Security Protocols • Security protocols are the intellectual core of security engineering • They are where cryptography and system mechanisms meet • They allow trust to be taken from where it exists to where it's needed • But they are much older than computers…
A Simple Authentication • An infrared token used in some multi-storey parking garages to enable subscribers to raise the barrier. • It first transmits its serial number, then transmits an authentication block consisting of the same serial number followed by a random number, all encrypted under a key unique to the device: • T → G: T, {T, N}_KT • The in-car token sends its name T, followed by the encryption under KT of T concatenated with N, where N stands for "number used once", or nonce.
A Simple Authentication • Key management: a typical garage token's key KT is simply its serial number encrypted under a global master key KM known to the central server: • KT = {T}_KM • This is known as key diversification: the server stores one key and recomputes KT from T on demand. • It gives a very simple way of implementing access tokens and is widely used in smartcard-based systems as well.
A Simple Authentication: Common Mistake • The receiver only checks that the nonce differs from the one in the previous transmission. • Given two valid codes A and B, the series ABABAB... was then interpreted as a series of independently valid codes. • In one car lock, the thief could open the door by replaying the last-but-one code.
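The garage protocol above, with key diversification and the "nonce differs from last time" mistake beside a correct replay check, as an added example (this is not code from the slides). It is stdlib-only: HMAC-SHA256 stands in for the block cipher, both for diversifying the key (KT = HMAC(KM, T) instead of {T}_KM) and for the authentication block ({T, N}_KT becomes HMAC(KT, T||N)); the serial number `T-0042`, the policy names and the class layout are this example's own.

```python
"""Garage-token authentication  T -> G : T, {T, N}_KT  with KT = {T}_KM.

Added example, not code from the slides. HMAC-SHA256 stands in for the block
cipher. Because a MAC is not invertible, the nonce N travels in clear next to
the tag; with real encryption it would be recovered by decrypting the block.
"""
import hashlib
import hmac
import os


def diversify(km: bytes, serial: bytes) -> bytes:
    """Key diversification: the server never stores KT, it recomputes it from KM and T."""
    return hmac.new(km, serial, hashlib.sha256).digest()


def auth_block(kt: bytes, serial: bytes, nonce: bytes) -> bytes:
    """Stand-in for {T, N}_KT."""
    return hmac.new(kt, serial + nonce, hashlib.sha256).digest()


class Token:
    """In-car token: knows only its own serial number T and its own key KT."""

    def __init__(self, serial: bytes, kt: bytes):
        self.serial, self.kt = serial, kt

    def transmit(self) -> tuple:
        nonce = os.urandom(8)
        return self.serial, nonce, auth_block(self.kt, self.serial, nonce)


class Garage:
    """Barrier controller G. policy='last-only' is the flawed check from the
    slide; policy='all-seen' remembers every nonce accepted per token."""

    def __init__(self, km: bytes, policy: str = "last-only"):
        self.km, self.policy = km, policy
        self.last = {}   # serial -> last accepted nonce
        self.seen = {}   # serial -> set of all accepted nonces

    def verify(self, serial: bytes, nonce: bytes, block: bytes) -> bool:
        kt = diversify(self.km, serial)
        if not hmac.compare_digest(block, auth_block(kt, serial, nonce)):
            return False  # wrong key or tampered block
        if self.policy == "last-only":
            if self.last.get(serial) == nonce:
                return False
            self.last[serial] = nonce
            return True
        used = self.seen.setdefault(serial, set())
        if nonce in used:
            return False
        used.add(nonce)
        return True


def replay_abab(policy: str) -> list:
    """Thief records two genuine transmissions A and B, then replays A B A B."""
    km, serial = os.urandom(32), b"T-0042"
    token, garage = Token(serial, diversify(km, serial)), Garage(km, policy)
    a, b = token.transmit(), token.transmit()
    assert garage.verify(*a) and garage.verify(*b)  # the owner's own two uses
    return [garage.verify(*m) for m in (a, b, a, b)]


def forged_block_rejected() -> bool:
    """A token with the right serial number but a guessed key gets nowhere."""
    km, serial = os.urandom(32), b"T-0042"
    impostor = Token(serial, os.urandom(32))
    return not Garage(km).verify(*impostor.transmit())


if __name__ == "__main__":
    print("last-only:", replay_abab("last-only"))  # every replay accepted
    print("all-seen :", replay_abab("all-seen"))   # every replay rejected
```

The strong policy costs per-token state on the receiver, which is exactly what a cheap one-way token cannot assume of a barrier controller; that trade-off is why such systems fall back on counters, with the wrap-around and loss-of-sync problems listed on the "What goes wrong" slide.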
Car unlocking protocols: Challenge Response • Principals are the engine controller E and the car key transponder T • Static: T → E: KT • Non-interactive: T → E: T, {T, N}_KT • Interactive: E → T: N; T → E: {T, N}_KT • N is a 'nonce', for 'number used once'. • As the car key is inserted into the steering lock, the engine management unit sends a challenge, consisting of a random n-bit number, to the key over a short-range radio signal. • The car key computes a response by encrypting the challenge.
What goes wrong • In cheap devices N may be random or a counter: one-way communication and no clock • It can be too short, and wrap around • If it's random, how many do you remember? (the valet attack) • Counters and timestamps can lose sync, leading to DoS attacks • There are also weak ciphers: Eli Biham's 2008 attack on the Keeloq cipher (2^16 chosen challenges, then 500 CPU days' analysis; some other vendors authenticate challenges)
Problems • This is still not bulletproof. • In one system, the random numbers generated by the engine management unit turned out to be rather predictable, so a thief could interrogate the key in the car owner's pocket, as he passed, with the anticipated next challenge, and then present the stored answer to the car.
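The interactive protocol E → T: N; T → E: {T, N}_KT, with the predictable-challenge attack of the slide above played out, as an added example (not code from the slides). HMAC-SHA256 over T||N stands in for encrypting {T, N} under KT. The "weak" engine unit draws N from a 16-bit linear congruential generator whose parameters are constructed here to make it predictable; the "strong" one uses `os.urandom`. Key name `KEY-1`, the seed and the class layout are this example's own.

```python
"""Interactive car unlock  E -> T : N ;  T -> E : {T, N}_KT  and why N's quality matters.

Added example, not code from the slides. HMAC-SHA256 stands in for encryption
under KT; the 16-bit LCG below is a constructed stand-in for a bad RNG.
"""
import hashlib
import hmac
import os


def response(kt: bytes, name: bytes, nonce: bytes) -> bytes:
    """Stand-in for {T, N}_KT."""
    return hmac.new(kt, name + nonce, hashlib.sha256).digest()


def lcg_next(state: int) -> int:
    """Toy 16-bit LCG (assumed parameters). Given one output, the next is fixed."""
    return (75 * state + 74) % (1 << 16)


class Transponder:
    """Key fob T: answers any challenge it hears, including a thief's."""

    def __init__(self, name: bytes, kt: bytes):
        self.name, self.kt = name, kt

    def respond(self, nonce: bytes) -> bytes:
        return response(self.kt, self.name, nonce)


class EngineUnit:
    """E: issues a challenge, then checks the response against its copy of KT."""

    def __init__(self, key_name: bytes, kt: bytes, predictable: bool, seed: int = 4321):
        self.key_name, self.kt, self.predictable = key_name, kt, predictable
        self.state = seed
        self.pending = None  # outstanding challenge, if any

    def challenge(self) -> bytes:
        if self.predictable:
            self.state = lcg_next(self.state)
            self.pending = self.state.to_bytes(2, "big")   # short and predictable
        else:
            self.pending = os.urandom(8)
        return self.pending

    def accept(self, resp: bytes) -> bool:
        ok = self.pending is not None and hmac.compare_digest(
            resp, response(self.kt, self.key_name, self.pending))
        self.pending = None  # a challenge can be answered once
        return ok


def pocket_attack(predictable: bool) -> bool:
    """1. Thief eavesdrops one genuine start and learns the last challenge.
    2. Thief guesses the next challenge and asks the owner's key (in their
       pocket, over short-range radio) to answer it.
    3. Thief walks to the car and replays the stored answer."""
    kt, name = os.urandom(32), b"KEY-1"
    car, fob = EngineUnit(name, kt, predictable), Transponder(name, kt)

    last = car.challenge()                 # owner starts the car; thief listens
    assert car.accept(fob.respond(last))

    if predictable:
        guess = lcg_next(int.from_bytes(last, "big")).to_bytes(2, "big")
    else:
        guess = os.urandom(8)              # no better than a blind guess
    stored = fob.respond(guess)            # the owner's key answers obligingly

    car.challenge()                        # thief at the car: the real challenge
    return car.accept(stored)              # True means the car unlocked


if __name__ == "__main__":
    print("predictable N:", pocket_attack(True))
    print("random N     :", pocket_attack(False))
```

The key itself is never broken: the fob answers any challenge presented to it, so the whole protocol rests on the car's challenges being unguessable. The same shape applies to the password-generator slide that follows, where S plays the engine unit and the generator P plays the fob.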
Two-factor authentication (password generator) • S → U: N • U → P: N, PIN • P → U: {N, PIN}_KP • S: server, P: password generator, U: user
IFF (2)
• Several MiGs had loitered in southern Angola, just north of the South African air defense belt, until a flight of SAAF Impala bombers raided a target in Angola. • The MiGs then turned sharply and flew openly through the SAAF's air defenses, which sent IFF challenges. • The MiGs relayed the challenges to the Angolan air defense batteries, which transmitted them at a SAAF bomber; • the bomber's responses were relayed back in real time to the MiGs, which retransmitted them and were allowed through.
IFF (3) • The middleman attack is very general: Conway discussed how to beat a grandmaster at postal chess by relaying moves between two grandmasters. • The fix for the man-in-the-middle attack is often application specific. • E.g. NATO mode 12 IFF: 32-bit encrypted challenge (to prevent the enemy using IFF to locate aircraft beyond radar range) at a rate of 250 per second.
Identify Friend or Foe (IFF) • Basic idea: the fighter challenges the bomber • F → B: N • B → F: {N}_K • But what if the bomber reflects the challenge back at the fighter's wingman F'? • F → B: N • B → F': N • F' → B: {N}_K • B → F: {N}_K
Overcoming the Reflection Attack • In many cases it is sufficient to include the names of the two parties in the authentication exchange. • Require a friendly bomber to reply to the challenge • F → B: N • with a response such as • B → F: {B, N}_K • Thus a reflected response {F, N}_K (or {F', N}_K from the fighter pilot's wingman) can be detected.
Reflection Attacks • Mutual authentication: suppose that a simple challenge-response IFF system, designed to stop anti-aircraft gunners attacking friendly aircraft, also had to be deployed in a fighter-bomber. • Now suppose the air force simply installed one of its air gunners' challenge units in each aircraft and connected it to the fire-control radar. • An enemy bomber might then reflect a challenge back at our fighter, get a correct response, and reflect that back as its own response:
Source: Ross Anderson
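The reflection attack of the three IFF slides above and the fix of naming the responder, as an added example (not code from the slides or from Anderson). All friendly aircraft share one key K, as on the slides, and HMAC-SHA256 stands in for encryption under K; the aircraft names F, F' (wingman) and B are the slides', the enemy aircraft that relays messages is modelled by the attack function itself, and the class layout is this example's own.

```python
"""IFF challenge-response: F -> B : N, B -> F : {N}_K  versus  B -> F : {B, N}_K.

Added example, not code from the slides. HMAC-SHA256 stands in for {.}_K.
"""
import hashlib
import hmac
import os


def tag(k: bytes, data: bytes) -> bytes:
    return hmac.new(k, data, hashlib.sha256).digest()


def reply(k: bytes, name: bytes, nonce: bytes, include_names: bool) -> bytes:
    """{name, N}_K when names are included, plain {N}_K otherwise."""
    return tag(k, name + nonce) if include_names else tag(k, nonce)


class Aircraft:
    """Every aircraft both challenges and answers: the 'mutual' deployment on
    the slide, where fighters carry the gunners' challenge unit."""

    def __init__(self, name: bytes, k: bytes, include_names: bool):
        self.name, self.k, self.include_names = name, k, include_names
        self.pending = None

    def answer(self, nonce: bytes) -> bytes:
        return reply(self.k, self.name, nonce, self.include_names)

    def challenge(self) -> bytes:
        self.pending = os.urandom(8)
        return self.pending

    def check(self, claimed_peer: bytes, resp: bytes) -> bool:
        """Accept only a reply bound to the identity the peer claims."""
        if self.pending is None:
            return False
        expected = reply(self.k, claimed_peer, self.pending, self.include_names)
        self.pending = None
        return hmac.compare_digest(resp, expected)


def friendly_bomber_passes(include_names: bool) -> bool:
    k = os.urandom(32)
    f, b = Aircraft(b"F", k, include_names), Aircraft(b"B", k, include_names)
    n = f.challenge()                 # F -> B : N
    return f.check(b"B", b.answer(n)) # B -> F : {N}_K or {B, N}_K


def reflection_attack(include_names: bool) -> bool:
    """An enemy aircraft X, challenged by F, relays N to F's wingman F' and
    relays F''s answer back to F while claiming to be a friendly bomber B."""
    k = os.urandom(32)
    f, wingman = Aircraft(b"F", k, include_names), Aircraft(b"F'", k, include_names)
    n = f.challenge()                 # F -> X : N
    relayed = wingman.answer(n)       # X -> F' : N ;  F' -> X : {N}_K or {F', N}_K
    return f.check(b"B", relayed)     # X -> F : that reply;  True = attack worked


if __name__ == "__main__":
    print("plain {N}_K   -> reflection accepted:", reflection_attack(False))
    print("named {B,N}_K -> reflection accepted:", reflection_attack(True))
```

Naming the responder defeats reflection because the wingman can only ever produce {F', N}_K. It does nothing against the relay attack of the Angola story: a reply relayed from a genuine bomber carries the genuine bomber's name, which is why the slide calls the man-in-the-middle fix application specific.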
The Power of Security Policy Modeling 1. Message authentication code (MAC): a data-integrity mechanism that provides integrity but no confidentiality. 2. Chosen-plaintext-secure encryption (CPA-secure encryption) provides confidentiality against eavesdropping, but is not secure against an active attacker who tampers with traffic. 3. Intuitively, combining the two primitives should provide both confidentiality and integrity against an active adversary. – How should the two be integrated?
Integrating Confidentiality and Integrity • Two independent keys are used, one for encryption and one (k_m) for the MAC • x || y denotes the concatenation of x and y
During decryption, if the integrity tag fails to verify, the decryption algorithm outputs a distinguished symbol (⊥) to indicate an error. Which method is right, and which is better?
Threat Model • Threat model associated with authenticated encryption: – the attacker is able to obtain the encryption of arbitrary messages of its choice – Attacker's goal: • learn information about the decryption of a well-formed challenge ciphertext (thereby defeating confidentiality), • or generate a new well-formed ciphertext different from all ciphertexts previously given to the attacker (thereby defeating integrity). • If the attacker can do neither, we say that the system provides authenticated encryption.
Choice: TLS (MAC-then-encrypt, as used by TLS 1.0 to 1.2 with stream and CBC ciphers; TLS 1.3 uses AEAD ciphers only) • Not generically secure: – there are specific instances of encryption and MAC for which the TLS combination does not provide authenticated encryption. – However, for specific encryption systems, such as randomized counter-mode encryption, the TLS method provides authenticated encryption even if the MAC is only weakly secure (so-called one-time secure). The reason is that the MAC is protected by the encryption and therefore need not be a fully secure MAC; weak MAC security is sufficient.
Choice: IPsec (encrypt-then-MAC) • The IPsec construction can be shown to provide authenticated encryption for any MAC and any CPA-secure encryption. • The basic reason is that the MAC locks the ciphertext, so any modification of the ciphertext en route is detected by the decryptor before the ciphertext is ever decrypted.
Choice: SSH (encrypt-and-MAC) • The SSH construction is known to be secure when a very specific MAC is used, but may not be secure for a general-purpose MAC. To see why, recall that a MAC need not preserve confidentiality, and therefore MAC(k_m, m), which is sent alongside the ciphertext, may leak information about the encrypted plaintext.
Choices • Based on these comparisons, a designer can choose the appropriate method for the application at hand. – When counter-mode encryption is used, the TLS construction is adequate even if a simple MAC is used. – Otherwise, one should use the IPsec construction. • This clear understanding is only made possible by the precise formulation of authenticated encryption.
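The three compositions discussed on the TLS, IPsec and SSH slides, implemented side by side so that the behaviour the slides describe can be observed, as an added example (not code from the slides or the referenced paper). Key names `ke`/`km`, the layout nonce || body || tag, and the message lengths are this example's assumptions. It is stdlib-only: the "cipher" is randomized counter mode with a keystream derived from HMAC-SHA256 (a stand-in for AES-CTR), the MAC is HMAC-SHA256, and a failed check returns `None` in the role of the slides' distinguished error symbol.

```python
"""Three generic compositions of a CPA-secure cipher E and a MAC:
  TLS   (MAC-then-Encrypt):  E(ke, m || MAC(km, m))
  IPsec (Encrypt-then-MAC):  c = E(ke, m);  c || MAC(km, c)
  SSH   (Encrypt-and-MAC):   E(ke, m) || MAC(km, m)

Added example, not code from the slides. HMAC-SHA256 in counter mode stands in
for the cipher; None stands in for the error symbol.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()


def ctr_xor(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    """Randomized counter mode: keystream block i = PRF(ke, nonce || i)."""
    stream = b""
    for i in range((len(data) + 31) // 32):
        stream += hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def tls_enc(ke, km, m):
    nonce = os.urandom(NONCE_LEN)
    return nonce + ctr_xor(ke, nonce, m + mac(km, m))   # tag is inside the ciphertext


def tls_dec(ke, km, c):
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    if len(body) < TAG_LEN:
        return None
    p = ctr_xor(ke, nonce, body)
    m, t = p[:-TAG_LEN], p[-TAG_LEN:]
    return m if hmac.compare_digest(t, mac(km, m)) else None


def ipsec_enc(ke, km, m):
    nonce = os.urandom(NONCE_LEN)
    c = nonce + ctr_xor(ke, nonce, m)
    return c + mac(km, c)                                # tag locks the whole ciphertext


def ipsec_dec(ke, km, c):
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    body, t = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(t, mac(km, body)):
        return None                                      # reject before decrypting
    return ctr_xor(ke, body[:NONCE_LEN], body[NONCE_LEN:])


def ssh_enc(ke, km, m):
    nonce = os.urandom(NONCE_LEN)
    return nonce + ctr_xor(ke, nonce, m) + mac(km, m)    # tag over plaintext, in clear


def ssh_dec(ke, km, c):
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, t = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
    m = ctr_xor(ke, nonce, body)
    return m if hmac.compare_digest(t, mac(km, m)) else None


SCHEMES = {"tls": (tls_enc, tls_dec), "ipsec": (ipsec_enc, ipsec_dec), "ssh": (ssh_enc, ssh_dec)}


def roundtrip_ok(scheme: str, m: bytes = b"transfer 100 to alice") -> bool:
    enc, dec = SCHEMES[scheme]
    ke, km = os.urandom(32), os.urandom(32)
    return dec(ke, km, enc(ke, km, m)) == m


def tamper_detected(scheme: str) -> bool:
    """Flip one ciphertext bit: with counter mode all three compositions detect it."""
    enc, dec = SCHEMES[scheme]
    ke, km = os.urandom(32), os.urandom(32)
    c = bytearray(enc(ke, km, b"transfer 100 to alice"))
    c[NONCE_LEN] ^= 0x01
    return dec(ke, km, bytes(c)) is None


def tag_reveals_equal_plaintexts(scheme: str) -> bool:
    """The SSH slide's point: a MAC over the plaintext, sent in clear, lets an
    eavesdropper see that two ciphertexts hide the same message."""
    enc, _ = SCHEMES[scheme]
    ke, km = os.urandom(32), os.urandom(32)
    c1, c2, c3 = enc(ke, km, b"yes"), enc(ke, km, b"yes"), enc(ke, km, b"no!")
    tags_equal = c1[-TAG_LEN:] == c2[-TAG_LEN:] and c1[-TAG_LEN:] != c3[-TAG_LEN:]
    return tags_equal and c1[NONCE_LEN:-TAG_LEN] != c2[NONCE_LEN:-TAG_LEN]
```

Note what the experiment can and cannot show: with counter-mode encryption all three constructions reject a modified ciphertext, which matches the "TLS is adequate with counter mode" conclusion on the Choices slide; the counterexamples to generic MAC-then-encrypt involve other cipher modes and are not reproduced here. The SSH leak, by contrast, is visible directly: the deterministic tag in the clear tells an eavesdropper when two messages are equal, while the same test on the TLS and IPsec layouts shows nothing.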
What do we learn • Using the definition of authenticated encryption, the National Institute of Standards and Technology (NIST) was able to publish precise encryption modes, CCM and GCM, designed to meet the definition • Once the goals of authenticated encryption were clearly spelled out, it turned out that authenticated encryption can be built far more efficiently than by combining separate encryption and MAC algorithms
Reference: C. Landwehr et al., "Privacy and Cybersecurity: The Next 100 Years", Proceedings of the IEEE, vol. 100, 13 May 2012.
Protection from Untrusted Interaction • Vulnerabilities • Malware • Insufficient control • User-oriented access control (DAC, MAC in the sense of mandatory access control, RBAC, …): it is typical for active entities (known as 'subjects') to have access to all of the user's privileges, regardless of the privileges actually required by the program being run.
Running untrusted code • Need to run buggy/untrusted code: – programs from untrusted Internet sites: • apps, extensions, plug-ins, codecs for media players – exposed applications: PDF viewers, Outlook – legacy daemons: sendmail, bind – honeypots • Goal: if the application "misbehaves" ⇒ kill it
User-Oriented Control • User-oriented access controls do not sufficiently mitigate the malware threat: – Man-in-the-middle attacks can intercept communications between hosts and insert malware via trusted websites and hosts, • and can even intercept "secure" encrypted communications. – Viruses copy themselves into other programs. – Worms propagate across networks, often by exploiting software vulnerabilities. – Trojan horses pose as legitimate programs. – Malware can be sent by email in targeted attacks.
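A minimal version of the "if it misbehaves, kill it" goal above: run an untrusted program under per-process resource limits and a wall-clock budget, as an added example (not code from the slides). It is POSIX-only (the `resource` module and `preexec_fn`), and the limit values, the result dictionary and the helper `python_cmd` are this example's own choices. Rlimits bound what a program consumes, not what it may touch: the child still sees the caller's files, network and user ID, so a real sandbox layers namespaces, seccomp, a separate user or a VM on top of this.

```python
"""Confine an untrusted program: bound CPU, address space and file output, and
kill it when it exceeds a wall-clock budget.

Added example, not code from the slides. POSIX only.
"""
import resource
import signal
import subprocess
import sys


def _limits(cpu_seconds: int, mem_bytes: int, file_bytes: int):
    def apply():  # runs in the child between fork() and exec()
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_FSIZE, (file_bytes, file_bytes))
    return apply


def run_confined(argv, *, cpu_seconds=2, mem_bytes=1 << 31,
                 file_bytes=1 << 20, wall_seconds=5) -> dict:
    """Run argv under limits; returns {'status': ok|error|killed, 'reason', 'stdout'}."""
    try:
        proc = subprocess.run(argv, capture_output=True, stdin=subprocess.DEVNULL,
                              timeout=wall_seconds,
                              preexec_fn=_limits(cpu_seconds, mem_bytes, file_bytes))
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child before raising
        return {"status": "killed", "reason": "wall-clock timeout", "stdout": b""}
    if proc.returncode < 0:  # terminated by a signal, e.g. SIGXCPU from RLIMIT_CPU
        return {"status": "killed", "reason": signal.Signals(-proc.returncode).name,
                "stdout": proc.stdout}
    return {"status": "ok" if proc.returncode == 0 else "error",
            "reason": f"exit {proc.returncode}", "stdout": proc.stdout}


def python_cmd(code: str) -> list:
    """argv that runs a snippet in a fresh interpreter, playing the untrusted program."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    print(run_confined(python_cmd("print('hello')")))
    print(run_confined(python_cmd("while True: pass"), cpu_seconds=1, wall_seconds=10))
    print(run_confined(python_cmd("import time; time.sleep(60)"), wall_seconds=1))
```

The CPU limit delivers SIGXCPU, which shows up as a negative return code; the wall-clock budget catches a program that sleeps or blocks rather than computes, which a CPU limit alone would never trip. Interpreters that reserve a large address space at start-up may need `mem_bytes` raised.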