Advanced Operating Systems, CSci555

Advanced Operating Systems, CSci555

USC CSci530 Computer Security Systems Lecture notes Fall 2010 Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems

Lecture 1 August 27, 2010 The Security Problem Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Class home page http://ccss.usc.edu/530 Preliminary Syllabus

Assigned Readings Lecture notes Assignments Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Who gets in If you wish to enroll and do not have D clearance yet, send an email to [email protected] with:

Your name If you completed the prerequisites A phone number Request to received D clearance I will contact and assess if space becomes available Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Structure of lecture Classes from 9:00 AM 11:50 AM 10 minute break halfway through

Final 10 minutes for discussion of current events in security. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Lab Component (see http://ccss.usc.edu/530L) 1 of the 4 units Instructor is David Morgan Instruction 4:30-5:20 Fridays in OHE 122 WebCast via DEN Todays Lab instruction is only a 30 minute introduction Hands on sections, choose from several sessions Provides an opportunity to do hands on work in

OHE 406 lab. Some labs will be done remotely using DETER Must sign up for your preference of session. Details will be provided this afternoon. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Class e-mail: [email protected] Instructor Dr. Clifford Neuman Office hours Friday 12:55-1:55 SAL 212 Contact info on class web page TA

Anas Almajali Hours and contact information will be posted Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Grading Base Grade Reading reports: 5%,5%,5% Exams: 25%, 30% Research paper 30% Supplemental grade (can raise or lower base): Lab exercises Pass(hi,lo)/Fail (adj 15%) Class participation up to 10% bonus

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Blackboard Using the DEN Blackboard system Read announcement http://mapp.usc.edu/ You must accept the terms of service Follow the instructions to obtain access to the Blackboard website. Contact [email protected] if you have difficulty gaining access to the system. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Class Participation This is a large class, but I treat is as smaller. Class participation is important. Ask and answering questions in class. Ask, answer, participate on-line Bonus for class participation If I dont remember you from class, I look in the web discussion forum to check participation. Did you ask good questions. Did you provide good answers. Did you make good points in discussions. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Academic Integrity I take Academic Integrity Seriously Every year I have too many cases of cheating Last year I assigned multiple Fs for the class On occasion, students have been dismissed from program What is and is not OK I encourage you to work with others to learn the material Do not to turn in the work of others Do not give others your work to use as their own Do not plagiarize from others (published or not) Do not try to deceive the instructors See section on web site and assignments More guidelines on academic integrity Links to university resources Dont just assume you know what is acceptable.

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE The Three Aspects of Security Confidentiality Keep data out of the wrong hand Integrity Keep data from being modified Availability Keep the system running and reachable Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Orthogonal Aspects

Policy Deciding what the first three mean Mechanism Implementing the policy Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Important Considerations Risk analysis and Risk Management How important to enforce a policy. Legislation may play a role. The Role of Trust Assumptions are necessary Human factors

The weakest link Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE In The Shoes of an Attacker Motivation Bragging Rights Revenge / to inflict damage Terrorism and Extortion Financial / Criminal enterprises Risk to the attacker Can play a defensive role. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

What is security System, Network, Data What do we want to protect From what perspective How to evaluate Balance cost to protect against cost of compromise Balance costs to compromise with risk and benefit to attacker. Security vs. Risk Management Prevent successful attacks vs. mitigate the consequences. Its not all technical Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Security and Society Does society set incentives for security. OK for criminal aspects of security. Not good in assessing responsibility for allowing attacks. Privacy rules are a mess. Incentives do not capture gray area Spam and spyware Tragedy of the commons Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Why we arent secure

Buggy code Protocols design failures Weak crypto Social engineering Insider threats

Poor configuration Incorrect policy specification Stolen keys or identities Denial of service Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What do we want from security Confidentiality Prevent unauthorized disclosure Integrity Authenticity of document That it hasnt changed Availability

That the system continues to operate That the system and data is reachable and readable. Enforcement of policies Privacy Accountability and audit Payment Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE The role of policy in security architecture Policy Defines what is allowed and how the system and security mechanisms should act. Enforced By Mechanism Provides protection

interprets/evaluates (firewalls, ID, access control, confidentiality, integrity) Implemented as: Software: which must be implemented correctly and according to sound software engineering principles. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security Mechanisms

Encryption Checksums Key management Authentication Authorization Accounting Firewalls

Virtual Private Nets Intrusion detection Intrusion response Development tools Virus Scanners Policy managers Trusted hardware Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Todays security deployment Most deployment of security services today handles the easy stuff, implementing

security at a single point in the network, or at a single layer in the protocol stack: Firewalls, VPNs IPSec SSL Virus scanners Intrusion detection Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE A more difficult problem Unfortunately, security isnt that easy. It must be better integrated with the application. At the level at which it must ultimately

be specified, security policies pertain to application level objects, and identify application level entities (users). Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security Systems vs Systems Security INTRUSION DETECTION UNDER ATTACK

Firewalls Integration of dynamic security services creates feedback path enabling effective response to attacks POLICY Web Servers EACL GAA API ... Databases

IPSec Authentication Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE SECURITY AUDIT RECORDS Loosely Managed Systems

Security is made even more difficult to implement since todays systems lack a central point of control. Home machines unmanaged Networks managed by different organizations. A single function touches machines managed by different parties. Clouds Who is in control? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Who is in Control

The Intruder The Government Your employer The Merchant The credit card companies The credit bureaus Ultimately, it must be you who takes control, but todays systems dont take that view.

Balance conflicting interests and control. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event How does this relate to our discussion 40% of spam from single criminal group San Francisco Chronicle, 8/24/2010 If you've ever wondered who the heck is sending all that unwanted e-mail clogging your inbox, well, it's very likely that 2 in every 5 spam messages you receive are the handiwork of the same group of criminals.

According to a new report from Symantec's MessageLabs, 41 percent of all spam comes from a single botnet known as Rustock. Rustock currently has 1.3 million infected computers under its control, which actually represents a decrease in size from April, when the botnet was 2.5 million computers strong. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE End of Lecture 1 Following slides are start of lecture 2 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530:

Security Systems Lecture 2 September 3, 2010 Cryptography Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Assignment 1 on course web page

http://ccss.usc.edu/530 Due 22 September 2010 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Cryptography and Security Cryptography underlies many fundamental security services Confidentiality Data integrity Authentication It is a basic foundation of much of

security. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE A Brief History Steganography: covered writing Demaratus and wax tablets German microdots (WWII) . Flaw: Discovery yields knowledge Confidentiality through obscurity Cryptography: secret writing TASOIINRNPSTO and TVCTUJUVUJPO

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Encryption used to scramble data PLAINTEXT CIPHERTEXT PLAINTEXT +

+ (KEY) ENCRYPTION (KEY) DECRYPTION Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE The Basics of Cryptography Two basic types of cryptography

TASONO PINSTIR Message broken up into units Units permuted in a seemingly random but reversible manner Difficult to make it easily reversible only by intended receiver Exhibits same first-order statistics Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE The Basics of Cryptography Two basic types of cryptography TRANSPOSITION (TASONOPINSTIR)

Message broken up into units Units permuted in a seemingly random but reversible manner Difficult to make it easily reversible only by intended receiver Exhibits same first-order statistics Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE The Basics (continued) Two basic types of cryptography (cont) TVCTUJUVUJPO Message broken up into units

Units mapped into ciphertext Ex: Caesar cipher First-order statistics are isomorphic in simplest cases Predominant form of encryption Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE The Basics (continued) Two basic types of cryptography (cont) Substitution (TVCTUJUVUJPO) Message broken up into units Units mapped into ciphertext

Ex: Caesar cipher First-order statistics are isomorphic in simplest cases Predominant form of encryption Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE How Much Security? Mono-alphabetic substitution cipher Permutation on message unitsletters 26! different permutations Each permutation considered a key Key space contains 26! = 4x1026 keys

Equals number of atoms in gallon H2O Equivalent to a 88-bit key Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE How Much Security? So why not use substitution ciphers? Hard to remember 26-letter keys But we can restrict ourselves to shorter keys Ex: JULISCAERBDFGHKM, etc Remember: first-order statistics are

isomorphic Vulnerable to simple cryptanalysis Hard-to-read fonts for crypto?! Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Crypto-analytic Attacks Classified as: Cipher text only Adversary see only the ciphertext Known plain text May know some corresponding plaintext (e.g. Login:) Chosen plaintext

Can ask to have text encrypted Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Substitution Ciphers Two basic types Symmetric-key (conventional) Single key used for both encryption and decryption Keys are typically short, because key space is densely filled Ex: AES, DES, 3DES, RC4, Blowfish, IDEA, etc Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Substitution Ciphers Two basic types (cont) Public-key (asymmetric) Two keys: one for encryption, one for decryption Keys are typically long, because key space is sparsely filled Ex: RSA, El Gamal, DSA, etc Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE One Time Pads For confidentiality, One Time Pad provably secure.

Generate truly random key stream size of data to be encrypted. Encrypt: Xor plaintext with the keystream. Decrypt: Xor again with keystream. Weak for integrity 1 bit changed in cipher text causes corresponding bit to flip in plaintext. Key size makes key management difficult If key reused, the cipher is broken. If key pseudorandom, no longer provably secure Beware of claims of small keys but as secure as one time pad such claims are wrong. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Block vs. Stream: Block Block ciphers encrypt message in units called blocks E.g. DES: 8-byte key (56 key bits), 8-byte block AES (discussed later) is also a block cipher. Larger blocks make simple cryptanalysis useless (at least for short messages) Not enough samples for valid statistics 8 byte blocks common But can still tell if something is the same. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Key and Block Size Do larger keys make sense for an 8-byte block? 3DES: Key is 112 or 168 bits, but block is still 8 bytes long (64 bits) Key space is larger than block space But how large is permutation space? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE More on DES Internals More details on the internal operation of DES is covered in the Applied Cryptography class CSci531

But we cover Modes of Operation in this lecture since these modes are important to apply DES, and the same modes can be used for other block ciphers. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Block vs. Stream: Stream Stream ciphers encrypt a bit, byte, or block at a time, but the transformation that is performed on a bit, byte, or block varies depending on position in the input stream and possibly the earlier blocks in the stream. Identical plaintext block will yield a different

cipher text block. Makes cryptanalysis more difficult. DES modes CBC, CFB, and OFB modes (discussed next) create stream ciphers from DES, which is a block cipher. Similar modes available for AES. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE DES Modes of Operation Electronic Code Book (ECB) Encrypt: Decrypt:

x1 x2 x xn x eK eK eK y1

y2 yn yy1 y2 yn dK dK

dK x1 x2 xn Each block encrypted in isolation Vulnerable to block replay Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE DES Modes of Operation Cipher Block Chaining (CBC)

Encrypt: IV Decrypt: I V x1 x2 xn eK

eK eK y1 y1 y2 y2 yn yn dK

dK dK x1 x2 xn Each plaintext block XORd with previous ciphertext Easily incorporated into decryption What if prefix is always the same? IV! Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

DES Modes of Operation Cipher Feedback Mode (CFB) Encrypt: Decrypt: x1 eK x2 x eK

x xn eK IV y1 y2 yn IV

y1 y2 yn eK eK x1 eK x2

xn For encrypting character-at-a-time (or less) Chains as in CBC Also needs an IV Must be Unique Why? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE DES Modes of Operation Output Feedback Mode (OFB) x1 Encrypt: IV

eK Decrypt: IV x x2 eK xn x eK

y1 y2 yn y1 y2 yn eK eK

x1 eK x2 xn Like CFB, but neither ciphertext nor plaintext is fed back to the input of the block encryption. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Variants and Applications 3DES: Encrypt using DES 3x Two and three-key types

Inner and outer-CBC modes Crypt: Unix hash function for passwords Uses variable expansion permutations DES with key-dependent S-boxes Harder to analyze Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 3DES Using Two Keys Can use K1,K2,K3, or K1,K2,K1, or K1,K1,K1 Figure courtesy William Cheng Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

3DES Outer CBC Figure courtesy William Cheng Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 3DES Inner CBC Inner is more efficient, but less secure More efficient due to ability to pipeline implementation Weaker for many kinds of attacks Figure courtesy William Cheng

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Why not Two Round Meet in middle attack makes it not much better than single DES. Figure courtesy William Cheng Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Certification of DES Had to be recertified every ~5 years 1983: Recertified routinely 1987: Recertified after NSA tried to promote secret replacement algorithms Withdrawal would mean lack of protection Lots of systems then using DES 1993: Recertified after continued lack of alternative Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Enter AES 1998: NIST finally refuses to recertify DES

1997: Call for candidates for Advanced Encryption Standard (AES) Fifteen candidates whittled down to five Criteria: Security, but also efficiency Compare Rijndael with Serpent 9/11/13 rounds vs 32 (breakable at 7) 2000: Rijndael selected as AES Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Structure of Rijndael Unlike DES, operates on whole bytes for efficiency of software implementations Key sizes: 128/192/256 bits

Variable rounds: 9/11/13 rounds More details on structure in the applied cryptography class. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security of Rijndael Key size is enough Immune to linear or differential analysis

But Rijndael is a very structured cipher Attack on Rijndaels algebraic structure Breaking can be modeled as equations Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Impact of Attacks on Rijndael Currently of theoretical interest only Reduces complexity of attack to about 2100 Also applicable to Serpent Still, uncomfortably close to feasibility DES is already insecure against brute force

Schneier (somewhat arbitrarily) sets limit at 280 Certainly usable pending further results Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Public Key Cryptography aka asymmetric cryptography Based on some NP-complete problem Unique factorization Discrete logarithms For any b, n, y: Find x such that bx mod n = y Modular arithmetic produces folding

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE A Short Note on Primes Why are public keys (and private keys) so large? What is the probability that some large number p is prime? About 1 in 1/ln(p) When p ~ 2512, equals about 1 in 355 About 1 in 3552 numbers ~ 21024 is product of two primes (and therefore valid RSA modulo) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

RSA Rivest, Shamir, Adleman Generate two primes: p, q Let n = pq Choose e, a small number, relatively prime to (p-1)(q-1) Choose d such that ed = 1 mod (p-1)(q-1) Then, c = me mod n and m = cd mod n Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE An Example Let p = 5, q = 11, e = 3

Then n = 55 d = 27, since (3)(27) mod 40 = 1 If m = 7, then c = 73 mod 55 = 343 mod 55 = 13 Then m should = 1327 mod 55 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE An Example Computing 1327 mod 55 131 mod 55 = 13, 132 mod 55 = 4, 134 mod 55 = 16, 138 mod 55 = 36, 1316 mod 55 = 31 1327 mod 55 = (13)(4)(36)(31) mod

55 = (1872 mod 55)(31) mod 55 = 62 mod 55 = 7 (check) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Other Public Cryptosystems ElGamal (signature, encryption) Choose a prime p, a generator < p Choose a random number x < p Public key is g, p, and y = gx mod p Private key is x; to obtain from public key requires extracting discrete log Mostly used for signatures

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Other Public Cryptosystems Elliptic curve cryptosystems y2 = x3 + ax2 + bx + c Continuous elliptic curves used in FLT proof Discrete elliptic curves used to implement existing public-key systems Allow for shorter keys and greater efficiency Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Digital Signatures Provides data integrity Can it be done with symmetric systems? Verification requires shared key Doesnt provide non-repudiation Need proof of provenance Hash the data, encrypt with private key Verification uses public key to decrypt hash Provides non-repudiation But what does non-repudiation really mean? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Digital Signatures

RSA can be used DSA: Digital Signature Algorithm Variant of ElGamal signature Adopted as part of DSS by NIST in 1994 Slower than RSA (but likely unimportant) NSA had a hand in its design (?!) Key size ranges from 512 to 1024 bits Royalty-free Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Exchange Diffie-Hellman key exchange Choose large prime n, and generator g

For any b in (1, n-1), there exists an a such that ga = b Alice, Bob select secret values x, y, resp Alice sends X = gx mod n Bob sends Y = gy mod n Both compute gxy mod n, a shared secret Can be used as keying material Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE FINISHING UP LAST LECTURE Hash Functions Given m, compute H(m) Should be

Efficient: H() easy to compute One-way: Given H(m), hard to find m such that H(m) = H(m) Collision-resistant: Hard to find m and m such that H(m) = H(m) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE FINISHING UP LAST LECTURE Use of Hashes in Signatures Reduce input to fixed data size MD5 produces 128 bits SHA1 produces 160 bits Encrypt the output using private key

Why do we need collisionresistance? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event How does this relate to our discussion Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives ZDNet - Adrian Kingsley-Hughes | January 6, 2010, 10:04am PST A word of warning to those of you who rely on hardware-based encrypted USB flash drives. Security firm SySS has reportedly

cracked the AES 256-bit hardware-based encryption used on flash drives manufactured by Kingston, SanDisk and Verbatim. The crack relies on a weakness so astoundingly bone-headed that its almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, theres a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always send the same character string to the drive to decrypt the data no matter what the password used. Whats also staggering is that this character string is the same for Kingston, SanDisk and Verbatim USB flash drives. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE End of Lecture 2 Following slides are start of lecture 3

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems Lecture 3 September 10, 2010 Key Management Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE COVERED LAST LECTURE Administration Assignment 1 on course web page http://ccss.usc.edu/530 Due 22 September 2010 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Exchange Diffie-Hellman key exchange Choose large prime n, and generator g

For any b in (1, n-1), there exists an a such that ga = b Alice, Bob select secret values x, y, resp Alice sends X = gx mod n Bob sends Y = gy mod n Both compute gxy mod n, a shared secret Can be used as keying material Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Cryptography in Use Provides foundation for security services Provides confidentiality Validates integrity Provides data origin authentication

If we know the key Where does the key come from Straightforward plan One side generates key Transmits key to other side But how? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Management Key management is where much security weakness lies Choosing keys Storing keys Communicating keys

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What to do with keys Practical issues How to carry them Passwords vs. disks vs. smartcards Where do they stay, where do they go How many do you have How do you get them to begin with. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Bootstrapping Security Exchange the key in person Can exchange key before it is needed. Could be a password. Hide the key in something else Steganography, fairly weak Armored courier If all else fails Send key over the net encrypted But, using what key (bootstrap) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Exchange

Diffie-Hellman key exchange Choose large prime n, and generator g For any b in (1, n-1), there exists an a such that ga = b Alice, Bob select secret values x, y, resp Alice sends X = gx mod n Bob sends Y = gy mod n Both compute gxy mod n, a shared secret Can be used as keying material Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Diffie-Hellman Key Exchange (1) Choose large prime n, and generator g For any b in (1, n-1), there exists an a such

that ga = b. This means that every number mod p can be written as a power of g (mod p). To find such a g, pick the p such that p = 2q + 1 where q is also prime. For such choices of p, half the numbers will be generators, and you can test if a candidate g is a generator by testing whether g^q (mod n) is equal to n-1. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Diffie-Hellman Key Exchange (2)

Alice, Bob select secret values x, y Alice sends X = gx mod n Bob sends Y = gy mod n Both compute gxy mod n, a shared secret Can be used as keying material Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Man in the middle of DH DH provides key exchange, but not authentication

You dont really know you have a secure channel Man in the middle You exchange a key with eavesdropper, who exchanges key with the person you think you are talking to. Eavesdropper relays all messages, but observes or changes them in transit. Solutions: Published public values Authenticated DH (Sign or encrypt DH value) Encrypt the DH exchange Subsequently send hash of DH value, with secret Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Two Cases so Far Can exchange a key with anyone, but you dont know who you are talking with. Can exchange keys with known parties in advance, but are limited to communication with just those parties. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Peer-to-Peer Key Distribution Technically easy Distribute keys in person But it doesnt scale

Hundreds of servers Times thousands of users Yields ~ million keys Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Incremental Key Distribution Build toward Needham-Schroeder and Kerberos mechanisms Key-distribution tied to authentication. If you know who you share a key with, authentication is easy. You want to know who has the key, not just that anyone has it.

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Encryption Based Authentication Proving knowledge of encryption key Nonce = Non repeating value {Nonce or timestamp}KCS C S But where does Kc come from?

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE KDC Based Key Distribution Building up to Needham Schroeder/Kerberos User sends request to KDC: {s} KDC generates a random key: Kc,s Encrypted twice: {Kc,s}Kc, {Kc,s}Ks {Kc,s}Kc called ticket Ticket plus Kc,s called credentials Ticket is opaque and forwarded with application request No keys ever traverse net in the clear Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Kerberos or Needham Schroeder Third-party authentication service Distributes session keys for authentication, confidentiality, and integrity KDC 1. s,n 2. {Kc,sS,n }Kc, {Kc,s C C}Ks

3-5. {Nonce or T}Kcs S Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Problem User now trusts credentials But can server trust user?

How can server tell this isnt a replay? Legitimate user makes electronic payment to attacker; attacker replays message to get paid multiple times Requires no knowledge of session key Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Solution Add challenge-response Server generates second random nonce Sends to client, encrypted in session key Client must decrypt, decrement, encrypt Effective, but adds second round of

messages Can use timestamps as nonces But must remember what seen Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Problem What happens if attacker does get session key? Answer: Can reuse old session key to answer challenge-response, generate new requests, etc Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Solution Replace (or supplement) nonce in request/reply with timestamp [Denning, Sacco] {Kc,s, s, n, t}Kc and {Kc,s, c, t}Ks, resp Also send {t}Kc,s as authenticator Prevents replay without employing second round of messages as in challenge-response Lifetime of ticket Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Problem #5

Each client request yields new verifiable-plaintext pairs Attacker can sit on the network, harvest client request and KDC replies Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Solution #5 Introduce Ticket Granting Server (TGS) Daily ticket plus session keys TGS+AS = KDC This is modified Needham-Schroeder Basis for Kerberos

Pre-authentication Note: not a full solution Makes it slightly harder for adversary. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Kerberos Third-party authentication service Distributes session keys for authentication, confidentiality, and integrity KDC TGS

3. TgsReq 2. T+{Reply}Kc 1. Req 4. Ts+{Reply}Kt C 5. Ts + {ts}Kcs S Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Public Key Distribution Public key can be public! How does either side know who and what the key is for? Private agreement? (Not scalable.) Does this solve key distribution problem? No while confidentiality is not required, integrity is. Still need trusted third party Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Distribution linked to Authentication Its all about knowing who has the keys.

We will revisit Kerberos when we discuss authentication. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Management Key management is where much security weakness lies Choosing keys Storing keys Communicating keys Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Certification Infrastructures Public keys represented by certificates Certificates signed by other certificates User delegates trust to trusted certificates Certificate chains transfer trust up several links Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Examples PGP Web of Trust Can model as connected digraph of signers X.500 Hierarchical model: tree (or DAG?) (But X.509 certificates use ASN.1!) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Examples SSH User keys out of band exchange. Weak assurance of server keys. Was the same host you spoke with last time.

Discussion of benefits SET Hierarchical Multiple roots Key splitting Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Distribution Conventional cryptography Single key shared by both parties Public Key cryptography Public key published to the world Private key known only by owner

Third party certifies or distributes keys Certification infrastructure Authentication Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Practical use of keys Email (PEM or S/MIME or PGP) Hashes and message keys to be distributed and signed. Conferencing Group key management (discussed later) Authentication (next lecture) SSL And other real time protocols

Key establishment Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Recovery from exposed keys Revocation lists (CRLs) Long lists Hard to propogate Lifetime / Expiration Short life allows assurance of validitiy at time of issue. Realtime validation Online Certificate Status Protocol (OCSP) What about existing messages?

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Management Overview Key size vs. data size Affects security and usability Reuse of keys Multiple users, multiple messages Initial exchange The bootstrap/registration problem Confidentiality vs. authentication Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Management Review

KDCs Generate and distribute keys Bind names to shared keys Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Key Management Overview Who needs strong secrets anyway Users? Servers? The Security System? Software? End Systems? Secret vs. Public

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security Architectures DSSA Delegation is the important issue Workstation can act as user Software can act as workstation if given key Software can act as developer if checksum validated Complete chain needed to assume authority Roles provide limits on authority new subprincipal Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Group Key Management Group key vs. Individual key Identifies member of groups vs. which member of group PK slower but allows multiple verification of individuals Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Group Key Management Issues Revoking access Change messages, keys, redistribute Joining and leaving groups

Does one see old message on join How to revoke access Performance issues Hierarchy to reduce number of envelopes for very large systems Hot research topic Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Group Key Management Approaches Centralized Single entity issues keys Optimization to reduce traffic for large groups May utilize application specific knowledges Decentralized

Employs sub managers Distributed Members do key generation May involve group contributions Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Group Key Management Approaches Centralized Single entity issues keys Optimization to reduce traffic for large groups May utilize application specific knowledges Decentralized Employs sub managers Distributed

Members do key generation May involve group contributions Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event How does this relate to our discussion A Strong Password Isnt the Strongest Security By RANDALL STROSS New York Times -September 4, 2010 MAKE your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it never write it down. And, oh yes, change it every few months. These instructions are supposed to protect us. But they dont.

Some computer security experts are advancing the heretical thought that passwords might not need to be strong, or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we arent paying enough attention to more potent threats. Heres one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes including the strongest passwords you can concoct and then sends it surreptitiously to a remote location. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE End of Lecture 3 Following slides are start of lecture 4

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems Lectures 4&5 September 17&24, 2010 Authentication Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Identification vs. Authentication Identification Associating an identity with an individual, process, or request Authentication Verifying a claimed identity Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Basis for Authentication Ideally

Who you are Practically Something you know Something you have Something about you (Sometimes mistakenly called things you are) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Something you know Password or Algorithm e.g. encryption key derived from password Issues Someone else may learn it

Find it, sniff it, trick you into providing it Other party must know how to check You must remember it How stored and checked by verifier Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Examples of Password Systems Verifier knows password Encrypted Password One way encryption Third Party Validation

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Attacks on Password Brute force Dictionary Pre-computed Dictionary Guessing Finding elsewhere Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Something you Have

Cards Mag stripe (= password) Smart card, USB key Time varying password Issues How to validate How to read (i.e. infrastructure) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Something about you Biometrics Measures some physical attribute Iris scan

Fingerprint Picture Voice Issues How to prevent spoofing Suited when biometric device is trusted, not suited otherwise Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Other forms of authentication IP Address Caller ID (or call back) Past transaction information

(second example of something you know) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Enrollment How to initially exchange the secret. In person enrollment Information known in advance Third party verification Mail or email verification Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Multi-factor authentication Require at least two of the classes above. e.g. Smart card plus PIN RSA SecurID plus password (AOL) Biometric and password Issues Better than one factor Be careful about how the second factor is validated. E.g. on card, or on remote system. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

General Problems with Password Space from which passwords Chosen Too many passwords And what it leads to Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Single Sign On Users should log in once And have access to everything Many systems store password lists

Which are easily stolen Better is encryption based credentials Usable with multiple verifiers Interoperability is complicating factor. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Encryption Based Authentication Proving knowledge of encryption key Nonce = Non repeating value {Nonce or timestamp}Kc C

S Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authentication w/ Conventional Crypto Kerberos or Needham Schroeder KDC 1 2 S

C 3,4,5 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authentication w/ PK Crypto Based on public key certificates DS 2 3 C

1 S Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Public Key Cryptography (revisited) Key Distribution Confidentiality not needed for public key Solves n2 problem

Performance Slower than conventional cryptography Implementations use for key distribution, then use conventional crypto for data encryption Trusted third party still needed To certify public key To manage revocation In some cases, third party may be off-line Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Certificate-Based Authentication Certification authorities issue signed certificates Banks, companies, & organizations like

Verisign act as CAs Certificates bind a public key to the name of a user Public key of CA certified by higher-level CAs Root CA public keys configured in browsers & other software Certificates provide key distribution Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Certificate-Based Authentication (2) Authentication steps Verifier provides nonce, or a timestamp is used instead. Principal selects session key and sends it to

verifier with nonce, encrypted with principals private key and verifiers public key, and possibly with principals certificate Verifier checks signature on nonce, and validates certificate. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Secure Sockets Layer (and TLS) Hello Hello + CertS C

{PMKey}Ks [CertC + VerifyC ] VerifyS S Attacker Encryption support provided between Browser and web server - below HTTP layer Client checks server certificate Works as long as client starts with the correct URL Key distribution supported through cert steps Authentication provided by verify steps Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Trust models for certification X.509 Hierarchical Single root (original plan) Multi-root (better accepted) SET has banks as CAs and common SET root PGP Model Friends and Family approach - S. Kent Other representations for certifications No certificates at all Out of band key distribution SSH Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Federated Identity Passport v Liberty Alliance Two versions of Passport Current deployed version has lots of weaknesses and is centralized Version under development is federated and based on Kerberos Liberty Alliance Loosely federated with framework to describe authentication provided by others. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Passport v1 Goal is single sign on Implemented via redirections S 1 2 7 8 3 C 4

5 P 6 Assigned reading: http://avirubin.com/passport.html Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Federated Passport Announced September 2001 Multiple registrars E.g. ISPs register own users Kerberos credentials

Embedded authorization data to pass other info to merchants. Federated Passport is predominantly vaporware today, but .net authentication may be where their federated model went. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Liberty Alliance Answer to MS federated Passport Design criteria was most of the issues addressed by Federated Passport, i.e. no central authority. Got off to slow start, but to date has produced more than passport has.

Use SAML (Security Association Markup Language) to describe trust across authorities, and what assertions means from particular authorities. These are hard problems, and comes to the core of what has kept PKI from being as dominant as orginally envisioned. Phased approach: Single sign on, Web service, Federated Services Infrastrcture. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Federated Identity - Shibboleth Internet 2 Project Federated Administration

Attribute Based Access Control Active Management of Privacy Based on Open SAML Framework for Federation Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Shibboleth - Architecture Service Provider Browser goes to Resource Manager who users WAYF, and users Attribute Requester, and decides whether to grant access. Where are you from service

Redirects to correct servers Federation Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE The Shibboleth Protocol 3. Where are you from? 2. I dont know you, or where you are from 4. Redirect to IdP for your org Client

Web Browser 1. User requests resource 8 5. I dont know you. Authenticate using your orgs web login 1 3 5 2

Service Provider (SP) Web Site WAYF 4 6 7 8. Based on attribute values, allow access to resource 7. I dont know your attributes.

Ask the IdP (peer to peer) Identity Provider (IdP) Web Site LDAP 6. I know you now. Redirect to SP, with a handle for user Source: Kathryn Huxtable [email protected] 10 June 2005 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Generic Security Services API Moving up the Stack Standard interface for choosing among authentication methods Once an application uses GSS-API, it can be changed to use a different authentication method easily. Calls Acquire and release cred Manage security context Init, accept, and process tokens Wrap and unwrap

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authentication in Applications Unix login Telnet RSH SSH HTTP (Web browsing) FTP Windows login SMTP (Email) NFS Network Access Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Unix Login One way encryption of password Salted as defense against pre-computed dictionary attacks To validate, encrypt and compare with stored encrypted password May use shadow password file Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Telnet

A remote login application Normally just an unencrypted channel over which plaintext password sent. Supports encryption option and authentication options using protocols like Kerberos. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE RSH (Remote Shell/Remote Login) Usually IP address and asserted account name.

Privileged port means accept asserted identity. If not trusted, request unix password in clear. Kerberos based options available Kerberos based authentication and optional encryption Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Secure Shell (SSH) Encrypted channel with Unix login Establish encrypted channel, using public key presented by server Send password of user over channel

Unix login to validate password. Public key stored on target machine User generate Public Private key pair, and uploads the public key to directory on target host. Target host validates that corresponding private key is known. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Web Browsing (HTTP) Connect in the clear, Unix Password Connect through SSL, Unix password Digest authentication (RFC 2617)

Server sends nonce Response is MD5 checksum of Username, password, nonce URI User certificate, strong authentication Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File Transfer Protocol Password based authentication or GSS-API based authentication Including use of Kerberos Authentication occurs and then stream is encrypted

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Windows Network Login In Win2K and later uses Kerberos In Win NT Challenge response Server generates 8 byte nonce Prompts for password and hashes it Uses hash to DES encrypt nonce 3 times Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Current event How does this relate to our discussion 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps Denis Fisher - Threat Post Kaperski Lab Security News Service - 9/13/2010 A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications. In this case, ASP.NET's implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some

information about the way that the application's decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it's actually possible. The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application's crypto API. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems

Lectures 5 September 24, 2010 Authentication Continued Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Announcements Mid-term exam Friday October 8th 9AM-10:40AM, location TBD Open Book, Open Note, No Electronics

Lecture from 11-11:50 Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authentication in Applications Unix login Telnet RSH SSH HTTP (Web browsing) FTP Windows login SMTP (Email) NFS

Network Access Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Email SMTP To send mail Usually network address based Can use password Can be SSL protected SMTP after POP Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Email Post Office Protocol Plaintext Password Can be SSL protected Eudora supports Kerberos authent IMAP Password authentication Can also support Kerberos Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Email Message Authentication

PGP and S/MIME Digital Signature on messages Message encrypted in session key Optional Hash of message encrypted in private key Validation using senders public key Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Email Message Authentication SPF and SenderID Authenticate domain of sender

SPF record for domain in DNS Specifies what hosts (i.e. mail server host) can send mail originating from that address. Receivers may validate authorized sender based on record Can falsely reject for forwarded messages Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Email Message Authentication Domain Keys Public key associated with domain in DNS

Originators MTA attaches signature Authenticates senders domain Not individual sender Signature covers specific header fields and possibly part of message. Messages may be forwarded Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File System Authentication Suns Network File System Typically address based Athena Kerberized version Maps authenticated UIDs to addresses

NFS bult on ONC RPC ONC RPC has stronger Kerberos/GSSAPI support Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File System Authentication Andrew File System Based on Andrew RPC Uses Kerberos authentication OSFs DCE File System (DFS) Based on DCE RPC Uses Kerberos authenciation

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Network Access Servers Radius Problem: Not connected to network until connection established Need for indirect authentication Network access server must validate login with radius server. Password sent to radius server encrypted using key between agent and radius server

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Delegated Authentication Usually an authorization problem How to allow an intermediary to perform operations on your behalf. Pass credentials needed to authenticate yourself Apply restrictions on what they may be used for. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Proxies A proxy allows a second principal to operate with the rights and privileges of the principal that issued the proxy Existing authentication credentials Too much privilege and too easily propagated Restricted Proxies By placing conditions on the use of proxies, they form the basis of a flexible authorization mechanism Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Restricted Proxies PROXY CERTIFICATE Conditions: Proxy Grantor Use between 9AM and 5PM Grantee is user X, Netmask is 128.9.x.x, must be able to read this fine print, can you + Proxy Two Kinds of proxies

Proxy key needed to exercise bearer proxy Restrictions limit use of a delegate proxy Restrictions limit authorized operations Individual objects Additional conditions Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authenticating Hardware and Software DSSA Delegation is the important issue Workstation can act as user Software can act as workstation if given key Software can act as developer

if checksum validated Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Next Generation Secure Computing Base (Longhorn) Secure booting provides known hardware and OS software base. Security Kernel in OS provides assurance about the application. Security Kernel in application manages credentials granted to application. Security servers enforce rules on what

software they will interact with. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event See last slide of slide deck Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE End of Lecture 5 Following slides are start of lecture 6

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Lecture 6 1 October 2010 Authorization and Policy Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Annoncements Mid-term Exam Friday October 8 Open Book, Open Note 9AM to 10:40 AM Location TBD Followed by Lecture 11AM-11:40 AM Class on Friday October 15th Class will meet 7:30AM to 9:20AM Shifted time due to USC Presidential Inaugural Activities Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE

Authorization: Two Meanings Determining permission Is principal P permitted to perform action A on object U? Adding permission P is now permitted to perform action A on object U In this course, we use the first sense Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Access Control

Who is permitted to perform which actions on what objects? Access Control Matrix (ACM) Columns indexed by principal Rows indexed by objects Elements are arrays of permissions indexed by action In practice, ACMs are abstract objects Huge and sparse Possibly distributed Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE

Instantiations of ACMs Access Control Lists (ACLs) For each object, list principals and actions permitted on that object Corresponds to rows of ACM Example: Kerberos admin system Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Instantiations of ACMs Capabilities For each principal, list objects and

actions permitted for that principal Corresponds to columns of ACM Example: Kerberos restricted proxies The Unix file system is an example of? Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Problems Permissions may need to be determined dynamically Time

System load Relationship with other objects Security status of host Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Problems Distributed nature of systems may aggravate this ACLs need to be replicated or centralized Capabilities dont, but theyre

harder to revoke Approaches GAA Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Authorization Final goal of security Determine whether to allow an operation. Depends upon Policy Possibly authentication

Other characteristics Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE The role of policy in security architecture Policy Defines what is allowed and how the system and security mechanisms should act. Enforced By Mechanism Provides protection interprets/evaluates (firewalls, ID, access control, confidentiality, integrity) Implemented as:

Software: which must be implemented correctly and according to sound software engineering principles. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 2 COVERED LAST LECTURE Policy: The Access Matrix Policy represented by an Access Matrix Also called Access Control Matrix One row per object One column per subject

Tabulates permissions But implemented by: Row Access Control List Column Capability List Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Policy models: Bell-LaPadula Discretionary Policy Based on Access Matrix Mandatory Policy Top Secret, Secret, Confidential, Unclassified

* Property: S can write O if and only if Level S <= Level O Write UP, Read DOWN Categories treated as levels Form a matrix (more models later in the course) Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Other Policy Models Mandatory Acces Control Bell-Lepadula is an example

Discretionary Access Control Many examples Role Based Access Control Integrity Policies Biba Model Like BellLepadula but inverted Clark Wilson Constrained Data, IVP and TPs Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Role Based Access Control Similar to groups in ACLs, but more general. Multiple phases

Administration Session management Access Control Roles of a user can change Restrictions may limit holding multiple roles simultaneously or within a session, or over longer periods. Supports separation of roles Maps to Organization Structure Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Integrity Policies

Biba Model Like BellLepadula but inverted Clark Wilson Constrained Data, IVP and TPs Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE COVERED LAST LECTURE Authorization Examples Access Matrix Access Control Lists

.htaccess (web servers) Unix file access (in a limited sense) On login lookup groups SSH Authorized Keys Capabilities Unix file descriptors Proxies mix ACLs and capabilities Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE STARTED LAST LECTURE Security is more than mix of point solutions Todays security tools work with no coordinated policy Firewalls and Virtual Private Networks

Authentication and Public Key Infrastructure Intrusion Detection and limited response We need better coordination Intrusion response affected at firewalls, VPNs and Applications Not just who can access what, but policy says what kind of encryption to use, when to notify ID systems. Tools should implement coordinated policies Policies originate from multiple sources Policies should adapt to dynamic threat conditions Policies should adapt to dynamic policy changes triggered by activities like September 11th response. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

4 GAA-API: Integration through Authorization Focus integration efforts on authorization and the management of policies used in the authorization decision. Not really new - this is a reference monitor. Applications shouldnt care about authentication or identity. Separate policy from mechanism Authorization may be easier to integrate with applications. Hide the calls to individual security services E.g. key management, authentication, encryption, audit

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 6 Authorization and Integrated Security Services INTRUSION DETECTION UNDER ATTACK Firewalls Web Servers

EACL GAA API ... Databases IPSec Authentication Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

SECURITY AUDIT RECORDS 7 Generic Authorization and Access-control API Allows applications to use the security infrastructure to implement security policies. gaa_get_object_policy_info function called before other GAA API routines which require a handle to object EACL to identify EACLs on which to operate. Can interpret existing policy databases. gaa_check_authorization function tells application whether requested operation is authorized, or if additional application

specific checks are required SC,obj_id,op input GAA API gaa_get_ object_eacl Application gaa_check_ authorization output

Yes,no,maybe Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 9 Three Phases of Condition Evaluation GAA-API EACL a.isi.edu, connect, Tom gaa_get_object_policy_info() gaa_check_authorization()

T/F/U gaa_execution_control() T/F/U gaa_post_execution_actions() T/F/U System State Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

10 GAA-API Policies originate from multiple sources Discretionary policies associated with objects Read from existing applications or EACLs Local system policies merged with object policies Broadening or narrowing allowed access Policies imported from policy/state issuers ID system issues state credentials, These credentials may embed policy as well. Policies embedded in credentials These policies attach to user/process credentials and apply to access by only specific processes. Policies evaluated remotely Credential issuers (e.g. authentication and authorization

servers) evaluate policies to decide which credentials to issue. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 8 Communicating threat conditions Threat Conditions and New Policies carried in signed certificates Added info in authentication credentials Threat condition credential signed by ID system Base conditions require presentation or availability of credential

Matching the condition brings in additional policy elements. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 11 Integrating security services The API calls must be made by applications. This is a major undertaking, but one which must be done no matter how one chooses to do authorization. These calls are at the control points in the app They occur at auditable events, and this is where

records should be generated for ID systems They occur at the places where one needs to consider dynamic network threat conditions. Adaptive policies use such information from ID systems. They occur at the right point for billable events. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 12 Advances Needed in Policy Ability to merge & apply policies from many sources Legislated policies Organizational policies

Agreed upon constraints Integration of Policy Evaluation with Applications So that policies can be uniformly enforced Support for Adaptive Policies is Critical Allows response to attack or suspicion Policies must manage use of security services What to encrypt, when to sign, what to audit. Hide these details from the application developer. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE GAA - Applications and other integration

Web servers - apache Grid services - globus Network control IPsec and firewalls Remote login applications ssh Trust management Can call BYU code to negotiate credentials Will eventually guide the negotiation steps Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 13

What dynamic policies enable Dynamic policy evaluation enables response to attacks: Lockdown system if attack is detected Establish quarantines by changing policy to establish isolated virtual networks dynamically. Allow increased access between coalition members as new coalitions are formed or membership changes to respond to unexpected events. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

14 Demo Scenario - LockDown You have an isolated local area network with mixed access to web services (some clients authenticated, some not). Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 15a Demo Scenario - LockDown

You have an isolated local area network with mixed access to web services (some clients authenticated, some not). You need to allow incoming authenticated SSH or IPSec connections. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 15b

Demo Scenario - LockDown You have an isolated local area network with mixed access to web services (some clients authenticated, some not). You need to allow incoming authenticated SSH or IPSec connections. When such connections are active, you want to lock down your servers and require stronger authentication and

confidentiality protection on all accesses within the network. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 15c Policies

HIPAA, other legislation Privacy statements Discretionary policies Mandatory policies (e.g. classification) Business policies Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 16 Mechanisms Access Matrix Access Control List

Capability list Unix file system Andrew file system SSH authorized key files Restricted proxies, extended certificates Group membership Payment Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 16 Summary Policies naturally originate in multiple places. Deployment of secure systems requires

coordination of policy across countermeasures. Effective response requires support for dynamic policy evaluation. Such policies can coordinated the collection of data used as input for subsequent attack analysis. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 16 Review for Mid-term Cryptography Basic building blocks Conventional

DES, AES, others Public key RSA Hash Functions Modes of operation Stream vs. Block Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Mid-term Key Management Pairwise key management Key storage Key generation Group key management

Public key management Certification Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Mid-term Authentication: Know, Have, About you Unix passwords Kerberos and NS Public Key Single Sign On Applications and how they do it Weaknesses

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Mid-term Authorization and Policy: Access Matrix ACL Capability Bell Lapadula Dynamic Policy Management Delegation Importance of getting policy right Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Current Event See Final Slide in Slide Deck Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems Lecture 7, October 8 2010 (Following Mid-term exam) Introduction to Malicious Code

ADVANCE SLIDES Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Classes of Malicious Code How propagated Trojan Horses Embedded in useful program that others will want to run. Covert secondary effect. Viruses

When program started will try to propagate itself. Worms Exploits bugs to infect running programs. Infection is immediate. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Classes of Malicious Code The perceived effect Viruses Propagation and payload Worms Propagation and payload

Spyware Reports back to others Zombies Controllable from elsewhere Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Activities of Malicious Code Modification of data Propagation and payload Spying Propagation and payload Advertising Reports back to others or uses locally Propagation

Controllable from elsewhere Self Preservation Covering their tracks Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Defenses to Malicious Code Detection Virus scanning Intrusion Detection Least Privilege Dont run as root Separate users IDs Sandboxing Limit what the program can do

Backup Keep something stable to recover Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Trojan Horses A desirable documented effect Is why people run a program A malicious payload An undocumented activity that might be counter to the interests of the user. Examples: Some viruses, much spyware. Issues: how to get user to run program. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Trojan Horses Software that doesnt come from a reputable source may embed trojans. Program with same name as one commonly used inserted in search path. Depending on settings, visiting a web site or reading email may cause program to execute. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Viruses

Resides within another program Propagates itself to infect new programs (or new instances) May be an instance of Trojan Horse Email requiring manual execution Infected program becomes trojan Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Viruses Early viruses used boot sector Instruction for booting system Modified to start virus then system.

Virus writes itself to boot sector of all media. Propagates by shared disks. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Viruses Some viruses infect program Same concept, on start program jumps to code for the virus. Virus may propagate to other programs then jump back to host. Virus may deliver payload. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES

INSTITUTE Recent Viruses Spread by Email Self propagating programs Use mailbox and address book for likely targets. Mail program to targeted addresses. Forge sender to trick recipient to open program. Exploit bugs to cause auto execution on remote site. Trick users into opening attachments. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Viruses Phases Insertion Phase How the virus propagates Execution phase Virus performs other malicious action Virus returns to host program Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Analogy to Real Viruses Self propagating Requires a host program to replicate. Similar strategies

If deadly to start wont spread very far it kills the host. If infects and propagates before causing damage, can go unnoticed until it is too late to react. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE How Viruses Hide Encrypted in random key to hide signature. Polymorphic viruses changes the code on each infection. Some viruses cloak themselves by trapping system calls.

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Macro Viruses Code is interpreted by common application such as word, excel, postscript interpreter, etc. May be virulent across architectures. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Worms Propagate across systems by exploiting

vulnerabilities in programs already running. Buffer overruns on network ports Does not require user to run the worm, instead it seeks out vulnerable machines. Often propagates server to server. Can have very fast spread times. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Delayed Effect Malicious code may go undetected if effect is delayed until some external event.

A particular time Some occurrence An unlikely event used to trigger the logic. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Zombies/Bots Machines controlled remotely Infected by virus, worm, or trojan Can be contacted by master May make calls out so control is possible even through firewall. Often uses IRC for control.

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Spyware Infected machine collect data Keystroke monitoring Screen scraping History of URLs visited Scans disk for credit cards and password. Allows remote access to data. Sends data to third party. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Some Spyware Local Might not ship data, but just uses it To pop up targeted ads Spyware writer gets revenue for referring victim to merchant. Might rewrite URLs to steal commissions. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Theory of Malicious Code Can not detect a virus by determining whether a program

performs a particular activity. Reduction from the Halting Problem But can apply heuristics Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Defenses to Malicious Code Detection Signature based Activity based Prevention Prevent most instances of memory used as both data and code

Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Defenses to Malicious Code Sandbox Limits access of running program So doesnt have full access or even users access. Detection of modification Signed executables Tripwire or similar Statistical detection Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Root Kits Hide traces of infection or control Intercept systems calls Return false information that hides the malicious code. Returns fall information to hide effect of malicious code. Some root kits have countermeasures to attempts to detect the root kits. Blue pill makes itself hyper-root Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Best Detection is from the Outside

Platform that is not infected Look at network packets using external device. Mount disks on safe machine and run detection on the safe machine. Trusted computing can help, but still requires outside perspective Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Economics of Malicious Code

Controlled machines for sale Protection for sale Attack software for sale Stolen data for sale Intermediaries used to convert online balances to cash. These are the pawns and the ones that are most easily caught Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Economics of Adware and Spam Might not ship data, but just uses it To pop up targeted ads Spyware writer gets revenue for referring victim to merchant. Might rewrite URLs to steal commissions. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event How does this relate to our discussion

Mouse over' security flaw causes Twitter trouble By John D. Sutter, CNN - September 22, 2010 -- Updated 1015 GMT (CNN) -- Thousands -- possibly hundreds of thousands -- of Twitter users have been hit by a security bug that causes potentially dangerous content to appear on computer screens without warning, according to a researcher at the security firm Sophos. When users of the popular site "mouse over" a link on Twitter.com, the content appears even if the person did not click on it, says Graham Cluley, the researcher, who recommends users avoid Twitter.com until the issue is fixed. "It's obviously the most natural thing in the world just to move the mouse across the screen," he said in an interview with CNN. "You don't have to click on a link." The bad links may also be retweeted, or sent to that person's followers,

which causes the security flaw to spread across the network. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event How does this relate to our discussion Web snooping is a dangerous move By Bruce Schneier, Special to CNN - September 29, 2010

CNN) -- On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones. The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and to provide law enforcement with back doors that enable them to bypass any security measures. These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that's obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. Any surveillance system invites both criminal appropriation and government abuse. Function

creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different. Official misuses are bad enough, but the unofficial uses are far more worrisome. The most serious known misuse of a telecommunications surveillance infrastructure took place in Greece. Between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government. Ericsson built this wiretapping capability into Vodafone's products, but enabled it only for governments that requested it. Greece wasn't one of those governments, but some still unknown party -- a rival political group? organized crime? -- figured out how to surreptitiously turn the feature on. Copyright 1995-2010 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Recently Viewed Presentations

  • A Reed Family Photo Album - MarkandDora.com

    A Reed Family Photo Album - MarkandDora.com

    Arial Default Design A Reed Family Photo Album Slide 2 Slide 3 Slide 4 Slide 5 Slide 6 Slide 7 Slide 8 Slide 9 Slide 10 Slide 11 Slide 12 Slide 13 Slide 14 Slide 15 Slide 16 Slide 17...
  • VCE &#x27;All Studies&#x27; Mean - Keilor Downs College

    VCE 'All Studies' Mean - Keilor Downs College

    Registered students will be sitting an entrance exam which, is an ACER national test, on Saturday 28th April. SEAL students are a separate home group who work at an accelerated pace in most of their subjects. This is a special...
  • Label Confusion - MN PIE

    Label Confusion - MN PIE

    Recent Progress on Labeling . The Label Review Manual has been revised and updated. ... For the Sevin label again, it notes waterproof and if you want to know the ones from the chart, the chart letter. No too bad....
  • 2015 Trifecta 1.0

    2015 Trifecta 1.0

    Hand Hygiene…. and relationship to infection prevention . 1847 Ignaz Semmelweis opened the discussion around hands carrying "cadaverous particles" and possible cause of puerperal fever mortality following childbirth. Reducing incidence from 20% to about 2% with antiseptic hand cleansing. 1850's...
  • Hamburger Paragraphs

    Hamburger Paragraphs

    Hamburger Paragraphs. VS. write. paragraph. The Topic Sentence (Top Bun) Very first sentence of your paragraph. Always needs to be indented. Introduce your main idea/topic of the paragraph. There are many reasons that I love to teach. First of all,...
  • Dealer: Application-aware Request Splitting for Interactive Cloud Applications

    Dealer: Application-aware Request Splitting for Interactive Cloud Applications

    Contributions. Introduce Dealer to help interactive multi-tier applications respond to transient variability in performance in cloud. Split requests at component granularity (rather entire DC) Pick best combination of component replicas (potentially across multiple DC's) to serve each individual request
  • Iterating: structure to regression

    Iterating: structure to regression

    Fits a latent class linear mixed model (LCLMM) also known as growth mixture model or heterogeneous linear mixed model. LCLMM consists in assuming that the population is divided in a finite number of latent classes; each latent class is characterized...
  • World War II Diary - Ms. McDonagh-Vella&#x27;s Classes

    World War II Diary - Ms. McDonagh-Vella's Classes

    EVERYTHING!" "Pearl Harbour is a United States Navy base that is located in Oahu, Hawaii. It is home to the Pacific Fleet." "Tomorrow we are going to begin our journey from Etorofu Island in the Kurils to Oahu…It will take...