Lecture 1 - Brunel University

EE5552 Network Security and
Encryption
block 1
Dr. T.J. Owens CMath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES
The most important reference
Ross Anderson, Security Engineering: A Comprehensive
Guide to Building Dependable Distributed Systems,
John Wiley & Sons, SECOND EDITION, 2008
ISBN: 978-0470068526
Six sample chapters of the above are available on-line
at: “http://www.cl.cam.ac.uk/~rja14/book.html”
Teaching Staff
• Dr. T.J. Owens Ceng, MIET
– Module Leader
– [email protected]
– Blocks 7 – 12 (B)
• Dr T. Itagaki MIET, MIEEE, MAES
– [email protected]
– Blocks 1 – 6 (A)
Module Overview (A)
•
•
•
•
•
Block 1
Block 2
Block 3
Block 4
Block 5
• Block 6
Security Engineering the Basics
BAN Logic and Passwords
Access Control
Basic concepts of cryptography
Simple Ciphers and Classical Ciphers and
a Complexity Measure for Security
Modern Symmetric Key Cryptography
Module Overview (B)
• Block 7 Public Key Cryptography
• Block 8 Introduction to cloud security from
the customer point of view
• Block 9 Multilevel Security
• Block 10 Multilateral Security and Privacy
• Block 11 Role Based Access Control and Kerberos
• Block 12 TLS/SSL: The Payment Card Industry Data
Security Standard
Assessment
2 hours examination in end of April/early May (60%)
- FIVE questions. Answer THREE questions
3 laboratory based assignments (2 x 15%, 1X10%)
- lab attendance is a must
Re-sit in end of August
Block 1
Security Engineering the Basics
Objectives (1)
To introduce:
• Security Engineering
• Examples of distributed computing systems where security is
an important issue
• The terms used in this course when considering Security
Engineering
• Security protocols
• The use of passwords and challenge response identification
systems
Objectives (2)
To introduce:
• The use of nonces and ‘random number generators’
• The man-in-the-middle attack and the delayed data transfer
attack
• The role of environmental change
• (Encryption) key management and the Needham-Schroeder
key exchange protocol
Security Engineering (1)
Security Engineering is about the building of systems that are
dependable in the face of errors, attackers, and unfortunate
combinations of events.
– It focuses on the tools, processes and methods used to design, build,
and implement complete systems and how to modify them as their
environment changes.
Security Engineering (2)
The dependability of many systems is of fundamental
importance:
– The failure of nuclear power plant safety systems can have
catastrophic environmental consequences.
– A failure in international banking systems could result in global
economic depression.
– Lack of confidence in the robustness of a system can hold back
economic development.
Security engineering is often complex because the security
requirements of systems vary enormously.
Security Engineering (3)
However, generally, good security engineering requires four
things: (1-2)
– A security policy: A clear statement on what the implemented security
measures are supposed to achieve and how.
– Security mechanisms: Technology used to achieve security e.g.
cryptographic protocols, access controls.
Security Engineering (4)
However, generally, good security engineering requires four
things: (3-4)
– Assurance: Being aware of the amount of reliance that can be placed
on security so that, for example, the need for a periodic review of the
appropriateness of particular security mechanisms can be identified.
This also includes updates policies, auditing of security related
processes, etc.
– Incentives: Motivation for the people working with the system to
behave appropriately. In some cases this includes incentives for them
to do their job properly.
Security Engineering (5)
Typical requirements of a secure distributed computing system
are:
– User authentication (access control, user log-in/password)
– Message integrity with respect to origin and content (forged header,
intrusion, DRM, watermarking)
– Message confidentiality (encryption)
– Fault-tolerance (error/noise resistance)
– Concealment of system resources (system intrusion)
Security Engineering - examples
Example 1 – at a bank [1]
The essence of a branch’s operations is its accounting systems.
– Double entry book keeping where a debit on one account must be
matched by a credit on another is a security tool.
The biggest threat to a bank is its own staff.
– Bank employees are required to take regular holidays during which
they have no access to the bank premises or systems.
Alarm systems look for unusual patterns or volumes of
transactions.
Example 1 – at a bank [2]
When cash machines are used transactions are authenticated
using a card and a PIN.
– These machines were the first large scale commercial use of
cryptography.
Large sums of money are moved between banks using special
messaging systems, for example letters of credit.
– These use book keeping procedures but have stronger access controls
and use cryptography.
Example 1 – at a bank [3]
Most branches have strong rooms with alarms.
– Cryptography is used to prevent thieves circumventing the alarms, the
alarms send all’s well messages that are encrypted.
Many banks have a web site that allows customers to manage
their accounts online.
– This business is protected using standard Internet security technology
such as firewalls, SSL/TLS etc.
• So attackers started attacking the customers rather than the banks
through social engineering e.g. by phishing.
Example 2 – at an Air Force Base [1]
Electronic warfare systems try to jam enemy radar while
preventing the jamming of the base radar systems.
– These give insight into how to prevent denial of service attacks on
wireless communications.
Example 2 – at an Air Force Base [2]
In a military system is it not enough to encrypt messages as an
enemy that sees the encrypted messages may simply attack
their source.
– Low-probability-of-intercept (LPI) radio links are one answer. Some of
the ideas behind LPI links are now used in Digital Rights Management
(DRM).
– They use spread-spectrum modulation now used in a variety of
commercial applications. For example, Code Division Multiple Access
(CDMA).
Example 2 – at an Air Force Base [3]
The military have sophisticated systems for inventory
management.
– There may be distinct stores management systems at each security
level, a general system for things like jet fuel and another system for
things like fighter aircraft whose location could reveal tactical
intentions.
– The general rule is that sensitive information may not flow down to
less restrictive classifications.
Example 2 – at an Air Force Base [4]
As part of the process of linking intelligence systems search
engines have been developed that can index material at
multiple levels of security clearance and show users only the
search results they are cleared to know.
Protecting nuclear weapons has given rise to a lot of security
technology such as biometrics using iris patterns.
Example 3 – at the Home [1]
You may use web-based electronic banking
Your burglar alarm may send an encrypted all’s well signal to a
security company every few minutes.
Your car may have an electronic immobilizer that sends an
encrypted challenge to a radio transponder in a key fob.
– The transponder has to respond correctly before the car will start.
Example 3 – at the Home [2]
GSM phones authenticate themselves to the network using a
cryptographic challenge-response protocol similar to the ones
in car locks and immobilizers.
– 3G phones use a more sophisticated and secure challenge-response
protocol than GSM phones.
Satellite TV set-top boxes decipher movies as long as the channel
subscription is paid.
DVD players use copy control mechanisms based on
cryptography and copyright marking.
Terminology
Terminology – Why (1)
The lack of agreement on definitions is the cause of many
weaknesses in systems design.
A system can be taken to mean a product.
In this module because ignoring the human elements is a
primary cause of security failure a system is taken to mean
something far wider.
Terminology – Why (2)
A Complex System
One or more applications, for example, a payroll package,
together with the collection of components, operating
system, communications, and other parts of an organization’s
infrastructure that they are dependent upon together with all
users of the applications both internal and external to the
organization, the management of the organization, its
customers and operational environment including regulators.
There are big issues associated with who or what the
communicating parties in the system are and exactly what
they are communicating.
Terminology – Why (3)
In the security literature statements like “Alice authenticates
herself to Bob” are common.
Note that by convention communicating parties are given the names of
people.
Strictly, the statement Alice authenticates herself means Alice
proves she is who she says she is.
Does this mean Alice proves she is the person Alice or that she is
in possession of a smart card assigned to her as a form of
identification?
Terminology – Definitions (1)
• Subject will be used to mean a human being
• Person will be used to mean a human being or legal entity
such as a company.
• A role is a function taken on by different people at different
times.
The sister in charge of nursing care in a hospital ward
System Administrator, Super User, User…
Terminology – Definitions (2)
• A principal is an entity that participates in a security system.
• An entity can be
–
–
–
–
–
a person
a role
an item of equipment
a piece of software
an encryption key
Terminology – Definitions (3)
• A group is a set of principals. A group may itself be treated as
a principal.
• Identity in the context of this module means a
correspondence between the names of two principals
signifying that they refer to the same person, item of
equipment, or piece of software.
– This is best understood in terms of one person taking on several roles.
Terminology – Definitions (4)
• A trusted system or component is one whose failure will
breach the security policy of an organization.
• Secrecy refers to the effect of mechanisms used to restrict
access to information to specific principals.
• Confidentiality is obligation to protect the secrets of other
persons if you have access to them.
• Privacy is the ability to protect your own personal
information.
Terminology – Definitions (5)
• Anonymity in the context of this module will mean the ability
to protect metadata in such a way that information about a
person cannot be extracted from it.
e.g. If someone is identified sending encrypted messages to a clinic for
the treatment of sexually transmitted diseases it may be assumed that
they have a STD.
Terminology – Definitions (6)
• Authenticity means integrity plus freshness.
– Message integrity means knowing you have received a message as
sent (uncorrupted).
– Origin integrity means knowing the source of a message.
– Freshness means knowing that you are not receiving a replay of an
earlier message.
Terminology – Definitions (7)
• A vulnerability is a property of a system or its environment
which, in conjunction with a threat can lead to a breach in
security if the threat is realized.
• A security policy is a statement of a protection strategy for a
system.
• A security target is a statement of how a security policy will
be implemented in a particular product, for example by using
encryption.
Terminology – Definitions (8)
• Crucial to effective security engineering is the ability to make
protection goals explicit
– protection refers to a security related property of system such as
privacy or confidentiality.
• A protection profile is a security target written in a general
way to allow comparative evaluation of different products, for
example, between different types of firewalls.
Protocols (1)
• A security system usually comprises many principals
including people and organizations, equipment and
software, which communicate in a variety of ways
such as email and the telephone.
• A protocol is a recipe for achieving a given end.
– Protocols can be simple or complicated.
Protocols (2)
• Security protocols govern communications within
the system with the intention that they ensure that
its security is robust.
• Simple design features in protocols can lead to
serious breaches of security.
• A classic example is a protocol that governed many
of the first cash machines.
Protocols (3)
• Several banks encrypted the customers PIN and
wrote the encrypted PIN to the magnetic strip on the
customer’s bank card:
– An attacker altered the magnetic strip of his bank card by replacing his
bank account number with that of his wife.
– He found he could take money out of his wife’s account using his card
and PIN.
– He realised he could use any bank account in this way if he had access
to the bank account number and stole hundreds of thousands of
pounds.
– The banks affected had to spend millions of pounds upgrading their
systems.
Passwords (1)
Identification is a basic application of cryptographic algorithms.
– The primary use of identification is for access control.
Cryptographic algorithms used for identification are used within
identification protocols
– which enable the prover Bob to prove to the verifier Alice their
identity
Passwords (2)
Passwords are the most widely used means of authenticating
human users to computer systems.
Access to Unix or Windows XP is usually controlled by a
password system:
– Each user has a secret password
– The password system typically maintains a file that relates each
password to an authorised user.
– If this file is stored without protection an unauthorised person could
access it.
Passwords (3)
A solution is to store the result of applying a one-way function to
each of the passwords so a user's password can easily be
checked but not read from the password file.
Password files are write protected so that an attacker cannot
enter the one-way function of a password of their choice and
gain access.
If the use of a password identification system is not carefully
monitored it can be insecure.
Passwords (4)
Users when asked to select their own password will often select
a very short one or one that can easily be guessed.
This enables dictionaries of commonly used passwords to be
compiled that can be used to launch a dictionary attack.
The attacker applies the one-way function to each of the words
in the dictionary and looks for a result that matches an entry
in the password file.
Passwords (5)
There are various rules on the use of passwords that can be
applied to provide protection against dictionary attacks.
These include specifying a minimum length for a password,
normally at least eight characters, and including nonalphabetic characters such a $ and 5 in the password.
>> university’s e-mail/network password
Passwords (6)
However, users can find passwords selected on the basis of such
rules hard to memorise. Consequently, the use of smart cards
to store passwords is becoming popular:
To prove their identity, the user of a smart card inserts the card
into a card reader that reads the password stored on the card.
However, the use of a smart card does not prevent an attacker
intercepting the communication between the smart card
reader and the verifier.
Passwords (7)
To counter this threat, one-time passwords may be implemented
on a smart card:
– A function f is stored on the card, together with an initial string w.
– The first time the card is used a one-time password is generated as
w1 = f(w)
– The second time the card is used a one-time password is generated as
w2 = f(w1) , and so on.
– Provided the verifier has the same function f and initial string w
identification can take place.
Challenge response identification systems (1)
The use of one-time passwords does not rule out the possibility
that an attacker can learn the password before the
identification takes place.
To get around this problem challenge response identification
systems are used:
Challenge response identification systems (2)
In a challenge response identification system if the prover Bob
wants to identify himself to the verifier Alice then Bob must
respond correctly to a question, or challenge, from Alice.
Bob responds to the challenge by computing a response using a
secret key and sending it to Alice.
If the challenge response system is based on symmetric key
cryptography, Alice verifies the response using the same
secret key.
If the system is based on public key cryptography, Alice verifies
the response using the public key that corresponds to the
private key Bob used.
Challenge response identification systems (3)
Suppose Alice and Bob agree a secret key by which they may
identify themselves to each other:
– If Bob wants to identify himself to Alice he asks Alice for a
random number
– Bob encrypts this random number with the secret key and
sends the cipher text to Alice
– Alice decrypts the cipher text with the secret key and
compares the result with the number she sent.
– If there is a match then she accepts this as proof of
identity.
Challenge response identification systems (4)
Public-key cryptography may be used for identification as
follows:
– If Bob wants to identify himself to Alice he asks Alice for a random
number
– Bob encrypts this random number with his private key and sends the
cipher text to Alice
– Alice decrypts the cipher text using Bob’s public key and compares the
result with the number she sent.
– If there is a match then she accepts this as proof of identity.
For this challenge response system to work Alice must be sure
that she has the authentic public key of Bob.
Challenge response identification systems (5)
Challenge response identification systems are often
implemented by issuing staff with password generators that
look a little like calculators:
http://money-watch.co.uk/8224/hsbc-secure-key
http://www.hsbc.co.uk/1/2/security-centre/securekey?HBEU_dyn_lnk=SecurityCentre_Overview_BannerSlotA_LearnMore_Button
Challenge response identification systems (6)
Challenge response identification systems are often
implemented by issuing staff with password generators that
look a little like calculators:
– For a member of staff to log on to a corporate PC they have to call up
the log on screen by entering their user name
– The log on screen presents them with a random challenge which they
have to enter into the password generator together with a PIN.
– The password generator encrypts the entered information using a
secret key shared with the server and displays the first few digits of
the result as the password to be entered.
Nonces (1)
As well as people embedded
systems often use passwords:
In the mid-1990s remote
controls used to unlock car
doors broadcast their 16-bit
serial number as a password
to unlock the car.
Devices called grabbers could
record serial numbers and
http://ecx.imagesbroadcast them later to
amazon.com/images/I/41HkBV5TizL._SL500_AA300_.jpga
unlock cars.
Nonces (2)
Devices called grabbers could record serial numbers and
broadcast them later to unlock cars.
>> c.f. person in the middle attach
Another problem at this time was that 16-bit serial numbers
were too short. These give only 216 (= 65536) possible codes.
– Devices were developed that could broadcast every possible code in
succession which on average could open a car door in under an hour.
Nonces (3)
This drove embedded systems to adopt the sort of cryptographic
authentication protocols used by people.
Some car parks control access using authentication devices, for
example, small devices that broadcast an infrared signal.
In protocol engineering notation X K D denotes message X
encrypted under key KD by device D.
Nonces (4)
The protocol between the infrared device and the car park is
given by: D  G : D, D, N K
D
This means the device D sends its serial number followed by the
number obtained by the device encrypting its serial number
concatenated with a number N, where N stands for nonce, to
the car park server G.
Nonces (5)
In principle, a nonce is a number that is used only once.
– The idea is to use it to guarantee a message is fresh and not a replay of
an old message.
The car park server reads the device serial number and obtains
the key of the corresponding device and deciphers the
encrypted number.
The server then checks that the decrypted number begins with
the serial number of the device and then finally checks that
the nonce has not been used before.
Nonces (6)
The main issue with the above protocol is the use of a nonce:
Manufacturers normally do not disclose how they ensure a
nonce has not been used before.
Manufacturers have made the mistake of only checking the
nonce is different from the last one.
– In one car lock a thief could open the door by replaying the last but
one access code.
Nonces (7)
If a random number generator is used to generate the nonce the
server has to remember a reasonably large number of
previously used nonces.
The valet attack involves someone with temporary access to a
car remote control recording a number of access codes and
replaying them later to steal the car.
If a counter is used to generate a nonce in the remote control
and the server maintains a counter in step it does not have to
store values used as nonces.
– The problem becomes one of keeping the two counters in step as
remotes can be activated accidentally.
Accessory control
Accessory control is using an authentication mechanism to
ensure that, for example, only games CDs licensed by the
manufacturer of a games console can be used with that
manufacturers console.
Random number generators (1)
Modern car keys use the challengeresponse protocol:
When the car key is inserted in the
steering lock the engine
management system sends a
random challenge using a shortrange radio signal.
The car key encrypts the challenge and
sends the encrypted challenge back
to the engine management system
again using a short-range radio
signal.
http://www.pwcphoto.com/studio/pair-of-dice.jpg
Random number generators (2)
Crucial to the security of this protocol is the randomness of the
random challenge.
If a repeating succession of 16 different numbers is used to
provide a random challenge the use of wireless makes it
possible for a thief to interrogate such a car key while it is in
the owner’s pocket by sending a succession of challenges
using a short-range wireless device.
More generally, whenever random number generators are used
in security tools it is essential to ensure they are random
enough.
Random number generators (3)
Describing the number generators used in challenge response
protocols as random number generators is misleading.
True random number generators cannot be implemented using
computational algorithms running on modern processing
devices.
In an embedded system such as a car lock the random challenge
is usually generated by encrypting a counter using an
encryption key kept inside the device and not used for any
other purpose.
c.f. Excel “RAND()”, C++ “int rand (void)”
Man-in-the-middle Attack
(Modification – data integrity) [1]
Wi-Fi is a wireless technology that provides simple broadband
access using your laptop and an access point to which the
laptop has authenticated itself.
Suppose you have a modified Wi-Fi card designed to intercept
data. All information coming from the access points within
wireless range can be read.
Man-in-the-middle Attack
(Modification – data integrity) [2]
Suppose an attacker wishes to authenticate to a corporate
access point they should not be able to use. One approach
would be to set up a bogus access point:
– The bogus access point identifies a real corporate access point in
advance.
– When a corporate laptop sees the bogus access point and tries to
associate to it the bogus access point copies all the messages it
receives to the valid corporate access point, substituting its own
Medium Access Control (MAC) address.
– The bogus access point copies all the messages received from the valid
access point back to the mobile device. This intervention is possible
even when the data is encrypted and without the enemy knowing the
secret keys.
Man-in-the-middle Attack
(Modification – data integrity) [3]
If the message content is encrypted very little can be achieved
without some knowledge of the contents of the messages
before they were encrypted.
More can be achieved if the attacker is allowed to replay
captured messages.
In particular, if a simple challenge response scheme were used
for authentication by replaying captured messages the bogus
access point could associate itself to the corporate access
point.
Man-in-the-middle Attack
(Modification – data integrity) [4]
The security method for Wi-Fi called Wireless Protected Access
(WPA) is resilient to such attacks.
– It requires mutual authentication between the corporate user and the
access point and has built in protection against replay attacks.
One interesting problem arising with wireless challenge response
protocols is that an attacker could know that a wireless device
was in a certain area by getting a response to a challenge they
issued to it. Consequently, many modern systems
authenticate the challenge as well as the response.
Delayed Data Transfer Attack (1)
Many pay-TV systems involve a set-top-box which decrypts and
decodes the video signal of interest together with a customer
smartcard that generates the decryption keys.
The decryption keys are changed several times a second and are
computed in the smartcard by applying an encryption
algorithm to entitlement control messages that are contained
in the video signal.
If the messages passed between the smartcard and the set-topbox are the same for all set-top-boxes then a subscriber could
record logs of the keys sent to their set-top-box and post
them on the web.
Delayed Data Transfer Attack (2)
Someone who has recorded the encrypted signal can then
download the key log and use it to decrypt the video.
This type of attack is generally ignored by pay-TV companies
because it takes a fair amount of effort to carry out on a
regular basis and is not considered to result in significant loss
in revenue.
This is an important point as many businesses allow for a certain
amount of loss through theft; supermarkets and mobile
phone companies are prominent examples.
Changes in Business Environmental (1)
Protocols sometimes fail because assumptions that were made
when they were implemented cease to be valid when the
environment in which they operate changes.
London Transport had prior to privatisation excellent systems to
stop commuters cheating it.
In the 1980’s parts of the system were privatised creating dozens
of new companies some of which started cheating each other
and the systems in place could do nothing about it.
Changes in Business Environmental (2)
The best example of how this was done was the one-day travel
pass.
The revenue received from the ticket was distributed to the
companies involved based on a formula that depended on
where the ticket was sold.
Some companies started booking all their ticket sales the outlet
that gave them the greatest percentage share of the revenue.
Numerous legal actions followed.
(Encryption) Key Management (1)
The protocols discussed so far have largely been for
authenticating a principal.
Another class of protocols that is extremely important is the
encryption key management protocols.
Authentication protocols are now widely used in distributed
systems for general key management purposes.
– The authentication protocols of Wi-Fi Protected Access (WPA) and
Robust Security Network (RSN) are important examples.
(Encryption) Key Management (2)
To enable transmission of encrypted information communicating
parties must enter into a keying relationship where they share
common data, known as keying material.
In a secret key cryptosystem, the same key is used for both
encryption and decryption. Thus if two users wish to
communicate securely, they must first exchange a secret key
securely.
The methods used to enable keying relationships form what is
known as key management.
(Encryption) Key Management (3)
Key management includes all aspects of the keying relationships:
–
–
–
–
–
User initialisation
Generation and distribution of keying material
Controlling key material use
Backing up
Archiving and updating keying material.
Usually the least frequently changed keys must be manually
distributed under strict security.
These keys form the basis for the construction of other keys in a
hierarchy consisting of several levels with the keys used for
encrypting data changed as frequently as once per message.
(Encryption) Key Management (4)
The basic concept underlying key distribution protocols is that of
the trusted third party (often called Trent in the security
literature).
If symmetric key cryptography is to be used to encrypt messages
between two principals the simplest form of key management
is to use a Key Distribution Centre (KDC).
When a principal registers with a KDC it must prove its identity,
in the case of a subject, by visiting the KDC and proving
identification in the form of a passport etc.
(Encryption) Key Management (5)
The KDC provides each registered principal with a unique
encryption key in a secure manner so that it may
communicate with the KDC in a secure way, in the case of a
subject often by physical exchange.
If two principals, Alice and Bob, registered with the same KDC
want to communicate in a secure manner one of the
principals, say Alice, uses the encryption key (KA) it shares
with the KDC to securely ask it to send an encryption key (KAB )
to both it and Bob.
The KDC uses the key it shares with Alice (KA) to securely send
Alice the key Alice asked for and the key it shares with Bob
(KB) to securely send Bob the key.
Needham-Schroeder Protocol (1)
Developed in 1978 by Roger Needham and Mike Schroeder, it is
an elaboration of the basic protocol for key distribution
described in block 1 and many later key distribution protocols
were based on it.
Needham-Schroeder Protocol (2)
If Alice and Bob the communicating parties are denoted by A and
B, the trusted third party Trent by T and a nonce provided by
party X by NX, the protocol is described as:
Message 1:
Message 2:
Message 3:
Message 4:
Message 5:
Needham-Schroeder Protocol (3)
The first extra element is in the opening message where Alice
sends her random nonce so Trent can be sure her message is
not a replay attack.
In the second message Trent includes her nonce in encrypted
form so Alice can be sure Trent’s message is not a replay and
an encrypted message to send to Bob which is sent to Bob in
message 3.
Bob then does a challenge-response to be sure Alice is present
and expecting a message from him.
Needham-Schroeder Protocol (4)
There is a problem with this protocol and the previous one:
Suppose David steals Alice’s key KA and sends messages to Trent
pretending to be Alice asking for keys to talk to Michael and
Jane, David can impersonate Alice to Michael and Jane.
The problem is when Alice realises her key KA has been stolen
she must ask Trent to send a message to everyone she has
ever been issued a key to talk to by Trent revoking the key
they were sent.
Alice cannot do key revocation herself.
Needham-Schroeder Protocol (5)
Kerberos is an important development of the NeedhamSchroeder protocol that gets around this problem by using
timestamps rather than nonces and is covered later in the
course.
home work
•
•
•
•
Wi-Fi Protected Access (WPA)
Robust Security Network (RSN)
symmetric key cryptography
public key cryptography