Kerckhoffs tips

Mail info@kerckhoffs-institute.org to register otherwise lecturers at the other universities may not know you

Register officially with TU/e, RUN & UT otherwise your marks cannot be transferred
Regularly check www.kerckhoffs-institute.org/ otherwise you may not be up to date on the schedules

Did you take Algebra & Security as homologation? otherwise you may not be able to pass Cryptography I
Join the Kerckhoffs student association Auguste otherwise you will not be able to make friends with all your peers Join the mailing list http://mailman.science.ru.nl/mailman/listinfo/kerckh offs-students otherwise we will not be able to reach you.
12-11-1966 Kerckhoffs Institute - design template

Introduction to Computer Security

Pieter.Hartel@utwente.nl

Overview
Course organisation Definitions Design Cryptography

Security Protocols
Coursework

[And08] R. J. Anderson. Security Engineering: A guide to building dependable distributed systems. John Wiley & Sons Inc, New York, Second edition, 2008. http://www.cl.cam.ac.uk/~rja14/book.html [Sch04b] B. Schneier. Secrets and Lies: Digital Security in a Networked World. Wiley Publishing Inc, Indianapolis, Indiana, second edition, 2004. http://www.schneier.com/book-sandl.html IntroSec 3

Course Organisation

Course objectives
Learn about the most important concepts in computer security Be able to appreciate the role of security techniques in an overall security approach

Be able to find, understand and survey basic security literature

Breadth, not depth....

IntroSec

Assessment
Written examination (50%) Social Engineering Experiment (25%) Stage I: Physical penetration testing (24%) Stage II: Digital penetration testing (1%) Paper for mini conference (25%) Team of three Peer review Mark set by students and moderator 5 best papers presented at mini conf. Prize for best presentation Exceptionally: Paper + experiment (50%)
6
IntroSec

Survey
Have you taken any of these? TU/e: Security (3ec/2IS05) RU: Security (3ec/I00086 or 6ec/IBI002) UT: Network security (5ec/265400) Something else that is relevant?

IntroSec

http://dies.cs.utwente.nl/~pieter/IntroSec
# Meeting

1
2 3 4 5 6 7 8 10 11 12 13
8

Introduction (Definitions)
Biometrics (Fingerprint, Face) Physical (Smart card, RFID, PUF) Software (Java, Java Card, PCC) Storage (Database, Disk) Network (Internet, WSN) Crime Science Pentesting (Guest Lecturer) Written Examination Paper assignment meeting Program committee meeting Mini conference

IntroSec

Definitions

Security is protection of assets.

owners1
to reduce impose Wish to minimize value

countermeasures5

that may possess may be aware of

that may be reduced by

vulnerabilities4
leading to

threat agents7
give rise to

that exploit

risk3

to

that increase

threats6
to

wish to abuse and/or may damage

assets2

[ITSEC05] Information technology security techniques evaluation criteria for IT security part 1: Introduction and general model. International Standard ISO/IEC 15408-1, ISO/IEC, Oct 2005. http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_15408-1_2005(E).zip IntroSec 10

Definitions
Availability: authorised users want the computer/system to work as they expect it to, when they expect it to Reliability: the ability of a system or component to perform its required functions under stated conditions for a specified period of time Safety: being protected against non-desirable events (not specifically malicious) Confidentiality: to stop unauthorised users from reading sensitive information Integrity: Every data item/system component is as the last authorised modifier left it Maintainability: ease with which a software product can be modified Authorisation requires authentication and audit!

11

IntroSec

Dependability vs. Security

Availability (data, systems) Reliability (systems)

Dependability

Safety (systems) Confidentiality (data, principals)

Security

Integrity (data, systems) Maintainability (systems)

[Avi04] A. Aviienis, J.-C. Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. on Dependable and Secure Computing, 1(1):1133, Jan 2004. http://doi.ieeecomputersociety.org/10.1109/TDSC.2004.2
12
IntroSec

Access control model AU3

Authentication Authorisation

Principal Source

Do Operation
request

Reference Monitor

Object

guard resource Audit log Authentication: determine who makes request Authorisation: determine who is trusted to do which operation on an object Auditing: make it possible to determine what happened and why

[Lam04] B. W. Lampson. Computer security in the real world. IEEE Computer, 37(6):37-46, Jun 2004. http://doi.ieeecomputersociety.org/10.1109/MC.2004.17 IntroSec 13

Privacy vs. Security

Privacy is the right of an individual to determine what information about oneself to share with others Security can help Selectively encrypt data

Security can hinder Calling home to prevent piracy (Audit) logging

14

IntroSec

Design

Goals
Good: As secure as the real world [Lam04] Defense in depth Be explicit about: naming, typing, freshness, assumptions, goals, limitations etc [And95a] Bad: Design security as an afterthought Security by obscurity [Ker1883] Make it complicated

[Ker1883] A. Kerckhoffs. La cryptographie militaire. J. des Sciences Militaires, IX:5-38, Jan 1883. http://www.petitcolas.net/fabien/kerckhoffs/ IntroSec 16

Tools
Assurance does it work? Risk management Protocol verification Policy what is supposed to happen? Access control Mechanisms how should it happen? Tamper resistance Biometrics Cryptography, Hashing, Random numbers But first an attack...
17
IntroSec

Attacks
Definition: a successful exploitation of a vulnerability Examples: Attacker shuts you out by trying to log in as you Cold boot attack (watch the movie)

[Hal08] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In 17th USENIX Security Symp., pp 45-60, San Jose, California, Jul 2008. USENIX Association. http://citp.princeton.edu/memory/
18
IntroSec

Cryptography

[Men01a] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Chapter 1 of Handbook of applied cryptography. CRC Press, 2001. http://www.cacr.math.uwaterloo.ca/hac/

Algorithms + keys
Cipher (aka cryptosystem) Public algorithm + Secret keys

attack encrypt

sdwr$350 decrypt

gfd6#Q attack

20

IntroSec

Symmetric ciphers
Public algorithm + one secret key Standard algorithms: DES, AES Example: one time pad
01011001 01010101 ----------------XOR Message Secret key

00001100
01010101 ----------------01011001
21
IntroSec

Cipher text
Secret key XOR Decrypted message

Asymmetric ciphers
Public algorithm+private key+public key Standard algoritms: RSA, El Gamal Example: El Gamal Multiplicative group Zn*={1...n-1} Prime n, generator g All calculations Private key: x Zn* modulo n x Public key: h=g Salt: yRZn* Enc(m,h): (c,d) = (mhy, gy) Dec((c,d),x): c/dx Exercise: prove that this works...
22
IntroSec

Random numbers
Pseudo random in SW True random in HW Standard statistical tests NIST web site For example Linear Congruential Method r0 = s rn+1=(a rn+c) mod m Cyclic Deterministic

23

IntroSec

Hash functions
Map arbitrary bit string to fixed size output Easy to calculate for given input Practically impossible to invert Extremely unlikely that two inputs give the same hash For example Knuths variant on Division Hash(n) = n(n+h) mod m Try it out

24

IntroSec

Visual Cryptography

[Nao97] M. Naor and B. Pinkas. Visual authentication and identification. In Burton S. Kaliski Jr., editor, 17th Int. Conf. on Advances in Cryptology (CRYPTO), volume LNCS 1294, pages 322336, Santa Barbara, California, Aug 1997. Springer. http://www.springerlink.com/content/ghv31wm0pexkd3kq/ IntroSec 25

Security Protocols

[And95a] R. J. Anderson and R. Needham. Programming satan's computer. In J. van Leeuwen, editor, Computer Science Today, volume LNCS 1000, pages 426-440. Springer, 1995. http://dx.doi.org/10.1007/BFb0015258

Definitions
Sequence of communications by two or more parties to achieve security objective(s) Not like this:
A B:
B A: A B:

A
Enter password: $R%&^8!

Hi, Im Alice
Prove It! Heres the proof

27

IntroSec

Dolev Yao attacker model

Eve can: See all messages Delete, alter, inject and redirect messages Initiate new communications Reuse messages from past sessions

Eve cannot: Solve hard problems Guess pseudo-random values (eg. nonces) Get another identity (identity theft) Time computations
What to do: Make everything explicit
28
IntroSec

Design is hard
Security protocols are three line programs that people still manage to get wrong (Roger Needham)

[Low96] G. Lowe. Breaking and fixing the Needham-Schroeder Public-Key protocol using FDR. In 2nd Int. Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume LNCS 1055, pages 147-166, Passau, Germany, Mar 1996. Springer. http://dx.doi.org/10.1007/3-540-61042-1_43 IntroSec 29

Authentication protocol (1)

A B: A

Hi, Im Alice

B A:
A B:

Enc(Nb,PKa)
Nb

Prove It!
Heres the proof

Whats the problem with this? The nonce Nb leaks, so it cannot be used to secure the session

30

IntroSec

Authentication protocol (2)

A B: A

Hi, Im Alice

B A:
A B:

Enc(Nb,PKa)
Enc(Nb,PKb)

Prove It!
Heres the proof

(Wo)man in the middle attack:

AEB: BEA: AE: EB:
31
IntroSec

A Enc(Nb,PKa) Enc(Nb,PKe) Enc(Nb,PKb)

B receives A from E E uses A to decrypt Nb Now E has Nb E fools B

Authentication protocol (3)

A B: A

Hi, Im Alice

B A:
A B:

Enc({B,Nb},PKa)
Enc(Nb,PKb)

Prove It!
Heres the proof

Does it work now?

A E B : A

Hi, Im Alice

BEA:

Enc({B,Nb},PKa)

A can see that the message is not from E

32

IntroSec

Conclusions
Consider the system as a whole Know your enemy Be explicit Use standard tools

33

IntroSec

Coursework
[Lev88] R. Levin and D. D. Redell. An evaluation of the ninth SOSP submissions or how (and how not) to write a good systems paper. SIGGRAPH Comput. Graph., 22(5):264-266, Oct 1988. http://doi.acm.org/10.1145/378267.378283 [Sch09a] S. E. Schechter. Common pitfalls in writing about security and privacy human subjects experiments, and how to avoid them. technical report, Microsoft Research, 2009. http://cups.cs.cmu.edu/soups/2010/howtosoups.pdf [Pey93b] S. L. Peyton Jones, R. J. M. Hughes, and J. Launchbury. How to give a good research talk. ACM SIGPLAN Notices, 28(11):9-12, Nov 1993. http://doi.acm.org/10.1145/165564.903972

Penetration test
Stage I and III : gain possession of a marked notebook on the UT campus by using social engineering. Stage II : capture a number of flags on a remote server by using standard penetration testing tools. Paper : solve a problem and validate the solution.

35

IntroSec

Paper topics
1. Ranking Attack Scenarios 2. Ethics in Physical Penetration Testing 3. The Personal Chief Security Officer 4. Efficient Implementation of Searchable Encryption 5. Data-based Access Control

6. Privacy Breach from Inter-OSN Inferences

7. Security and Privacy in Body Sensor Networks 8. Tracking Insiders 9. Presenting Soft Policies 10. Alternate Password Entry Methods for Mobile Devices

36

IntroSec

What to do next (1)

Constraints pentesting 12 groups at UT only Sorry, not possible in Nijmegen or Eindhoven Constraint group size 3 By Tuesday 31 Aug at noon, send email to trajce.dimkov@utwente.nl First, second and third topic choice Team name

Allocation published same day

37

IntroSec

What to do next (2)

By the end of this class: Choose team, topic & notebook target Sign documents. By the 5th of September: Read the references associated with the topic. Write outline+abstract for the paper. Scout the notebook target. On the 6th of September after lecture: The physical penetration testing exercise starts. Meet with supervisors to discuss the paper. Labwork 2-5pm room Carr 1175 (bring laptop!)
38
IntroSec