Security architecture & engineering: introduction (suman/security_arch/intro.pdf)

Posted on 28-May-2020



Security architecture & engineering: introduction

Suman Jana, Columbia University

* Some slides are borrowed from Vitaly Shmatikov and Ari Juels


Course goals

•  Understand the fundamental principles of security
– What are the common security mechanisms? Why do they often go wrong?

– What are the underlying principles behind building secure systems?

– Why is building secure systems hard?


Logistics

•  No textbook, but assigned readings from different sources

•  Grading
– Six programming assignments (54%)
– Midterm (20%)
– Non-cumulative final (20%)
– Class participation (6%)

•  Class webpage: http://sumanj.info/security_arch.html


The art of adversarial thinking


What's adversarial thinking?

"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it."

- Bruce Schneier


Adversarial thinking disclaimer

Hopefully, you will learn to think like a criminal mastermind but behave like a gentleman/woman!


Adversarial thinking: key questions

•  Security goal: what security policy to enforce?

•  Threat model: who is the adversary? What actions can the adversary perform?

•  Mechanisms: what security mechanisms can be used to achieve the security goals given the adversarial model?


Key security goals

•  Confidentiality: data is not leaked

•  Integrity: data is not modified

•  Availability: data is accessible when needed

•  Authenticity: data origin cannot be spoofed


You can apply adversarial thinking anywhere

•  Columbia ID cards – Can you fake an ID card?

•  ATM machine – How does the service person get access to refill it with cash?

•  MTA MetroCard – Can you increase the card balance without paying?


Example: air travel

Print boarding pass at home

ID check by TSA

Boarding pass check at the gate


Adversarial thinking example: air travel

•  Security goal: ensure that each person getting inside an airport has a valid boarding pass and is authorized to fly (i.e., not on the no-fly list)

•  Mechanisms
–  TSA checks validity of the ID (e.g., driver's license) and the boarding pass. How?

–  TSA matches the name in the ID against the name in the boarding pass

–  TSA ensures that the name is not on the no-fly list
–  Gate agent checks whether the boarding pass is valid and has been checked by TSA. How?


Can an attacker who is on the no-fly list fly?


What is the threat model?

•  Can an attacker create a fake boarding pass?

•  Can an attacker fake a driver's license?


Security under different threat models

•  Security goal: ensure that each person getting inside an airport has a valid boarding pass and is authorized to fly (i.e., not on the no-fly list)
– What are the minimum requirements for someone to violate this goal in the current TSA system?

– The current TSA system is secure under which threat models?


Not all threat models are equal

•  Which one is harder and why?
– Creating a fake boarding pass
– Creating a fake driver's license


Security measures in a driver's license?


Security measures in a boarding pass?

Can the barcode be faked?


Air travel revisited: a different security goal

Print boarding pass at home

ID check by TSA

Boarding pass check at the gate

Security goal: everybody boarding an aircraft must pass through the TSA security check


Everybody must go through TSA checks

•  How does the current TSA system ensure this?
•  What is an example threat model where this goal can be violated by an attacker?


Yet another security goal

•  Only authorized travelers should be allowed to enter premium lounges
– How will the receptionist at the lounge know who is authorized?


What is the threat model for this attack?

How will you fix it?


What about TSA Pre-Check?

•  How does TSA Pre-Check work?
– Passengers apply for Pre-Check
– TSA randomly decides whether the passenger is eligible for Pre-Check or not and sends the information back to the airline.

– The airline encodes that information in a barcode that is on the issued boarding pass.


Hacking TSA Pre-Check

1 means no Pre-Check and 3 means Pre-Check

Source: https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/

No encryption
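Added illustration of the point made on this slide (not code from the slides or the linked article, and it uses a simplified, constructed record rather than the real barcode layout): a scanner that trusts the cleartext Pre-Check flag cannot tell an altered copy from the issued pass, whereas a scanner that checks a MAC computed by the issuer rejects it. It assumes a secret key shared between the airline that issues passes and the checkpoint that verifies them; it addresses only the authenticity/integrity side, not the cleartext confidentiality problem raised on the next slide.

```python
import hmac
import hashlib

# Constructed, simplified boarding-pass record for illustration only; this is
# NOT the real boarding-pass barcode layout, just enough fields to show the point.
FIELDS = ("name", "flight", "date", "seat", "precheck")
SEP = "|"

def encode(rec: dict) -> str:
    """Serialize the record as cleartext fields, as an unsigned barcode would."""
    return SEP.join(str(rec[f]) for f in FIELDS)

def decode(payload: str) -> dict:
    parts = payload.split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed record")
    return dict(zip(FIELDS, parts))

def sign(rec: dict, key: bytes) -> str:
    """Issuer side (assumed airline): append an HMAC-SHA256 tag over the cleartext fields."""
    payload = encode(rec)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag

def verify_unsigned(barcode: str) -> dict:
    """A scanner that trusts the cleartext: it cannot distinguish a copy from an original."""
    return decode(barcode)

def verify_signed(barcode: str, key: bytes):
    """Checkpoint side (assumed): recompute the tag; return the fields only if it matches."""
    payload, _, tag = barcode.rpartition(SEP)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or not issued by the key holder
    return decode(payload)

# Constructed sample: a pass issued without Pre-Check ("1" in the slide's encoding).
KEY = b"demo-key-not-a-real-secret"
ISSUED = {"name": "DOE/JANE", "flight": "XX123", "date": "2020-05-28",
          "seat": "14C", "precheck": "1"}

def demo():
    signed = sign(ISSUED, KEY)
    tag = signed.rsplit(SEP, 1)[1]
    # An altered copy: same tag, but the cleartext flag changed to "3" (Pre-Check).
    altered = encode(dict(ISSUED, precheck="3")) + SEP + tag
    naive = verify_unsigned(altered.rsplit(SEP, 1)[0])["precheck"]  # accepted: "3"
    checked = verify_signed(altered, KEY)                            # rejected: None
    return naive, checked, verify_signed(signed, KEY)["precheck"]    # ("3", None, "1")
```

With a digital signature instead of an HMAC, checkpoint scanners would need only the issuer's public key, which removes the shared-secret assumption.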


Unintended side effects of the boarding-pass design

•  What happens if someone else gets hold of your boarding pass?

All this information is in the boarding pass in cleartext


A different setting: money

•  Counting tokens must be kept in a safe place to prevent tampering
–  In a temple or in clay envelopes on shipping routes

•  How to make counting tokens completely portable for trade?


A different setting: money

•  Security goals
– Tokens can only be created by a trusted authority
– Authenticity of tokens should be easily verifiable by anyone

•  Threat model
– Attackers can forge or modify tokens

•  Clay tokens can be easily forged!


A different setting: money

•  Coins were introduced around the 6th/7th century BCE
– Make tokens out of scarce resources (gold and silver)

– Apply a signature that is hard to copy (depends on the skills of the engravers)

– Harsh penalty for forgers


Modern crypto-currencies

•  Same principles!
– Scarce resource: computation
– Hard-to-forge data: cryptography
– We will talk about bitcoins later in the class


Who is the adversary? Depends on who you are


Hackers

•  Evgeniy Mikhailovich Bogachev
– Gameover Zeus botnet: banking fraud and ransomware distribution


Chinese government

•  Censorship of materials critical of the current regime

•  Monitoring dissidents


National Security Agency (NSA)
