Lecture Notes - 4/25/2005
*************************************************************************
* ANOUNCEMENTS: *
* Professor Smith still has the midterms that weren't picked up. *
* Karl will present on Security using powerpoint *
* *
*************************************************************************
Main Topics to be discussed today:
1. DES
2. Pretty Good Privacy
3. Public key encryption
4. Safe Mail
5. Digital signatures
6. CLIPPER Chip
7. Karl's Presentation
8. Introduction to Virtual Machine
**************
DES
**************
+ Federal data encryption standard (DES). Can be implemented
efficiently in hardware and appears to be relatively safe.
+ A key consists of 64 binary digits of which
- 56 bits are randomly generated and used directly by the algorithm.
- 8 bits are used for error detection.
+ Block cipher. Encrypts 64 bits block at a time, breaking it up to 4 bit pieces,
and these 4 bit pieces intereact with each other(substitution, permutation).
If we place two blocks to each other, we have 128bits, a two level DES encryption.
Hard but not impossible to break. Chips for breaking it are available on the market.
+ NSA(National Security Agency), also known as "No Such Agency"(Prof's joke),
the govt. doesn't want cheap and effective encryption - would no longer be able to read third world traffic.
+ There are chips that encrypt/decrypt megabits per second.
+ DES no longer considered safe enough by NSA. The latest
standard is the CLIPPER chip. For practical purposes,
DES more than adequate.
+ Sufficient security is obtained by two level encryption in pairs.
+ Export or Import of Encryption chips like DES requires license.
- DES is a kind of conventional encryption. Using conventional encryption alone as a means for
transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution.
Thus, Public key encryption was introduced.
*************************
Pretty Good Privacy
*************************
+ PGP - pretty good privacy - public domain encryption system. Based on DES.
Encryption
1. First compresses the plaintext
2. Generate a one-time only session key randomly from the random movement of mouse and the keystrokes.
3. Session key is then encrypted to the recipient's public key.
4. Transmit ciphertext along with public key-encrypted session key to receiver.
Decryption
1. Receiver uses private key to recover the temporary session key
2. plaintext is decompressed
**************************
Public key encryption
**************************
+ new mechanism for encryption where
knowing the encryption key doesn't help you to find decryp-
tion key, or vice versa.
+ Private Key and Public Key are inverse of each other.
+ Two keys are not derivable from each other.
+ Private key is the ONLY inverse of the public key, so senders' identity can be verified.
+ Each user keeps one key secret, publicizes the other.
Can't derive private key from public key. Public keys
are made available to everyone, in a phone book for example.
+ Specific scheme for public key encryption (pages 471-472, chap 14, of Silberschatz and Galvin):
Encode(m) : E(m) = (m^e) mod n = C
where "e" is the public encryption exponent ; "n" is the public encryption modulus, n> 0 , 0 <= e <= n-1
Decode(C) : D(C) = (C^d) mod n = m
where "d" is the private decryption exponent, 0 <= d <= n-1
+ Must derive e, d, and n such that the above decode is in-
verse of encode.
+ Let n=p*q (p, q large primes).
+ d is large integer relatively prime to (p-1)*(q-1)
(i.e. GCD[d, (p-1)*(q-1)] == 1
+ e is chosen such that (e*d) mod ((p-1)*(q-1)) ==1
+ ICBS(It Can Be Shown) that this makes E and D inverses. Proof requires Number Theory.
+ This is safe because although n is known, p & q are not
known, and so e cannot be derived. (factoring is known
to be hard.)
******************
Safe Mail
******************
+ Every sender uses the same public key publized by a destination user(receiver) to encrypt mail.
+ Anybody can encrypt mail for this user and be certain
that only the user will be able to decipher it, since nobody but the user keeps the private key.
It's a nice scheme because the user only has to remember one
key, and all senders can use the same key. However, the user doesn't
know for sure who he's getting mail from if every sender uses the same public key.
__________________________ Internet _________User_______________
Sender A Mail -----> | Public key encryption | ------------> | Private key decryption | --------> Mail
Sender B Mail -----> |__________________________| |___________________________ |
******************
Digital signatures
******************
+ can also use public keys to certify identity:
+ To certify your identity, use your private key to encrypt
a text message, e.g. ``I agree to pay Mary Wallace $100
per year for the duration of life.''
+ You can give the encrypted message to anybody, and they
can certify that it came from you by seeing if it de-
crypts with your public key. Anything that decrypts into
readable text with your public key must have come from
you! This can be made legally binding as a form of elec-
tronic signature.
+ Note that only encrypting with your private key permits
the mail or message to be read by anyone.
+ If you encrypt with your private key, and then some-
one else's public key, it can only be read by intend-
ed recipient.
_____________________ Internet _____Receiver____________
Mail(Sender A)----> |Private key encryption | ----> | Public key decryption|--------> Mail by Sender A
|key kept by sender A | - > |key publized by sender A|-----
|_______________________| | |_________________________| |
| |
| |
________________________ | |
Mail(Sender B)---> |Private key encryption |--- |
| key kept by sender B | |__> non-readable text
|_______________________|
+ One public key method believed to work: Publish a large com-
posite number (public key). Private key is factors of the
number. Factors hard to obtain.
+ Encryption appears to be a great way to thwart listeners. It
doesn't help with Trojan Horses, though.
+ One Way Encryption - use to encrypt password file. Don't have
to be able to decrypt it - just compare encryption of submit-
ted password with stored one. Can't deduce what needs to be
submitted. (I.e. encryption algorithm should not be invert-
able.)
+ General problem: how do we know that an encryption mechanism
is safe? It's extremely hard to prove. Mention example of
scheme that was recently disproven after being widely accept-
ed - knapsack problem. This is a hot topic for research:
theorists are trying to find provably hard problems, and use
them for proving safety of encryption.
******************
CLIPPER Chip
******************
+ Replacement for DES, developed by NSA using Skipjack algorithm(SECRET)
+ Chip Contains:
+ 64-bit block encryption (algorithm classified)
+ Uses 80 bit keys.
+ Skipjack algorithm can be more secure than DES , since it uses 80-bit keys and scrambles
the data for 32 rounds;by contrast, DES uses 56-bit keys and scrambles the data for only 16 rounds.
+ Uses the following numbers:
+ F - 80-bit key used by all Clipper chips
+ N - 30-bit serial number (per chip)
+ U - 80-bit secret decryption key for this chip only.
+ Secure conversation occurs this way:
+ Session key K is negotiated (somehow).
+ E(M;K) is encrypted message stream.
+ E(E(K;U), N; F) is a "law enforcement block". With
F, we can get E(K;U),N. From N, (the serial
number), we can get U (held by federal agencies), and then can get K. From K, we can decrypt messages.
+ Key U is xor of U1 and U2. U1 and U2 held by different
federal agencies. Can get both U1 and U2 only with court
ordered wiretap.
----------------------------------------------------------------------------------------------------------
Karl's Presentation on Security
******************
Hash Functions
******************
+ Store hashed password instead of password, so that we can verify a password, but not retrieve it.
+Dictionary attack: pre-compute on dictionary words their hash mappings.
eg. salt ---> nachos
Solution: add a sequence of random prefixes with length n, xxxxx, then
"xxxxxsalt" is stored. So every password is unique and
the required reverse dictionary n times bigger.
+md5("nachos") = 08b54e0e6795d86536b8a082b2e1c30f
+No "reverse-md5" to get "nachos" from 08b54e...
******************
Authenticity
******************
+ Don't want message to be
1. alterted or modified by attacker.
2. re-ordered by attacker
3. replayed by attacker
Solution to ordering & replay:
- Sequence number
- "I 'm finished" message
***********************************
Symmetric vs Asymmetric Encryption
***********************************
+Symmetric encryption (a.k.a. private-key
encryption)
- Encryption and decryption share the same key
- Therefore encryption key must be secret
Examples of ciphers:
- Caesar cipher
- Transposition cipher
- DES, 3DES
- AES, Blowfish, CAST, ARCFOUR
+Asymmetric encryption (a.k.a. public-key
encryption)
- Encryption and decryption use a different key
- Private key is two large numbers, public key is its product
- Therefore encryption key can be public
Examples of algorithms:
- RSA by Ron Rivest, Adi Shamir, and Leonard Adleman
- DSA (Digital Signature Algorithm)
Depend on the difficulty of factoring large numbers
Implementations:
- PGP, GPG (email & general-purpose)
- SSL (Secure Socket Layer) (https, imaps)
- SSH
******************
Certificates
******************
Assume Bob knows Charlie, Charlie knows Alice. But Bob doesn't know Alice
How does Bob know Alice's pub key?
- e.g. millions of websites exist
Does your browser know ALL of their public keys?
- Maybe Bob knows Charlie, Charlie knows Alice
Charlie signs message saying "Alice's key is 89fc76eb" and send it to Bob,
so Bob can know Alice's public key. => Key Ring
Example. Bob = your browser ; Alice = eBay.com; Charlie = Verisign.com
- Browser just knows Verisign's public key
- eBay gives you a message saying "ebay.com's public
key is 89a13ef" signed by Verisign
******************
Attacks on TCP
******************
+ Source spoofing
IF we want to send SYN/ACK to a destination address after receiving SYN, that address is specified in the SYN packet.
But how do we know that address is really the one you want to send to?
We ask the destination address to reply to our SYN/ACK to verify.
Each SYN/ACK contains a randomly generated initial sequence number(ISN),
so attacker cannot predict the ISN to be ISN+1 or ISN+2.....
+ SYN flood
When we receive SYN, we create state(in Nachos, add to "pending connections" list).
In TCP, there is a limit to state size(max 6 pending connections) and
un-acknowledged SYN ACKs expire after a minute. So, if we send 6 SYNs/ min, we can revent anyone
else from connecting(Denial Of Service).
Sol. SYN cookies - Don't create state(add to "pending connections") until we receive the packet after SYN/ACK.
************
Worm
************
A worm, unlike Virus, doesn't require human intereaction.
A worm can infect the entire Internet in an hour!
- Logistic curve: infects until no one else to infect
- Most of these worms written by amateurs
Traditional defenses use signature-based scanner
- Require a human to analyze the worm and create the
signature
New approaches:
- automatic signature generation
- machine learning
-----------------------------Karl's Research-----------------------------
******************************
Format-String Vulnerabilities
******************************
Format-String Vulnerabilities
In C, we should write printf(%s, string)
Common error: printf(string)
- Security hole, because string can contain %s, %n, etc.
We can now analyze source code to find such
bugs or verify there are none
Do this on all Debian Linux (8000 packages)
Research project w/ David Wagner
******************************
Machine learning on novel worms
******************************
Machine learning on novel worms
Mine data on emails => features
- Number of To: addresses, type of attachments, etc.
Based on features, classify an email as viral or
non-viral
- parametric classifier (Naive Bayes)
- novelty detector (Support Vector Machine)
Automatically detect previously unseen worms,
block sender
Research w/ Steve Martin, Anil Sewani, Blaine
Nelson, Anthony Joseph
Recommended
+CS161 (CS194 next semester) , already full as of 4/25
- Wagner, Joseph, Tygar
- www.CS161.org
+Cuckoo's Egg by Cliff Stoll
****************
Virtual Machine
****************
A self-contained operating environment that behaves as if it is a separate computer.
_______________________
| Bare Machine |
| ______________________|
|____ Privileged_______|
Software Nucleus
^ ^
| |
| |
| |
| |
| |
___________________ | | _______________________
| | | | | |
| User Program,U1 |------------------------- -------------------------| User Program, U2 |
|__________________| |_____________________|
End Of Lecture