CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz Limitations of Cryptography Crypto can be difficult to get right – Need expertise; “a little knowledge can be a dangerous thing…” – Should be integrated from the beginning Crypto will not solve all security problems – Must be implemented correctly – Key mgmt; social engineering; insider attacks – Develop (appropriate) attack/trust models – Need to analyze weak link in the chain… Continued… Human factors – Crypto needs to be easy to use both for endusers and administrators • Educate users – Generally, crypto isn’t just “plug-and-play” --need to know what you are doing Need for detection, audit, and recovery – In addition to other security measures Specific themes No “security through obscurity” Security as a process, not a product Manage risk Encryption does not provide authentication Need good sources of randomness Side channels and other unexpected avenues of attack Also… The papers demonstrate the importance of security in real-world applications! Hope you found them fun to read, also… – Hacking can be fun! “Why Cryptosystems Fail” Limited disclosure of crypto failures… Insider attacks – By bank clerks, maintenance engineers, … – Poor prevention/detection mechanisms – Poor key management Bad modeling – Failure to take into account chosen-plaintext attacks; live/test systems using same key – Bad trust models – Constantly changing threat model “Why Cryptosystems Fail” Poor cryptography – No cryptographic redundancy on ATM card – Unauthenticated authorization response! – No authentication of ATM machine to card – PIN not tied to account number – Bad “randomness” – Remote PIN verification – Incorrect key lengths – “Home-brewed” encryption algorithms “Insecurity of 802.11” WEP encryption protocol: IV, RC4(IV, k) (M, c(M)) Is this secure against chosen-plaintext attacks? – It is randomized… – But how is the IV chosen? • Only 24 bits long • Reset to 0 upon re-initialization “Insecurity of 802.11” Known-plaintext attacks – Based on header information… Chosen-plaintext attacks – Send IP traffic/e-mail to the mobile host – Transmit broadcast messages to access point – Authentication spoofing “Insecurity of 802.11” No cryptographic integrity protection – Encryption does not provide authentication! – Adding redundancy does not help… • Especially when a linear checksum is used • And when the checksum is key-independent – Encryption used to provide authentication • Allows easy spoofing after eavesdropping – Allows IP redirection attack – Allows TCP “reaction” attacks --- chosenciphertext attacks! “Analysis of E-Voting System” This paper should scare you… – Magnitude of possible attacks by voters – Not just the security flaws, but also the reaction of Diebold and govt. officials… Morals – Security through obscurity does not help – In this case, code was leaked “Analysis of E-Voting System” Poor cryptography – Smartcards have no cryptographic function – No cryptographic protection against multiple voting; improper audit mechanism for detecting overvoting – No cryptographic protection for admin cards • Only a weak PIN…if any • Possible to shut down the election! “Analysis of E-Voting System” Poor cryptography… – Most data stored without any integrity • Easy to modify ballot… – Hard-coded, non-random DES key! • Used for multiple versions!! – CBC mode with IV set to 0! • Problems with deterministic encryption… • Linking voters to votes – No cryptographic integrity mechanism Poor audit trail