Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Published byMae Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman"— Presentation transcript:

1 Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

2 Administrative stuff Project proposal due next week No office hours tomorrow Use Google ScholarGoogle Scholar Projects – more clarification Quiz returned

3 Giving, storing, and wiping secrets Credentials Password security Storage security Input security – Ctrl-Alt-Del Forgetfulness security – Encryption? – https://citp.princeton.edu/research/memory/ https://citp.princeton.edu/research/memory/

4 Implementation considerations Kerckhoffs’ principle and Shannon’s maxim – Especially tempting to violate in case of “dirty” code – I’ve been there! Watch your (unstated) assumptions – Example: Unsanitized (untrustworthy) input Adversaries Side-channels Performance

5 NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!! NEVER COMPOSE YOUR OWN WHEN LIBRARY EXISTS!!!

6 Problems: Side channels Side-channel attacks VERY damaging – Power – Timing – Error messages Different errors in SSH leak information (mismatch between implementation and specification of CBC block cipher mode): http://portal.acm.org/citation.cfm?id=586112

7 Optimizations Asymmetric encryption: – Password  Secret Key  E SK (K), E K (M) Signatures: – Password  Secret Key  M, Sig SK (h(M)) Why do this? Why is this safe? Symmetric: – Password  Key derivation/stretching/strengthening function  K

8 Trouble hiding in abstraction layers Hardware – CPU and drive drive architectures, e.g. SSD – Caches, RAM type – “Cold boot”: https://citp.princeton.edu/research/memory/https://citp.princeton.edu/research/memory/ Operating system – Swap/paging file(s) – Scheduling (process, access, I/O, etc.) Language and development tools – Compilation, (dynamic) optimization – Handling of temporary files (OS?) – Handling of mapped memory (OS?)

9 Always state your assumptions!

10 In practice: Problems Composability: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html Attack on PKCS #1 v2 standard-compliant RSA OAEP leaks plaintext bits: http://www.springerlink.com/content/tw5tuqb3hxbn9grq / This attack also leaks plaintext bits in a lot of systems that use CBC block cipher mode: http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps

11 Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40-bit key = 64-bit security Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40- bit key = 64-bit security On the right: text from Jonathan Katz Problems: Composability Is this secure against chosen-plaintext attacks? – It is randomized… 40-bit key (in some implementations)! – Claims that, with IV, this gives a 64-bit effective key(!) And how is the IV chosen? – Only 24 bits long -- IV repetitions are a problem! – Reset to 0 upon re-initialization – Some implementations increment the IV as a counter A repeating IV allows the attacker to compute the XOR of two plaintexts – We have discussed already how this can be damaging Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs – If portions of some plaintexts known, this enables determination of other plaintexts Known-plaintext attacks discovered on this usage of RC4 – Possible because the first byte of plaintext is a fixed, known header! Chosen-plaintext attacks – Send IP traffic/e-mail to the mobile host and watch it get forwarded – Transmit broadcast messages to access point – Authentication spoofing No cryptographic integrity protection – The checksum is linear (i.e., c(x  y) = c(x)  c(y)) and unkeyed, and therefore easy to attack – Allows IP redirection attack – Allows TCP “reaction” attacks Look at whether TCP checksum is valid Form of chosen-ciphertext attack Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce) – Allows easy spoofing after eavesdropping

12 Maintenance: Debian and OpenSSL Cause: Valgrind and Purify complain about bad code Result: Predictable random numbers How? In md_rand.c: //MD_Update(&m, buf, j); … //MD_Update(&m, buf, j); /* purify complains */ What happened?

13 SSL 3.0/TLS 1.0 vulnerabilities US CERT Vulnerability Note VU#864643: SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes US CERT Vulnerability Note VU#864643 “An attacker with the ability to pose as a man-in-the- middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS- encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).” NOT new – known CBC-mode attacks

14 Questions? Reading discussion

Download ppt "Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman"

Similar presentations

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Similar presentations

Ads by Google