 Security is multifaceted phenomenon o Confidentiality, integrity, availability  We spoke about various security threats  And some general defense approaches o Prevention o Detection and response (sustain the attack or get rid of it) o Learn from mistakes, improve prevention  Now we’ll talk about challenges in the defense field

 Your security frequently depends on others o Tragedy of commons  A good solution must o Handle the problem to a great extent o Handle future variations of the problem, too o Be inexpensive o Have economic incentive o Require a few deployment points o Require non-specific deployment points

 Fighting a live enemy o Security is an adversarial field o No problem is likely to be completely solved o New advances lead to improvement of attack techniques o Researchers must play a double game

 Attack patterns change  Often there is scarce attack data  Testing security systems requires reproducing or simulating legitimate and traffic o No agreement about realistic traffic patterns  No agreement about metrics  There is no standardized evaluation procedure  Some security problems require a lot of resources to be reproduced realistically

 Risk analysis and risk management o How important it is to enforce a policy o Which threats matter o Legislation may play a role  The role of trust o Assumptions are necessary  Human factors o The weakest link

 Motivation o Bragging Rights o Profit (Spam, Scam, Phishing, Extortion) o Revenge / to inflict damage o Terrorism, politics  Risk to the attacker o Usually small o Can play a defensive role

 Buggy code  Protocol design failures  Weak crypto  Social engineering/human factor  Insider threats  Poor configuration  Incorrect policy specification  Stolen keys or identities  Misplaced incentives (DoS, spoofing, tragedy of commons)

 Policy defines what is allowed and how the system and security mechanisms should act  Policy is enforced by mechanism which interprets and enforces it, e.g. o Firewalls o IDS o Access control lists  Implemented as o Software (which must be implemented correctly and without vulnerabilities)

 Encryption  Checksums  Key management  Authentication  Authorization  Accounting  Firewalls  VPNs  Intrusion Detection  Intrusion Response  Development tools  Virus scanners  Policy managers  Trusted hw

 Goal: Protect private communication in the public world  Alice and Bob are shouting messages over a crowded room  Everyone can hear what they are saying but no one can understand (except them)  We have to scramble the messages so they look like nonsense or alternatively like innocent text  Only Alice and Bob know how to get the real messages out of the scramble

 Authentication o Bob should be able to verify that Alice has created the message  Integrity checking o Bob should be able to verify that message has not been modified  Non-repudiation o Alice cannot deny that she indeed sent the message

 Exchanging a secret with someone you have never met, shouting in a room full of people  Proving to someone you know some secret without giving it away  Sending secret messages to any m out of n people so only those m can retrieve messages and the rest n-m cannot  Sending a secret message so that it can be retrieved only if m out of n people agree to retrieve it

Good cryptography assumes knowledge of algorithm by anyone, secret lies in a key!!!  Alice could give a message covertly “Meeting at the old place” o Doesn’t work for arbitrary messages and o Doesn’t work if Alice and Bob don’t know each other  Alice could hide her message in some other text – steganography  Alice could change the message in a secret way o Bob has to learn a new algorithm o Secret algorithms can be broken by bad guys

 Substitute each letter with a letter which is 3 letters later in the alphabet o HELLO becomes KHOOR  Instead of using number 3 we could use n  [1,25]. n would be our key  How can we break this cipher? Can you decipher this: Bpqa kzgxbwozixpg ammua zmit miag. Em eivb uwzm!

 We can also choose a mapping for each letter: (H is A, E is M, L is K, O is Y). This mapping would be our key. This is monoalphabetic cipher. o HELLO becomes AMKKY  How can we break this cipher?

 Symmetric key crypto: one key o We will call this secret key or shared key o Both Alice and Bob know the same key  Asymmetric key crypto: two keys o Alice has public key and private key o Everyone knows Alice’s public key but only Alice knows her private key o One can encrypt with public key and decrypt with private key or vice versa  Hash functions: no key

 Symmetric key crypto: one key  Transmitting over an insecure channel o Classic use: Alice and Bob encrypt messages they exchange  Secure storage on insecure media o Encrypt stored data so someone who breaks in cannot read it

Alice Bob RARA K AB (R A ) RBRB K AB (R B ) MMIC = E AB (check(M))  Authentication – prove the identity o Pass phrase – what if Mallory asks for the pass phrase o Strong authentication without revealing the secret  Integrity check o Calculate the checksum and encrypt it – MIC: message integrity code

 Asymmetric key crypto can do everything symmetric key crypto can but much (about 1,500 times) slower o However, it can do some things better! o However, it can do some extra things!  Transmitting over an insecure channel o If Alice wants to talk to Bob and Carol using symmetric key crypto she either has to remember two keys or run a risk that Bob can impersonate her when talking to Carol o With asymmetric keys, Bob and Carol know Alice’s public key and Alice knows her private key

 Secure storage on insecure media o Same as with symmetric key crypto  Authentication o Alice wants to verify Bob’s identity o She sends to Bob E PubBob (R A ) o Bob decrypts and sends back R A o This can be done with symmetric keys too but if Bob wanted to authenticate himself to Carol he would need to remember a new key. Not so with asymmetric keys. o Alice doesn’t need to store any secret info which is good if she is a computer

 Digital signatures o Alice orders books online from Bob o She signs every order using her private key o If she claims she didn’t place the order Bob can prove she did – non-repudiation o Can symmetric key crypto do this?

 Known also as one-way functions or message digests  Take an arbitrary-length message M and transform it into fixed-length hash h(M)  Properties: o Knowing M is easy to calculate h(M), but it is very hard to calculate M knowing h(M) o It is very hard to find M1  M so that h(M1) = h(M), this is collision-free property o E.g., take the message M as a number, add a large constant to it, square it, and take middle n digits as the hash

 Storing hashed password info  Message integrity o Use message M and a shared secret S, run this through hash function and produce MIC o Send only M and MIC o Why do we need a shared secret?  Message fingerprint o Hash the files to detect tampering o Works for download security too  Signing message hash instead of the whole message is faster

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C M – message K1 – encryption key E K1 (M) – message M is encrypted using key K1 C – ciphertext K2 – decryption key D K2 (C) – ciphertext C is decrypted using key K2 If K1=K2 this is symmetric (secret key) encryption If K1  K2 this is asymmetric (public key) encryption

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C Cyphertext-only attack: Eve can gather and analyze C’s to learn K2 Eve How does Eve know she got the right key? Eve has to have enough ciphertext – having XYZ with monoalphabetic cipher would not be enough What if K2 depends on a password in a known way?

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C Known-plaintext attack: Eve can attempt to learn K2 by observing many ciphertexts C for known messages M Eve How does Eve obtain the plaintext?

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C Chosen-plaintext attack: Mallory can feed chosen messages M into encryption algorithm and look at resulting ciphertexts C. Learn either K2 or messages M that produce C. Assumption is that extremely few messages M can produce same C. Mallory For a monoalphabetic cipher she could feed a message containing all the letters of the alphabet What if Alice has a limited vocabulary?

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C Man-in-the-middle attack: o Mallory can substitute messages o Mallory can modify messages o So that they have different meaning o So that they are scrambled o Mallory can drop messages o Mallory can replay messages to Alice, Bob or the third party Mallory

Alice Bob E K1 (M) M K1 D K2 (C) M K2 C Brute-force attack: Eve has caught a ciphertext and will try every possible key to try to decrypt it. This can be made infinitely hard by choosing a large keyspace. Eve

 Substitution o Goal: obscure relationship between plaintext and ciphertext o Substitute parts of plaintext with parts of ciphertext  Transposition (shuffling) o Goal: dissipate redundancy of the plaintext by spreading it over ciphertext o This way changing one bit of plaintext affects many bits of the ciphertext (if we have rounds of encryption)

 Monoalphabetic – each character is replaced with another character o Ceasar’s cipher – each letter is shifted by 3, a becomes d, b becomes e, etc. o Keep a mapping of symbols into other symbols o Drawback: frequency of symbols stays the same and can be used to break the cipher

 Homophonic – each character is replaced with a character chosen randomly from a subset o Ciphertext alphabet must be larger than plaintext alphabet – we could replace letters by two-digit numbers o Number of symbols in the subset depend on frequency of the given letter in the plaintext o The resulting ciphertext has all alphabet symbols appearing with the same frequency

 Polygram – each sequence of characters of length n is replaced with another sequence of characters of length n o Like monoalphabetic cipher but works on n- grams