior is detected, the attack is mounted.
Intrusion Detection Errors
False negatives: an attack is not detected. A big problem in signature-based misuse detection.
False positives: harmless behavior is classified as an attack. A big problem in statistical anomaly detection.
Both types of IDS suffer from both error types.
Intrusion Detection Problems
Lack of training data with real attacks: but lots of 'normal' network traffic and system call data. Data drift: statistical methods detect changes in behavior, so an attacker can attack gradually and incrementally. Discriminating characteristics are hard to specify: many attackers may be within the bounds of the 'normal' range of activities. False identifications are very costly: the SysAdmin will spend many hours examining evidence.
Attacking and Evading NIDS
Overload the NIDS with huge data streams, then attempt the intrusion. Use encryption to hide packet content. Split malicious data into multiple packets.
10.6 Intrusion Prevention Systems
Intrusion prevention systems (IPS) is a relatively new term that may mean different things. Most commonly, an IPS is a combination of an IDS and a firewall: a system that detects an attack and may stop it as well. It may be an extension of an NIDS.
10.7 WLAN Security
Only authorized terminals (or users) may get access through the WLAN. It should be impossible to set up a rogue AP. Interception of traffic by radios within range should be impossible.
10.7.1 802.11 Wireless LAN Security
                    WEP ('99)   WPA ('03)     WPA2 ('04), aka RSN
Auth. and key gen.  WEP         EAP           EAP
Encryption          RC4         RC4 + TKIP    CCMP: AES CTR (or TKIP)
Integrity           None        Michael MIC   CCMP: AES CBC-MAC
Notation of Table
• WPA: WiFi Protected Access
• EAP: Extensible Authentication Protocol
• RC4: Rivest Cipher 4 (stream cipher)
• TKIP: Temporal Key Integrity Protocol
• Michael MIC: a type of Message Integrity Check
• CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
11 Application and Operations Security
Application security: malicious software, attacks on applications.
11.1 Malware
Malicious content comes in many different forms and has different effects. It is difficult to know when infected. More advanced forms emerge. Malware is a growing concern.
There are different types of malicious programs. They can either be independent or need a host program. Independent malware may be worms and zombies. Malware that needs a host program can be trapdoors, logic bombs, trojans and viruses. Viruses, worms and zombies replicate.
How do computers get infected? Direct attacks from the network, as worms or exploitation of application vulnerabilities such as SQL injection or buffer overflows. Accessing a malicious or infected website or starting an application from a website. Installing infected software.
11.1.1 Backdoor or Trapdoor
This is a secret entry point into a program, allowing those who know of it access while bypassing the usual security procedures. Has been commonly used by developers for testing. A threat when left in production programs, allowing exploitation by attackers.
11.1.2 Logic Bomb
One of the oldest types of malicious software. Code embedded in a legitimate program. Activated when specified conditions are met: e.g. presence/absence of some file, particular date/time, particular user. It causes damage when triggered: modify/delete files/disks, halt machine, etc.
11.1.3 Worms
Replicating program that propagates over the net: using email, remote login. It has phases like a virus. May disguise itself as a system process. One of the best known worms is the Morris Worm.
Mobile Phone Worms First appeared on mobile phones in 2004. They communicate via Bluetooth or MMS. They disable the phone, delete data on the phone or send premium-priced messages.
Worm Countermeasures Overlaps with antivirus techniques. Worms also cause significant net activity. Worm defense approaches include:
• Signature-based worm scan filtering.
• Filter-based worm containment.
• Payload-classification-based worm containment.
• Threshold random walk scan detection.
• Rate limiting and rate halting.
11.1.4 Viruses
A piece of software that infects programs: modifying programs to include a copy of the virus, so it executes secretly when the host program is run. Specific to operating system and hardware: taking advantage of their details and weaknesses. A typical virus goes through the phases: dormant, propagation, triggering, execution.
11.1.5 Trojan Horse
A program with hidden side-effects. The program is usually superficially attractive: e.g. a game. Performs additional tasks when executed, allowing the attacker to indirectly gain access they do not have directly. Often used to propagate a virus/worm or to install a backdoor.
11.2 Distributed Denial of Service Attacks
Distributed Denial of Service (DDoS) attacks form a significant security threat. Making networked systems unavailable: by flooding with useless traffic. Uses large numbers of 'zombies'.
11.2.1 Constructing an Attack Network
Must infect large numbers of zombies. Needs:
1. Software to implement the DDoS attack.
2. An unpatched vulnerability on many systems.
3. Scanning strategy to find vulnerable systems.
11.2.2
Prevention of SQL Injection Check and filter
user input: length limit on input (most attacks depend on long query strings); different types of input have a specific language and syntax associated with them (e.g. name, e-mail, etc.); do not allow suspicious keywords.

DDoS Countermeasures
Three broad lines of defense:
1. Attack prevention and preemption (before).
2. Attack detection and filtering (during).
3. Attack source traceback and identification (after).
There is a huge range of attack possibilities, hence countermeasures keep evolving.

11.2.3 Botnet
A botnet is a collection of software agents (robots) that run autonomously and automatically and execute malicious functions in a coordinated way. A botnet is named after the malicious software, but there can be multiple botnets using the same malicious software, operated by different criminal groups.

11.3 SQL
Structured Query Language (SQL) is the interface to relational database systems. It allows for insertion, update, deletion and retrieval of data in a database.

11.3.1 SQL Injection
SQL injection is the ability to inject SQL commands into the database engine through an existing application. The flaw is in the web application, not in the database or the web server. No matter how patched your system is, no matter how many ports you close, an attacker can get complete ownership of your database.
Some possibilities:
• Brute forcing passwords using the attacked server to do the processing.
• Interact with the OS, reading and writing files.
• Gather IP information through reverse lookup.
• Start an FTP service on the attacked server.
• File uploading.

Prevent SQL Injection and Cross-Site Scripting (XSS) Attacks
SCRUB error handling: error messages divulge information that can be used by a hacker, so error messages must not reveal potentially sensitive information. VALIDATE all user-entered parameters.

12 Operations Security
Military Operations Security (OPSEC) is a process that identifies critical information related to military operations, and then executes selected measures that eliminate or reduce adversary exploitation of this information.
Commercial Operations Security is to apply security principles and practices to computer and business operations.

12.1 Due Diligence and Due Care
In general, due diligence is to make the necessary investigations in order to be well informed. Information security due diligence is the process of investigating security risks: risk assessment is an essential element of due diligence. To show due care means that a company implements security policies, procedures, technologies and standards that balance the security risks. Practicing due diligence and due care together means that a company acts responsibly by taking the necessary steps to protect the company, its assets and its employees.

12.2 Patch Management
1. Provide a patch management infrastructure → requires procedures, staff and a computing environment.
2. Research newly released patches → compatibility issues, authenticity and integrity of patches.
3. Test new patches on isolated platforms → patches often break functions, so it is better to try them out first.
4. Deploy patches to production platforms → progressively, from the least sensitive to the most sensitive systems.
5. Validate, log and report patching activities.

12.3 Top 20 Security Controls
The Top 20 Controls were agreed upon by a US consortium brought together by John Gilligan and the Center for Strategic and International Studies.
1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.
3. Secure configurations for hardware and software on laptops, workstations and servers.
4. Secure configurations for network devices such as firewalls, routers and switches.
5. Boundary defense.
6. Maintenance, monitoring and analysis of security audit logs.
7. Application software security.
8. Controlled use of administrative privileges.
9. Controlled access based on the need to know.
10. Continuous vulnerability assessment and remediation.
11. Account monitoring and control.
12. Malware defense.
13. Limitation and control of network ports, protocols and services.
14. Wireless device control.
15. Data loss prevention.
16. Secure network engineering.
17. Penetration tests and red team exercises.
18. Incident response capability.
19. Data recovery capability.
20. Security skills assessment and appropriate training to fill gaps.

13 Privacy and Regulatory Requirements

13.1 Regulation of IT Security
Regulation is a term used for governmental control over the actions of society's stakeholders. Laws provide the grounds for regulation. Regulation follows political decisions, and usually relates to existing legal frameworks and societal demands. Regulation is often the result of either a new risk to society, or persisting conflicts in the unregulated market, e.g. market failure. Self-regulation of stakeholders is another way of regulation.

13.1.1 Who Regulates IT?
The government is the source of most regulation → even in the areas where government attention spawned effective self-regulation. Post- og teletilsynet and Datatilsynet are specific supervisory authorities that regulate IT in Norway, among others.

13.1.2 Regulatory Frameworks
Electronic Signatures in Europe
The goal is to provide a harmonized framework for the provision and use of electronic signatures in Europe. It defines terms, the applicability of e-signatures, the responsibilities of certificate authorities (CAs), liability and security requirements.
Data Protection
The OECD guidelines define the international basis for the collection, use and transfer of personal data. Regional (e.g. EU-wide) formulation of common data protection rules for harmonized services. National implementation and supervision in national laws and legal systems by the national governments. Datatilsynet is the supervisory authority in Norway. In Norway, privacy can easily be weakened through new laws (e.g. Skatteliste, road toll, etc.). Some countries require data breach publication.
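As an added example that is not part of the notes, the input-validation and error-handling advice from section 11.3.1 above (SQL Injection) in working Python: a parameterised query (a technique the notes do not name) beside the string-built form it replaces, an e-mail parameter validated for length and type-specific syntax, and a request handler that returns a generic message while the detail goes only to the server log. The sqlite3 in-memory table, its two user rows and the 254-character limit are constructed for the demonstration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("webapp")
MAX_LEN = 254  # length limit: injection payloads tend to be long (constructed value)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""

def make_db():
    """Constructed sample database (not from the notes): two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.org", "user"),
                      ("bob", "bob@example.org", "admin")])
    return conn

def lookup_unsafe(conn, email):
    # Vulnerable form, shown for contrast only: the value is pasted into the
    # SQL text, so the engine cannot tell data from code.
    sql = "SELECT name, role FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_param(conn, email):
    # Parameterised query: the value is passed separately, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def validate_email(value):
    # Type-specific syntax: an e-mail field accepts e-mail syntax only, which
    # also excludes quotes, comment markers and SQL keywords.
    if len(value) > MAX_LEN:
        raise InvalidInput("parameter too long")
    if not EMAIL_RE.fullmatch(value):
        raise InvalidInput("parameter is not an e-mail address")
    return value

def handle_request(conn, email):
    # Scrubbed errors: generic message to the client, detail only to the server log.
    try:
        return {"ok": True, "rows": lookup_param(conn, validate_email(email))}
    except InvalidInput as exc:
        log.warning("rejected parameter (%d chars): %s", len(email), exc)
        return {"ok": False, "error": "invalid request"}
    except sqlite3.Error as exc:
        log.error("database error: %s", exc)
        return {"ok": False, "error": "internal error"}
```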
13.2 Data Protection Regulation
Privacy design vs. business model is a difficult challenge. Data minimization might be the 'best guess'. Protection is the 'right to be left alone'. Complications with data protection can be geographical: USA vs. Europe (safe harbor). Legal: differences between jurisdictions in different locations. Sectoral (USA): industry self-regulation with occasional sectoral regulation (e.g. health data). Future challenges: interpretation of personal data through others in wrong contexts.

13.2.1 EU Directive on Data Protection
Created a harmonized space for handling personal information in EU and EFTA/EØS countries. Rules based on the OECD guidelines.
• Transparency, legitimate purpose, proportionality.
• Supervisory authority and public register of processing operations.
• Transfer of personal data to third countries.
However, in most member states, a violation of privacy laws is not a capital crime of great interest to the government solicitor.

13.2.2 Cross-Border Issues
Today's Internet services and mobile network apps are located in many countries. They can be moved easily, along with their data. Consequence: the safe harbor agreement between the EU and the USA. The regulation was made for central data centers, not for cloud computing and global mobile phone networks.

13.2.3 Application of Data Protection Laws
Complex issue: analysis of various, possibly contradictory laws. Future introduction of new laws. Cross-border service or system mobility. The user experience should not be impaired. Privacy management cost can be significant.

13.2.4 Norwegian Regulation
The general rules in 'personopplysningsloven' apply to RFID applications. No specific regulation has been implemented. However, Datatilsynet has already commented on several RFID-based projects and formulated stringent requirements, e.g. in the case of passports.

13.3 EU Draft Recommendations
1. RFID operators shall conduct privacy risk assessments.
2. Risk assessments should honor stakes, and cover all stakeholders.
3. It is mandatory to take appropriate technical and organizational measures to mitigate the privacy risks.
4. Assign a responsible person for audit and adaptation of the above.
5. Privacy and security risk management shall be aligned.
6. The privacy risk assessment summary must be published at the latest upon deployment of the RFID application.

13.4 Tension With Other Laws
Data retention for intelligence/criminal investigation. Specific tax laws, e.g. Norway's Skatteliste and Norway's scanning of credit card payments.

13.5 Privacy Enhancing Technology
Privacy Enhancing Technology (PET), definition: a collection of IT artifacts that are used to minimize personal data, secure the use and storage of personal data, and enable the secure and privacy-preserving management of personal data. Many flavors and purposes, ranging from self-defense to corporate information management. Encryption is a building block for PET, but not enough to provide pseudonymity, anonymity or unlinkability of transactions.
PET development is inspired by the legal perspective on basic human rights. Technology-centric approach. PET research has focused on information hiding and control, with much focus on the end user and his action options.

13.6 Browser Cookie Manipulation
Swaps and manages cookies. Random cookie exchange with other users. Goal: control the sending and storage of one's own browser cookies. Attacks user-profiling websites through fake cookies or other people's cookies: this creates entropy and destroys the database's value.

13.7 Is Privacy Different from Security?
Privacy protection uses most known security methods to build protocols. The goals of privacy, however, are more than integrity, confidentiality, availability and non-repudiation: unobservability, unlinkability, unidentifiability, anonymity.

References
[1] Audun Jøsang, All lectures of INF3510. University of Oslo, Oslo, Spring 2012.
[2] Lothar Fritsch, Privacy and Regulatory Requirements. Norsk Regnesentral, Oslo, Spring 2012.