Introduction to Information Security
Pieter.Hartel@utwente.nl

Overview
» Definitions
» Design issues
» Cryptography
» Security Protocols

[And08] R. J. Anderson. Security Engineering: A guide to building dependable distributed systems. John Wiley & Sons Inc, New York, Second edition, 2008. http://www.cl.cam.ac.uk/~rja14/book.html
[Sch04b] B. Schneier. Secrets and Lies: Digital Security in a Networked World. Wiley Publishing Inc, Indianapolis, Indiana, second edition, 2004. http://www.schneier.com/book-sandl.html

Definitions

[Men01a] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Chapter 1 of Handbook of applied cryptography. CRC Press, 2001. http://www.cacr.math.uwaterloo.ca/hac/

Security is asset protection
[Figure: relationships between owners (1), assets (2), risk (3), vulnerabilities (4), countermeasures (5), threats (6) and threat agents (7)]

[ISO09] ITSEC. Information technology security techniques evaluation criteria for IT security part 1: Introduction and general model. Int. Standard ISO/IEC 15408-1, ISO/IEC, Dec 2009. http://standards.iso.org/ittf/PubliclyAvailableStandards/c050341_ISO_IEC_15408-1_2009.zip

Definitions
Availability: authorised users want the system to work as/when they expect it to
Reliability: the ability of a system or component to perform its required functions
Safety: being protected against non-desirable events (not specifically malicious)
Confidentiality: to stop unauthorised users from reading sensitive information
Integrity: Every data item/system component is as the last authorised modifier left it
Maintainability: ease with which a software product can be modified

Dependability vs. Security
[Figure: attributes grouped under Dependability and Security]
» Availability (systems, data)
» Reliability (systems)
» Safety (systems)
» Confidentiality (data)
» Integrity (systems, data)
» Maintainability (systems)

[Avi04] A. Avižienis, J.-C.
Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. on Dependable and Secure Computing, 1(1):11-33, Jan 2004. http://doi.ieeecomputersociety.org/10.1109/TDSC.2004.2

Access control model – AU3
[Figure: Principal (source) → Do operation (request) → Reference monitor (guard) → Object (resource), with authentication, authorisation and an audit log]
Authentication: determine who makes request
Authorisation: determine who is trusted to do which operation on an object
Auditing: determine what happened and why

[Lam04] B. W. Lampson. Computer security in the real world. IEEE Computer, 37(6):37-46, Jun 2004. http://doi.ieeecomputersociety.org/10.1109/MC.2004.17

Privacy vs. Security
Privacy is the right of an individual to determine what information about oneself to share with others
Security can help
» Selectively encrypt data
Security can hinder
» Calling home to prevent piracy
» (Audit) logging

[War1890] S. D. Warren and L. D. Brandeis. The right to privacy. Harvard Law Review, 4(5):193-220, Dec 1890. http://www.jstor.org/stable/1321160

Design issues

Examples of design goals
Good:
» As secure as the real world [Lam04]
» Defense in depth
» Make it usable
» Be explicit about: naming, typing, freshness, assumptions, goals, limitations etc [And95a]
Bad:
» Design security as an afterthought
» Security by obscurity [Ker1883]
» Make it complicated

[Ker1883] A. Kerckhoffs. La cryptographie militaire. J. des Sciences Militaires, IX:5-38, Jan 1883. http://www.petitcolas.net/fabien/kerckhoffs/

Tools
Policy – what is supposed to happen?
» Access control
Mechanisms – how should it happen?
» Tamper resistance
» Biometrics
» Cryptography, Hashing, Random numbers
Assurance – does it work?
» Risk management
» Protocol verification

Attacks
Definition: a successful exploitation of a vulnerability
Examples:
» Attacker shuts you out by trying to log in as you
» Cold boot attack (remember the movie?)

[Hal08] J. A. Halderman, S. D. Schoen, N. Heninger, W.
Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In 17th USENIX Security Symp., pp 45-60, San Jose, California, Jul 2008. USENIX Association. http://citp.princeton.edu/memory/

Cryptography [Men01a]

Algorithms + keys
Cipher (aka cryptosystem)
» “Public” algorithm +
» Secret keys
[Figure: “attack” → encrypt → decrypt → “attack”; sample strings shown: “gfd6#Q”, “sdwr$350”]

Symmetric ciphers
Public algorithm + one secret key
Standard algorithms: DES, AES
Example: one time pad

  01011001   Message
  01010101   Secret key
  -------- XOR
  00001100   Cipher text
  01010101   Secret key
  -------- XOR
  01011001   Decrypted message

Asymmetric ciphers
Public algorithm + private key + public key
Example: El Gamal
» Multiplicative group $\mathbb{Z}_n^* = \{1, \ldots, n-1\}$ with $n$ prime
» Generator $g$: $\mathbb{Z}_n^* = \{ g^i \mid i \in \mathbb{N} \}$
» Private key: $x \in \mathbb{Z}_n^*$
» Public key: $h = g^x$
» Salt: $y \in_R \mathbb{Z}_n^*$
» Enc(m,h): $(c,d) = (m h^y, g^y)$
» Dec((c,d),x): $c / d^x$
All calculations modulo n
Exercise: prove that this works...

Random numbers
Pseudo random in SW
True random in HW
Standard statistical tests
» NIST web site
For example
» Linear Congruential Method
» $r_0 = s$
» $r_{n+1} = (a r_n + c) \bmod m$
» Cyclic
» Deterministic

Hash functions
Map arbitrary bit string to fixed size output
» Easy to calculate for given input
» Practically impossible to invert
» Extremely unlikely that two inputs give the same hash
For example
» Knuth’s variant on Division
» $\mathrm{Hash}(n) = n(n+h) \bmod m$
» Try it out…

Visual Cryptography

[Nao97] M. Naor and B. Pinkas. Visual authentication and identification. In Burton S. Kaliski Jr., editor, 17th Int. Conf. on Advances in Cryptology (CRYPTO), volume LNCS 1294, pages 322-336, Santa Barbara, California, Aug 1997. Springer.
http://www.springerlink.com/content/ghv31wm0pexkd3kq/

Security Protocols

[And95a] R. J. Anderson and R. Needham. Programming satan's computer. In J. van Leeuwen, editor, Computer Science Today, volume LNCS 1000, pages 426-440. Springer, 1995. http://dx.doi.org/10.1007/BFb0015258

Definitions
Sequence of communications by two or more parties to achieve security objective(s)
Not like this (why?):
  A → B: A                   “Hi, I’m Alice”
  B → A: Enter password:     “Prove It!”
  A → B: $R%&^8!             “Here’s the proof”

Dolev Yao attacker model
Eve can:
» See all messages
» Delete, alter, inject and redirect messages
» Initiate new communications
» Reuse messages from past sessions
Eve cannot:
» Solve “hard” problems (such as?)
» Guess pseudo-random values (eg. nonces)
» Get another identity (identity theft)
» Time computations
What to do: Make everything explicit

Design is hard
‘‘Security protocols are three line programs that people still manage to get wrong’’ (Roger Needham)

[Low96] G. Lowe. Breaking and fixing the Needham-Schroeder Public-Key protocol using FDR. In 2nd Int. Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume LNCS 1055, pages 147-166, Passau, Germany, Mar 1996. Springer. http://dx.doi.org/10.1007/3-540-61042-1_43

Authentication protocol (1)
  A → B: A                   “Hi, I’m Alice”
  B → A: Enc(Nb,PKa)         “Prove It!”
  A → B: Nb                  “Here’s the proof”
What’s the problem with this?
» The nonce Nb leaks, so it cannot be used to secure the session

Authentication protocol (2)
  A → B: A                   “Hi, I’m Alice”
  B → A: Enc(Nb,PKa)         “Prove It!”
  A → B: Enc(Nb,PKb)         “Here’s the proof”
(Wo)man in the middle attack:
  A → E → B: A               B receives “A” from E
  B → E → A: Enc(Nb,PKa)     E uses A to decrypt Nb
  A → E: Enc(Nb,PKe)         Now E has Nb
  E → B: Enc(Nb,PKb)         E fools B

Authentication protocol (3)
  A → B: A                   “Hi, I’m Alice”
  B → A: Enc({B,Nb},PKa)     “Prove It!”
  A → B: Enc(Nb,PKb)         “Here’s the proof”
Does it work now?
  A → E → B: A               “Hi, I’m Alice”
  B → E → A: Enc({B,Nb},PKa) A can see that the message is not from E

Conclusions
» Consider the system as a whole
» Know your enemy
» Be explicit
» Use standard tools
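
Added example (not part of the original slides) for the El Gamal exercise "prove that this works": decryption is correct because c/d^x = m h^y / (g^y)^x = m g^(xy) / g^(xy) = m (mod n), and the code below runs the scheme with the slide's symbols. The toy prime n = 467 with generator g = 2 and the function names are assumptions made for illustration; real deployments use far larger parameters.

```python
import secrets

N = 467   # toy prime modulus n (constructed; far too small for real use)
G = 2     # generator g of Z_n*, checked by is_generator() below

def is_generator(g, n, prime_factors_of_n_minus_1):
    """g generates Z_n* iff g^((n-1)/q) != 1 for every prime q dividing n-1."""
    return all(pow(g, (n - 1) // q, n) != 1 for q in prime_factors_of_n_minus_1)

def keygen(n=N, g=G):
    x = secrets.randbelow(n - 1) + 1          # private key x in {1..n-1}
    return x, pow(g, x, n)                    # public key h = g^x

def encrypt(m, h, n=N, g=G, y=None):
    if not 1 <= m < n:
        raise ValueError("message must be an element of Z_n*")
    if y is None:
        y = secrets.randbelow(n - 1) + 1      # fresh salt y for every message
    return (m * pow(h, y, n)) % n, pow(g, y, n)   # (c, d) = (m h^y, g^y)

def decrypt(c, d, x, n=N):
    # c / d^x: division is multiplication by the inverse. By Fermat's little
    # theorem d^(n-1) = 1 (mod n), so d^(-x) = d^(n-1-x) (mod n).
    return (c * pow(d, n - 1 - x, n)) % n

if __name__ == "__main__":
    x, h = keygen()
    c, d = encrypt(123, h)
    print("ciphertext:", (c, d), "decrypted:", decrypt(c, d, x))
```

Passing y explicitly is only for reproducible checks; reusing a salt for two messages lets anyone who learns one plaintext recover the other.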
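
Added example (not part of the original slides) replaying the relay attack from authentication protocols (2) and (3) in a symbolic Dolev-Yao model: Eve sees and redirects every message but can only open ciphertexts addressed to her own key. The tuple encoding of Enc and all function names are assumptions of this sketch.

```python
import secrets

def enc(payload, owner):
    """Symbolic public-key encryption: a box only `owner` can open."""
    return ("enc", owner, payload)

def dec(box, who):
    tag, owner, payload = box
    if tag != "enc" or owner != who:
        raise PermissionError(f"{who} cannot decrypt a message for {owner}")
    return payload

def bob_challenge(nonce, bind_name):
    # Protocol (2): Enc(Nb, PKa); protocol (3): Enc({B, Nb}, PKa)
    return enc(("B", nonce) if bind_name else nonce, "A")

def alice_respond(box, peer, bind_name):
    """Alice believes she is talking to `peer`; returns her reply or None."""
    payload = dec(box, "A")
    if bind_name:
        sender, nonce = payload
        if sender != peer:        # challenge names B, but Alice contacted E
            return None           # abort: the message is not from her peer
    else:
        nonce = payload
    return enc(nonce, peer)       # "Here's the proof", for the believed peer

def run_relay_attack(bind_name):
    """Eve relays between Alice (who contacted E) and Bob.
    Returns True if Bob ends up accepting Eve as Alice."""
    nb = secrets.token_hex(8)                   # Bob's fresh nonce Nb
    challenge = bob_challenge(nb, bind_name)    # B -> E -> A, opaque to Eve
    reply = alice_respond(challenge, peer="E", bind_name=bind_name)  # A -> E
    if reply is None:
        return False                            # Alice refused to answer
    stolen = dec(reply, "E")                    # now E has Nb
    to_bob = enc(stolen, "B")                   # E -> B: Enc(Nb, PKb)
    return dec(to_bob, "B") == nb               # Bob checks the nonce

if __name__ == "__main__":
    print("protocol (2) fooled:", run_relay_attack(bind_name=False))
    print("protocol (3) fooled:", run_relay_attack(bind_name=True))
```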