CIS307: SECURITY

Read Chapter 7 in Kurose-Ross's book and chapter 8 in Tanenbaum-VanSteen.

Security Threats can occur to data, hardware, software, and communication links. Examples of security threats are interruptions (with loss of data, denial of service), interceptions, modifications, fabrications. Of course we aim for Secure Systems, with properties such as:

secrecy (privacy, confidentiality, no eavesdropping with consequent information leakage),
integrity (no data tampering or other form of vandalism),
authentication (nobody masquerades as somebody else - spoofing if joe@doe signs in as jane@smith - play-back attack if a malicious user eavesdrop a message, say an encrypted password, and plays it back - misrepresentation if www.pinco.com responds to www.ibm.com. A particular kind of masquerading attack is called man-in-the-middle, whereby an interlocutor or principal, places itself between client and server, passing back and forth messages, after registering them and possibly modifying them),
non-repudiation (nobody denies its actions),
authorization (making sure that a principal is allowed to do what it wants to do, using mechanisms such as Access Control Matrices, capabilities, encryption, filtering, firewalls),
auditing (audit-trail = analizable history of use; it establishes a basis for accountability), and
availability, reliability, safety.

We will focus on the first three properties.

In considering security we need to distinguish what are the security policies supported and what are the security mechanisms used to carry out the policies.

Some of the mechanisms involve:

Cryptography, i.e. encoding information so that only the intended interlocutors understand the transmitted information
Message Digests, i.e. hash values computed from the message that almost uniquely identify the message.

Examples of higher level mechanisms are:

Digital Signatures, i.e. encoded message digests used to authenticate the sender and verify the integrity of messages. A digital signature is specific to a message.
Certificate Authority(CA), i.e. an organization that creates and administers the distribution and use of Digital certificates.
Digital Certificates, i.e. data files that act like an online passport for an internet interlocutor (people, web servers, ..). They are issued by a trusted third party, a Certificate Authority, which verifies the identity of the certificate's holder. They cannot be forged. Digital certificates have two purposes: to certificate their holder, and to protect the data exchanged with that holder. A data certificate is specific to a principal, though a principal may have a number of different digital certificates. You may hear these days of support for e-commerce of wallets, that is components that in addition to the information needed for a certificate, they have the information needed for the use of credit cards, plus shipping information, etc.
Public Key Infrastructure (PKI), i.e. the definition of the technical, operational, and legal aspects of using a public key system to provide authentication, access control, confidentiality, and non-repudiation.
Trusted Third party (TTP), i.e. a certificate authority, a public key infrastructure, a higher authority that is agreed to and trusted by the communicating parties.
Internet Messaging Security Mechanisms, i.e. mechanisms such as the Secure Sockets Layer (SSL), a secure extension for MIME, S-Mime, and a secure extension of HTTP, HTTPS. There is also a Secure Electronic Transactions (SET) protocol and infrastructure for bank card payments over the Internet (developed by Visa, MasterCard, etc.).

CRYPTOGRAPHY

SENDER -->message-->ENCRYPT-->encrypted-->DECRYPT-->message-->RECEIVER

message = plaintext

encrypted = cyphertext

C = E(M), E: encryption algorithm, M: Message, C: Encrypted form of message
M = D(C), D: decryption algorithm
Since good en/decryption algorithm are hard to find, and can be stolen, people find it best to use keys in the algorithm, so that if a key is stolen, one can choose another key, without having to invent, implement, distribute a new algorithm. So the algorithm is public (not private) and the key is private (for now). When using keys, it is usual to write the encoding/decoding as follows:
C = E(M, Ke), M = D(C, Kd) Ke: encryption key, Kd: decryption key

One-way function: a function that is easy to compute but difficult to invert: F(X) is easy to compute with result Y, but given Y is very difficult to determine X such that F(X) is Y.

Trap-door function: a one-way function that, if we know a specific piece of information, can be inverted easily. That is the case when we have the decryption key to decode an encrypted message.

The key can be private (also called secret) or public. If private only one program knows it. If public, any program can obtain it, usually from an appropriate service. The longer the key, the safer it is. Suppose that I use a key that is just one bit. It is either 0 or 1; it will not take a malicious listener long before the key is guessed!

An encryption/decription schema is symmetric if the same key is used for encryption and for decryption. [To be precise, en/decryption is symmetric if there is a well defined known function for converting between the encryption and decryption key.] It is asymmetric otherwise. Usually symmetric algorithms are much faster than asymmetric algorithms. Often one uses asymmetric cryptography to obtain a key for symmetric cryptography; this key, called a session key, remains valid only for one communication session.

Data Encryption Standard (DES) - secret key, symmetric. Uses 64 bit keys (56 of information plus parity bits). It encrypts/decrypts data in chunks that are 64 bit long. Other sizes often used in DES are 128 (112 of information) and 192 (168 of information). As the size of the key grows, the difficulty of breaking the code grows, exponentially.

Diffie-Hellman (1976) introduced the concept of public keys. [Apparently, in 1973 Clifford Cocks in England came up with the same concept.] If two interlocutors want to talk we will have a Sender and a Receiver. The Sender will find out from a "reliable source" the public key used by Receiver and encode the message with that key. Only the intended receiver will know the private key and decode the message. [To answer the Receiver will have to use the public key of the Sender.]

Rivest-Shamir-Adleman (RSA) (1978)

	D = E, i.e. same algorithm for encryption and decryption
	Ke is public, so we call it Kp
	Kd is secret, so we call it Ks
	----------------------------------
	Choose two primes p and q, let N = p*q
	We will be able to send only messages whose numeric code is < N
	Choose an integer e relatively prime to (p-1)*(q-1) = Z.
	Find the smallest integer d such that
		(d*e)mod Z = 1
	Then the public key Kp is [e,N] and the private key Ks is [d,N].
		     e
		C = M   mod N   //This says that the message M must be smaller
                                //than N. If longer, break it up into 
				//chunks smaller than N and encrypt them 
				//individually.
		     d
		M = C   mod N
        Apparently, given N and e, it is computationally hard to compute d,
        if N is sufficiently large [al least 512 bits]. p and q must each
	be more than 200 bits.
	----------------------------------
	Example: p = 13, q = 17, N = 13*17 = 221, Z = (p-1)(q-1) = 192
		 e = 5
		 d = 77
		 The number of bits we can encrypt is 7 since
		 2^7 = 128 < N = 221.
		 So if we want to send a message longer than
		 7 bits we will decompose it in 7 bit fragments
		 and encrypt them individually. 
	----------------------------------




	The RSA algorithm is not good for protecting
	large messages since with it encryption/decryption are fairly
	slow - more that 1000 slower than DES. But it can 
	be used to transmit essential information, such as 
	secret keys and passwords. [Apparently on a 175Mhz Alpha
	RSA encrypts 1kbps, while 56-bit DES encodes over 30Mbps.] 
	In RSA it is normal to use 512-bit and 1024-bit keys.

Secrecy: Principal A wants to send a secret message M to principal B. [It is usual in the security area to use names like Alice and Bob for the principals involved in the interaction.] Let Kp(B) be the public key of B, Ks(B) the secret key of B. A will send E(M, Kp(B)). B is the only one with Ks(B), thus it is the only one who can read the message.

                A  -->  E(M, Kp(B))  -->  B

The Key distribution problem for public and private keys is dealt with through a Public Key Infrastructure and the use of digital certificates.

One-Time Pad: There is a an encryption method that is unbreakable, but very inconvenient. Suppose that we know that we need to send from A to B a message of n bits. We give before hand to both A and B a pad string s of n bits randomly generated. Then A will encrypt his message M as M^s, where ^ means exclusive or. And B will decrypt the encrypted message E with E^s. The trick is that, take a message bit x and a pad bit y, we have

x^y^y = x

Try it for any of the values of x and y and you will see it is true.

Block Cyphers: Both DES and RSA are block cyphers, that is the message is broken into chunks, or blocks, that are individually encrypted. This gives rise to a problem: an attacker may infer something about the code by looking at the individual blocks that may be repeated in different messages or in the same message. For this reason Cypher Block Chaining was introduced.

Cypher Block Chaining (CRC): Each message is started with an extra block, say, the current daytime, which makes the block unique. This plaintext block is encrypted. For all successive plaintext block, before encryption we will XOR it with the encrypted block of the preceding plaintext block. At the receiver we will decrypt the first cypher block. Then for all other cypher blocks, before decryption, we will XOR them with the preceding cypher block. [Remember: XOR is idempotent.]

Stream Cyphers: For the transmission of phone conversations, for efficiency reasons, instead of block cyphers are used cyphers that encrypt messages incrementally one bit at a time.

Steganography: On a totally different plane, a secret message may be superimposed on a visible message. For example, in an image where color is encoded as a 24bit number using RGB coding (one byte per color), we may use one bit from each color to send a message. The change in the picture would be not easily detectable, and we could transmit a secret message. [In a picture with 100,000 pixels, we would have 300,000 bits, i.e. 7,500 bytes available for our secret message.]

DIGITAL SIGNATURES and DIGEST FUNCTIONS (Integrity)

User A writes a document M, wants to distribute it and be sure that

all receivers R are sure that the document is the unmodified original one (integrity, no tampering),
it has been sent by A (no impersonation), and
A cannot deny having sent it (non-repudiation).

A does not care who or how many principals(programs/people) read the message.

Digest Function: a function that, given a document M generates a brief "fingerprint" or "message digest" or "hash value" or "thumbprint" that identifies this document uniquely with almost certainty.

MD5 (Rivest, 1992): A digest function that generates a 128 bit fingerprint from its text argument. It is much quicker to compute than encrypting with DES [on a 175Mhz Alpha, MD5 digest is computed at over 80Mbps]. Another often used digest function is SHA-1, which generates a 160 bit fingerprint from its text argument.

A sends:

	M + E(MD5(M), Ks(A))    // Ks(A) = Secret key of A

['+' means concatenation, E(MD5(M), Ks(A)) is called the digital signature of the message. It is also often called a Message Authentication Code (MAC).]
R uses the identity of A to determine the public key of A.
R uses this public key of A to decrypt the "digital signature" of M and obtain the hash value MD5(M).
R uses the Digest Function to compute the hash value of M.
If the two hash values are the same, all is well. Otherwise message was corrupted or not sent by A.

	A  ----> M + E(MD5(M), Ks(A)) ---> B

If in addition to authentication and integrity we also want secrecy then the message sent will be

	A  ----> E(M + E(MD5(M), Ks(A)), Kp(B)) ---> B

A weakness of the use of digital signatures is that it requires knowledge of the public key of the interlocutors. The danger is impersonation - if there is no reliable way of distributing public keys. The solution, as we will see later, is to use digital certificates and certificate authorities.

Attempts at Authentication

Principal A wants to authenticate itself to other principals. Let Kp(A) be the public key of A, Ks(A) the secret key of A. A will append E(A_id, Ks(A)) to its messages. Any principal B that receives this information will use Kp(A) to decode the signature, if it succeeds and finds "A_id", it will "know" that only A could have sent the message. In the following we use "+" to express "concatenation".

		A  -->  A_id + E(A_id, Ks(A))  -->  B

Note that this authentication, as it stands, is dangerous: somebody could capture and save that message (A_id+E(A_id,Ks(A))), and then use it to impersonate A by playing back a previous authentication message. We can solve the problem as follows: when A wants to authenticate itself to B, it asks B to send first to A a string x which is likely being sent for the first time to A (choose x at random as a 100 digits number!). Then A sends to B

		A_id + E(A_id + x, Ks(A))

now nobody can have memorized the authentication message and play it back.
Note that also this authentication is dangerous if anybody, not just B, could have sent to A the nonce x. Because then C could impersonate A in interacting with B. It gets in the middle between A and B. Waits for A to make a request to B and intercepts the communication.

		A  --> A_id --> C  -->  A_id  --> B       
		A  <--  x  <--  C  <--  x  <-- B
	 	A  --> E(A_id + x, Ks(A)) --> C  --> E(A_id + x, Ks(A)) --> B

and now B believes that C is really A, while A just thinks the communication was lost. We get back to this later. This is a form of man-in-the-middle attack. Later we will see another form.

Direct Authentication and Session Key exchange (using symmetric key)

We want a client to authenticate its identity to the server and the server to authenticate its identity to the client. We assume that the true client and server share a secret password P from which an algorithm can compute a key K. We use the notation K(Client) and K(Server) to indicate the value of K as assumed respectively by the client and the server. We should have K = K(Client) = K(Server). [Instead of a protocol based on symmetric cryptography, we could have used a protocol based on asymmetryc cryptography.]

The client sends to the server the message
```
         clientId
```
The server selects at random an integer x [it is random so that likely it was not used before] and sends to the client the message
```
	x
```
The client uses K(Client) to encode the message received, selects at random a number y, and sends to the server the message
```
	E(x, K(client)) + y
```
At this point, if x is retrieved, the server is certain of the identity of the client. Now the server sends to the client the message
```
	E(y, K(Client))
```
The client uses K(Client) to decode the message. If y is retrieved, the client is certain of the identity of the server. Mutual authentication has been achieved.

If desired at this point the server can send to the client the message

	E(SK, K(Server))

where SK is the session key that the server and client can use to exchange information during this session. Note that only the specified client will be able to decode the session key. This session key will be valid only for a specified time interval. The fact that K is used only during the exchange that results in the sharing of the session key SK, makes it more difficult for an hostile party to guess K. Notice also that we have shown the case of the server giving to the client the session key. The viceversa, with the client selecting the session key and giving it to the server is also possible.
We are combining in this way the security of secret key cryptography (now used efficiently because only for little data) with the efficiency of public key cryptography (now used securely because only for one session).

The values x and y are usually called nonces. They are just computed random numbers. As already observed, they are used so that an intruder cannot imitate an interlocutor by just remembering what that interlocutor returned in another occasion.

Reflection Attack: A case of bad Authentication (using symmetric key)

Here is an example of how easy it is to come up with bad security protocols. We are still using secret keys as in the last protocol. In the following x, y, and z are nonces.

client ---> clientId + x ---> server
client < -- E(x, K(server)) + y < -- server
The client decripts the E(x, K(server)) term using the secret key K(client) = K(server). If it obtains x, it knows that the server is who it is supposed to be.
client ---> E(y, K(client)) ---> server
The server decripts the E(y, K(client)) term using the secret key K(server) = K(client). If it obtains y, it knows that the client is who it is supposed to be.

This "Authentication Protocol" is bad in that it can be fooled with a Reflection Attack, as shown in the following modification:

client ---> clientId + x ---> server
client < -- E(x, K(server)) + y < -- server
client < -- serverId + y < -- hostile
client ---> E(y, K(client)) + z ---> hostile
hostile ---> E(y, K(client)) ---> server
The server decripts the E(y, K(client)) term using the server's secret key K(server) = K(client). It optains y, thus it knows that the client is who it is supposed to be, yet we know that it is really "hostile".

Direct exchanges of public keys: Man-in-the-Middle Attack

Alice and Bob are friends and want to communicate with absolute secrecy. They agree to exchange, say by email, public keys while authenticating each other. At the time that the public keys are exchanged a malicious third-party, Mallory does the following:

  Alice --> Alice_id --> Mallory --> Alice_id --> Bob
                         Mallory <-- x <-- Bob
			 Mallory --> E(x, Ks(Mallory)) --> Bob
                         Mallory <-- send me your public key <-- Bob
                         Mallory --> Public_key_of_Mallory --> Bob 
                                       Bob now thinks Mallory is Alice since
				       it can decrypt E(x,Ks(Mallory))
  Alice   <--    x  <--  Mallory
  Alice --> E(x, Ks(Alice)) --> Mallory
  Alice <-- Send me your public key <--  Mallory
  Alice --> Public_key_of_Alice --> Mallory
          Now Alice has authenticated herself to Mallory.
  Alice  <-- Bob_id <-- Mallory
  Alice  --> y -->  Mallory
  Alice  <-- E(y, Ks(Mallory)) <-- Mallory
  Alice --> Send me your public key --> Mallory
  Alice <-- Public_key_of_Mallory <-- Mallory
    Alice now thinks that Mallory is bob since it
    can decrypt E(y,Ks(Mallory))
          When Bob sends data d to Alice it sends
		E(d, Public_key_of_Mallory)
          Mallory decrypts and sends to Alice
		E(d, Public_key_of_Alice)
          and similarly in the opposite direction.

From this moment on everything exchanged by Alice and Bob gets interpreted by Mallory even if encrypted. Clearly the idea of exchanging naively public keys is no good. Some certified way of exchanging public keys is required, a public-key infrastructure.

Authentication Server and Distribution of Session Key

Here is an Authentication protocol (modified from a protocol by Needham - Schroeder, and related to Kerberos) used when there is an Authentication Authority S that generates session keys for interaction between two interlocutors A and B. It is carried out when a Client A wants to communicate with a server B. It is assumed that the authentication server and A share a secret key K(A) and the authentication server and B share a secret key K(B). Usually these secret keys are computed from userid, password pairs.

A sends to S the cleartext message
```
	A + B
```
to mean that A wants to interact with B.
S generates a timestamp T, a duration L (Lifetime), and a session key K and sends to A the message:
```
	E(T + L + K + B, K(A)) + E(T + L + K + A, K(B))
```
Now A uses its key K(A) to obtain the session key K, plus T and L; it then sends to B the message
```
	E(T + L + K + A, K(B)) + E(A + T, K)
```
B uses K(B) to determine T, L, K and A. The E(A + T, K) part is necessary to authenticate that the message is really from A (only A can have obtained the session key K, as demonstrated by the A+T value) and not from somebody that eavesdropped the conversion between S and A and obtained the E(T + L + K + A, K(B)) part. For this reason the E(A+T,K) part is called an authenticator. Now also B has the session key K, plus T and L, and knows that it can interact with A. It does so by sending to A the message
```
	E(T+1, K)
```
to indicate that B is ready. This authenticates B to A since only B has the session key K, as demonstrated by T+1.

More About Digital Certificates, Certificate Authorities, and SSL

As already indicated, a digital certificate is associated with an internet interlocutor to make secure its interactions with other interlocutors. At a minimum a digital certificate will include:

Name and Digital certificate of the certification authority that issued this certificate
The name and the public key of the owner of the certificate
Serial number and expiration date of the certificate.

In addition it may contain also the owner's address, e-mail address, phone, etc. The certificate is encoded by the issuing certificate authority using its private key so that the content of the certificate cannot be tampered with without detection. Here is how the certificate works. The sender requests the certificate of the recipient from the CA. This certificate is encrypted with the CA's secret key and contains the recipients's public key and additional information. The sender decodes the certificate with the public key of the CA and encodes the message with the retrieved public key of the receiver. The standard for Digital Certificates is X.509.]
A message M can be sent as follows:

	M + DigitalSignatureOfM + DigitalCertificateOfSender

and, if the certification authority is reliable, we are guaranteed authentication and non-tampering. Thus digital certificates can be used in place of passwords to identify principals. If in addition to authentication and integrity we want secrecy, it is easy to do since the DigitalCertificateOfSender contains the Public_key_Of_Sender. Thus we send

  E(M+DigitalSignatureOfM, Public_key_Of_Sender) +
	DigitalCertificateOfSender

A Certificate Authority, in addition to issuing certificates, will be concerned with renewing (i.e. extend the duration), and revoking (i.e. terminating the validity) existing certificates. A Certificate Authority cannot appear as a single server to which all users make appeal. Instead, as in the case of DSN (Distributed Name Service) one needs a distributed structure of communicating certificate authorities. At present there are a number of competing certificate authority services and a server used in e-commerce will have to keep certificates for the certification services it trusts. Front ends to certificate authorities are often called Registration Authorities.

SSL, the Secure Socket Layer, acts as an intermediate layer between the application protocol, say HTTP, and the transport protocol, say TCP. SSL has two subprotocols. One specifies the format of the messages exchanged. The other specifies the handshakes taking place between clients and servers. The protocol allows the selection of the cryptographic algorithm used. It always requires authentication of the server. Authentication of the client is optional. [Server authentication is almost always crucial - think of client having to give to server its own visa card number. Client authentication is rarer - necessary, for instance, if client asks for bank balance; not necessary if client asks for today's weather. In the case that the client gives a credit card number, the application using SSL will have other methods to make sure that the client is who it claims to be.]

In their SSL interactions interlocutors use digital signatures, digital certificates, and rely on certificate authorities. They use random numbers (nonces) to eliminate the possibility of hostile interlocutors remembering old interactions. Communications between client and server are encrypted. Public key cryptography is used only during session setup: the client, usually a browser, selects a secret symmetric session key, encrypts it with the public key of the server, and sends it to the server. Afterwards client and server communicate with the selected secret session key.
SSL has been modified into an Internet standard, the Transport Layer Security (TLS) protocol, as expressed in RFC 2246