CPS221 Lecture: Security last revised 11/29/10

Objectives

1. To introduce the notions of confidentiality, integrity, and availability of data

2. To introduce secret key, public key, and non-reversible encryption

3. To introduce authentication based on certificates

4. To discuss issues specific to operating systems, networks, and database systems

Materials:

1. Projectable of “Security Triad” from Stallings Computer Security

2. Projectable of attack costs table from Stallings

3. Projectable of binary code for “This is a test”

4. Projectable of Figure 2.3 from Stallings

5. Projectable of Stallings Figure 2.2

6. Projectable of Figure 29.3 from Forouzan

7. Encryption methods demo program

8. Public key private key demo program

9. Projectable of Figure 29.12 from Forouzan

10. Projectable of Figure 29.9 from Forouzan

11. Projectable of Figure 29.16 from Forouzan

12. Projectable of Figure 29.19 from Forouzan

13. Ability to show system root certificates on laptop

14. Ken Thompson article “Reflections on Trusting Trust”

15. Projectable of Figure 7.9 from Stallings

16. Ability to login to mysql on laptop and on joshua

17. Projectable of mysql privileges from p. 914-915 of manual

18. View example from Intro to DBMS lecture, including projectable of code for creating view and grant statements for base table and view

19. Projectable of Stallings Table 7.1

20. Ability to access yast2 on a workstation

I. Introduction

A. The topic of computer system security is, of course, a huge one. Our goal is just to look at a few key concepts:

1. Goals of security and kinds of threats and attacks

2. Encryption

3. Authentication


4. Some issues specific to operating systems

5. Some issues specific to database systems

6. Some issues specific to networks

B. We cover the topic here in this course because some of the fundamental issues are cross-cutting ones that affect operating systems, networks, and database systems. (In fact, this is one place where there is significant overlap between full courses in these three areas.)

II. Security Goals and the Nature of Attacks

A. The NIST (National Institute of Standards and Technology) Security Handbook definition of computer security: “Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”

B. In general, security is concerned with preserving the confidentiality, integrity, and availability of information in the face of attacks that are often malicious or at least intended to subvert safeguards.

PROJECT: Security Triad

1. Confidentiality has to do with two issues:

a) Data confidentiality: Ensuring that information can only be seen by those who are authorized to do so.

Example: a bank will need to control who may have access to information about a customer’s accounts.

b) Privacy: Ensuring that individuals have appropriate control or influence over what information about them can be collected and stored and how that information is disclosed to others.

Example: Many organizations are required by law to have stated privacy policies.

2. Integrity has to do with ensuring that information can only be changed by those who are authorized to do so.

Example: a bank will need to control who may change the balance in a customer’s accounts.


3. Availability has to do with ensuring that information can be accessed when a legitimate user needs to access it.

Example: a bank will need to ensure that information about a customer’s account is available to be seen and/or modified whenever that customer performs a transaction.

C. Security is concerned with dealing with a variety of different kinds of threat or attack:

1. Unauthorized disclosure - a threat to information confidentiality

a) Exposure of confidential information to those who shouldn’t have access to it.

(1) Can be the result of a deliberate action by an insider

Example: An employee of a restaurant stealing credit card numbers of customers

(2) Can be the result of carelessness

(a) Careless use of file protection mechanisms - e.g. on most Unix-like systems the default protection setting for a file is “readable by anyone”

(b) Theft or careless disposal of media (or computers containing media) containing confidential information. Some examples (from Stallings, 2008, p. 67):

i) “In December of 2004, Bank of America employees backed up and sent to its backup center data tapes containing the names, addresses, bank account numbers, and Social Security numbers of 1.2 million government employees enrolled in a chargecard account. None of the data were encrypted. The tapes never arrived and indeed have never been found ...”

ii) “In April of 2005, San Jose Medical group announced that someone had physically stolen one of its computers and potentially gained access to 185,000 unencrypted patient records.”

b) Interception of network traffic (recall the Wireshark lab)


c) Inference:

(1) Network traffic analysis - even if an attacker cannot learn the content of a user’s network traffic (due to encryption), the attacker may be able to learn something from the pattern of sites the user visits or other people the user communicates with.

(2) Inferences from statistical databases

Example: Suppose a system includes a facility for looking up the average salary for a group of people. Is it possible to find out the salary of a single individual? Yes - if one can obtain an average from two different groups, identical except for including or not including this one person.

d) Intrusion by an attacker

(1) Exploiting flaws in mechanisms intended to control access to information

(2) Activities such as breaking and entering

2. Deception: a threat to confidentiality and/or integrity

a) Masquerading:

(1) An attacker can learn the password of a user and then use it to gain access to, or modify, information the user has legitimate access to.

(2) Use of a Trojan horse

A Trojan horse is a program that performs a useful function but also performs a malicious one - e.g. a game program that spreads a virus.

b) Falsification: Unauthorized modification of a file or a database table.

(1) Misuse of authorized access by an insider

(2) Careless use of protection mechanisms

c) Replaying a captured message to cause the action specified to be done again.

Example: An attacker might obtain a copy of a message authorizing an electronic funds transfer to an account belonging to the attacker.


A replay attack would involve the attacker inserting a second copy of the message into the network, with the result that the EFT operation is done twice.

d) Repudiation, where the originator of a message denies having sent it, or the recipient of a message denies having received it.

3. Attacks on availability:

a) Incapacitation

(1) Physical attack on hardware or communication links

(2) Malicious software

b) Obstruction - e.g. denial of service

4. Misappropriation of system resources

5. Attacks of these sorts are actually quite costly.

PROJECT: Table of attack costs from Stallings p. 31

D. Security mechanisms can be deployed to

1. Prevent attacks

2. Detect attacks, with a view to

a) Recovery

b) Holding the responsible party accountable

E. Many security mechanisms rely on four basic ideas:

1. Encryption

2. Authentication of users

3. Control of physical access to systems

4. Logging of security-related events, to facilitate recovery (if a suspicious event is discovered) and/or accountability

5. We will focus on encryption and authentication, say a little about physical access, and not discuss logging further.


III. Encryption

A. Encryption is concerned with replacing information (called plaintext) with an encrypted form (called ciphertext) that cannot be read.

1. Most types of encryption are reversible - the inverse operation (decryption) converts ciphertext back into plaintext. (However, we will see shortly that there are uses for irreversible forms of encryption also.)

2. Encryption is often used to protect information confidentiality.

a) Sensitive information can be stored in encrypted form. This is a defense against snooping (unless the snooper can obtain access to the plaintext form of the information before it is encrypted or after it is decrypted by a legitimate user, or can somehow discover the key)

b) An attacker who masquerades as someone having legitimate access to information cannot learn anything from it without also knowing how to decrypt it

c) Sensitive information can be transmitted in encrypted form. This is a defense against interception.

3. Encryption can also be used to protect information integrity, since generally one cannot meaningfully modify information one cannot read.

a) This can be used to protect against unauthorized modification or masquerading.

b) It is, however, not necessarily a defense against replaying - since an attacker can replay an encrypted message even if he cannot understand it!

c) We will see that encryption is also used in strategies used for authentication and to protect against repudiation.

B. Examples of encryption strategies often use text as an example, so that what is being encrypted is a sequence of characters.

1. In practice, though, most encryption strategies are designed to work with binary data, and so can handle any type of information.


2. Of course, textual information can be represented as a sequence of numeric codes for individual characters; and each of these codes can be represented as a sequence of bits. The binary representation of a text is then the result of concatenating the codes for each individual character.

a) The examples in the Forouzan book represent characters by numbers in the range 0 .. 25 (plus space = 26)

b) More commonly, characters are represented using an encoding scheme such as ASCII or Unicode.

Example: The message “This is a test” could be represented by the sequence of (binary) ASCII codes

PROJECT

01010100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01100001 00100000 01110100 01100101 01110011 01110100

3. However, for the sake of clarity, some of our examples will involve encryption of individual characters (or their numeric codes)

C. Reversible encryption strategies have two components - an algorithm, and a key.

1. The encryption algorithm is generally not regarded as a secret. Indeed, efforts to protect information by hiding the method used to protect it (security by obscurity) are generally not strong.

2. Instead, encryption depends upon a key - whose exact form depends on the algorithm being used.

3. Reversible encryption algorithms fall into two broad categories.

a) Symmetric key strategies, in which the same key that is used to encrypt a message is also used to decrypt it

(1) In this case, if encryption is used for a message, then both the sender of the message and the receiver must know the key - it is a “shared secret”. For this reason, strategies like this are sometimes called “shared key” or “secret key” strategies

(2) Of course, if encryption is used to protect stored information, only the owner of the information may need to know the key.


b) Asymmetric key strategies, in which different (but related) keys are used for encryption and decryption.

(1) In particular, if a message is encrypted with one key, it can only be decrypted using the other key. (The key used to encrypt is of no use for decrypting.)

(2) Such strategies are sometimes called “public key” strategies because one of the keys (the one used for encryption) can be made totally public, while the other (known as the private key) is known only to one individual.

(3) To send a message using such a strategy, the sender can encrypt it using the recipient’s public key. But only the recipient can decrypt it, using the private key.

DEMO: PublicKeyPrivateKeyDemo program (use 11 as the public key and 59 as the private key)

NOTE: This example is meant simply to illustrate the idea - it is far from secure!

c) Some comparisons of the two approaches:

(1) Shared key strategies suffer from several problems:

(a) If it is desired to minimize the number of people knowing a given key, then it becomes necessary for each pair of users to share a unique key. For example, in a group of 10 people:

i) There are 45 different pairs. (Order doesn’t matter). Hence, 45 secret keys are needed.

ii) Each person needs to know 9 secret keys - one for each person being communicated with.

(b) Such strategies also suffer from what is known as “the key distribution problem” - how are keys to be communicated between individuals in such a way that a third party does not become aware of the key.

(c) Since both sender and receiver need to know the same key, such strategies are not directly useful for spontaneous communication


(2) Public key strategies do not suffer from these problems, but encryption and decryption typically involve a much greater amount of computation, making these strategies too inefficient to use for large messages.

(3) In practice, a hybrid approach is often used, in which a secret key (known as a session key) is used just for one communication between a pair of individuals, with a public key system used to actually transmit the key.

4. It is also possible to classify substitution algorithms as stream algorithms or block algorithms.

a) In a stream algorithm, each character or byte is encrypted and later decrypted individually.

PROJECT Stallings Figure 2.3 (p. 48)

b) In a block algorithm, blocks of binary data (perhaps created from text) are the units of encryption and decryption.

c) A comparison of the two

(1) Stream algorithms are generally faster

(2) But block algorithms allow key reuse

D. Shared Secret Key Strategies

1. Shared Secret key strategies are of three different types

a) Substitution (ciphering) strategies

b) Transposition strategies

c) Hybrid strategies

2. In a substitution strategy, individual characters or blocks of digits are encrypted individually by applying some function that substitutes a different value for each character/block.

PROJECT: Figure 29.3 from Forouzan

DEMO: Caesar, Vigenere, Stream strategies (strategy in Forouzan) using encryption strategies demo program.


(All examples are stream algorithms which use the key to specify an offset, with ‘A’ meaning offset of 0, ‘B’ offset of 1, etc.)

3. In a transposition strategy, individual characters or bits are transposed as specified by the key

DEMO: Transposition strategy using encryption strategies demo program.

a) This example is a block algorithm, with the block size (in characters) equal to the length of the key.

b) In this example, the key letters specify where the individual characters in each block go - ‘A’ means the first position in the encrypted block, ‘B’ means the second position ...

c) In practice, transposition is more commonly done on the bit level, rather than with full characters.
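The three demo ciphers as the lecture describes them, written here as an added example rather than the lecture's own encryption strategies demo program: Caesar and Vigenere shift letters by key-letter offsets ('A' = 0, 'B' = 1, ...), and the transposition cipher uses a key whose letters name the position each character of a block moves to. Everything works over the 26-letter alphabet; non-letters pass through unchanged.

```python
# Added example (not the lecture's demo program): Caesar, Vigenere and
# key-directed transposition over the 26-letter alphabet.
from string import ascii_uppercase as ALPHABET


def _offset(key_letter: str) -> int:
    """Map a key letter to its offset: 'A' -> 0, 'B' -> 1, ..., 'Z' -> 25."""
    return ALPHABET.index(key_letter.upper())


def _shift(ch: str, k: int) -> str:
    """Substitute one letter by shifting it k places (mod 26); leave non-letters alone."""
    if ch.upper() not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch.upper()) + k) % 26]


def caesar(text: str, key: str, decrypt: bool = False) -> str:
    """Stream substitution: every letter is shifted by the same one-letter key."""
    k = _offset(key)
    return "".join(_shift(ch, -k if decrypt else k) for ch in text)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Stream substitution: character i is shifted by key letter i (the key repeats).
    The key index advances on every character, letter or not."""
    out = []
    for i, ch in enumerate(text):
        k = _offset(key[i % len(key)])
        out.append(_shift(ch, -k if decrypt else k))
    return "".join(out)


def _positions(key: str) -> list:
    """Key letter i gives the ciphertext position of plaintext character i in a block
    ('A' = first position).  The letters must therefore form a permutation."""
    positions = [_offset(c) for c in key]
    if sorted(positions) != list(range(len(key))):
        raise ValueError("transposition key must use each of A.. exactly once")
    return positions


def transpose_encrypt(text: str, key: str, pad: str = "X") -> str:
    """Block transposition with block size len(key); the last block is padded."""
    n, positions = len(key), _positions(key)
    text = text + pad * (-len(text) % n)      # fill the final block
    out = []
    for start in range(0, len(text), n):
        block = text[start:start + n]
        enc = [""] * n
        for i, ch in enumerate(block):
            enc[positions[i]] = ch           # plaintext char i -> slot positions[i]
        out.append("".join(enc))
    return "".join(out)


def transpose_decrypt(cipher: str, key: str) -> str:
    """Undo transpose_encrypt: plaintext char i is read back from slot positions[i]."""
    n, positions = len(key), _positions(key)
    out = []
    for start in range(0, len(cipher), n):
        block = cipher[start:start + n]
        out.append("".join(block[positions[i]] for i in range(n)))
    return "".join(out)


if __name__ == "__main__":
    msg = "ATTACKATDAWN"                      # constructed sample plaintext
    print(caesar(msg, "D"))                   # DWWDFNDWGDZQ
    print(vigenere(msg, "KEY"))               # KXRKGIKXBKAL
    print(transpose_encrypt(msg, "CAB"))      # TTACKATDAWNA
```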

4. Secret key encryption strategies are vulnerable to two kinds of cryptographic attack

a) Brute force discovery of the key by trying all possible values.

(1) Observe that with Caesar and the Stream algorithm discussed in Forouzan, the set of possible key values is very small - 26 if restricted to letters of the alphabet, or 256 if restricted to ASCII characters. In practice, a much broader range of key values would need to be used, of course - enough possibilities to make brute force discovery of the key infeasible even using multiprocessor systems.

Example: SSL and WEP use a stream algorithm known as RC4 that uses a key that can be anywhere from 8 to 2048 bits long.

(2) For brute force, the effort required is exponential in the number of bits in the key (i.e. the strategy requires trying each possible key to see if it produces a meaningful result.)

PROJECT: Stallings Figure 2.2

b) Cryptanalysis. Here, the idea is to try to deduce the key from an analysis of the ciphertext.


(1) For example, an attacker may know at least the beginning of the plaintext from which a given ciphertext was produced (e.g. a standard header), and can use this information in an attempt to determine the secret key.

(2) Sometimes, an attacker has available both a ciphertext and the plaintext from which it was created - or even the encryption of a plaintext that the attacker has spoofed the target into encrypting.

(3) A key goal for an encryption algorithm is that even an attacker who knows the algorithm and who possesses several examples of ciphertext and the plaintext from which they were created will still be unable to discover the key in shorter time than what would be required for brute-force analysis.

c) One sort of secret key strategy is immune to both of these kinds of attack: the use of a one-time pad, in which sender and receiver possess a sequence of keys, each of which is used for just one character of the message.

PROJECT: Figure 29.12 from Forouzan

The only vulnerability of this approach is disclosure of the key (e.g. in transit).

5. Both substitution and transposition, used alone, are vulnerable to cryptanalytic attacks. As we have noted, most practical secret key encryption strategies are hybrids that use a combination of substitution and transposition.

a) The Forouzan book discusses a hybrid algorithm known as DES (Data Encryption Standard) that was used starting in 1976.

PROJECT: Figure 29.9 from Forouzan

DES was a federal standard, widely used both in government applications and in the private sector (e.g. electronic funds transfer).

b) It is thought that algorithms like DES are safe from cryptanalytic attack and are only vulnerable to brute force attacks. (This comes from years of analysis of the algorithms and attempts to discover loopholes.)

c) At the time DES was first put into use, its 56 bit key was safe against brute force attacks using the technology of the time.


(1) There are 2^56 possible keys. A brute force attack would need to try all possible keys until one worked - almost 10^17 possibilities - still a daunting number.

(2) However, in the late 1990s, brute force attacks using a special-purpose highly parallel machine succeeded in less than a day, calling into question whether its key length was still safe.

(3) DES has been replaced in practice by one of two approaches.

(a) Triple DES does DES encryption three times on each block, using up to three different keys (yielding an effective key length of up to 168 bits).

Recall that, for an exponential problem, increasing the problem size by 1 doubles the effort required - so brute-force cracking of Triple DES with a 168 bit key requires 2^112 (over 10^33) times the effort required to brute-force crack standard DES!

(b) A new algorithm called AES (Advanced Encryption Standard) became a federal standard in 2002. There are three versions, using key lengths of 128, 192, and 256 bits.

E. Public Key Strategies

1. Recall that shared key strategies have issues relative to key distribution and the need for a large number of keys.

2. A public key strategy, on the other hand, uses two keys - a public key which can be publicly disseminated, and a private key known only to the key’s holder.

PROJECT Figure 29.14 from Forouzan

3. The most widely used public key strategy is the RSA strategy, named after its inventors (Rivest, Shamir, and Adleman) who published it in 1978. A patent on it, granted in 1983, lasted 17 years, but the strategy is now in the public domain.

a) An RSA key is generated as follows:

(1) The process uses two large (100’s or 1000’s of digits) prime numbers, called p and q in the literature. These are secrets known only to the key’s owner.


(2) The product of the numbers (called n in the literature) is published as part of the public key.

(a) The security of the algorithm rests on the known difficulty of the factoring problem - the only known way to discover p and q would be to factor n, believed to require time exponential in the number of bits in the factors using a brute-force approach.

(b) If a non-exponential factoring algorithm were discovered, the security of an algorithm like RSA would vanish in an instant - since once the factors of n (which is part of the public key) are known, discovering the private key is trivial.

(3) The key’s owner also generates two numbers (called e and d in the literature) which have the property that they are both relatively prime to (p-1)(q-1), and e * d mod ((p-1)(q-1)) is 1. (In essence, one can choose almost any value for e and find a suitable d value.) The value of e is published (along with n) as the public key; the value of d (along with n) constitutes the private key.

b) To encrypt a number P

(1) P may be a binary number to begin with (e.g. an image) or may be derived from a textual message.

(2) The number of bits in P must be < log2(n). (Longer messages are encrypted as a series of blocks.)

(3) The sender computes and sends C = P^e mod n.

c) To recover the original value of P, the receiver computes C^d mod n.

d) Example: Suppose we use p = 7 and q = 37. (Very unrealistically small values, but chosen to make the arithmetic simple.)

(1) n = 7 x 37 = 259

(2) (p-1)*(q-1) = 6*36 = 216

(3) Suppose we choose e = 11 (which is relatively prime to 216)


(4) Then we use d = 59, since 11 * 59 = 649 and 649 % 216 = 1 and 59 is relatively prime to 216

This yields the values we demonstrated earlier (DEMO again)

e) RSA works because (a result from number theory), for any P < n, P^(ed) mod n = P when e and d have the properties indicated.

f) A public key system actually works both ways - i.e. if a message is encrypted with the sender’s private key it can be decrypted with the sender’s public key

DEMO use 59 to encrypt and 11 to decrypt

g) With RSA, the security of the algorithm depends on the length of the key. A key length of 1024 is considered safe for the foreseeable future.

h) Of course, actually using RSA involves significant computation to raise a message (or block of a message) to the power e (or, for decryption, to the power d). In general, e and d are not small numbers - in fact, the encryption is less secure if e is small. (You have a homework problem which asks you what would be the case if e is 1.)

(1) The problem is not as bad as it might appear at first. It would appear that calculating P^e would require e multiplications. Actually, it can be done with about log2(e) multiplications and additions:

(a) Suppose e has b bits (where b will be ceiling(log2(e))).

(b) Calculate P^2 as P × P, then P^4 as P^2 × P^2, then P^8 as P^4 × P^4, ... P^(2^b) as P^(2^(b-1)) × P^(2^(b-1)). [b multiplications in all]

(c) Add the computed powers of P which correspond to 1’s in the binary representation of e. [b additions in all]

(d) Thus, the exponentiation required for encryption has complexity O(log2(e)). (The same applies to calculating C^d, whose complexity is O(log2(d)).)

(2) Nonetheless the computational effort for a large message is still significant, since the numbers being multiplied are themselves very large.
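The worked example above (p = 7, q = 37, e = 11, giving n = 259 and d = 59) and the repeated-squaring exponentiation, as an added Python example that is not the lecture's PublicKeyPrivateKeyDemo: the key generation derives d from e with the extended Euclidean algorithm, and mod_pow walks the bits of the exponent, squaring as it goes and combining the powers that correspond to 1 bits by modular multiplication, so it does O(log2 e) work and also reports how many multiplications it used. The "both ways" property (encrypt with 59, decrypt with 11) is exercised at the end; the parameters are the lecture's toy values and are in no way secure.

```python
# Added example (not the lecture's demo program): textbook RSA with the lecture's
# toy parameters and square-and-multiply exponentiation.  Real keys use primes
# hundreds of digits long plus a padding scheme; none of that is modelled here.
from math import gcd


def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e: int, m: int) -> int:
    """Return d with (e * d) mod m == 1; e and m must be relatively prime."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}")
    return x % m


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)              # (p-1)(q-1) from the lecture
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (mod_inverse(e, phi), n)


def mod_pow(base: int, exp: int, mod: int) -> tuple:
    """base**exp mod mod by repeated squaring; returns (result, multiplications).

    `power` runs through P, P^2, P^4, ... (one squaring per bit of exp); whenever
    the current low bit of exp is 1 that power is multiplied into the result,
    so the total work is proportional to the bit length of exp, not to exp.
    """
    result, count = 1, 0
    power = base % mod
    while exp > 0:
        if exp & 1:
            result = (result * power) % mod
            count += 1
        power = (power * power) % mod
        count += 1
        exp >>= 1
    return result, count


def rsa_apply(block: int, key: tuple) -> int:
    """Encrypt or decrypt one block (0 <= block < n) with either key."""
    k, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than n")
    return mod_pow(block, k, n)[0]


def rsa_bytes(data: bytes, key: tuple) -> list:
    """One byte per block; fine here because n = 259 exceeds 255."""
    return [rsa_apply(b, key) for b in data]


if __name__ == "__main__":
    public, private = rsa_keygen(7, 37, 11)          # ((11, 259), (59, 259))
    c = rsa_apply(65, public)
    print(public, private, c, rsa_apply(c, private))  # ... 65 comes back
    s = rsa_apply(65, private)                        # "sign" with d ...
    print(rsa_apply(s, public))                       # ... recover with e: 65
    print(mod_pow(2, 10, 1000))                       # (24, 6)
```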


4. There are public key algorithms other than RSA, but RSA is by far the most widely used.

a) Some algorithms can only be used for a subset of the tasks RSA can be used for - e.g. Diffie-Hellman is only usable for key distribution.

b) One alternative: Elliptic Curve Cryptography (ECC) appears to offer equal security for a far smaller bit size, but is fairly new and has not been analyzed for vulnerabilities as thoroughly as RSA has.

F. Hybrid Reversible Algorithms

1. In practice, a public key algorithm like RSA is not generally used for encrypting entire messages - at least large ones.

2. Instead, one approach is this:

a) The sender creates a secret key.

b) The sender uses this key to encrypt the message

c) The sender encrypts the secret key using the public key of the recipient. (The secret key will be relatively short, so this is not nearly as complex as encrypting the entire message).

d) The sender sends both the encrypted secret key and the encrypted message to the recipient.

e) The recipient decrypts the secret key using his/her private key, then uses the decrypted secret key to decrypt the original message.

f) Note that the sender and receiver do not need to share a key in common, so this can be used even when there has been no prior interaction between the two.

3. An approach like this is part of the secure socket layer (SSL) used, for example, with https.

a) As part of establishing a connection, the client chooses a random number and uses it to generate a symmetric session key for that one connection. This session key is then used to encrypt other transmissions between the client and server during one session.


b) The client encrypts the random number with the server’s public key. The server decrypts it with its private key and generates the same session key from it.

c) No one else is able to learn the session key; hence, communication encrypted by it is secure.

G. Non-Reversible (One-Way) Encryption

1. The encryption strategies we have considered thus far have been reversible - given the encrypted text and the appropriate key, it is possible to reconstruct the original message.

2. There is also a category of encryption algorithms that are not reversible - i.e. there is no way to extract the original message from the encrypted form.

a) In fact, in general, the encrypted form is smaller than the message being encrypted. Thus, several different messages will encrypt to the same value - so necessarily there is no way of recovering the correct original value.

b) Strategies used are variants of hashing (which you will study in CPS222)

[Figure: a hash function maps binary data (perhaps derived from text; a large number of possible values) to hashed data (a much smaller number of possible values)]

(1) Hashing strategies are used in search structures (e.g. Java HashSets and HashTables). In this case, irreversibility is not an issue.

(2) When used cryptographically, we want to ensure that there is no feasible way to reconstruct the original data given the hashed data, or to construct an arbitrary message that hashes to a given value.

c) When hashing is applied to a message to produce a much smaller hashed value, it is commonly called a digest.


3. So what is this sort of encryption good for? It can be used for authentication and non-repudiation.

a) You have already seen an example of this. When you downloaded a disk image of Ubuntu, you used MD5 to create a digest of the downloaded image which you then compared to a cryptographic digest posted on the Ubuntu site. This was intended to assure you that the image you downloaded had not been tampered with.

The hashing algorithm used (MD5) is designed so that it is virtually impossible to change the contents of the disk image it protects in such a way as to yield the same md5 checksum as the original, unaltered version.

(1) The name “MD5” stands for “Message Digest Algorithm 5”.

(2) Actually, MD5 has been shown to have significant weaknesses. Hence, another algorithm is preferred in many cases.

(a) One that is widely used is SHA-1 (Secure Hash Algorithm 1 - a successor to an algorithm that was shown to have weaknesses.)

(b) Because SHA-1 produces just a 160 bit hash, newer variants that produce longer hashes are taking its place (SHA-256, SHA-384, or SHA-512)

b) In general, the sender of a message can enable the receiver to be sure the message has been transmitted correctly as follows:

(1) Create a digest of the message using a well-known scheme such as MD5 or SHA-1.

(2) Send both the message and the digest to the recipient.

(3) The recipient can ensure the message’s integrity by

(a) Creating a digest of the message by using the same algorithm as the sender used.

(b) Comparing the two digests. If they are the same, the recipient can be confident that the message received is the same as the message sent.

PROJECT: Figure 29.16 from Forouzan


(c) Of course, this assumes that the digest is secure. If this is an issue, the digest can be encrypted using the sender’s private key - in which case the ability to decrypt it using the sender’s public key ensures its authenticity.

c) Non-reversible encryption is also typically used for storing passwords.

(1) When a user chooses (or is assigned) a password, the password itself is not stored - rather, a one-way hash is stored.

(2) When a user presents a password for login purposes, the system encrypts the password supplied by the user with the same algorithm used to encrypt the stored password.

(3) If the encrypted password submitted matches the stored encrypted password, the user is assumed to have supplied the correct password.

(4) Use of non-reversible encryption means that password recovery requires generating a new password - there is no way the original password can be recovered.
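A password store of the kind just described, as an added example (not from the lecture): only a one-way hash is kept, and a login re-hashes what the user typed and compares. It goes a step beyond the text by adding what real systems layer on top, which is an assumption here rather than something the page states: a random per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256), so that two users with the same password get different entries and each guess costs real work; the bare unsalted scheme is kept alongside for contrast.

```python
# Added example (not from the lecture): one-way password storage and checking.
from __future__ import annotations
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000        # work factor per guess; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The bare scheme from the lecture: store hash(password).  Identical passwords
    give identical entries, so one precomputed table covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash'.
    The password itself is never stored; a fresh 16-byte salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])


def verify_password(password: str, record: str) -> bool:
    """Login: hash the supplied password with the stored salt and iteration count,
    then compare the two hashes in constant time.  Only hashes are ever compared."""
    scheme, iters, salt_b64, key_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(key_b64))


def register(store: dict, user: str, password: str) -> None:
    """Create or reset an account; the store holds records, never passwords."""
    store[user] = hash_password(password)


def login(store: dict, user: str, password: str) -> bool:
    """True only if the user exists and the supplied password re-hashes to the record."""
    record = store.get(user)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    users: dict = {}                                  # constructed in-memory password file
    register(users, "alice", "correct horse battery")
    register(users, "bob", "correct horse battery")   # same password as alice ...
    print(users["alice"] != users["bob"])             # ... but a different record: True
    print(login(users, "alice", "correct horse battery"))   # True
    print(login(users, "alice", "wrong"))                   # False
```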

d) Non-reversible encryption can be used to ensure the integrity of a file (or group of files). If a digest is made of the file(s) to be protected and saved, it can be compared to a digest created later to ensure that the file has not been changed.

e) Non-reversible encryption can also be used to guarantee not only that a message has not been corrupted but also can prevent the sender of a message from later claiming to not have sent it (digital signature).

(1) The sender creates a digest of the message (using a well-known algorithm)

(2) The sender then encrypts the digest with the sender’s private key.

(3) The sender sends the message (encrypted if necessary) and the encrypted digest to the recipient.

(4) The recipient can prove that the sender actually sent the message by demonstrating that the encrypted digest created by the sender, when decrypted with the sender’s public key, is identical to a digest created using the same algorithm from the received (and decrypted if necessary) message.

PROJECT: Figure 29.19 from Forouzan
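The integrity check of part b) and the digital signature of part e), as an added Python example that is not part of the lecture: digests are real SHA-256 values from hashlib, and the signing step reuses the lecture's toy RSA key (n = 259, e = 11, d = 59) through Python's built-in modular pow, reducing the digest mod n so it fits in one block. Because only 259 reduced digests exist, an altered message would pass the toy signature check by accident about one time in 259, which is exactly why real signatures keep the full 256-bit digest and a key of thousands of bits.

```python
# Added example (not from the lecture): message digest check and a toy-RSA
# digital signature over that digest.
import hashlib
import hmac

N, E, D = 259, 11, 59      # the lecture's toy modulus, public exponent, private exponent


def digest(message: bytes, algorithm: str = "sha256") -> str:
    """Create the digest (hex) of a message with a well-known hash algorithm."""
    return hashlib.new(algorithm, message).hexdigest()


def verify_integrity(message: bytes, sent_digest: str, algorithm: str = "sha256") -> bool:
    """Recipient: recompute the digest with the same algorithm and compare it to
    the one that arrived.  compare_digest runs in constant time."""
    return hmac.compare_digest(digest(message, algorithm), sent_digest)


def _reduced_digest(message: bytes) -> int:
    """Squeeze the SHA-256 digest into one RSA block (toy-sized; see lead-in)."""
    return int(digest(message), 16) % N


def sign(message: bytes, private_exp: int = D, n: int = N) -> int:
    """Sender: digest the message, then 'encrypt' the digest with the private key."""
    return pow(_reduced_digest(message), private_exp, n)


def verify_signature(message: bytes, signature: int, public_exp: int = E, n: int = N) -> bool:
    """Recipient: 'decrypt' the signature with the sender's public key and check
    that it equals a digest freshly computed from the received message."""
    return pow(signature, public_exp, n) == _reduced_digest(message)


if __name__ == "__main__":
    # constructed sample traffic: an EFT-style message and a tampered copy
    msg = b"Transfer 100 dollars from account 1111 to account 2222"
    tampered = b"Transfer 900 dollars from account 1111 to account 2222"
    d = digest(msg)
    print("digest matches:   ", verify_integrity(msg, d))        # True
    print("tampered matches: ", verify_integrity(tampered, d))   # False
    sig = sign(msg)
    print("signature", sig, "verifies:", verify_signature(msg, sig))   # True
```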


IV. Authentication

A. There are many cases in which it is important to be sure that the person at the other end of a communication is who he/she claims to be (example: the many situations in which a password is utilized.)

B. In general, there are four ways a person might be able to prove he/she is who he/she claims to be.

1. Something the user knows

a) A password

b) Personal information such as mother’s maiden name, place of birth, etc.

c) An algorithm

2. Something the user has

e.g. an ATM card - used in conjunction with a PIN, so that a card that has been lost or stolen cannot be used by itself

3. Something the user is

e.g. static biometrics such as fingerprints, iris scans

4. Something the user does

e.g. dynamic biometrics such as voiceprints or handwriting characteristics (not just the appearance, but speed and pressure)

C. Passwords are the most commonly used form of authentication.

1. Because of this, they are a particular focus of attack by crackers. (Cracker is the term commonly used for a person who attempts to learn a password illicitly.) What are some ways a cracker might attempt to learn a password?

ASK

a) Exploiting user mistakes (e.g. writing a password down)

b) Popular password attack

c) Researching a particular user in an attempt to guess likely passwords. (This appears to be the way Sarah Palin’s email account was hacked)


d) Workstation hijacking

e) Running a Trojan horse login program. (Such a program is left running on a computer system (generally a publicly accessible one) and displays the normal username and prompts, but then captures what an unsuspecting user types and emails it to the cracker.)

2. A particular vulnerability arises if a cracker can gain access to the file containing the encrypted passwords, because then the cracker can run an offline dictionary attack, encrypting multitudinous possibilities to see if any matches an entry in the file.

a) This is possible because - by design - there is nothing secret about the hashing algorithm used for encrypting passwords. (There does not need to be, since it is one-way.)

b) Historically, on Unix the file that was originally used to store the passwords (/etc/passwd) is readable to any user logged on to the system.

(1) This was necessary because this file also stored information about users that needed to be publicly available (e.g. historically their office and phone numbers - though modern versions store this elsewhere)

(2) This was felt to be safe because passwords were stored in encrypted form.

(3) However, this became a serious vulnerability, because hackers figured out that they could try to encrypt password guesses (such as “password” or the user’s name) and compare the encrypted result to what was stored in the password file, without having to actually try to log in using the guessed password (a more time-consuming process, and one that could result in suspicious entries in system logs)

c) Modern Unix-like systems - and most other systems - store encrypted passwords in a file that is not publicly readable for just this reason. In the case of Linux, this is /etc/shadow. (The password field in /etc/passwd is blank - the password isn’t stored there anymore.)

DEMO: try to access /etc/shadow as an ordinary user, then using sudo


d) Since a cracker may find a way to gain access to the password file on any system (not just Unix) two other techniques are used to make offline dictionary attacks more difficult.

(1) The use of password “salt”.

(a) On many systems, instead of encrypting just the user’s password, the system encrypts the password combined with a random “salt” value. This value is also stored in the password table, and when a user attempts to log in, the password the user supplies is combined with this value for encryption.

(b) What this does is to require a cracker to try a password combined with every possible salt value to see if it matches any entry in the password table - e.g. if a 12 bit salt is used, a cracker must try all 4096 possible combinations with something like “secret” or “password” to see if any matches an entry in the password table.

(2) Using a deliberately slow encryption algorithm. This poses little burden when a legitimate user logs in, but makes the job of testing possible passwords for matches much more time-consuming.
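As an added illustration (not part of the lecture), the following Python builds and checks password-table entries the way steps (1)-(4) above and the salt and slow-hash techniques just described require; the record format, the 16-byte salt and PBKDF2 with 200,000 iterations are choices of this example, not of any particular system.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; real deployments tune the iteration count
# so that one hash costs a noticeable fraction of a second on the server.
ALGORITHM = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way hash of the password combined with its salt. PBKDF2 repeats the
    hash 'iterations' times, which is the deliberately slow algorithm of (2)."""
    return hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the entry stored in the password table. The password itself is never
    stored; the random salt is stored beside the hash, as in (1)(a)."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(candidate: str, record: str) -> bool:
    """Login check: rehash the supplied password with the stored salt and iteration
    count and compare against the stored hash (constant-time comparison)."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != f"pbkdf2_{ALGORITHM}":
        return False
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))

def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same password get different stored hashes because
    their salts differ, so a guess hashed once cannot be matched against every entry."""
    a, b = make_record(password), make_record(password)
    return a.split("$")[3] != b.split("$")[3]

def hashes_per_dictionary_word(records: list, salted: bool) -> int:
    """How many hash computations one dictionary word costs someone holding the
    whole table: once for an unsalted table, once per distinct salt if salted."""
    if not salted:
        return 1
    return len({r.split("$")[2] for r in records})

if __name__ == "__main__":
    # Constructed sample table: two users who happen to choose the same password.
    table = {"alice": make_record("correct horse"), "bob": make_record("correct horse")}
    print(verify_password("correct horse", table["alice"]))                # True
    print(verify_password("wrong guess", table["bob"]))                    # False
    print(salted_hashes_differ("password"))                                # True
    print(hashes_per_dictionary_word(list(table.values()), salted=True))   # 2
```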

D. Of course, the need to authenticate is often two-way. For example, when doing electronic banking, it is important to know that the site to which you give your password is really your bank, and not some impostor site whose creator will then use the password you supply to get funds from your account.

1. To facilitate this, a genuine site will use a certificate specifying its identity and public key.

2. The certificate is digitally signed by a certificate authority (CA) whose identity and public key are known to the client. The client can therefore verify the integrity of the certificate and hence the identity of the server and validity of the public key.

3. Of course, this depends on the client trusting the certificate authority. (The CA serves as a trusted third party, whom the client trusts to have verified the server’s identity and public key before issuing a signed certificate.) This may be as a result of the CA being one of the root CAs known to the user (or more likely the user’s browser); or the CA may itself be verified by another CA known to the user.

SHOW System root Certificates on my Mac


V. Issues Specific to Operating Systems

A. As you know, operating system security is typically based on user identity established via a password. Only a user that can properly authenticate as a known user is allowed to access the system in the first place, and what that user can do is determined by the identity.

B. Operating systems typically protect a number of resources

1. The right to access the system in the first place

2. Access to various files.

a) Many operating systems use a model similar to that found in traditional Unix, where a file is owned by a specific user, and access rights are specified for the user who owns the file, for others in the same group as the user who created the file, and for the world at large.

(1) In Unix, the password file specifies a user id for each user. When that user logs in, the user’s shell (and all processes it creates) normally run with the permissions of that user id.

(2) The file /etc/group specifies various groups. The password file specifies a primary group for each user, but a user may be a member of other groups as specified by /etc/group.

(3) The unit of protection is the file, which may be

(a) An ordinary file

(b) A directory (containing a listing of other files)

(c) A “special file” representing an IO device or an area in kernel memory

(4) Each file has a user and group owner - normally the user and group who created it.

(5) Each file specifies access rights for its user owner, its group owner, and everyone else.

(a) If a process is running under the user id of the file’s owner, the owner access rights govern.

(b) If the process is running on behalf of a user who is a member of the group owning the file - but not the user owner - the group access rights govern.

(c) In all other cases, the “other” access rights govern.

(6) Access rights are specified separately for each category:

(a) Read access permitted - a process can read a file or list the contents of a directory or read from an IO device or memory

(b) Write access permitted - a process can write to a file or create or delete files in a directory or write to an IO device or memory

(c) Execute permitted - a process can execute a binary file (to which it also has read access) or perform operations on a directory. (Recall how you needed to do this with the shell scripts you created in lab)

(7) It is also possible to set bits called “set user id” and “set group id” on a binary executable program. In this case, the program runs with the identity of the file’s owner user or group, and therefore has that user/group’s access permissions.

b) Some operating systems (including newer versions of Unix such as Linux) offer a model known as access-control lists, which allows an owner to grant access to specific users - a more flexible protection mechanism than the simple user-group-others model of Unix.
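An added example (not from the lecture) that encodes the Unix rules (5)-(7) of a) above in Python, including the point that the governing class is chosen first and its bits then decide, and the setuid rule used by programs such as ps; all uids, gids, file modes and process identities are constructed for illustration.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    """Identity a process runs under: uid from the password file, primary gid,
    and supplementary groups from /etc/group."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Inode:
    """The protected unit: owner uid, owner gid, and the mode bits (st_mode)."""
    uid: int
    gid: int
    mode: int

def permission_class(proc: Process, f: Inode) -> str:
    """Rules (5)(a)-(c): the FIRST matching class governs, even when its bits are
    more restrictive than those of a later class."""
    if proc.uid == f.uid:
        return "owner"
    if f.gid == proc.gid or f.gid in proc.groups:
        return "group"
    return "other"

_SHIFT = {"owner": 6, "group": 3, "other": 0}
_BIT = {"read": 4, "write": 2, "execute": 1}

def allowed(proc: Process, f: Inode, op: str) -> bool:
    """Rule (6): test the r/w/x bit of the governing class. uid 0 (root) is the one
    user the system lets do everything; for execute it still needs some x bit set."""
    if proc.uid == 0:
        return op != "execute" or bool(f.mode & 0o111)
    return bool((f.mode >> _SHIFT[permission_class(proc, f)]) & _BIT[op])

def identity_after_exec(proc: Process, f: Inode) -> Process:
    """Rule (7): a set-user-id / set-group-id executable runs with the identity of
    the file's owner; otherwise the caller's identity is unchanged."""
    if not allowed(proc, f, "execute"):
        raise PermissionError("no execute permission")
    uid = f.uid if f.mode & stat.S_ISUID else proc.uid
    gid = f.gid if f.mode & stat.S_ISGID else proc.gid
    return Process(uid, gid, proc.groups)

# Constructed sample: uids, gids and modes invented for this example.
ROOT, ALICE, BOB = 0, 1001, 1002
STAFF, WHEEL = 50, 10
alice = Process(ALICE, STAFF, frozenset({WHEEL}))
bob = Process(BOB, STAFF)
report = Inode(ALICE, STAFF, 0o640)                    # rw-r-----  alice:staff
private = Inode(ALICE, STAFF, 0o077)                   # ---rwxrwx  owner class still governs
ps_binary = Inode(ROOT, WHEEL, stat.S_ISUID | 0o755)   # setuid-root, like the ps example

def demo() -> dict:
    return {
        "alice_writes_report": allowed(alice, report, "write"),     # True  (owner bits)
        "bob_reads_report": allowed(bob, report, "read"),           # True  (group bits)
        "bob_writes_report": allowed(bob, report, "write"),         # False
        "alice_reads_private": allowed(alice, private, "read"),     # False (owner bits are 0)
        "bob_reads_private": allowed(bob, private, "read"),         # True  (group bits)
        "bob_runs_ps_as_uid": identity_after_exec(bob, ps_binary).uid,  # 0
    }
```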

3. Various management functions

a) Unix has a rather broad-brush approach to this. There is one user (conventionally known as root or “superuser”) who is allowed to do everything - shut down the system, change ownership or protection of files, etc.

(1) This can create a problem, because the only way to give a user the privilege to perform some “system” operation is to give them all privileges.

(2) However, it is possible to give a user the ability to run a specific program with “system” privileges via the setuid mechanism. (For example, /bin/ps does this to allow access to the kernel’s process table.)

(3) In addition, running as the root user is dangerous, because a typographical error in a command can have disastrous consequences, since the system allows the root user to do anything.


Example: Barry Reinhold’s experience as a system manager

(4) For the latter reason, most Unix-like systems today use a command called sudo which executes a single command with superuser privileges. When first given, sudo requires the user to enter a password; if used again within 5 minutes, it doesn’t require a password again. Most systems require that the user who executes sudo be listed in a file that specifies who is allowed to use sudo. (On some Linux systems, the password required is that of root; on many other systems (including Ubuntu and MacOS) it is the password of a user who is declared to be a system administrator in the list of user accounts.)

b) Other systems use a more fine-grained approach. For example, recent versions of Windows have 35 distinct privileges which can be assigned to an individual user at login. This allows the use of the principle of minimum privilege - a user should be given the privileges to do what the user needs to do, but nothing more.

C. Attempts to bypass operating systems, or to hijack the system, are often made at one of four points.

1. The password system - we have discussed this already

2. Attempting to get a legitimate user to run a malicious program. (Trojan horses).

a) In earlier days, viruses were often spread by an infected program that was shared with other users - e.g. a game.

b) Today, Trojan horses may be embedded in programs downloaded from the web, or as macros embedded in documents sent in email attachments.

c) When a user runs a Trojan horse, the malicious code in the Trojan horse runs with the same access to the file system as the user running it.

(1) Of course, this means that a Trojan horse run as the “root” user on a Unix-like system is a particular danger.


(2) For this reason, the preferred mode of operation on most such systems is for administrators to run as ordinary users, using sudo only when necessary. (This is what requests to Authenticate on systems like Ubuntu mean - the utility needs to use sudo and requires a password to do so.)

3. Backdoors left in legitimate software.

A particularly insidious example of how this might be done is the approach discussed in Ken Thompson’s article “Reflections on Trusting Trust”

DISCUSS

4. Buffer overflows.

When a program needs to accept input data, it must specify a buffer in memory to hold the data. (Recall how you needed to do this in your labs involving socket use)

a) Of course, the buffer has to be allocated with some amount of space capable of holding the largest expected legitimate data.

b) What if the data exceeds the size of the buffer? In this case, we have what is called a buffer overflow.

(1) Historically, many of the library routines used by programs written in C or C++ simply stored the excess data beyond the end of the buffer, overwriting legitimate data that was there.

(2) A malicious user could take advantage of this by knowledge of the way that local variables are allocated on the runtime stack: the information (often transmitted over the network) might be long enough to overflow the buffer, replacing information higher up the stack with malicious code and changing the return address to point to this code instead of the original caller of the routine.

[Figure: stack before overflow - Local variables (including buffer); Return address for current routine; Information belonging to caller of the current routine; Parameters of current routine]

[Figure: stack after overflow - Local variables (including buffer); Malicious code included in overflow; Modified return address]

(This, of course, requires that the attacker knows the architecture and stack structure of the machine the code will run on - which is why such attacks are typically made on widely used platforms.)

If the overflow occurs in a routine running in kernel mode (such as in networking code), the attacker can do essentially anything desired in the malicious code - e.g. installing a worm or virus, a keystroke logger, or a remotely-activated “bot” used for denial of service or sending spam email.

5. Avoiding buffer overflow vulnerabilities involves various measures including using library routines that do not allow information to overflow allocated buffer space.

6. The buffer overflow problem has been known for a long time, yet there are still myriads of vulnerabilities in existence due to programmer failure or laziness. Given the present state of knowledge, this is totally unacceptable!

D. Of course, the “holy grail” of crackers is to obtain root level access to a system.

1. Once such access is obtained, a hacker may install a software package known as a rootkit, which modifies system-level behavior in such a way as to disguise the intruder’s presence on the system


Examples:

a) The code for the system’s “list processes” API may be modified so that the hacker’s processes are not reported

b) The system’s directory listing API code may be modified so that the hacker’s files are not reported

2. An example of how a rootkit might be installed

PROJECT Stallings Figure 7.9

3. Detection and removal of rootkits is complicated by the fact that the very tools that would be used (examination of running processes and directory listings) have been rendered unreliable by the rootkit.

One approach that is used is to access the information directly - without going through the system APIs - and then compare this to the result obtained by going through the APIs.

E. Physical security is also important, lest an attacker be able to bypass operating system protections

1. Example: an attacker who can boot his own operating system from a medium like a CD can generally access all the files on the computer’s disk without regard to operating system-managed file protection.

For this reason, Linux systems often include a boot loader program that will only allow the computer to boot from specified devices. The boot loader is itself password protected.

2. Example: an attacker who can take a disk out of the case can access any file on it without regard to operating system-managed file protection.

This is why if a stolen laptop contains confidential information that is not encrypted, that information can easily be accessed. (Fortunately, though, those who steal laptops are often more interested in the value of the hardware itself, not the information on it!)


VI. Issues specific to database systems

A. Database system security is built on top of operating system security. The file(s) in which the database is stored have protections set so that only the dbms can access them. (This is typically done by having the dbms run under a special user id used only for it, and having the database owned by this user)

B. The dbms, in turn, has its own user authentication mechanisms, so that logging on to the dbms is a separate and distinct step from logging on to the computer on which it is running.

1. In fact, most dbms’s allow a user to log on to the database remotely without having to actually log onto the computer running it.

DEMO: Log onto mysql on joshua from my computer

2. Some dbms’s may allow a user who is logged in to the computer to access the database under the same username.

DEMO: mysql on laptop

C. The DBMS, in turn, controls access to individual tables or columns within tables on the basis of the identity established by a user. The precise details of the privilege structure vary a bit from dbms to dbms (though the SQL syntax is the same).

1. For example, mysql allows a database administrator to grant privileges to users on all databases, specific databases, specific tables within a database, or even specific columns within a table.

2. There are a wide variety of different privileges that can be granted - most of which are meaningful only at one of the levels just noted (e.g. the privilege to create a table is applicable only at the database level.)

PROJECT: List of privileges from mysql manual pp. 914-915

a) Note the ALL option

b) Note that the privilege names are standard in SQL, though not all dbms’s implement them (e.g. REFERENCES in mysql).

3. The SQL GRANT statement can be used to grant privileges to a specific user, or to all users (GRANT ... TO PUBLIC)


D. One important feature of SQL is the concept of a view. A view is a “virtual table” that - among other uses - can be used to limit what a particular user may see.

Example (repeat from Intro to DBMS lecture) DEMO:

    connect to security user bjork;
    set schema registrar;
    select * from course_taken;
    update course_taken set grade = 'C+'
        where id = '5555555' and department = 'BCM' and course_number = '101';
    select * from course_taken;

    connect to security user aardvark;
    set schema registrar;
    select * from course_taken;
    select * from student_info;
    update course_taken set grade = 'A'
        where id = '1111111';

PROJECT code for creating student_info view.

1. A view is treated like a table by the DBMS.

2. In particular, it is possible to specify distinct user access rules for a view from the table it is based on.

SHOW Grants used for table course_taken and view student_info


VII. Issues specific to networks

A. We consider in this section only issues peculiar to two parties communicating via a network. We assume basic operating system and dbms security on both ends.

B. Malware

1. Malware is short for “malicious software”. There are many different kinds of malware.

PROJECT Stallings Table 7.1 - Go over types

2. There are many ways in which malware can be spread from one system to another.

a) Deliberate penetration using password cracking.

b) Deliberate penetration using buffer overflows.

c) Trojan horse programs available on the web.

d) Macro viruses in documents or spreadsheets sent by email. (This builds on the fact that some software - e.g. Microsoft Office - allows macros in documents that can access the user’s files or perform other “risky” operations.)

e) Macro viruses in the body of an email. (This builds on a mail program that allows executable code in an email)

3. One sort of malware that calls for particular note is malware that compromises a system in such a way that an attacker can later use it for other purposes, such as sending spam email or denial of service attacks. Such a compromised system is called a “bot” (short for robot) and a network of such compromised systems is called a “botnet”.

C. Denial of Service Attacks

1. A denial of service attack attacks the availability of a system, rendering it unable to perform its intended function. Such an attack may be motivated by

a) A desire to harm the “victim”, either due to malice or a desire to show off the attacker’s prowess


b) A desire to gain a financial advantage of some sort - perhaps by extorting “protection money” from the target.

2. DOS attacks typically make use of the fact that it is possible to include a phony source address in an IP packet. IP contains no provision for verifying that a packet actually came from the system it claims to have come from.

3. One sort of DOS attack, known as flooding, involves sending so much traffic to a server that either its network connection or its ability to service requests is overloaded. The former may result in many legitimate access attempts being lost, as legitimate packets are dropped. The latter may result in responses being unacceptably slow, to the point of even timing out.

a) A flooding attack may be originated from a system that has a higher network bandwidth than the site being attacked. Of course, the source address in the packets is usually spoofed to prevent the source of the attack from being discovered.

b) A flooding attack may be originated by sending packets to other servers on the network, but with the source address spoofed as being the target system. This causes these servers to respond to the target system, flooding it with traffic.

c) A distributed denial of service attack involves using a botnet to flood a target system with traffic. Though each individual bot may have low network bandwidth, the cumulative impact of a botnet may bring down even a high bandwidth server.

4. Another sort of DOS attack involves establishing numerous TCP connections to a server, thus overloading its internal connection table.

D. Preventative measures

1. Encryption of confidential information. It is always best to assume that anything that is transmitted over the Internet unencrypted can be read! While this may not be a concern with ordinary email or web browsing traffic, it is a significant concern with sensitive information or passwords.

2. Firewalls

a) A firewall may be a separate, hardened computer system placed between a local area network and an unsafe network such as the Internet.


[Figure: “Unsafe” network - Firewall System - Protected network]

b) Or, a firewall may be a component of the network stack on an individual computer.

c) In either case, a firewall serves as a filter, either passing through or blocking packets according to rules that are specified as part of its configuration.

SHOW yast2 Security/Firewall on a workstation

d) In a world in which there were no security loopholes in applications, a firewall would be unnecessary. But given the reality of applications having vulnerabilities, a firewall can serve to prevent undesired access.

Example: suppose a database houses sensitive data, and it is desired to allow the database server to be accessed on a LAN but to disallow accesses from outside, lest an attacker find a vulnerability that allows access to the database. This can be done by configuring the firewall to block connections to the database from the external network.

3. Virtual Private Networks

a) A firewall can create tensions between protection and legitimate use.

Example: Suppose, to protect a database, the firewall is configured to disallow external access. This would seem to also preclude accesses by legitimate users from home or while traveling.

b) One way to address these tensions is through the use of a Virtual Private Network (VPN), which makes use of a facility called IPSec. A VPN setup looks like this:

[Figure: VPN setup 1 - “Unsafe” network; Firewall System; Protected network; VPN Server; Legitimate user]

or

[Figure: VPN setup 2 - “Unsafe” network; Firewall System; Protected network; VPN Server; Legitimate user]

(1) A legitimate external user first establishes a connection to the VPN, using his/her authentication credentials.

(2) Then the legitimate user can use the VPN server as an intermediary to access resources on the protected network as an “insider”.

(a) The legitimate user sends a packet directed at a server on the inside to the VPN server. The actual IP-level packet (which includes its destination IP and port inside the protected network) is both encrypted and authenticated.

(b) The VPN server decrypts the authenticated packet from the legitimate user, and then places it on the internal network, on the other side of the firewall.

(c) The same approach is used for outbound packets going from systems “inside” the firewall to the user outside, to protect the security of information travelling over the Internet and to assure the user that the packets really come from the “inside” system.

Example: I prepared most of this lecture at home. Gordon’s firewall does not allow direct access to NAS1. However, I was able to access it using Gordon’s VPN - which required me to authenticate with my Gordon password before allowing me to access the file server.


4. Sandboxes

a) Running a program in a sandbox means running it in an environment where its capabilities are restricted to “safe” operations. For example, Java applets run in a web browser are run in a sandbox where the following operations - among others - are prohibited

(1) Any access to the file systems on the computer on which the applet is running

(2) Any network connection to any system other than the one from which it was downloaded [which might lead to getting around a firewall ]

b) Of course, there will be times when the legitimate functionality of an applet requires access outside the sandbox.

Example: Gordon’s VPN is implemented by a Java applet that must, of course, be able to access the file system on the computer it is running on to support file transfers between a host outside Gordon’s firewall and a file server inside it.

c) Java also supports the notion of a “signed applet” - an applet which is cryptographically signed by a trusted entity. Such an applet can be allowed access privileges outside the sandbox.
