CS 3700Networks and Distributed

SystemsNetwork Security Basics

• Definitions• Principals• Crypto

Defining Security

Policies and mechanisms for preserving desirable protection properties over data and resources.

• We reason about security in terms of properties• Policies specify what we want to enforce• Mechanisms are the means by which we enforce policies• Always in the context of an attacker

Security Properties

Let's consider an example where a general wants to give the order "Attack at dawn."

In a network, messages must be distributed from one principal to various other principals.

What are the properties we would like to enforce on messages?

Alternatively, what are the bad things that could be done to this message?

Confidentiality

"Hey, we're attacking at dawn!"

• Data must only be released to authorized principals• Cryptography has historically focused on providing confidentiality• But, there are other mechanisms

• Can have a temporal aspect

Integrity

“Attack Retreat at dawn."

• Data must not be modified (in an undetectable manner)• What constitutes a modification?• Corruption• Dropped, replayed, or reordered messages

• Cryptography has also historically provided this• e.g, (cryptographic) hash functions, HMAC

Authenticity

Enemy commander: "Attack at dawn."

• Establishment of identity• Or, verification of "genuineness"

• Again, cryptography has long considered this• e.g., HMAC, signatures• Consider the PKI that underlies SSL certificates or DNSSEC

Availability

“Xfk3^#M3mf a __ q3rf” – jamming results in garbled message

• Data and resources must be accessible when required• Related to integrity, but more concerned with denial of service (DoS)

attacks• Resource exhaustion (e.g., CPU, memory, network bandwidth)• Usually easy to perform, and very difficult to defend against

Non-repudiation

"I never said to attack at dawn!"

• Data must be bound to identity• Prevents denial of message transmission or receipt

• Cryptographic techniques• e.g., HMAC, certificates

Access Control

• Policy specifying how entities can interact with resources• i.e., Who can access what?• Requires authentication and authorization

• Access control primitives

Principal Users of a system

Subject Entity that acts on behalf of principals

Object Resource acted upon by subjects

Authorization

Authentication

• Verification of identity claim made by a subject on behalf of a principal• Involves examination of factors or credentials• Something you have – e.g., a badge• Something you know – e.g., a password• Something you are – e.g., your fingerprint

• Desirable properties include being unforgeable, unguessable, and revocable

Authorization

• Authorization follows authentication• If asking what someone can do, you must know who they are

• Usually represented as a policy specification of what resources can be accessed by a given subject• Can also include the nature of the access

Access Control Matrices

• Introduced by Lampson in 1971• Static description of system protection state• Abstract model of concrete systems

o1 o2 o3

s1 RW RXs2 R RWX RWs3 RWX

Given subjects si S, objects oj O, rights {R,W,X},∈ ∈

Limitations of Access Matrices

• The Unix model is very simple• Owner, groups, everyone; read, write, execute

• Not all possible policies can be encoded

file 1 file 2user 1 --- rw-user 2 r-- r--user 3 rw- rwxuser 4 rw- ---

file 1: two users have high privileges• If user 3 and user 4 are in a group, how to give user 2 read

and user 1 nothing?

file 2: four distinct privilege levels• Maximum of three levels (user, group, other)

Desired Permissions

Access Control List (ACL)

⟨object, subject, operation⟩

• Each object has an associated list subjectoperation pairs• Authorization verified for each request by checking list of tuples• Used pervasively in filesystems and networks• "Users a, b, and c and read file x."• "Hosts a and b can listen on port x."

• Drawbacks?• Infinite permutations of objects, subjects, and operations• Much more complicated to manage than Unix permissions

• Definitions• Principals• Crypto

Security Principles

• We've seen some basic properties and approaches to security• But, designing secure systems (and breaking them) remains an art• Security principles help bridge the gap between art and science

• Let's look at a few

Economy of Mechanism

Would you depend on a defense system designed like this?

Economy of Mechanism

Simplicity of design implies a smaller attack surface

• Correctness of protection mechanisms is critical• "Who watches the watcher?"• We need to be able to trust our security mechanisms• (Or, at least quantify their efficacy)

• Essentially the KISS principle• Keep it simple, stupid

Defense in Depth

Don't depend on a single protection mechanism, since they are apt to fail

• Even very simple or formally verified defenses fail• Layering defenses increases the

difficulty for attackers• Defenses should be

complementary!

High walls

Moat

Drawbridge Dude with a crossbow

Fail-safe Defaults

The absence of explicit permission is equivalent to no permission

• Systems should be secure "out-of-the-box"• Most users stick with defaults• Users should "opt-in" to less-secure configurations

Complete Mediation

Complete Mediation

Every access to every object must be checked for authorization

• Incomplete mediation implies that a path exists to bypass a security mechanism• Required property of reference monitors

Open Design

Kerckhoff's Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge

• Generalization: A system should be secure even if the adversary knows everything about its design• Design does not include runtime parameters like secret keys

• Contrast with "security through obscurity"

Separation of Privilege

Privilege, or authority, should only be distributed to subjects that require it

• Some components of a system should be less privileged than others• Not every subject needs the ability to do everything• Not every subject is deserving of full trust

• Case study: Google Chrome• Each tab runs in a separate process with restricted privileges• Only the browser’s “core” process may access the network, files, etc.

Least Privilege

Subjects should possess only that authority that is required to operate successfully

• Closely related to separation of privilege• Not only should privilege be separated, but subjects should have the

least amount necessary to perform a task• Case study: Linux• By default, users are not given root or sudo permissions• Contrast to Windows 98, where all users were administrators by default

Work Factor

Increase the difficulty of mounting attacks

• Often entails the introduction of non-determinism• e.g. inceasing entropy used in

ASLR

• Also applies to crypto• Increase the lengths of keys

Compromise Recording

Concede that attacks will occur, but record the fact

• Auditing approach to security• Detection and recovery

• "Tamper-evident" vs. "tamper-proof"

• Definitions• Principals• Crypto

Cryptography is Fundamental

• The study and practice of techniques for secure communication in the presence of adversaries• Critical for many important security properties• Confidentiality• Integrity• Authentication and non-repudiation• Anonymity

• Two basic types• Symmetric key• Asymmetric key (a.k.a. public-key)

Symmetric Key Crypto

• Algorithms that use a single key for encryption and decryption• i.e. the algorithm is reversible• Keys are a form of shared secret

• Ancient examples:• Caeser shift – simple rotational cypher• Vigenère – Multiple Caesar shifts with independent keys

• Modern examples:• DES, 3DES, RC4, Blowfish, Twofish, AES• Warning: many of these methods are known to be vulnerable

AES Example

Alice BobEavesdropper

M

M

KAES

{M}KAES

{M}KAES

KAES

Weakness of Symmetric Key Crypto

• How do you securely exchange keys with someone?• Easy to do if you can meet them in person• However, the Internet is untrusted• You can’t exchange shared secrets over an untrusted medium

Alice BobEavesdropper

KAES KAESKAES

Public Key Cryptography

• Public key cryptography, a.k.a. asymmetric cryptography• Each principal has two keys: private (secret) and public• A message encrypted with one key must be decrypted by the other• Thus, the public key can be sent in-the-clear over the Internet

• Security is based on Very Hard Math Problems• O(1) time to verify a given solution for a given instance• Exponential time to check all possible solutions for a given instance

• Many different algorithms that offer different security properties• Diffie-Hellman, RSA, Goldwasser-Micali, ElGamal

• Forms the basis for most modern secure protocols• IPsec, TLS, S/MIME, PGP/GPG, etc.

RSA

• Invented by Rivest, Shamir, and Adleman in 1977• Equivalent system invented by Clifford Cox in 1973, but GCHQ classified it

• Security is based on the difficulty of factoring the product of primes• Alice chooses two secret primes p and q, n = pq• Choose e such that 1 < e < n – (p + q – 1), and gcd(e, n – (p + q – 1)) = 1• <n, e> is Alice’s public key• Private key

• RSA is the dominant public key cryptosystem today for historical reasons• Algorithm was commercialized by RSA Security• RSA Security created a certificate authority that eventually became Verisign

Public Key Crypto Example

Alice BobEavesdropper

PaSa PaPa

M

M

KAES

Brand new AES symmetric key

KAES

{M}KAES

• Why bother with the symmetric key?• Why not just encrypt M with Pa?

• Performance• Asymmetric crypto is slow, symmetric is fast• Use asymmetric for K (which is small)• Use symmetric for M (which is large)

{M}KAES{KAES}Pa{M}KAES

{KAES}Pa

Cryptographic Hash Functions

• Cryptographic hash function transform input data into scrambled output data• Deterministic: hash(A) = hash(A)• High entropy:

• md5(‘security’) = e91e6348157868de9dd8b25c81aebfb9• md5(‘security1’) = 8632c375e9eba096df51844a5a43ae93• md5(‘Security’) = 2fae32629d4ef4fc6341f1751b405e45

• Collision resistant• Locating A’ such that hash(A) = hash(A’) takes a long time• Example: 221 tries for md5

• Examples: md5, sha1, sha256, sha512• Warning: md5 and sha1 are considered broken and unsafe

Digital Signatures

Alice Bob

PaSa Pa

M

• What can you infer about a signed message?• The holder of Sa must have produced the signature, since Pa decrypts the hash• The message was not modified, otherwise the hash would not match

H(M)M

H(M) ?= H(M)

M{H(M)}Sa

Encryption vs. Signatures

Public Key Encryption• What does encryption give you?

• Confidentiality – only the holder of the private key can read the message

• Integrity – if the message is modified, it will no longer decrypt properly

• What does encryption not give you?• Authentication – you have no idea

who used your public key to encrypt the message

Digital Signatures• What do signatures give you?

• (Weak) Authentication – only the holder of the private key could have signed the message

• Integrity – if the message is modified, the signature will be invalid

• What do signatures not give you?• Confidentiality – the message is not

encrypted, it’s public

Authentication

• Does public key cryptography provide authenticity guarantees?• Yes – if you obtain Alice’s public key through a secure, out-of-band exchange• No – if you obtain Alice’s key via an untrusted network

The Man-in-the-Middle Attack

Alice BobAttacker

PaSaM

M

KAES

KAES

{M}KAES

{M}KAES{KAES}Pe

{M}KAES{KAES}Pa

PeSe PePaPa

Total compromise! The attacker can read, modify, or drop the message

Bob has no way of knowing that Pe does not belong to Alice

M

KAES

{M}KAES

Alice has no idea message has been compromised

Signing Public Keys

• The only way to authenticate a public key is to rely on trust• One or more third-party, trusted principals vouch for Alice’s key by signing it• Bob can verify the signatures using the public keys of the trusted third-parties• If Alice’s key is not signed, maybe Bob should not trust it

• Question: who do you trust?1. Web of trust: a social network of private individuals who sign each others keys

• OpenPGP keys2. Certificate authorities: companies that verify individuals and sign public keys

for a fee• X.509 certificates (more on these later)

Web of Trust

Pb

Pa Pd

Pc

Pe

Pf

Alice

Bob

Chris

Dave

Fred

Eric

a

a

b c

d

d

d

b c

f

e

eIs this Dave’s key?Bob and Chris say it is, and I

trust them, so I trust this key.

Is this Eric’s key?Maybe. Dave is two hops

away, but I don’t know Fred.

Is this Fred’s key?No way to tell, none of my

friends can vouch for it.

Public Key Infrastructure (PKI)

PBofA

Alice

GoDaddy

Is this BofA’s key?

PVerisign

PGoDaddy

Verisign

Is this GoDaddy’s key?

The whole chain is valid because I trust Verisign.

PVerisign

Your OS and web browser ship with ~200 trusted public keys by default.