Security Engineering
Ross Anderson, Wiley, 2001

Assurance requirements (online and offline) for logistics and inventory management for VERY large systems. Frequently require access hierarchies. Weapons systems (particularly nuclear) often require complex multifactor and/or multi-origin access.

Example 3 - Hospitals
Distributed data and delivery systems.
Special assurance issues - can't lose data, can't store incorrect data or allow it to become corrupt, i.e., reliability and accuracy are extremely important.
Privacy - not only restricted to anonymity (hard to achieve without special scrubbing); there are also role-based privacy requirements.
Availability of data/services is also critical (sometimes, e.g., when in hospital). Think of DoS.

Example 4 - Homes
Many/most of the above plus copyright issues.
Question: What isn't included?

Example 5 - The Internet
Open for discussion:
- Old
- New
- Modified
- Gone
Definitions
System - anything or everything; a product or component thereof, operating system, communications system, applications, staff, users, customers, the environment in which it is embedded
Subject - physical person in any role
Person - human or legal entity (company)
BRM-11/6/2012 CST 554 Lecture Notes (Ch1 & 2) SE-2
Principal - an entity that participates in a security system (subject, person, role, equipment, communications channel, group of principals)
Role - a function assumable by different persons
Identity - (pure) a correspondence between a name and a person (as understood by another person)
Identity - (vernacular) a name
Trust - believed to be trustworthy (but may not be)
Trusted system - a system whose failure can break a security policy
Trustworthy - a system or subsystem that will not fail
Secrecy - the effect of the mechanisms used to limit the number of principals who can access information
Confidentiality - the obligation to protect some other person's or organization's secrets if you know them
Privacy - the ability or right to protect your personal secrets

Notes:
- it is often insufficient to keep message contents secret; sometimes source or destination or other metadata may also need to be protected (anonymity, message content confidentiality, message source (or destination) confidentiality)
- freshness - recent or not a replay
- integrity - unchanged
- authenticity - integrity plus freshness
- authentic copy - a real copy of something that may be a fake
- vulnerability - a property of a system that, under application of a threat (attack), may lead to a security failure
- threat - a potential for an error or an attack mechanism (exploit) that can take advantage of a vulnerability
- security policy - a succinct statement of a system's security strategy
- security target - a detailed specification of the means of achieving the security policy
- protection - a property (confidentiality or integrity) defined in a sufficiently abstract way such that it is possible to reason about it (the property) in the context of general systems rather than specific implementations
Message from T to G with content T name/identity and an encrypted part consisting of T and some additional info (N) that is encrypted with some algorithm using key KT.

Nonce - a value; maybe a random number, a timestamp or, in some cases, a counter (it depends ;-). Used to (attempt to) guarantee freshness. Problem with counters? Synchronization.

Key diversification - widespread use and knowledge of a key

Challenge - Response
Challenge: E -> T: N
Response: T -> E: {T,N}K

Shared key; the nonce must be truly random (or at least practically so) for the challenge not to be subject to replay issues.

Two-factor C-R - in this case a password generator (P) (many different implementations)
S = server, U = user
S -> U: N (this is after providing the login name first)
U -> P: N, PIN
P -> U: {N, PIN}K (this is an example value; in reality, as long as P and S understand what the value should be, it works)
U -> S: {N, PIN}K
Note: this is usually modified further by varying K for each P, where P and U have been associated at S.

Man-in-the-Middle (OK, OK, Person-in-the-Middle)
Difficult but almost always effective if interception and retransmission (with or without modification to payload) can be accomplished WITHOUT detection on the physical level (the hardest part).
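The two-factor challenge-response exchange above, as an added example (not from the lecture notes or the book): the server side of S -> U: N and U -> S: {N, PIN}K, with K varied per password generator. Assumptions: the names `token_key`, `token_response` and `Server`, the sample master key, and an HMAC-derived short code standing in for the encryption {N, PIN}K.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = b"constructed-master-key"  # constructed sample value, not from the notes


def token_key(serial: str) -> bytes:
    """K varied per password generator P (derived here from its serial number)."""
    return hmac.new(MASTER_KEY, serial.encode(), hashlib.sha256).digest()


def token_response(key: bytes, nonce: bytes, pin: str) -> str:
    """P -> U: short code standing in for {N, PIN}K (HMAC replaces encryption)."""
    mac = hmac.new(key, nonce + pin.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


class Server:
    def __init__(self, users: dict):
        self.users = users    # login name -> (token serial, PIN)
        self.pending = {}     # login name -> outstanding challenge N

    def challenge(self, login: str) -> bytes:
        """S -> U: N, a fresh random nonce sent after the login name."""
        self.pending[login] = secrets.token_bytes(16)
        return self.pending[login]

    def verify(self, login: str, response: str) -> bool:
        """U -> S: {N, PIN}K, checked against the one outstanding challenge."""
        nonce = self.pending.pop(login, None)  # each N is usable once
        if nonce is None or login not in self.users:
            return False
        serial, pin = self.users[login]
        expected = token_response(token_key(serial), nonce, pin)
        return hmac.compare_digest(expected, response)
```

A captured response fails on resubmission because the challenge it answered has been consumed and the next challenge is a different random value.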
Reflection attacks in mutual authentication
The original challenge is reflected back to the original challenger by an interloper (before any response); the challenger provides a valid response, which can then be sent back as a valid response to the original challenger (F on page 21). This only works with symmetric keys and when no freshness or originator information is included with the response.

Trust assumptions and consequences in protocol design are IMPORTANT
"A common cause of protocol failure is that the environment [in which the protocol operates] changes, so that assumptions [on which the protocol depends are no longer true], and the security protocols cannot cope with the new threats." (Ross A., pg 23)
Change can happen slowly, so threats may not be immediately evident.

Managing Encryption Keys
Authentication is needed to associate principals with keys (and encryption algorithms). Information relative to authorization may be embedded within the management structure, too. This is especially important in distributed systems.

In nondistributed systems, or in distributed systems where key exchange (e.g., key-principal correlation) is accomplished on a personal basis, key management becomes a personal function (e.g., a key ring).

In distributed systems principals may not know one another or ever have a formal meeting. In these cases a trusted third party is used to mediate the key-principal association process (introduction). An example is Kerberos; other methodologies are introduced later.

A general algorithm is presented on pg 26. The server gets a request from Alice to talk to Bob; the server creates a session key and sends a copy to Alice so that only Alice can read it. The server also sends Alice an encrypted copy of the session key that only Bob can decrypt. Alice sends that to Bob along with a message encrypted with the session key (KAB). Bob decrypts the session key that Alice sent and then decrypts the message.
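The reflection weakness described in these notes, shown beside its fix, as an added example (not from the lecture notes or the book). Assumptions: the `Party` class and both function names are illustrative, an HMAC stands in for the keyed response, and the fix shown is binding the responder's name into the response (the "originator information" the notes mention).

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # symmetric key shared by A and B (constructed)


class Party:
    def __init__(self, name: str, bind_identity: bool):
        self.name = name
        self.bind_identity = bind_identity

    def _mac(self, responder: str, nonce: bytes) -> bytes:
        # Weak form: the response depends on the nonce only.
        # Hardened form: the responder's name is part of the response.
        prefix = responder.encode() + b"|" if self.bind_identity else b""
        return hmac.new(KEY, prefix + nonce, hashlib.sha256).digest()

    def respond(self, nonce: bytes) -> bytes:
        """Answer a challenge received from the peer."""
        return self._mac(self.name, nonce)

    def accept(self, peer: str, nonce: bytes, response: bytes) -> bool:
        """Check the answer to our own challenge, expected to come from peer."""
        return hmac.compare_digest(self._mac(peer, nonce), response)


def reflected_response_accepted(bind_identity: bool) -> bool:
    """A's own answer to its own nonce is presented to A as if it came from B."""
    a = Party("A", bind_identity)
    challenge = secrets.token_bytes(16)   # A's challenge, intended for B
    reflected = a.respond(challenge)      # the same nonce, answered by A itself
    return a.accept("B", challenge, reflected)


def honest_run_accepted(bind_identity: bool) -> bool:
    """Normal run: B answers A's challenge."""
    a, b = Party("A", bind_identity), Party("B", bind_identity)
    challenge = secrets.token_bytes(16)
    return a.accept("B", challenge, b.respond(challenge))
```

With `bind_identity=False` the reflected response verifies even though B never took part; with `bind_identity=True` it is rejected while the honest run still succeeds.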
This protects both Bob's and Alice's private keys and results in the potential for a long-term association.

Understand the Needham-Schroeder Protocol, especially the delay/compromise issue.

Kerberos
Two servers - authentication, access management (introduction control) - scalable management

Authentication (approximate); S is the authentication server
A -> S: A, {A, N}Pwd
S -> A: {A, TS, L, KAS}Pwd

The subsequent exchange with the authorization (introduction) server (in book, pg 28) provides a session key, KAB
A -> S: A, B
S -> A: {TS, L, KAB, B, {TS, L, KAB, A}KBS}KAS
A -> B: {TS, L, KAB, A}KBS, {A, TA}KAB
B -> A: {TA + 1}KAB

TS and TA are timestamps, used for freshness. This requires moderate synchronization of clocks (< 2 minutes usually, but 2 seconds is better).

Formal verification - sounds like fun, but not for this course.

Limitations of formal verification
Even if the protocol is valid, external assumptions may be incomplete (even erroneous). Examples abound. A major problem is incompatibilities at the boundary (edge) between two different protocols. Here assumptions need to be formalized [if possible].
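The session-key introduction from the key management notes and the Kerberos exchange above, as an added example (not from the lecture notes, the book or any Kerberos implementation) that carries the last three messages through and shows the freshness checks Bob applies to TS, L and TA. Assumptions: all function names, the JSON encoding, the 120-second `SKEW`, and `seal`/`unseal`, a toy keystream-plus-HMAC construction standing in for {...}K.

```python
import hashlib
import hmac
import json
import secrets

SKEW = 120  # seconds of clock tolerance ("< 2 minutes usually" in the notes)


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + iv).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(key: bytes, fields: dict) -> bytes:
    """Toy stand-in for {...}K: keystream XOR plus HMAC tag; not a production cipher."""
    iv = secrets.token_bytes(16)
    ct = xor_stream(key, iv, json.dumps(fields).encode())
    return iv + hmac.new(key, iv + ct, hashlib.sha256).digest() + ct


def unseal(key: bytes, blob: bytes) -> dict:
    iv, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(xor_stream(key, iv, ct))


def server_reply(kas: bytes, kbs: bytes, a: str, b: str, ts: int, life: int) -> bytes:
    """S -> A: {TS, L, KAB, B, {TS, L, KAB, A}KBS}KAS"""
    kab = secrets.token_hex(16)
    ticket = seal(kbs, {"TS": ts, "L": life, "KAB": kab, "A": a}).hex()
    return seal(kas, {"TS": ts, "L": life, "KAB": kab, "B": b, "ticket": ticket})


def alice_request(kas: bytes, reply: bytes, a: str, ta: int):
    """A -> B: {TS, L, KAB, A}KBS, {A, TA}KAB (KAB is returned for Alice's own use)."""
    r = unseal(kas, reply)
    kab = bytes.fromhex(r["KAB"])
    return bytes.fromhex(r["ticket"]), seal(kab, {"A": a, "TA": ta}), kab


def bob_check(kbs: bytes, ticket: bytes, authenticator: bytes, now: int):
    """Return B -> A: {TA + 1}KAB, or None if the ticket or authenticator is stale."""
    t = unseal(kbs, ticket)
    kab = bytes.fromhex(t["KAB"])
    auth = unseal(kab, authenticator)
    in_lifetime = t["TS"] - SKEW <= now <= t["TS"] + t["L"] + SKEW
    if not in_lifetime or auth["A"] != t["A"] or abs(now - auth["TA"]) > SKEW:
        return None
    return seal(kab, {"TA": auth["TA"] + 1})
```

A replayed authenticator still passes inside the `SKEW` window, so the timestamp check narrows the replay window rather than closing it.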